Documentation
Index
- func ASN1ToSEC1PublicKey(asn1PublicKey []byte) ([]byte, error)
- func ASN1ToSEC1Sig(asn1Sig, ecdsaPubKeyBytes, hash []byte) ([]byte, error)
- func NewKeystore(client Client) (interface{ ... }, error)
- func SEC1ToASN1PublicKey(sec1PubKey []byte) ([]byte, error)
- func SEC1ToASN1Sig(sec1Sig []byte) ([]byte, error)
- type Client
- type ClientOptions
- type ECDSASig
- type FakeKMSClient
  - func (m *FakeKMSClient) DescribeKey(ctx context.Context, input *kms.DescribeKeyInput, opts ...func(*kms.Options)) (*kms.DescribeKeyOutput, error)
  - func (m *FakeKMSClient) GetPublicKey(ctx context.Context, input *kms.GetPublicKeyInput, opts ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
  - func (m *FakeKMSClient) ListKeys(ctx context.Context, input *kms.ListKeysInput, opts ...func(*kms.Options)) (*kms.ListKeysOutput, error)
  - func (m *FakeKMSClient) Sign(ctx context.Context, input *kms.SignInput, opts ...func(*kms.Options)) (*kms.SignOutput, error)
- type Key
- type SPKI
- type SPKIAlgorithmIdentifier
Constants
This section is empty.
Variables
This section is empty.
Functions
func ASN1ToSEC1PublicKey
ASN1ToSEC1PublicKey converts a KMS public key (ASN.1 DER-encoded SPKI format) to SEC1 format (uncompressed: 0x04 || X || Y, 65 bytes).
KMS returns public keys in ASN.1 DER-encoded SubjectPublicKeyInfo (SPKI) format as defined in RFC 5280. This function extracts the public key and converts it to SEC1 uncompressed format.
This matches the implementation in chainlink-deployments-framework: https://github.com/smartcontractkit/chainlink-deployments-framework/blob/main/chain/evm/provider/kms_signer.go#L78
func ASN1ToSEC1Sig
ASN1ToSEC1Sig converts an ECDSA signature in ASN.1 DER format (a SEQUENCE of the two INTEGERs R and S) to SEC1 format (R || S || V). This follows the example provided in the AWS guides. Notably, Ethereum and most blockchain systems use the SEC1 format for signatures.
func NewKeystore
func SEC1ToASN1PublicKey
SEC1ToASN1PublicKey converts a SEC1 uncompressed public key (0x04 || X || Y, 65 bytes) to ASN.1 DER-encoded SubjectPublicKeyInfo format.
This is the reverse operation of ASN1ToSEC1PublicKey.
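The two public-key conversions above, written out as an added example (this is not the package's own code, and the helper and variable names are this example's). The SPKI and SPKIAlgorithmIdentifier structs reproduce the SubjectPublicKeyInfo layout the page describes under the SPKI type. Because Go's standard library has no secp256k1 implementation, the demo uses a P-256 key; the DER SPKI and SEC1 layouts are identical for both curves. The page's SEC1ToASN1PublicKey takes only the key bytes, so it must fix the curve internally; here the named-curve OID is an explicit parameter, which is this example's assumption. The parser deliberately rejects trailing bytes, non-EC algorithm identifiers and compressed points rather than passing them through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
)

// SPKIAlgorithmIdentifier and SPKI mirror RFC 5280 SubjectPublicKeyInfo:
// SEQUENCE { SEQUENCE { algorithm OID, namedCurve OID }, subjectPublicKey BIT STRING }.
type SPKIAlgorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.ObjectIdentifier
}

type SPKI struct {
	AlgorithmIdentifier SPKIAlgorithmIdentifier
	SubjectPublicKey    asn1.BitString
}

var (
	oidECPublicKey = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}    // id-ecPublicKey (RFC 5480)
	OIDSecp256k1   = asn1.ObjectIdentifier{1, 3, 132, 0, 10}          // secp256k1, the Ethereum curve
	OIDP256        = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} // prime256v1, used by the demo
)

// ASN1ToSEC1PublicKey unwraps a DER SPKI into the 65-byte uncompressed point 0x04 || X || Y.
func ASN1ToSEC1PublicKey(asn1PublicKey []byte) ([]byte, error) {
	var spki SPKI
	rest, err := asn1.Unmarshal(asn1PublicKey, &spki)
	if err != nil {
		return nil, fmt.Errorf("parse SPKI: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after SPKI")
	}
	if !spki.AlgorithmIdentifier.Algorithm.Equal(oidECPublicKey) {
		return nil, fmt.Errorf("unexpected key algorithm %v", spki.AlgorithmIdentifier.Algorithm)
	}
	pub := spki.SubjectPublicKey.Bytes
	if spki.SubjectPublicKey.BitLength != len(pub)*8 {
		return nil, errors.New("subjectPublicKey is not byte-aligned")
	}
	if len(pub) != 65 || pub[0] != 0x04 {
		return nil, fmt.Errorf("expected 65-byte uncompressed point, got %d bytes", len(pub))
	}
	return pub, nil
}

// SEC1ToASN1PublicKey is the reverse: wrap the point in an SPKI for the given named curve.
// The curve parameter is an assumption of this example; the page's function takes only the key.
func SEC1ToASN1PublicKey(sec1PubKey []byte, curve asn1.ObjectIdentifier) ([]byte, error) {
	if len(sec1PubKey) != 65 || sec1PubKey[0] != 0x04 {
		return nil, errors.New("expected 65-byte uncompressed point 0x04 || X || Y")
	}
	return asn1.Marshal(SPKI{
		AlgorithmIdentifier: SPKIAlgorithmIdentifier{Algorithm: oidECPublicKey, Parameters: curve},
		SubjectPublicKey:    asn1.BitString{Bytes: sec1PubKey, BitLength: len(sec1PubKey) * 8},
	})
}

func main() {
	// The stdlib has no secp256k1, so the demo uses P-256; the byte layouts are the same.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // same DER SPKI shape KMS GetPublicKey returns
	sec1, err := ASN1ToSEC1PublicKey(der)
	fmt.Printf("sec1=%x err=%v\n", sec1, err)
	back, _ := SEC1ToASN1PublicKey(sec1, OIDP256)
	_, err = x509.ParsePKIXPublicKey(back)
	fmt.Println("round trip parses:", err == nil)
}
```

For a real KMS key the input to ASN1ToSEC1PublicKey is the PublicKey field of the GetPublicKey response, and the curve OID passed back in would be OIDSecp256k1.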
func SEC1ToASN1Sig
SEC1ToASN1Sig converts a SEC1 signature (R || S || V, 65 bytes) to ASN.1 DER format.
The SEC1 signature format is: [32 bytes R][32 bytes S][1 byte V]. The ASN.1 format is a SEQUENCE of two INTEGERs: { R, S }. The recovery ID (V) is not included in the ASN.1 format, as it is only used for public key recovery.
This is the reverse operation of KMSToSEC1Sig, but note that the recovery ID (V) is lost in the conversion, since the ASN.1 format doesn't include it.
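The signature conversions in both directions, as an added example that is not the package's code. It shows the step the page's ASN1ToSEC1Sig description leaves implicit: V is found by recovering a public key for each candidate recovery id and comparing it with the expected SEC1 key, which is the approach the AWS guide takes. It also normalizes S to the low half of the group order, since Ethereum rejects the malleable high-S form of an otherwise valid signature and KMS may return either form. Go's standard library has no secp256k1 and crypto/elliptic's point arithmetic assumes the NIST curve equation with a = -3, so the recovery step here runs on P-256 (an assumption of this example); the DER and R || S || V byte layouts, the low-S rule and the recovery-id search are the same on secp256k1. ECDSASig mirrors the RFC 3279 structure the page describes; the curve argument and helper names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// ECDSASig mirrors RFC 3279 Ecdsa-Sig-Value: SEQUENCE { r INTEGER, s INTEGER }.
type ECDSASig struct {
	R, S *big.Int
}

// recoverPublicKey computes Q = r^-1 * (s*R - e*G), where R is the curve point with
// x-coordinate r and y-parity v. It relies on crypto/elliptic's y^2 = x^3 - 3x + b
// arithmetic, so it is valid for P-256; secp256k1 (a = 0) needs a dedicated library.
func recoverPublicKey(curve elliptic.Curve, r, s *big.Int, hash []byte, v byte) ([]byte, error) {
	p := curve.Params()
	rhs := new(big.Int).Exp(r, big.NewInt(3), p.P)
	rhs.Sub(rhs, new(big.Int).Mul(r, big.NewInt(3)))
	rhs.Add(rhs, p.B).Mod(rhs, p.P)
	y := new(big.Int).ModSqrt(rhs, p.P)
	if y == nil {
		return nil, errors.New("r is not the x-coordinate of a curve point")
	}
	if y.Bit(0) != uint(v) {
		y.Sub(p.P, y) // the other square root has the opposite parity
	}
	// e is the hash as an integer, truncated to the order's bit length exactly as ECDSA does.
	e := new(big.Int).SetBytes(hash)
	if excess := len(hash)*8 - p.N.BitLen(); excess > 0 {
		e.Rsh(e, uint(excess))
	}
	e.Mod(e, p.N)
	rInv := new(big.Int).ModInverse(r, p.N)
	sRx, sRy := curve.ScalarMult(r, y, s.Bytes())
	eGx, eGy := curve.ScalarBaseMult(e.Bytes())
	negEGy := new(big.Int).Sub(p.P, eGy) // -(e*G): mirror the y-coordinate
	negEGy.Mod(negEGy, p.P)
	tx, ty := curve.Add(sRx, sRy, eGx, negEGy)
	qx, qy := curve.ScalarMult(tx, ty, rInv.Bytes())
	return elliptic.Marshal(curve, qx, qy), nil
}

// ASN1ToSEC1Sig converts a DER signature to R || S || V (65 bytes). S is normalized to the low
// half of the order; V is the recovery id whose recovered key equals the expected SEC1 key.
func ASN1ToSEC1Sig(curve elliptic.Curve, asn1Sig, sec1PubKey, hash []byte) ([]byte, error) {
	var sig ECDSASig
	rest, err := asn1.Unmarshal(asn1Sig, &sig)
	if err != nil {
		return nil, fmt.Errorf("parse DER signature: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after signature")
	}
	n := curve.Params().N
	if sig.R.Sign() <= 0 || sig.S.Sign() <= 0 || sig.R.Cmp(n) >= 0 || sig.S.Cmp(n) >= 0 {
		return nil, errors.New("r and s must be in [1, n-1]")
	}
	s := new(big.Int).Set(sig.S)
	if s.Cmp(new(big.Int).Rsh(n, 1)) > 0 {
		s.Sub(n, s) // (r, n-s) is an equally valid signature; flipping S also flips V
	}
	for v := byte(0); v < 2; v++ {
		q, err := recoverPublicKey(curve, sig.R, s, hash, v)
		if err != nil {
			return nil, err
		}
		if bytes.Equal(q, sec1PubKey) {
			out := make([]byte, 65)
			sig.R.FillBytes(out[:32])
			s.FillBytes(out[32:64])
			out[64] = v
			return out, nil
		}
	}
	return nil, errors.New("signature does not recover to the given public key")
}

// SEC1ToASN1Sig is the reverse: R || S || V back to SEQUENCE { r, s }. V is dropped.
func SEC1ToASN1Sig(sec1Sig []byte) ([]byte, error) {
	if len(sec1Sig) != 65 {
		return nil, fmt.Errorf("expected 65 bytes (R||S||V), got %d", len(sec1Sig))
	}
	return asn1.Marshal(ECDSASig{
		R: new(big.Int).SetBytes(sec1Sig[:32]),
		S: new(big.Int).SetBytes(sec1Sig[32:64]),
	})
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hash := sha256.Sum256([]byte("constructed message")) // constructed sample digest
	der, _ := ecdsa.SignASN1(rand.Reader, priv, hash[:]) // same DER shape KMS Sign returns
	pub := elliptic.Marshal(elliptic.P256(), priv.X, priv.Y)
	sec1, err := ASN1ToSEC1Sig(elliptic.P256(), der, pub, hash[:])
	fmt.Printf("%x %v\n", sec1, err)
}
```

The V returned here is the raw recovery id (0 or 1); legacy Ethereum transactions carry it as 27 + id, so the offset is applied by the transaction encoder, not by the conversion. Checking the recovered key against the expected one is also the cheapest defence against a wrong key id or a signature produced under a different key: a mismatch surfaces as an error before anything is broadcast.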
Types
type Client
type Client interface {
	GetPublicKey(ctx context.Context, input *kms.GetPublicKeyInput, opts ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
	Sign(ctx context.Context, input *kms.SignInput, opts ...func(*kms.Options)) (*kms.SignOutput, error)
	DescribeKey(ctx context.Context, input *kms.DescribeKeyInput, opts ...func(*kms.Options)) (*kms.DescribeKeyOutput, error)
	ListKeys(ctx context.Context, input *kms.ListKeysInput, opts ...func(*kms.Options)) (*kms.ListKeysOutput, error)
}
Client is an interface that defines the methods for interacting with AWS KMS. We only expose the methods that are needed for our use case, which is to get a public key and sign data.
These methods are based on the AWS SDK for Go v2 KMS client interface. https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/kms
func NewClient
func NewClient(ctx context.Context, opts ClientOptions) (Client, error)
NewClient constructs a new KMS client using AWS SDK v2. If Profile is specified, it uses profile-based authentication (for local dev). Otherwise, it uses the default credential chain (IRSA in production, EC2 instance profiles, etc.).
type ClientOptions
type ClientOptions struct {
	// Profile is the AWS profile name to use (for local development).
	// If empty, uses default credential chain (IRSA, EC2 instance profiles, etc.).
	Profile string
	// Region is the AWS region. If empty, will be read from profile or environment.
	Region string
}
ClientOptions contains options for creating a KMS client.
type ECDSASig
ECDSASig represents the ECDSA signature structure as defined in [RFC 3279] in ASN.1 format. This structure is used to unpack the ECDSA signature returned by AWS KMS when signing data.
[RFC 3279] https://datatracker.ietf.org/doc/html/rfc3279#section-2.2.3
type FakeKMSClient
type FakeKMSClient struct {
	// contains filtered or unexported fields
}
func NewFakeKMSClient
func NewFakeKMSClient(keys []Key) (*FakeKMSClient, error)
func (*FakeKMSClient) DescribeKey
func (m *FakeKMSClient) DescribeKey(ctx context.Context, input *kms.DescribeKeyInput, opts ...func(*kms.Options)) (*kms.DescribeKeyOutput, error)
DescribeKey returns metadata about the key.
func (*FakeKMSClient) GetPublicKey
func (m *FakeKMSClient) GetPublicKey(ctx context.Context, input *kms.GetPublicKeyInput, opts ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
func (*FakeKMSClient) ListKeys
func (m *FakeKMSClient) ListKeys(ctx context.Context, input *kms.ListKeysInput, opts ...func(*kms.Options)) (*kms.ListKeysOutput, error)
ListKeys returns a list of key IDs.
type SPKI
type SPKI struct {
	AlgorithmIdentifier SPKIAlgorithmIdentifier
	SubjectPublicKey    asn1.BitString
}
SPKI represents the SubjectPublicKeyInfo structure as defined in RFC 5280 in ASN.1 format.
The public key that AWS KMS returns is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI). This structure is used to unpack the public key returned by the KMS GetPublicKey API call.
For more details, see the AWS KMS documentation on the GetPublicKey response syntax.
type SPKIAlgorithmIdentifier
type SPKIAlgorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.ObjectIdentifier
}
SPKIAlgorithmIdentifier represents the AlgorithmIdentifier structure for the SubjectPublicKeyInfo (SPKI) in ASN.1 format.