keyring

package
v0.34.0 Latest
Published: Aug 22, 2025 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func ReEncryptAll added in v0.34.0

func ReEncryptAll(ctx context.Context, db *sql.DB, keys Keys) error

ReEncryptAll will re-encrypt all encrypted values in the database to the first key in the provided list, using the remaining keys as alternates for decryption. This function will return an error if any values fail to re-encrypt.

Types

type Config

type Config struct {
	// Name is the unique identifier of this keyring.
	Name string

	// RotationDays is the number of days between automatic rotations. If zero, automatic rotation is disabled.
	RotationDays int

	// MaxOldKeys determines how many old keys (1-254) are kept for validation. This value, multiplied by RotationDays,
	// determines the minimum amount of time a signature remains valid.
	MaxOldKeys int

	// Keys specifies a set of keys to use for encrypting and decrypting the private key.
	Keys Keys
}

Config allows specifying operational parameters of a keyring.

type DB

type DB struct {
	// contains filtered or unexported fields
}

DB implements a Keyring using postgres as the datastore.

func NewDB

func NewDB(ctx context.Context, logger *log.Logger, db *sql.DB, cfg *Config) (*DB, error)

NewDB creates a new postgres-backed keyring.

func (*DB) RotateKeys

func (db *DB) RotateKeys(ctx context.Context) error

RotateKeys will force a key rotation.

func (*DB) Shutdown

func (db *DB) Shutdown(ctx context.Context) error

Shutdown allows gracefully shutting down the keyring (e.g. auto rotations) after finishing any in-progress rotations.

func (*DB) Sign

func (db *DB) Sign(p []byte) ([]byte, error)

Sign will sign a message and return the signature.

func (*DB) SignJWT

func (db *DB) SignJWT(c jwt.Claims) (string, error)

func (*DB) Verify

func (db *DB) Verify(p []byte, signature []byte) (valid, oldKey bool)

Verify will validate the signature and metadata, and optionally length, of a message.

func (*DB) VerifyJWT

func (db *DB) VerifyJWT(s string, c jwt.Claims, iss, aud string) (bool, error)

type Keyring

type Keyring interface {
	RotateKeys(ctx context.Context) error

	Sign(p []byte) ([]byte, error)
	Verify(p []byte, signature []byte) (valid, oldKey bool)

	SignJWT(jwt.Claims) (string, error)
	VerifyJWT(token string, c jwt.Claims, iss, aud string) (bool, error)

	Shutdown(context.Context) error
}

A Keyring allows signing and verifying messages.

type Keys

type Keys [][]byte

Keys represents a set of encryption/decryption keys.

func (Keys) Decrypt

func (k Keys) Decrypt(pemData []byte) (data []byte, label string, err error)

Decrypt will decrypt PEM-encoded data using the first key that succeeds. The index of the key used is returned as n.

func (Keys) Encrypt

func (k Keys) Encrypt(label string, data []byte) ([]byte, error)

Encrypt will encrypt and then encode data into PEM-format.
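The Keys contract above (k[0] encrypts, every key is tried on decrypt) together with the per-value re-encryption step behind ReEncryptAll, as an added illustration that is not this package's code. It assumes AES-256-GCM with the label bound as associated data and a PEM wrapper, since the page does not state the real scheme, and its Decrypt additionally returns the index of the key that succeeded, which is what a rotation pass needs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/pem"
	"errors"
)

// Keys stands in for the package's Keys: k[0] encrypts, every entry is tried on decrypt.
// Assumption: 32-byte keys (AES-256-GCM); Encrypt on an empty Keys panics like any k[0].
type Keys [][]byte
func aead(key []byte) cipher.AEAD { // a wrong key length is a configuration bug, so panic
	b, err := aes.NewCipher(key)
	if err != nil {
		panic("keyring: " + err.Error())
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block
	return g
}
// Encrypt seals data under k[0] with a fresh nonce; the label is the PEM block type and is bound as AEAD data.
func (k Keys) Encrypt(label string, data []byte) ([]byte, error) {
	g := aead(k[0])
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // never returns an error on Go 1.24+; on older Go, check it
	ct := g.Seal(nonce, nonce, data, []byte(label))
	return pem.EncodeToMemory(&pem.Block{Type: label, Bytes: ct}), nil
}
// Decrypt tries each key in order and reports the index that worked, so a rotation pass can spot stale values.
func (k Keys) Decrypt(pemData []byte) (data []byte, label string, n int, err error) {
	blk, _ := pem.Decode(pemData)
	for i := 0; blk != nil && i < len(k); i++ {
		g := aead(k[i])
		if ns := g.NonceSize(); len(blk.Bytes) >= ns { // too short to hold a nonce: skip
			if pt, err := g.Open(nil, blk.Bytes[:ns], blk.Bytes[ns:], []byte(blk.Type)); err == nil {
				return pt, blk.Type, i, nil
			}
		}
	}
	return nil, "", -1, errors.New("keyring: not PEM, or no key could decrypt the value")
}
// ReEncrypt is the per-value step of ReEncryptAll: re-seal under k[0] unless the value is already on it.
func (k Keys) ReEncrypt(pemData []byte) ([]byte, error) {
	data, label, n, err := k.Decrypt(pemData)
	if err != nil || n == 0 {
		return pemData, err
	}
	return k.Encrypt(label, data)
}
```

Rotation is then: prepend the new key, run ReEncrypt over every stored value, and only afterwards drop the old key from the list.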
