keyset

package
v0.83.0 Latest

This package is not in the latest version of its module.
Published: Jan 6, 2026 License: BSD-3-Clause Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Attempt

func Attempt[R any](ks *Keyset, f func(cryptoutil.Key32) (R, error)) (R, error)

Attempt runs the provided function for each key in the keyset, latest first, until either (i) an attempt returns a nil error (meaning it succeeded) or (ii) all keys have been attempted. This is useful when you want to fall back to a prior key because the current key fails after a recent rotation. The callback must actually fail under a wrong key, as authenticated decryption (AEAD open) or MAC verification does; an operation that cannot detect a wrong key will appear to succeed on the first attempt and the fallback never happens.

Types

type AppKeyset

type AppKeyset struct {
	// contains filtered or unexported fields
}

func MustAppKeyset

func MustAppKeyset(cfg AppKeysetConfig) *AppKeyset

Panics if anything is misconfigured. If desired, you can defer the panic to the first use of the keyset (rather than at instantiation) by setting DeferPanic to true in the AppKeysetConfig.

func (*AppKeyset) HKDF

func (ak *AppKeyset) HKDF(purpose string) func() *Keyset

func (*AppKeyset) Root

func (ak *AppKeyset) Root() *Keyset

type AppKeysetConfig

type AppKeysetConfig struct {
	// Provide a latest-first slice of environment variable names pointing
	// to base64-encoded 32-byte root secrets.
	// Example: []string{"CURRENT_SECRET", "PREVIOUS_SECRET"}
	LatestFirstEnvVarNames []string
	// Passed into the salt parameter of downstream HKDF functions.
	// Once set, do not change this unless you want an entirely new keyset.
	ApplicationName string
	// When instantiated via MustAppKeyset, if this is true, panics
	// due to misconfiguration are deferred to the first use of the
	// keyset rather than at instantiation time.
	DeferPanic bool
}

type Keyset

type Keyset struct {
	// contains filtered or unexported fields
}

func FromUnwrapped

func FromUnwrapped(uks UnwrappedKeyset) (*Keyset, error)

func LoadRootKeyset

func LoadRootKeyset(latestFirstEnvVarNames ...string) (*Keyset, error)

Pass in a latest-first slice of environment variable names pointing to base64-encoded 32-byte root secrets. Example: LoadRootKeyset("CURRENT_SECRET", "PREVIOUS_SECRET")

func RootSecretsToRootKeyset

func RootSecretsToRootKeyset(rootSecrets RootSecrets) (*Keyset, error)

RootSecretsToRootKeyset converts a slice of base64-encoded root secrets into a Keyset.

func (*Keyset) First

func (wk *Keyset) First() (cryptoutil.Key32, error)

First returns the first (latest) key in the keyset. It returns an error if the keyset is nil or empty, or if the first key is nil.

func (*Keyset) HKDF

func (ks *Keyset) HKDF(salt []byte, info string) (*Keyset, error)

Keyset.HKDF applies HKDF to each key in the base Keyset using the provided salt and info string, returning a new Keyset consisting of the derived keys.

func (*Keyset) Unwrap

func (wk *Keyset) Unwrap() UnwrappedKeyset

Unwrap returns the underlying UnwrappedKeyset, which is a latest-first slice of pointers to 32-byte arrays.

func (*Keyset) Validate

func (wk *Keyset) Validate() error

type RootSecret

type RootSecret = string

Base64-encoded 32-byte root secret. To generate new root secrets, run `openssl rand -base64 32`.

type RootSecrets

type RootSecrets []RootSecret

Latest-first slice of base64-encoded 32-byte root secrets. To generate new root secrets, run `openssl rand -base64 32`.

func LoadRootSecrets

func LoadRootSecrets(latestFirstEnvVarNames ...string) (RootSecrets, error)

Pass in a latest-first slice of environment variable names pointing to base64-encoded 32-byte root secrets. Example: LoadRootSecrets("CURRENT_SECRET", "PREVIOUS_SECRET")
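The pieces documented above (latest-first root secrets decoded from base64, a per-purpose Keyset derived with HKDF, and Attempt falling back to the previous key after a rotation) are easiest to see end to end in code. The following is an added example, not code from this package: it re-implements the documented API shape with the standard library only, under lowercase names (rootKeysetFromSecrets, HKDF, Attempt, rotationDemo) that are not the package's exported functions. Assumptions: cryptoutil.Key32 is treated as *[32]byte, HKDF is RFC 5869 with HMAC-SHA256 producing one 32-byte block, ApplicationName ("billing-api") is used as the HKDF salt and the purpose ("session-token") as the info string, and the token plaintext is constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key32 stands in for cryptoutil.Key32 (assumed *[32]byte); a Keyset is latest-first, index 0 is current.
type Key32 = *[32]byte
type Keyset []Key32

// rootKeysetFromSecrets decodes latest-first base64 root secrets, rejecting any
// that is not exactly 32 bytes so a truncated or mistyped secret fails loudly.
func rootKeysetFromSecrets(secrets ...string) (Keyset, error) {
	if len(secrets) == 0 {
		return nil, errors.New("keyset: no root secrets")
	}
	ks := make(Keyset, len(secrets))
	for i, s := range secrets {
		raw, err := base64.StdEncoding.DecodeString(s)
		if err != nil || len(raw) != 32 {
			return nil, fmt.Errorf("keyset: secret %d: want 32 base64-encoded bytes, got %d (%v)", i, len(raw), err)
		}
		ks[i] = (*[32]byte)(raw)
	}
	return ks, nil
}

// HKDF (RFC 5869 with HMAC-SHA256, one output block) derives a purpose-specific
// key from every root key, preserving latest-first order.
func (ks Keyset) HKDF(salt []byte, info string) Keyset {
	out := make(Keyset, len(ks))
	for i, k := range ks {
		ext := hmac.New(sha256.New, salt) // extract: PRK = HMAC(salt, IKM)
		ext.Write(k[:])
		exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T(1) = HMAC(PRK, info || 0x01)
		exp.Write([]byte(info))
		exp.Write([]byte{1})
		out[i] = (*[32]byte)(exp.Sum(nil))
	}
	return out
}

// Attempt calls f with each key, latest first, and returns the first success. f must
// fail under a wrong key (AEAD open, MAC verify) or the fallback cannot be detected.
func Attempt[R any](ks Keyset, f func(Key32) (R, error)) (R, error) {
	var zero R
	var errs []error
	for _, k := range ks {
		r, err := f(k)
		if err == nil {
			return r, nil
		}
		errs = append(errs, err)
	}
	return zero, fmt.Errorf("keyset: all %d keys failed: %w", len(ks), errors.Join(errs...))
}

// aesGCM wraps a derived key as an AEAD; neither constructor can fail for a 32-byte key.
func aesGCM(k Key32) cipher.AEAD {
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// rotationDemo seals a token under the only root key, rotates a fresh root in ahead of it,
// and lets Attempt fall back. It returns the plaintext and the index of the key that opened it.
func rotationDemo() (string, int, error) {
	const app, purpose = "billing-api", "session-token" // ApplicationName as salt, purpose as info
	var raw [64]byte // two fresh root secrets, as `openssl rand -base64 32` would produce
	rand.Read(raw[:])
	oldSecret, newSecret := base64.StdEncoding.EncodeToString(raw[:32]), base64.StdEncoding.EncodeToString(raw[32:])
	root, err1 := rootKeysetFromSecrets(oldSecret)
	rotated, err2 := rootKeysetFromSecrets(newSecret, oldSecret) // the new root goes first
	if err := errors.Join(err1, err2); err != nil {
		return "", -1, err
	}
	aead := aesGCM(root.HKDF([]byte(app), purpose)[0])
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nonce, nonce, []byte("session for user 42"), nil) // nonce || ciphertext || tag
	idx := -1
	pt, err := Attempt(rotated.HKDF([]byte(app), purpose), func(k Key32) ([]byte, error) {
		idx++
		a := aesGCM(k)
		return a.Open(nil, ct[:a.NonceSize()], ct[a.NonceSize():], nil)
	})
	return string(pt), idx, err
}

func main() {
	fmt.Println(rotationDemo())
}
```

Running it prints the recovered token and key index 1: the first attempt with the newly rotated key fails GCM authentication, and Attempt moves on to the previous key. Because the derived keyset is rebuilt from the root keyset on every rotation, the previous root only has to stay in the environment for as long as ciphertexts sealed under it must remain readable; dropping it from the latest-first list is what finally retires those ciphertexts.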

type UnwrappedKeyset

type UnwrappedKeyset []cryptoutil.Key32

Latest-first slice of pointers to 32-byte arrays.
