Package local

v0.11.0 (this package is not in the latest version of its module)

Published: Jun 9, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package local is the on-disk PEM-encoded RSA private key backend for pkg/signing. Blank-import to activate; the init() call registers the backend under the name "local" against pkg/signing's global registry.

import _ "gitlab.com/phpboyscout/go-tool-base/pkg/signing/local"

The backend reads a PEM file from disk (path supplied via the command-line --key-id) and returns its *rsa.PrivateKey as a crypto.Signer. Pairs with `gtb keys generate --algorithm rsa` for the tutorial / no-cloud-KMS path — the generate command produces a PEM private half that this backend consumes.

Supported PEM formats:

  • Unencrypted PKCS#1 RSA private key (header "-----BEGIN RSA PRIVATE KEY-----").
  • Unencrypted PKCS#8 (header "-----BEGIN PRIVATE KEY-----").

Encrypted-PKCS#8 PEMs are not supported in v0.1 — the standard library does not expose PKCS#8 decryption. Operators who need at-rest encryption should either use the aws-kms backend (recommended for production) or encrypt the PEM file at the filesystem layer (LUKS, FileVault, age). Adding encrypted-PKCS#8 support is additive and slated for v0.2 if a real consumer asks.

Non-RSA keys in the PEM file are rejected — Ed25519 / ECDSA in PEM flowing through this backend is unsupported in v0.1 (the only consumer is `gtb keys mint`, which currently only mints RSA via this path).

Index

Constants

This section is empty.

Variables

var (
	// ErrUnsupportedKeyType is returned when the PEM file contains
	// a non-RSA key (Ed25519, ECDSA, etc.). v0.1 only supports RSA
	// via the local backend.
	ErrUnsupportedKeyType = errors.New("PEM key is not RSA; only RSA private keys are supported")

	// ErrMissingPEMBlock is returned when the file decodes to zero
	// PEM blocks (e.g. the file is empty or contains only comments).
	ErrMissingPEMBlock = errors.New("no PEM block found in file")

	// ErrEncryptedPEMUnsupported is returned when the PEM block is
	// encrypted — the standard library does not expose a clean PKCS#8
	// decryption path. v0.1 operators who need encryption use the
	// aws-kms backend or filesystem-level encryption.
	ErrEncryptedPEMUnsupported = errors.New("encrypted PEM private keys are not supported in v0.1; decrypt out-of-band first or use the aws-kms backend")
)

Exported sentinel errors so callers (and tests) can errors.Is against specific failure modes.

Functions

func NewSigner

func NewSigner(_ context.Context, path string) (crypto.Signer, error)

NewSigner is the programmatic constructor for callers that bypass the global pkg/signing registry. The path is the on-disk PEM file. Most callers should use `signing.Get("local")` instead; this exists for integration tests and ad-hoc programmatic use.

Types

This section is empty.
