common

package
v0.0.0-...-a4b61b0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Nov 9, 2021 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

// X931_PAD_BYTE is the 0xBB filler byte of ANSI X9.31 padding. PadANSIX931
// documents the padded layout as 0x6B BB ... BB BA || hash || 0x34 CC.
const X931_PAD_BYTE byte = 0xBB
// X931_SIG_HASH_ID_SHA256 is the 0x34 hash identifier for SHA-256. In the
// layout documented for PadANSIX931 it sits between the hash and the final
// 0xCC byte.
const X931_SIG_HASH_ID_SHA256 byte = 0x34

Variables

// ASN1_BIT_STRING_TAG is the ASN.1 universal tag for BIT STRING.
// NOTE(review): this is declared with var, not const, so any importing
// package can reassign it at run time; the same holds for the other ASN1_*
// and PMTAG_* values in this package.
var ASN1_BIT_STRING_TAG byte = 0x03

* ASN.1 tag for BIT STRING

var ASN1_CONTEXT_SPECIFIC_TAG byte = 0x80

* ASN.1 tag for context-specific entry

var ASN1_INTEGER_TAG byte = 0x02

* ASN.1 tag for INTEGER

var ASN1_OCTET_STRING_TAG byte = 0x04

* ASN.1 tag for OCTET STRING

var ASN1_OID_TAG byte = 0x06

* ASN.1 tag for an object identifier (OID)

var ASN1_SEQUENCE_TAG byte = 0x30

* ASN.1 tag for SEQUENCE

// CryptoModulesFileName is the name of the file whose entries are
// CryptoModuleEntry records.
// NOTE(review): presumably resolved relative to the CLOUDTKEFILES directory
// that CheckSubdir switches to — confirm against callers.
var CryptoModulesFileName = "CRYPTOMODULES"
// DomainsFileName is the name of the file whose entries are DomainEntry
// records.
// NOTE(review): presumably resolved relative to the CLOUDTKEFILES directory
// that CheckSubdir switches to — confirm against callers.
var DomainsFileName = "DOMAINS"
var PMTAG_DOMAIN_ADMIN_CERTS string = "0x000B"

* Domain administrator certificates

var PMTAG_DOMAIN_ADMIN_SKIS string = "0x000A"

* Domain administrator subject key identifiers (SKIs)

var PMTAG_DOMAIN_ATTRIBUTES string = "0x000F"

* Domain attributes

var PMTAG_DOMAIN_CONTROL_POINTS string = "0x0017"

* Domain control points

var PMTAG_DOMAIN_QUERY_INFO string = "0x000C"

* Domain level information

var PMTAG_DOMAIN_TRANSACTION_COUNTER string = "0x0011"

* Domain transaction counter

var PMTAG_ENCR_KEY_PART string = "0x0019"

* ASN.1 structure containing an encrypted key part

var PMTAG_KPH_CERTIFICATE string = "0x001D"

* KPH certificate containing a public key

var PMTAG_M_POLICY string = "0x001C"

* M policy (number of key parts required to reconstruct the key)

var PMTAG_OA_CERTIFICATE string = "0x0015"

* OA certificate

var PMTAG_SIGNATURE_ENCR_KEY_PART string = "0x001A"

* ASN.1 structure containing an OA signature over encrypted key part

var PMTAG_STATE_SCOPE = "0x001F"

* Scope restrictions on a state export request

Functions

func Asn1EncodeLength

func Asn1EncodeLength(length int) []byte

----------------------------------------------------------------------------

Returns a DER-encoded length for a non-negative four-byte integer.

----------------------------------------------------------------------------

func Asn1FormBitString

func Asn1FormBitString(source []byte) []byte

#B@T372621CLH ----------------------------------------------------------------------------

Forms an ASN.1 BIT STRING containing the input byte stream.  Adds a 0x00
byte to the beginning of the source data.

----------------------------------------------------------------------------

func Asn1FormOctetString

func Asn1FormOctetString(source []byte) []byte

----------------------------------------------------------------------------

Forms an ASN.1 OCTET STRING containing the input byte stream.

----------------------------------------------------------------------------

func Asn1FormSequence

func Asn1FormSequence(elements [][]byte) []byte

----------------------------------------------------------------------------

Forms an ASN.1 SEQUENCE containing the set of input elements.

The input argument is an array of ASN.1 encoded elements that are
concatenated together to form the final SEQUENCE.

----------------------------------------------------------------------------

func Asn1GetIntegerBytes

func Asn1GetIntegerBytes(source []byte, offset int) ([]byte, error)

----------------------------------------------------------------------------

Interprets the byte stream at the specified offset as an INTEGER, and
returns the payload bytes without the INTEGER tag and length.

----------------------------------------------------------------------------

func Asn1GetLength

func Asn1GetLength(source []byte, offset int) (int, error)

----------------------------------------------------------------------------

Interprets the byte stream at the specified offset as a BER-encoded
length, and returns the length value.

----------------------------------------------------------------------------

func Asn1GetOctetStringBytes

func Asn1GetOctetStringBytes(source []byte, offset int) ([]byte, error)

----------------------------------------------------------------------------

Interprets the byte stream at the specified offset as an OCTET STRING,
and returns the payload bytes without the OCTET STRING tag and length.

----------------------------------------------------------------------------

func Asn1GetSequenceBytes

func Asn1GetSequenceBytes(source []byte, offset int) ([]byte, error)

----------------------------------------------------------------------------

Interprets the byte stream at the specified offset as a SEQUENCE, and
returns the payload bytes without the SEQUENCE tag and length.

----------------------------------------------------------------------------

func Asn1SkipInteger

func Asn1SkipInteger(source []byte, offset int) (int, error)

----------------------------------------------------------------------------

Returns an updated offset into a source byte stream when the stream is
interpreted as an INTEGER and we want to skip to the next field in the
stream.

----------------------------------------------------------------------------

func Asn1SkipLength

func Asn1SkipLength(source []byte, offset int) (int, error)

----------------------------------------------------------------------------

Returns an updated offset into a source byte stream when the stream is
interpreted as a BER-encoded length and we want to skip to the next field
in the stream.

----------------------------------------------------------------------------

func Asn1SkipOctetString

func Asn1SkipOctetString(source []byte, offset int) (int, error)

#B@T390301CLH ----------------------------------------------------------------------------

Returns an updated offset into a source byte stream when the stream is
interpreted as an OCTET STRING and we want to skip to the next field in
the stream.

----------------------------------------------------------------------------

func Asn1SkipSequence

func Asn1SkipSequence(source []byte, offset int) (int, error)

----------------------------------------------------------------------------

Returns an updated offset into a source byte stream when the stream is
interpreted as a SEQUENCE and we want to skip to the next field in the
stream.

----------------------------------------------------------------------------

func ByteSlicesAreEqual

func ByteSlicesAreEqual(a, b []byte) bool

----------------------------------------------------------------------------

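Checks whether two byte slices are equal. Nothing here says the comparison
runs in constant time, so do not rely on it for comparing secrets such as
MACs or key material; crypto/subtle.ConstantTimeCompare is the
standard-library function for that case.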

----------------------------------------------------------------------------

func Calc_vp

func Calc_vp(rawkey []byte) []byte

----------------------------------------------------------------------------

Calculates the verification pattern of an AES key part.

The verification pattern of a symmetric key is defined in section 6.7 of
the EP11 wire formats document as:
SHA_256( 01 || <raw_key> ), with the last four bytes set to zero.

In practice, the last four bytes do not appear to be set to zero, so that
step is commented out in the implementation.

----------------------------------------------------------------------------

func CalculateECKeyHash

func CalculateECKeyHash(pubKey ecdsa.PublicKey) []byte

----------------------------------------------------------------------------

Calculates the Subject Key Identifier of an EC key.

Inputs:
ecdsa.PublicKey pubKey -- the EC public key

Outputs:
[]byte -- the calculated subject key identifier

----------------------------------------------------------------------------

func CalculateRSAKeyHash

func CalculateRSAKeyHash(pubKey rsa.PublicKey) ([]byte, error)

----------------------------------------------------------------------------

Calculates the Subject Key Identifier for an RSA key.

Inputs:
rsa.PublicKey pubKey -- the RSA public key

Outputs:
[]byte -- the calculated subject key identifier
error -- reports any errors

----------------------------------------------------------------------------

func CheckSubdir

func CheckSubdir() error

----------------------------------------------------------------------------

Checks that the CLOUDTKEFILES environment variable is set and points to
a usable subdirectory on the local workstation.

Also changes the current working subdirectory to the directory identified
by CLOUDTKEFILES.

----------------------------------------------------------------------------

func CreateGetHsmsRequest

func CreateGetHsmsRequest(authToken string, urlStart string,
	cryptoInstance string) *rest.Request

----------------------------------------------------------------------------

Creates the HTTP request for querying the domains for a crypto instance.

----------------------------------------------------------------------------

func CreateGetPublicKeyRequest

func CreateGetPublicKeyRequest(sigkeyToken string, urlStart string,
	sigkey string) *rest.Request

----------------------------------------------------------------------------

Creates an HTTP request to a signing service specified by the user to
return the public part of a signature key

----------------------------------------------------------------------------

func CreatePostHsmsRequest

func CreatePostHsmsRequest(authToken string, urlStart string,
	cryptoInstance string, hsmId string, htpRequest string) *rest.Request

----------------------------------------------------------------------------

Creates the HTTP request for sending an HTPRequest to a TKE catcher
program.

----------------------------------------------------------------------------

func CreateSignDataRequest

func CreateSignDataRequest(sigkeyToken string, urlStart string,
	sigkey string, dataToSign string) *rest.Request

----------------------------------------------------------------------------

Creates an HTTP request to a signing service specified by the user to
sign data using a signature key

----------------------------------------------------------------------------

func Decrypt

func Decrypt(data []byte, key []byte) ([]byte, error)

----------------------------------------------------------------------------

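Decrypts ciphertext using an AES key.

The input data is a nonce followed by the ciphertext.
Returns the plaintext.  The cipher mode is not stated here; if it is an
authenticated mode, as the nonce-prefixed layout suggests, a returned error
also covers data that fails authentication, so callers should discard the
output whenever the error is non-nil.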

----------------------------------------------------------------------------

func Derive_aes_key

func Derive_aes_key(passwd string, salt string) ([]byte, []byte)

----------------------------------------------------------------------------

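Derives an AES key from a password.

This hashes the password 4096 times to get the AES key.  A previously
used salt value may be supplied for existing files; otherwise a random
salt value is generated and used.  The two returned byte slices are
presumably the derived key and the salt that was used.

The hash function and construction are not named here.  A fixed count of
4096 iterations is low by current password-hashing guidance, so the
strength of anything protected by this key rests largely on the password
itself.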

----------------------------------------------------------------------------

func Encrypt

func Encrypt(plaintext []byte, aeskey []byte) ([]byte, error)

----------------------------------------------------------------------------

Encrypts plaintext using an AES key.

Returns a nonce followed by the ciphertext, which is the layout Decrypt
expects as input.  How the nonce is generated is not documented here.

----------------------------------------------------------------------------

func FourByteSliceToInt

func FourByteSliceToInt(theSlice []byte) int

func GetBaseURL

func GetBaseURL(apiEndPoint string, region string) (string, error)

----------------------------------------------------------------------------

Determines the base URL to use for HTTP requests to the IBM Cloud

----------------------------------------------------------------------------

func GetDomainIndexFromLocation

func GetDomainIndexFromLocation(location string) int

----------------------------------------------------------------------------

Returns the domain index from a location string

----------------------------------------------------------------------------

func GetPartialLocation

func GetPartialLocation(location string) string

----------------------------------------------------------------------------

Returns the part of the location string that identifies a crypto module.
That is, everything except the domain index at the end.

----------------------------------------------------------------------------

func GetPublicKeyFromSigningService

func GetPublicKeyFromSigningService(ssURL string, sigkey string, sigkeyToken string) ([]byte, error)

----------------------------------------------------------------------------

Gets the public key from a signing service

Inputs:
string -- base URL for the signing service
string -- identifies the signature key to be accessed
string -- authentication token for the signature key to be accessed

Outputs:
[]byte -- the public key.  Only P521 EC signature keys are supported.
    This will be a point-format byte (0x04, which marks an uncompressed
    point) followed by a 66-byte X value and a 66-byte Y value.
error -- reports any error encountered during processing

----------------------------------------------------------------------------

func IsBitSet

func IsBitSet(data []byte, bitnum int) bool

----------------------------------------------------------------------------

Checks if a bit in a []byte is set.

----------------------------------------------------------------------------

func PadANSIX931

func PadANSIX931(data []byte, offset int, length int, sigbits int) []byte

----------------------------------------------------------------------------

Adds ANSI X9.31 formatting to the input hash.

The goal is to create a result that looks like:
0x6B BB ... BB BA || hash || 0x34 CC

Inputs:
   data -- contains the hash to be padded
   offset -- starting offset of the hash to be padded
   length -- length in bytes of the hash to be padded
   sigbits -- length in bits of the signature

Returns the padded hash.

----------------------------------------------------------------------------

func SignWithP521ECKey

func SignWithP521ECKey(dataToSign []byte, pemBytes []byte, savedSKI string) ([]byte, error)

----------------------------------------------------------------------------

Signs the input data using a P521 EC key.

Inputs:
[]byte dataToSign -- the data to be signed
[]byte pemBytes -- PEM encoded representation of EC private key
string savedSKI -- subject key identifier for the EC public key from the
    signature key file, represented as a hexadecimal string

Outputs:
[]byte -- the EC signature.  This is an ASN.1 sequence containing two
    integers.
error -- reports any errors

----------------------------------------------------------------------------

func SignWithRSA2048Key

func SignWithRSA2048Key(dataToSign []byte, pemBytes []byte, savedSKI string) ([]byte, error)

----------------------------------------------------------------------------

Signs the input data using a 2048-bit RSA key.

A SHA-256 hash is calculated over dataToSign.  This is padded using the
ANSI X9.31 method, and the result is enciphered using the RSA private key.

Inputs:
[]byte dataToSign -- the data to be signed
[]byte pemBytes -- PEM encoded representation of RSA private key
string savedSKI -- subject key identifier for the RSA public key from the
    signature key file, represented as a hexadecimal string

Outputs:
[]byte -- the RSA signature.  Padded with leading zeroes if needed to make
    it 256 bytes long.
error -- reports any errors

----------------------------------------------------------------------------

func SignWithSignatureKey

func SignWithSignatureKey(dataToSign []byte, sigkey string, sigkeyToken string) ([]byte, error)

----------------------------------------------------------------------------

Signs the input data.  Checks the TKE_SIGNSERV_URL environment variable.
If set, uses a signing service provided by the user to sign the data.
Otherwise, assumes signature keys are in files on the local workstation.

Inputs:
dataToSign []byte -- the data to be signed
sigkey string -- identifies the signature key to use
sigkeyToken string -- authentication token for the signature key

Outputs:
[]byte -- the calculated signature
error -- any error encountered

----------------------------------------------------------------------------

func SignWithSignatureKeyFile

func SignWithSignatureKeyFile(dataToSign []byte, sigkey string, sigkeyToken string) ([]byte, error)

----------------------------------------------------------------------------

Signs the input data using the private key in a signature key file.
The signature key could be either a 2048-bit RSA key or a P521 EC key.

Inputs:
dataToSign []byte -- the data to be signed
sigkey string -- identifies the signature key to use
sigkeyToken string -- authentication token for the signature key

Outputs:
[]byte -- the calculated signature
error -- any error encountered

----------------------------------------------------------------------------

func Signature256

func Signature256(dataToSign []byte, rsaKey *rsa.PrivateKey) []byte

----------------------------------------------------------------------------

Calculate a 256 byte RSA signature

----------------------------------------------------------------------------

func SubmitHTPRequest

func SubmitHTPRequest(req *rest.Request) (htpResponse string, err error)

----------------------------------------------------------------------------

Submits the POST /hsms request that sends an HTPRequest to a TKE catcher
program.

Returns the HTPResponse string from the TKE catcher program.

----------------------------------------------------------------------------

func SubmitQueryDomainsRequest

func SubmitQueryDomainsRequest(req *rest.Request) ([]string, []string,
	[]string, []string, error)

----------------------------------------------------------------------------

Submits the GET /hsms request that queries the Cloud for the domains
associated with a crypto instance.

Input:
*rest.Request -- the GET /hsms request to be sent to the cloud.

Outputs:
[]string -- hsm_ids of each domain in the crypto instance
[]string -- locations of the crypto modules for each domain
[]string -- serial numbers of the crypto modules for each domain
[]string -- hsm_types, "recovery" or "operational"
error -- reports any errors for the operation

----------------------------------------------------------------------------

func SubmitQueryPublicKeyRequest

func SubmitQueryPublicKeyRequest(req *rest.Request) (string, error)

----------------------------------------------------------------------------

Submits a GET /keys request to a signing service to retrieve the public
part of a signature key.

Input:
*rest.Request -- the GET /keys request to be sent to the signing service

Outputs:
string -- the base64 encoded public key
error -- reports any errors for the operation

----------------------------------------------------------------------------

func SubmitSignDataRequest

func SubmitSignDataRequest(req *rest.Request) (string, error)

----------------------------------------------------------------------------

Submits a POST /sign request to a signing service to sign the supplied
data.

Input:
*rest.Request -- the POST /sign request to be sent to the signing service

Outputs:
string -- the base64 encoded signature
error -- reports any errors for the operation

----------------------------------------------------------------------------

func Uint32To4ByteSlice

func Uint32To4ByteSlice(theInt uint32) []byte

Types

type AdminInfo

// AdminInfo groups a DomainEntry with a Name and a Ski string.
// NOTE(review): Ski is presumably the administrator's subject key identifier
// (this package uses "SKI" for that elsewhere); its encoding is not shown
// here — confirm against callers.
type AdminInfo struct {
	Domain DomainEntry
	Name   string
	Ski    string
}

type CryptoModuleEntry

// CryptoModuleEntry is one entry in the CRYPTOMODULES file. It records a
// serial number and a public key under the JSON keys "serial_num" and
// "public_key".
// NOTE(review): the encoding of Public_key is not shown here, and nothing
// visible says how the file's integrity is protected — confirm before
// treating a stored key as trusted.
type CryptoModuleEntry struct {
	Serial_num string `json:"serial_num"`
	Public_key string `json:"public_key"`
}

* Entry in the CRYPTOMODULES file

type DomainEntry

// DomainEntry is one entry in the DOMAINS file and describes a single domain.
// Each comment inside the struct documents the field declared just above it.
type DomainEntry struct {
	Domain_num int    `json:"domain_num"`
	Hsm_id     string `json:"hsm_id"`
	// Hsm_id: UUID for this particular domain
	Crypto_instance_id string `json:"crypto_instance_id"`
	// Crypto_instance_id: UUID for the crypto instance containing this domain
	Location string `json:"location"`
	// Location: describes the location of the domain
	// Format is [Availability zone].[Host].[Crypto module index].[domain index]
	Serial_num string `json:"serial_num"`
	Public_key string `json:"public_key"`
	Type       string `json:"type"` //@T390301CLH
	// Type: "operational" or "recovery"  //@T407032CLH
	Selected bool `json:"selected"`
}

* Entry in the DOMAINS file describing a single domain

func (DomainEntry) GetCryptoModuleIndex

func (de DomainEntry) GetCryptoModuleIndex() int

----------------------------------------------------------------------------

Returns the crypto module index from the Location field of a DomainEntry

----------------------------------------------------------------------------

func (DomainEntry) GetDomainIndex

func (de DomainEntry) GetDomainIndex() int

----------------------------------------------------------------------------

Returns the domain index from the Location field of a DomainEntry

----------------------------------------------------------------------------

type DomainEntryNoType

// DomainEntryNoType is an entry in the DOMAINS file describing a single
// domain, in the variant that has no "type" field.
// Each comment inside the struct documents the field declared just above it.
type DomainEntryNoType struct {
	Domain_num int    `json:"domain_num"`
	Hsm_id     string `json:"hsm_id"`
	// Hsm_id: UUID for this particular domain
	Crypto_instance_id string `json:"crypto_instance_id"`
	// Crypto_instance_id: UUID for the crypto instance containing this domain
	Location string `json:"location"`
	// Location: describes the location of the domain
	// Format is [Availability zone].[Host].[Crypto module index].[domain index]
	Serial_num string `json:"serial_num"`
	Public_key string `json:"public_key"`
	Selected   bool   `json:"selected"`
}
  • Entry in the DOMAINS file describing a single domain. This version lacks a "type" field.

type ECPublicKey

// ECPublicKey holds the two big integers X and Y of an EC public key and is
// used to work with the ASN.1 sequence that represents such a key.
// NOTE(review): the type itself carries no curve and performs no on-curve
// check; presumably callers validate the point before use — confirm.
type ECPublicKey struct {
	X *big.Int
	Y *big.Int
}

* Used to work with an ASN.1 sequence representing an EC public key

type ECSignature

// ECSignature holds the two big integers R and S and is used to create the
// ASN.1 sequence that represents an EC signature.
type ECSignature struct {
	R *big.Int
	S *big.Int
}

* Used to create an ASN.1 sequence representing an EC signature

type Location

// Location holds the four parts of a location string; ParseLocation returns
// a *Location. DomainEntry documents the string format as
// [Availability zone].[Host].[Crypto module index].[domain index].
// NOTE(review): the mapping of each part to a field is inferred from the
// field names — confirm against ParseLocation.
type Location struct {
	AvailZone   string
	HostSystem  string
	CMIndex     int
	DomainIndex int
}

func ParseLocation

func ParseLocation(location string) (result *Location, err error)

type ParameterMap

// ParameterMap works with ASN.1 sequences of the form defined in section 5.3
// ("Serialized module state") of the EP11 wire formats document. Its fields
// are unexported; it is used through NewParameterMap, Put, Load,
// GetDataUsingIndex, GetAuxInt and GenerateBytes.
// NOTE(review): Put has a value receiver and returns nothing, so the hidden
// fields presumably include a reference type such as a map; a zero-value
// ParameterMap may therefore be unusable — create one with NewParameterMap.
type ParameterMap struct {
	// contains filtered or unexported fields
}

----------------------------------------------------------------------------

Type for working with ASN.1 sequences of the form defined in section 5.3
("Serialized module state") of the EP11 wire formats document.

Export WK and Export pending WK use ASN.1 sequences of this form for their
input and output parameters.

----------------------------------------------------------------------------

func NewParameterMap

func NewParameterMap() ParameterMap

----------------------------------------------------------------------------

Creates a new parameter map and initializes it to empty.

----------------------------------------------------------------------------

func (ParameterMap) GenerateBytes

func (pm ParameterMap) GenerateBytes() []byte

----------------------------------------------------------------------------

Returns an ASN.1 sequence of octet strings for the parameters in the map.

Output:
[]byte -- ASN.1 sequence

----------------------------------------------------------------------------

func (ParameterMap) GetAuxInt

func (pm ParameterMap) GetAuxInt(tag string) uint32

----------------------------------------------------------------------------

Returns the auxiliary integer associated with a parameter entry.

Input:
string -- tag identifying the parameter to retrieve

Output:
uint32 -- integer value associated with the parameter

----------------------------------------------------------------------------

func (ParameterMap) GetDataUsingIndex

func (pm ParameterMap) GetDataUsingIndex(tag string, index uint32) []byte

----------------------------------------------------------------------------

Returns data from a parameter map when an index value is used.

Inputs:
string -- tag identifying the parameter to retrieve
uint32 -- index value to combine with the tag

Output:
[]byte -- the parameter from the map, nil if no map entry exists

----------------------------------------------------------------------------

func (ParameterMap) Load

func (pm ParameterMap) Load(data []byte) (ParameterMap, error)

----------------------------------------------------------------------------

Initializes a parameter map using an input ASN.1 sequence of the form
described in section 5.3 of the EP11 wire formats document.

Input:
[]byte -- input ASN.1 sequence

Outputs:
ParameterMap -- the updated parameter map
error -- reports invalid ASN.1 input sequence

----------------------------------------------------------------------------

func (ParameterMap) Put

func (pm ParameterMap) Put(tag string, index uint32, data []byte)

----------------------------------------------------------------------------

Adds a value to a parameter map.

Inputs:
string -- tag identifying the parameter to add
uint32 -- index or associated integer
[]byte -- additional data

----------------------------------------------------------------------------

type RotateStatus

// RotateStatus carries a Status and a Message string, serialized under the
// JSON keys "status" and "message". What produces or consumes it is not
// shown here.
type RotateStatus struct {
	Status  string `json:"status"`
	Message string `json:"message"`
}
