keystores

package module
v0.0.0-...-e3b57d9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 21, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

README

go-keystores

Manage cryptographic keystores.

Object model

Keystore provider

A keystore provider is a software module that provides a keystore implementation. It can create and/or open a keystore instance. A keystore provider can the built-in in-memory provider, an interface to a specific a hardware, or a connection factory to a cloud service.

Usage examples

How to use Keystore to protect TLS key

How to use Keystore to protect passwords

How to use Keystore to sign audit logs

https://docs.oracle.com/cd/E36784_01/html/E36870/pktool-1.html

https://smallstep.com/blog/everything-pki/

PKCS 11 Samples in Go using SoftHSM:

https://github.com/salrashid123/go_pkcs11

Documentation

Index

Constants

View Source 
const KeyUsageAgree = "agree"
View Source 
const KeyUsageDecrypt = "decrypt"
View Source 
const KeyUsageDerive = "derive"
View Source 
const KeyUsageSign = "sign"
View Source 
const KeyUsageUnwrap = "unwrap"

Variables

View Source 
var (
	ErrNotImplemented                  = errors.New("not implemented yet")
	ErrAlgorithmNotSupportedByKeyStore = errors.New("algorithm not supported by key store")
	ErrOperationNotSupportedByKeyStore = errors.New("operation not supported by key store")
)
View Source 
var (
	ErrAlreadyOpen   = errors.New("already open")
	ErrAlreadyClosed = errors.New("already closed")
)
View Source 
var ECCAlgorithmByOid = make(map[string]*KeyAlgorithm)
View Source 
var (
	ErrOperationNotSupportedByKeyPair = errors.New("operation not supported by key pair")
)
View Source 
var (
	ErrOperationNotSupportedByProvider = errors.New("operation not supported by keystore provider")
)
View Source 
var ErrorHandler func(err error, context ...interface{}) error
View Source 
var KeyAlgECP224 = KeyAlgorithm{
	Oid:      asn1.ObjectIdentifier{1, 3, 132, 0, 33},
	ECCCurve: elliptic.P224(),
	Name:     "NIST P-224",
}
View Source 
var KeyAlgECP256 = KeyAlgorithm{
	Oid:      asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7},
	ECCCurve: elliptic.P256(),
	Name:     "NIST P-256",
}
View Source 
var KeyAlgECP384 = KeyAlgorithm{
	Oid:      asn1.ObjectIdentifier{1, 3, 132, 0, 34},
	ECCCurve: elliptic.P384(),
	Name:     "NIST P-384",
}
View Source 
var KeyAlgECP521 = KeyAlgorithm{
	Oid:      asn1.ObjectIdentifier{1, 3, 132, 0, 35},
	ECCCurve: elliptic.P521(),
	Name:     "NIST P-521",
}
View Source 
var KeyAlgEd25519 = KeyAlgorithm{
	Oid:  asn1.ObjectIdentifier{1, 3, 101, 112},
	Name: "Ed25519",
}
View Source 
var KeyAlgEd448 = KeyAlgorithm{
	Oid:  asn1.ObjectIdentifier{1, 3, 101, 113},
	Name: "Ed448",
}
View Source 
var KeyAlgRSA1024 = KeyAlgRSA(1024)
View Source 
var KeyAlgRSA2048 = KeyAlgRSA(2048)
View Source 
var KeyAlgRSA3072 = KeyAlgRSA(3072)
View Source 
var KeyAlgRSA4096 = KeyAlgRSA(4096)

Functions

func EnsureClosed 

func EnsureClosed(obj Openable) error

func EnsureOpen 

func EnsureOpen(obj Openable) error

func MustClosed 

func MustClosed(obj Openable)

func PublicKeyFromPrivate 

func PublicKeyFromPrivate(privKey crypto.PrivateKey) (crypto.PublicKey, error)

Types

type AsyncKeyPair 

type AsyncKeyPair interface {
	Id(ctx context.Context) <-chan KeyPairId
	Label(ctx context.Context) <-chan string
	SetLabel(ctx context.Context, label string) (errCh <-chan error)
	Algorithm(ctx context.Context) <-chan KeyAlgorithm
	KeyUsage(ctx context.Context) <-chan []KeyUsage
	KeyStore(ctx context.Context) <-chan AsyncKeyStore
	Public(ctx context.Context) <-chan crypto.PublicKey
	Sign(ctx context.Context, rand io.Reader, digest []byte, opts crypto.SignerOpts) (signatureCh <-chan []byte, errCh <-chan error)
	Decrypt(ctx context.Context, rand io.Reader, msg []byte, opts crypto.DecrypterOpts) (plaintextCh <-chan []byte, errCh <-chan error)
	ExportPrivate(ctx context.Context) (privKeyCh <-chan crypto.PrivateKey, errCh <-chan error)
	Destroy(ctx context.Context) <-chan error
	Verify(ctx context.Context, signature []byte, digest []byte, opts crypto.SignerOpts) <-chan error
	Attestation(ctx context.Context, nonce []byte) (att <-chan Attestation, errCh <-chan error)
}

type AsyncKeyStore 

type AsyncKeyStore interface {
	Id(ctx context.Context) <-chan string
	Name(ctx context.Context) <-chan string
	Open(ctx context.Context) <-chan error
	Close(ctx context.Context) <-chan error
	IsOpen(ctx context.Context) <-chan bool
	Reload(ctx context.Context) <-chan error
	SupportedPrivateKeyAlgorithms(ctx context.Context) <-chan KeyAlgorithm
	KeyPairs(ctx context.Context) (<-chan AsyncKeyPair, <-chan error)
	CreateKeyPair(ctx context.Context, opts GenKeyPairOpts) (<-chan AsyncKeyPair, <-chan error)
	ImportKeyPair(ctx context.Context, der []byte) (<-chan AsyncKeyPair, <-chan error)
}

type AsyncProvider 

type AsyncProvider interface {
	AsyncKeyStores(ctx context.Context) (chan KeyStore, chan error)
}

type Attestation 

type Attestation []byte

type DynamicProvider 

type DynamicProvider interface {
	Provider
	OnConnected(handler func(store KeyStore) error)
	OnDisconnected(handler func(store KeyStore) error)
}

type GenKeyPairOpts 

type GenKeyPairOpts struct {
	Algorithm  KeyAlgorithm
	Label      string
	KeyUsage   map[KeyUsage]bool
	Exportable bool
	Ephemeral  bool
}

GenKeyPairOpts controls the key pair generation or import

type KeyAlgorithm 

type KeyAlgorithm struct {
	Oid          asn1.ObjectIdentifier
	RSAKeyLength int
	ECCCurve     elliptic.Curve
	Name         string
}

func AlgorithmFromPublicKey 

func AlgorithmFromPublicKey(pubKey crypto.PublicKey) (KeyAlgorithm, error)

func KeyAlgRSA 

func KeyAlgRSA(keyLength int) KeyAlgorithm

func (KeyAlgorithm) Equal 

func (ka KeyAlgorithm) Equal(other KeyAlgorithm) bool

func (KeyAlgorithm) String 

func (ka KeyAlgorithm) String() string

type KeyPair 

type KeyPair interface {
	Id() KeyPairId
	Label() string
	SetLabel(label string) error
	Algorithm() KeyAlgorithm
	KeyUsage() map[KeyUsage]bool
	KeyStore() KeyStore
	Public() crypto.PublicKey
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error)
	ExportPrivate() (privKey crypto.PrivateKey, err error)
	Destroy() error
	Verify(signature []byte, digest []byte, opts crypto.SignerOpts) (err error)
	ECDH(remote *ecdsa.PublicKey) ([]byte, error)
	Attestation(nonce []byte) (att Attestation, err error)
}

type KeyPairId 

type KeyPairId string

func GenerateKeyPairIdFromPubKey 

func GenerateKeyPairIdFromPubKey(pubKey crypto.PublicKey) (KeyPairId, error)

func IdFromPublicKey 

func IdFromPublicKey(pubKey crypto.PublicKey) (KeyPairId, error)

type KeyStore 

type KeyStore interface {
	// Unique identifier within the provider. The returned Id must be URL safe.
	Id() string
	Name() string
	Open() error
	Close() error
	IsOpen() bool
	Reload() error
	SupportedPrivateKeyAlgorithms() []KeyAlgorithm
	KeyPairById(id KeyPairId) KeyPair
	KeyPairs(reload bool) (map[KeyPairId]KeyPair, error)
	CreateKeyPair(opts GenKeyPairOpts) (kp KeyPair, err error)
	ImportKeyPair(privKey crypto.PrivateKey, opts GenKeyPairOpts) (kp KeyPair, err error)
}

type KeyUsage 

type KeyUsage string

type Openable 

type Openable interface {
	Open() error
	Close() error
	IsOpen() bool
}

type Provider 

type Provider interface {
	KeyStores() ([]KeyStore, error)
	Open() error
	Close() error
	IsOpen() bool
}

Source Files

View all Source files

Directories

Path Synopsis
cmd
etokentest
gks
yktest

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.