Index ¶
- Constants
- Variables
- func Backend(ctx context.Context, conf *logical.BackendConfig) (*backend, error)
- func Canonicalize(nsPath string) string
- func ContextWithNamespace(ctx context.Context, ns *Namespace) context.Context
- func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func GetCacheSizeFromStorage(ctx context.Context, s logical.Storage) (int, error)
- func RootContext(ctx context.Context) context.Context
- func SplitIDFromString(input string) (string, string)
- type BatchRequestItem
- type DecryptBatchResponseItem
- type EncryptBatchResponseItem
- type KeyData
- type KeyType
- type LockManager
- func (lm *LockManager) BackupPolicy(ctx context.Context, storage logical.Storage, name string) (string, error)
- func (lm *LockManager) DeletePolicy(ctx context.Context, storage logical.Storage, name string) error
- func (lm *LockManager) GetCacheSize() int
- func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io.Reader) (retP *Policy, retUpserted bool, retErr error)
- func (lm *LockManager) GetUseCache() bool
- func (lm *LockManager) InitCache(cacheSize int) error
- func (lm *LockManager) InvalidatePolicy(name string)
- func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string, force bool) error
- type Namespace
- type Policy
- func (p *Policy) Backup(ctx context.Context, storage logical.Storage) (out string, retErr error)
- func (p *Policy) Decrypt(context, nonce []byte, value string) (string, error)
- func (p *Policy) DeriveKey(context, salt []byte, ver int, numBytes int) ([]byte, error)
- func (p *Policy) Encrypt(ver int, context, nonce []byte, value string) (string, error)
- func (p *Policy) GetKey(context []byte, ver, numBytes int) ([]byte, error)
- func (p *Policy) HMACKey(version int) ([]byte, error)
- func (p *Policy) LoadArchive(ctx context.Context, storage logical.Storage) (*archivedKeys, error)
- func (p *Policy) Lock(exclusive bool)
- func (p *Policy) MigrateKeyToKeysMap()
- func (p *Policy) NeedsUpgrade() bool
- func (p *Policy) Persist(ctx context.Context, storage logical.Storage) (retErr error)
- func (p *Policy) Rotate(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)
- func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error)
- func (p *Policy) Serialize() ([]byte, error)
- func (p *Policy) Sign(ver int, input []byte, marshaling keysutil.MarshalingType) (*keysutil.SigningResult, error)
- func (p *Policy) SymmetricDecryptRaw(encKey, ciphertext []byte, opts SymmetricOpts) ([]byte, error)
- func (p *Policy) SymmetricEncryptRaw(ver int, encKey, plaintext []byte, opts SymmetricOpts) ([]byte, error)
- func (p *Policy) Unlock()
- func (p *Policy) Upgrade(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)
- func (p *Policy) VerifySignature(input []byte, marshaling keysutil.MarshalingType, sig string) (bool, error)
- type PolicyConfig
- type PolicyRequest
- type SymmetricOpts
Constants ¶
// KDF identifiers stored in Policy.KDF / PolicyConfig.KDF; they select how a
// derived key is computed from the context (see Policy.DeriveKey).
// Careful with iota: nothing may be added before Kdf_hmac_sha256_counter in
// this block, because the zero value (what an unset or older serialized KDF
// field decodes to) must remain the old-style KDF.
const (
	Kdf_hmac_sha256_counter = iota // built-in helper
	Kdf_hkdf_sha256                // golang.org/x/crypto/hkdf
)
Careful with iota: do not put anything before it in this const block, because the zero value must remain the old-style KDF.
// Supported key types (see KeyType and its *Supported methods).
// As with the KDF constants, nothing may be added before KeyType_SM4_GCM96:
// the zero value must remain the original SM4-GCM96 type so that a policy
// without an explicit type keeps its historical meaning.
const (
	KeyType_SM4_GCM96 = iota
	KeyType_ECDSA_SM2
)
The same applies to this block: the zero value must remain the original SM4-GCM96 type.
const (
	// RootNamespaceID is the ID carried by RootNamespace.
	RootNamespaceID = "root"
)
Variables ¶
var (
	// ErrNoNamespace signals that no namespace is available; presumably
	// returned by namespace lookups (see FromContext) — confirm against callers.
	ErrNoNamespace error = errors.New("no namespace")

	// RootNamespace is the root namespace: ID RootNamespaceID and an empty Path.
	RootNamespace *Namespace = &Namespace{
		ID:   RootNamespaceID,
		Path: "",
	}
)
// ErrInvalidKeyName is the error for a key name that is rejected because it
// looks like a path; key names are used when building storage paths, so
// path-like names must not be accepted.
var ErrInvalidKeyName = errors.New("key names cannot be paths")
Functions ¶
func Canonicalize ¶ added in v0.2.2
Canonicalize trims any prefix '/' and adds a trailing '/' to the provided string
func ContextWithNamespace ¶ added in v0.2.2
func GetCacheSizeFromStorage ¶
func SplitIDFromString ¶ added in v0.2.2
Types ¶
type BatchRequestItem ¶
// BatchRequestItem represents a single item of a batch encrypt or decrypt
// request. Context and Nonce arrive base64-encoded; DecodedContext and
// DecodedNonce hold the decoded bytes.
type BatchRequestItem struct {
	// Context for key derivation. This is required for derived keys.
	Context string `json:"context" structs:"context" mapstructure:"context"`

	// DecodedContext is the base64 decoded version of Context
	DecodedContext []byte

	// Plaintext for encryption
	Plaintext string `json:"plaintext" structs:"plaintext" mapstructure:"plaintext"`

	// Ciphertext for decryption
	Ciphertext string `json:"ciphertext" structs:"ciphertext" mapstructure:"ciphertext"`

	// Nonce to be used when v1 convergent encryption is used
	Nonce string `json:"nonce" structs:"nonce" mapstructure:"nonce"`

	// The key version to be used for encryption
	KeyVersion int `json:"key_version" structs:"key_version" mapstructure:"key_version"`

	// DecodedNonce is the base64 decoded version of Nonce
	DecodedNonce []byte
}
BatchRequestItem represents a request item for batch processing
type DecryptBatchResponseItem ¶
// DecryptBatchResponseItem is the per-item result of a batch decrypt request.
// Exactly one of Plaintext or Error is expected to be meaningful for an item.
type DecryptBatchResponseItem struct {
	// Plaintext for the ciphertext present in the corresponding batch
	// request item
	Plaintext string `json:"plaintext" structs:"plaintext" mapstructure:"plaintext"`

	// Error, if set represents a failure encountered while decrypting a
	// corresponding batch request item
	Error string `json:"error,omitempty" structs:"error" mapstructure:"error"`
}
type EncryptBatchResponseItem ¶
// EncryptBatchResponseItem represents a response item for batch processing
// of an encrypt request.
type EncryptBatchResponseItem struct {
	// Ciphertext for the plaintext present in the corresponding batch
	// request item
	Ciphertext string `json:"ciphertext,omitempty" structs:"ciphertext" mapstructure:"ciphertext"`

	// KeyVersion defines the key version used to encrypt plaintext.
	KeyVersion int `json:"key_version,omitempty" structs:"key_version" mapstructure:"key_version"`

	// Error, if set represents a failure encountered while encrypting a
	// corresponding batch request item
	Error string `json:"error,omitempty" structs:"error" mapstructure:"error"`
}
EncryptBatchResponseItem represents a response item for batch processing
type KeyData ¶
// KeyData bundles a Policy with its archived key versions (see
// Policy.LoadArchive). Presumably the unit handled by backup and restore
// (Policy.Backup / LockManager.RestorePolicy) — confirm against those callers.
type KeyData struct {
	Policy       *Policy       `json:"policy"`
	ArchivedKeys *archivedKeys `json:"archived_keys"`
}
type KeyType ¶
// KeyType identifies the kind of key a Policy holds (see the KeyType_*
// constants); its *Supported methods report which operations a type allows.
type KeyType int
func (KeyType) DecryptionSupported ¶
func (KeyType) DerivationSupported ¶
func (KeyType) EncryptionSupported ¶
func (KeyType) HashSignatureInput ¶
func (KeyType) SigningSupported ¶
type LockManager ¶
// LockManager loads Policy objects from storage, optionally caches them
// (useCache / cacheSize in NewLockManager), and serializes access to them.
// See GetPolicy for the lock-ownership contract when caching is disabled.
type LockManager struct {
	// contains filtered or unexported fields
}
func NewLockManager ¶
func NewLockManager(useCache bool, cacheSize int) (*LockManager, error)
func (*LockManager) BackupPolicy ¶
func (*LockManager) DeletePolicy ¶
func (*LockManager) GetCacheSize ¶
func (lm *LockManager) GetCacheSize() int
func (*LockManager) GetPolicy ¶
func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io.Reader) (retP *Policy, retUpserted bool, retErr error)
If caching was disabled, the returned Policy is still locked when this function returns: the caller must unlock it when done, and must not re-lock it.
func (*LockManager) GetUseCache ¶
func (lm *LockManager) GetUseCache() bool
func (*LockManager) InitCache ¶ added in v0.2.1
func (lm *LockManager) InitCache(cacheSize int) error
func (*LockManager) InvalidatePolicy ¶
func (lm *LockManager) InvalidatePolicy(name string)
func (*LockManager) RestorePolicy ¶
func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string, force bool) error
RestorePolicy acquires an exclusive lock on the policy name and restores the given policy along with the archive.
type Namespace ¶ added in v0.2.2
func FromContext ¶ added in v0.2.2
This function caches the namespace to avoid repeating the .Value lookup, because it is called a *lot* on the request critical path. .Value is concurrency-safe (it uses some form of locking or atomicity), but the cache should never be read before its first write, and we do not believe this will be called from different goroutines, so it should be safe.
func (*Namespace) TrimmedPath ¶ added in v0.2.2
type Policy ¶
// Policy is the struct used to store metadata for a named key: its key
// versions, key type, derivation and convergence settings, the version bounds
// for encryption and decryption, and backup/restore bookkeeping.
// Key (deprecated) and Keys presumably carry key material, so a serialized
// policy (Serialize, Backup) should be handled as a secret.
type Policy struct {
	Name string      `json:"name"`
	Key  []byte      `json:"key,omitempty"` //DEPRECATED
	Keys keyEntryMap `json:"keys"`

	// Derived keys MUST provide a context and the master underlying key is
	// never used. If convergent encryption is true, the context will be used
	// as the nonce as well.
	Derived              bool `json:"derived"`
	KDF                  int  `json:"kdf"`
	ConvergentEncryption bool `json:"convergent_encryption"`

	// Whether the key is exportable
	Exportable bool `json:"exportable"`

	// The minimum version of the key allowed to be used for decryption
	MinDecryptionVersion int `json:"min_decryption_version"`

	// The minimum version of the key allowed to be used for encryption
	MinEncryptionVersion int `json:"min_encryption_version"`

	// The latest key version in this policy
	LatestVersion int `json:"latest_version"`

	// The latest key version in the archive. We never delete these, so this is
	// a max.
	ArchiveVersion int `json:"archive_version"`

	// ArchiveMinVersion is the minimum version of the key in the archive.
	ArchiveMinVersion int `json:"archive_min_version"`

	// MinAvailableVersion is the minimum version of the key present. All key
	// versions before this would have been deleted.
	MinAvailableVersion int `json:"min_available_version"`

	// Whether the key is allowed to be deleted
	DeletionAllowed bool `json:"deletion_allowed"`

	// The version of the convergent nonce to use
	ConvergentVersion int `json:"convergent_version"`

	// The type of key
	Type KeyType `json:"type"`

	// BackupInfo indicates the information about the backup action taken on
	// this policy
	BackupInfo *keysutil.BackupInfo `json:"backup_info"`

	// RestoreInfo indicates the information about the restore action taken on
	// this policy
	RestoreInfo *keysutil.RestoreInfo `json:"restore_info"`

	// AllowPlaintextBackup allows taking backup of the policy in plaintext.
	// Such a backup contains the policy as-is, so the backup string must be
	// guarded like key material.
	AllowPlaintextBackup bool `json:"allow_plaintext_backup"`

	// VersionTemplate is used to prefix the ciphertext with information about
	// the key version. It must include {{version}} and a delimiter between the
	// version prefix and the ciphertext.
	VersionTemplate string `json:"version_template"`

	// StoragePrefix is used to add a prefix when storing and retrieving the
	// policy object.
	StoragePrefix string `json:"storage_prefix"`

	// contains filtered or unexported fields
}
Policy is the struct used to store metadata
func LoadPolicy ¶
LoadPolicy will load a policy from the provided storage path and set the necessary unexported variables. It is particularly useful when accessing a policy without the lock manager.
func NewPolicy ¶
func NewPolicy(config PolicyConfig) *Policy
NewPolicy takes a policy config and returns a Policy with those settings.
func (*Policy) DeriveKey ¶
DeriveKey is used to derive a symmetric key given a context and salt. It does not check the policy's Derived flag but only implements the derivation logic; GetKey is responsible for switching on the policy configuration.
func (*Policy) GetKey ¶
GetKey is used to derive the encryption key that should be used depending on the policy. If derivation is disabled the raw key is used and no context is required, otherwise the KDF mode is used with the context to derive the proper key.
func (*Policy) LoadArchive ¶
func (*Policy) MigrateKeyToKeysMap ¶
func (p *Policy) MigrateKeyToKeysMap()
func (*Policy) NeedsUpgrade ¶
func (*Policy) Rotate ¶
func (p *Policy) Rotate(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)
Rotate rotates the policy and persists it to storage. If the rotation partially fails, the policy state will be restored.
func (*Policy) RotateInMemory ¶
RotateInMemory rotates the policy but does not persist it to storage.
func (*Policy) Sign ¶
func (p *Policy) Sign(ver int, input []byte, marshaling keysutil.MarshalingType) (*keysutil.SigningResult, error)
func (*Policy) SymmetricDecryptRaw ¶
func (p *Policy) SymmetricDecryptRaw(encKey, ciphertext []byte, opts SymmetricOpts) ([]byte, error)
SymmetricDecryptRaw symmetrically decrypts a ciphertext using the given key and the convergent-encryption settings in opts.
func (*Policy) SymmetricEncryptRaw ¶
func (p *Policy) SymmetricEncryptRaw(ver int, encKey, plaintext []byte, opts SymmetricOpts) ([]byte, error)
SymmetricEncryptRaw symmetrically encrypts a plaintext using the given key and the convergent-encryption settings in opts.
func (*Policy) VerifySignature ¶
type PolicyConfig ¶
// PolicyConfig is used to create a new policy via NewPolicy; its fields seed
// the same-named fields of Policy.
type PolicyConfig struct {
	// The name of the policy
	Name string `json:"name"`

	// The type of key
	Type KeyType

	// Derived keys MUST provide a context and the master underlying key is
	// never used.
	Derived              bool
	KDF                  int
	ConvergentEncryption bool

	// Whether the key is exportable
	Exportable bool

	// Whether the key is allowed to be deleted
	DeletionAllowed bool

	// AllowPlaintextBackup allows taking backup of the policy in plaintext
	AllowPlaintextBackup bool

	// VersionTemplate is used to prefix the ciphertext with information about
	// the key version. It must include {{version}} and a delimiter between the
	// version prefix and the ciphertext.
	VersionTemplate string

	// StoragePrefix is used to add a prefix when storing and retrieving the
	// policy object.
	StoragePrefix string
}
PolicyConfig is used to create a new policy
type PolicyRequest ¶
// PolicyRequest holds values used when requesting a policy through
// LockManager.GetPolicy. Most values are only used during an upsert, i.e.
// when Upsert is true and the named policy does not exist yet.
type PolicyRequest struct {
	// The storage to use
	Storage logical.Storage

	// The name of the policy
	Name string

	// The key type
	KeyType KeyType

	// Whether it should be derived
	Derived bool

	// Whether to enable convergent encryption
	Convergent bool

	// Whether to allow export
	Exportable bool

	// Whether to upsert
	Upsert bool

	// Whether to allow plaintext backup
	AllowPlaintextBackup bool
}
PolicyRequest holds values used when requesting a policy. Most values are only used during an upsert.
type SymmetricOpts ¶
// SymmetricOpts are the arguments to the symmetric operations
// (SymmetricEncryptRaw / SymmetricDecryptRaw) that are optional, i.e. not
// always used; grouping them keeps those call sites readable.
type SymmetricOpts struct {
	// Whether to use convergent encryption
	Convergent bool

	// The version of the convergent encryption scheme
	ConvergentVersion int

	// The nonce, if not randomly generated
	Nonce []byte

	// Additional data to include in AEAD authentication
	AdditionalData []byte

	// The HMAC key, for generating IVs in convergent encryption
	HMACKey []byte
}
SymmetricOpts are the arguments to symmetric operations that are "optional", i.e. not always used. Grouping them improves the readability of calls to those functions.