nonprod

package
v0.0.0-...-5fa9814

This package is not in the latest version of its module.

Published: May 1, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package nonprod provides an in-memory signer and CA for endorsement using generated or provided keys.

This package is test-only and not for production use: key material should not be loaded into the memory of the endorsing machine, which is typically a build node. Instead, signing should be offloaded to a trusted device whose sole purpose is key management and signing.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultOpts

func DefaultOpts() crypto.SignerOpts

DefaultOpts returns the only crypto.SignerOpts value that this signer supports.

func RsaPublicKeyToPEM

func RsaPublicKeyToPEM(pub *rsa.PublicKey) []byte

RsaPublicKeyToPEM returns an RSA public key in its PEM encoding.

Types

type Key

type Key struct {
	// Private is optional for creating a fake Signer. If nil, will be generated.
	Private *rsa.PrivateKey
	Cert    *x509.Certificate
	Info    KeyInfo
}

Key represents a pre-created private key for which the nonprod signer will issue certificates.

type KeyInfo

type KeyInfo struct {
	// KeyVersionName is the key's unique name (path) for use in signing requests.
	KeyVersionName string
	// PkixName is the whole subject description of the key. If set, overrides CommonName.
	PkixName *pkix.Name
}

KeyInfo represents configurable parts of a fake signer's representation of a key.

type Options

type Options struct {
	Now               time.Time
	Random            io.Reader
	CA                styp.CertificateAuthority
	Root              Key
	PrimarySigningKey Key
	SigningKeys       []Key
}

Options carries all the configurable components for a non-production in-memory signer.

type Signer

type Signer struct {
	Now time.Time
	// Keys require randomness to create.
	Rand io.Reader
	Keys map[string]*rsa.PrivateKey
}

Signer is an in-memory implementation of the Signer interface for endorsing golden measurements.

func MakeCustomSigner

func MakeCustomSigner(ctx context.Context, opts *Options) (*Signer, error)

MakeCustomSigner creates a new nonprod Signer with keys of the given names and private keys.

func (*Signer) ClearKeys

func (s *Signer) ClearKeys()

ClearKeys clears the keys in the signer as part of a wipeout operation.

func (*Signer) DestroyKeyVersion

func (s *Signer) DestroyKeyVersion(keyVersionName string)

DestroyKeyVersion destroys the private key for keyVersionName if it exists.

func (*Signer) GenerateRootKey

func (s *Signer) GenerateRootKey(keyVersionName string) (*rsa.PrivateKey, error)

GenerateRootKey registers and returns a new key with root key settings.

func (*Signer) GenerateSigningKey

func (s *Signer) GenerateSigningKey(keyVersionName string) (*rsa.PrivateKey, error)

GenerateSigningKey registers and returns a new key with signing key settings.

func (*Signer) LoadKey

func (s *Signer) LoadKey(name string, key any) error

LoadKey stores the given key under name only if it is an *rsa.PrivateKey; otherwise it returns an error.

func (*Signer) PublicKey

func (s *Signer) PublicKey(_ context.Context, keyVersionName string) ([]byte, error)

PublicKey returns the PEM-encoded public key of the given keyVersionName.

func (*Signer) Sign

func (s *Signer) Sign(_ context.Context, keyVersionName string, digest styp.Digest, opts crypto.SignerOpts) ([]byte, error)

Sign signs the given digest with the key named by keyVersionName. digest must be the SHA-384 hash of the message to be signed; the signer does not hash it again.
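The Signer API documented above, as an added example that is not the package's own code: a hypothetical MemSigner that mirrors the shape of nonprod.Signer (private keys held in a map by key version name, Sign over a precomputed SHA-384 digest, PEM public-key export, DestroyKeyVersion and ClearKeys), plus the consumer-side check. RSA-PSS with SHA-384 and a hash-length salt is this example's assumption for what DefaultOpts returns; the page does not state the real package's scheme. The key size, the key version names and the "constructed golden measurement" input are likewise made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// ErrNoSuchKey is returned for an unknown or already destroyed key version name.
var ErrNoSuchKey = errors.New("memsigner: no such key version")

// MemSigner is a hypothetical stand-in for nonprod.Signer: private keys live in
// process memory, keyed by key version name, which is exactly why it is test-only.
type MemSigner struct {
	Rand io.Reader
	Keys map[string]*rsa.PrivateKey
}

// DefaultOpts is the one scheme this example accepts: RSA-PSS over a SHA-384
// digest with a hash-length salt (an assumption; the page does not state the real one).
func DefaultOpts() crypto.SignerOpts {
	return &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA384}
}

// GenerateSigningKey creates a fresh RSA key and registers it under keyVersionName.
func (s *MemSigner) GenerateSigningKey(keyVersionName string, bits int) (*rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(s.Rand, bits)
	if err != nil {
		return nil, err
	}
	s.Keys[keyVersionName] = key
	return key, nil
}

// PublicKey returns the PKIX "PUBLIC KEY" PEM encoding of the named key.
func (s *MemSigner) PublicKey(keyVersionName string) ([]byte, error) {
	key, ok := s.Keys[keyVersionName]
	if !ok {
		return nil, ErrNoSuchKey
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for an *rsa.PublicKey
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Sign signs a precomputed SHA-384 digest. It rejects any other hash or digest
// length so a caller cannot accidentally sign raw, unhashed message bytes.
func (s *MemSigner) Sign(keyVersionName string, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	key, ok := s.Keys[keyVersionName]
	if !ok {
		return nil, ErrNoSuchKey
	}
	if opts == nil {
		opts = DefaultOpts()
	}
	if opts.HashFunc() != crypto.SHA384 || len(digest) != sha512.Size384 {
		return nil, errors.New("memsigner: digest must be the SHA-384 hash of the message")
	}
	return key.Sign(s.Rand, digest, opts)
}

// DestroyKeyVersion drops one key; ClearKeys drops all of them (wipeout).
func (s *MemSigner) DestroyKeyVersion(keyVersionName string) { delete(s.Keys, keyVersionName) }
func (s *MemSigner) ClearKeys()                              { s.Keys = map[string]*rsa.PrivateKey{} }

// VerifyPEM is the consumer side: parse the PEM public key and check sig over digest.
func VerifyPEM(pubPEM, digest, sig []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("memsigner: not a PEM public key")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("memsigner: unexpected public key type %T", pub)
	}
	return rsa.VerifyPSS(rsaPub, crypto.SHA384, digest, sig, DefaultOpts().(*rsa.PSSOptions))
}

func main() {
	s := &MemSigner{Rand: rand.Reader, Keys: map[string]*rsa.PrivateKey{}}
	if _, err := s.GenerateSigningKey("signer-v1", 2048); err != nil {
		panic(err)
	}
	digest := sha512.Sum384([]byte("constructed golden measurement")) // constructed sample input
	sig, err := s.Sign("signer-v1", digest[:], nil)
	if err != nil {
		panic(err)
	}
	pub, _ := s.PublicKey("signer-v1")
	fmt.Println("verify:", VerifyPEM(pub, digest[:], sig))
	s.DestroyKeyVersion("signer-v1")
	_, err = s.Sign("signer-v1", digest[:], nil)
	fmt.Println("after destroy:", err)
}
```

The two guards in Sign are the point of the "digest must be the SHA-384 hash" requirement: a signer that accepts arbitrary bytes as the digest lets a caller produce a valid signature over something that was never hashed, and a signer that accepts any SignerOpts can silently produce a signature under a different hash than the verifier expects.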
