localcert

package
v0.0.0-...-da2d6c7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 25, 2023 License: BSD-3-Clause Imports: 17 Imported by: 0

Documentation

Index

Constants

View Source
const (
	PfxKeyProviderName = "pfx"
)

Variables

View Source
var PfxKeyProvider = Provider{AllowedLocations: make([]string, 0), /* contains filtered or unexported fields */}

Functions

This section is empty.

Types

type InvalidCertificatePathError

type InvalidCertificatePathError struct {
	// contains filtered or unexported fields
}

InvalidCertificatePathError indicates the provided path could not be used to load a certificate

func (*InvalidCertificatePathError) Error

func (*InvalidCertificatePathError) Unwrap

func (i *InvalidCertificatePathError) Unwrap() error

type Provider

type Provider struct {

	// AllowedLocations constrains which locations the provider will use to find certificates. If empty, all locations are allowed.
	// When presented with a key store path not in the allowed list, the data will be returned still encrypted.
	AllowedLocations []string
	// contains filtered or unexported fields
}

Provider uses local certificates to decrypt CEKs It supports both 'MSSQL_CERTIFICATE_STORE' and 'pfx' key stores. MSSQL_CERTIFICATE_STORE key paths are of the form `storename/storepath/thumbprint` and only supported on Windows clients. pfx key paths are absolute file system paths that are operating system dependent.

func (*Provider) DecryptColumnEncryptionKey

func (p *Provider) DecryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, encryptedCek []byte) (decryptedKey []byte, err error)

DecryptColumnEncryptionKey decrypts the specified encrypted value of a column encryption key. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm.

func (*Provider) EncryptColumnEncryptionKey

func (p *Provider) EncryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, cek []byte) (buf []byte, err error)

EncryptColumnEncryptionKey encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm.

func (*Provider) KeyLifetime

func (p *Provider) KeyLifetime() *time.Duration

KeyLifetime is an optional Duration. Keys fetched by this provider will be discarded after their lifetime expires. If it returns nil, the keys will expire based on the value of ColumnEncryptionKeyLifetime. If it returns zero, the keys will not be cached.

func (Provider) SetCertificatePassword

func (p Provider) SetCertificatePassword(location string, password string)

SetCertificatePassword stores the password associated with the certificate at the given location. If location is empty the given password applies to all certificates that have not been explicitly assigned a value.

func (*Provider) SignColumnMasterKeyMetadata

func (p *Provider) SignColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) ([]byte, error)

SignColumnMasterKeyMetadata digitally signs the column master key metadata with the column master key referenced by the masterKeyPath parameter. The input values used to generate the signature should be the specified values of the masterKeyPath and allowEnclaveComputations parameters. May return an empty slice if not supported.

func (*Provider) VerifyColumnMasterKeyMetadata

func (p *Provider) VerifyColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) (*bool, error)

VerifyColumnMasterKeyMetadata verifies the specified signature is valid for the column master key with the specified key path and the specified enclave behavior. Return nil if not supported.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL