Documentation
Index
- type RemoteCrypto
- func (r *RemoteCrypto) ComputeMAC(data []byte, keyURL interface{}) ([]byte, error)
- func (r *RemoteCrypto) Decrypt(cipher, aad, nonce []byte, keyURL interface{}) ([]byte, error)
- func (r *RemoteCrypto) Encrypt(msg, aad []byte, keyURL interface{}) ([]byte, []byte, error)
- func (r *RemoteCrypto) Sign(msg []byte, keyURL interface{}) ([]byte, error)
- func (r *RemoteCrypto) UnwrapKey(recWK *crypto.RecipientWrappedKey, keyURL interface{}, ...) ([]byte, error)
- func (r *RemoteCrypto) Verify(signature, msg []byte, keyURL interface{}) error
- func (r *RemoteCrypto) VerifyMAC(mac, data []byte, keyURL interface{}) error
- func (r *RemoteCrypto) WrapKey(cek, apu, apv []byte, recPubKey *crypto.PublicKey, opts ...crypto.WrapKeyOpts) (*crypto.RecipientWrappedKey, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type RemoteCrypto
type RemoteCrypto struct {
// contains filtered or unexported fields
}
RemoteCrypto is an implementation of the kms.KeyManager API.
func New
func New(keystoreURL string, client *http.Client, opts ...webkmsimpl.Opt) *RemoteCrypto
New creates a new RemoteCrypto instance that uses the given HTTP client to connect to keystoreURL.
func (*RemoteCrypto) ComputeMAC
func (r *RemoteCrypto) ComputeMAC(data []byte, keyURL interface{}) ([]byte, error)
ComputeMAC remotely computes a message authentication code (MAC) for data with the key at keyURL, using a matching MAC primitive in the remote key handle.
func (*RemoteCrypto) Decrypt
func (r *RemoteCrypto) Decrypt(cipher, aad, nonce []byte, keyURL interface{}) ([]byte, error)
Decrypt will remotely decrypt cipher with aad and the given nonce using a matching AEAD primitive in a remote key handle at keyURL of a private key. Returns:
- plainText in []byte
- error in case of errors
func (*RemoteCrypto) Encrypt
func (r *RemoteCrypto) Encrypt(msg, aad []byte, keyURL interface{}) ([]byte, []byte, error)
Encrypt will remotely encrypt msg and aad using a matching AEAD primitive in a remote key handle at keyURL of a public key. Returns:
- cipherText in []byte
- nonce in []byte
- error in case of errors during encryption
func (*RemoteCrypto) Sign
func (r *RemoteCrypto) Sign(msg []byte, keyURL interface{}) ([]byte, error)
Sign will remotely sign msg using a matching signature primitive in the remote key handle at keyURL of a private key. Returns:
- signature in []byte
- error in case of errors
func (*RemoteCrypto) UnwrapKey
func (r *RemoteCrypto) UnwrapKey(recWK *crypto.RecipientWrappedKey, keyURL interface{}, opts ...crypto.WrapKeyOpts) ([]byte, error)
UnwrapKey remotely unwraps a key in recWK using the recipient private key found at keyURL. 'opts' allows setting the optional sender key handle using the WithSender() option, where the sender key handle consists of a remote key located in the option as a keyURL. This option allows ECDH-1PU key unwrapping (aka Authcrypt). The absence of this option uses ECDH-ES key unwrapping (aka Anoncrypt). Returns:
- unwrapped key in raw bytes
- error in case of errors
func (*RemoteCrypto) Verify
func (r *RemoteCrypto) Verify(signature, msg []byte, keyURL interface{}) error
Verify will remotely verify a signature for the given msg using a matching signature primitive in a remote key handle at keyURL of a public key. Returns:
- error in case of errors, or nil if signature verification was successful
func (*RemoteCrypto) VerifyMAC
func (r *RemoteCrypto) VerifyMAC(mac, data []byte, keyURL interface{}) error
VerifyMAC remotely determines whether mac is a correct message authentication code (MAC) for data, using the key at keyURL with a matching MAC primitive in the remote key handle. It returns nil if so; otherwise it returns an error.
func (*RemoteCrypto) WrapKey
func (r *RemoteCrypto) WrapKey(cek, apu, apv []byte, recPubKey *crypto.PublicKey, opts ...crypto.WrapKeyOpts) (*crypto.RecipientWrappedKey, error)
WrapKey will remotely execute key wrapping of cek using apu, apv and recipient public key 'recPubKey'. 'opts' allows setting the optional sender key handle using the WithSender() option, where the sender key handle consists of a remote key located in the option as a keyURL. This option allows ECDH-1PU key wrapping (aka Authcrypt). The absence of this option uses ECDH-ES key wrapping (aka Anoncrypt). Returns:
- RecipientWrappedKey containing the wrapped cek value
- error in case of errors
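The difference between the two modes that WrapKey and UnwrapKey select through WithSender(), shown as an added local example using only the Go standard library (it is not this package's code and does not call a remote KMS). The names must, kek and demo are hypothetical, and the SHA-256 step is a simplified stand-in for the real key derivation function.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// kek derives a key-encryption key from one party's view.
// Sender:    privE = ephemeral, privS = sender static, pubE = pubS = recipient.
// Recipient: privE = privS = recipient, pubE = ephemeral, pubS = sender static.
// pubS == nil gives Z = Ze (ECDH-ES); otherwise Z = Ze || Zs (ECDH-1PU).
func kek(privE, privS *ecdh.PrivateKey, pubE, pubS *ecdh.PublicKey, apu, apv []byte) []byte {
	z := must(privE.ECDH(pubE))
	if pubS != nil {
		z = append(z, must(privS.ECDH(pubS))...)
	}
	h := sha256.New() // simplified KDF, an assumption of this example
	for _, p := range [][]byte{z, apu, apv} {
		h.Write([]byte{byte(len(p) >> 8), byte(len(p))}) // length prefix
		h.Write(p)
	}
	return h.Sum(nil)
}

// demo reports whether both sides derive the same KEK in three cases.
func demo() (anon, auth, wrongSender bool) {
	gen := func() *ecdh.PrivateKey { return must(ecdh.P256().GenerateKey(rand.Reader)) }
	eph, snd, rec, other := gen(), gen(), gen(), gen()
	recPub, ephPub := rec.PublicKey(), eph.PublicKey()
	apu, apv := []byte("sender"), []byte("recipient") // constructed sample values
	eq := func(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }
	anon = eq(kek(eph, nil, recPub, nil, apu, apv), kek(rec, nil, ephPub, nil, apu, apv))
	k := kek(eph, snd, recPub, recPub, apu, apv)
	auth = eq(k, kek(rec, rec, ephPub, snd.PublicKey(), apu, apv))
	wrongSender = eq(k, kek(rec, rec, ephPub, other.PublicKey(), apu, apv))
	return
}

func main() { fmt.Println(demo()) }
```

In the ECDH-ES case anyone holding the recipient's public key can produce a key the recipient will accept, so the recipient learns nothing about who wrapped it; in the ECDH-1PU case the recipient derives the matching key only when it supplies the sender key that was actually used.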