keystore

package
v0.0.0-...-982e07a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 19, 2023 License: Apache-2.0 Imports: 12 Imported by: 11

Documentation

Overview

Package keystore describes various KeyStore interfaces. KeyStore is responsible for storing and accessing encryption keys: both transport ans storage. Keystore abstracts from real key storage (it might be folder in file system or remote KMS). Keystore is responsible for generating, reading and decrypting specific keys.

Index

Constants

View Source 
const (
	// InfiniteCacheSize unlimited size
	InfiniteCacheSize = 0
	// DefaultCacheSize default cache size
	DefaultCacheSize = 1000
	// WithoutCache means not using cache at all
	WithoutCache = -1
)
View Source 
const (
	// DefaultKeyDirShort
	DefaultKeyDirShort   = ".acrakeys"
	ValidChars           = "_- "
	MaxClientIDLength    = 256
	MinClientIDLength    = 5
	AcraMasterKeyVarName = "ACRA_MASTER_KEY"
	// SymmetricKeyLength in bytes for master key
	SymmetricKeyLength = 32
	NoKeyFoundExit     = true
)

KeyStore-related constants.

View Source 
const (
	KeyPoisonKeypair   = "poison-keypair"
	KeyPoisonSymmetric = "poison-symmetric"
	KeyPoisonPublic    = "poison-public"
	KeyPoisonPrivate   = "poison-private"
	KeyStorageKeypair  = "storage-keypair"
	KeyStoragePublic   = "storage-public"
	KeyStoragePrivate  = "storage-private"

	KeySymmetric = "symmetric-key"
	KeySearch    = "hmac-key"
)

Key kind constants:

View Source 
const (
	KeyOwnerTypeClient = iota
)

Set of values for KeyOwnerType

Variables

View Source 
var (
	ErrInvalidClientID          = errors.New("invalid client ID")
	ErrEmptyMasterKey           = errors.New("master key is empty")
	ErrMasterKeyIncorrectLength = fmt.Errorf("master key must have %v length in bytes", SymmetricKeyLength)
	ErrCacheIsNotSupportedV2    = errors.New("keystore cache is not supported for keystore v2")
)

Errors returned during accessing to client id or master key.

View Source 
var ErrKeysNotFound = errors.New("keys not found")

ErrKeysNotFound used if can't find key or keys

View Source 
var KeyPurposeToKeyKind = map[KeyPurpose]string{
	PurposeSearchHMAC:                KeySearch,
	PurposePoisonRecordSymmetricKey:  KeyPoisonSymmetric,
	PurposePoisonRecordKeyPair:       KeyPoisonKeypair,
	PurposeStorageClientPublicKey:    KeyStorageKeypair,
	PurposeStorageClientPrivateKey:   KeyStorageKeypair,
	PurposeStorageClientSymmetricKey: KeySymmetric,
}

KeyPurposeToKeyKind mapping between KeyPurpose and KeyKind

Functions

func GenerateSymmetricKey 

func GenerateSymmetricKey() ([]byte, error)

GenerateSymmetricKey return new generated symmetric key that must used in keystore as master key and will comply our requirements.

func GetKeyContextFromContext 

func GetKeyContextFromContext(keyContext KeyContext) []byte

GetKeyContextFromContext return byte context depending on provided options

func GetMasterKeyFromEnvironment 

func GetMasterKeyFromEnvironment() (key []byte, err error)

GetMasterKeyFromEnvironment return master key from environment variable with name AcraMasterKeyVarName

func GetMasterKeyFromEnvironmentVariable 

func GetMasterKeyFromEnvironmentVariable(varname string) ([]byte, error)

GetMasterKeyFromEnvironmentVariable return master key from specified environment variable.

func PrintKeysTable 

func PrintKeysTable(keys []KeyDescription, writer io.Writer) error

PrintKeysTable prints table which describes keys in a human readable format into the writer. Code is shared by `acra-keys list` and a couple of tests

func PrintRotatedKeysTable 

func PrintRotatedKeysTable(keys []KeyDescription, writer io.Writer) error

PrintRotatedKeysTable prints table which describes keys in a readable format into the writer. In format `Key purpose | Client | Creation Time | Key ID` Code is shared by `acra-keys list` and a couple of tests

func ValidateID 

func ValidateID(clientID []byte) bool

ValidateID checks that clientID length is within required limits and clientID contains only valid chars (digits, letters, -, _, ' ').

func ValidateMasterKey 

func ValidateMasterKey(key []byte) error

ValidateMasterKey do validation of symmetric master key and return nil if pass check.

Types

type AuditLogKeyGenerator 

type AuditLogKeyGenerator interface {
	GenerateLogKey() error
}

AuditLogKeyGenerator is able to generate keys for AuditLogKeyStore.

type AuditLogKeyStore 

type AuditLogKeyStore interface {
	GetLogSecretKey() ([]byte, error)
}

AuditLogKeyStore keeps symmetric keys for audit log signtures.

type Backup 

type Backup interface {
	Exporter
	Importer
}

Backup interface for export/import KeyStore

type Cache 

type Cache interface {
	Add(keyID string, keyValue []byte)
	Get(keyID string) ([]byte, bool)
	Clear()
}

Cache that used by FilesystemKeystore to cache loaded keys from filesystem

type DataEncryptorKeyStore 

type DataEncryptorKeyStore interface {
	PrivateKeyStore
	PublicKeyStore
}

DataEncryptorKeyStore interface with required methods for CryptoHandlers

type DecryptionKeyStore 

type DecryptionKeyStore interface {
	PublicKeyStore
	PrivateKeyStore
	PoisonKeyStore
	HmacKeyStore
}

DecryptionKeyStore enables AcraStruct decryption. It is used by acra-server.

type ExportID 

type ExportID struct {
	KeyKind   string
	ContextID []byte
}

ExportID represent KeyKind and KeyContext for Exporter

type ExportMode 

type ExportMode int

ExportMode constants describe which data to export from key storage. 

const (
	// Export only public key data.
	ExportPublicOnly ExportMode = 1 << iota
	// Export private and public key data.
	ExportPrivateKeys
	// Use as marker to say Backuper to read all keys from keystore
	ExportAllKeys
)

ExportMode flags.

type Exporter 

type Exporter interface {
	Export(exportIDs []ExportID, mode ExportMode) (*KeysBackup, error)
}

Exporter interface for acra-keys export command

type HmacKeyGenerator 

type HmacKeyGenerator interface {
	GenerateHmacKey(id []byte) error
}

HmacKeyGenerator is able to generate keys for HmacKeyStore.

type HmacKeyStore 

type HmacKeyStore interface {
	GetHMACSecretKey(id []byte) ([]byte, error)
}

HmacKeyStore interface to fetch keys for hma calculation

type Importer 

type Importer interface {
	Import(*KeysBackup) ([]KeyDescription, error)
}

Importer interface for acra-keys import command

type Key 

type Key struct {
	Name    string
	Content []byte
}

Key struct store content of keypair or some symmetric key

type KeyContext 

type KeyContext struct {
	ClientID []byte
	Context  []byte
	Purpose  KeyPurpose
}

KeyContext contains generic key context for key operation

func NewClientIDKeyContext 

func NewClientIDKeyContext(purpose KeyPurpose, clientID []byte) KeyContext

NewClientIDKeyContext create new key context with key purpose and clientID

func NewEmptyKeyContext 

func NewEmptyKeyContext(ctx []byte) KeyContext

NewEmptyKeyContext create new empty key context

func NewKeyContext 

func NewKeyContext(purpose KeyPurpose, ctx []byte) KeyContext

NewKeyContext create new key context with key purpose and pure context

func (KeyContext) String 

func (ctx KeyContext) String() string

String implementation of Stringer interface for KeyContext

type KeyDescription 

type KeyDescription struct {
	Index        int
	KeyID        string
	State        KeyState
	Purpose      KeyPurpose
	ClientID     string     `json:",omitempty"`
	CreationTime *time.Time `json:",omitempty"`
}

KeyDescription describes a key in the keystore.

"Index" is unique integer that can be used to identify key in the context of KeyID. "KeyID" is unique string that can be used to identify this key set in the keystore. "Purpose" is short human-readable description of the key purpose. "ClientID" and "AdditionalContext" are filled in where relevant. "CreationTime" used to display creation time of rotated key

type KeyEncryptor 

type KeyEncryptor interface {
	Encrypt(ctx context.Context, key []byte, keyContext KeyContext) ([]byte, error)
	Decrypt(ctx context.Context, key []byte, keyContext KeyContext) ([]byte, error)
}

KeyEncryptor describes Encrypt and Decrypt interfaces.

type KeyMaking 

type KeyMaking interface {
	StorageKeyCreation
	StorageKeyDestruction
	StorageRotatedKeyDestruction
	PoisonKeyGenerator
	AuditLogKeyGenerator
	HmacKeyGenerator
	SymmetricEncryptionKeyStoreGenerator
}

KeyMaking enables keystore initialization. It is used by acra-keymaker tool.

type KeyOwnerType 

type KeyOwnerType int

KeyOwnerType define type key owners. Defined to avoid function overrides for clientID keys and allow to define one function for several key owners

type KeyPurpose 

type KeyPurpose string

KeyPurpose describe usage of specific key 

const (
	PurposeSearchHMAC                KeyPurpose = "search_hmac"
	PurposeAuditLog                  KeyPurpose = "audit_log"
	PurposePoisonRecordSymmetricKey  KeyPurpose = "poison_sym_key"
	PurposeStorageClientSymmetricKey KeyPurpose = "storage_sym_key"
	PurposePoisonRecordKeyPair       KeyPurpose = "poison_key"
	PurposeStorageClientKeyPair      KeyPurpose = "storage"
	PurposeStorageClientPublicKey    KeyPurpose = "public_storage"
	PurposeStorageClientPrivateKey   KeyPurpose = "private_storage"
	PurposeLegacy                    KeyPurpose = "legacy"
	PurposeUndefined                 KeyPurpose = "undefined"
)

Supported key purposes

func (KeyPurpose) String 

func (p KeyPurpose) String() string

type KeyState 

type KeyState string

KeyState set key state for KeyDescription (current/rotated) 

const (
	StateCurrent KeyState = "current"
	StateRotated          = "rotated"
)

StateCurrent represent current KeyState

type KeysBackup 

type KeysBackup struct {
	Keys []byte
	Data []byte
}

KeysBackup struct that store keys for poison records and all client's keys

type NoCache 

type NoCache struct{}

NoCache is cache implementation for case when keystore should not to use any cache

func (NoCache) Add 

func (NoCache) Add(keyID string, keyValue []byte)

Add empty implementation

func (NoCache) Clear 

func (NoCache) Clear()

Clear empty implementation

func (NoCache) Get 

func (NoCache) Get(keyID string) ([]byte, bool)

Get empty implementation

type PoisonKeyGenerator 

type PoisonKeyGenerator interface {
	GeneratePoisonSymmetricKey() error
	GeneratePoisonKeyPair() error
}

PoisonKeyGenerator is responsible for generation of poison keys.

type PoisonKeyStorageAndGenerator 

type PoisonKeyStorageAndGenerator interface {
	PoisonKeyStore
	PoisonKeyGenerator
}

PoisonKeyStorageAndGenerator has all methods to create and retrieve various keys dedicated to poison records.

type PoisonKeyStore 

type PoisonKeyStore interface {
	// Reads current poison record key pair, returning ErrKeysNotFound if it
	// does not exist yet.
	GetPoisonKeyPair() (*keys.Keypair, error)
	GetPoisonPrivateKeys() ([]*keys.PrivateKey, error)
	GetPoisonSymmetricKeys() ([][]byte, error)
	GetPoisonSymmetricKey() ([]byte, error)
}

PoisonKeyStore provides access to poison record key pairs.

type PrivateKeyStore 

type PrivateKeyStore interface {
	SymmetricEncryptionKeyStore
	GetServerDecryptionPrivateKey(id []byte) (*keys.PrivateKey, error)
	GetServerDecryptionPrivateKeys(id []byte) ([]*keys.PrivateKey, error)
}

PrivateKeyStore provides access to storage private keys, used to decrypt stored data.

type PublicKeyStore 

type PublicKeyStore interface {
	GetClientIDEncryptionPublicKey(clientID []byte) (*keys.PublicKey, error)
}

PublicKeyStore provides access to storage public keys, used to encrypt data for storage.

type RecordProcessorKeyStore 

type RecordProcessorKeyStore interface {
	GetPoisonPrivateKeys() ([]*keys.PrivateKey, error)
	GetPoisonSymmetricKeys() ([][]byte, error)
	GetPoisonSymmetricKey() ([]byte, error)
}

RecordProcessorKeyStore interface with required methods for RecordProcessor

type SCellKeyEncryptor 

type SCellKeyEncryptor struct {
	// contains filtered or unexported fields
}

SCellKeyEncryptor uses Themis Secure Cell with provided master key to encrypt and decrypt keys.

func NewSCellKeyEncryptor 

func NewSCellKeyEncryptor(masterKey []byte) (*SCellKeyEncryptor, error)

NewSCellKeyEncryptor creates new SCellKeyEncryptor object with masterKey using Themis Secure Cell in Seal mode.

func (*SCellKeyEncryptor) Decrypt 

func (encryptor *SCellKeyEncryptor) Decrypt(ctx context.Context, key []byte, keyContext KeyContext) ([]byte, error)

Decrypt return decrypted key using masterKey and context.

func (*SCellKeyEncryptor) Encrypt 

func (encryptor *SCellKeyEncryptor) Encrypt(ctx context.Context, key []byte, keyContext KeyContext) ([]byte, error)

Encrypt return encrypted key using masterKey and context.

type ServerKeyStore 

type ServerKeyStore interface {
	DecryptionKeyStore
	StorageKeyCreation
	AuditLogKeyStore
	HmacKeyGenerator
	SymmetricEncryptionKeyStoreGenerator

	CacheOnStart() error
	ListKeys() ([]KeyDescription, error)
	ListRotatedKeys() ([]KeyDescription, error)
	Reset()
}

ServerKeyStore enables AcraStruct encryption, decryption, and secure communication of acra-server with other services.

type StorageKeyCreation 

type StorageKeyCreation interface {
	// Generates a new storage key pair for given client ID.
	GenerateDataEncryptionKeys(clientID []byte) error
	// Sets storage key pair for given client ID.
	SaveDataEncryptionKeys(clientID []byte, keypair *keys.Keypair) error
}

StorageKeyCreation enables creation of new storage key pairs and rotation of existing ones.

type StorageKeyDestruction 

type StorageKeyDestruction interface {
	DestroyPoisonKeyPair() error
	DestroyPoisonSymmetricKey() error
	DestroyClientIDEncryptionKeyPair(clientID []byte) error
	DestroyClientIDSymmetricKey(clientID []byte) error
	DestroyHmacSecretKey(clientID []byte) error
}

StorageKeyDestruction enables destruction of created keys.

type StorageKeyGenerator 

type StorageKeyGenerator interface {
	StorageKeyCreation
	SymmetricEncryptionKeyStoreGenerator
}

StorageKeyGenerator is able to generate keys for Acra CE and Acra EE.

type StorageRotatedKeyDestruction 

type StorageRotatedKeyDestruction interface {
	DestroyRotatedPoisonKeyPair(index int) error
	DestroyRotatedPoisonSymmetricKey(index int) error
	DestroyRotatedClientIDEncryptionKeyPair(clientID []byte, index int) error
	DestroyRotatedClientIDSymmetricKey(clientID []byte, index int) error
	DestroyRotatedHmacSecretKey(clientID []byte, index int) error
}

StorageRotatedKeyDestruction enables destruction of created rotated keys.

type SymmetricEncryptionKeyStore 

type SymmetricEncryptionKeyStore interface {
	GetClientIDSymmetricKeys(id []byte) ([][]byte, error)
	GetClientIDSymmetricKey(id []byte) ([]byte, error)
}

SymmetricEncryptionKeyStore interface describe access methods to encryption symmetric keys

type SymmetricEncryptionKeyStoreGenerator 

type SymmetricEncryptionKeyStoreGenerator interface {
	GenerateClientIDSymmetricKey(id []byte) error
}

SymmetricEncryptionKeyStoreGenerator interface methods responsible for generation encryption symmetric keys

type TranslationKeyStore 

type TranslationKeyStore interface {
	DecryptionKeyStore
	AuditLogKeyStore

	CacheOnStart() error
}

TranslationKeyStore enables AcraStruct translation. It is used by acra-translator tool.

type TransportKeyStore 

type TransportKeyStore interface {
	AuditLogKeyStore
	CheckIfPrivateKeyExists(clientID []byte) (bool, error)
}

TransportKeyStore provides access to transport keys. It is used by acra-connector tool.

Source Files

View all Source files

Directories

Path Synopsis
Package filesystem implements keystores that write and reads keys from file system.
 Package filesystem implements keystores that write and reads keys from file system.
internal
env_loader
hashicorp
kms
kms
aws
base
Package lru implements simple LRU cache used by Keystore.
 Package lru implements simple LRU cache used by Keystore.
v2
keystore
Package keystore implements Acra Keystore version 2.
 Package keystore implements Acra Keystore version 2.
keystore/api
Package api describes API of Acra Keystore version 2.
 Package api describes API of Acra Keystore version 2.
keystore/api/tests
Package tests provides conformity test suite for KeyStore API.
 Package tests provides conformity test suite for KeyStore API.
keystore/asn1
Package asn1 contains descriptions of ASN.1 data structures used by Keystore.
 Package asn1 contains descriptions of ASN.1 data structures used by Keystore.
keystore/crypto
Package crypto provides implementations of cryptographic algorithms used by KeyStore.
 Package crypto provides implementations of cryptographic algorithms used by KeyStore.
keystore/filesystem
Package filesystem provides a common filesystem-based implementation of KeyStore.
 Package filesystem provides a common filesystem-based implementation of KeyStore.
keystore/filesystem/backend
Package backend provides a common filesystem Backend interface for filesystem.KeyStore as well as some basic implementations of it.
 Package backend provides a common filesystem Backend interface for filesystem.KeyStore as well as some basic implementations of it.
keystore/filesystem/backend/api
Package api defines abstract backend interface.
 Package api defines abstract backend interface.
keystore/filesystem/backend/api/tests
Package tests provides conformity test suite for KeyStore Backend API.
 Package tests provides conformity test suite for KeyStore Backend API.
keystore/signature
Package signature implements generation and verification of signatures used by KeyStore to authenticate stored key data.
 Package signature implements generation and verification of signatures used by KeyStore to authenticate stored key data.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.