keystore

package v0.0.0-...-982e07a (Latest)

This package is not in the latest version of its module.

Published: Dec 19, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package keystore implements Acra Keystore version 2.

Index

Constants

const (
	PurposePoisonRecord     = "poison record key"
	PurposeStorageClient    = "client storage key"
	PurposeAuditLog         = "audit log signature key"
	PurposePoisonSym        = "poison record symmetric key"
	PurposeStorageClientSym = "client storage symmetric key"
	PurposeSearchHMAC       = "encrypted search HMAC key"
)

Key purpose constants.

Variables

var (
	ErrEqualMasterKeys = errors.New("encryption and signature master keys are equal")
)

Errors produced by master key validation:

var ErrInvalidIndex = errors.New("invalid index value provided")

ErrInvalidIndex represents an invalid index value passed via the --index flag.

var (
	ErrUnknownPurpose = errors.New("unknown key purpose")
)

Errors returned by key import:

var (
	ErrUnrecognizedKeyPurpose = errors.New("key purpose not recognized")
)

Errors returned when describing keys:

Functions

func DescribeKeyRings

func DescribeKeyRings(keyRings []string, keyStore api.KeyStore) ([]keystore.KeyDescription, error)

DescribeKeyRings describes multiple key rings by their purpose paths.

func DescribeRotatedKeyRings

func DescribeRotatedKeyRings(keyRings []string, keyStore api.KeyStore) ([]keystore.KeyDescription, error)

DescribeRotatedKeyRings describes multiple key rings by their purpose paths.

func GetMasterKeysFromEnvironment

func GetMasterKeysFromEnvironment() ([]byte, []byte, error)

GetMasterKeysFromEnvironment reads master keys from default environment variable. Returns encryption key, signature key, error.

func GetMasterKeysFromEnvironmentVariable

func GetMasterKeysFromEnvironmentVariable(varname string) ([]byte, []byte, error)

GetMasterKeysFromEnvironmentVariable reads master keys from specified environment variable. Returns encryption key, signature key, error.

func NewSCellSuite

func NewSCellSuite(encryptionKey, signatureKey []byte) (*crypto.KeyStoreSuite, error)

NewSCellSuite creates the default cryptography suite for KeyStore: keys are encrypted with Themis Secure Cell in Seal mode, and the keystore is signed with HMAC-SHA-256.

func NewSerializedMasterKeys

func NewSerializedMasterKeys() ([]byte, error)

NewSerializedMasterKeys generates a new set of master keys, already serialized into bytes.

Types

type KeyBackuper

type KeyBackuper struct {
	// contains filtered or unexported fields
}

KeyBackuper implements the keystore.Exporter and keystore.Importer interfaces for keystore v2.

func NewKeyBackuper

func NewKeyBackuper(privateFolder, publicFolder string, storage api.BackupKeystore) (*KeyBackuper, error)

NewKeyBackuper creates, initializes and returns a new KeyBackuper instance.

func (*KeyBackuper) Export

func (store *KeyBackuper) Export(exportIDs []keystoreV1.ExportID, mode keystoreV1.ExportMode) (*keystoreV1.KeysBackup, error)

Export exports keys from the KeyStore, encrypted with a new key, for backup.

func (*KeyBackuper) Import

func (store *KeyBackuper) Import(backup *keystoreV1.KeysBackup) ([]keystoreV1.KeyDescription, error)

Import imports keys from a backup into the current keystore.

type KeyFileImportV1

type KeyFileImportV1 interface {
	ImportKeyFileV1(oldKeyStore filesystemV1.KeyExport, key filesystemV1.ExportedKey) error
}

KeyFileImportV1 defines how filesystem keystore v1 keys are imported.

type SerializedKeys

type SerializedKeys struct {
	Encryption []byte `json:"encryption"`
	Signature  []byte `json:"signature"`
}

SerializedKeys is the serialized form of master keys.

func NewMasterKeys

func NewMasterKeys() (*SerializedKeys, error)

NewMasterKeys generates a new set of master keys.

func (*SerializedKeys) Marshal

func (k *SerializedKeys) Marshal() ([]byte, error)

Marshal serializes the master keys into a byte buffer.

func (*SerializedKeys) Unmarshal

func (k *SerializedKeys) Unmarshal(buffer []byte) error

Unmarshal deserializes master keys from a byte buffer.

type ServerKeyStore

type ServerKeyStore struct {
	api.MutableKeyStore
	// contains filtered or unexported fields
}

ServerKeyStore provides full access to Acra Keystore.

It is intended to be used by AcraServer components and uses server transport keys.

func NewServerKeyStore

func NewServerKeyStore(keyStore api.MutableKeyStore) *ServerKeyStore

NewServerKeyStore configures keystore for AcraServer.

func (*ServerKeyStore) CacheOnStart

func (s *ServerKeyStore) CacheOnStart() error

CacheOnStart is a no-op: the v2 keystore does not support key caching.

func (*ServerKeyStore) DescribeKeyRing

func (s *ServerKeyStore) DescribeKeyRing(path string) (*keystore.KeyDescription, error)

DescribeKeyRing describes key ring by its purpose path.

func (*ServerKeyStore) DescribeRotatedKeyRing

func (s *ServerKeyStore) DescribeRotatedKeyRing(path string) ([]keystore.KeyDescription, error)

DescribeRotatedKeyRing describes key ring by its purpose path.

func (*ServerKeyStore) DestroyClientIDEncryptionKeyPair

func (s *ServerKeyStore) DestroyClientIDEncryptionKeyPair(clientID []byte) error

DestroyClientIDEncryptionKeyPair destroys the client storage key pair ring.

func (*ServerKeyStore) DestroyClientIDSymmetricKey

func (s *ServerKeyStore) DestroyClientIDSymmetricKey(clientID []byte) error

DestroyClientIDSymmetricKey destroys the client storage symmetric key ring.

func (*ServerKeyStore) DestroyHmacSecretKey

func (s *ServerKeyStore) DestroyHmacSecretKey(clientID []byte) error

DestroyHmacSecretKey destroys the HMAC secret key ring.

func (*ServerKeyStore) DestroyPoisonKeyPair

func (s *ServerKeyStore) DestroyPoisonKeyPair() error

DestroyPoisonKeyPair destroys the poison record key pair ring.

func (*ServerKeyStore) DestroyPoisonSymmetricKey

func (s *ServerKeyStore) DestroyPoisonSymmetricKey() error

DestroyPoisonSymmetricKey destroys the poison record symmetric key ring.

func (*ServerKeyStore) DestroyRotatedClientIDEncryptionKeyPair

func (s *ServerKeyStore) DestroyRotatedClientIDEncryptionKeyPair(clientID []byte, index int) error

DestroyRotatedClientIDEncryptionKeyPair destroys the rotated storage key pair at the given index.

func (*ServerKeyStore) DestroyRotatedClientIDSymmetricKey

func (s *ServerKeyStore) DestroyRotatedClientIDSymmetricKey(clientID []byte, index int) error

DestroyRotatedClientIDSymmetricKey destroys the rotated storage symmetric key at the given index.

func (*ServerKeyStore) DestroyRotatedHmacSecretKey

func (s *ServerKeyStore) DestroyRotatedHmacSecretKey(clientID []byte, index int) error

DestroyRotatedHmacSecretKey destroys the rotated HMAC symmetric key at the given index.

func (*ServerKeyStore) DestroyRotatedPoisonKeyPair

func (s *ServerKeyStore) DestroyRotatedPoisonKeyPair(index int) error

DestroyRotatedPoisonKeyPair destroys the rotated poison record key pair at the given index.

func (*ServerKeyStore) DestroyRotatedPoisonSymmetricKey

func (s *ServerKeyStore) DestroyRotatedPoisonSymmetricKey(index int) error

DestroyRotatedPoisonSymmetricKey destroys the rotated poison record symmetric key at the given index.

func (*ServerKeyStore) GenerateClientIDSymmetricKey

func (s *ServerKeyStore) GenerateClientIDSymmetricKey(clientID []byte) error

GenerateClientIDSymmetricKey generates new storage symmetric key used by given client.

func (*ServerKeyStore) GenerateDataEncryptionKeys

func (s *ServerKeyStore) GenerateDataEncryptionKeys(clientID []byte) error

GenerateDataEncryptionKeys generates new storage keypair used by given client.

func (*ServerKeyStore) GenerateHmacKey

func (s *ServerKeyStore) GenerateHmacKey(clientID []byte) error

GenerateHmacKey generates new symmetric key for token HMAC for given client.

func (*ServerKeyStore) GenerateLogKey

func (s *ServerKeyStore) GenerateLogKey() error

GenerateLogKey generates new audit log symmetric key.

func (*ServerKeyStore) GeneratePoisonKeyPair

func (s *ServerKeyStore) GeneratePoisonKeyPair() error

GeneratePoisonKeyPair generates new poison keypair, saving it in the storage. Old keypair is rotated.

func (*ServerKeyStore) GeneratePoisonSymmetricKey

func (s *ServerKeyStore) GeneratePoisonSymmetricKey() error

GeneratePoisonSymmetricKey generates new poison record symmetric key.

func (*ServerKeyStore) GetClientIDEncryptionPublicKey

func (s *ServerKeyStore) GetClientIDEncryptionPublicKey(clientID []byte) (*keys.PublicKey, error)

GetClientIDEncryptionPublicKey retrieves public key used to encrypt data by given client.

func (*ServerKeyStore) GetClientIDSymmetricKey

func (s *ServerKeyStore) GetClientIDSymmetricKey(clientID []byte) ([]byte, error)

GetClientIDSymmetricKey retrieves the latest symmetric key used to encrypt data by the given client.

func (*ServerKeyStore) GetClientIDSymmetricKeys

func (s *ServerKeyStore) GetClientIDSymmetricKeys(clientID []byte) ([][]byte, error)

GetClientIDSymmetricKeys retrieves all symmetric keys used to decrypt data by given client. The keys are returned from newest to oldest.

func (*ServerKeyStore) GetHMACSecretKey

func (s *ServerKeyStore) GetHMACSecretKey(clientID []byte) ([]byte, error)

GetHMACSecretKey retrieves current symmetric key for token HMAC for given client.

func (*ServerKeyStore) GetLogSecretKey

func (s *ServerKeyStore) GetLogSecretKey() ([]byte, error)

GetLogSecretKey retrieves audit log symmetric key.

func (*ServerKeyStore) GetPoisonKeyPair

func (s *ServerKeyStore) GetPoisonKeyPair() (*keys.Keypair, error)

GetPoisonKeyPair retrieves current poison EC keypair. Returns ErrKeysNotFound if the keypair doesn't exist.

func (*ServerKeyStore) GetPoisonPrivateKeys

func (s *ServerKeyStore) GetPoisonPrivateKeys() ([]*keys.PrivateKey, error)

GetPoisonPrivateKeys returns all private keys used to decrypt poison records, from newest to oldest. Returns ErrKeysNotFound if the keys don't exist.

func (*ServerKeyStore) GetPoisonSymmetricKey

func (s *ServerKeyStore) GetPoisonSymmetricKey() ([]byte, error)

GetPoisonSymmetricKey returns latest symmetric key for encryption of poison records with AcraBlock. Returns ErrKeysNotFound if the keys don't exist.

func (*ServerKeyStore) GetPoisonSymmetricKeys

func (s *ServerKeyStore) GetPoisonSymmetricKeys() ([][]byte, error)

GetPoisonSymmetricKeys returns all symmetric keys used to decrypt poison records with AcraBlock, from newest to oldest. Returns ErrKeysNotFound if the keys don't exist.

func (*ServerKeyStore) GetServerDecryptionPrivateKey

func (s *ServerKeyStore) GetServerDecryptionPrivateKey(clientID []byte) (*keys.PrivateKey, error)

GetServerDecryptionPrivateKey retrieves private key used to decrypt data by given client.

func (*ServerKeyStore) GetServerDecryptionPrivateKeys

func (s *ServerKeyStore) GetServerDecryptionPrivateKeys(clientID []byte) ([]*keys.PrivateKey, error)

GetServerDecryptionPrivateKeys retrieves all private keys used to decrypt data by the given client. The keys are returned from newest to oldest.

func (*ServerKeyStore) ImportKeyFileV1

func (s *ServerKeyStore) ImportKeyFileV1(oldKeyStore filesystemV1.KeyExport, key filesystemV1.ExportedKey) error

ImportKeyFileV1 transfers key data from keystore version 1.

func (*ServerKeyStore) ListKeys

func (s *ServerKeyStore) ListKeys() ([]keystore.KeyDescription, error)

ListKeys enumerates keys present in the keystore.

func (*ServerKeyStore) ListRotatedKeys

func (s *ServerKeyStore) ListRotatedKeys() ([]keystore.KeyDescription, error)

ListRotatedKeys enumerates rotated keys present in the keystore.

func (*ServerKeyStore) Reset

func (s *ServerKeyStore) Reset()

Reset is a compatibility method that does nothing. In KeyStoreV1 this method is used to reset cache. KeyStoreV2 currently does not support key caching so there is nothing to reset.

func (*ServerKeyStore) SaveDataEncryptionKeys

func (s *ServerKeyStore) SaveDataEncryptionKeys(clientID []byte, keypair *keys.Keypair) error

SaveDataEncryptionKeys overwrites storage keypair used by given client.

type TranslatorKeyStore

type TranslatorKeyStore struct {
	ServerKeyStore
}

TranslatorKeyStore provides access to Acra Keystore for AcraTranslator.

This is the same as ServerKeyStore, but with AcraTranslator transport keys.

func NewTranslatorKeyStore

func NewTranslatorKeyStore(keyStore api.MutableKeyStore) *TranslatorKeyStore

NewTranslatorKeyStore configures keystore for AcraTranslator.

Directories

Path               Synopsis
api                Package api describes API of Acra Keystore version 2.
tests              Package tests provides conformity test suite for KeyStore API.
asn1               Package asn1 contains descriptions of ASN.1 data structures used by Keystore.
crypto             Package crypto provides implementations of cryptographic algorithms used by KeyStore.
filesystem         Package filesystem provides a common filesystem-based implementation of KeyStore.
backend            Package backend provides a common filesystem Backend interface for filesystem.KeyStore as well as some basic implementations of it.
backend/api        Package api defines abstract backend interface.
backend/api/tests  Package tests provides conformity test suite for KeyStore Backend API.
signature          Package signature implements generation and verification of signatures used by KeyStore to authenticate stored key data.
