Documentation
¶
Index ¶
- func DefaultAuthorizer() autorest.Authorizer
- func EnvironmentAuthorizer() (autorest.Authorizer, error)
- func GetKeyName(keyID string) string
- func GetKeyVersion(keyID string) string
- func NewKvClient(authorizer autorest.Authorizer) (keyvault.BaseClient, error)
- type IdentifiableCoseSigner
- type IdentifiableCoseSignerFactory
- type KeyVault
- func (kv *KeyVault) GetKeyByKID(ctx context.Context, keyID string) (keyvault.KeyBundle, error)
- func (kv *KeyVault) GetKeyVersionsKeys(ctx context.Context, keyID string) ([]keyvault.KeyBundle, error)
- func (kv *KeyVault) GetLatestKey(ctx context.Context, keyName string) (keyvault.KeyBundle, error)
- func (kv *KeyVault) HashAndSign(ctx context.Context, payload []byte, keyID string, ...) ([]byte, error)
- func (kv *KeyVault) Sign(ctx context.Context, payload []byte, keyID string, ...) ([]byte, error)
- func (kv *KeyVault) Verify(ctx context.Context, signature []byte, digest []byte, keyID string, ...) (bool, error)
- type KeyVaultCoseSigner
- func (kv *KeyVaultCoseSigner) Algorithm() cose.Algorithm
- func (kv *KeyVaultCoseSigner) KeyIdentifier() string
- func (kv *KeyVaultCoseSigner) KeyLocation() string
- func (kv *KeyVaultCoseSigner) PublicKey() (*ecdsa.PublicKey, error)
- func (kv *KeyVaultCoseSigner) Sign(rand io.Reader, content []byte) ([]byte, error)
- type KeyVaultCoseSignerFactory
- type SecretEntry
- type SecretVault
- func (k *SecretVault) GetOrgKey(ctx context.Context, id string) (*ecdsa.PrivateKey, error)
- func (k *SecretVault) ListSecrets(ctx context.Context, prefix string, tags map[string]string) (map[string]SecretEntry, error)
- func (k *SecretVault) ReadSecret(ctx context.Context, id string) (*SecretEntry, error)
- type TestCoseSigner
- type TestCoseSignerFactory
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DefaultAuthorizer ¶
func DefaultAuthorizer() autorest.Authorizer
DefaultAuthorizer creates an authorizer which expects to work in cluster using an aad-podidentiy to acquire an oauth2 access token. This authorizer is used automatically if none is specified on the SecretVault
func EnvironmentAuthorizer ¶
func EnvironmentAuthorizer() (autorest.Authorizer, error)
func GetKeyVersion ¶
GetKeyVersion gets the version of the given key
func NewKvClient ¶
func NewKvClient(authorizer autorest.Authorizer) (keyvault.BaseClient, error)
NewKvClient create a keyvault.BaseClient. If auth is nil, the DefaultAuthorizer is used
Types ¶
type IdentifiableCoseSigner ¶ added in v0.13.6
type IdentifiableCoseSigner interface {
cose.Signer
PublicKey() (*ecdsa.PublicKey, error)
KeyIdentifier() string
KeyLocation() string
}
IdentifiableCoseSigner represents a Cose1 signer that has additional methods to provide sufficient information to verify the signed product (an identifier for the signing key and the public key.)
type IdentifiableCoseSignerFactory ¶ added in v0.13.6
type IdentifiableCoseSignerFactory interface {
NewIdentifiableCoseSigner(ctx context.Context) (IdentifiableCoseSigner, error)
}
IdentifiableCoseSignerFactory is for creating IdentifiableCoseSigners. The reason for a factory here is that we can always create a fresh instance, capturing the latest key information at that point in time.
func NewTestCoseSignerFactory ¶ added in v0.13.6
func NewTestCoseSignerFactory(t *testing.T, signingKey ecdsa.PrivateKey) IdentifiableCoseSignerFactory
type KeyVault ¶
type KeyVault struct {
Authorizer autorest.Authorizer // optional, nil for production
// contains filtered or unexported fields
}
KeyVault is the azure keyvault client for interacting with keyvault keys
func NewKeyVault ¶
NewKeyVault creates a new keyvault client
func (*KeyVault) GetKeyByKID ¶
GetKeyByKID gets the key by its KID
func (*KeyVault) GetKeyVersionsKeys ¶
func (kv *KeyVault) GetKeyVersionsKeys( ctx context.Context, keyID string, ) ([]keyvault.KeyBundle, error)
GetKeyVersionsKeys returns all the keys, for all the versions of the identified key.
The keys returned are the public half of the asymetric keys
func (*KeyVault) GetLatestKey ¶
func (kv *KeyVault) GetLatestKey( ctx context.Context, keyName string, ) (keyvault.KeyBundle, error)
GetLatestKey returns the latest version of the identified key
func (*KeyVault) HashAndSign ¶ added in v0.12.16
func (kv *KeyVault) HashAndSign( ctx context.Context, payload []byte, keyID string, algorithm keyvault.JSONWebKeySignatureAlgorithm, ) ([]byte, error)
Sign signs a hash of a given payload
type KeyVaultCoseSigner ¶ added in v0.13.6
type KeyVaultCoseSigner struct {
*KeyVault
// contains filtered or unexported fields
}
KeyVaultCoseSigner is the azure keyvault client for interacting with keyvault keys using a cose.Signer interface
func (*KeyVaultCoseSigner) Algorithm ¶ added in v0.13.6
func (kv *KeyVaultCoseSigner) Algorithm() cose.Algorithm
Algorithm gets the cose algorithm for the key
func (*KeyVaultCoseSigner) KeyIdentifier ¶ added in v0.13.6
func (kv *KeyVaultCoseSigner) KeyIdentifier() string
KeyIdentifier returns the essential information to identify the key, apart from any platform specific format (i.e. the Azure URL.) It takes the form: <location>:<key name>/<key version>. The location helps us identify where this key is stored. In this case, its azure key vault
func (*KeyVaultCoseSigner) KeyLocation ¶ added in v0.13.6
func (kv *KeyVaultCoseSigner) KeyLocation() string
KeyLocation returns an identifier for the place where the key is stored, used by the KeyIdentifier implementation.
type KeyVaultCoseSignerFactory ¶ added in v0.13.6
type KeyVaultCoseSignerFactory struct {
// contains filtered or unexported fields
}
KeyVaultCoseSignerFactory creates instances of our Azure KeyVault implementation of IdentifiableCoseSigner. The keyvault configuration is stored on the object and new instances can be created without caller knowledge of it.
func NewKeyVaultCoseSignerFactory ¶ added in v0.13.6
func NewKeyVaultCoseSignerFactory(keyVaultURL string, keyName string) *KeyVaultCoseSignerFactory
NewKeyVaultCoseSignerFactory returns a new instance of the factory, storing the keyvault config
func (*KeyVaultCoseSignerFactory) NewIdentifiableCoseSigner ¶ added in v0.13.6
func (f *KeyVaultCoseSignerFactory) NewIdentifiableCoseSigner(ctx context.Context) (IdentifiableCoseSigner, error)
NewIdentifiableCoseSigner creates a new keyvault configuration that signs with ES384 using the latest version of the named key
type SecretEntry ¶
type SecretVault ¶
type SecretVault struct {
Name string
Authorizer autorest.Authorizer // optional, nil for production
}
func (*SecretVault) GetOrgKey ¶
func (k *SecretVault) GetOrgKey( ctx context.Context, id string, ) (*ecdsa.PrivateKey, error)
func (*SecretVault) ListSecrets ¶
func (k *SecretVault) ListSecrets( ctx context.Context, prefix string, tags map[string]string, ) (map[string]SecretEntry, error)
ListSecrets whose id's match prefix and whose tags include all of the provided tags
func (*SecretVault) ReadSecret ¶
func (k *SecretVault) ReadSecret( ctx context.Context, id string, ) (*SecretEntry, error)
ReadSecret returns the identified secret metadata and value
type TestCoseSigner ¶ added in v0.13.6
type TestCoseSigner struct {
// contains filtered or unexported fields
}
TestCoseSigner implements IdentifiableCoseSigner for use with the factory setup in logconfirmer.
func NewTestCoseSigner ¶ added in v0.13.6
func NewTestCoseSigner(t *testing.T, signingKey ecdsa.PrivateKey) *TestCoseSigner
func (*TestCoseSigner) Algorithm ¶ added in v0.13.6
func (s *TestCoseSigner) Algorithm() cose.Algorithm
func (*TestCoseSigner) KeyIdentifier ¶ added in v0.13.6
func (s *TestCoseSigner) KeyIdentifier() string
func (*TestCoseSigner) KeyLocation ¶ added in v0.13.6
func (s *TestCoseSigner) KeyLocation() string
type TestCoseSignerFactory ¶ added in v0.13.6
type TestCoseSignerFactory struct {
// contains filtered or unexported fields
}
func (*TestCoseSignerFactory) NewIdentifiableCoseSigner ¶ added in v0.13.6
func (f *TestCoseSignerFactory) NewIdentifiableCoseSigner(ctx context.Context) (IdentifiableCoseSigner, error)
Source Files