Documentation ¶
Overview ¶
Package keys defines common interfaces for Teleport client keys.
Index ¶
- Constants
- func IsPrivateKeyPolicyError(err error) bool
- func IsRSAPrivateKey(privKey []byte) bool
- func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)
- func MarshalPrivateKey(key crypto.Signer) ([]byte, error)
- func NewPrivateKeyPolicyError(p PrivateKeyPolicy) error
- func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error)
- type AttestationData
- type AttestationStatement
- type HardwareSigner
- type PIVSlot
- type PrivateKey
- func GetYubiKeyPrivateKey(ctx context.Context, policy PrivateKeyPolicy, slot PIVSlot) (*PrivateKey, error)
- func LoadKeyPair(privFile, sshPubFile string) (*PrivateKey, error)
- func LoadPrivateKey(keyFile string) (*PrivateKey, error)
- func NewPrivateKey(signer crypto.Signer, keyPEM []byte) (*PrivateKey, error)
- func ParseKeyPair(privPEM, marshalledSSHPub []byte) (*PrivateKey, error)
- func ParsePrivateKey(keyPEM []byte) (*PrivateKey, error)
- func (k *PrivateKey) GetAttestationStatement() *AttestationStatement
- func (k *PrivateKey) GetPrivateKeyPolicy() PrivateKeyPolicy
- func (k *PrivateKey) MarshalSSHPublicKey() []byte
- func (k *PrivateKey) PPKFile() ([]byte, error)
- func (k *PrivateKey) PrivateKeyPEM() []byte
- func (k *PrivateKey) RSAPrivateKeyPEM() ([]byte, error)
- func (k *PrivateKey) SSHPublicKey() ssh.PublicKey
- func (k *PrivateKey) TLSCertificate(certPEMBlock []byte) (tls.Certificate, error)
- type PrivateKeyPolicy
Constants ¶
const ( PKCS1PrivateKeyType = "RSA PRIVATE KEY" PKCS8PrivateKeyType = "PRIVATE KEY" ECPrivateKeyType = "EC PRIVATE KEY" )
Variables ¶
This section is empty.
Functions ¶
func IsPrivateKeyPolicyError ¶
IsPrivateKeyPolicyError returns true if the given error is a private key policy error.
func IsRSAPrivateKey ¶
IsRSAPrivateKey returns true if the given private key is an RSA private key. This function does a similar check to ParsePrivateKey, followed by key.RSAPrivateKeyPEM() without parsing the private fully into a crypto.Signer. This reduces the time it takes to check if a private key is an RSA private key and improves the performance compared to ParsePrivateKey by a factor of 20.
func LoadX509KeyPair ¶
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)
LoadX509KeyPair parse a tls.Certificate from a private key file and certificate file. This should be used instead of tls.LoadX509KeyPair to support non-raw private keys, like PIV keys.
func MarshalPrivateKey ¶
MarshalPrivateKey will return a PEM encoded crypto.Signer. Only supports rsa, ecdsa, and ed25519 keys.
func NewPrivateKeyPolicyError ¶
func NewPrivateKeyPolicyError(p PrivateKeyPolicy) error
func X509KeyPair ¶
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error)
X509KeyPair parse a tls.Certificate from a private key PEM and certificate PEM. This should be used instead of tls.X509KeyPair to support non-raw private keys, like PIV keys.
Types ¶
type AttestationData ¶
type AttestationData struct { // PublicKeyDER is the public key in PKIX, ASN.1 DER form. PublicKeyDER []byte `json:"public_key"` // PrivateKeyPolicy specifies the private key policy supported by the associated private key. PrivateKeyPolicy PrivateKeyPolicy `json:"private_key_policy"` // SerialNumber is the serial number of the Attested hardware key. SerialNumber uint32 `json:"serial_number"` }
AttestationData is verified attestation data for a public key.
type AttestationStatement ¶
type AttestationStatement attestation.AttestationStatement
AttestationStatement is an attestation statement for a hardware private key that supports json marshaling through the standard json/encoding package.
func AttestationStatementFromProto ¶
func AttestationStatementFromProto(att *attestation.AttestationStatement) *AttestationStatement
AttestationStatementFromProto converts an AttestationStatement from its protobuf form.
func (*AttestationStatement) MarshalJSON ¶
func (ar *AttestationStatement) MarshalJSON() ([]byte, error)
MarshalJSON implements custom protobuf json marshaling.
func (*AttestationStatement) ToProto ¶
func (ar *AttestationStatement) ToProto() *attestation.AttestationStatement
ToProto converts this AttestationStatement to its protobuf form.
func (*AttestationStatement) UnmarshalJSON ¶
func (ar *AttestationStatement) UnmarshalJSON(buf []byte) error
UnmarshalJSON implements custom protobuf json unmarshaling.
type HardwareSigner ¶
type HardwareSigner interface { crypto.Signer // GetAttestationStatement returns an AttestationStatement for this private key. GetAttestationStatement() *AttestationStatement // GetPrivateKeyPolicy returns the PrivateKeyPolicy supported by this private key. GetPrivateKeyPolicy() PrivateKeyPolicy }
HardwareSigner is a crypto.Signer which can be attested as being backed by a hardware key. This enables the ability to enforce hardware key private key policies.
type PrivateKey ¶
PrivateKey implements crypto.Signer with additional helper methods. The underlying private key may be a standard crypto.Signer implemented in the standard library (aka *rsa.PrivateKey, *ecdsa.PrivateKey, or ed25519.PrivateKey), or it may be a custom implementation for a non-standard private key, such as a hardware key.
func GetYubiKeyPrivateKey ¶
func GetYubiKeyPrivateKey(ctx context.Context, policy PrivateKeyPolicy, slot PIVSlot) (*PrivateKey, error)
GetYubiKeyPrivateKey attempt to retrieve a YubiKey private key matching the given hardware key policy from the given slot. If slot is unspecified, the default slot for the given key policy will be used. If the slot is empty, a new private key matching the given policy will be generated in the slot.
- hardware_key: 9a
- hardware_key_touch: 9c
- hardware_key_pin: 9d
- hardware_key_touch_pin: 9e
func LoadKeyPair ¶
func LoadKeyPair(privFile, sshPubFile string) (*PrivateKey, error)
LoadKeyPair returns the PrivateKey for the given private and public key files.
func LoadPrivateKey ¶
func LoadPrivateKey(keyFile string) (*PrivateKey, error)
LoadPrivateKey returns the PrivateKey for the given key file.
func NewPrivateKey ¶
func NewPrivateKey(signer crypto.Signer, keyPEM []byte) (*PrivateKey, error)
NewPrivateKey returns a new PrivateKey for the given crypto.Signer.
func ParseKeyPair ¶
func ParseKeyPair(privPEM, marshalledSSHPub []byte) (*PrivateKey, error)
ParseKeyPair returns the PrivateKey for the given private and public key PEM blocks.
func ParsePrivateKey ¶
func ParsePrivateKey(keyPEM []byte) (*PrivateKey, error)
ParsePrivateKey returns the PrivateKey for the given key PEM block.
func (*PrivateKey) GetAttestationStatement ¶
func (k *PrivateKey) GetAttestationStatement() *AttestationStatement
GetAttestationStatement returns this key's AttestationStatement. If the key is not a hardware-backed key, this method returns nil.
func (*PrivateKey) GetPrivateKeyPolicy ¶
func (k *PrivateKey) GetPrivateKeyPolicy() PrivateKeyPolicy
GetPrivateKeyPolicy returns this key's PrivateKeyPolicy.
func (*PrivateKey) MarshalSSHPublicKey ¶
func (k *PrivateKey) MarshalSSHPublicKey() []byte
SSHPublicKey returns the ssh.PublicKey representiation of the public key.
func (*PrivateKey) PPKFile ¶
func (k *PrivateKey) PPKFile() ([]byte, error)
PPKFile returns a PuTTY PPK-formatted keypair
func (*PrivateKey) PrivateKeyPEM ¶
func (k *PrivateKey) PrivateKeyPEM() []byte
PrivateKeyPEM returns PEM encoded private key data. This may be data necessary to retrieve the key, such as a YubiKey serial number and slot, or it can be a PKCS marshaled private key.
The resulting PEM encoded data should only be decoded with ParsePrivateKey to prevent errors from parsing non PKCS marshaled keys, such as a PIV key.
func (*PrivateKey) RSAPrivateKeyPEM ¶
func (k *PrivateKey) RSAPrivateKeyPEM() ([]byte, error)
RSAPrivateKeyPEM returns a PEM encoded RSA private key for the given key. If the given key is not an RSA key, then an error will be returned.
This is used by some integrations which currently only support raw RSA private keys, like Kubernetes, MongoDB, and PPK files for windows.
func (*PrivateKey) SSHPublicKey ¶
func (k *PrivateKey) SSHPublicKey() ssh.PublicKey
SSHPublicKey returns the ssh.PublicKey representiation of the public key.
func (*PrivateKey) TLSCertificate ¶
func (k *PrivateKey) TLSCertificate(certPEMBlock []byte) (tls.Certificate, error)
TLSCertificate parses the given TLS certificate(s) paired with the private key to rerturn a tls.Certificate, ready to be used in a TLS handshake.
type PrivateKeyPolicy ¶
type PrivateKeyPolicy string
PrivateKeyPolicy is a requirement for client private key storage.
const ( // PrivateKeyPolicyNone means that the client can store their private keys // anywhere (usually on disk). PrivateKeyPolicyNone PrivateKeyPolicy = "none" // PrivateKeyPolicyHardwareKey means that the client must use a valid // hardware key to generate and store their private keys securely. PrivateKeyPolicyHardwareKey PrivateKeyPolicy = "hardware_key" // PrivateKeyPolicyHardwareKeyTouch means that the client must use a valid // hardware key to generate and store their private keys securely, and // this key must require touch to be accessed and used. PrivateKeyPolicyHardwareKeyTouch PrivateKeyPolicy = "hardware_key_touch" // PrivateKeyPolicyHardwareKeyPIN means that the client must use a valid // hardware key to generate and store their private keys securely, and // this key must require pin to be accessed and used. PrivateKeyPolicyHardwareKeyPIN PrivateKeyPolicy = "hardware_key_pin" // PrivateKeyPolicyHardwareKeyTouchAndPIN means that the client must use a valid // hardware key to generate and store their private keys securely, and // this key must require touch and pin to be accessed and used. PrivateKeyPolicyHardwareKeyTouchAndPIN PrivateKeyPolicy = "hardware_key_touch_and_pin" // PrivateKeyPolicyWebSession is a special case used for Web Sessions. This policy // implies that the client private key and certificate are stored in the Proxy // Process Memory and Auth Storage. These certs do not leave the Proxy/Auth // services, but the Web Client receives a Web Cookie which can be used to // make requests with the server-side client key+cert. // // This policy does not provide the same hardware key guarantee as the above policies. // Instead, this policy must be accompanied by WebAuthn prompts for important operations // in order to pass hardware key policy requirements. PrivateKeyPolicyWebSession PrivateKeyPolicy = "web_session" )
func ParsePrivateKeyPolicyError ¶
func ParsePrivateKeyPolicyError(err error) (PrivateKeyPolicy, error)
ParsePrivateKeyPolicyError checks if the given error is a private key policy error and returns the contained unsatisfied PrivateKeyPolicy.
func PolicyThatSatisfiesSet ¶
func PolicyThatSatisfiesSet(policies []PrivateKeyPolicy) (PrivateKeyPolicy, error)
PolicyThatSatisfiesSet returns least restrictive policy necessary to satisfy the given set of policies.
func (PrivateKeyPolicy) IsHardwareKeyPolicy ¶
func (p PrivateKeyPolicy) IsHardwareKeyPolicy() bool
IsHardwareKeyPolicy return true if this private key policy requires a hardware key.
func (PrivateKeyPolicy) IsSatisfiedBy ¶
func (requiredPolicy PrivateKeyPolicy) IsSatisfiedBy(keyPolicy PrivateKeyPolicy) bool
IsSatisfiedBy returns whether this key policy is satisfied by the given key policy.
func (PrivateKeyPolicy) MFAVerified ¶
func (p PrivateKeyPolicy) MFAVerified() bool
MFAVerified checks that private keys with this key policy count as MFA verified. Both Hardware key touch and pin are count as MFA verification.
Note: MFA checks with private key policies are only performed during the establishment of the connection, during the TLS/SSH handshake. For long term connections, MFA should be re-verified through other methods (e.g. webauthn).
func (PrivateKeyPolicy) VerifyPolicy ¶
func (requiredPolicy PrivateKeyPolicy) VerifyPolicy(keyPolicy PrivateKeyPolicy) error
Deprecated in favor of IsSatisfiedBy. TODO(Joerger): delete once reference in /e is replaced.