keys

package
v0.0.0-...-cdb227b Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 2, 2024 License: Apache-2.0 Imports: 18 Imported by: 25

Documentation

Overview

Package keys defines common interfaces for Teleport client keys.

Index

Constants

View Source 
const (
	PKCS1PrivateKeyType = "RSA PRIVATE KEY"
	PKCS8PrivateKeyType = "PRIVATE KEY"
	ECPrivateKeyType    = "EC PRIVATE KEY"
)

Variables

This section is empty.

Functions

func IsPrivateKeyPolicyError 

func IsPrivateKeyPolicyError(err error) bool

IsPrivateKeyPolicyError returns true if the given error is a private key policy error.

func IsRSAPrivateKey 

func IsRSAPrivateKey(privKey []byte) bool

IsRSAPrivateKey returns true if the given private key is an RSA private key. This function does a similar check to ParsePrivateKey, followed by key.RSAPrivateKeyPEM() without parsing the private fully into a crypto.Signer. This reduces the time it takes to check if a private key is an RSA private key and improves the performance compared to ParsePrivateKey by a factor of 20.

func LoadX509KeyPair 

func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)

LoadX509KeyPair parse a tls.Certificate from a private key file and certificate file. This should be used instead of tls.LoadX509KeyPair to support non-raw private keys, like PIV keys.

func MarshalPrivateKey 

func MarshalPrivateKey(key crypto.Signer) ([]byte, error)

MarshalPrivateKey will return a PEM encoded crypto.Signer. Only supports rsa, ecdsa, and ed25519 keys.

func NewPrivateKeyPolicyError 

func NewPrivateKeyPolicyError(p PrivateKeyPolicy) error

func X509KeyPair 

func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error)

X509KeyPair parse a tls.Certificate from a private key PEM and certificate PEM. This should be used instead of tls.X509KeyPair to support non-raw private keys, like PIV keys.

Types

type AttestationData 

type AttestationData struct {
	// PublicKeyDER is the public key in PKIX, ASN.1 DER form.
	PublicKeyDER []byte `json:"public_key"`
	// PrivateKeyPolicy specifies the private key policy supported by the associated private key.
	PrivateKeyPolicy PrivateKeyPolicy `json:"private_key_policy"`
	// SerialNumber is the serial number of the Attested hardware key.
	SerialNumber uint32 `json:"serial_number"`
}

AttestationData is verified attestation data for a public key.

type AttestationStatement 

type AttestationStatement attestation.AttestationStatement

AttestationStatement is an attestation statement for a hardware private key that supports json marshaling through the standard json/encoding package.

func AttestationStatementFromProto 

func AttestationStatementFromProto(att *attestation.AttestationStatement) *AttestationStatement

AttestationStatementFromProto converts an AttestationStatement from its protobuf form.

func (*AttestationStatement) MarshalJSON 

func (ar *AttestationStatement) MarshalJSON() ([]byte, error)

MarshalJSON implements custom protobuf json marshaling.

func (*AttestationStatement) ToProto 

func (ar *AttestationStatement) ToProto() *attestation.AttestationStatement

ToProto converts this AttestationStatement to its protobuf form.

func (*AttestationStatement) UnmarshalJSON 

func (ar *AttestationStatement) UnmarshalJSON(buf []byte) error

UnmarshalJSON implements custom protobuf json unmarshaling.

type HardwareSigner 

type HardwareSigner interface {
	crypto.Signer

	// GetAttestationStatement returns an AttestationStatement for this private key.
	GetAttestationStatement() *AttestationStatement

	// GetPrivateKeyPolicy returns the PrivateKeyPolicy supported by this private key.
	GetPrivateKeyPolicy() PrivateKeyPolicy
}

HardwareSigner is a crypto.Signer which can be attested as being backed by a hardware key. This enables the ability to enforce hardware key private key policies.

type PIVSlot 

type PIVSlot string

PIVSlot is the string representation of a PIV slot. e.g. "9a".

func (PIVSlot) Validate 

func (s PIVSlot) Validate() error

Validate that the PIV slot is a valid value.

type PrivateKey 

type PrivateKey struct {
	crypto.Signer
	// contains filtered or unexported fields
}

PrivateKey implements crypto.Signer with additional helper methods. The underlying private key may be a standard crypto.Signer implemented in the standard library (aka *rsa.PrivateKey, *ecdsa.PrivateKey, or ed25519.PrivateKey), or it may be a custom implementation for a non-standard private key, such as a hardware key.

func GetYubiKeyPrivateKey 

func GetYubiKeyPrivateKey(ctx context.Context, policy PrivateKeyPolicy, slot PIVSlot) (*PrivateKey, error)

GetYubiKeyPrivateKey attempt to retrieve a YubiKey private key matching the given hardware key policy from the given slot. If slot is unspecified, the default slot for the given key policy will be used. If the slot is empty, a new private key matching the given policy will be generated in the slot.

  • hardware_key: 9a
  • hardware_key_touch: 9c
  • hardware_key_pin: 9d
  • hardware_key_touch_pin: 9e

func LoadKeyPair 

func LoadKeyPair(privFile, sshPubFile string) (*PrivateKey, error)

LoadKeyPair returns the PrivateKey for the given private and public key files.

func LoadPrivateKey 

func LoadPrivateKey(keyFile string) (*PrivateKey, error)

LoadPrivateKey returns the PrivateKey for the given key file.

func NewPrivateKey 

func NewPrivateKey(signer crypto.Signer, keyPEM []byte) (*PrivateKey, error)

NewPrivateKey returns a new PrivateKey for the given crypto.Signer.

func ParseKeyPair 

func ParseKeyPair(privPEM, marshalledSSHPub []byte) (*PrivateKey, error)

ParseKeyPair returns the PrivateKey for the given private and public key PEM blocks.

func ParsePrivateKey 

func ParsePrivateKey(keyPEM []byte) (*PrivateKey, error)

ParsePrivateKey returns the PrivateKey for the given key PEM block.

func (*PrivateKey) GetAttestationStatement 

func (k *PrivateKey) GetAttestationStatement() *AttestationStatement

GetAttestationStatement returns this key's AttestationStatement. If the key is not a hardware-backed key, this method returns nil.

func (*PrivateKey) GetPrivateKeyPolicy 

func (k *PrivateKey) GetPrivateKeyPolicy() PrivateKeyPolicy

GetPrivateKeyPolicy returns this key's PrivateKeyPolicy.

func (*PrivateKey) MarshalSSHPublicKey 

func (k *PrivateKey) MarshalSSHPublicKey() []byte

SSHPublicKey returns the ssh.PublicKey representiation of the public key.

func (*PrivateKey) PPKFile 

func (k *PrivateKey) PPKFile() ([]byte, error)

PPKFile returns a PuTTY PPK-formatted keypair

func (*PrivateKey) PrivateKeyPEM 

func (k *PrivateKey) PrivateKeyPEM() []byte

PrivateKeyPEM returns PEM encoded private key data. This may be data necessary to retrieve the key, such as a YubiKey serial number and slot, or it can be a PKCS marshaled private key.

The resulting PEM encoded data should only be decoded with ParsePrivateKey to prevent errors from parsing non PKCS marshaled keys, such as a PIV key.

func (*PrivateKey) RSAPrivateKeyPEM 

func (k *PrivateKey) RSAPrivateKeyPEM() ([]byte, error)

RSAPrivateKeyPEM returns a PEM encoded RSA private key for the given key. If the given key is not an RSA key, then an error will be returned.

This is used by some integrations which currently only support raw RSA private keys, like Kubernetes, MongoDB, and PPK files for windows.

func (*PrivateKey) SSHPublicKey 

func (k *PrivateKey) SSHPublicKey() ssh.PublicKey

SSHPublicKey returns the ssh.PublicKey representiation of the public key.

func (*PrivateKey) TLSCertificate 

func (k *PrivateKey) TLSCertificate(certPEMBlock []byte) (tls.Certificate, error)

TLSCertificate parses the given TLS certificate(s) paired with the private key to rerturn a tls.Certificate, ready to be used in a TLS handshake.

type PrivateKeyPolicy 

type PrivateKeyPolicy string

PrivateKeyPolicy is a requirement for client private key storage. 

const (
	// PrivateKeyPolicyNone means that the client can store their private keys
	// anywhere (usually on disk).
	PrivateKeyPolicyNone PrivateKeyPolicy = "none"
	// PrivateKeyPolicyHardwareKey means that the client must use a valid
	// hardware key to generate and store their private keys securely.
	PrivateKeyPolicyHardwareKey PrivateKeyPolicy = "hardware_key"
	// PrivateKeyPolicyHardwareKeyTouch means that the client must use a valid
	// hardware key to generate and store their private keys securely, and
	// this key must require touch to be accessed and used.
	PrivateKeyPolicyHardwareKeyTouch PrivateKeyPolicy = "hardware_key_touch"
	// PrivateKeyPolicyHardwareKeyPIN means that the client must use a valid
	// hardware key to generate and store their private keys securely, and
	// this key must require pin to be accessed and used.
	PrivateKeyPolicyHardwareKeyPIN PrivateKeyPolicy = "hardware_key_pin"
	// PrivateKeyPolicyHardwareKeyTouchAndPIN means that the client must use a valid
	// hardware key to generate and store their private keys securely, and
	// this key must require touch and pin to be accessed and used.
	PrivateKeyPolicyHardwareKeyTouchAndPIN PrivateKeyPolicy = "hardware_key_touch_and_pin"
	// PrivateKeyPolicyWebSession is a special case used for Web Sessions. This policy
	// implies that the client private key and certificate are stored in the Proxy
	// Process Memory and Auth Storage. These certs do not leave the Proxy/Auth
	// services, but the Web Client receives a Web Cookie which can be used to
	// make requests with the server-side client key+cert.
	//
	// This policy does not provide the same hardware key guarantee as the above policies.
	// Instead, this policy must be accompanied by WebAuthn prompts for important operations
	// in order to pass hardware key policy requirements.
	PrivateKeyPolicyWebSession PrivateKeyPolicy = "web_session"
)

func ParsePrivateKeyPolicyError 

func ParsePrivateKeyPolicyError(err error) (PrivateKeyPolicy, error)

ParsePrivateKeyPolicyError checks if the given error is a private key policy error and returns the contained unsatisfied PrivateKeyPolicy.

func PolicyThatSatisfiesSet 

func PolicyThatSatisfiesSet(policies []PrivateKeyPolicy) (PrivateKeyPolicy, error)

PolicyThatSatisfiesSet returns least restrictive policy necessary to satisfy the given set of policies.

func (PrivateKeyPolicy) IsHardwareKeyPolicy 

func (p PrivateKeyPolicy) IsHardwareKeyPolicy() bool

IsHardwareKeyPolicy return true if this private key policy requires a hardware key.

func (PrivateKeyPolicy) IsSatisfiedBy 

func (requiredPolicy PrivateKeyPolicy) IsSatisfiedBy(keyPolicy PrivateKeyPolicy) bool

IsSatisfiedBy returns whether this key policy is satisfied by the given key policy.

func (PrivateKeyPolicy) MFAVerified 

func (p PrivateKeyPolicy) MFAVerified() bool

MFAVerified checks that private keys with this key policy count as MFA verified. Both Hardware key touch and pin are count as MFA verification.

Note: MFA checks with private key policies are only performed during the establishment of the connection, during the TLS/SSH handshake. For long term connections, MFA should be re-verified through other methods (e.g. webauthn).

func (PrivateKeyPolicy) VerifyPolicy 

func (requiredPolicy PrivateKeyPolicy) VerifyPolicy(keyPolicy PrivateKeyPolicy) error

Deprecated in favor of IsSatisfiedBy. TODO(Joerger): delete once reference in /e is replaced.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.