vault: github.com/hashicorp/vault/sdk/helper/keysutil Index | Files

package keysutil

import "github.com/hashicorp/vault/sdk/helper/keysutil"

Index

Package Files

cache.go consts.go encrypted_key_storage.go lock_manager.go policy.go transit_lru.go transit_syncmap.go

Constants

const (
    // DefaultCacheSize is used if no cache size is specified for
    // NewEncryptedKeyStorage. This value is the number of cache entries to
    // store, not the size in bytes of the cache.
    DefaultCacheSize = 16 * 1024

    // DefaultPrefix is used if no prefix is specified for
    // NewEncryptedKeyStorage. Prefix must be defined so we can provide context
    // for the base folder.
    DefaultPrefix = "encryptedkeys/"

    // EncryptedKeyPolicyVersionTpl is a template that can be used to minimize
    // the amount of data that's stored with the ciphertext.
    EncryptedKeyPolicyVersionTpl = "{{version}}:"
)
const (
    Kdf_hmac_sha256_counter = iota // built-in helper
    Kdf_hkdf_sha256                // golang.org/x/crypto/hkdf
)

Careful with iota; don't put anything before it in this const block because we need the default of zero to be the old-style KDF

const (
    KeyType_AES256_GCM96 = iota
    KeyType_ECDSA_P256
    KeyType_ED25519
    KeyType_RSA2048
    KeyType_RSA4096
    KeyType_ChaCha20_Poly1305
    KeyType_ECDSA_P384
    KeyType_ECDSA_P521
    KeyType_AES128_GCM96
)

Or this one...we need the default of zero to be the original AES256-GCM96

const (
    // ErrTooOld is returned whtn the ciphertext or signatures's key version is
    // too old.
    ErrTooOld = "ciphertext or signature version is disallowed by policy (too old)"

    // DefaultVersionTemplate is used when no version template is provided.
    DefaultVersionTemplate = "vault:v{{version}}:"
)

Variables

var (
    HashTypeMap = map[string]HashType{
        "sha1":     HashTypeSHA1,
        "sha2-224": HashTypeSHA2224,
        "sha2-256": HashTypeSHA2256,
        "sha2-384": HashTypeSHA2384,
        "sha2-512": HashTypeSHA2512,
    }

    HashFuncMap = map[HashType]func() hash.Hash{
        HashTypeSHA1:    sha1.New,
        HashTypeSHA2224: sha256.New224,
        HashTypeSHA2256: sha256.New,
        HashTypeSHA2384: sha512.New384,
        HashTypeSHA2512: sha512.New,
    }

    MarshalingTypeMap = map[string]MarshalingType{
        "asn1": MarshalingTypeASN1,
        "jws":  MarshalingTypeJWS,
    }
)
var (
    // ErrPolicyDerivedKeys is returned if the provided policy does not use
    // derived keys. This is a requirement for this storage implementation.
    ErrPolicyDerivedKeys = errors.New("key policy must use derived keys")

    // ErrPolicyConvergentEncryption is returned if the provided policy does not use
    // convergent encryption. This is a requirement for this storage implementation.
    ErrPolicyConvergentEncryption = errors.New("key policy must use convergent encryption")

    // ErrPolicyConvergentVersion is returned if the provided policy does not use
    // a new enough convergent version. This is a requirement for this storage
    // implementation.
    ErrPolicyConvergentVersion = errors.New("key policy must use convergent version > 2")

    // ErrNilStorage is returned if the provided storage is nil.
    ErrNilStorage = errors.New("nil storage provided")

    // ErrNilPolicy is returned if the provided policy is nil.
    ErrNilPolicy = errors.New("nil policy provided")
)

type BackupInfo Uses

type BackupInfo struct {
    Time    time.Time `json:"time"`
    Version int       `json:"version"`
}

type Cache Uses

type Cache interface {
    Delete(key interface{})
    Load(key interface{}) (value interface{}, ok bool)
    Store(key, value interface{})
    Size() int
}

type EncryptedKeyStorageConfig Uses

type EncryptedKeyStorageConfig struct {
    // Policy is the key policy to use to encrypt the key paths.
    Policy *Policy

    // Prefix is the storage prefix for this instance of the EncryptedKeyStorage
    // object. This is stored in plaintext. If not set the DefaultPrefix will be
    // used.
    Prefix string

    // CacheSize is the number of elements to cache. If not set the
    // DetaultCacheSize will be used.
    CacheSize int
}

EncryptedKeyStorageConfig is used to configure an EncryptedKeyStorage object.

type EncryptedKeyStorageWrapper Uses

type EncryptedKeyStorageWrapper struct {
    // contains filtered or unexported fields
}

func NewEncryptedKeyStorageWrapper Uses

func NewEncryptedKeyStorageWrapper(config EncryptedKeyStorageConfig) (*EncryptedKeyStorageWrapper, error)

NewEncryptedKeyStorageWrapper takes an EncryptedKeyStorageConfig and returns a new EncryptedKeyStorage object.

func (*EncryptedKeyStorageWrapper) Wrap Uses

func (f *EncryptedKeyStorageWrapper) Wrap(s logical.Storage) logical.Storage

type HashType Uses

type HashType uint32
const (
    HashTypeSHA1 HashType = iota
    HashTypeSHA2224
    HashTypeSHA2256
    HashTypeSHA2384
    HashTypeSHA2512
)

type KeyData Uses

type KeyData struct {
    Policy       *Policy       `json:"policy"`
    ArchivedKeys *archivedKeys `json:"archived_keys"`
}

type KeyEntry Uses

type KeyEntry struct {
    // AES or some other kind that is a pure byte slice like ED25519
    Key []byte `json:"key"`

    // Key used for HMAC functions
    HMACKey []byte `json:"hmac_key"`

    // Time of creation
    CreationTime time.Time `json:"time"`

    EC_X *big.Int `json:"ec_x"`
    EC_Y *big.Int `json:"ec_y"`
    EC_D *big.Int `json:"ec_d"`

    RSAKey *rsa.PrivateKey `json:"rsa_key"`

    // The public key in an appropriate format for the type of key
    FormattedPublicKey string `json:"public_key"`

    // If convergent is enabled, the version (falling back to what's in the
    // policy)
    ConvergentVersion int `json:"convergent_version"`

    // This is deprecated (but still filled) in favor of the value above which
    // is more precise
    DeprecatedCreationTime int64 `json:"creation_time"`
}

KeyEntry stores the key and metadata

type KeyType Uses

type KeyType int

func (KeyType) DecryptionSupported Uses

func (kt KeyType) DecryptionSupported() bool

func (KeyType) DerivationSupported Uses

func (kt KeyType) DerivationSupported() bool

func (KeyType) EncryptionSupported Uses

func (kt KeyType) EncryptionSupported() bool

func (KeyType) HashSignatureInput Uses

func (kt KeyType) HashSignatureInput() bool

func (KeyType) SigningSupported Uses

func (kt KeyType) SigningSupported() bool

func (KeyType) String Uses

func (kt KeyType) String() string

type LockManager Uses

type LockManager struct {
    // contains filtered or unexported fields
}

func NewLockManager Uses

func NewLockManager(useCache bool, cacheSize int) (*LockManager, error)

func (*LockManager) BackupPolicy Uses

func (lm *LockManager) BackupPolicy(ctx context.Context, storage logical.Storage, name string) (string, error)

func (*LockManager) DeletePolicy Uses

func (lm *LockManager) DeletePolicy(ctx context.Context, storage logical.Storage, name string) error

func (*LockManager) GetCacheSize Uses

func (lm *LockManager) GetCacheSize() int

func (*LockManager) GetPolicy Uses

func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io.Reader) (retP *Policy, retUpserted bool, retErr error)

When the function returns, if caching was disabled, the Policy's lock must be unlocked when the caller is done (and it should not be re-locked).

func (*LockManager) GetUseCache Uses

func (lm *LockManager) GetUseCache() bool

func (*LockManager) InvalidatePolicy Uses

func (lm *LockManager) InvalidatePolicy(name string)

func (*LockManager) RestorePolicy Uses

func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string, force bool) error

RestorePolicy acquires an exclusive lock on the policy name and restores the given policy along with the archive.

type MarshalingType Uses

type MarshalingType uint32
const (
    MarshalingTypeASN1 MarshalingType = iota
    MarshalingTypeJWS
)

type Policy Uses

type Policy struct {
    Name string      `json:"name"`
    Key  []byte      `json:"key,omitempty"` //DEPRECATED
    Keys keyEntryMap `json:"keys"`

    // Derived keys MUST provide a context and the master underlying key is
    // never used. If convergent encryption is true, the context will be used
    // as the nonce as well.
    Derived              bool `json:"derived"`
    KDF                  int  `json:"kdf"`
    ConvergentEncryption bool `json:"convergent_encryption"`

    // Whether the key is exportable
    Exportable bool `json:"exportable"`

    // The minimum version of the key allowed to be used for decryption
    MinDecryptionVersion int `json:"min_decryption_version"`

    // The minimum version of the key allowed to be used for encryption
    MinEncryptionVersion int `json:"min_encryption_version"`

    // The latest key version in this policy
    LatestVersion int `json:"latest_version"`

    // The latest key version in the archive. We never delete these, so this is
    // a max.
    ArchiveVersion int `json:"archive_version"`

    // ArchiveMinVersion is the minimum version of the key in the archive.
    ArchiveMinVersion int `json:"archive_min_version"`

    // MinAvailableVersion is the minimum version of the key present. All key
    // versions before this would have been deleted.
    MinAvailableVersion int `json:"min_available_version"`

    // Whether the key is allowed to be deleted
    DeletionAllowed bool `json:"deletion_allowed"`

    // The version of the convergent nonce to use
    ConvergentVersion int `json:"convergent_version"`

    // The type of key
    Type KeyType `json:"type"`

    // BackupInfo indicates the information about the backup action taken on
    // this policy
    BackupInfo *BackupInfo `json:"backup_info"`

    // RestoreInfo indicates the information about the restore action taken on
    // this policy
    RestoreInfo *RestoreInfo `json:"restore_info"`

    // AllowPlaintextBackup allows taking backup of the policy in plaintext
    AllowPlaintextBackup bool `json:"allow_plaintext_backup"`

    // VersionTemplate is used to prefix the ciphertext with information about
    // the key version. It must inclide {{version}} and a delimiter between the
    // version prefix and the ciphertext.
    VersionTemplate string `json:"version_template"`

    // StoragePrefix is used to add a prefix when storing and retrieving the
    // policy object.
    StoragePrefix string `json:"storage_prefix"`
    // contains filtered or unexported fields
}

Policy is the struct used to store metadata

func LoadPolicy Uses

func LoadPolicy(ctx context.Context, s logical.Storage, path string) (*Policy, error)

LoadPolicy will load a policy from the provided storage path and set the necessary un-exported variables. It is particularly useful when accessing a policy without the lock manager.

func NewPolicy Uses

func NewPolicy(config PolicyConfig) *Policy

NewPolicy takes a policy config and returns a Policy with those settings.

func (*Policy) Backup Uses

func (p *Policy) Backup(ctx context.Context, storage logical.Storage) (out string, retErr error)

Backup should be called with an exclusive lock held on the policy

func (*Policy) Decrypt Uses

func (p *Policy) Decrypt(context, nonce []byte, value string) (string, error)

func (*Policy) DeriveKey Uses

func (p *Policy) DeriveKey(context []byte, ver, numBytes int) ([]byte, error)

DeriveKey is used to derive the encryption key that should be used depending on the policy. If derivation is disabled the raw key is used and no context is required, otherwise the KDF mode is used with the context to derive the proper key.

func (*Policy) Encrypt Uses

func (p *Policy) Encrypt(ver int, context, nonce []byte, value string) (string, error)

func (*Policy) HMACKey Uses

func (p *Policy) HMACKey(version int) ([]byte, error)

func (*Policy) LoadArchive Uses

func (p *Policy) LoadArchive(ctx context.Context, storage logical.Storage) (*archivedKeys, error)

func (*Policy) Lock Uses

func (p *Policy) Lock(exclusive bool)

func (*Policy) MigrateKeyToKeysMap Uses

func (p *Policy) MigrateKeyToKeysMap()

func (*Policy) NeedsUpgrade Uses

func (p *Policy) NeedsUpgrade() bool

func (*Policy) Persist Uses

func (p *Policy) Persist(ctx context.Context, storage logical.Storage) (retErr error)

func (*Policy) Rotate Uses

func (p *Policy) Rotate(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)

func (*Policy) Serialize Uses

func (p *Policy) Serialize() ([]byte, error)

func (*Policy) Sign Uses

func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, sigAlgorithm string, marshaling MarshalingType) (*SigningResult, error)

func (*Policy) Unlock Uses

func (p *Policy) Unlock()

func (*Policy) Upgrade Uses

func (p *Policy) Upgrade(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)

func (*Policy) VerifySignature Uses

func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, sigAlgorithm string, marshaling MarshalingType, sig string) (bool, error)

type PolicyConfig Uses

type PolicyConfig struct {
    // The name of the policy
    Name string `json:"name"`

    // The type of key
    Type KeyType

    // Derived keys MUST provide a context and the master underlying key is
    // never used.
    Derived              bool
    KDF                  int
    ConvergentEncryption bool

    // Whether the key is exportable
    Exportable bool

    // Whether the key is allowed to be deleted
    DeletionAllowed bool

    // AllowPlaintextBackup allows taking backup of the policy in plaintext
    AllowPlaintextBackup bool

    // VersionTemplate is used to prefix the ciphertext with information about
    // the key version. It must inclide {{version}} and a delimiter between the
    // version prefix and the ciphertext.
    VersionTemplate string

    // StoragePrefix is used to add a prefix when storing and retrieving the
    // policy object.
    StoragePrefix string
}

PolicyConfig is used to create a new policy

type PolicyRequest Uses

type PolicyRequest struct {
    // The storage to use
    Storage logical.Storage

    // The name of the policy
    Name string

    // The key type
    KeyType KeyType

    // Whether it should be derived
    Derived bool

    // Whether to enable convergent encryption
    Convergent bool

    // Whether to allow export
    Exportable bool

    // Whether to upsert
    Upsert bool

    // Whether to allow plaintext backup
    AllowPlaintextBackup bool
}

PolicyRequest holds values used when requesting a policy. Most values are only used during an upsert.

type RestoreInfo Uses

type RestoreInfo struct {
    Time    time.Time `json:"time"`
    Version int       `json:"version"`
}

type SigningResult Uses

type SigningResult struct {
    Signature string
    PublicKey []byte
}

type TransitLRU Uses

type TransitLRU struct {
    // contains filtered or unexported fields
}

func NewTransitLRU Uses

func NewTransitLRU(size int) (*TransitLRU, error)

func (*TransitLRU) Delete Uses

func (c *TransitLRU) Delete(key interface{})

func (*TransitLRU) Load Uses

func (c *TransitLRU) Load(key interface{}) (value interface{}, ok bool)

func (*TransitLRU) Size Uses

func (c *TransitLRU) Size() int

func (*TransitLRU) Store Uses

func (c *TransitLRU) Store(key, value interface{})

type TransitSyncMap Uses

type TransitSyncMap struct {
    // contains filtered or unexported fields
}

func NewTransitSyncMap Uses

func NewTransitSyncMap() *TransitSyncMap

func (*TransitSyncMap) Delete Uses

func (c *TransitSyncMap) Delete(key interface{})

func (*TransitSyncMap) Load Uses

func (c *TransitSyncMap) Load(key interface{}) (value interface{}, ok bool)

func (*TransitSyncMap) Size Uses

func (c *TransitSyncMap) Size() int

func (*TransitSyncMap) Store Uses

func (c *TransitSyncMap) Store(key, value interface{})

Package keysutil imports 41 packages (graph) and is imported by 3 packages. Updated 2019-10-18. Refresh now. Tools for package owners.