keysharecore

package

v0.15.2 Latest Latest Go to latest Published: Mar 20, 2024 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/privacybydesign/irmago

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type AESKey
- func GenerateDecryptionKey() (AESKey, error)
type Configuration
type Core
- func NewKeyshareCore(conf *Configuration) *Core
type UserSecrets

Constants ¶

View Source

const (
	JWTIssuerDefault    = "keyshare_server"
	JWTPinExpiryDefault = 5 * 60 // seconds
)

View Source

const ChallengeJWTMaxExpiry = 6 * time.Minute

ChallengeJWTMaxExpiry is the maximum exp (expiry) that we allow JWTs to have with which calls to GenerateChallenge() (i.e. /users/verify_start) are authenticated.

Variables ¶

View Source

var (
	ErrInvalidPin                = errors.New("invalid pin")
	ErrPinTooLong                = errors.New("pin too long")
	ErrInvalidChallenge          = errors.New("challenge out of bounds")
	ErrInvalidJWT                = errors.New("invalid jwt token")
	ErrExpiredJWT                = errors.New("jwt expired")
	ErrKeyNotFound               = errors.New("public key not found")
	ErrUnknownCommit             = errors.New("unknown commit id")
	ErrChallengeResponseRequired = errors.New("challenge-response authentication required")
	ErrWrongChallenge            = errors.New("wrong challenge")
)

View Source

var (
	ErrKeyshareSecretTooBig   = errors.New("Keyshare secret too big to store")
	ErrKeyshareSecretNegative = errors.New("Keyshare secret negative")
	ErrNoSuchKey              = errors.New("Key identifier unknown")
)

Functions ¶

This section is empty.

Types ¶

type AESKey ¶

type AESKey [32]byte

func GenerateDecryptionKey ¶

func GenerateDecryptionKey() (AESKey, error)

type Configuration ¶

type Configuration struct {
	// Keys used for storage encryption/decryption
	DecryptionKey   AESKey
	DecryptionKeyID uint32

	// Key used to sign keyshare protocol messages
	JWTPrivateKey   *rsa.PrivateKey
	JWTPrivateKeyID uint32

	JWTIssuer    string
	JWTPinExpiry int // in seconds
}

type Core ¶

type Core struct {
	// contains filtered or unexported fields
}

func NewKeyshareCore ¶

func NewKeyshareCore(conf *Configuration) *Core

func (*Core) ChangePin ¶

func (c *Core) ChangePin(secrets UserSecrets, jwtt string) (UserSecrets, error)

ChangePin changes the pin in an encrypted keyshare user secret to a new value, after validating that the request was validly signed and that the old value is known by the caller.

func (*Core) ChangePinLegacy ¶ added in v0.11.0

func (c *Core) ChangePinLegacy(secrets UserSecrets, oldpinRaw, newpinRaw string) (UserSecrets, error)

ChangePinLegacy is like ChangePin() but for legacy clients that have not yet upgraded to challenge-response.

func (*Core) DangerousAddDecryptionKey ¶

func (c *Core) DangerousAddDecryptionKey(keyID uint32, key AESKey)

DangerousAddDecryptionKey adds an AES key for decryption, with identifier keyID. Calling this will cause all keyshare secrets generated with the key to be trusted.

func (*Core) DangerousAddTrustedPublicKey ¶

func (c *Core) DangerousAddTrustedPublicKey(keyID irma.PublicKeyIdentifier, key *gabikeys.PublicKey)

DangerousAddTrustedPublicKey adds a public key as trusted by keysharecore. Calling this on incorrectly generated key material WILL compromise keyshare secrets!

func (*Core) GenerateChallenge ¶ added in v0.11.0

func (c *Core) GenerateChallenge(secrets UserSecrets, jwtt string) ([]byte, error)

func (*Core) GenerateCommitments ¶

func (c *Core) GenerateCommitments(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*gabi.ProofPCommitment, uint64, error)

GenerateCommitments generates keyshare commitments using the specified Idemix public key(s).

func (*Core) GeneratePs ¶ added in v0.14.0

func (c *Core) GeneratePs(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*big.Int, error)

GeneratePs generates a list of keyshare server P's, i.e. a list of R_0^keyshareSecret.

func (*Core) GenerateResponse ¶

func (c *Core) GenerateResponse(secrets UserSecrets, accessToken string, commitID uint64, challenge *big.Int, keyID irma.PublicKeyIdentifier) (string, error)

GenerateResponse generates the response of a zero-knowledge proof of the keyshare secret, for a given previous commit and challenge.

func (*Core) GenerateResponseV2 ¶ added in v0.14.0

func (c *Core) GenerateResponseV2(
	secrets UserSecrets,
	accessToken string,
	commitID uint64,
	hashedComms gabi.KeyshareCommitmentRequest,
	req gabi.KeyshareResponseRequest[irma.PublicKeyIdentifier],
	keyID irma.PublicKeyIdentifier,
	linkable bool) (string, error)

GenerateResponseV2 generates the response of a zero-knowledge proof of the keyshare secret, for a given previous commit and response request. In older versions of the IRMA protocol (2.8 or below), issuers need a response that is linkable to earlier issuance sessions. In this case, the ProofP.P will be set as well. The linkable parameter indicates whether the ProofP.P should be included.

func (*Core) NewUserSecrets ¶

func (c *Core) NewUserSecrets(pin string, pk *ecdsa.PublicKey) (UserSecrets, error)

NewUserSecrets generates a new keyshare secret, secured with the given pin.

func (*Core) SetUserPublicKey ¶ added in v0.11.0

func (c *Core) SetUserPublicKey(secrets UserSecrets, pin string, pk *ecdsa.PublicKey) (string, UserSecrets, error)

func (*Core) ValidateAuth ¶ added in v0.11.0

func (c *Core) ValidateAuth(secrets UserSecrets, jwtt string) (string, error)

ValidateAuth checks pin for validity and generates JWT for future access.

func (*Core) ValidateAuthLegacy ¶ added in v0.11.0

func (c *Core) ValidateAuthLegacy(secrets UserSecrets, pin string) (string, error)

ValidateAuthLegacy checks pin for validity and generates JWT for future access.

func (*Core) ValidateJWT ¶

func (c *Core) ValidateJWT(secrets UserSecrets, jwt string) error

ValidateJWT checks whether the given JWT is currently valid as an access token for operations on the provided encrypted keyshare user secrets.

type UserSecrets ¶

type UserSecrets []byte

UserSecrets contains the encrypted data of a keyshare user.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL