README
¶
Signer and Decrypter for Azure KeyVault
This Go package wraps Azure KeyVault, sign and decrypt, into Golang crypto.Signer and crypto.Decrypter. The private key is protected by Azure KeyVault and no direct access from app.
Examples
Permissions required
Keep minimal permision to protect the private keys. No extra permission required if API is not in use.
- Public() keys/get
- Signer.Sign() keys/sign
- Decrypter.Decrypt() keys/decrypt
Documentation
¶
Overview ¶
Example (HttpsServer) ¶
// https server using azure keyvault
vaultBaseURL := "https://<xxxx>.vault.azure.net/"
keyName := "<key>"
// config using client access key
credential, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
panic(err)
}
keyClient, err := azkeys.NewClient(vaultBaseURL, credential, nil)
if err != nil {
panic(err)
}
certClient, err := azcertificates.NewClient(vaultBaseURL, credential, nil)
if err != nil {
panic(err)
}
kv, err := azkeyvault.NewSigner(keyClient, keyName, "")
if err != nil {
panic(err)
}
l, err := net.Listen("tcp", ":9000")
if err != nil {
log.Fatal(err)
}
r, err := certClient.GetCertificate(context.Background(), keyName, "", nil)
if err != nil {
log.Fatal(err)
}
cert, err := x509.ParseCertificate(r.CER)
if err != nil {
log.Fatal(err)
}
tlsconf := &tls.Config{
Certificates: []tls.Certificate{{
Certificate: [][]byte{cert.Raw},
PrivateKey: kv,
}},
}
netln := tls.NewListener(l, tlsconf)
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "hello\n")
})
panic(http.Serve(netln, nil))
Output:
Example (SshClient) ¶
// config using client access key
vaultBaseURL := "https://<xxxx>.vault.azure.net/"
keyName := "<key>"
credential, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
panic(err)
}
keyClient, err := azkeys.NewClient(vaultBaseURL, credential, nil)
if err != nil {
panic(err)
}
kv, err := azkeyvault.NewSigner(keyClient, keyName, "")
if err != nil {
panic(err)
}
signer, err := ssh.NewSignerFromSigner(kv)
if err != nil {
panic(err)
}
fmt.Printf(`echo "%s" >> /root/.ssh/authorized_keys`, strings.Trim(string(ssh.MarshalAuthorizedKey(signer.PublicKey())), "\n"))
fmt.Println()
client, err := ssh.Dial("tcp", "127.0.0.1:22", &ssh.ClientConfig{
User: "root",
Auth: []ssh.AuthMethod{
ssh.PublicKeys(signer),
},
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
})
if err != nil {
log.Fatal("Failed to dial: ", err)
}
defer client.Close()
// Each ClientConn can support multiple interactive sessions,
// represented by a Session.
session, err := client.NewSession()
if err != nil {
log.Fatal("Failed to create session: ", err)
}
defer session.Close()
// Once a Session is created, you can execute a single command on
// the remote side using the Run method.
var b bytes.Buffer
session.Stdout = &b
if err := session.Run("/usr/bin/whoami"); err != nil {
log.Fatal("Failed to run: " + err.Error())
}
fmt.Println(b.String())
Output:
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // ErrUnsupportedHash is returned by Signer.Sign() when the provided hash // algorithm isn't supported. ErrUnsupportedHash = fmt.Errorf("unsupported hash algorithm") )
Functions ¶
func NewDecrypter ¶
Types ¶
type DecrypterOpts ¶
type DecrypterOpts struct {
Algorithm azkeys.JSONWebKeyEncryptionAlgorithm
Context context.Context
}
type SignerOpts ¶
type SignerOpts struct {
Algorithm azkeys.JSONWebKeySignatureAlgorithm
Context context.Context
}
func (*SignerOpts) HashFunc ¶
func (o *SignerOpts) HashFunc() crypto.Hash
Source Files
Click to show internal directories.
Click to hide internal directories.