Documentation ¶
Index ¶
- type TransitPublicKey
- type TransitSigner
- type VaultTransitKey
- func (k *VaultTransitKey) GetPublicKeyFromTransitResponse(keyInfo *vault.Secret, version int) (crypto.PublicKey, error)
- func (k *VaultTransitKey) SetSigKeyVersion(v int)
- func (k *VaultTransitKey) Sign(inputBytes []byte, apiSigAlg string, apiHashAlg string, marshallingAlg string, ...) (string, error)
- func (k *VaultTransitKey) SyncKeyInfo() error
- func (k *VaultTransitKey) Verify(inputBytes []byte, signature string, apiSigAlg string, apiHashAlg string, ...) (bool, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type TransitPublicKey ¶
type TransitPublicKey struct {
	// pub key for JWKS
	PublicKey crypto.PublicKey
	// Version
	Version int
	// Name
	Name string
}
func NewTransitPublicKey ¶
func NewTransitPublicKey(pub crypto.PublicKey, v int, name string) *TransitPublicKey
type TransitSigner ¶
type TransitSigner struct {
	Key *VaultTransitKey
	// signature_algorithm one of "pss" or "pkcs1v15"
	SigAlg string
}
TransitSigner implements the crypto.Signer interface (https://pkg.go.dev/crypto#Signer), so a Vault transit key can be handed to any Go API that expects a private key while the key material never leaves Vault.
func NewTransitSigner ¶
func NewTransitSigner(k *VaultTransitKey, SigAlg string) *TransitSigner
NewTransitSigner builds a TransitSigner from a transit key and a signature_algorithm, one of "pss" or "pkcs1v15".
func (*TransitSigner) Public ¶
func (s *TransitSigner) Public() crypto.PublicKey
Public returns the public key corresponding to the opaque, private key.
func (*TransitSigner) Sign ¶
func (s *TransitSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
Sign signs digest with the private key, possibly using entropy from rand. For an RSA key, the resulting signature should be either a PKCS #1 v1.5 or PSS signature (as indicated by opts). For an (EC)DSA key, it should be a DER-serialised, ASN.1 signature structure.
Hash implements the SignerOpts interface and, in most cases, one can simply pass in the hash function used as opts. Sign may also attempt to type assert opts to other types in order to obtain algorithm specific values. See the documentation in each package for details.
Note that when a signature of a hash of a larger message is needed, the caller is responsible for hashing the larger message and passing the hash (as digest) and the hash function (as opts) to Sign.
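The contract described above in working code, as an added example that is not part of this package: a stand-in signer that keeps an RSA key in memory (assumption: the real TransitSigner forwards the digest to Vault transit with prehashed set, instead of holding the private key) but enforces the same rules. The caller hashes the message and passes only the digest plus the hash function, opts selects PSS or PKCS #1 v1.5 the way SigAlg does, and a digest whose length does not match the declared hash is refused. The names standInSigner, signMessage and verifyMessage are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// standInSigner plays the role of TransitSigner for this example. It keeps the
// RSA key in memory (assumption: the real TransitSigner would forward the digest
// to Vault transit with prehashed=true and never hold the private key), but it
// enforces the same crypto.Signer contract: it receives a digest plus the hash
// that produced it, never the message.
type standInSigner struct {
	priv *rsa.PrivateKey
}

// newStandInSigner generates a throwaway key; a real key would live in Vault.
func newStandInSigner(bits int) (*standInSigner, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &standInSigner{priv: priv}, nil
}

// Public returns the public half, like TransitSigner.Public.
func (s *standInSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

// Sign checks that digest matches the hash named in opts, then picks PSS when
// opts is *rsa.PSSOptions and PKCS #1 v1.5 otherwise, mirroring the
// "pss" / "pkcs1v15" SigAlg choice of TransitSigner.
func (s *standInSigner) Sign(rnd io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() == 0 {
		return nil, errors.New("opts must name the hash function used to produce digest")
	}
	if got, want := len(digest), opts.HashFunc().Size(); got != want {
		return nil, fmt.Errorf("digest is %d bytes, %v produces %d", got, opts.HashFunc(), want)
	}
	if pss, ok := opts.(*rsa.PSSOptions); ok {
		return rsa.SignPSS(rnd, s.priv, pss.Hash, digest, pss)
	}
	return rsa.SignPKCS1v15(rnd, s.priv, opts.HashFunc(), digest)
}

// pssOpts is the SignerOpts a caller passes to request a PSS signature.
func pssOpts() *rsa.PSSOptions {
	return &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
}

// signMessage is the caller's side of the contract: hash the full message
// locally and hand only the 32-byte digest (and the hash id) to the signer.
func signMessage(signer crypto.Signer, msg []byte, usePSS bool) ([]byte, error) {
	digest := sha256.Sum256(msg)
	var opts crypto.SignerOpts = crypto.SHA256
	if usePSS {
		opts = pssOpts()
	}
	return signer.Sign(rand.Reader, digest[:], opts)
}

// verifyMessage checks sig with the matching scheme; a PSS signature must not
// verify as PKCS #1 v1.5 and vice versa.
func verifyMessage(pub crypto.PublicKey, msg, sig []byte, usePSS bool) bool {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(msg)
	if usePSS {
		return rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, pssOpts()) == nil
	}
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	s, err := newStandInSigner(2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message")
	sig, err := signMessage(s, msg, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("pss verifies as pss:", verifyMessage(s.Public(), msg, sig, true))
	fmt.Println("pss verifies as pkcs1v15:", verifyMessage(s.Public(), msg, sig, false))
	_, err = s.Sign(rand.Reader, make([]byte, 20), crypto.SHA256)
	fmt.Println("wrong digest length rejected:", err != nil)
}
```

The length check matters for a remote signer in particular: if the digest and the hash named in opts disagree, Vault would be asked to sign bytes that are not what the caller thinks they are, and the resulting signature would verify against nothing.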
type VaultTransitKey ¶
type VaultTransitKey struct {
	// transit backend mount
	MountPath string
	// transit Key Name
	Name string
	// 'key' type
	Type string
	// Version
	Version int
	// Min Version
	MinVersion int
	// Set sig version
	SigVersion int
	// List of public keys
	PublicKeys []*TransitPublicKey
	// contains filtered or unexported fields
}
func NewVaultTransitKey ¶
func (*VaultTransitKey) GetPublicKeyFromTransitResponse ¶
func (k *VaultTransitKey) GetPublicKeyFromTransitResponse(keyInfo *vault.Secret, version int) (crypto.PublicKey, error)
GetPublicKeyFromTransitResponse returns the public key for the given key version, parsed from keyInfo, the response of the transit key read API.
func (*VaultTransitKey) SetSigKeyVersion ¶
func (k *VaultTransitKey) SetSigKeyVersion(v int)
func (*VaultTransitKey) Sign ¶
func (k *VaultTransitKey) Sign(inputBytes []byte, apiSigAlg string, apiHashAlg string, marshallingAlg string, prehashed bool) (string, error)
Sign signs the byte payload and returns the "signature" field of the transit sign API response. When prehashed is true, inputBytes must already be the digest of the message (computed with apiHashAlg) rather than the message itself.
func (*VaultTransitKey) SyncKeyInfo ¶
func (k *VaultTransitKey) SyncKeyInfo() error
SyncKeyInfo reads the transit key info from Vault.
func (*VaultTransitKey) Verify ¶
func (k *VaultTransitKey) Verify(inputBytes []byte, signature string, apiSigAlg string, apiHashAlg string, marshallingAlg string, prehashed bool) (bool, error)
Verify checks the signature against the byte payload; signature is passed without the "vault:v1" version prefix. As with Sign, when prehashed is true inputBytes must already be the digest of the message.
It returns true if the signature is valid for the byte payload.
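An added, offline example (not this package's code) of the plumbing behind GetPublicKeyFromTransitResponse and Verify: pulling a versioned public key out of a transit read-key response, splitting the "vault:v<N>:" prefix off a sign response, and verifying while honouring the key's min version so that a signature made with a rotated-out key version is refused. The response map is constructed inside the example rather than fetched from Vault; the assumed layout of data["keys"] follows the transit read-key API, and every function name is the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// publicKeyFromTransitData does the work of GetPublicKeyFromTransitResponse on the
// bare Data map of a read-key response. Assumed layout (transit GET keys/:name):
// data["keys"] maps a version string to {"public_key": <PEM PKIX key>} for the
// rsa-* and ecdsa-* key types; ed25519 and symmetric types are not handled.
func publicKeyFromTransitData(data map[string]interface{}, version int) (crypto.PublicKey, error) {
	keys, _ := data["keys"].(map[string]interface{}) // nil map indexes safely
	entry, ok := keys[strconv.Itoa(version)].(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("key version %d not present in transit response", version)
	}
	pemStr, _ := entry["public_key"].(string) // absent for symmetric key types
	block, _ := pem.Decode([]byte(pemStr))
	if block == nil {
		return nil, fmt.Errorf("key version %d has no PEM public_key", version)
	}
	return x509.ParsePKIXPublicKey(block.Bytes)
}

// splitTransitSignature parses "vault:v<N>:<base64>" into version N and raw bytes.
func splitTransitSignature(sig string) (int, []byte, error) {
	parts := strings.SplitN(sig, ":", 3)
	if len(parts) != 3 || parts[0] != "vault" || !strings.HasPrefix(parts[1], "v") {
		return 0, nil, fmt.Errorf("unexpected transit signature format %q", sig)
	}
	v, err := strconv.Atoi(strings.TrimPrefix(parts[1], "v"))
	if err != nil || v < 1 {
		return 0, nil, fmt.Errorf("bad key version in %q", sig)
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return 0, nil, err
	}
	return v, raw, nil
}

// verifyTransitSignature checks a SHA-256 PKCS #1 v1.5 signature offline: the
// version in the signature selects the key, versions below minVersion are refused.
func verifyTransitSignature(data map[string]interface{}, minVersion int, msg []byte, sig string) (bool, error) {
	v, raw, err := splitTransitSignature(sig)
	if err != nil {
		return false, err
	}
	if v < minVersion {
		return false, fmt.Errorf("signature uses key version %d, below min version %d", v, minVersion)
	}
	pub, err := publicKeyFromTransitData(data, v)
	if err != nil {
		return false, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("this example verifies RSA keys only")
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], raw) == nil, nil
}

// constructedTransitResponse fabricates a two-version read-key response (no
// Vault involved) and returns the private keys so the example can sign too.
func constructedTransitResponse() (map[string]interface{}, map[int]*rsa.PrivateKey, error) {
	keys := map[string]interface{}{}
	privs := map[int]*rsa.PrivateKey{}
	for v := 1; v <= 2; v++ {
		priv, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, err
		}
		der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
		pemStr := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
		keys[strconv.Itoa(v)] = map[string]interface{}{"public_key": pemStr}
		privs[v] = priv
	}
	return map[string]interface{}{"type": "rsa-2048", "keys": keys}, privs, nil
}

// signLikeTransit formats a local signature the way the sign endpoint does.
func signLikeTransit(priv *rsa.PrivateKey, version int, msg []byte) (string, error) {
	digest := sha256.Sum256(msg)
	raw, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("vault:v%d:%s", version, base64.StdEncoding.EncodeToString(raw)), nil
}
```

Verifying locally from the published public keys, instead of round-tripping every check through the transit verify endpoint, is what makes the PublicKeys list on VaultTransitKey useful; the min-version check is the part that is easy to forget when doing so, because an old key version still verifies mathematically after it has been rotated out.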