ehsm

package module
v0.0.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 5, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source
const (
	AlgorithmEHRSA4096 = "EH_RSA_4096"
	AlgorithmEHRSA3072 = "EH_RSA_3072"
	AlgorithmEHRSA2048 = "EH_RSA_2048"
	AlgorithmEHECP256  = "EH_EC_P256"
	AlgorithmEHECP224  = "EH_EC_P224"
	AlgorithmEHECP384  = "EH_EC_P384"
	AlgorithmEHECP521  = "EH_EC_P521"
	AlgorithmEMSM2     = "EH_SM2"
)

Taken from https://www.vaultproject.io/api/secret/transit nolint:revive

View Source
const (

	// ReferenceScheme schemes for various KMS services are copied from https://github.com/google/go-cloud/tree/master/secrets
	ReferenceScheme = "ehsm://"
)

Variables

This section is empty.

Functions

func ValidReference

func ValidReference(ref string) error

ValidReference returns a non-nil error if the reference string is invalid

Types

type SignerVerifier

type SignerVerifier struct {
	// contains filtered or unexported fields
}

SignerVerifier creates and verifies digital signatures over a message using EHSM KMS service

func LoadSignerVerifier

func LoadSignerVerifier(referenceStr string, hashFunc crypto.Hash, opts ...signature.RPCOption) (*SignerVerifier, error)

LoadSignerVerifier generates signatures using the specified key object in Vault and hash algorithm.

It also can verify signatures (via a remote vall to the Vault instance). hashFunc should be set to crypto.Hash(0) if the key referred to by referenceStr is an ED25519 signing key.

func (SignerVerifier) CreateKey

func (h SignerVerifier) CreateKey(_ context.Context, algorithm string) (crypto.PublicKey, error)

CreateKey attempts to create a new key in Vault with the specified algorithm.

func (*SignerVerifier) CryptoSigner

func (h *SignerVerifier) CryptoSigner(ctx context.Context, errFunc func(error)) (crypto.Signer, crypto.SignerOpts, error)

CryptoSigner returns a crypto.Signer object that uses the underlying SignerVerifier, along with a crypto.SignerOpts object that allows the KMS to be used in APIs that only accept the standard golang objects

func (*SignerVerifier) DefaultAlgorithm

func (*SignerVerifier) DefaultAlgorithm() string

DefaultAlgorithm returns the default algorithm for the EHSM service

func (SignerVerifier) PublicKey

PublicKey returns the public key that can be used to verify signatures created by this signer. All options provided in arguments to this method are ignored.

func (SignerVerifier) SignMessage

func (h SignerVerifier) SignMessage(message io.Reader, opts ...signature.SignOption) ([]byte, error)

SignMessage signs the provided message using HashiCorp Vault KMS. If the message is provided, this method will compute the digest according to the hash function specified when the HashivaultSigner was created.

SignMessage recognizes the following Options listed in order of preference:

- WithDigest()

All other options are ignored if specified.

func (*SignerVerifier) SupportedAlgorithms

func (*SignerVerifier) SupportedAlgorithms() []string

SupportedAlgorithms returns the list of algorithms supported by the EHSM service

func (SignerVerifier) VerifySignature

func (h SignerVerifier) VerifySignature(sig, message io.Reader, opts ...signature.VerifyOption) error

VerifySignature verifies the signature for the given message. Unless provided in an option, the digest of the message will be computed using the hash function specified when the SignerVerifier was created.

This function returns nil if the verification succeeded, and an error message otherwise.

This function recognizes the following Options listed in order of preference:

- WithDigest()

- WithCryptoSignerOpts()

All other options are ignored if specified.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL