kms

package
v0.0.0-...-49daac4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 24, 2024 License: MIT Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// MinIterations defines minimum allowed PBKDF2 iterations
	MinIterations = 100_000

	// MaxUsernameLen defines maximum username length in bytes
	MaxUsernameLen = 255
)
View Source 
const (
	AUTH_SALT = "openk4auth"
)

Variables

View Source 
var (
	// Common key operation errors
	ErrKeyRevoked   = errors.New("key has been revoked")
	ErrNilEncrypter = errors.New("encrypter cannot be nil")
	ErrNilDecrypter = errors.New("decrypter cannot be nil")

	// DEK specific errors
	ErrInvalidDEK = errors.New("invalid DEK")
	ErrEmptyKey   = errors.New("key data is empty")
)
View Source 
var (
	// ErrUsernameEmpty indicates an empty username was provided
	ErrUsernameEmpty = errors.New("username cannot be empty")

	// ErrUsernameLength indicates username exceeds maximum length
	ErrUsernameLength = errors.New("username exceeds maximum length")

	// ErrUsernameInvalid indicates username contains invalid characters
	ErrUsernameInvalid = errors.New("username contains invalid characters")

	// ErrIterationsInvalid indicates iteration count is below minimum
	ErrIterationsInvalid = errors.New("iterations below minimum value")
)
View Source 
var (
	// KeyPair specific errors
	ErrInvalidKeyPairID    = errors.New("invalid key pair ID")
	ErrDecrypterIDMismatch = errors.New("decrypter ID mismatch")
)
View Source 
var (
	ErrInvalidPassword = errors.New("invalid password")
	ErrInvalidUsername = errors.New("invalid username")
	ErrKeyNotDerived   = errors.New("master key not derived")
	ErrKeyAlreadySet   = errors.New("master key already set")
)
View Source 
var ErrNoValidEnvelope = errors.New("no valid envelope found for decrypter")

Functions

This section is empty.

Types

type DEK 

type DEK struct {
	ID        string
	Algorithm crypto.Algorithm
	Created   time.Time
	State     crypto.KeyState
	Envelopes map[string]*Envelope
}

func (*DEK) Unseal 

func (dek *DEK) Unseal(dec crypto.Decrypter) (*UnsealedDEK, error)

type Envelope 

type Envelope struct {
	ID          string
	DEKID       string
	Algorithm   crypto.Algorithm
	Key         *crypto.Ciphertext
	Created     time.Time
	State       crypto.KeyState
	EncrypterID string
}

type InitialDEK 

type InitialDEK struct {
	Algorithm crypto.Algorithm
	Created   time.Time
	State     crypto.KeyState
	Envelopes []*InitialEnvelope
}

type InitialEnvelope 

type InitialEnvelope struct {
	Algorithm   crypto.Algorithm
	Key         *crypto.Ciphertext
	Created     time.Time
	State       crypto.KeyState
	EncrypterID string
}

type InitialKeyDerivation 

type InitialKeyDerivation struct {
	Username   string
	Iterations int
}

InitialKeyDerivation represents parameters before storage

func NewKeyDerivation 

func NewKeyDerivation(username string, iterations int) (*InitialKeyDerivation, error)

NewKeyDerivation creates key derivation parameters

type InitialKeyPair 

type InitialKeyPair struct {
	Algorithm   crypto.Algorithm
	PublicKey   []byte             // X.509/SPKI format
	PrivateKey  *crypto.Ciphertext // Encrypted with protection key
	Created     time.Time
	State       crypto.KeyState
	EncrypterID string // ID of the encryption provider
}

InitialKeyPair represents a newly generated key pair before server storage

type KeyDerivation 

type KeyDerivation struct {
	ID         string
	Username   string
	Iterations int
	CreatedAt  time.Time
}

KeyDerivation represents parameters as stored in the backend

type KeyPair 

type KeyPair struct {
	ID          string
	Algorithm   crypto.Algorithm
	PublicKey   []byte
	PrivateKey  *crypto.Ciphertext
	Created     time.Time
	State       crypto.KeyState
	EncrypterID string // ID of the encryption provider
}

KeyPair represents a key pair as stored in the backend

func (*KeyPair) Unseal 

func (kp *KeyPair) Unseal(dec crypto.Decrypter) (*UnsealedKeyPair, error)

Unseal decrypts the private key using the provided decrypter

type MasterKey 

type MasterKey struct {
	// contains filtered or unexported fields
}

func NewMasterKey 

func NewMasterKey() *MasterKey

func (*MasterKey) Clear 

func (mk *MasterKey) Clear()

func (*MasterKey) Decrypt 

func (mk *MasterKey) Decrypt(ct *crypto.Ciphertext) ([]byte, error)

func (*MasterKey) Derive 

func (mk *MasterKey) Derive(password, username []byte) error

func (*MasterKey) Encrypt 

func (mk *MasterKey) Encrypt(plaintext []byte) (*crypto.Ciphertext, error)

func (*MasterKey) GetAuthKey 

func (mk *MasterKey) GetAuthKey() ([]byte, error)

func (*MasterKey) HasKey 

func (mk *MasterKey) HasKey() bool

func (*MasterKey) ID 

func (mk *MasterKey) ID() string

type UnsealedDEK 

type UnsealedDEK struct {
	// contains filtered or unexported fields
}

func GenerateDEK 

func GenerateDEK() (*UnsealedDEK, error)

func (*UnsealedDEK) Clear 

func (dek *UnsealedDEK) Clear()

func (*UnsealedDEK) CreateEnvelope 

func (dek *UnsealedDEK) CreateEnvelope(enc crypto.Encrypter) (*InitialEnvelope, error)

func (*UnsealedDEK) Decrypt 

func (dek *UnsealedDEK) Decrypt(ct *crypto.Ciphertext) ([]byte, error)

func (*UnsealedDEK) Encrypt 

func (dek *UnsealedDEK) Encrypt(data []byte) (*crypto.Ciphertext, error)

func (*UnsealedDEK) ID 

func (dek *UnsealedDEK) ID() string

func (*UnsealedDEK) Seal 

func (dek *UnsealedDEK) Seal(enc crypto.Encrypter) (*InitialDEK, error)

type UnsealedKeyPair 

type UnsealedKeyPair struct {
	// contains filtered or unexported fields
}

UnsealedKeyPair represents an active key pair with access to private key operations

func GenerateKeyPair 

func GenerateKeyPair() (*UnsealedKeyPair, error)

GenerateKeyPair creates a new RSA key pair

func (*UnsealedKeyPair) Clear 

func (kp *UnsealedKeyPair) Clear()

Clear wipes the private key material from memory

func (*UnsealedKeyPair) Decrypt 

func (kp *UnsealedKeyPair) Decrypt(ct *crypto.Ciphertext) ([]byte, error)

Decrypt performs RSA-OAEP decryption of data using the private key

func (*UnsealedKeyPair) Encrypt 

func (kp *UnsealedKeyPair) Encrypt(data []byte) (*crypto.Ciphertext, error)

Encrypt implements the Encrypter interface for public key operations

func (*UnsealedKeyPair) ID 

func (kp *UnsealedKeyPair) ID() string

ID implements the Encrypter interface by returning a stable provider ID

func (*UnsealedKeyPair) InitialSeal 

func (kp *UnsealedKeyPair) InitialSeal(enc crypto.Encrypter) (*InitialKeyPair, error)

InitialSeal creates an InitialKeyPair by encrypting the private key using the provided encrypter

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.