Overview ¶
Package keystore implements Acra Keystore version 2: master-key loading from the environment, the default Secure Cell + HMAC-SHA-256 crypto suite, key access for AcraServer and AcraTranslator, import of keystore v1 keys, and encrypted backup/restore of keys.
Index ¶
- Constants
- Variables
- func DescribeKeyRings(keyRings []string, keyStore api.KeyStore) ([]keystore.KeyDescription, error)
- func DescribeRotatedKeyRings(keyRings []string, keyStore api.KeyStore) ([]keystore.KeyDescription, error)
- func GetMasterKeysFromEnvironment() ([]byte, []byte, error)
- func GetMasterKeysFromEnvironmentVariable(varname string) ([]byte, []byte, error)
- func NewSCellSuite(encryptionKey, signatureKey []byte) (*crypto.KeyStoreSuite, error)
- func NewSerializedMasterKeys() ([]byte, error)
- type KeyBackuper
- type KeyFileImportV1
- type SerializedKeys
- type ServerKeyStore
- func (s *ServerKeyStore) CacheOnStart() error
- func (s *ServerKeyStore) DescribeKeyRing(path string) (*keystore.KeyDescription, error)
- func (s *ServerKeyStore) DescribeRotatedKeyRing(path string) ([]keystore.KeyDescription, error)
- func (s *ServerKeyStore) DestroyClientIDEncryptionKeyPair(clientID []byte) error
- func (s *ServerKeyStore) DestroyClientIDSymmetricKey(clientID []byte) error
- func (s *ServerKeyStore) DestroyHmacSecretKey(clientID []byte) error
- func (s *ServerKeyStore) DestroyPoisonKeyPair() error
- func (s *ServerKeyStore) DestroyPoisonSymmetricKey() error
- func (s *ServerKeyStore) DestroyRotatedClientIDEncryptionKeyPair(clientID []byte, index int) error
- func (s *ServerKeyStore) DestroyRotatedClientIDSymmetricKey(clientID []byte, index int) error
- func (s *ServerKeyStore) DestroyRotatedHmacSecretKey(clientID []byte, index int) error
- func (s *ServerKeyStore) DestroyRotatedPoisonKeyPair(index int) error
- func (s *ServerKeyStore) DestroyRotatedPoisonSymmetricKey(index int) error
- func (s *ServerKeyStore) GenerateClientIDSymmetricKey(clientID []byte) error
- func (s *ServerKeyStore) GenerateDataEncryptionKeys(clientID []byte) error
- func (s *ServerKeyStore) GenerateHmacKey(clientID []byte) error
- func (s *ServerKeyStore) GenerateLogKey() error
- func (s *ServerKeyStore) GeneratePoisonKeyPair() error
- func (s *ServerKeyStore) GeneratePoisonSymmetricKey() error
- func (s *ServerKeyStore) GetClientIDEncryptionPublicKey(clientID []byte) (*keys.PublicKey, error)
- func (s *ServerKeyStore) GetClientIDSymmetricKey(clientID []byte) ([]byte, error)
- func (s *ServerKeyStore) GetClientIDSymmetricKeys(clientID []byte) ([][]byte, error)
- func (s *ServerKeyStore) GetHMACSecretKey(clientID []byte) ([]byte, error)
- func (s *ServerKeyStore) GetLogSecretKey() ([]byte, error)
- func (s *ServerKeyStore) GetPoisonKeyPair() (*keys.Keypair, error)
- func (s *ServerKeyStore) GetPoisonPrivateKeys() ([]*keys.PrivateKey, error)
- func (s *ServerKeyStore) GetPoisonSymmetricKey() ([]byte, error)
- func (s *ServerKeyStore) GetPoisonSymmetricKeys() ([][]byte, error)
- func (s *ServerKeyStore) GetServerDecryptionPrivateKey(clientID []byte) (*keys.PrivateKey, error)
- func (s *ServerKeyStore) GetServerDecryptionPrivateKeys(clientID []byte) ([]*keys.PrivateKey, error)
- func (s *ServerKeyStore) ImportKeyFileV1(oldKeyStore filesystemV1.KeyExport, key filesystemV1.ExportedKey) error
- func (s *ServerKeyStore) ListKeys() ([]keystore.KeyDescription, error)
- func (s *ServerKeyStore) ListRotatedKeys() ([]keystore.KeyDescription, error)
- func (s *ServerKeyStore) Reset()
- func (s *ServerKeyStore) SaveDataEncryptionKeys(clientID []byte, keypair *keys.Keypair) error
- type TranslatorKeyStore
Constants ¶
const (
	// PurposePoisonRecord identifies the poison record (asymmetric) key ring.
	PurposePoisonRecord = "poison record key"
	// PurposeStorageClient identifies a client's storage key pair ring.
	PurposeStorageClient = "client storage key"
	// PurposeAuditLog identifies the audit log signature key.
	PurposeAuditLog = "audit log signature key"
	// PurposePoisonSym identifies the poison record symmetric key ring.
	PurposePoisonSym = "poison record symmetric key"
	// PurposeStorageClientSym identifies a client's storage symmetric key ring.
	PurposeStorageClientSym = "client storage symmetric key"
	// PurposeSearchHMAC identifies the HMAC key used for encrypted search tokens.
	PurposeSearchHMAC = "encrypted search HMAC key"
)
Key purpose constants.
Variables ¶
var (
	// ErrEqualMasterKeys is produced by master key validation when the
	// encryption master key and the signature master key are identical.
	// The keystore uses one key for Secure Cell encryption and the other for
	// HMAC signing (see NewSCellSuite); reusing the same key material for
	// both roles is rejected.
	ErrEqualMasterKeys = errors.New("encryption and signature master keys are equal")
)
ErrEqualMasterKeys is produced by master key validation: the encryption and signature master keys must be distinct, so that the key that encrypts keystore contents is never reused as the HMAC signing key.
// ErrInvalidIndex is returned when the value given for the --index flag is
// not a valid index (presumably the rotated-key index accepted by the
// DestroyRotated* methods — confirm against the callers).
var ErrInvalidIndex = errors.New("invalid index value provided")
ErrInvalidIndex is returned when the value supplied for the --index flag (the index of a rotated key) is invalid.
var (
	// ErrUnknownPurpose is returned by key import when the purpose of the
	// key being imported is not recognized (presumably not one of the
	// Purpose* constants of this package).
	ErrUnknownPurpose = errors.New("unknown key purpose")
)
ErrUnknownPurpose is returned by key import when the imported key's purpose is not recognized.
var (
	// ErrUnrecognizedKeyPurpose is returned when describing keys whose
	// purpose path is not recognized.
	ErrUnrecognizedKeyPurpose = errors.New("key purpose not recognized")
)
ErrUnrecognizedKeyPurpose is returned when describing keys whose purpose path is not recognized.
Functions ¶
func DescribeKeyRings ¶
DescribeKeyRings describes multiple key rings by their purpose paths.
func DescribeRotatedKeyRings ¶
func DescribeRotatedKeyRings(keyRings []string, keyStore api.KeyStore) ([]keystore.KeyDescription, error)
DescribeRotatedKeyRings describes multiple key rings by their purpose paths.
func GetMasterKeysFromEnvironment ¶
GetMasterKeysFromEnvironment reads the master keys from the default environment variable. It returns the encryption key, the signature key and an error, in that order. Note that a process environment can be exposed to other processes running as the same user and to process-inspection or crash-dump tooling, so deployments must restrict who can inspect the Acra process and avoid logging its environment.
func GetMasterKeysFromEnvironmentVariable ¶
GetMasterKeysFromEnvironmentVariable reads the master keys from the environment variable named varname. It returns the encryption key, the signature key and an error, in that order. The same exposure caveat applies as for GetMasterKeysFromEnvironment: the process environment is not a confidential channel on a shared host.
func NewSCellSuite ¶
func NewSCellSuite(encryptionKey, signatureKey []byte) (*crypto.KeyStoreSuite, error)
NewSCellSuite creates the default cryptography suite for the keystore: stored keys are encrypted with Themis Secure Cell in Seal mode under encryptionKey, and the keystore contents are authenticated with HMAC-SHA-256 under signatureKey. The two keys serve different roles and must be distinct (see ErrEqualMasterKeys).
func NewSerializedMasterKeys ¶
NewSerializedMasterKeys generates a fresh set of master keys and returns them already serialized into bytes. The result is raw secret key material and must be stored and transported accordingly.
Types ¶
type KeyBackuper ¶
// KeyBackuper implements keystore.Exporter and keystore.Importer for
// keystore v2: it exports keys encrypted for backup and imports them back.
type KeyBackuper struct {
	// contains filtered or unexported fields
}
KeyBackuper implements the keystore.Exporter and keystore.Importer interfaces for keystore v2.
func NewKeyBackuper ¶
func NewKeyBackuper(privateFolder, publicFolder string, storage api.BackupKeystore) (*KeyBackuper, error)
NewKeyBackuper creates, initializes and returns a new KeyBackuper over the given private and public key folders and backup storage.
func (*KeyBackuper) Export ¶
func (store *KeyBackuper) Export(exportIDs []keystoreV1.ExportID, mode keystoreV1.ExportMode) (*keystoreV1.KeysBackup, error)
Export exports the keys selected by exportIDs, according to mode, from the keystore, encrypted with a newly generated key for backup. That backup key must be protected as carefully as the master keys: anyone holding both it and the backup can recover the exported keys.
func (*KeyBackuper) Import ¶
func (store *KeyBackuper) Import(backup *keystoreV1.KeysBackup) ([]keystoreV1.KeyDescription, error)
Import restores the keys held in backup (as produced by Export) into the current keystore and returns a description of each imported key.
type KeyFileImportV1 ¶
// KeyFileImportV1 defines how filesystem keystore v1 keys are imported.
type KeyFileImportV1 interface {
	// ImportKeyFileV1 imports one key exported from the v1 filesystem
	// keystore (oldKeyStore) into the implementing keystore.
	ImportKeyFileV1(oldKeyStore filesystemV1.KeyExport, key filesystemV1.ExportedKey) error
}
KeyFileImportV1 defines how filesystem keystore v1 keys are imported.
type SerializedKeys ¶
// SerializedKeys is the serialized form of the master keys.
// Both fields hold raw key material, so the marshaled form is a secret and
// must be handled with the same care as the master keys themselves.
type SerializedKeys struct {
	// Encryption is the master key under which keystore contents are encrypted.
	Encryption []byte `json:"encryption"`
	// Signature is the master key under which keystore contents are signed.
	Signature []byte `json:"signature"`
}
SerializedKeys is the serialized form of master keys.
func NewMasterKeys ¶
func NewMasterKeys() (*SerializedKeys, error)
NewMasterKeys generates a new set of master keys.
func (*SerializedKeys) Marshal ¶
func (k *SerializedKeys) Marshal() ([]byte, error)
Marshal serializes the master keys into a byte buffer. The output contains raw key material and must be treated as secret.
func (*SerializedKeys) Unmarshal ¶
func (k *SerializedKeys) Unmarshal(buffer []byte) error
Unmarshal deserializes master keys from a byte buffer in the form produced by Marshal.
type ServerKeyStore ¶
// ServerKeyStore provides full access to Acra Keystore.
// It is intended for AcraServer components and uses server transport keys.
type ServerKeyStore struct {
	api.MutableKeyStore
	// contains filtered or unexported fields
}
ServerKeyStore provides full access to Acra Keystore.
It is intended to be used by AcraServer components and uses server transport keys.
func NewServerKeyStore ¶
func NewServerKeyStore(keyStore api.MutableKeyStore) *ServerKeyStore
NewServerKeyStore configures keystore for AcraServer.
func (*ServerKeyStore) CacheOnStart ¶
func (s *ServerKeyStore) CacheOnStart() error
CacheOnStart is a no-op: keystore v2 does not support key caching, so there is nothing to preload.
func (*ServerKeyStore) DescribeKeyRing ¶
func (s *ServerKeyStore) DescribeKeyRing(path string) (*keystore.KeyDescription, error)
DescribeKeyRing describes key ring by its purpose path.
func (*ServerKeyStore) DescribeRotatedKeyRing ¶
func (s *ServerKeyStore) DescribeRotatedKeyRing(path string) ([]keystore.KeyDescription, error)
DescribeRotatedKeyRing describes key ring by its purpose path.
func (*ServerKeyStore) DestroyClientIDEncryptionKeyPair ¶
func (s *ServerKeyStore) DestroyClientIDEncryptionKeyPair(clientID []byte) error
DestroyClientIDEncryptionKeyPair destroys the storage key pair ring of the given client. This is irreversible: data encrypted to the destroyed keys can no longer be decrypted.
func (*ServerKeyStore) DestroyClientIDSymmetricKey ¶
func (s *ServerKeyStore) DestroyClientIDSymmetricKey(clientID []byte) error
DestroyClientIDSymmetricKey destroys the storage symmetric key ring of the given client. This is irreversible: data encrypted with the destroyed keys can no longer be decrypted.
func (*ServerKeyStore) DestroyHmacSecretKey ¶
func (s *ServerKeyStore) DestroyHmacSecretKey(clientID []byte) error
DestroyHmacSecretKey destroys the HMAC secret key ring of the given client. Search tokens computed with the destroyed keys can no longer be recomputed.
func (*ServerKeyStore) DestroyPoisonKeyPair ¶
func (s *ServerKeyStore) DestroyPoisonKeyPair() error
DestroyPoisonKeyPair destroys the poison record key pair ring.
func (*ServerKeyStore) DestroyPoisonSymmetricKey ¶
func (s *ServerKeyStore) DestroyPoisonSymmetricKey() error
DestroyPoisonSymmetricKey destroys the poison record symmetric key ring.
func (*ServerKeyStore) DestroyRotatedClientIDEncryptionKeyPair ¶
func (s *ServerKeyStore) DestroyRotatedClientIDEncryptionKeyPair(clientID []byte, index int) error
DestroyRotatedClientIDEncryptionKeyPair destroys the rotated (no longer current) storage key pair of the given client at the given index. An index that does not refer to a rotated key is presumably rejected with ErrInvalidIndex.
func (*ServerKeyStore) DestroyRotatedClientIDSymmetricKey ¶
func (s *ServerKeyStore) DestroyRotatedClientIDSymmetricKey(clientID []byte, index int) error
DestroyRotatedClientIDSymmetricKey destroys the rotated (no longer current) storage symmetric key of the given client at the given index.
func (*ServerKeyStore) DestroyRotatedHmacSecretKey ¶
func (s *ServerKeyStore) DestroyRotatedHmacSecretKey(clientID []byte, index int) error
DestroyRotatedHmacSecretKey destroys the rotated (no longer current) HMAC symmetric key of the given client at the given index.
func (*ServerKeyStore) DestroyRotatedPoisonKeyPair ¶
func (s *ServerKeyStore) DestroyRotatedPoisonKeyPair(index int) error
DestroyRotatedPoisonKeyPair destroys the rotated (no longer current) poison record key pair at the given index.
func (*ServerKeyStore) DestroyRotatedPoisonSymmetricKey ¶
func (s *ServerKeyStore) DestroyRotatedPoisonSymmetricKey(index int) error
DestroyRotatedPoisonSymmetricKey destroys the rotated (no longer current) poison record symmetric key at the given index.
func (*ServerKeyStore) GenerateClientIDSymmetricKey ¶
func (s *ServerKeyStore) GenerateClientIDSymmetricKey(clientID []byte) error
GenerateClientIDSymmetricKey generates new storage symmetric key used by given client.
func (*ServerKeyStore) GenerateDataEncryptionKeys ¶
func (s *ServerKeyStore) GenerateDataEncryptionKeys(clientID []byte) error
GenerateDataEncryptionKeys generates new storage keypair used by given client.
func (*ServerKeyStore) GenerateHmacKey ¶
func (s *ServerKeyStore) GenerateHmacKey(clientID []byte) error
GenerateHmacKey generates a new symmetric key for token HMAC (encrypted search) for the given client.
func (*ServerKeyStore) GenerateLogKey ¶
func (s *ServerKeyStore) GenerateLogKey() error
GenerateLogKey generates new audit log symmetric key.
func (*ServerKeyStore) GeneratePoisonKeyPair ¶
func (s *ServerKeyStore) GeneratePoisonKeyPair() error
GeneratePoisonKeyPair generates a new poison keypair and saves it in the storage. The previous keypair is rotated rather than destroyed, so poison records created under it remain detectable via GetPoisonPrivateKeys.
func (*ServerKeyStore) GeneratePoisonSymmetricKey ¶
func (s *ServerKeyStore) GeneratePoisonSymmetricKey() error
GeneratePoisonSymmetricKey generates new poison record symmetric key.
func (*ServerKeyStore) GetClientIDEncryptionPublicKey ¶
func (s *ServerKeyStore) GetClientIDEncryptionPublicKey(clientID []byte) (*keys.PublicKey, error)
GetClientIDEncryptionPublicKey retrieves public key used to encrypt data by given client.
func (*ServerKeyStore) GetClientIDSymmetricKey ¶
func (s *ServerKeyStore) GetClientIDSymmetricKey(clientID []byte) ([]byte, error)
GetClientIDSymmetricKey retrieves the latest symmetric key used to encrypt data of the given client.
func (*ServerKeyStore) GetClientIDSymmetricKeys ¶
func (s *ServerKeyStore) GetClientIDSymmetricKeys(clientID []byte) ([][]byte, error)
GetClientIDSymmetricKeys retrieves all symmetric keys used to decrypt data of the given client. The keys are returned from newest to oldest, so a caller that tries them in order handles data encrypted before a key rotation.
func (*ServerKeyStore) GetHMACSecretKey ¶
func (s *ServerKeyStore) GetHMACSecretKey(clientID []byte) ([]byte, error)
GetHMACSecretKey retrieves current symmetric key for token HMAC for given client.
func (*ServerKeyStore) GetLogSecretKey ¶
func (s *ServerKeyStore) GetLogSecretKey() ([]byte, error)
GetLogSecretKey retrieves audit log symmetric key.
func (*ServerKeyStore) GetPoisonKeyPair ¶
func (s *ServerKeyStore) GetPoisonKeyPair() (*keys.Keypair, error)
GetPoisonKeyPair retrieves current poison EC keypair. Returns ErrKeysNotFound if the keypair doesn't exist.
func (*ServerKeyStore) GetPoisonPrivateKeys ¶
func (s *ServerKeyStore) GetPoisonPrivateKeys() ([]*keys.PrivateKey, error)
GetPoisonPrivateKeys returns all private keys used to decrypt poison records, from newest to oldest. Returns ErrKeysNotFound if the keys don't exist.
func (*ServerKeyStore) GetPoisonSymmetricKey ¶
func (s *ServerKeyStore) GetPoisonSymmetricKey() ([]byte, error)
GetPoisonSymmetricKey returns latest symmetric key for encryption of poison records with AcraBlock. Returns ErrKeysNotFound if the keys don't exist.
func (*ServerKeyStore) GetPoisonSymmetricKeys ¶
func (s *ServerKeyStore) GetPoisonSymmetricKeys() ([][]byte, error)
GetPoisonSymmetricKeys returns all symmetric keys used to decrypt poison records with AcraBlock, from newest to oldest. Returns ErrKeysNotFound if the keys don't exist.
func (*ServerKeyStore) GetServerDecryptionPrivateKey ¶
func (s *ServerKeyStore) GetServerDecryptionPrivateKey(clientID []byte) (*keys.PrivateKey, error)
GetServerDecryptionPrivateKey retrieves private key used to decrypt data by given client.
func (*ServerKeyStore) GetServerDecryptionPrivateKeys ¶
func (s *ServerKeyStore) GetServerDecryptionPrivateKeys(clientID []byte) ([]*keys.PrivateKey, error)
GetServerDecryptionPrivateKeys retrieves all private keys used to decrypt data of the given client. The keys are returned from newest to oldest, so data encrypted before a key rotation can still be decrypted with an older key.
func (*ServerKeyStore) ImportKeyFileV1 ¶
func (s *ServerKeyStore) ImportKeyFileV1(oldKeyStore filesystemV1.KeyExport, key filesystemV1.ExportedKey) error
ImportKeyFileV1 transfers a single key exported from a filesystem keystore version 1 into this keystore. Key import errors such as ErrUnknownPurpose are returned for keys whose purpose is not recognized.
func (*ServerKeyStore) ListKeys ¶
func (s *ServerKeyStore) ListKeys() ([]keystore.KeyDescription, error)
ListKeys enumerates keys present in the keystore.
func (*ServerKeyStore) ListRotatedKeys ¶
func (s *ServerKeyStore) ListRotatedKeys() ([]keystore.KeyDescription, error)
ListRotatedKeys enumerates rotated keys present in the keystore.
func (*ServerKeyStore) Reset ¶
func (s *ServerKeyStore) Reset()
Reset is a compatibility method that does nothing. In KeyStoreV1 this method is used to reset cache. KeyStoreV2 currently does not support key caching so there is nothing to reset.
func (*ServerKeyStore) SaveDataEncryptionKeys ¶
func (s *ServerKeyStore) SaveDataEncryptionKeys(clientID []byte, keypair *keys.Keypair) error
SaveDataEncryptionKeys overwrites the storage keypair of the given client with keypair. Unlike GeneratePoisonKeyPair, this is described as an overwrite rather than a rotation: if the previous keypair is not retained, data encrypted to its public key can no longer be decrypted, so confirm the rotation semantics before using this on a client that already has encrypted data.
type TranslatorKeyStore ¶
// TranslatorKeyStore provides access to Acra Keystore for AcraTranslator.
// It is the same as ServerKeyStore but uses AcraTranslator transport keys.
type TranslatorKeyStore struct {
	// ServerKeyStore is embedded; all key access methods are inherited from it.
	ServerKeyStore
}
TranslatorKeyStore provides access to Acra Keystore for AcraTranslator.
This is the same as ServerKeyStore, but with AcraTranslator transport keys.
func NewTranslatorKeyStore ¶
func NewTranslatorKeyStore(keyStore api.MutableKeyStore) *TranslatorKeyStore
NewTranslatorKeyStore configures the keystore for AcraTranslator.
Directories ¶
Path | Synopsis |
---|---|
Package api describes API of Acra Keystore version 2.
|
Package api describes API of Acra Keystore version 2. |
tests
Package tests provides conformity test suite for KeyStore API.
|
Package tests provides conformity test suite for KeyStore API. |
Package asn1 contains descriptions of ASN.1 data structures used by Keystore.
|
Package asn1 contains descriptions of ASN.1 data structures used by Keystore. |
Package crypto provides implementations of cryptographic algorithms used by KeyStore.
|
Package crypto provides implementations of cryptographic algorithms used by KeyStore. |
Package filesystem provides a common filesystem-based implementation of KeyStore.
|
Package filesystem provides a common filesystem-based implementation of KeyStore. |
backend
Package backend provides a common filesystem Backend interface for filesystem.KeyStore as well as some basic implementations of it.
|
Package backend provides a common filesystem Backend interface for filesystem.KeyStore as well as some basic implementations of it. |
backend/api
Package api defines abstract backend interface.
|
Package api defines abstract backend interface. |
backend/api/tests
Package tests provides conformity test suite for KeyStore Backend API.
|
Package tests provides conformity test suite for KeyStore Backend API. |
Package signature implements generation and verification of signatures used by KeyStore to authenticate stored key data.
|
Package signature implements generation and verification of signatures used by KeyStore to authenticate stored key data. |