Documentation ¶
Overview ¶
Package awskms implements a crypto.Signer (and a crypto.Decrypter) that uses AWS's KMS service.
For example, to create a suitable key: `aws kms create-key --customer-master-key-spec RSA_2048 --key-usage SIGN_VERIFY` (for a Signer) or `aws kms create-key --customer-master-key-spec RSA_2048 --key-usage ENCRYPT_DECRYPT` (for a Decrypter).
Constants ¶
const (
	// EncryptionAlgorithmOaepSha256 = RSAES_OAEP_SHA_256 (https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html#KMS-Decrypt-request-EncryptionAlgorithm)
	EncryptionAlgorithmOaepSha256 = kms.AlgorithmSpecRsaesOaepSha256
	// EncryptionAlgorithmOaepSha1 = RSAES_OAEP_SHA_1 (https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html#KMS-Decrypt-request-EncryptionAlgorithm)
	EncryptionAlgorithmOaepSha1 = kms.AlgorithmSpecRsaesOaepSha1
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Decrypter ¶
type Decrypter struct {
// contains filtered or unexported fields
}
Decrypter implements a crypto.Decrypter that uses an RSA key stored in AWS KMS. It should be initialized via NewDecrypter.
func NewDecrypter ¶
NewDecrypter will configure a new decrypter using the given KMS client, bound to the given key.
type DecrypterOpts ¶
type DecrypterOpts struct {
	// EncryptionAlgorithm indicates the encryption algorithm that was used.
	// If not set, defaults to EncryptionAlgorithmOaepSha256
	EncryptionAlgorithm EncryptionAlgorithm
}
DecrypterOpts implements crypto.DecrypterOpts for this Decrypter.
type EncryptionAlgorithm ¶
type EncryptionAlgorithm string
EncryptionAlgorithm names the KMS encryption algorithm used for a ciphertext; the accepted values are listed at https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html#KMS-Decrypt-request-EncryptionAlgorithm
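The Decrypter, DecrypterOpts and EncryptionAlgorithm entries above describe a crypto.Decrypter whose RSA private key never leaves KMS: the caller hands over a ciphertext and an algorithm name, and KMS returns the plaintext. The following is an added example and not the awskms package's own code. It mirrors those three types over a hypothetical decryptingKMS interface, with a constructed single-key in-memory fake (memKMS) standing in for the AWS client so the code runs offline on the standard library alone. The key id, the decryptingKMS and memKMS names and the RoundTrip helper are assumptions of this example; the two algorithm strings are the KMS API values the page's constants name. RoundTrip also exercises the failure mode a practitioner hits most often: a ciphertext produced with one OAEP hash and decrypted under the other.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // registers SHA-1 so crypto.SHA1.New works
	_ "crypto/sha256"
	"fmt"
	"io"
)

// EncryptionAlgorithm and its two values mirror the page's type and constants,
// spelled as the KMS Decrypt API spells them.
type EncryptionAlgorithm string

const (
	EncryptionAlgorithmOaepSha256 EncryptionAlgorithm = "RSAES_OAEP_SHA_256"
	EncryptionAlgorithmOaepSha1   EncryptionAlgorithm = "RSAES_OAEP_SHA_1"
)

// oaepHash is the OAEP (and MGF1) hash each KMS algorithm name denotes.
var oaepHash = map[EncryptionAlgorithm]crypto.Hash{
	EncryptionAlgorithmOaepSha256: crypto.SHA256,
	EncryptionAlgorithmOaepSha1:   crypto.SHA1,
}

// decryptingKMS is a hypothetical stand-in for the KMS client the page's
// Decrypter wraps: ciphertext goes in, plaintext comes out, the key stays put.
type decryptingKMS interface {
	PublicKey(keyID string) (*rsa.PublicKey, error)
	Decrypt(keyID string, ciphertext []byte, alg EncryptionAlgorithm) ([]byte, error)
}

// memKMS is a constructed single-key, in-memory KMS so the example runs offline.
type memKMS struct{ priv *rsa.PrivateKey }

func (m memKMS) PublicKey(string) (*rsa.PublicKey, error) { return &m.priv.PublicKey, nil }

func (m memKMS) Decrypt(_ string, ct []byte, alg EncryptionAlgorithm) ([]byte, error) {
	h, ok := oaepHash[alg]
	if !ok {
		return nil, fmt.Errorf("kms: unsupported EncryptionAlgorithm %q", alg)
	}
	return rsa.DecryptOAEP(h.New(), rand.Reader, m.priv, ct, nil)
}

// Decrypter and DecrypterOpts mirror the page's types; an empty
// EncryptionAlgorithm means EncryptionAlgorithmOaepSha256, as on the page.
type Decrypter struct {
	client decryptingKMS
	keyID  string
	pub    *rsa.PublicKey
}

type DecrypterOpts struct{ EncryptionAlgorithm EncryptionAlgorithm }

func NewDecrypter(c decryptingKMS, keyID string) (*Decrypter, error) {
	pub, err := c.PublicKey(keyID) // fetched once, at construction
	if err != nil {
		return nil, err
	}
	return &Decrypter{client: c, keyID: keyID, pub: pub}, nil
}

func (d *Decrypter) Public() crypto.PublicKey { return d.pub }

// Decrypt implements crypto.Decrypter; rand is unused because KMS does the work.
func (d *Decrypter) Decrypt(_ io.Reader, ct []byte, opts crypto.DecrypterOpts) ([]byte, error) {
	alg := EncryptionAlgorithmOaepSha256
	if o, ok := opts.(DecrypterOpts); ok && o.EncryptionAlgorithm != "" {
		alg = o.EncryptionAlgorithm
	}
	return d.client.Decrypt(d.keyID, ct, alg)
}

// RoundTrip encrypts msg to d's public key with the OAEP hash encryptWith names,
// then has d decrypt it under decryptWith; mismatched hashes must fail.
func RoundTrip(d *Decrypter, msg []byte, encryptWith, decryptWith EncryptionAlgorithm) ([]byte, error) {
	h, ok := oaepHash[encryptWith]
	if !ok {
		return nil, fmt.Errorf("unsupported EncryptionAlgorithm %q", encryptWith)
	}
	ct, err := rsa.EncryptOAEP(h.New(), rand.Reader, d.Public().(*rsa.PublicKey), msg, nil)
	if err != nil {
		return nil, err
	}
	return d.Decrypt(nil, ct, DecrypterOpts{EncryptionAlgorithm: decryptWith})
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the fake's key; real keys stay in KMS
	if err != nil {
		panic(err)
	}
	d, err := NewDecrypter(memKMS{priv}, "alias/example-decrypt-key") // hypothetical key id
	if err != nil {
		panic(err)
	}
	pt, err := RoundTrip(d, []byte("constructed secret"), EncryptionAlgorithmOaepSha256, "")
	fmt.Printf("default opts: %q, err=%v\n", pt, err)
}
```

The design point worth copying from the page's API is that the algorithm travels in the DecrypterOpts rather than being inferred from the ciphertext: OAEP ciphertexts carry no hash identifier, so the decrypting side has to be told, and a wrong choice surfaces only as a generic decryption error.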
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
Signer is a crypto.Signer that uses an AWS KMS-backed key. It should be initialized via NewSigner.
func NewSigner ¶
NewSigner will configure a new Signer using the given KMS client, bound to the given key.
func (*Signer) Sign ¶
func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
Sign signs digest with the private key. By default, for an RSA key a PKCS#1 v1.5 signature, and for an EC key a DER-serialised, ASN.1 signature structure will be returned. If the passed options are a *rsa.PSSOptions, the RSA key will return a PSS signature.
A hash is required in opts and must correspond to a hash the KMS service supports.
rand is unused.
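The Sign contract above has three parts a caller can get wrong: the random source is ignored, opts must name a hash that KMS accepts, and the signature scheme is chosen by the dynamic type of opts (*rsa.PSSOptions for PSS, anything else for PKCS#1 v1.5). The following is an added example and not the awskms package's own code. It mirrors the page's Signer over a hypothetical signingKMS interface with a constructed single-key in-memory fake (memKMS) in place of the AWS client, so it runs offline on the standard library alone; the key id, the signingKMS and memKMS names, the SignAndVerify helper and the set of accepted hashes are assumptions of this example. SignAndVerify verifies each signature with nothing but the public key, which is the only key material a relying party ever sees.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// signingKMS is a hypothetical stand-in for the KMS client the page's Signer
// wraps. Only a digest goes in and a signature comes out; the private key never
// crosses this boundary, which is the property a KMS-backed signer exists for.
type signingKMS interface {
	PublicKey(keyID string) (*rsa.PublicKey, error)
	Sign(keyID string, digest []byte, h crypto.Hash, pss bool) ([]byte, error)
}

// memKMS is a constructed single-key, in-memory KMS so the example runs offline.
type memKMS struct{ priv *rsa.PrivateKey }

func (m memKMS) PublicKey(string) (*rsa.PublicKey, error) { return &m.priv.PublicKey, nil }

func (m memKMS) Sign(_ string, digest []byte, h crypto.Hash, pss bool) ([]byte, error) {
	if pss { // KMS RSASSA_PSS_* uses a salt as long as the hash output
		return rsa.SignPSS(rand.Reader, m.priv, h, digest, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	}
	return rsa.SignPKCS1v15(rand.Reader, m.priv, h, digest)
}

// Signer mirrors the page's Signer: a crypto.Signer bound to one remote key,
// with the public key fetched once at construction rather than on every call.
type Signer struct {
	client signingKMS
	keyID  string
	pub    *rsa.PublicKey
}

func NewSigner(c signingKMS, keyID string) (*Signer, error) {
	pub, err := c.PublicKey(keyID)
	if err != nil {
		return nil, err
	}
	return &Signer{client: c, keyID: keyID, pub: pub}, nil
}

func (s *Signer) Public() crypto.PublicKey { return s.pub }

// Sign keeps the page's contract: rand is ignored, a KMS-supported hash is
// required, and *rsa.PSSOptions switches from PKCS#1 v1.5 to PSS.
func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() == 0 {
		return nil, errors.New("awskms: opts must name the hash used to make digest")
	}
	h := opts.HashFunc()
	if h != crypto.SHA256 && h != crypto.SHA384 && h != crypto.SHA512 {
		return nil, fmt.Errorf("awskms: KMS does not sign %v digests", h)
	}
	if len(digest) != h.Size() {
		return nil, fmt.Errorf("awskms: digest is %d bytes, %v produces %d", len(digest), h, h.Size())
	}
	_, pss := opts.(*rsa.PSSOptions)
	return s.client.Sign(s.keyID, digest, h, pss)
}

// SignAndVerify hashes msg, signs it in the mode pss selects, and verifies the
// result with the public key alone, the way a relying party would.
func SignAndVerify(s *Signer, msg []byte, pss bool) error {
	digest := sha256.Sum256(msg)
	var opts crypto.SignerOpts = crypto.SHA256
	if pss {
		opts = &rsa.PSSOptions{Hash: crypto.SHA256}
	}
	sig, err := s.Sign(nil, digest[:], opts)
	if err != nil {
		return err
	}
	pub := s.Public().(*rsa.PublicKey)
	if pss {
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the fake's key; real keys stay in KMS
	if err != nil {
		panic(err)
	}
	s, err := NewSigner(memKMS{priv}, "alias/example-signing-key") // hypothetical key id
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed payload")
	fmt.Println("PKCS#1 v1.5:", SignAndVerify(s, msg, false))
	fmt.Println("PSS:", SignAndVerify(s, msg, true))
}
```

Because Sign receives a digest rather than a message, it cannot check that the caller hashed with the algorithm named in opts; the length check is the only local sanity test available, and the remote service rejects the rest. That is why the page insists the hash in opts must match what KMS supports: the wrapper has no way to recover from a mismatch itself.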