Documentation
¶
Index ¶
- Variables
- func IsPKCS11AuthenticationError(err error) bool
- type Config
- type P11
- func (p *P11) AuthenticatedDecrypt(ctx context.Context, request *istio.AuthenticatedDecryptRequest) (resp *istio.AuthenticatedDecryptResponse, err error)
- func (p *P11) AuthenticatedEncrypt(ctx context.Context, request *istio.AuthenticatedEncryptRequest) (resp *istio.AuthenticatedEncryptResponse, err error)
- func (p *P11) Close() (err error)
- func (p *P11) Decrypt(ctx context.Context, req *k8s.DecryptRequest) (resp *k8s.DecryptResponse, err error)
- func (p *P11) Encrypt(ctx context.Context, req *k8s.EncryptRequest) (resp *k8s.EncryptResponse, err error)
- func (p *P11) GenerateDEK(ctx context.Context, request *istio.GenerateDEKRequest) (resp *istio.GenerateDEKResponse, err error)
- func (p *P11) GenerateKEK(ctx context.Context, request *istio.GenerateKEKRequest) (resp *istio.GenerateKEKResponse, err error)
- func (p *P11) GenerateSKey(ctx context.Context, request *istio.GenerateSKeyRequest) (resp *istio.GenerateSKeyResponse, err error)
- func (p *P11) ImportCACert(ctx context.Context, request *istio.ImportCACertRequest) (resp *istio.ImportCACertResponse, err error)
- func (p *P11) LoadSKey(ctx context.Context, request *istio.LoadSKeyRequest) (resp *istio.LoadSKeyResponse, err error)
- func (s *P11) UnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, ...) (resp interface{}, err error)
- func (p *P11) VerifyCertChain(ctx context.Context, request *istio.VerifyCertChainRequest) (resp *istio.VerifyCertChainResponse, err error)
- func (p *P11) Version(ctx context.Context, request *kms.VersionRequest) (versionResponse *kms.VersionResponse, err error)
- type Provider
Constants ¶
This section is empty.
Variables ¶
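// Sentinel errors exported by this package. The listing had both specs
// collapsed onto one line with no separator, which does not parse as Go;
// they are restored here one per line. Compare against them with errors.Is
// rather than matching on the message text.
var (
	// ErrNoSuchKey carries the message "no such key".
	// NOTE(review): presumably returned when a requested key cannot be
	// found; the call sites are not shown on this page.
	ErrNoSuchKey = errors.New("no such key")

	// ErrNoSuchCert carries the message "no such cert".
	// NOTE(review): presumably returned when a requested certificate cannot
	// be found; the call sites are not shown on this page.
	ErrNoSuchCert = errors.New("no such cert")
)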
Functions ¶
func IsPKCS11AuthenticationError ¶
IsPKCS11AuthenticationError returns true if further attempts to log in will risk causing the device to be locked. Callers should treat a true result as a signal to stop retrying the login.
Types ¶
type P11 ¶
// P11 is the receiver type for the key-management methods listed on this
// page (Encrypt/Decrypt, AuthenticatedEncrypt/AuthenticatedDecrypt,
// GenerateKEK/GenerateDEK/GenerateSKey, LoadSKey, ImportCACert,
// VerifyCertChain, Version, UnaryInterceptor and Close).
// NOTE(review): its method set looks like it is meant to satisfy Provider;
// confirm against the package source, since the fields and constructor are
// not visible here.
type P11 struct {
// contains filtered or unexported fields
}
func (*P11) AuthenticatedDecrypt ¶
func (p *P11) AuthenticatedDecrypt(ctx context.Context, request *istio.AuthenticatedDecryptRequest) (resp *istio.AuthenticatedDecryptResponse, err error)
func (*P11) AuthenticatedEncrypt ¶
func (p *P11) AuthenticatedEncrypt(ctx context.Context, request *istio.AuthenticatedEncryptRequest) (resp *istio.AuthenticatedEncryptResponse, err error)
func (*P11) Decrypt ¶
func (p *P11) Decrypt(ctx context.Context, req *k8s.DecryptRequest) (resp *k8s.DecryptResponse, err error)
Decrypt performs symmetric decryption.
func (*P11) Encrypt ¶
func (p *P11) Encrypt(ctx context.Context, req *k8s.EncryptRequest) (resp *k8s.EncryptResponse, err error)
func (*P11) GenerateDEK ¶
func (p *P11) GenerateDEK(ctx context.Context, request *istio.GenerateDEKRequest) (resp *istio.GenerateDEKResponse, err error)
GenerateDEK generates a 256-bit AES data encryption key (DEK), wrapped via JWE with the PKCS#11 base KEK.
func (*P11) GenerateKEK ¶
func (p *P11) GenerateKEK(ctx context.Context, request *istio.GenerateKEKRequest) (resp *istio.GenerateKEKResponse, err error)
GenerateKEK generates a 256-bit AES key encryption key (KEK) that resides in the PKCS#11 device.
func (*P11) GenerateSKey ¶
func (p *P11) GenerateSKey(ctx context.Context, request *istio.GenerateSKeyRequest) (resp *istio.GenerateSKeyResponse, err error)
GenerateSKey generates a 4096-bit RSA key with the DEK that is protected by the KEK, for later unwrapping by the remote client in its pod/container.
func (*P11) ImportCACert ¶
func (p *P11) ImportCACert(ctx context.Context, request *istio.ImportCACertRequest) (resp *istio.ImportCACertResponse, err error)
ImportCACert inserts the Root CA cert chain
func (*P11) LoadSKey ¶
func (p *P11) LoadSKey(ctx context.Context, request *istio.LoadSKeyRequest) (resp *istio.LoadSKeyResponse, err error)
LoadSKey unwraps the supplied sKey with the Wrapped sKey
func (*P11) UnaryInterceptor ¶
func (s *P11) UnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error)
func (*P11) VerifyCertChain ¶
func (p *P11) VerifyCertChain(ctx context.Context, request *istio.VerifyCertChainRequest) (resp *istio.VerifyCertChainResponse, err error)
VerifyCertChain verifies a provided cert-chain (currently self-contained)
func (*P11) Version ¶
func (p *P11) Version(ctx context.Context, request *kms.VersionRequest) (versionResponse *kms.VersionResponse, err error)
type Provider ¶
// Provider combines the k8s and istio KeyManagementServiceServer interfaces
// with a UnaryInterceptor method.
type Provider interface {
k8s.KeyManagementServiceServer
istio.KeyManagementServiceServer
// UnaryInterceptor takes the parameter list of a gRPC unary server
// interceptor (ctx, req, *grpc.UnaryServerInfo, grpc.UnaryHandler).
// NOTE(review): the original comment on this method is cut off after "Ad",
// and what the interceptor checks is not visible on this page. Confirm its
// behaviour in the source before relying on it for access control in front
// of the key operations.
UnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
}