github.com/blend/go-sdk@v1.20220411.3/vault/transit_opts.go (about) 1 /* 2 3 Copyright (c) 2022 - Present. Blend Labs, Inc. All rights reserved 4 Use of this source code is governed by a MIT license that can be found in the LICENSE file. 5 6 */ 7 8 package vault 9 10 import "github.com/blend/go-sdk/ex" 11 12 var validTKTypes = map[string]struct{}{ 13 TypeAES256GCM96: {}, 14 TypeCHACHA20POLY1305: {}, 15 TypeED25519: {}, 16 TypeECDSAP256: {}, 17 TypeRSA2048: {}, 18 TypeRSA4096: {}, 19 } 20 21 // CreateTransitKeyOption is an option type for transit key creation 22 type CreateTransitKeyOption func(tkc *CreateTransitKeyConfig) error 23 24 // UpdateTransitKeyOption is an option type for transit key creation 25 type UpdateTransitKeyOption func(tkc *UpdateTransitKeyConfig) error 26 27 // OptCreateTransitConfig is a creation option for when you have a pre-defined struct 28 func OptCreateTransitConfig(config CreateTransitKeyConfig) CreateTransitKeyOption { 29 return func(tkc *CreateTransitKeyConfig) error { 30 *tkc = config 31 return nil 32 } 33 } 34 35 // OptCreateTransitConvergent - If enabled, the key will support convergent encryption, where the same plaintext creates 36 // the same ciphertext. This also sets derived to true (which is required). When enabled, each encryption (or decryption 37 // or rewrap or datakey) operation will derive a nonce value rather than randomly generate it. 38 func OptCreateTransitConvergent() CreateTransitKeyOption { 39 return func(tkc *CreateTransitKeyConfig) error { 40 tkc.Convergent = true 41 tkc.Derived = true 42 return nil 43 } 44 } 45 46 // OptCreateTransitDerived - Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this 47 // named key must provide a context which is used for key derivation. 48 func OptCreateTransitDerived() CreateTransitKeyOption { 49 return func(tkc *CreateTransitKeyConfig) error { 50 tkc.Derived = true 51 return nil 52 } 53 } 54 55 // OptCreateTransitExportable - Enables keys to be exportable. This allows for all the valid keys in the key ring to be 56 // exported. Once set, this cannot be disabled. 57 func OptCreateTransitExportable() CreateTransitKeyOption { 58 return func(tkc *CreateTransitKeyConfig) error { 59 tkc.Exportable = true 60 return nil 61 } 62 } 63 64 // OptCreateTransitAllowPlaintextBackup - If set, enables taking backup of named key in the plaintext format. Once set, this 65 // cannot be disabled. 66 func OptCreateTransitAllowPlaintextBackup() CreateTransitKeyOption { 67 return func(tkc *CreateTransitKeyConfig) error { 68 tkc.AllowPlaintextBackup = true 69 return nil 70 } 71 } 72 73 // OptCreateTransitType - specifies the type of key to create. The default type is "aes256-gcm96": 74 // aes256-gcm96 – AES-256 wrapped with GCM using a 96-bit nonce size AEAD (symmetric, supports derivation and 75 // convergent encryption) 76 // chacha20-poly1305 – ChaCha20-Poly1305 AEAD (symmetric, supports derivation and convergent encryption) 77 // ed25519 – ED25519 (asymmetric, supports derivation). When using derivation, a sign operation with the same 78 // context will derive the same key and signature; this is a signing analog to convergent_encryption. 79 // ecdsa-p256 – ECDSA using the P-256 elliptic curve (asymmetric) 80 // rsa-2048 - RSA with bit size of 2048 (asymmetric) 81 // rsa-4096 - RSA with bit size of 4096 (asymmetric) 82 func OptCreateTransitType(keyType string) CreateTransitKeyOption { 83 return func(tkc *CreateTransitKeyConfig) error { 84 if _, ok := validTKTypes[keyType]; !ok { 85 return ex.New("invalid keyType") 86 } 87 tkc.Type = keyType 88 return nil 89 } 90 } 91 92 // OptUpdateTransitConfig is an update option for when you have a pre-defined struct 93 func OptUpdateTransitConfig(config UpdateTransitKeyConfig) UpdateTransitKeyOption { 94 return func(tku *UpdateTransitKeyConfig) error { 95 *tku = config 96 return nil 97 } 98 } 99 100 // OptUpdateTransitMinDecryptionVer - Specifies the minimum version of ciphertext allowed to be decrypted. Adjusting 101 // this as part of a key rotation policy can prevent old copies of ciphertext from being decrypted, should they fall into 102 // the wrong hands. For signatures, this value controls the minimum version of signature that can be verified 103 // against. For HMACs, this controls the minimum version of a key allowed to be used as the key for verification. 104 func OptUpdateTransitMinDecryptionVer(minDecryptionVersion int) UpdateTransitKeyOption { 105 return func(tku *UpdateTransitKeyConfig) error { 106 tku.MinDecryptionVersion = minDecryptionVersion 107 return nil 108 } 109 } 110 111 // OptUpdateTransitMinEncryptionVer - Specifies the minimum version of the key that can be used to encrypt plaintext, 112 // sign payloads, or generate HMACs. Must be 0 (which will use the latest version) or a value greater or equal to 113 // min_decryption_version. 114 func OptUpdateTransitMinEncryptionVer(minEncryptionVersion int) UpdateTransitKeyOption { 115 return func(tku *UpdateTransitKeyConfig) error { 116 tku.MinEncryptionVersion = minEncryptionVersion 117 return nil 118 } 119 } 120 121 // OptUpdateTransitDeletionAllowed - Specifies if the key is allowed to be deleted. 122 func OptUpdateTransitDeletionAllowed(deletionAllowed bool) UpdateTransitKeyOption { 123 return func(tku *UpdateTransitKeyConfig) error { 124 tku.DeletionAllowed = &deletionAllowed 125 return nil 126 } 127 } 128 129 // OptUpdateTransitExportable - Enables keys to be exportable. This allows for all the valid keys in the key ring to be 130 // exported. Once set, this cannot be disabled. 131 func OptUpdateTransitExportable() UpdateTransitKeyOption { 132 return func(tku *UpdateTransitKeyConfig) error { 133 tku.Exportable = true 134 return nil 135 } 136 } 137 138 // OptUpdateTransitAllowPlaintextBackup - If set, enables taking backup of named key in the plaintext format. Once set, this 139 // cannot be disabled. 140 func OptUpdateTransitAllowPlaintextBackup() UpdateTransitKeyOption { 141 return func(tku *UpdateTransitKeyConfig) error { 142 tku.AllowPlaintextBackup = true 143 return nil 144 } 145 }