github.com/blend/go-sdk@v1.20240719.1/vault/transit_opts.go (about) 1 /* 2 3 Copyright (c) 2024 - Present. Blend Labs, Inc. All rights reserved 4 Use of this source code is governed by a MIT license that can be found in the LICENSE file. 5 6 */ 7 8 package vault 9 10 import "github.com/blend/go-sdk/ex" 11 12 var validTKTypes = map[string]struct{}{ 13 TypeAES256GCM96: {}, 14 TypeCHACHA20POLY1305: {}, 15 TypeED25519: {}, 16 TypeECDSAP256: {}, 17 TypeRSA2048: {}, 18 TypeRSA4096: {}, 19 } 20 21 // CreateTransitKeyOption is an option type for transit key creation 22 type CreateTransitKeyOption func(tkc *CreateTransitKeyConfig) error 23 24 // UpdateTransitKeyOption is an option type for transit key creation 25 type UpdateTransitKeyOption func(tkc *UpdateTransitKeyConfig) error 26 27 // OptCreateTransitConfig is a creation option for when you have a pre-defined struct 28 func OptCreateTransitConfig(config CreateTransitKeyConfig) CreateTransitKeyOption { 29 return func(tkc *CreateTransitKeyConfig) error { 30 *tkc = config 31 return nil 32 } 33 } 34 35 // OptCreateTransitConvergent - If enabled, the key will support convergent encryption, where the same plaintext creates 36 // the same ciphertext. This also sets derived to true (which is required). When enabled, each encryption (or decryption 37 // or rewrap or datakey) operation will derive a nonce value rather than randomly generate it. 38 func OptCreateTransitConvergent() CreateTransitKeyOption { 39 return func(tkc *CreateTransitKeyConfig) error { 40 tkc.Convergent = true 41 tkc.Derived = true 42 return nil 43 } 44 } 45 46 // OptCreateTransitDerived - Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this 47 // named key must provide a context which is used for key derivation. 48 func OptCreateTransitDerived() CreateTransitKeyOption { 49 return func(tkc *CreateTransitKeyConfig) error { 50 tkc.Derived = true 51 return nil 52 } 53 } 54 55 // OptCreateTransitExportable - Enables keys to be exportable. This allows for all the valid keys in the key ring to be 56 // exported. Once set, this cannot be disabled. 57 func OptCreateTransitExportable() CreateTransitKeyOption { 58 return func(tkc *CreateTransitKeyConfig) error { 59 tkc.Exportable = true 60 return nil 61 } 62 } 63 64 // OptCreateTransitAllowPlaintextBackup - If set, enables taking backup of named key in the plaintext format. Once set, this 65 // cannot be disabled. 66 func OptCreateTransitAllowPlaintextBackup() CreateTransitKeyOption { 67 return func(tkc *CreateTransitKeyConfig) error { 68 tkc.AllowPlaintextBackup = true 69 return nil 70 } 71 } 72 73 // OptCreateTransitType - specifies the type of key to create. The default type is "aes256-gcm96": 74 // 75 // aes256-gcm96 – AES-256 wrapped with GCM using a 96-bit nonce size AEAD (symmetric, supports derivation and 76 // convergent encryption) 77 // chacha20-poly1305 – ChaCha20-Poly1305 AEAD (symmetric, supports derivation and convergent encryption) 78 // ed25519 – ED25519 (asymmetric, supports derivation). When using derivation, a sign operation with the same 79 // context will derive the same key and signature; this is a signing analog to convergent_encryption. 80 // ecdsa-p256 – ECDSA using the P-256 elliptic curve (asymmetric) 81 // rsa-2048 - RSA with bit size of 2048 (asymmetric) 82 // rsa-4096 - RSA with bit size of 4096 (asymmetric) 83 func OptCreateTransitType(keyType string) CreateTransitKeyOption { 84 return func(tkc *CreateTransitKeyConfig) error { 85 if _, ok := validTKTypes[keyType]; !ok { 86 return ex.New("invalid keyType") 87 } 88 tkc.Type = keyType 89 return nil 90 } 91 } 92 93 // OptUpdateTransitConfig is an update option for when you have a pre-defined struct 94 func OptUpdateTransitConfig(config UpdateTransitKeyConfig) UpdateTransitKeyOption { 95 return func(tku *UpdateTransitKeyConfig) error { 96 *tku = config 97 return nil 98 } 99 } 100 101 // OptUpdateTransitMinDecryptionVer - Specifies the minimum version of ciphertext allowed to be decrypted. Adjusting 102 // this as part of a key rotation policy can prevent old copies of ciphertext from being decrypted, should they fall into 103 // the wrong hands. For signatures, this value controls the minimum version of signature that can be verified 104 // against. For HMACs, this controls the minimum version of a key allowed to be used as the key for verification. 105 func OptUpdateTransitMinDecryptionVer(minDecryptionVersion int) UpdateTransitKeyOption { 106 return func(tku *UpdateTransitKeyConfig) error { 107 tku.MinDecryptionVersion = minDecryptionVersion 108 return nil 109 } 110 } 111 112 // OptUpdateTransitMinEncryptionVer - Specifies the minimum version of the key that can be used to encrypt plaintext, 113 // sign payloads, or generate HMACs. Must be 0 (which will use the latest version) or a value greater or equal to 114 // min_decryption_version. 115 func OptUpdateTransitMinEncryptionVer(minEncryptionVersion int) UpdateTransitKeyOption { 116 return func(tku *UpdateTransitKeyConfig) error { 117 tku.MinEncryptionVersion = minEncryptionVersion 118 return nil 119 } 120 } 121 122 // OptUpdateTransitDeletionAllowed - Specifies if the key is allowed to be deleted. 123 func OptUpdateTransitDeletionAllowed(deletionAllowed bool) UpdateTransitKeyOption { 124 return func(tku *UpdateTransitKeyConfig) error { 125 tku.DeletionAllowed = &deletionAllowed 126 return nil 127 } 128 } 129 130 // OptUpdateTransitExportable - Enables keys to be exportable. This allows for all the valid keys in the key ring to be 131 // exported. Once set, this cannot be disabled. 132 func OptUpdateTransitExportable() UpdateTransitKeyOption { 133 return func(tku *UpdateTransitKeyConfig) error { 134 tku.Exportable = true 135 return nil 136 } 137 } 138 139 // OptUpdateTransitAllowPlaintextBackup - If set, enables taking backup of named key in the plaintext format. Once set, this 140 // cannot be disabled. 141 func OptUpdateTransitAllowPlaintextBackup() UpdateTransitKeyOption { 142 return func(tku *UpdateTransitKeyConfig) error { 143 tku.AllowPlaintextBackup = true 144 return nil 145 } 146 }