
     1  /*
     2  Copyright SecureKey Technologies Inc. All Rights Reserved.
     3  SPDX-License-Identifier: Apache-2.0
     4  */
     5  
     6  // Package local provides a local secret lock service. The user must create a master key and store it
     7  // in a local file or an environment variable prior to using this service.
     8  //
     9  // The user has the option to encrypt the master key using hkdf.NewMasterLock(passphrase, hash func(), salt)
    10  // found in the sub package masterlock/hkdf. There's also the option of using pbkdf2.NewMasterLock() instead of hkdf
    11  // which is located under masterlock/pbkdf2.
    12  //
    13  // This lock service uses the NIST-approved AES-GCM 256-bit encryption as per NIST SP 800-38D.
    14  //
    15  // The user can then call either:
    16  //
    17  //	MasterKeyFromPath(path) or
    18  //	MasterKeyFromEnv(envPrefix, keyURI)
    19  //
    20  // to get an io.Reader instance needed to read the master key and create a keys Lock service.
    21  //
    22  // The content of the master key reader may be either raw bytes or base64URL encoded (by masterlock if protected or
    23  // manually if not). Base64URL encoding is useful when setting a master key in an environment variable as some OSs may
    24  // reject setting env variables with binary data as value. The service will attempt to base64URL decode the content of
    25  // reader first and if it fails, will try to create the service with the raw (binary) content.
    26  //
    27  // To get the lock service, call:
    28  //
    29  //	NewService(reader, secLock)
    30  //
    31  // where reader is the instance returned from one of the MasterKeyFrom..() functions mentioned above
    32  // and secLock is the master key lock used to encrypt/decrypt the master key. If secLock is nil,
    33  // the master key content in reader is used as-is without being decrypted. The keys, however, are always
    34  // encrypted using the read master key.
    35  package local
    36  
    37  import (
    38  	"io"
    39  
    40  	"github.com/hyperledger/aries-framework-go/component/kmscrypto/secretlock/local"
    41  	"github.com/hyperledger/aries-framework-go/pkg/secretlock"
    42  )
    43  
// Lock is a secret lock service responsible for encrypting keys using a master key.
//
// Lock is an alias for local.Lock from the
// github.com/hyperledger/aries-framework-go/component/kmscrypto/secretlock/local package;
// the implementation lives there, and this package only re-exports it.
type Lock = local.Lock
    46  
// NewService creates a new instance of local secret lock service using a master key in masterKeyReader.
// If the masterKey is not protected (secLock=nil) this function will attempt to base64 URL Decode the
// content of masterKeyReader and if it fails, then will attempt to create a secret lock cipher with the raw key as is.
//
// The call is delegated to the component/kmscrypto/secretlock/local implementation and its
// (service, error) result is returned unchanged. Note that with secLock=nil the master key is
// consumed as-is, without being decrypted, so whatever backs masterKeyReader (file or environment
// variable) holds the raw key material.
func NewService(masterKeyReader io.Reader, secLock secretlock.Service) (secretlock.Service, error) {
	// Pass-through: no additional validation happens at this layer.
	svc, err := local.NewService(masterKeyReader, secLock)

	return svc, err
}