-
Notifications
You must be signed in to change notification settings - Fork 23
/
base_objects.go
472 lines (428 loc) · 19.6 KB
/
base_objects.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
package kmip
import (
"math/big"
"github.com/gemalto/kmip-go/kmip14"
"github.com/gemalto/kmip-go/ttlv"
)
// 2.1 Base Objects
//
// These objects are used within the messages of the protocol, but are not objects managed by the key
// management system. They are components of Managed Objects.
// Attribute 2.1.1 Table 2
//
// An Attribute object is a structure (see Table 2) used for sending and receiving Managed Object attributes.
// The Attribute Name is a text-string that is used to identify the attribute. The Attribute Index is an index
// number assigned by the key management server. The Attribute Index is used to identify the particular instance.
// Attribute Indices SHALL start with 0. The Attribute Index of an attribute SHALL NOT change when other instances
// are added or deleted. Single-instance Attributes (attributes which an object MAY only have at most one instance
// thereof) SHALL have an Attribute Index of 0. The Attribute Value is either a primitive data type or structured
// object, depending on the attribute.
//
// When an Attribute structure is used to specify or return a particular instance of an Attribute and the Attribute
// Index is not specified it SHALL be assumed to be 0.
type Attribute struct {
// AttributeName should contain the canonical name of a tag, e.g. "Cryptographic Algorithm"
AttributeName string
// AttributeIndex is typically 0 when clients use this struct to create objects or add attributes. Clients
// only need to set this if modifying or deleting an existing attribute.
AttributeIndex int `ttlv:",omitempty"`
AttributeValue interface{}
}
func NewAttributeFromTag(tag ttlv.Tag, idx int, val interface{}) Attribute {
return Attribute{
AttributeName: tag.CanonicalName(),
AttributeIndex: idx,
AttributeValue: val,
}
}
// Credential 2.1.2 Table 3
//
// A Credential is a structure (see Table 3) used for client identification purposes and is not managed by the
// key management system (e.g., user id/password pairs, Kerberos tokens, etc.). It MAY be used for authentication
// purposes as indicated in [KMIP-Prof].
//
// TODO: add an unmarshal impl to Credential to handle decoding the right kind
// of credential based on the credential type value
type Credential struct {
CredentialType kmip14.CredentialType
CredentialValue interface{}
}
// UsernameAndPasswordCredentialValue 2.1.2 Table 4
//
// If the Credential Type in the Credential is Username and Password, then Credential Value is a
// structure as shown in Table 4. The Username field identifies the client, and the Password field
// is a secret that authenticates the client.
type UsernameAndPasswordCredentialValue struct {
Username string
Password string `ttlv:",omitempty"`
}
// DeviceCredentialValue 2.1.2 Table 5
//
// If the Credential Type in the Credential is Device, then Credential Value is a structure as shown in
// Table 5. One or a combination of the Device Serial Number, Network Identifier, Machine Identifier,
// and Media Identifier SHALL be unique. Server implementations MAY enforce policies on uniqueness for
// individual fields. A shared secret or password MAY also be used to authenticate the client.
// The client SHALL provide at least one field.
type DeviceCredentialValue struct {
DeviceSerialNumber string `ttlv:",omitempty"`
Password string `ttlv:",omitempty"`
DeviceIdentifier string `ttlv:",omitempty"`
NetworkIdentifier string `ttlv:",omitempty"`
MachineIdentifier string `ttlv:",omitempty"`
MediaIdentifier string `ttlv:",omitempty"`
}
// AttestationCredentialValue 2.1.2 Table 6
//
// If the Credential Type in the Credential is Attestation, then Credential Value is a structure
// as shown in Table 6. The Nonce Value is obtained from the key management server in a Nonce Object.
// The Attestation Credential Object can contain a measurement from the client or an assertion from a
// third party if the server is not capable or willing to verify the attestation data from the client.
// Neither type of attestation data (Attestation Measurement or Attestation Assertion) is necessary to
// allow the server to accept either. However, the client SHALL provide attestation data in either the
// Attestation Measurement or Attestation Assertion fields.
type AttestationCredentialValue struct {
Nonce Nonce
AttestationType kmip14.AttestationType
AttestationMeasurement []byte `ttlv:",omitempty"`
AttestationAssertion []byte `ttlv:",omitempty"`
}
// KeyBlock 2.1.3 Table 7
//
// A Key Block object is a structure (see Table 7) used to encapsulate all of the information that is
// closely associated with a cryptographic key. It contains a Key Value of one of the following Key Format Types:
//
// - Raw – This is a key that contains only cryptographic key material, encoded as a string of bytes.
// - Opaque – This is an encoded key for which the encoding is unknown to the key management system.
// It is encoded as a string of bytes.
// - PKCS1 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#1 object.
// - PKCS8 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#8 object, supporting both
// the RSAPrivateKey syntax and EncryptedPrivateKey.
// - X.509 – This is an encoded object, expressed as a DER-encoded ASN.1 X.509 object.
// - ECPrivateKey – This is an ASN.1 encoded elliptic curve private key.
// - Several Transparent Key types – These are algorithm-specific structures containing defined values
// for the various key types, as defined in Section 2.1.7.
// - Extensions – These are vendor-specific extensions to allow for proprietary or legacy key formats.
//
// The Key Block MAY contain the Key Compression Type, which indicates the format of the elliptic curve public
// key. By default, the public key is uncompressed.
//
// The Key Block also has the Cryptographic Algorithm and the Cryptographic Length of the key contained
// in the Key Value field. Some example values are:
//
// - RSA keys are typically 1024, 2048 or 3072 bits in length.
// - 3DES keys are typically from 112 to 192 bits (depending upon key length and the presence of parity bits).
// - AES keys are 128, 192 or 256 bits in length.
//
// The Key Block SHALL contain a Key Wrapping Data structure if the key in the Key Value field is
// wrapped (i.e., encrypted, or MACed/signed, or both).
type KeyBlock struct {
KeyFormatType kmip14.KeyFormatType
KeyCompressionType kmip14.KeyCompressionType `ttlv:",omitempty"`
KeyValue *KeyValue `ttlv:",omitempty"`
CryptographicAlgorithm kmip14.CryptographicAlgorithm `ttlv:",omitempty"`
CryptographicLength int `ttlv:",omitempty"`
KeyWrappingData *KeyWrappingData
}
// KeyValue 2.1.4 Table 8
//
// The Key Value is used only inside a Key Block and is either a Byte String or a structure (see Table 8):
//
// - The Key Value structure contains the key material, either as a byte string or as a Transparent Key
// structure (see Section 2.1.7), and OPTIONAL attribute information that is associated and encapsulated
// with the key material. This attribute information differs from the attributes associated with Managed
// Objects, and is obtained via the Get Attributes operation, only by the fact that it is encapsulated with
// (and possibly wrapped with) the key material itself.
// - The Key Value Byte String is either the wrapped TTLV-encoded (see Section 9.1) Key Value structure, or
// the wrapped un-encoded value of the Byte String Key Material field.
//
// TODO: Unmarshaler impl which unmarshals correct KeyMaterial type.
type KeyValue struct {
// KeyMaterial should be []byte, one of the Transparent*Key structs, or a custom struct if KeyFormatType is
// an extension.
KeyMaterial interface{}
Attribute []Attribute
}
// KeyWrappingData 2.1.5 Table 9
//
// The Key Block MAY also supply OPTIONAL information about a cryptographic key wrapping mechanism used
// to wrap the Key Value. This consists of a Key Wrapping Data structure (see Table 9). It is only used
// inside a Key Block.
//
// This structure contains fields for:
//
// - A Wrapping Method, which indicates the method used to wrap the Key Value.
// - Encryption Key Information, which contains the Unique Identifier (see 3.1) value of the encryption key
// and associated cryptographic parameters.
// - MAC/Signature Key Information, which contains the Unique Identifier value of the MAC/signature key
// and associated cryptographic parameters.
// - A MAC/Signature, which contains a MAC or signature of the Key Value.
// - An IV/Counter/Nonce, if REQUIRED by the wrapping method.
// - An Encoding Option, specifying the encoding of the Key Material within the Key Value structure of the
// Key Block that has been wrapped. If No Encoding is specified, then the Key Value structure SHALL NOT contain
// any attributes.
//
// If wrapping is used, then the whole Key Value structure is wrapped unless otherwise specified by the
// Wrapping Method. The algorithms used for wrapping are given by the Cryptographic Algorithm attributes of
// the encryption key and/or MAC/signature key; the block-cipher mode, padding method, and hashing algorithm used
// for wrapping are given by the Cryptographic Parameters in the Encryption Key Information and/or MAC/Signature
// Key Information, or, if not present, from the Cryptographic Parameters attribute of the respective key(s).
// Either the Encryption Key Information or the MAC/Signature Key Information (or both) in the Key Wrapping Data
// structure SHALL be specified.
//
// The following wrapping methods are currently defined:
//
// - Encrypt only (i.e., encryption using a symmetric key or public key, or authenticated encryption algorithms that use a single key).
// - MAC/sign only (i.e., either MACing the Key Value with a symmetric key, or signing the Key Value with a private key).
// - Encrypt then MAC/sign.
// - MAC/sign then encrypt.
// - TR-31.
// - Extensions.
//
// The following encoding options are currently defined:
//
// - No Encoding (i.e., the wrapped un-encoded value of the Byte String Key Material field in the Key Value structure).
// - TTLV Encoding (i.e., the wrapped TTLV-encoded Key Value structure).
type KeyWrappingData struct {
WrappingMethod kmip14.WrappingMethod
EncryptionKeyInformation *EncryptionKeyInformation
MACSignatureKeyInformation *MACSignatureKeyInformation
MACSignature []byte
IVCounterNonce []byte
EncodingOption kmip14.EncodingOption `ttlv:",omitempty" default:"TTLVEncoding"`
}
// EncryptionKeyInformation 2.1.5 Table 10
type EncryptionKeyInformation struct {
UniqueIdentifier string
CryptographicParameters *CryptographicParameters
}
// MACSignatureKeyInformation 2.1.5 Table 11
type MACSignatureKeyInformation struct {
UniqueIdentifier string
CryptographicParameters *CryptographicParameters
}
// TransparentSymmetricKey 2.1.7.1 Table 14
//
// If the Key Format Type in the Key Block is Transparent Symmetric Key, then Key Material is a
// structure as shown in Table 14.
type TransparentSymmetricKey struct {
Key []byte `validate:"required"`
}
// TransparentDSAPrivateKey 2.1.7.2 Table 15
//
// If the Key Format Type in the Key Block is Transparent DSA Private Key, then Key Material is a structure as
// shown in Table 15.
type TransparentDSAPrivateKey struct {
// TODO: should these be pointers? big package deals entirely with pointers, but these are not optional values.
P *big.Int `validate:"required"`
Q *big.Int `validate:"required"`
G *big.Int `validate:"required"`
X *big.Int `validate:"required"`
}
// TransparentDSAPublicKey 2.1.7.3 Table 16
//
// If the Key Format Type in the Key Block is Transparent DSA Public Key, then Key Material is a structure as
// shown in Table 16.
type TransparentDSAPublicKey struct {
P *big.Int `validate:"required"`
Q *big.Int `validate:"required"`
G *big.Int `validate:"required"`
Y *big.Int `validate:"required"`
}
// TransparentRSAPrivateKey 2.1.7.4 Table 17
//
// If the Key Format Type in the Key Block is Transparent RSA Private Key, then Key Material is a structure
// as shown in Table 17.
//
// One of the following SHALL be present (refer to [PKCS#1]):
//
// - Private Exponent,
// - P and Q (the first two prime factors of Modulus), or
// - Prime Exponent P and Prime Exponent Q.
type TransparentRSAPrivateKey struct {
Modulus *big.Int `validate:"required"`
PrivateExponent, PublicExponent *big.Int
P, Q *big.Int
PrimeExponentP, PrimeExponentQ *big.Int
CRTCoefficient *big.Int
}
// TransparentRSAPublicKey 2.1.7.5 Table 18
//
// If the Key Format Type in the Key Block is Transparent RSA Public Key, then Key Material is a structure
// as shown in Table 18.
type TransparentRSAPublicKey struct {
Modulus *big.Int `validate:"required"`
PublicExponent *big.Int `validate:"required"`
}
// TransparentDHPrivateKey 2.1.7.6 Table 19
//
// If the Key Format Type in the Key Block is Transparent DH Private Key, then Key Material is a structure as shown
// in Table 19.
type TransparentDHPrivateKey struct {
P *big.Int `validate:"required"`
Q *big.Int
G *big.Int `validate:"required"`
J *big.Int
X *big.Int `validate:"required"`
}
// TransparentDHPublicKey 2.1.7.7 Table 20
//
// If the Key Format Type in the Key Block is Transparent DH Public Key, then Key Material is a structure as
// shown in Table 20.
//
// P, G, and Y are required.
type TransparentDHPublicKey struct {
P *big.Int `validate:"required"`
Q *big.Int
G *big.Int `validate:"required"`
J *big.Int
Y *big.Int `validate:"required"`
}
// TransparentECDSAPrivateKey 2.1.7.8 Table 21
//
// The Transparent ECDSA Private Key structure is deprecated as of version 1.3 of this
// specification and MAY be removed from subsequent versions of the specification. The
// Transparent EC Private Key structure SHOULD be used as a replacement.
//
// If the Key Format Type in the Key Block is Transparent ECDSA Private Key, then Key Material is a
// structure as shown in Table 21.
type TransparentECDSAPrivateKey struct {
RecommendedCurve kmip14.RecommendedCurve
D *big.Int `validate:"required"`
}
// TransparentECDSAPublicKey 2.1.7.9 Table 22
//
// The Transparent ECDSA Public Key structure is deprecated as of version 1.3 of this specification and
// MAY be removed from subsequent versions of the specification. The Transparent EC Public Key structure
// SHOULD be used as a replacement.
//
// If the Key Format Type in the Key Block is Transparent ECDSA Public Key, then Key Material is a
// structure as shown in Table 22.
type TransparentECDSAPublicKey struct {
RecommendedCurve kmip14.RecommendedCurve
QString []byte `validate:"required"`
}
// TransparentECDHPrivateKey 2.1.7.10 Table 23
//
// The Transparent ECDH Private Key structure is deprecated as of version 1.3 of this specification and
// MAY be removed from subsequent versions of the specification. The Transparent EC Private Key structure
// SHOULD be used as a replacement.
//
// If the Key Format Type in the Key Block is Transparent ECDH Private Key, then Key Material is a structure
// as shown in Table 23.
type TransparentECDHPrivateKey TransparentECPrivateKey
// TransparentECDHPublicKey 2.1.7.11 Table 24
//
// The Transparent ECDH Public Key structure is deprecated as of version 1.3 of this specification and MAY
// be removed from subsequent versions of the specification. The Transparent EC Public Key structure SHOULD
// be used as a replacement.
//
// If the Key Format Type in the Key Block is Transparent ECDH Public Key, then Key Material is a structure as
// shown in Table 24.
type TransparentECDHPublicKey TransparentECPublicKey
// TransparentECMQVPrivateKey 2.1.7.12 Table 25
//
// The Transparent ECMQV Private Key structure is deprecated as of version 1.3 of this specification and MAY
// be removed from subsequent versions of the specification. The Transparent EC Private Key structure SHOULD
// be used as a replacement.
//
// If the Key Format Type in the Key Block is Transparent ECMQV Private Key, then Key Material is a structure
// as shown in Table 25.
type TransparentECMQVPrivateKey TransparentECPrivateKey
// TransparentECMQVPublicKey 2.1.7.13 Table 26
//
// The Transparent ECMQV Public Key structure is deprecated as of version 1.3 of this specification and MAY be
// removed from subsequent versions of the specification. The Transparent EC Public Key structure SHOULD be used as
// a replacement.
//
// If the Key Format Type in the Key Block is Transparent ECMQV Public Key, then Key Material is a structure as shown
// in Table 26.
type TransparentECMQVPublicKey TransparentECPublicKey
// TransparentECPrivateKey 2.1.7.14 Table 27
//
// If the Key Format Type in the Key Block is Transparent EC Private Key, then Key Material is a structure as shown
// in Table 27.
type TransparentECPrivateKey struct {
RecommendedCurve kmip14.RecommendedCurve
D *big.Int `validate:"required"`
}
// TransparentECPublicKey 2.1.7.15 Table 28
//
// If the Key Format Type in the Key Block is Transparent EC Public Key, then Key Material is a structure as
// shown in Table 28.
type TransparentECPublicKey struct {
RecommendedCurve kmip14.RecommendedCurve
QString []byte `validate:"required"`
}
// TemplateAttribute 2.1.8 Table 29
//
// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from
// subsequent versions of the specification. Individual Attributes SHOULD be used in operations which currently
// support use of a Name within a Template-Attribute to reference a Template.
//
// These structures are used in various operations to provide the desired attribute values and/or template
// names in the request and to return the actual attribute values in the response.
//
// The Template-Attribute, Common Template-Attribute, Private Key Template-Attribute, and Public Key
// Template-Attribute structures are defined identically as follows:
//
// type TemplateAttribute struct {
// Attribute []Attribute
// }
type TemplateAttribute struct {
Name []Name
Attribute []Attribute
}
// Get returns a reference to the first Attribute in the list matching the name.
// Returns nil if not found.
func (t *TemplateAttribute) Get(s string) *Attribute {
if t == nil {
return nil
}
for i := range t.Attribute {
if t.Attribute[i].AttributeName == s {
return &t.Attribute[i]
}
}
return nil
}
// GetIdx returns a reference to the Attribute in the list matching the name and index.
// Returns nil if not found.
func (t *TemplateAttribute) GetIdx(s string, idx int) *Attribute {
if t == nil {
return nil
}
for i := range t.Attribute {
if t.Attribute[i].AttributeName == s && t.Attribute[i].AttributeIndex == idx {
return &t.Attribute[i]
}
}
return nil
}
// GetTag returns a reference to the first Attribute in the list matching the tag.
// Returns nil if not found.
func (t *TemplateAttribute) GetTag(tag ttlv.Tag) *Attribute {
return t.Get(tag.String())
}
// GetTagIdx returns a reference to the first Attribute in the list matching the tag and index.
// Returns nil if not found.
func (t *TemplateAttribute) GetTagIdx(tag ttlv.Tag, idx int) *Attribute {
return t.GetIdx(tag.String(), idx)
}
func (t *TemplateAttribute) GetAll(s string) []Attribute {
if t == nil {
return nil
}
var ret []Attribute
for i := range t.Attribute {
if t.Attribute[i].AttributeName == s {
ret = append(ret, t.Attribute[i])
}
}
return ret
}
func (t *TemplateAttribute) Append(tag ttlv.Tag, value interface{}) {
t.Attribute = append(t.Attribute, NewAttributeFromTag(tag, 0, value))
}
func (t *TemplateAttribute) GetAllTag(tag ttlv.Tag) []Attribute {
return t.GetAll(tag.String())
}