Allow associating an ID with a biscuit's root key
In order to accommodate biscuit issuers with multiple key pairs in use, whether concurrently or in an ongoing rotation cycle, biscuits can record and expose an identifier for the root private key used to sign their authority block. Allow issuers to associate such an identifier with the private key when creating a new biscuit. Introduce the option function "WithRootKeyID" to supply such an identifier at composition time, and the "(*Biscuit).RootKeyID" method to query this identifier later.
Showing
4 changed files
with
116 additions
and
31 deletions.
@@ -0,0 +1,51 @@ | ||
package biscuit | ||
|
||
import "io" | ||
|
||
type compositionOption interface { | ||
builderOption | ||
biscuitOption | ||
} | ||
|
||
type rngOption struct { | ||
io.Reader | ||
} | ||
|
||
func (o rngOption) applyToBuilder(b *builderOptions) { | ||
if r := o.Reader; r != nil { | ||
b.rng = o | ||
} | ||
} | ||
|
||
func (o rngOption) applyToBiscuit(b *biscuitOptions) error { | ||
if r := o.Reader; r != nil { | ||
b.rng = r | ||
} | ||
return nil | ||
} | ||
|
||
// WithRNG supplies a random number generator as a byte stream from which to read when generating | ||
// key pairs with which to sign blocks within biscuits. | ||
func WithRNG(r io.Reader) compositionOption { | ||
return rngOption{r} | ||
} | ||
|
||
type rootKeyIDOption uint32 | ||
|
||
func (o rootKeyIDOption) applyToBuilder(b *builderOptions) { | ||
id := uint32(o) | ||
b.rootKeyID = &id | ||
} | ||
|
||
func (o rootKeyIDOption) applyToBiscuit(b *biscuitOptions) error { | ||
id := uint32(o) | ||
b.rootKeyID = &id | ||
return nil | ||
} | ||
|
||
// WithRootKeyID specifies the identifier for the root key pair used to sign a biscuit's authority | ||
// block, allowing a consuming party to later select the corresponding public key to validate that | ||
// signature. | ||
func WithRootKeyID(id uint32) compositionOption { | ||
return rootKeyIDOption(id) | ||
} |
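Review bot: The WithRootKeyID doc comment at the end of the hunk presents the identifier as what a consumer uses to pick the verification key, but nothing here binds the ID to the key it names — it is a caller-supplied uint32 that applyToBuilder and applyToBiscuit store as-is — so a verifier must treat it as an untrusted lookup hint rather than as evidence of which key signed the block. I would extend the comment with: `// The identifier is an unauthenticated hint chosen by the issuer: a verifier should use it only to select a key it already trusts, reject unknown identifiers, and still verify the authority block's signature with the selected key.` Separately, rngOption.applyToBuilder stores the whole option value (`b.rng = o`) while applyToBiscuit stores the embedded reader (`b.rng = r`); both compile if b.rng is an io.Reader, but the builder variant wraps the reader in an extra layer, so `b.rng = r` would keep the two methods consistent. Whether the identifier is covered by the authority block's signature is not visible in this hunk, so that part of the caveat should be confirmed against the serialization code.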