
keystore

KeyStore holds unencrypted secrets on behalf of users in memory for a short time (of the order of an SSO session lifespan). User secrets can be opened with a password (used to decrypt the key, which is stored encrypted in a database), queried by presenting a suitable authentication token, and closed (wiped and forgotten).

The database can provide multiple versions of the encrypted key (to support multiple decryption passwords), in which case we'll try them all sequentially until one of them decrypts successfully with the provided password.
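The "try every stored version until one decrypts" loop above only works if a wrong password is detectable, which is why the stored key must be under an authenticated cipher: with a plain block or stream cipher every version would "decrypt" to something and the loop could not tell right from wrong. The following Go program is an added example, not the project's code; the README does not specify the on-disk format, so it assumes one (PBKDF2-HMAC-SHA256 to stretch the password, AES-256-GCM to seal the key) and writes PBKDF2 out by hand so that it needs nothing outside the standard library. `EncryptedKey`, `EncryptKey`, `DecryptAny`, `pbkdf2`, `aead` and `kdfIterations` are all names chosen here, and the salts and nonces in `main` are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedKey is one stored version of a user's key: PBKDF2-HMAC-SHA256 over Salt
// stretches the password and AES-256-GCM under the derived key seals the secret.
// (Assumed format for this example; the README does not define one.)
type EncryptedKey struct{ Salt, Nonce, Ciphertext []byte }

const kdfIterations = 100000 // chosen for this example, not the project's setting

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block, written out
// so the example needs nothing outside the standard library.
func pbkdf2(password string, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(i) for the first (and only) block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aead derives the AES-256 key for one version and returns its GCM instance.
func aead(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2(password, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptKey seals key under password. Salt (any length) and nonce (12 bytes) must
// be fresh random bytes for every version written to the database; main passes
// constructed ones only so the run is reproducible.
func EncryptKey(key []byte, password string, salt, nonce []byte) (EncryptedKey, error) {
	g, err := aead(password, salt)
	if err != nil {
		return EncryptedKey{}, err
	}
	return EncryptedKey{salt, nonce, g.Seal(nil, nonce, key, nil)}, nil
}

// DecryptAny tries the stored versions in order and returns the first key whose GCM
// tag verifies: a wrong password fails authentication instead of yielding garbage.
func DecryptAny(versions []EncryptedKey, password string) ([]byte, error) {
	for _, v := range versions {
		g, err := aead(password, v.Salt)
		if err != nil {
			return nil, err
		}
		if key, err := g.Open(nil, v.Nonce, v.Ciphertext, nil); err == nil {
			return key, nil
		}
	}
	return nil, errors.New("no stored key version decrypts with the provided password")
}

// main runs the flow on constructed data: the same key stored under two passwords.
func main() {
	secret := []byte("constructed sample key material")
	v1, _ := EncryptKey(secret, "old-password", []byte("salt-for-version-1"), []byte("nonce-v1-000"))
	v2, _ := EncryptKey(secret, "new-password", []byte("salt-for-version-2"), []byte("nonce-v2-000"))
	for _, pw := range []string{"old-password", "new-password", "wrong-password"} {
		key, err := DecryptAny([]EncryptedKey{v1, v2}, pw)
		fmt.Printf("%-15s key=%q err=%v\n", pw, key, err)
	}
}
```

Two properties of this loop matter operationally. A failed open costs one full KDF per stored version, so the number of versions multiplies the work an unauthenticated caller can impose on the server; rate limiting the open endpoint is the usual mitigation. And because each version carries its own salt, a password that matches version two is only discovered after version one has been derived and rejected, so the order of versions in the database is a latency choice, not a security one.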

In order to query the KeyStore, you need to present a valid SSO token for the user whose secrets you would like to obtain.

API

The server exports an API over HTTP/HTTPS. All requests should be made using the POST method and a Content-Type of application/json. The request body should contain a JSON-encoded object. Responses will be similarly JSON-encoded.

/api/open (OpenRequest)

Retrieve the encrypted key for a user, decrypt it with the provided password, and store it in memory.

OpenRequest is an object with the following attributes:

  • username
  • password: the password to decrypt the user's key with
  • ttl (seconds): the time after which the credentials are automatically forgotten
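The in-memory side of the open/query/close lifecycle, with the ttl from OpenRequest enforced on every read, as an added Go example that is not the project's code. It assumes a `Decryptor` callback standing in for the database lookup plus password decryption, an injectable clock (`now`) so expiry can be exercised without sleeping, and the names `Store`, `Open`, `Get`, `Close` and `wipe`; the username, password and key bytes in `main` are constructed. The token check that the README requires for queries is not modelled here: `Get` is what a handler would call after it has validated the caller's SSO token for that username.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Decryptor stands in for the /api/open work of fetching a user's encrypted key
// versions and decrypting them with the password (an assumption of this example).
type Decryptor func(username, password string) ([]byte, error)

type entry struct {
	key     []byte
	expires time.Time
}

// Store holds decrypted keys in memory until their TTL elapses or Close wipes them.
type Store struct {
	mu      sync.Mutex
	decrypt Decryptor
	entries map[string]entry
	now     func() time.Time // injectable clock so expiry can be tested without sleeping
}

func NewStore(d Decryptor) *Store {
	return &Store{decrypt: d, entries: map[string]entry{}, now: time.Now}
}

// Open handles an OpenRequest: decrypt the key and keep it for ttl.
func (s *Store) Open(username, password string, ttl time.Duration) error {
	if ttl <= 0 {
		return errors.New("ttl must be positive")
	}
	key, err := s.decrypt(username, password)
	if err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.wipe(username) // a re-open replaces, and zeroes, any earlier copy
	s.entries[username] = entry{key: key, expires: s.now().Add(ttl)}
	return nil
}

// Get returns a copy of the open key; an expired entry is wiped and reported absent,
// so a secret is never served past its TTL even if no background sweeper has run.
func (s *Store) Get(username string) ([]byte, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[username]
	if !ok || !s.now().Before(e.expires) {
		s.wipe(username)
		return nil, false
	}
	return append([]byte(nil), e.key...), true
}

// Close wipes the key at once instead of waiting for the TTL.
func (s *Store) Close(username string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.wipe(username)
}

// wipe zeroes the key bytes before dropping the map entry; callers hold s.mu.
func (s *Store) wipe(username string) {
	if e, ok := s.entries[username]; ok {
		for i := range e.key {
			e.key[i] = 0
		}
		delete(s.entries, username)
	}
}

// main runs the lifecycle with a constructed decryptor that accepts one password.
func main() {
	s := NewStore(func(user, password string) ([]byte, error) {
		if user == "alice" && password == "correct horse" {
			return []byte("alice-private-key"), nil
		}
		return nil, errors.New("no stored key version decrypts with the provided password")
	})
	fmt.Println("open:", s.Open("alice", "correct horse", 30*time.Second))
	key, ok := s.Get("alice")
	fmt.Printf("query: %q %v\n", key, ok)
	s.Close("alice")
	_, ok = s.Get("alice")
	fmt.Println("after close:", ok)
}
```

`Get` hands out a copy rather than the stored slice so that a later `Close` cannot silently zero bytes a handler is still serialising, which means the handler is responsible for discarding its own copy promptly. Zeroing the slice before deleting the map entry is best effort in a garbage-collected runtime (earlier copies made by the decryptor may survive until collected), so the TTL remains the primary bound on how long plaintext lives.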