|
|
@ -1,15 +1,15 @@ |
|
|
|
# KeyStar, an HTTP and In-process Key Management Solution |
|
|
|
|
|
|
|
KeyStar is a lightweight key management utility that provides a RESTful HTTP |
|
|
|
server and in-process key management for Golang applications. Presently, it only |
|
|
|
supports file system backed storage, but plans are in progress to support bbolt, |
|
|
|
SQLite, and eventually S3-compatible backends. Other options may be explored as |
|
|
|
time permits or requirements change (this includes etcd). |
|
|
|
server. Additionally, KeyStar also provides an in-process key management library |
|
|
|
for Golang applications along with cryptographic wrapper utilities that make use |
|
|
|
of its internal key management. Presently, it only supports file system backed |
|
|
|
storage, but plans are in progress to support bbolt, SQLite, and eventually |
|
|
|
S3-compatible backends. Other options may be explored as time permits or |
|
|
|
requirements change (this includes etcd). |
|
|
|
|
|
|
|
This is considered the authoritative HTTP API documentation and follows closely |
|
|
|
comments in the source files. |
|
|
|
|
|
|
|
Available in this document are the following sections: |
|
|
|
Available in this document are the following sections; missing sections will be |
|
|
|
added as time allows: |
|
|
|
|
|
|
|
* [Why KeyStar?](#why-keystar) |
|
|
|
* [Command Line](#command-line) |
|
|
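Review bot: the new second sentence reads "Additionally, KeyStar also provides", which doubles the adverb; drop one, e.g. "KeyStar also provides an in-process key management library for Golang applications". Separately, now that the intro advertises an in-process library and cryptographic wrapper utilities, the unchanged sentence "This is considered the authoritative HTTP API documentation" no longer covers everything the paragraph introduces: say where the in-process library and the wrappers are documented (or state plainly that this file covers only the HTTP API), and reconsider whether "missing sections will be added as time allows" belongs in a document that calls itself authoritative.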
@ -48,6 +48,7 @@ Available in this document are the following sections: |
|
|
|
* [Byte Generation](#byte-generation) |
|
|
|
* [Key Generation](#key-generation) |
|
|
|
* [Signature Generation](#signature-generation) |
|
|
|
* [Cryptographic Utilities](#cryptographic-utilities) |
|
|
|
|
|
|
|
## Why KeyStar? |
|
|
|
|
|
|
@ -1415,6 +1416,20 @@ Responses from this endpoint will contain the following JSON-formatted schema: |
|
|
|
| signature | string | Signature derived from submitted data | |
|
|
|
| algorithm | string | Algorithm used to generate signature | |
|
|
|
|
|
|
|
## Cryptographic Utilities |
|
|
|
|
|
|
|
KeyStar provides an assortment of cryptographic utilities. These interface |
|
|
|
directly with KeyStar's key types (primarily composite keys for convenience) and |
|
|
|
provide features such as encrypt-then-MAC and time-based token generation. |
|
|
|
Wrappers such as these may be used for encrypting cookies or user session data; |
|
|
|
in the case of time-based token generation, this may be useful for generating |
|
|
|
password reset tokens and similar without littering the host application |
|
|
|
database with ephemeral data. As a bonus example, KeyStar's key namespacing |
|
|
|
features allow applications to create isolated key stores specifically for |
|
|
|
generating user tokens that automatically invalidate via key rotation, rendering |
|
|
|
them completely unusable in the event an adversary attempts to attack the token |
|
|
|
signature to control its contents. |
|
|
|
|
|
|
|
[^1]: This needs to be a word. |
|
|
|
|
|
|
|
[^2]: A **500**-level error may be more appropriate for this circumstance, but we |
|
|
|
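Review bot: the closing claim that key rotation renders tokens "completely unusable in the event an adversary attempts to attack the token signature to control its contents" overstates what rotation buys. Rotation bounds how long any token, legitimate or forged, remains valid and limits the exposure from a leaked signing key; it does nothing against an attacker inside the current rotation window, and resistance to forgery has to come from the MAC itself. Suggest rewording along the lines of "rotation limits the validity window of issued tokens and the damage from a leaked key", and note that rotation also invalidates legitimate tokens, so the rotation period and token lifetime need to be chosen together. The section also presents the wrappers as a feature without documenting what a practitioner needs to use them safely: which cipher and MAC the encrypt-then-MAC wrapper uses, what a "composite key" is and whether it keeps the encryption and MAC keys separate, how the nonce or IV is chosen, the token format and how expiry is encoded and checked, and whether a time-based token can be presented more than once before it expires (a password reset token that stays valid until expiry or rotation is replayable unless the application binds it to state that changes on use). Since the file calls itself the authoritative API documentation, the endpoints or package entry points for these utilities should appear here rather than only the use cases.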