vault-signer

A Go crypto.Signer that leverages the transit secrets engine in HashiCorp Vault

Usage

To use vault-signer just pass in a Vault API client and key configuration to get a struct that implements the Go crypto.Signer interface.

vaultConfig := api.DefaultConfig()
vaultClient, err := api.NewClient(vaultConfig)
if err != nil {
	log.Fatalf("err: %s", err)
}

signerConfig := &vaultsigner.SignerConfig{
	MountPath: "transit",
	KeyName:   "test-key",
}
vaultSigner, err := vaultsigner.NewVaultSigner(vaultClient, signerConfig)
if err != nil {
	log.Fatalf("err: %s", err)
}

Examples

Sign JWT

import (
	"log"

	"gopkg.in/square/go-jose.v2"
	"gopkg.in/square/go-jose.v2/cryptosigner"
	"gopkg.in/square/go-jose.v2/jwt"
)

// using VaultSigner setup above

opaqueSigner := cryptosigner.Opaque(vaultSigner)
signingKey := jose.SigningKey{Algorithm: jose.EdDSA, Key: opaqueSigner}
signer, err := jose.NewSigner(signingKey, nil)
if err != nil {
	log.Fatalf("error creating signer: %v", err)
}

builder := jwt.Signed(signer)
pubClaims := jwt.Claims{
	Issuer:   "issuer1",
	Subject:  "subject1",
	ID:       "id1",
	Audience: jwt.Audience{"aud1", "aud2"},
	IssuedAt: jwt.NewNumericDate(time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)),
	Expiry:   jwt.NewNumericDate(time.Date(2030, 1, 1, 0, 15, 0, 0, time.UTC)),
}
builder = builder.Claims(pubClaims)

rawJWT, err := builder.CompactSerialize()
if err != nil {
	log.Fatalf("failed to create JWT: %+v", err)
}

// decode the raw JWT
parsedJWT, err := jwt.ParseSigned(rawJWT)
if err != nil {
	log.Fatalf("failed to parse JWT:%+v", err)
}

// verify signature
resultCl := map[string]interface{}{}
if err := parsedJWT.Claims(vaultSigner.Public(), &resultCl); err != nil {
	log.Fatalf("Failed to verify JWT: %+v", err)
}

Sign x509 Certificate

import (
	"crypto/rand"
	"crypto/x509"
	"log"
)

// using VaultSigner setup above

template := &x509.Certificate{
	Subject: pkix.Name{
		CommonName: "Test",
	},
	SerialNumber:       big.NewInt(1),
	NotAfter:           time.Now().Add(time.Hour).UTC(),
	SignatureAlgorithm: x509.SHA256WithRSA,
}

cert, err = x509.CreateCertificate(rand.Reader, template, template, vaultSigner.Public(), vaultSigner)
if err != nil {
	log.Fatalf("Error creating certificate: %s", err)
}

Name		Name	Last commit message	Last commit date
Latest commit History 139 Commits
.github		.github
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
go.mod		go.mod
go.sum		go.sum
vault_signer.go		vault_signer.go
vault_signer_test.go		vault_signer_test.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.github

.github

.gitignore

.gitignore

LICENSE

LICENSE

README.md

README.md

go.mod

go.mod

go.sum

go.sum

vault_signer.go

vault_signer.go

vault_signer_test.go

vault_signer_test.go

Repository files navigation

vault-signer

Usage

Examples

Sign JWT

Sign x509 Certificate

About

Releases

Packages

Contributors 3

Languages

License

chrishoffman/vault-signer

Folders and files

Latest commit

History

Repository files navigation

vault-signer

Usage

Examples

Sign JWT

Sign x509 Certificate

About

Resources

License

Stars

Watchers

Forks

Languages