- Notifications
You must be signed in to change notification settings - Fork1
A golang KMIP client and server library, supporting KMIP v1.0 to v1.4.
License
NotificationsYou must be signed in to change notification settings
ovh/kmip-go
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
A go implementation of the KMIP protocol and client, supporting KMIP v1.0 to v1.4.SeeKMIP v1.4 protocole specification
This library is developped for and tested againstOVHcloud KMS.
NOTE: THIS PROJECT IS CURRENTLY UNDER DEVELOPMENT AND SUBJECT TO BREAKING CHANGES.
Add it to your project by running
go get github.com/ovh/kmip-go@latest
and import required packages
import ("github.com/ovh/kmip-go""github.com/ovh/kmip-go/kmipclient""github.com/ovh/kmip-go/payloads""github.com/ovh/kmip-go/ttlv")
Then you can connect to your KMS service:
const (ADDR="eu-west-rbx.okms.ovh.net:5696"CA="ca.pem"CERT="cert.pem"KEY="key.pem")client,err:=kmipclient.Dial(ADDR,// Optional if server's CA is known by the system// kmipclient.WithRootCAFile(CA),kmipclient.WithClientCertFiles(CERT,KEY),kmipclient.WithMiddlewares(kmipclient.CorrelationValueMiddleware(uuid.NewString),kmipclient.DebugMiddleware(os.Stdout,ttlv.MarshalXML),),// kmipclient.EnforceVersion(kmip.V1_4),)iferr!=nil {panic(err)}deferclient.Close()fmt.Println("Connected using KMIP version",client.Version())
You can then use the high level client helper methods to create and send requeststo the server:
resp:=client.Create().AES(256,kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).WithName("my-key").MustExec()fmt.Println("Created AES key with ID",resp.UniqueIdentifier)
Or alternatively if more flexibility is required, craft your kmip requests payloads:
request:= payloads.CreateRequestPayload{ObjectType:kmip.ObjectTypeSymmetricKey,TemplateAttribute: kmip.TemplateAttribute{Attribute: []kmip.Attribute{{AttributeName:kmip.AttributeNameCryptographicAlgorithm,AttributeValue:kmip.CryptographicAlgorithmAES,}, {AttributeName:kmip.AttributeNameCryptographicLength,AttributeValue:int32(256),}, {AttributeName:kmip.AttributeNameName,AttributeValue: kmip.Name{NameType:kmip.NameTypeUninterpretedTextString,NameValue:"another-key",},}, {AttributeName:kmip.AttributeNameCryptographicUsageMask,AttributeValue:kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt,},},},}response,err:=client.Request(context.Background(),&request)iferr!=nil {panic(err)}id:=response.(*payloads.CreateResponsePayload).UniqueIdentifierfmt.Println("Created an AES key with ID",id)
You can also send batches of requests:
batchResponse,err:=client.Batch(context.Background(),&request,&request)iferr!=nil {panic(err)}id1:=batchResponse[0].ResponsePayload.(*payloads.CreateResponsePayload).UniqueIdentifierid2:=batchResponse[1].ResponsePayload.(*payloads.CreateResponsePayload).UniqueIdentifierfmt.Println("Created 2 AES keys with IDs",id1,id2)
And directly craft your request message with one or more payloads batched together:
msg:=kmip.NewRequestMessage(client.Version(),&request,&request)rMsg,err:=client.Roundtrip(context.Background(),&msg)iferr!=nil {panic(err)}id1:=rMsg.BatchItem[0].ResponsePayload.(*payloads.CreateResponsePayload).UniqueIdentifierid2:=rMsg.BatchItem[1].ResponsePayload.(*payloads.CreateResponsePayload).UniqueIdentifierfmt.Println("Created a 5th and 6th AES keys with IDs",id1,id2)
}
Seeexamples for more possibilities.
Legend:
- N/A : Not Applicable
- ✅ : Fully compatible
- ❌ : Not implemented or reviewed
- 🚧 : Work in progress / Partially compatible
- 💀 : Deprecated
| v1.0 | v1.1 | v1.2 | v1.3 | v1.4 | |
|---|---|---|---|---|---|
| Request Message | ✅ | ✅ | ✅ | ✅ | ✅ |
| Response Message | ✅ | ✅ | ✅ | ✅ | ✅ |
| Operation | v1.0 | v1.1 | v1.2 | v1.3 | v1.4 |
|---|---|---|---|---|---|
| Create | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create Key Pair | ✅ | ✅ | ✅ | ✅ | ✅ |
| Register | ✅ | ✅ | ✅ | ✅ | ✅ |
| Re-key | ✅ | ✅ | ✅ | ✅ | ✅ |
| DeriveKey | ❌ | ❌ | ❌ | ❌ | ❌ |
| Certify | ❌ | ❌ | ❌ | ❌ | ❌ |
| Re-certify | ❌ | ❌ | ❌ | ❌ | ❌ |
| Locate | ✅ | ✅ | ✅ | ✅ | ✅ |
| Check | ❌ | ❌ | ❌ | ❌ | ❌ |
| Get | ✅ | ✅ | ✅ | ✅ | ✅ |
| Get Attributes | ✅ | ✅ | ✅ | ✅ | ✅ |
| Get Attribute List | ✅ | ✅ | ✅ | ✅ | ✅ |
| Add Attribute | ✅ | ✅ | ✅ | ✅ | ✅ |
| Modify Attribute | ✅ | ✅ | ✅ | ✅ | ✅ |
| Delete Attribute | ✅ | ✅ | ✅ | ✅ | ✅ |
| Obtain Lease | ✅ | ✅ | ✅ | ✅ | ✅ |
| Get Usage Allocation | ✅ | ✅ | ✅ | ✅ | ✅ |
| Activate | ✅ | ✅ | ✅ | ✅ | ✅ |
| Revoke | ✅ | ✅ | ✅ | ✅ | ✅ |
| Destroy | ✅ | ✅ | ✅ | ✅ | ✅ |
| Archive | ✅ | ✅ | ✅ | ✅ | ✅ |
| Recover | ✅ | ✅ | ✅ | ✅ | ✅ |
| Validate | ❌ | ❌ | ❌ | ❌ | ❌ |
| Query | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cancel | ❌ | ❌ | ❌ | ❌ | ❌ |
| Poll | ❌ | ❌ | ❌ | ❌ | ❌ |
| Notify | ❌ | ❌ | ❌ | ❌ | ❌ |
| Put | ❌ | ❌ | ❌ | ❌ | ❌ |
| Discover | N/A | ✅ | ✅ | ✅ | ✅ |
| Re-key Key Pair | N/A | ❌ | ❌ | ❌ | ❌ |
| Encrypt | N/A | N/A | ✅ | ✅ | ✅ |
| Decrypt | N/A | N/A | ✅ | ✅ | ✅ |
| Sign | N/A | N/A | ✅ | ✅ | ✅ |
| Signature Verify | N/A | N/A | ✅ | ✅ | ✅ |
| MAC | N/A | N/A | ❌ | ❌ | ❌ |
| MAC Verify | N/A | N/A | ❌ | ❌ | ❌ |
| RNG Retrieve | N/A | N/A | ❌ | ❌ | ❌ |
| RNG Seed | N/A | N/A | ❌ | ❌ | ❌ |
| Hash | N/A | N/A | ❌ | ❌ | ❌ |
| Create Split Key | N/A | N/A | ❌ | ❌ | ❌ |
| Join Split Key | N/A | N/A | ❌ | ❌ | ❌ |
| Export | N/A | N/A | N/A | N/A | ❌ |
| Import | N/A | N/A | N/A | N/A | ❌ |
| Object | v1.0 | v1.1 | v1.2 | v1.3 | v1.4 |
|---|---|---|---|---|---|
| Certificate | ✅ | ✅ | ✅ | ✅ | ✅ |
| Symmetric Key | ✅ | ✅ | ✅ | ✅ | ✅ |
| Public Key | ✅ | ✅ | ✅ | ✅ | ✅ |
| Private Key | ✅ | ✅ | ✅ | ✅ | ✅ |
| Split Key | ✅ | ✅ | ✅ | ✅ | ✅ |
| Template | ✅ | ✅ | ✅ | 💀 | 💀 |
| Secret Data | ✅ | ✅ | ✅ | ✅ | ✅ |
| Opaque Object | ✅ | ✅ | ✅ | ✅ | ✅ |
| PGP Key | N/A | N/A | ✅ | ✅ | ✅ |
| Object | v1.0 | v1.1 | v1.2 | v1.3 | v1.4 |
|---|---|---|---|---|---|
| Attribute | ✅ | ✅ | ✅ | ✅ | ✅ |
| Credential | ✅ | ✅ | ✅ | ✅ | ✅ |
| Key Block | ✅ | ✅ | ✅ | ✅ | ✅ |
| Key Value | ✅ | ✅ | ✅ | ✅ | ✅ |
| Key Wrapping Data | ✅ | ✅ | ✅ | ✅ | ✅ |
| Key Wrapping Specification | ✅ | ✅ | ✅ | ✅ | ✅ |
| Transparent Key Structures | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 |
| Template-Attribute Structures | ✅ | ✅ | ✅ | ✅ | ✅ |
| Extension Information | N/A | ✅ | ✅ | ✅ | ✅ |
| Data | N/A | N/A | ✅ | ✅ | ✅ |
| Data Length | N/A | N/A | ❌ | ❌ | ❌ |
| Signature Data | N/A | N/A | ✅ | ✅ | ✅ |
| MAC Data | N/A | N/A | ❌ | ❌ | ❌ |
| Nonce | N/A | N/A | ✅ | ✅ | ✅ |
| Correlation Value | N/A | N/A | N/A | ✅ | ✅ |
| Init Indicator | N/A | N/A | N/A | ✅ | ✅ |
| Final Indicator | N/A | N/A | N/A | ✅ | ✅ |
| RNG Parameter | N/A | N/A | N/A | ✅ | ✅ |
| Profile Information | N/A | N/A | N/A | ✅ | ✅ |
| Validation Information | N/A | N/A | N/A | ✅ | ✅ |
| Capability Information | N/A | N/A | N/A | ✅ | ✅ |
| Authenticated Encryption Additional Data | N/A | N/A | N/A | N/A | ✅ |
| Authenticated Encryption Tag | N/A | N/A | N/A | N/A | ✅ |
| Object | v1.0 | v1.1 | v1.2 | v1.3 | v1.4 |
|---|---|---|---|---|---|
| Symmetric Key | ✅ | ✅ | ✅ | ✅ | ✅ |
| DSA Private/Public Key | ❌ | ❌ | ❌ | ❌ | ❌ |
| RSA Private/Public Key | ✅ | ✅ | ✅ | ✅ | ✅ |
| DH Private/Public Key | ❌ | ❌ | ❌ | ❌ | ❌ |
| ECDSA Private/Public Key | ✅ | ✅ | ✅ | 💀 | 💀 |
| ECDH Private/Public Key | ❌ | ❌ | ❌ | 💀 | 💀 |
| ECMQV Private/Public | ❌ | ❌ | ❌ | 💀 | 💀 |
| EC Private/Public | N/A | N/A | N/A | ✅ | ✅ |
| Attribute | v1.0 | v1.1 | v1.2 | v1.3 | v1.4 |
|---|---|---|---|---|---|
| Unique Identifier | ✅ | ✅ | ✅ | ✅ | ✅ |
| Name | ✅ | ✅ | ✅ | ✅ | ✅ |
| Object Type | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cryptographic Algorithm | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cryptographic Length | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cryptographic Parameters | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cryptographic Domain Parameters | ✅ | ✅ | ✅ | ✅ | ✅ |
| Certificate Type | ✅ | ✅ | ✅ | ✅ | ✅ |
| Certificate Identifier | ✅ | 💀 | 💀 | 💀 | 💀 |
| Certificate Subject | ✅ | 💀 | 💀 | 💀 | 💀 |
| Certificate Issuer | ✅ | 💀 | 💀 | 💀 | 💀 |
| Digest | ✅ | ✅ | ✅ | ✅ | ✅ |
| Operation Policy Name | ✅ | ✅ | ✅ | 💀 | 💀 |
| Cryptographic Usage Mask | ✅ | ✅ | ✅ | ✅ | ✅ |
| Lease Time | ✅ | ✅ | ✅ | ✅ | ✅ |
| Usage Limits | ✅ | ✅ | ✅ | ✅ | ✅ |
| State | ✅ | ✅ | ✅ | ✅ | ✅ |
| Initial Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Activation Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Process Start Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Protect Stop Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Deactivation Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Destroy Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Compromise Occurrence Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Compromise Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Revocation Reason | ✅ | ✅ | ✅ | ✅ | ✅ |
| Archive Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Object Group | ✅ | ✅ | ✅ | ✅ | ✅ |
| Link | ✅ | ✅ | ✅ | ✅ | ✅ |
| Application Specific Information | ✅ | ✅ | ✅ | ✅ | ✅ |
| Contact Information | ✅ | ✅ | ✅ | ✅ | ✅ |
| Last Change Date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Custom Attribute | ✅ | ✅ | ✅ | ✅ | ✅ |
| Certificate Length | N/A | ✅ | ✅ | ✅ | ✅ |
| X.509 Certificate Identifier | N/A | ✅ | ✅ | ✅ | ✅ |
| X.509 Certificate Subject | N/A | ✅ | ✅ | ✅ | ✅ |
| X.509 Certificate Issuer | N/A | ✅ | ✅ | ✅ | ✅ |
| Digital Signature Algorithm | N/A | ✅ | ✅ | ✅ | ✅ |
| Fresh | N/A | ✅ | ✅ | ✅ | ✅ |
| Alternative Name | N/A | N/A | ✅ | ✅ | ✅ |
| Key Value Present | N/A | N/A | ✅ | ✅ | ✅ |
| Key Value Location | N/A | N/A | ✅ | ✅ | ✅ |
| Original Creation Date | N/A | N/A | ✅ | ✅ | ✅ |
| Random Number Generator | N/A | N/A | N/A | ✅ | ✅ |
| PKCS#12 Friendly Name | N/A | N/A | N/A | N/A | ✅ |
| Description | N/A | N/A | N/A | N/A | ✅ |
| Comment | N/A | N/A | N/A | N/A | ✅ |
| Sensitive | N/A | N/A | N/A | N/A | ✅ |
| Always Sensitive | N/A | N/A | N/A | N/A | ✅ |
| Extractable | N/A | N/A | N/A | N/A | ✅ |
| Never Extractable | N/A | N/A | N/A | N/A | ✅ |
About
A golang KMIP client and server library, supporting KMIP v1.0 to v1.4.