NAME

OpenXPKI::Crypto::SecretManager

Description

Management of secrets, i.e. passphrases/keys for cryptographic tokens.

ATTRIBUTES

default_token

Required: instance of OpenXPKI::Crypto::API.

METHODS

_get_secret_def ($alias, $return_undef_if_not_found)

Returns the configuration HashRef of the secret specified by the given name or "undef" if realm or secret do not exist.

When called first this method tries to load the secret data from configuration and (the serialized data) from the cache.

_set_secret ($realm, $group, $secret_def)

Set the named secret to the given $secret_def HashRef.

_load ($alias)

Create and return the internal config HashRef incl. object for the secret of the given name.

Returns:

    {
        ... # options from configuration file
        _alias => STR,
        _realm => STR,
        _ref => OBJECT with Moose role OpenXPKI::Crypto::SecretRole,
    }

_create_object ($secret_def)

Returns an object with Moose role OpenXPKI::Crypto::SecretRole according to the given config data HashRef.

_get_encryptedshare_names ($template, $alias, $count)

Uses Template to render the names (or paths for encrypted share type "FILESYSTEM") for all "n" encrypted secret shares.

Returns an ArrayRef of all "n" share names.

_load_from_cache ($realm, $alias, $cache_type)

Try to load the secret's serialized data from the cache (session or DB).

Returns serialized secret data to be passed to "thaw" in OpenXPKI::Crypto::SecretRole or "undef".

_save_to_cache ($realm, $alias, $cache_type, $dump)

Save the secret's serialized data to the cache (session or DB).

_clear_cache ($secret_def)

Removes the secret's serialized data from the cache (session or DB).

get_infos

List type and name of all secret groups in the current realm

Returns:

    {
        'my-secret' => {
            label => STR,
            type  => STR,
            complete => BOOL,
            required_parts => NUM,
            inserted_parts => NUM,
        },
        'other-secret' => {
            ...
        },
        ...
    }

get_required_part_count

Returns the number of required parts to complete this secret.

get_inserted_part_count

Returns the number of parts that are already inserted / set.

is_complete ($alias)

Check if the secret is complete (all passwords loaded).

Returns 0 or 1.

get_secret ($alias)

Get the plaintext value of the stored secret. This requires that the secret was created with the "export" flag set, otherwise an exception is thrown.

Returns the secret value or "undef" if the secret is not complete.

set_part ({ GROUP, VALUE, PART })

Set the secret "VALUE" of the given "GROUP" (aka alias), for plain secrets omit "PART".

clear ($alias)

Purge the secret of the given name.

request_transfer

Initialize a secret transfer to the current node. Creates a keypair for negotiation of the transfer secret and writes placeholder items for this key into the database.

perform_transfer ($pubkey)

Needs to be executed on the sending node, i.e. the one that already has established/completed its secrets.

Expects the public key created by "request_transfer" in $pubkey and tries to fill the database entries assigned to this transfer key.

accept_transfer ($transfer_id, $pubkey)

Needs to be executed on the receiving node, expects the id and public key generated by the sending node via "perform_transfer".

Transfers the exported secrets from the database (transfer pool) into the secret cache so they can be used by all children of this node.