wasi_ephemeral_crypto_external_secrets.witx
;;; External secrets storage.
;;;
;;; External secrets are binary blobs that can represent external API tokens, or anything else that is not meant to be consumed by the wasi-crypto APIs.
;;; These secrets can be stored by the secrets manager and later retrieved using an identifier (and a version).
;;;
;;; Alternatively, the secrets manager can encrypt them, and applications then supply the ciphertext to get the original secret back.
;;;
;;; The whole module is optional: each function below returns `$unsupported_feature` when the host does not implement it.
;;;
;;; __(optional)__
(module $wasi_ephemeral_crypto_external_secrets
(use * from $wasi_ephemeral_crypto_common)
;;; Store an external secret into the secrets manager.
;;;
;;; `$secret` / `$secret_len` is the secret to store.
;;; `$expiration` is the expiration date of the secret as a UNIX timestamp, in seconds.
;;; An expiration date is mandatory.
;;;
;;; On success, the secret identifier is put into `$secret_id` if it fits into `$secret_id_max_len` bytes.
;;; If the supplied output buffer is too small, `$overflow` is returned.
;;;
;;; NOTE(review): the signature has no output for the number of identifier bytes actually written into `$secret_id`; confirm how callers are expected to determine the identifier's length (e.g. a fixed-size identifier) before relying on the buffer contents.
;;;
;;; If this function is not supported by the host the `$unsupported_feature` error is returned.
(@interface func (export "external_secret_store")
(param $secrets_manager $secrets_manager)
(param $secret (@witx const_pointer u8))
(param $secret_len $size)
(param $expiration $timestamp)
(param $secret_id (@witx pointer u8))
(param $secret_id_max_len $size)
(result $error (expected (error $crypto_errno)))
)
;;; Replace a managed external secret with a new version.
;;;
;;; `$secret_id` / `$secret_id_len` identify the existing secret; `$secret` / `$secret_len` is its new value.
;;; `$expiration` is the expiration date of the new version as a UNIX timestamp, in seconds.
;;; An expiration date is mandatory.
;;;
;;; On success, a new version is created and its `$version` is returned.
;;;
;;; If this function is not supported by the host the `$unsupported_feature` error is returned.
(@interface func (export "external_secret_replace")
(param $secrets_manager $secrets_manager)
(param $secret (@witx const_pointer u8))
(param $secret_len $size)
(param $expiration $timestamp)
(param $secret_id (@witx const_pointer u8))
(param $secret_id_len $size)
(result $error (expected $version (error $crypto_errno)))
)
;;; Get a copy of an external secret given an identifier and version.
;;;
;;; `$secret_version` can be set to a version number, or to `version.latest` to retrieve the most recent version of a secret.
;;;
;;; On success, a copy of the secret is returned through an `$array_output` handle.
;;;
;;; The function returns `$unsupported_feature` if this operation is not supported by the host, and `not_found` if the identifier and version don't match any existing secret.
(@interface func (export "external_secret_from_id")
(param $secrets_manager $secrets_manager)
(param $secret_id (@witx const_pointer u8))
(param $secret_id_len $size)
(param $secret_version $version)
(result $error (expected $array_output (error $crypto_errno)))
)
;;; Invalidate an external secret given an identifier and a version.
;;;
;;; This asks the secrets manager to delete or revoke a stored secret, or a specific version of a secret.
;;;
;;; `$secret_version` can be set to a version number, to `version.latest` to invalidate the current version, or to `version.all` to invalidate all versions of a secret.
;;;
;;; The function returns `$unsupported_feature` if this operation is not supported by the host, and `not_found` if the identifier and version don't match any existing secret.
(@interface func (export "external_secret_invalidate")
(param $secrets_manager $secrets_manager)
(param $secret_id (@witx const_pointer u8))
(param $secret_id_len $size)
(param $secret_version $version)
(result $error (expected (error $crypto_errno)))
)
;;; Encrypt an external secret.
;;;
;;; `$expiration` is the expiration date of the secret as a UNIX timestamp, in seconds, as for `external_secret_store`.
;;;
;;; Applications don't have access to the encryption key, and the secrets manager is free to choose any suitable algorithm.
;;;
;;; However, the returned ciphertext must include and authenticate both the secret and the expiration date, so that `external_secret_decapsulate` can enforce the expiration and reject a ciphertext whose authentication fails.
;;;
;;; On success, the ciphertext is returned through an `$array_output` handle.
(@interface func (export "external_secret_encapsulate")
(param $secrets_manager $secrets_manager)
(param $secret (@witx const_pointer u8))
(param $secret_len $size)
(param $expiration $timestamp)
(result $error (expected $array_output (error $crypto_errno)))
)
;;; Decrypt an external secret previously encrypted by the secrets manager with `external_secret_encapsulate`.
;;;
;;; Returns the original secret (through an `$array_output` handle) if the ciphertext is valid.
;;; Returns `$expired` if the current date is past the stored expiration date.
;;; Returns `$verification_failed` if the ciphertext format is invalid or if its authentication tag couldn't be verified.
;;;
;;; NOTE(review): unlike the other functions in this module, `$unsupported_feature` is not documented here; since the whole module is optional it presumably applies as well — confirm.
(@interface func (export "external_secret_decapsulate")
(param $secrets_manager $secrets_manager)
(param $encrypted_secret (@witx const_pointer u8))
(param $encrypted_secret_len $size)
(result $error (expected $array_output (error $crypto_errno)))
)
)