Documentation
¶
Index ¶
- type Graph
- func (g *Graph) AddCert(c *x509.Certificate)
- func (g *Graph) AddRoot(c *x509.Certificate)
- func (g *Graph) AppendFromPEM(r io.Reader, root bool) int
- func (g *Graph) Edges() []*GraphEdge
- func (g *Graph) FindEdge(fp x509.CertificateFingerprint) *GraphEdge
- func (g *Graph) FindNode(fp x509.CertificateFingerprint) *GraphNode
- func (g *Graph) IsRoot(c *x509.Certificate) bool
- func (g *Graph) Nodes() (out []*GraphNode)
- func (g *Graph) WalkChains(c *x509.Certificate) (out []x509.CertificateChain)
- func (g *Graph) WalkChainsAsync(c *x509.Certificate, opt WalkOptions) chan x509.CertificateChain
- type GraphEdge
- type GraphEdgeSet
- type GraphNode
- type VerificationOptions
- type VerificationResult
- type Verifier
- type VerifyProcedure
- type VerifyProcedureApple
- type VerifyProcedureGoogleCTPrimary
- type VerifyProcedureJava
- type VerifyProcedureMicrosoft
- type VerifyProcedureNSS
- type WalkOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Graph ¶
type Graph struct {
// contains filtered or unexported fields
}
Graph represents signing relationships between SubjectAndKey tuples. A node in the graph is a SubjectAndKey. An edge in the graph is a certificate issued by the direct predecessor (tail) to the direct successor (head).
func (*Graph) AddCert ¶
func (g *Graph) AddCert(c *x509.Certificate)
AddCert inserts an edge for c into the graph, and creates nodes as needed.
func (*Graph) AddRoot ¶
func (g *Graph) AddRoot(c *x509.Certificate)
AddRoot adges an edge for certificate c, and marks it as a root.
func (*Graph) AppendFromPEM ¶
AppendFromPEM adds any certificates encoded as PEM from r to the graph. If root is true, it marks them as roots. It returns the number of certificates parsed.
func (*Graph) FindEdge ¶
func (g *Graph) FindEdge(fp x509.CertificateFingerprint) *GraphEdge
FindEdge returns an edge with a certificate matching the given SHA256 fingerprint, if it exists. If it does not exist, FindEdge returns nil.
func (*Graph) FindNode ¶
func (g *Graph) FindNode(fp x509.CertificateFingerprint) *GraphNode
FindNode returns a node with a matching spki_subject_fingerprint to fp, if it exists. If it does not exist, FindNode returns nil.
func (*Graph) IsRoot ¶
func (g *Graph) IsRoot(c *x509.Certificate) bool
IsRoot returns true if c is a root in the graph.
func (*Graph) WalkChains ¶
func (g *Graph) WalkChains(c *x509.Certificate) (out []x509.CertificateChain)
WalkChains is the same as WalkChainsAsync, except synchronous.
func (*Graph) WalkChainsAsync ¶
func (g *Graph) WalkChainsAsync(c *x509.Certificate, opt WalkOptions) chan x509.CertificateChain
WalkChainsAsync performs a depth-first walk of g, starting at c, to any root edges. It returns all non-looping paths from c to a root. WalkChainsAsync immediately returns a channel. It sends any chains it finds through the channel, and closes it once all paths have been found. If the channel does not get consumed, this function may block indefinitely.
type GraphEdge ¶
type GraphEdge struct {
Certificate *x509.Certificate
// contains filtered or unexported fields
}
A GraphEdge is a certificate that joins two SubjectAndKeys.
type GraphEdgeSet ¶
type GraphEdgeSet struct {
// contains filtered or unexported fields
}
A GraphEdgeSet represents a set of edges. Edges are deduplicated by certificate fingerprint.
func NewGraphEdgeSet ¶
func NewGraphEdgeSet() (es *GraphEdgeSet)
NewGraphEdgeSet initializes an empty GraphEdgeSet.
func (*GraphEdgeSet) ContainsCertificate ¶
func (es *GraphEdgeSet) ContainsCertificate(c *x509.Certificate) bool
ContainsCertificate returns true if c is contained in the GraphEdgeSet.
func (*GraphEdgeSet) ContainsEdge ¶
func (es *GraphEdgeSet) ContainsEdge(edge *GraphEdge) bool
ContainsEdge returns true if the edge is contained in the GraphEdgeSet.
func (*GraphEdgeSet) Edges ¶
func (es *GraphEdgeSet) Edges() (out []*GraphEdge)
Edges returns all edges in the set as a slice.
func (*GraphEdgeSet) FindEdge ¶
func (es *GraphEdgeSet) FindEdge(fp x509.CertificateFingerprint) *GraphEdge
FindEdge returns an edge matching the certificate fingerprint, if it exists. If it does not exist, FindEdge returns nil.
func (*GraphEdgeSet) Size ¶
func (es *GraphEdgeSet) Size() int
Size returns the number of edges in the GraphEdgeSet.
type GraphNode ¶
type GraphNode struct {
SubjectAndKey *x509.SubjectAndKey
// contains filtered or unexported fields
}
A GraphNode is a SubjectAndKey
type VerificationOptions ¶
type VerificationOptions struct {
VerifyTime time.Time
Name string
PresentedChain *Graph // XXX: Unused
}
VerificationOptions contains settings for Verifier.Verify(). VerificationOptions should be safely copyable.
type VerificationResult ¶
type VerificationResult struct {
// The name being checked, e.g. "www.censys.io".
Name string
// Whitelisted is true if the certificate is whitelisted by a given verifier
// as trusted, e.g. when Apple whitelisted subset of StartCom certs by SPKI
// hash in the wake of the WoSign incidents surrounding misissuance.
Whitelisted bool
// Blacklisted is true if the certificate is blacklisted by a given verifier
// as untrusted, e.g. Cloudflare certificates valid at the time of Heartbleed
// disclosure in Chrome.
Blacklisted bool
// InRevocationSet is true if the certificate has been revoked and is listed
// in the revocation set that is part of the Verifier (e.g. in OneCRL).
InRevocationSet bool
// ValiditionError will be non-nil when there was some sort of error during
// validation not involving a name mismatch, e.g. if a chain could not be
// built.
ValidationError error
// NameError will be non-nil when there was a mismatch between the name on the
// certificate and the name being verified against.
NameError error
// Parents is a set of currently valid certificates that are immediate parents
// of the certificate being verified, and are part of a chain that is valid at
// the time the certificate being verified expires.
Parents []*x509.Certificate
// CurrentChains is a list of validated certificate chains that are valid at
// ValidationTime, starting at the certificate being verified, and ending at a
// certificate in the root store.
CurrentChains []x509.CertificateChain
// ExpiredChains is a list of certificate chains that were valid at some
// point, but not at ValidationTime.
ExpiredChains []x509.CertificateChain
// NeverValidChains is a list of certificate chains that could never be valid
// due to date-related issues, but are otherwise valid.
NeverValidChains []x509.CertificateChain
// ValidAtExpirationChains is a list of certificate chains that were valid at
// the time of expiration of the certificate being validated.
ValidAtExpirationChains []x509.CertificateChain
// CertificateType is one of Leaf, Intermediate, or Root.
CertificateType x509.CertificateType
// VerifyTime is time used in verification, set in the VerificationOptions.
VerifyTime time.Time
// Expired is false if NotBefore < VerifyTime < NotAfter
Expired bool
// ParentSPKISubjectFingerprint is the SHA256 of the (SPKI, Subject) for
// parents of this certificate.
ParentSPKISubjectFingerprint x509.CertificateFingerprint
}
VerificationResult contains the result of a verification of a certificate against a store and its associated policies. It discerns between NameError, meaning the name on the certificate does not match, and a ValidationError, meaning some sort of issue with the cryptography, or other issues with the chain.
func (*VerificationResult) HadTrustedChain ¶
func (res *VerificationResult) HadTrustedChain() bool
HadTrustedChain returns true if at some point in time, the certificate had a chain to a trusted root in this store.
This is equivalent to checking if len(Current) > 0 || len(ValidAtExpired) > 0
func (*VerificationResult) HasTrustedChain ¶
func (res *VerificationResult) HasTrustedChain() bool
HasTrustedChain returns true if len(current) > 0
func (*VerificationResult) MatchesDomain ¶
func (res *VerificationResult) MatchesDomain() bool
MatchesDomain returns true if NameError == nil and Name != "".
type Verifier ¶
type Verifier struct {
PKI *Graph
VerifyProcedure VerifyProcedure
}
A Verifier represents a context for verifying certificates.
func NewGoogleCTPrimary ¶
NewGoogleCTPrimary returns a new verifier mimicking the behavior of the primary Google CT logs (e.g. Pilot).
func NewMicrosoft ¶
NewMicrosoft returns a new verifier mimicking Microsoft SChannel.
func NewVerifier ¶
func NewVerifier(pki *Graph, verifyProc VerifyProcedure) *Verifier
NewVerifier returns and initializes a new Verifier given a PKI graph and set of verification procedures.
func (*Verifier) Verify ¶
func (v *Verifier) Verify(c *x509.Certificate, opts VerificationOptions) (res *VerificationResult)
Verify checks if c chains back to a certificate in Roots, possibly via a certificate in Intermediates, and returns all such chains. It additional checks if the Name in the VerificationOptions matches the name on the certificate.
type VerifyProcedure ¶
type VerifyProcedure interface {
}
VerifyProcedure is an interface to implement additional browser specific logic at the start and end of verification.
type VerifyProcedureApple ¶
type VerifyProcedureApple struct{}
VerifyProcedureApple implements the VerifyProcedure interface for Apple.
type VerifyProcedureGoogleCTPrimary ¶
type VerifyProcedureGoogleCTPrimary struct{}
VerifyProcedureGoogleCTPrimary implements the VerifyProcedure interface for the primary Google CT servers.
type VerifyProcedureJava ¶
type VerifyProcedureJava struct{}
VerifyProcedureJava implements the VerifyProcedure interface for Java.
type VerifyProcedureMicrosoft ¶
type VerifyProcedureMicrosoft struct{}
VerifyProcedureMicrosoft implements the VerifyProcedure interface for Microsoft.
type VerifyProcedureNSS ¶
type VerifyProcedureNSS struct{}
VerifyProcedureNSS implements the VerifyProcedure interface for NSS.
type WalkOptions ¶
type WalkOptions struct {
ChannelSize int
}
WalkOptions contains options for the Graph.Walk* functions. It's a structure since anything related to verification inevitably results in a large number of arguments.
Source Files