Documentation ¶
Index ¶
- Constants
- Variables
- func GenerateCerts(rootCa *x509.Certificate, rootKey crypto.Signer, leafDnsName string, ...) (*tls.Certificate, error)
- type Edge
- type ExplicitTestCase
- type InvalidReason
- type StringSet
- type TestCaseImpl
- type TestCaseProvider
- func (p *TestCaseProvider) DescribeFeature(feature test_case.Feature) string
- func (p *TestCaseProvider) GetFeatures() []test_case.Feature
- func (p *TestCaseProvider) GetSanityCheckTestCase() (uint, error)
- func (p *TestCaseProvider) GetTestCase(testCaseIdx uint) (test_case.TestCase, error)
- func (p *TestCaseProvider) GetTestCaseCount() (uint, error)
- func (p *TestCaseProvider) GetTestCasesForFeature(feature test_case.Feature) ([]uint, error)
- func (p *TestCaseProvider) Name() string
- type TrustGraph
Constants ¶
const ( INVALID_REASON_UNSPECIFIED = iota INVALID_REASON_EXPIRED INVALID_REASON_NAME_CONSTRAINTS INVALID_REASON_BAD_EKU INVALID_REASON_MISSING_BASIC_CONSTRAINTS INVALID_REASON_NOT_A_CA INVALID_REASON_DEPRECATED_CRYPTO )
const ( SANITY_CHECK_TEST_CASE uint = iota BRANCHING_FEATURE_TEST_CASE_1 BRANCHING_FEATURE_TEST_CASE_2 FIRST_INVALID_REASON_TEST_CASE )
const FEATURE_BRANCHING = 0
Variables ¶
var ALL_TRUST_GRAPHS = []*TrustGraph{ TWO_ROOTS, LINEAR_TRUST_GRAPH, FIGURE_SEVEN, BRIDGE_CA_PKI, }
var BRIDGE_CA_PKI = NewGraph("BRIDGE_CA_PKI", []Edge{
{"F", "H"},
{"F", "G"},
{"G", "F"},
{"H", "I"},
{"I", "H"},
{"G", "I"},
{"TA W", "F"},
{"TA W", "G"},
{"J", "K"},
{"N", "EE"},
{"L", "N"},
{"L", "M"},
{"TA X", "J"},
{"TA X", "L"},
{"B", "E"},
{"B", "D"},
{"A", "B"},
{"C", "B"},
{"A", "C"},
{"C", "A"},
{"TA Y", "A"},
{"TA Y", "C"},
{"R", "S"},
{"O", "R"},
{"O", "Q"},
{"P", "S"},
{"TA Z", "O"},
{"TA Z", "P"},
{"TA W", "Bridge CA"},
{"Bridge CA", "TA W"},
{"TA X", "Bridge CA"},
{"Bridge CA", "TA X"},
{"TA Y", "Bridge CA"},
{"Bridge CA", "TA Y"},
{"TA Z", "Bridge CA"},
{"Bridge CA", "TA Z"},
})
https://datatracker.ietf.org/doc/html/rfc4158#section-2.4
+---+ +---+ | F |--->| H | +---+ +---+ ^ ^ ^ | \ \ | \ \ | v v | +---+ +---+ | | G |--->| I | | +---+ +---+ | ^ | / | / +------+ +-----------+ +------+ +---+ +---+ | TA W |<----->| Bridge CA |<------>| TA X |-->| L |-->| M | +------+ +-----------+ +------+ +---+ +---+ ^ ^ \ \ / \ \ \ / \ \ \ v v v v +------+ +------+ +---+ +---+ | TA Y | | TA Z | | J | | N | +------+ +------+ +---+ +---+ / \ / \ | | / \ / \ | | / \ / \ v v v v v v +---+ +----+ +---+ +---+ +---+ +---+ | K | | EE | | A |<--->| C | | O | | P | +---+ +----+ +---+ +---+ +---+ +---+ \ / / \ \ \ / / \ \ \ / v v v v v +---+ +---+ +---+ +---+ | Q | | R | | S | | B | +---+ +---+ +---+ +---+ | /\ | / \ | v v v +---+ +---+ +---+ | E | | D | | T | +---+ +---+ +---+
var EXPLICIT_TEST_CASES = []*ExplicitTestCase{ { TrustGraph: LINEAR_TRUST_GRAPH, SrcNode: "Trust Anchor", DstNode: "EE", Comment: "The most basic linear chain.", }, { TrustGraph: LINEAR_TRUST_GRAPH, SrcNode: "Trust Anchor", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "ICA"}}, ExpectFailure: true, Comment: "The most basic linear chain, broken by an expired ICA.", }, { TrustGraph: LINEAR_TRUST_GRAPH, SrcNode: "ICA", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "ICA"}}, Comment: "ICA is trusted directly, so the expired TA => ICA cert should not cause validation to fail.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root1", DstNode: "EE", Comment: "Should be able to discover a path to either root.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root2", DstNode: "EE", Comment: "Should be able to discover a path to either root.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root1", DstNode: "EE", InvalidEdges: []Edge{{"Root2", "ICA"}}, Comment: "Should be able to discover a path when alternate root is invalid.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root2", DstNode: "EE", InvalidEdges: []Edge{{"Root1", "ICA"}}, Comment: "Should be able to discover a path when alternate root is invalid.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root1", DstNode: "EE", InvalidEdges: []Edge{{"Root1", "ICA"}}, ExpectFailure: true, Comment: "Should not be able to find a path when only trusted root is invalid.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root2", DstNode: "EE", InvalidEdges: []Edge{{"Root2", "ICA"}}, ExpectFailure: true, Comment: "Should not be able to find a path when only trusted root is invalid.", }, { TrustGraph: FIGURE_SEVEN, SrcNode: "Trust Anchor", DstNode: "EE", Comment: "Should be able to find a path through a more complicated tree.", }, { TrustGraph: FIGURE_SEVEN, SrcNode: "Trust Anchor", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "C"}, {"A", "B"}}, Comment: "Should be able to find an alternate path through a more complicated tree.", }, { TrustGraph: FIGURE_SEVEN, SrcNode: "Trust Anchor", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "A"}, {"C", "B"}}, Comment: "Should be able to find an alternate path through a more complicated tree.", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "D", Comment: "RFC 4158, section 2.3", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", Comment: "RFC 4158, section 2.4.2", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", InvalidEdges: []Edge{{"TA X", "Bridge CA"}}, Comment: "Irrelevant expired cross-signed cert", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", InvalidEdges: []Edge{{"Bridge CA", "TA X"}}, ExpectFailure: true, Comment: "Certificate from bridge CA into infrastructure X is invalid.", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", InvalidEdges: []Edge{{"TA Z", "Bridge CA"}}, ExpectFailure: true, Comment: "Certificate from infrastructure Z to bridge CA is invalid.", }, }
var FIGURE_SEVEN = NewGraph("FIGURE_SEVEN", []Edge{
{"B", "EE"},
{"C", "B"},
{"A", "B"},
{"C", "A"},
{"A", "C"},
{"Trust Anchor", "C"},
{"Trust Anchor", "A"},
})
https://datatracker.ietf.org/doc/html/rfc4158#section-2.3
+---------+ | Trust | | Anchor | +---------+ | | v v +---+ +---+ | A |<-->| C | +---+ +---+ | | | +---+ | +->| B |<-+ +---+ | v +----+ | EE | +----+
var LINEAR_TRUST_GRAPH = NewGraph("LINEAR_TRUST_GRAPH", []Edge{
{"ICA", "EE"},
{"Trust Anchor", "ICA"},
})
var TWO_ROOTS = NewGraph("TWO_ROOTS", []Edge{
{"ICA", "EE"},
{"Root1", "ICA"},
{"Root2", "ICA"},
})
Functions ¶
func GenerateCerts ¶
func GenerateCerts(rootCa *x509.Certificate, rootKey crypto.Signer, leafDnsName string, testCase *TestCaseImpl) (*tls.Certificate, error)
Types ¶
type ExplicitTestCase ¶
type ExplicitTestCase struct { // A trust graph, as defined in trust_graph.go TrustGraph *TrustGraph // The source (trust anchor) the client will trust in this test case SrcNode string // The destination entity which will create the leaf certificate the client needs to verify DstNode string // Edges from the trust graph that will be made invalid (e.g. expired) in the test case InvalidEdges []Edge // The reason that the above-listed edges will be invalid, such as expired or bad EKU constraints. If unspecified // and there are non-zero invalid edges, this test case is a "meta" test case that will be expanded to include // all supported invalid reasons InvalidReason InvalidReason // Whether it is expected that the client will fail to be able to build a trust path ExpectFailure bool // An optional comment, explaining what the test is and/or why a client be able to succeed/fail at building the // trust path. Comment string }
type InvalidReason ¶
type InvalidReason int
func InvalidReasonFromString ¶
func InvalidReasonFromString(s string) InvalidReason
func InvalidReasons ¶
func InvalidReasons() []InvalidReason
func (InvalidReason) String ¶
func (r InvalidReason) String() string
type StringSet ¶
type StringSet struct {
// contains filtered or unexported fields
}
func NewStringSet ¶
func NewStringSet() *StringSet
type TestCaseImpl ¶
type TestCaseImpl struct { ExplicitTestCase *ExplicitTestCase InvalidReason InvalidReason }
func (*TestCaseImpl) ExpectedResult ¶
func (p *TestCaseImpl) ExpectedResult() test_case.ExpectedResult
func (*TestCaseImpl) GetCertificates ¶
func (p *TestCaseImpl) GetCertificates(rootCert *x509.Certificate, rootKey crypto.Signer) (*tls.Certificate, error)
func (*TestCaseImpl) GetHostname ¶
func (p *TestCaseImpl) GetHostname() string
func (*TestCaseImpl) RequiredFeatures ¶
func (p *TestCaseImpl) RequiredFeatures() []test_case.Feature
type TestCaseProvider ¶
type TestCaseProvider struct {
// contains filtered or unexported fields
}
func NewTestCaseProvider ¶
func NewTestCaseProvider() *TestCaseProvider
func (*TestCaseProvider) DescribeFeature ¶
func (p *TestCaseProvider) DescribeFeature(feature test_case.Feature) string
func (*TestCaseProvider) GetFeatures ¶
func (p *TestCaseProvider) GetFeatures() []test_case.Feature
func (*TestCaseProvider) GetSanityCheckTestCase ¶
func (p *TestCaseProvider) GetSanityCheckTestCase() (uint, error)
func (*TestCaseProvider) GetTestCase ¶
func (p *TestCaseProvider) GetTestCase(testCaseIdx uint) (test_case.TestCase, error)
func (*TestCaseProvider) GetTestCaseCount ¶
func (p *TestCaseProvider) GetTestCaseCount() (uint, error)
func (*TestCaseProvider) GetTestCasesForFeature ¶
func (p *TestCaseProvider) GetTestCasesForFeature(feature test_case.Feature) ([]uint, error)
func (*TestCaseProvider) Name ¶
func (p *TestCaseProvider) Name() string
type TrustGraph ¶
type TrustGraph struct {
// contains filtered or unexported fields
}
A TrustGraph is abstractly a directed graph (potentially with cycles). It represents the trust relationship between entities where are arrow represents a certificate signed by the source entity for the destination entity. A TrustGraph can also label some edges as "invalid" meaning that there is a certificate but it should be considered invalid, e.g. because it is expired.
func NewGraph ¶
func NewGraph(name string, edges []Edge) *TrustGraph
NewGraph creates a TrustGraph instance with the given edges, where all edges are considered valid
func (*TrustGraph) EdgeCount ¶
func (g *TrustGraph) EdgeCount() uint
EdgeCount returns the number of edges in the graph (including both valid and invalid edges)
func (*TrustGraph) GetAllEdges ¶
func (g *TrustGraph) GetAllEdges() []Edge
GetAllEdges returns the edges from this graph
func (*TrustGraph) Name ¶
func (g *TrustGraph) Name() string
func (*TrustGraph) NodeNames ¶
func (g *TrustGraph) NodeNames() []string
NodeNames returns a slice of all the names of nodes in the graph