Documentation
¶
Index ¶
- Constants
- Variables
- func GenerateCerts(rootCa *x509.Certificate, rootKey crypto.Signer, leafDnsName string, ...) (*tls.Certificate, error)
- type Edge
- type ExplicitTestCase
- type InvalidReason
- type StringSet
- type TestCaseImpl
- type TestCaseProvider
- func (p *TestCaseProvider) DescribeFeature(feature test_case.Feature) string
- func (p *TestCaseProvider) GetFeatures() []test_case.Feature
- func (p *TestCaseProvider) GetSanityCheckTestCase() (uint, error)
- func (p *TestCaseProvider) GetTestCase(testCaseIdx uint) (test_case.TestCase, error)
- func (p *TestCaseProvider) GetTestCaseCount() (uint, error)
- func (p *TestCaseProvider) GetTestCasesForFeature(feature test_case.Feature) ([]uint, error)
- func (p *TestCaseProvider) Name() string
- type TrustGraph
Constants ¶
View Source
const ( INVALID_REASON_UNSPECIFIED = iota INVALID_REASON_EXPIRED INVALID_REASON_NAME_CONSTRAINTS INVALID_REASON_BAD_EKU INVALID_REASON_MISSING_BASIC_CONSTRAINTS INVALID_REASON_NOT_A_CA INVALID_REASON_DEPRECATED_CRYPTO )
View Source
const ( SANITY_CHECK_TEST_CASE uint = iota BRANCHING_FEATURE_TEST_CASE_1 BRANCHING_FEATURE_TEST_CASE_2 FIRST_INVALID_REASON_TEST_CASE )
View Source
const FEATURE_BRANCHING = 0
Variables ¶
View Source
var ALL_TRUST_GRAPHS = []*TrustGraph{ TWO_ROOTS, LINEAR_TRUST_GRAPH, FIGURE_SEVEN, BRIDGE_CA_PKI, }
View Source
var BRIDGE_CA_PKI = NewGraph("BRIDGE_CA_PKI", []Edge{
{"F", "H"},
{"F", "G"},
{"G", "F"},
{"H", "I"},
{"I", "H"},
{"G", "I"},
{"TA W", "F"},
{"TA W", "G"},
{"J", "K"},
{"N", "EE"},
{"L", "N"},
{"L", "M"},
{"TA X", "J"},
{"TA X", "L"},
{"B", "E"},
{"B", "D"},
{"A", "B"},
{"C", "B"},
{"A", "C"},
{"C", "A"},
{"TA Y", "A"},
{"TA Y", "C"},
{"R", "S"},
{"O", "R"},
{"O", "Q"},
{"P", "S"},
{"TA Z", "O"},
{"TA Z", "P"},
{"TA W", "Bridge CA"},
{"Bridge CA", "TA W"},
{"TA X", "Bridge CA"},
{"Bridge CA", "TA X"},
{"TA Y", "Bridge CA"},
{"Bridge CA", "TA Y"},
{"TA Z", "Bridge CA"},
{"Bridge CA", "TA Z"},
})
https://datatracker.ietf.org/doc/html/rfc4158#section-2.4
+---+ +---+
| F |--->| H |
+---+ +---+
^ ^ ^
| \ \
| \ \
| v v
| +---+ +---+
| | G |--->| I |
| +---+ +---+
| ^
| /
| /
+------+ +-----------+ +------+ +---+ +---+
| TA W |<----->| Bridge CA |<------>| TA X |-->| L |-->| M |
+------+ +-----------+ +------+ +---+ +---+
^ ^ \ \
/ \ \ \
/ \ \ \
v v v v
+------+ +------+ +---+ +---+
| TA Y | | TA Z | | J | | N |
+------+ +------+ +---+ +---+
/ \ / \ | |
/ \ / \ | |
/ \ / \ v v
v v v v +---+ +----+
+---+ +---+ +---+ +---+ | K | | EE |
| A |<--->| C | | O | | P | +---+ +----+
+---+ +---+ +---+ +---+
\ / / \ \
\ / / \ \
\ / v v v
v v +---+ +---+ +---+
+---+ | Q | | R | | S |
| B | +---+ +---+ +---+
+---+ |
/\ |
/ \ |
v v v
+---+ +---+ +---+
| E | | D | | T |
+---+ +---+ +---+
View Source
var EXPLICIT_TEST_CASES = []*ExplicitTestCase{ { TrustGraph: LINEAR_TRUST_GRAPH, SrcNode: "Trust Anchor", DstNode: "EE", Comment: "The most basic linear chain.", }, { TrustGraph: LINEAR_TRUST_GRAPH, SrcNode: "Trust Anchor", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "ICA"}}, ExpectFailure: true, Comment: "The most basic linear chain, broken by an expired ICA.", }, { TrustGraph: LINEAR_TRUST_GRAPH, SrcNode: "ICA", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "ICA"}}, Comment: "ICA is trusted directly, so the expired TA => ICA cert should not cause validation to fail.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root1", DstNode: "EE", Comment: "Should be able to discover a path to either root.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root2", DstNode: "EE", Comment: "Should be able to discover a path to either root.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root1", DstNode: "EE", InvalidEdges: []Edge{{"Root2", "ICA"}}, Comment: "Should be able to discover a path when alternate root is invalid.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root2", DstNode: "EE", InvalidEdges: []Edge{{"Root1", "ICA"}}, Comment: "Should be able to discover a path when alternate root is invalid.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root1", DstNode: "EE", InvalidEdges: []Edge{{"Root1", "ICA"}}, ExpectFailure: true, Comment: "Should not be able to find a path when only trusted root is invalid.", }, { TrustGraph: TWO_ROOTS, SrcNode: "Root2", DstNode: "EE", InvalidEdges: []Edge{{"Root2", "ICA"}}, ExpectFailure: true, Comment: "Should not be able to find a path when only trusted root is invalid.", }, { TrustGraph: FIGURE_SEVEN, SrcNode: "Trust Anchor", DstNode: "EE", Comment: "Should be able to find a path through a more complicated tree.", }, { TrustGraph: FIGURE_SEVEN, SrcNode: "Trust Anchor", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "C"}, {"A", "B"}}, Comment: "Should be able to find an alternate path through a more complicated tree.", }, { TrustGraph: FIGURE_SEVEN, SrcNode: "Trust Anchor", DstNode: "EE", InvalidEdges: []Edge{{"Trust Anchor", "A"}, {"C", "B"}}, Comment: "Should be able to find an alternate path through a more complicated tree.", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "D", Comment: "RFC 4158, section 2.3", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", Comment: "RFC 4158, section 2.4.2", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", InvalidEdges: []Edge{{"TA X", "Bridge CA"}}, Comment: "Irrelevant expired cross-signed cert", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", InvalidEdges: []Edge{{"Bridge CA", "TA X"}}, ExpectFailure: true, Comment: "Certificate from bridge CA into infrastructure X is invalid.", }, { TrustGraph: BRIDGE_CA_PKI, SrcNode: "TA Z", DstNode: "EE", InvalidEdges: []Edge{{"TA Z", "Bridge CA"}}, ExpectFailure: true, Comment: "Certificate from infrastructure Z to bridge CA is invalid.", }, }
View Source
var FIGURE_SEVEN = NewGraph("FIGURE_SEVEN", []Edge{
{"B", "EE"},
{"C", "B"},
{"A", "B"},
{"C", "A"},
{"A", "C"},
{"Trust Anchor", "C"},
{"Trust Anchor", "A"},
})
https://datatracker.ietf.org/doc/html/rfc4158#section-2.3
+---------+
| Trust |
| Anchor |
+---------+
| |
v v
+---+ +---+
| A |<-->| C |
+---+ +---+
| |
| +---+ |
+->| B |<-+
+---+
|
v
+----+
| EE |
+----+
View Source
var LINEAR_TRUST_GRAPH = NewGraph("LINEAR_TRUST_GRAPH", []Edge{
{"ICA", "EE"},
{"Trust Anchor", "ICA"},
})
View Source
var TWO_ROOTS = NewGraph("TWO_ROOTS", []Edge{
{"ICA", "EE"},
{"Root1", "ICA"},
{"Root2", "ICA"},
})
Functions ¶
func GenerateCerts ¶
func GenerateCerts(rootCa *x509.Certificate, rootKey crypto.Signer, leafDnsName string, testCase *TestCaseImpl) (*tls.Certificate, error)
Types ¶
type ExplicitTestCase ¶
type ExplicitTestCase struct {
// A trust graph, as defined in trust_graph.go
TrustGraph *TrustGraph
// The source (trust anchor) the client will trust in this test case
SrcNode string
// The destination entity which will create the leaf certificate the client needs to verify
DstNode string
// Edges from the trust graph that will be made invalid (e.g. expired) in the test case
InvalidEdges []Edge
// The reason that the above-listed edges will be invalid, such as expired or bad EKU constraints. If unspecified
// and there are non-zero invalid edges, this test case is a "meta" test case that will be expanded to include
// all supported invalid reasons
InvalidReason InvalidReason
// Whether it is expected that the client will fail to be able to build a trust path
ExpectFailure bool
// An optional comment, explaining what the test is and/or why a client be able to succeed/fail at building the
// trust path.
Comment string
}
type InvalidReason ¶
type InvalidReason int
func InvalidReasonFromString ¶
func InvalidReasonFromString(s string) InvalidReason
func InvalidReasons ¶
func InvalidReasons() []InvalidReason
func (InvalidReason) String ¶
func (r InvalidReason) String() string
type StringSet ¶
type StringSet struct {
// contains filtered or unexported fields
}
func NewStringSet ¶
func NewStringSet() *StringSet
type TestCaseImpl ¶
type TestCaseImpl struct {
ExplicitTestCase *ExplicitTestCase
InvalidReason InvalidReason
}
func (*TestCaseImpl) ExpectedResult ¶
func (p *TestCaseImpl) ExpectedResult() test_case.ExpectedResult
func (*TestCaseImpl) GetCertificates ¶
func (p *TestCaseImpl) GetCertificates(rootCert *x509.Certificate, rootKey crypto.Signer) (*tls.Certificate, error)
func (*TestCaseImpl) GetHostname ¶
func (p *TestCaseImpl) GetHostname() string
func (*TestCaseImpl) RequiredFeatures ¶
func (p *TestCaseImpl) RequiredFeatures() []test_case.Feature
type TestCaseProvider ¶
type TestCaseProvider struct {
// contains filtered or unexported fields
}
func NewTestCaseProvider ¶
func NewTestCaseProvider() *TestCaseProvider
func (*TestCaseProvider) DescribeFeature ¶
func (p *TestCaseProvider) DescribeFeature(feature test_case.Feature) string
func (*TestCaseProvider) GetFeatures ¶
func (p *TestCaseProvider) GetFeatures() []test_case.Feature
func (*TestCaseProvider) GetSanityCheckTestCase ¶
func (p *TestCaseProvider) GetSanityCheckTestCase() (uint, error)
func (*TestCaseProvider) GetTestCase ¶
func (p *TestCaseProvider) GetTestCase(testCaseIdx uint) (test_case.TestCase, error)
func (*TestCaseProvider) GetTestCaseCount ¶
func (p *TestCaseProvider) GetTestCaseCount() (uint, error)
func (*TestCaseProvider) GetTestCasesForFeature ¶
func (p *TestCaseProvider) GetTestCasesForFeature(feature test_case.Feature) ([]uint, error)
func (*TestCaseProvider) Name ¶
func (p *TestCaseProvider) Name() string
type TrustGraph ¶
type TrustGraph struct {
// contains filtered or unexported fields
}
A TrustGraph is abstractly a directed graph (potentially with cycles). It represents the trust relationship between entities where are arrow represents a certificate signed by the source entity for the destination entity. A TrustGraph can also label some edges as "invalid" meaning that there is a certificate but it should be considered invalid, e.g. because it is expired.
func NewGraph ¶
func NewGraph(name string, edges []Edge) *TrustGraph
NewGraph creates a TrustGraph instance with the given edges, where all edges are considered valid
func (*TrustGraph) EdgeCount ¶
func (g *TrustGraph) EdgeCount() uint
EdgeCount returns the number of edges in the graph (including both valid and invalid edges)
func (*TrustGraph) GetAllEdges ¶
func (g *TrustGraph) GetAllEdges() []Edge
GetAllEdges returns the edges from this graph
func (*TrustGraph) Name ¶
func (g *TrustGraph) Name() string
func (*TrustGraph) NodeNames ¶
func (g *TrustGraph) NodeNames() []string
NodeNames returns a slice of all the names of nodes in the graph
Source Files
Click to show internal directories.
Click to hide internal directories.