revocation

package v0.2.1 (Latest)

This package is not in the latest version of its module.
Published: Mar 22, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package revocation provides pluggable revocation checking for Signet tokens.

Index

Constants

This section is empty.

Variables

var ErrBundleRollback = errors.New("revocation: bundle seqno decreased (rollback attack)")

ErrBundleRollback indicates a potential rollback attack.

var ErrBundleTooStale = errors.New("revocation: bundle too old, cannot verify freshness")

ErrBundleTooStale indicates that the CA bundle is too old to be trusted.

var ErrInvalidBundle = errors.New("revocation: bundle failed signature verification")

ErrInvalidBundle indicates that the CA bundle failed signature verification.

var ErrNotFound = errors.New("revocation: key not found")

ErrNotFound indicates that a key was not found in storage. It is typically returned on the first request, before any sequence number has been stored.

var ErrStorageCorrupted = errors.New("revocation: persistent storage HMAC verification failed")

ErrStorageCorrupted indicates that the persistent storage for the sequence number is corrupted.

Functions

This section is empty.

Types

type CABundleChecker

type CABundleChecker struct {
	// contains filtered or unexported fields
}

CABundleChecker implements SPIRE-model revocation via CA bundle rotation.

func NewCABundleChecker

func NewCABundleChecker(fetcher types.Fetcher, storage types.Storage, cache *cabundle.BundleCache, trustAnchor crypto.PublicKey) *CABundleChecker

NewCABundleChecker creates a new CABundleChecker with signature verification. The trustAnchor is the public key used to verify CA bundle signatures. This prevents attackers from serving fake bundles. Accepts any crypto.PublicKey (Ed25519, ML-DSA, etc.).

func (*CABundleChecker) IsRevoked

func (c *CABundleChecker) IsRevoked(ctx context.Context, token *signet.Token) (bool, error)

IsRevoked checks if a token is revoked following the SPIRE model. The check follows this sequence:

1. Fetch current CA bundle (cached with TTL)
2. Verify bundle signature to prevent fake bundles
3. Check monotonic sequence number (rollback protection)
4. Persist new sequence number immediately after validation
5. Check epoch-based revocation (full CA rotation)
6. Check key ID mismatch (CA key rotated)
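The following is an added, self-contained illustration of the check order described above; it is not the package's own code and does not use its types. It assumes a minimal bundle layout (sequence number, CA epoch, CA key ID, Ed25519 signature over those fields), a token carrying only an epoch and key ID, and an in-memory field standing in for the persisted sequence number. The scenario walks through an accepted bundle, a CA key rotation, a replayed older bundle (rejected as rollback) and a tampered bundle (rejected by signature verification).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Local copies of the sentinel errors the package documents (same messages).
var (
	errInvalidBundle  = errors.New("revocation: bundle failed signature verification")
	errBundleRollback = errors.New("revocation: bundle seqno decreased (rollback attack)")
)

// Bundle is a hypothetical, minimal CA bundle signed by the trust anchor.
type Bundle struct {
	Seqno uint64
	Epoch uint32
	KeyID string
	Sig   []byte
}

// signingInput serialises the signed fields (assumed layout, not the package's).
func (b Bundle) signingInput() []byte {
	buf := make([]byte, 12, 12+len(b.KeyID))
	binary.BigEndian.PutUint64(buf[0:8], b.Seqno)
	binary.BigEndian.PutUint32(buf[8:12], b.Epoch)
	return append(buf, b.KeyID...)
}

// Token holds only the fields the revocation checks need (assumed subset).
type Token struct {
	Epoch uint32
	KeyID string
}

// Checker keeps the trust anchor and the highest sequence number accepted so far.
// The real package persists the seqno through its Storage interface; here a field
// stands in for it. haveSeqno is false until the first bundle is accepted.
type Checker struct {
	trustAnchor ed25519.PublicKey
	lastSeqno   uint64
	haveSeqno   bool
}

// IsRevoked applies the documented order: signature, monotonic seqno,
// persist, epoch comparison, key ID comparison.
func (c *Checker) IsRevoked(b Bundle, tok Token) (bool, error) {
	// Verify the signature before trusting any field of the bundle.
	if !ed25519.Verify(c.trustAnchor, b.signingInput(), b.Sig) {
		return false, errInvalidBundle
	}
	// A correctly signed but older bundle is a replay: reject it so a
	// rotated-out CA cannot be "un-revoked". Equal seqno (cache re-read) is fine.
	if c.haveSeqno && b.Seqno < c.lastSeqno {
		return false, errBundleRollback
	}
	// Persist the accepted seqno immediately after validation.
	c.lastSeqno, c.haveSeqno = b.Seqno, true
	// Epoch-based revocation: a full CA rotation invalidates older epochs.
	if tok.Epoch < b.Epoch {
		return true, nil
	}
	// Key ID mismatch: the CA key rotated within the epoch.
	return tok.KeyID != b.KeyID, nil
}

// SignBundle stands in for the CA and signs the bundle with the anchor's private key.
func SignBundle(priv ed25519.PrivateKey, b Bundle) Bundle {
	b.Sig = ed25519.Sign(priv, b.signingInput())
	return b
}

// Scenario runs four constructed bundle fetches against one token and returns
// a label per step: "valid", "revoked", "rollback" or "invalid-sig".
func Scenario() ([]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c := &Checker{trustAnchor: pub}
	tok := Token{Epoch: 3, KeyID: "ca-key-7"} // constructed sample token
	var out []string
	record := func(revoked bool, err error) {
		switch {
		case errors.Is(err, errBundleRollback):
			out = append(out, "rollback")
		case errors.Is(err, errInvalidBundle):
			out = append(out, "invalid-sig")
		case err != nil:
			out = append(out, "error")
		case revoked:
			out = append(out, "revoked")
		default:
			out = append(out, "valid")
		}
	}
	record(c.IsRevoked(SignBundle(priv, Bundle{Seqno: 10, Epoch: 3, KeyID: "ca-key-7"}), tok)) // current CA
	record(c.IsRevoked(SignBundle(priv, Bundle{Seqno: 11, Epoch: 3, KeyID: "ca-key-8"}), tok)) // key rotated
	record(c.IsRevoked(SignBundle(priv, Bundle{Seqno: 10, Epoch: 3, KeyID: "ca-key-7"}), tok)) // replayed old bundle
	bad := SignBundle(priv, Bundle{Seqno: 12, Epoch: 3, KeyID: "ca-key-7"})
	bad.Seqno = 13 // field altered after signing
	record(c.IsRevoked(bad, tok))
	return out, nil
}

func main() {
	out, err := Scenario()
	fmt.Println(out, err)
}
```

Note that the replayed bundle in step three carries a valid signature; only the monotonic sequence-number check distinguishes it from a legitimate fetch, which is why the seqno must be persisted (and, in the package, HMAC-protected, per ErrStorageCorrupted) rather than kept only in the process.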

type Checker

type Checker interface {
	// IsRevoked checks if a token is revoked.
	IsRevoked(ctx context.Context, token *signet.Token) (bool, error)
}

Checker is the interface for checking if a token is revoked.
