pki

Constants

// Error classes carried in CertificateError.EType and ResourceError.EType
// (presumably — EType is a plain int, so confirm against the constructors).
// Values come from iota, so the order of this block is part of the exported
// API; the ALL_CAPS names are non-idiomatic Go but cannot be renamed without
// breaking importers. The constructor each value is presumably produced by
// is noted on the right — verify in the implementation.
const (
	ERROR_CERTIFICATE_UNKNOWN    = iota // 0: unclassified certificate error
	ERROR_CERTIFICATE_EXPIRATION        // validity period violated (NewCertificateErrorValidity)
	ERROR_CERTIFICATE_PARENT            // does not chain to its issuer (NewCertificateErrorParent)
	ERROR_CERTIFICATE_REVOCATION        // listed in a CRL (NewCertificateErrorRevocation)
	ERROR_CERTIFICATE_RESOURCE          // IP/AS resources not covered by the parent (NewCertificateErrorResource)
	ERROR_CERTIFICATE_CONFLICT          // clashes with another certificate (NewCertificateErrorConflict)
	ERROR_FILE                          // file could not be read or parsed (NewFileError)
	ERROR_CERTIFICATE_MANIFEST          // invalidated through its manifest (NewCertificateErrorManifestRevocation)
	ERROR_CERTIFICATE_HASH              // fetched bytes do not match the manifest hash (NewResourceErrorHash)
	ERROR_CERTIFICATE_CRL               // invalidated through its CRL (NewCertificateErrorCRLRevocation)
)
// Object types stored in PKIFile.Type and Resource.Type (both plain ints).
// TypeToName gives the display name of each value, and DetermineType(path)
// presumably derives one of these from a file path. Values come from iota,
// so the order is part of the exported API.
const (
	TYPE_UNKNOWN = iota // "unknown": type could not be determined
	TYPE_CER            // "certificate": RPKI resource certificate
	TYPE_MFT            // "manifest": RPKI manifest
	TYPE_ROA            // "roa": route origin authorization
	TYPE_CRL            // "crl": certificate revocation list
	TYPE_ROACER         // "roa-ee": end-entity certificate embedded in a ROA
	TYPE_MFTCER         // "manifest-ee": end-entity certificate embedded in a manifest
	TYPE_CAREPO         // "ca-repo": CA repository (publication point)
	TYPE_TAL            // "tal": trust anchor locator
)

Variables

var (
	// Access-method OIDs from the RPKI certificate profile (RFC 6487, §4.8.8):
	// id-ad-caRepository and id-ad-rpkiManifest. In a certificate's SIA
	// extension they locate the CA's publication point and its manifest.
	CARepository = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 5}
	Manifest     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 10}

	// TypeToName maps every TYPE_* constant to a short display name; all
	// nine constants have an entry, so a lookup of a valid type never misses.
	// It is an exported, mutable map — importers can alter it at runtime —
	// so treat it as read-only by convention.
	TypeToName = map[int]string{
		TYPE_UNKNOWN: "unknown",
		TYPE_CER:     "certificate",
		TYPE_MFT:     "manifest",
		TYPE_ROA:     "roa",
		TYPE_CRL:     "crl",
		TYPE_ROACER:  "roa-ee",
		TYPE_MFTCER:  "manifest-ee",
		TYPE_CAREPO:  "ca-repo",
		TYPE_TAL:     "tal",
	}
)

Functions

func DetermineType

func DetermineType(path string) int

Types

type CallbackExplore

// CallbackExplore is the per-file callback handed to FileSeeker.GetRepository.
// Its shape matches SimpleManager.ExploreAdd(file, data, addInvalidChilds), so
// the bool is presumably addInvalidChilds — confirm against the caller.
type CallbackExplore func(*PKIFile, *SeekFile, bool)

type CertificateError added in v1.2.0

// CertificateError describes a certificate that failed validation. The
// NewCertificateError* constructors each fill a subset of the fields below;
// AddFileErrorInfo attaches File/SeekFile afterwards, and SetSentryScope and
// StackTrace expose the error to Sentry.
type CertificateError struct {
	EType int // one of the ERROR_CERTIFICATE_* constants (presumably — plain int)

	InnerErr error  // underlying error when one triggered this (the Parent/Validity/Revocation constructors take one)
	Message  string // human-readable description; presumably what Error() returns — confirm

	Certificate *librpki.RPKICertificate // the certificate being reported
	Conflict    *librpki.RPKICertificate // set by NewCertificateErrorConflict: the certificate it clashes with
	Parent      *librpki.RPKICertificate // set by NewCertificateErrorParent: the issuer it was checked against

	IPs  []librpki.IPCertificateInformation  // set by NewCertificateErrorResource: the IP resources involved
	ASNs []librpki.ASNCertificateInformation // set by NewCertificateErrorResource: the AS resources involved

	Stack *stack // call stack, presumably captured at construction; rendered by StackTrace()

	File     *PKIFile  // set by AddFileErrorInfo: the file being processed
	SeekFile *SeekFile // set by AddFileErrorInfo: its fetched contents

	InnerFile *PKIFile // presumably the manifest/CRL file that caused the invalidation (see the *Revocation constructors' fileMft/fileCrl) — confirm
}

func NewCertificateErrorCRLRevocation added in v1.2.0

func NewCertificateErrorCRLRevocation(cert *librpki.RPKICertificate, err error, fileCrl *PKIFile, fileAffected *PKIFile) *CertificateError

func NewCertificateErrorConflict added in v1.2.0

func NewCertificateErrorConflict(cert *librpki.RPKICertificate, conflict *librpki.RPKICertificate) *CertificateError

func NewCertificateErrorManifestRevocation added in v1.2.0

func NewCertificateErrorManifestRevocation(cert *librpki.RPKICertificate, err error, fileMft *PKIFile, fileAffected *PKIFile) *CertificateError

func NewCertificateErrorParent added in v1.2.0

func NewCertificateErrorParent(cert, parent *librpki.RPKICertificate, err error) *CertificateError

func NewCertificateErrorResource added in v1.2.0

func NewCertificateErrorResource(cert *librpki.RPKICertificate, ips []librpki.IPCertificateInformation, asns []librpki.ASNCertificateInformation) *CertificateError

func NewCertificateErrorRevocation added in v1.2.0

func NewCertificateErrorRevocation(cert *librpki.RPKICertificate) *CertificateError

func NewCertificateErrorValidity added in v1.2.0

func NewCertificateErrorValidity(cert *librpki.RPKICertificate, err error) *CertificateError

func (*CertificateError) AddFileErrorInfo added in v1.2.0

func (e *CertificateError) AddFileErrorInfo(file *PKIFile, seek *SeekFile)

func (*CertificateError) Error added in v1.2.0

func (e *CertificateError) Error() string

func (*CertificateError) SetSentryScope added in v1.2.0

func (e *CertificateError) SetSentryScope(scope *sentry.Scope)

func (*CertificateError) StackTrace added in v1.2.0

func (e *CertificateError) StackTrace() []Frame

type FileError added in v1.2.0

// FileError reports a problem with a file itself (presumably reading or
// parsing; see ERROR_FILE) rather than a validation failure. It reuses
// CertificateError's underlying struct, but as a distinct named type it does
// not inherit CertificateError's methods — which is why Error, StackTrace,
// SetSentryScope and AddFileErrorInfo are declared again on *FileError.
// Construct with NewFileError.
type FileError CertificateError

func NewFileError added in v1.2.0

func NewFileError(err error) *FileError

func (*FileError) AddFileErrorInfo added in v1.2.0

func (e *FileError) AddFileErrorInfo(file *PKIFile, seek *SeekFile)

func (*FileError) Error added in v1.2.0

func (e *FileError) Error() string

func (*FileError) SetSentryScope added in v1.2.0

func (e *FileError) SetSentryScope(scope *sentry.Scope)

func (*FileError) StackTrace added in v1.2.0

func (e *FileError) StackTrace() []Frame

type FileSeeker

// FileSeeker abstracts where RPKI objects come from (e.g. a local cache or a
// remote fetch) so SimpleManager can be driven by any fetcher. Implementations
// sit at the trust boundary: whatever they return is untrusted input until the
// Validator has checked it, so they should only fetch, never decide validity.
type FileSeeker interface {
	// GetFile returns the contents of one file as a SeekFile.
	GetFile(*PKIFile) (*SeekFile, error)
	// GetRepository walks the repository the file refers to, invoking the
	// callback for each file found (presumably — the contract is not visible
	// here; confirm in the implementation).
	GetRepository(*PKIFile, CallbackExplore) error
}

type Frame added in v1.2.0

// Frame is one program counter of a captured stack. The uintptr
// representation and the name follow sentry-go's stacktrace.go so that
// StackTrace() output can be consumed by Sentry.
type Frame uintptr

func StackTrace added in v1.2.0

func StackTrace(s *stack) []Frame

Returns the stack trace of the error. The naming scheme matches what Sentry fetches: https://github.com/getsentry/sentry-go/blob/master/stacktrace.go#L49

type Log

// Log is the minimal printf-style logger SimpleManager writes to. Any logger
// with these four methods (a logrus logger, for instance) satisfies it.
type Log interface {
	Debugf(string, ...interface{})
	Printf(string, ...interface{})
	Errorf(string, ...interface{})
	Warnf(string, ...interface{})
}

type PKIFile

// PKIFile identifies one object in the repository tree that is to be fetched
// and validated: it is what FileSeeker fetches and what Validator.Add* returns
// as the next set of files to explore.
type PKIFile struct {
	Parent *PKIFile // object this one was discovered from; presumably nil for a root (TAL)
	Repo   string   // repository the file belongs to
	Path   string   // location within Repo; ComputePath presumably combines the two
	Type   int      // one of the TYPE_* constants
	Trust  bool     // presumably true for a trust anchor — mirrors the trust flag of Validator.AddCert

	ManifestHash []byte // hash the listing manifest gives for this file, to be compared with SeekFile.Sha256 (presumably; see NewResourceErrorHash)
}

func ExtractPathCert

func ExtractPathCert(cert *librpki.RPKICertificate) []*PKIFile

func ExtractPathManifest

func ExtractPathManifest(mft *librpki.RPKIManifest) ([]*PKIFile, error)

Returns the list of files listed in the manifest.

func (*PKIFile) ComputePath

func (f *PKIFile) ComputePath() string

type Resource

// Resource is a node of the object tree kept by Validator; ObjectToResource
// wraps a decoded object into one.
type Resource struct {
	Type     int         // one of the TYPE_* constants
	Parent   *Resource   // issuing or listing object; presumably nil for a TAL
	File     *PKIFile    // where the object came from
	Resource interface{} // the decoded object, of whichever type ObjectToResource accepted (the Validator.Add* signatures show certificates, manifests, ROAs, CRLs and TALs)
	Childs   []*Resource // objects issued by or listed under this one

	CertTALValid bool // currently used for TALs: indicates the child is valid and does not need to be fetched again
}

func ObjectToResource

func ObjectToResource(data interface{}) *Resource

func (*Resource) GetIdentifier

func (res *Resource) GetIdentifier() (bool, []byte)

type ResourceError added in v1.2.0

// ResourceError reports a problem with an object that is not itself a
// certificate failure: a hash mismatch (NewResourceErrorHash) or an error
// wrapping another object (NewResourceErrorWrap). Like CertificateError it
// carries a stack and optional file context for Sentry.
type ResourceError struct {
	EType         int    // one of the ERROR_* constants (presumably ERROR_CERTIFICATE_HASH for hash errors)
	InnerValidity bool   // meaning not visible here — presumably whether the wrapped object was otherwise valid; confirm
	InnerErr      error  // the error passed to NewResourceErrorWrap
	Message       string // human-readable description

	Wrapper interface{} // the object passed to NewResourceErrorWrap

	Stack *stack // call stack, presumably captured at construction; rendered by StackTrace()

	File     *PKIFile  // set by AddFileErrorInfo
	SeekFile *SeekFile // set by AddFileErrorInfo
}

func NewResourceErrorHash added in v1.2.0

func NewResourceErrorHash(hashFile, hashExpected []byte) *ResourceError

func NewResourceErrorWrap added in v1.2.0

func NewResourceErrorWrap(wrapper interface{}, err error) *ResourceError

func (*ResourceError) AddFileErrorInfo added in v1.2.0

func (e *ResourceError) AddFileErrorInfo(file *PKIFile, seek *SeekFile)

func (*ResourceError) Error added in v1.2.0

func (e *ResourceError) Error() string

func (*ResourceError) SetSentryScope added in v1.2.0

func (e *ResourceError) SetSentryScope(scope *sentry.Scope)

func (*ResourceError) StackTrace added in v1.2.0

func (e *ResourceError) StackTrace() []Frame

type SeekFile

// SeekFile is the fetched contents of a PKIFile, as returned by
// FileSeeker.GetFile.
type SeekFile struct {
	Repo   string // repository the bytes were fetched from
	File   string // path within Repo
	Data   []byte // raw object bytes, still unvalidated
	Sha256 []byte // SHA-256 of Data, presumably computed by the seeker; compared with PKIFile.ManifestHash, a mismatch being reported via NewResourceErrorHash — confirm which side computes and which enforces
}

type SimpleManager

// SimpleManager drives exploration of a repository tree: it keeps a queue of
// files to visit, fetches them through FileSeeker, hands them to Validator and
// optionally reports errors on a channel. Construct with NewSimpleManager and
// call Close when done.
type SimpleManager struct {
	PathOfResource  map[*Resource]*PKIFile // resource -> file it was loaded from
	ResourceOfPath  map[*PKIFile]*Resource // inverse of PathOfResource
	ToExplore       []*PKIFile             // pending queue, consumed by GetNextExplore
	FileSeeker      FileSeeker             // source of file contents
	Validator       *Validator             // receives every fetched object
	Explored        map[string]bool        // files already visited, keyed by path (presumably ComputePath)
	ToExploreUnique map[string]bool        // files currently queued, so one is not queued twice
	Log             Log

	ReportErrors bool       // when true, validation errors are also sent on Errors
	Errors       chan error // receives errors when ReportErrors is set; its buffering is decided in NewSimpleManager — if it is unbuffered and nobody drains it, exploration would block, so confirm before enabling ReportErrors

	StrictManifests bool // presumably treats manifest problems as invalidating the listed files (compare Explore's addInvalidChilds) — confirm
	StrictHash      bool // presumably rejects files whose Sha256 differs from ManifestHash — confirm
}

func NewSimpleManager

func NewSimpleManager() *SimpleManager

func (*SimpleManager) AddInitial

func (sm *SimpleManager) AddInitial(fileList []*PKIFile)

func (*SimpleManager) Close added in v1.2.0

func (sm *SimpleManager) Close()

func (*SimpleManager) Explore

func (sm *SimpleManager) Explore(notMFT bool, addInvalidChilds bool) int

addInvalidChilds is a strict mode, motivated by a situation seen at LACNIC with manifests that have a short expiration date: the certificate can still be valid while its discovery path is not.

func (*SimpleManager) ExploreAdd

func (sm *SimpleManager) ExploreAdd(file *PKIFile, data *SeekFile, addInvalidChilds bool)

func (*SimpleManager) GetNextExplore

func (sm *SimpleManager) GetNextExplore() (*PKIFile, bool, error)

func (*SimpleManager) GetNextFile

func (sm *SimpleManager) GetNextFile(curExplore *PKIFile) (*SeekFile, error)

func (*SimpleManager) GetNextRepository

func (sm *SimpleManager) GetNextRepository(curExplore *PKIFile, callback CallbackExplore) error

func (*SimpleManager) HasMore

func (sm *SimpleManager) HasMore() bool

func (*SimpleManager) InvalidateCRLParent added in v1.2.0

func (sm *SimpleManager) InvalidateCRLParent(file *PKIFile, crlError error)

func (*SimpleManager) InvalidateManifestParent added in v1.2.0

func (sm *SimpleManager) InvalidateManifestParent(file *PKIFile, mftError error)

Given a file, invalidates the parent certificate of the manifest in which the file is listed.

func (*SimpleManager) PutFiles

func (sm *SimpleManager) PutFiles(fileList []*PKIFile)

type Validator

// Validator holds the state of RPKI validation: every decoded object, indexed
// several ways, plus the subset found valid (the Valid* maps, presumably the
// ones that passed the Validate* methods). It has no lock of its own, so
// concurrent use would need external synchronization. Construct with
// NewValidator.
type Validator struct {
	TALs map[string]*Resource // trust anchors (key not visible here — presumably path)

	// Key by SubjectKeyIdentifier
	ValidObjects map[string]*Resource // certificates that passed validation
	Objects      map[string]*Resource // every certificate seen, valid or not

	// Key by path
	ObjectsPath map[string]*Resource

	CertsSerial map[string]*Resource // certificates by serial number (presumably — the key CRLs reference)
	Revoked     map[string]bool      // serials listed in an accepted CRL (presumably; consulted by InvalidateObject / ValidateCertificate — confirm)

	// Key by parent certificate
	ValidCRL map[string]*Resource
	CRL      map[string]*Resource

	// Key by parent certificate
	ValidROA map[string]*Resource // Make sure EE certificates are unique for a ROA
	ROA      map[string]*Resource

	// Key by parent certificate
	ValidManifest map[string]*Resource // Make sure EE certificates are unique for a manifest (the original comment said "ROA", apparently copied from ValidROA)
	Manifest      map[string]*Resource

	DecoderConfig *librpki.DecoderConfig // passed to librpki when decoding objects (presumably)

	Time time.Time // reference time for validity-period checks (presumably); a zero value would make expiry checks meaningless, so confirm NewValidator sets it
}

func NewValidator

func NewValidator() *Validator

func (*Validator) AddCRL

func (v *Validator) AddCRL(crl *pkix.CertificateList) (bool, *Resource, error)

func (*Validator) AddCert

func (v *Validator) AddCert(cert *librpki.RPKICertificate, trust bool) (bool, []*PKIFile, *Resource, error)

func (*Validator) AddManifest

func (v *Validator) AddManifest(pkifile *PKIFile, mft *librpki.RPKIManifest) (bool, []*PKIFile, *Resource, error)

func (*Validator) AddROA

func (v *Validator) AddROA(pkifile *PKIFile, roa *librpki.RPKIROA) (bool, *Resource, error)

func (*Validator) AddResource

func (v *Validator) AddResource(pkifile *PKIFile, data []byte) (bool, []*PKIFile, *Resource, error)

func (*Validator) AddTAL

func (v *Validator) AddTAL(tal *librpki.RPKITAL) ([]*PKIFile, *Resource, error)

func (*Validator) GetRepositories

func (v *Validator) GetRepositories()

func (*Validator) GetValidROAs

func (v *Validator) GetValidROAs()

func (*Validator) InvalidateObject

func (v *Validator) InvalidateObject(keyid []byte)

func (*Validator) ValidateCertificate

func (v *Validator) ValidateCertificate(cert *librpki.RPKICertificate, trust bool) error

func (*Validator) ValidateROA

func (v *Validator) ValidateROA(roa *librpki.RPKIROA) error
