Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type ChainQuery
type ChainQuery struct {
// IA is the ISD-AS identifier that must be part of the AS certificate's
// subject.
IA addr.IA
// SubjectKeyID identifies the subject key that the AS certificate must
// authenticate.
SubjectKeyID []byte
// Validity is the validity period of the chain. A certificate c fulfills
// the validity requirement if c.not_before <= Validity.not_before and
// c.not_after >= Validity.not_after.
Validity cppki.Validity
}
ChainQuery identifies a set of chains that need to be looked up.
func (ChainQuery) MarshalJSON
func (q ChainQuery) MarshalJSON() ([]byte, error)
MarshalJSON marshals the chain query for well-formatted log output.
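The validity rule in the ChainQuery doc comment (c.not_before <= Validity.not_before and c.not_after >= Validity.not_after) is worked through below as an added Go example; it is not code from the SCION trust package. It assumes a Validity stand-in for cppki.Validity with NotBefore/NotAfter fields, applies the rule to crypto/x509 certificates, and filters constructed self-signed sample chains by subject key ID and validity. Validity, Covers, MatchChains, newSelfSignedCert and SampleMatchCount are this example's own names, and the IA check on the certificate subject is left out because addr.IA is not available outside the project.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity stands in for cppki.Validity; this example assumes it carries a
// NotBefore/NotAfter pair and does not import the SCION packages.
type Validity struct {
	NotBefore time.Time
	NotAfter  time.Time
}

// Covers applies the rule from the ChainQuery doc: c fulfills the validity
// requirement iff c.NotBefore <= v.NotBefore and c.NotAfter >= v.NotAfter,
// i.e. c is valid during the whole requested window, not just at one instant.
func Covers(c *x509.Certificate, v Validity) bool {
	return !c.NotBefore.After(v.NotBefore) && !c.NotAfter.Before(v.NotAfter)
}

// MatchChains keeps the chains whose leaf (index 0) carries the requested
// SubjectKeyID and covers the requested validity window. The IA check on the
// subject is omitted because addr.IA is not available in this example.
func MatchChains(chains [][]*x509.Certificate, skid []byte, v Validity) [][]*x509.Certificate {
	var matched [][]*x509.Certificate
	for _, chain := range chains {
		if len(chain) == 0 {
			continue
		}
		leaf := chain[0]
		if bytes.Equal(leaf.SubjectKeyId, skid) && Covers(leaf, v) {
			matched = append(matched, chain)
		}
	}
	return matched
}

// newSelfSignedCert builds a constructed sample certificate with the given
// subject key ID and validity period; it stands in for an AS certificate.
func newSelfSignedCert(skid []byte, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed AS certificate"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		SubjectKeyId: skid,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleMatchCount builds three constructed single-certificate chains and
// counts those matching a query for key ID "key-a" over all of February 2024:
// one covers the window, one expires mid-window, one has another key ID.
func SampleMatchCount() (int, error) {
	utc := func(m time.Month, d int) time.Time { return time.Date(2024, m, d, 0, 0, 0, 0, time.UTC) }
	query := Validity{NotBefore: utc(time.February, 1), NotAfter: utc(time.February, 29)}
	specs := []struct {
		skid   string
		nb, na time.Time
	}{
		{"key-a", utc(time.January, 1), utc(time.December, 31)},
		{"key-a", utc(time.February, 1), utc(time.February, 15)},
		{"key-b", utc(time.January, 1), utc(time.December, 31)},
	}
	var chains [][]*x509.Certificate
	for _, s := range specs {
		c, err := newSelfSignedCert([]byte(s.skid), s.nb, s.na)
		if err != nil {
			return 0, err
		}
		chains = append(chains, []*x509.Certificate{c})
	}
	return len(MatchChains(chains, []byte("key-a"), query)), nil
}

func main() {
	n, err := SampleMatchCount()
	if err != nil {
		panic(err)
	}
	fmt.Println("matching chains:", n) // prints 1
}
```

The point the rule encodes: a chain that merely happens to be valid at the moment of the lookup does not satisfy the query; it must be valid for the entire requested window, which is why the certificate expiring on 15 February is rejected even though it is valid when the query starts.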
type DB
type DB interface {
// Chains looks up all chains that match the query.
Chains(context.Context, ChainQuery) ([][]*x509.Certificate, error)
// InsertChain inserts the given chain.
InsertChain(context.Context, []*x509.Certificate) (bool, error)
// SignedTRC looks up the TRC identified by the id.
SignedTRC(ctx context.Context, id cppki.TRCID) (cppki.SignedTRC, error)
// InsertTRC inserts the given TRC. Returns true if the TRC was not yet in
// the DB.
InsertTRC(ctx context.Context, trc cppki.SignedTRC) (bool, error)
Close() error
}
DB is the database interface for trust material.
type Option
type Option func(o *options)
Option is a function that sets an option.
func AllowInactive
func AllowInactive() Option
AllowInactive allows chains that are verifiable with TRCs that are no longer active.
type Provider
type Provider interface {
// NotifyTRC notifies a provider of the existence of a TRC. When signature
// metadata is received that contains a base and serial number, this method
// should be invoked.
NotifyTRC(context.Context, cppki.TRCID, ...Option) error
// GetChains returns certificate chains that match the chain query. If no
// chain is locally available, the provider can resolve them over the
// network. By default, the provider only returns certificate chains that
// are verifiable with the currently active TRCs. To configure the behavior,
// options can be provided.
GetChains(context.Context, ChainQuery, ...Option) ([][]*x509.Certificate, error)
// GetSignedTRC returns the TRC with the given ID. If the TRC is not
// available, the provider can resolve it over the network.
GetSignedTRC(context.Context, cppki.TRCID, ...Option) (cppki.SignedTRC, error)
}
Provider provides crypto material. A crypto provider can spawn network requests if necessary and permitted.
type Signer
type Signer struct {
PrivateKey crypto.Signer
Algorithm signed.SignatureAlgorithm
IA addr.IA
Subject pkix.Name
Chain []*x509.Certificate
SubjectKeyID []byte
Expiration time.Time
TRCID cppki.TRCID
ChainValidity cppki.Validity
InGrace bool
}
Signer is used to sign control plane messages with the AS private key.
func (Signer) Sign
func (s Signer) Sign(ctx context.Context, msg []byte, associatedData ...[]byte) (*cryptopb.SignedMessage, error)
Sign signs the message with the associated data and returns a SignedMessage protobuf payload. The associated data is not included in the header or body of the signed message.
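The property stated above, that the associated data is covered by the signature but not carried in the signed message, is illustrated below as an added Go example; it is not the project's signed package, and the length-prefixed framing of message and associated data is this example's own choice rather than the project's encoding. SignedMessage, signInput, Sign, Verify and Demo are the example's own names; it uses ECDSA P-256 over SHA-256 from the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedMessage is a constructed stand-in for the SignedMessage payload: it
// carries body and signature, but no copy of the associated data.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// signInput builds the bytes that are signed. Each item is length-prefixed so
// that message and associated data cannot be re-split into a different valid
// pair (e.g. "ab"+"c" versus "a"+"bc"). This framing is this example's own
// choice, not the encoding used by the project's signed package.
func signInput(msg []byte, associatedData [][]byte) []byte {
	var buf []byte
	appendItem := func(b []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		buf = append(buf, n[:]...)
		buf = append(buf, b...)
	}
	appendItem(msg)
	for _, ad := range associatedData {
		appendItem(ad)
	}
	return buf
}

// Sign has the shape of Signer.Sign: the associated data is covered by the
// signature but does not appear in the returned payload.
func Sign(key *ecdsa.PrivateKey, msg []byte, associatedData ...[]byte) (*SignedMessage, error) {
	digest := sha256.Sum256(signInput(msg, associatedData))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Body: msg, Signature: sig}, nil
}

// Verify succeeds only if the verifier reconstructs exactly the associated
// data the signer used; the payload alone is not enough.
func Verify(pub *ecdsa.PublicKey, sm *SignedMessage, associatedData ...[]byte) bool {
	digest := sha256.Sum256(signInput(sm.Body, associatedData))
	return ecdsa.VerifyASN1(pub, digest[:], sm.Signature)
}

// Demo signs a constructed message bound to a constructed context string and
// reports whether verification holds with the same and with a different one.
func Demo() (sameContext, otherContext bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	msg := []byte("constructed control-plane message")
	sm, err := Sign(key, msg, []byte("constructed context A"))
	if err != nil {
		return false, false, err
	}
	sameContext = Verify(&key.PublicKey, sm, []byte("constructed context A"))
	otherContext = Verify(&key.PublicKey, sm, []byte("constructed context B"))
	return sameContext, otherContext, nil
}

func main() {
	same, other, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same associated data: %v, other associated data: %v\n", same, other) // prints true, false
}
```

Because the associated data never travels with the message, a verifier must derive it from context it already holds; a payload replayed into a different context fails verification even though its body and signature are untouched.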
type Verifier
type Verifier struct {
// BoundIA, when non-zero, ensures that only a signature originating from that
// IA can be valid.
BoundIA addr.IA
// BoundServer binds a remote server to ask for missing crypto material.
BoundServer net.Addr
// BoundValidity binds the verifier to only use certificates that are valid
// at the specified time.
BoundValidity cppki.Validity
// Engine provides verified certificate chains.
Engine Provider
// Cache keeps track of recently used certificates. If nil, no cache is used.
// This API is experimental.
Cache *cache.Cache
MaxCacheExpiration time.Duration
}
Verifier is used to verify control plane messages using the AS cert stored in the database.