Package trust (v0.2.0)

This package is not in the latest version of its module.
Published: Aug 27, 2018 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package trust defines type Store, a unified interface for TRC and Certificate retrieval.

Index

Constants

const (
	IssSigKeyFile = "core-sig.seed" // TODO(roosd): rename "core-sig.key" -> "iss-sig.key"
	DecKeyFile    = "as-decrypt.key"
	OffKeyFile    = "offline-root.seed"
	OnKeyFile     = "online-root.seed"
	SigKeyFile    = "as-sig.seed"
)
const (
	ErrorOpen    = "Unable to load key"
	ErrorParse   = "Unable to parse key file"
	ErrorUnknown = "Unknown algorithm"
)
const (
	// Handler lifetime
	HandlerTimeout = 3 * time.Second
)
const RawKey = "raw"

Variables

var (
	ErrNotFoundLocally      = "Chain/TRC not found locally"
	ErrMissingAuthoritative = "Trust store is authoritative for requested object, and object was not found"
)

Functions

func CreateSign added in v0.1.1

func CreateSign(ia addr.IA, store infra.TrustStore) (*proto.SignS, error)

func LoadKey added in v0.1.1

func LoadKey(file string, algo string) (common.RawBytes, error)

LoadKey decodes a base64 encoded key stored in file and returns the raw bytes.

func VerifyChain added in v0.1.1

func VerifyChain(subject addr.IA, chain *cert.Chain, store infra.TrustStore) error

VerifyChain verifies the chain based on the TRCs present in the store.

Types

type Config added in v0.1.1

type Config struct {
	// MustHaveLocalChain states that chain requests for the trust store's own
	// IA must always return a valid chain. This is set to true on CSes and to
	// false on others.
	MustHaveLocalChain bool
	// LocalCSes must have a length of 0 on CS nodes. On others, a random entry
	// is queried for TRCs and Chains.
	LocalCSes []net.Addr
}

type KeyConf added in v0.1.1

type KeyConf struct {
	// IssSigKey is the AS issuer signing Key.
	IssSigKey common.RawBytes
	// DecryptKey is the AS decryption key.
	DecryptKey common.RawBytes
	// OffRootKey is the AS offline root key.
	OffRootKey common.RawBytes
	// OnRootKey is the AS online root key.
	OnRootKey common.RawBytes
	// SignKey is the AS signing key.
	SignKey common.RawBytes
}

func LoadKeyConf added in v0.1.1

func LoadKeyConf(path string, issSigKey, onKey, offKey bool) (*KeyConf, error)

LoadKeyConf loads the key configuration from the specified path. issSigKey, onKey and offKey can be set to true to load the respective keys.
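The LoadKey and LoadKeyConf behaviour described above, modelled as a self-contained Go program. This is an added example, not the SCION trust package's own code: []byte stands in for common.RawBytes, base64 StdEncoding plus whitespace trimming is assumed as the file format, it is assumed that the decryption and signing keys are always loaded while the three flags gate the issuer, online-root and offline-root keys, and WriteConstructedKeys writes constructed filler seeds so the model runs offline.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Key file names and the "raw" algorithm name are the constants documented on the page.
const (
	IssSigKeyFile = "core-sig.seed"
	DecKeyFile    = "as-decrypt.key"
	OffKeyFile    = "offline-root.seed"
	OnKeyFile     = "online-root.seed"
	SigKeyFile    = "as-sig.seed"
	RawKey        = "raw"
)

// Sentinel errors carrying the page's error strings, so callers can test them with errors.Is.
var ErrOpen = errors.New("Unable to load key")
var ErrParse = errors.New("Unable to parse key file")
var ErrUnknown = errors.New("Unknown algorithm")

// KeyConf mirrors the documented struct; []byte stands in for common.RawBytes.
type KeyConf struct {
	IssSigKey  []byte
	DecryptKey []byte
	OffRootKey []byte
	OnRootKey  []byte
	SignKey    []byte
}

// LoadKey reads file, strips surrounding whitespace and base64-decodes the content
// (StdEncoding is a model assumption); "raw" is the only algorithm this model knows.
func LoadKey(file string, algo string) ([]byte, error) {
	if algo != RawKey {
		return nil, fmt.Errorf("%w: %q", ErrUnknown, algo)
	}
	data, err := os.ReadFile(file)
	if err != nil {
		return nil, fmt.Errorf("%w: %s: %v", ErrOpen, file, err)
	}
	raw, err := base64.StdEncoding.DecodeString(string(bytes.TrimSpace(data)))
	if err != nil {
		return nil, fmt.Errorf("%w: %s: %v", ErrParse, file, err)
	}
	return raw, nil
}

// LoadKeyConf always loads the decryption and signing keys (a model assumption) and the
// other three only when their flag is set, so a missing optional file is an error only
// when that key was actually requested.
func LoadKeyConf(path string, issSigKey, onKey, offKey bool) (*KeyConf, error) {
	conf := &KeyConf{}
	for _, w := range []struct {
		dst  *[]byte
		file string
		load bool
	}{
		{&conf.DecryptKey, DecKeyFile, true},
		{&conf.SignKey, SigKeyFile, true},
		{&conf.IssSigKey, IssSigKeyFile, issSigKey},
		{&conf.OnRootKey, OnKeyFile, onKey},
		{&conf.OffRootKey, OffKeyFile, offKey},
	} {
		if !w.load {
			continue
		}
		raw, err := LoadKey(filepath.Join(path, w.file), RawKey)
		if err != nil {
			return nil, err
		}
		*w.dst = raw
	}
	return conf, nil
}

// WriteConstructedKeys writes one constructed 32-byte filler seed per file name into dir,
// base64-encoded and owner-readable only, so the model can be exercised offline.
func WriteConstructedKeys(dir string, names ...string) error {
	for i, name := range names {
		enc := base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{byte(i + 1)}, 32)) + "\n"
		if err := os.WriteFile(filepath.Join(dir, name), []byte(enc), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "trust-keys")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := WriteConstructedKeys(dir, DecKeyFile, SigKeyFile, OnKeyFile); err != nil {
		panic(err)
	}
	conf, err := LoadKeyConf(dir, false, true, false) // issuer and offline-root keys not requested
	// Report presence only; key bytes never belong in logs.
	fmt.Println("loaded:", err == nil, "online-root key present:", err == nil && conf.OnRootKey != nil)
}
```

The property worth keeping when wiring this into a real service is the error distinction: ErrOpen for a key that was requested but is absent, ErrParse for a file that exists but is malformed, and ErrUnknown for an algorithm the loader does not handle, so a misconfigured key directory is reported at start-up rather than discovered when a signature or decryption fails later.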

func (*KeyConf) String added in v0.1.1

func (a *KeyConf) String() string

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store manages requests for TRC and Certificate Chain objects.

Chain and TRC requests from the local process (running the trust store) are handled by GetValidChain/GetChain and GetValidTRC/GetTRC respectively, while requests from other services can be handled via NewXxxReqHandler methods.

By default, a Store object can only return objects that are already present in the database. To allow a Store to use the SCION network to retrieve objects from other infrastructure services, an infra.Messenger must be set with SetMessenger.

Store is backed by a sqlite3 database in package go/lib/infra/modules/trust/trustdb.

func NewStore

func NewStore(db *trustdb.DB, local addr.IA, startID uint64, options *Config,
	logger log.Logger) (*Store, error)

NewStore initializes a TRC/Certificate Chain cache/resolver backed by db. Parameter local must specify the AS in which the trust store resides (which is used during request forwarding decisions). When sending infra messages, the trust store will use IDs starting from startID, and increment by one for each message.

func (*Store) ChooseServer added in v0.1.1

func (store *Store) ChooseServer(destination addr.IA) (net.Addr, error)

ChooseServer builds a CS address for crypto material regarding the destination AS.

func (*Store) GetChain

func (store *Store) GetChain(ctx context.Context, ia addr.IA,
	version uint64) (*cert.Chain, error)

GetChain asks the trust store to return a certificate chain of requested version without performing any verification. If the certificate chain is not available, it is requested from the authoritative CS.

func (*Store) GetTRC

func (store *Store) GetTRC(ctx context.Context,
	isd addr.ISD, version uint64) (*trc.TRC, error)

GetTRC asks the trust store to return a TRC of the requested version without performing any verification. If the TRC is not available, it is requested from the authoritative CS.

func (*Store) GetValidCachedTRC added in v0.2.0

func (store *Store) GetValidCachedTRC(ctx context.Context, isd addr.ISD) (*trc.TRC, error)

GetValidCachedTRC asks the trust store to return a valid TRC for isd without accessing the network.

func (*Store) GetValidChain

func (store *Store) GetValidChain(ctx context.Context, ia addr.IA,
	server net.Addr) (*cert.Chain, error)

GetValidChain asks the trust store to return a valid certificate chain for ia. Server is queried over the network if the chain is not available locally.

func (*Store) GetValidTRC

func (store *Store) GetValidTRC(ctx context.Context, isd addr.ISD,
	server net.Addr) (*trc.TRC, error)

GetValidTRC asks the trust store to return a valid TRC for isd. Server is queried over the network if the TRC is not available locally. Otherwise, the default server is queried.

func (*Store) LoadAuthoritativeChain added in v0.1.1

func (store *Store) LoadAuthoritativeChain(dir string) error

func (*Store) LoadAuthoritativeTRC added in v0.1.1

func (store *Store) LoadAuthoritativeTRC(dir string) error

func (*Store) NewChainPushHandler added in v0.1.1

func (store *Store) NewChainPushHandler() infra.Handler

NewChainPushHandler returns an infra.Handler for Certificate Chain pushes coming from a peer, backed by the trust store. Certificate chains are pushed by other ASes during core registration. Pushes are allowed from all local ISD sources.

func (*Store) NewChainReqHandler

func (store *Store) NewChainReqHandler(recurse bool) infra.Handler

NewChainReqHandler returns an infra.Handler for Certificate Chain requests coming from a peer, backed by the trust store. If recurse is set to true, the handler is allowed to issue new TRC and Certificate Chain requests over the network. This method should only be used when servicing requests coming from remote nodes.

func (*Store) NewTRCPushHandler added in v0.1.1

func (store *Store) NewTRCPushHandler() infra.Handler

NewTRCPushHandler returns an infra.Handler for TRC pushes coming from a peer, backed by the trust store. TRCs are pushed by local BSes during beaconing. Pushes are allowed from all local AS sources.

func (*Store) NewTRCReqHandler

func (store *Store) NewTRCReqHandler(recurse bool) infra.Handler

NewTRCReqHandler returns an infra.Handler for TRC requests coming from a peer, backed by the trust store. If recurse is set to true, the handler is allowed to issue new TRC requests over the network. This method should only be used when servicing requests coming from remote nodes.

func (*Store) SetMessenger

func (store *Store) SetMessenger(msger infra.Messenger)

SetMessenger enables network access for the trust store via msger. The messenger can only be set once.
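The resolution policy that the Store overview, the recurse flag of NewChainReqHandler/NewTRCReqHandler and SetMessenger describe, modelled for TRCs in a self-contained Go program. This is an added example, not the SCION trust package's own code: an in-memory map replaces the trustdb database, the Messenger interface and fakeMessenger stand in for infra.Messenger, ISD and TRC stand in for addr.ISD and trc.TRC, the authoritative flag is an assumption modelled on Config.MustHaveLocalChain, and the real package's split between GetTRC (local callers) and the peer handler built by NewTRCReqHandler(recurse) is collapsed into one GetTRC with an explicit recurse parameter. Verification, which GetValidTRC performs in the real package, is deliberately outside this model.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

type ISD uint16

// TRC stands in for trc.TRC; Payload is a constructed placeholder for the signed content.
type TRC struct {
	ISD     ISD
	Version uint64
	Payload string
}

type trcKey struct {
	isd ISD
	ver uint64
}

var (
	ErrNotFoundLocally      = errors.New("Chain/TRC not found locally")
	ErrMissingAuthoritative = errors.New("Trust store is authoritative for requested object, and object was not found")
	ErrMessengerAlreadySet  = errors.New("messenger can only be set once") // the model's own error
)

// Messenger is the network dependency that infra.Messenger provides in the real package.
type Messenger interface {
	GetTRC(ctx context.Context, isd ISD, version uint64) (*TRC, error)
}

// Store keeps TRCs in a map in place of the sqlite3 trustdb. The authoritative flag is
// modelled on Config.MustHaveLocalChain: a CS must already hold its own ISD's material.
type Store struct {
	localISD      ISD
	authoritative bool
	db            map[trcKey]*TRC
	msger         Messenger
}

func NewStore(localISD ISD, authoritative bool) *Store {
	return &Store{localISD: localISD, authoritative: authoritative, db: map[trcKey]*TRC{}}
}

// InsertTRC plays the role of LoadAuthoritativeTRC: material loaded from disk at start-up.
func (s *Store) InsertTRC(t *TRC) { s.db[trcKey{t.ISD, t.Version}] = t }

// SetMessenger enables network access; as documented, it can only be set once.
func (s *Store) SetMessenger(m Messenger) error {
	if s.msger != nil {
		return ErrMessengerAlreadySet
	}
	s.msger = m
	return nil
}

// GetTRC is the resolution policy: local DB first; an authoritative miss is an error,
// never a network fetch; otherwise fetch only if recursion is allowed and a messenger is
// set, caching the (unverified, as GetTRC documents) result for later lookups.
func (s *Store) GetTRC(ctx context.Context, isd ISD, version uint64, recurse bool) (*TRC, error) {
	key := trcKey{isd, version}
	if t, ok := s.db[key]; ok {
		return t, nil
	}
	if s.authoritative && isd == s.localISD {
		return nil, ErrMissingAuthoritative
	}
	if !recurse || s.msger == nil {
		return nil, ErrNotFoundLocally
	}
	t, err := s.msger.GetTRC(ctx, isd, version)
	if err != nil {
		return nil, err
	}
	s.db[key] = t
	return t, nil
}

// fakeMessenger answers from a constructed map and counts network round trips.
type fakeMessenger struct {
	trcs  map[trcKey]*TRC
	calls int
}

func (f *fakeMessenger) GetTRC(_ context.Context, isd ISD, version uint64) (*TRC, error) {
	f.calls++
	if t, ok := f.trcs[trcKey{isd, version}]; ok {
		return t, nil
	}
	return nil, fmt.Errorf("remote CS has no TRC for ISD %d v%d", isd, version)
}

func main() {
	ctx := context.Background()
	s := NewStore(1, true)
	s.InsertTRC(&TRC{ISD: 1, Version: 1, Payload: "constructed local TRC"})
	_, err := s.GetTRC(ctx, 1, 2, true) // authoritative miss: never goes to the network
	fmt.Println("local ISD, unknown version:", err)
	remote := &fakeMessenger{trcs: map[trcKey]*TRC{{2, 1}: {ISD: 2, Version: 1, Payload: "constructed remote TRC"}}}
	_ = s.SetMessenger(remote)
	_, err = s.GetTRC(ctx, 2, 1, false) // a non-recursing peer handler stays local
	fmt.Println("peer request without recursion:", err)
	t, _ := s.GetTRC(ctx, 2, 1, true)
	fmt.Println("peer request with recursion:", t.Payload, "round trips:", remote.calls)
}
```

The two checks that matter for a deployment are the order of the branches: an authoritative store never answers a miss for its own ISD by asking the network, so a CS whose own TRC is missing fails loudly instead of importing one from a peer, and a handler created without recurse cannot be used by a remote requester to make the store fan out further requests of its own.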

type ValidateChainF

type ValidateChainF func(ctx context.Context, chain *cert.Chain) error

type ValidateTRCF

type ValidateTRCF func(ctx context.Context, trcObj *trc.TRC) error

Directories

trustdb: Package trustdb provides wrappers for SQL calls for managing a database containing TRCs and Certificate Chains.
