Documentation
Index
- Constants
- func VerifySignedFile(signedFile signer.SignedFile, truststore *x509.CertPool, opts Options, ...) error
- type Metafile
- type Options
- type Recommendation
- type Signature
- type XPISigner
- func (s *XPISigner) Config() signer.Configuration
- func (s *XPISigner) GetDefaultOptions() interface{}
- func (s *XPISigner) MakeEndEntity(cn string, coseAlg *cose.Algorithm) (eeCert *x509.Certificate, eeKey crypto.PrivateKey, err error)
- func (s *XPISigner) ReadAndVerifyRecommendationFile(signedXPI []byte) (recFileBytes []byte, err error)
- func (s *XPISigner) SignData(sigfile []byte, options interface{}) (signer.Signature, error)
- func (s *XPISigner) SignFile(input []byte, options interface{}) (signedFile signer.SignedFile, err error)
Constants
const (
    // Type of this signer is "xpi"
    Type = "xpi"

    // ModeAddOn represents a signer that issues signatures for
    // regular firefox add-ons and web extensions developed by anyone
    ModeAddOn = "add-on"

    // ModeAddOnWithRecommendation represents a signer that issues
    // signatures for regular firefox add-ons and web extensions
    // developed by anyone including a recommendation file
    ModeAddOnWithRecommendation = "add-on-with-recommendation"

    // ModeExtension represents a signer that issues signatures for
    // internal extensions developed by Mozilla
    ModeExtension = "extension"

    // ModeSystemAddOn represents a signer that issues signatures for
    // System Add-Ons developed by Mozilla
    ModeSystemAddOn = "system add-on"

    // ModeHotFix represents a signer that issues signatures for
    // Firefox HotFixes
    ModeHotFix = "hotfix"
)
Variables
This section is empty.
Functions
func VerifySignedFile
func VerifySignedFile(signedFile signer.SignedFile, truststore *x509.CertPool, opts Options, verificationTime time.Time) error
VerifySignedFile checks the XPI's PKCS7 signature and COSE signatures if present
Types
type Metafile
Metafile is a file to pack into a JAR at .Name with contents .Body
func (*Metafile) IsNameValid
IsNameValid checks whether a Metafile.Name is non-nil and begins with "META-INF/". Functions taking Metafile arguments should validate names before reading or writing them to JARs.
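As an added example (not the package's own code), the Go below uses the check IsNameValid describes as a gate: every metafile name is validated before anything is written into a copy of the JAR, so an entry outside META-INF/ is never packed. The Metafile type (with Name assumed to be a string), packMetafiles, entryNames and sampleJar are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"strings"
)

// Metafile mirrors the documented shape: a file packed into the JAR at Name
// with contents Body. Example code, not the autograph xpi package.
type Metafile struct {
	Name string
	Body []byte
}

// IsNameValid applies the documented rule: the name must be present and begin
// with "META-INF/", so a Metafile can only land in the JAR's signature directory.
func (m *Metafile) IsNameValid() bool {
	return m != nil && m.Name != "" && strings.HasPrefix(m.Name, "META-INF/")
}

// packMetafiles returns a copy of the input JAR with the metafiles added. Every
// name is validated before the archive is touched, so a bad entry cannot leave
// a half-written result behind.
func packMetafiles(input []byte, metas []Metafile) ([]byte, error) {
	replaced := make(map[string]bool, len(metas))
	for i := range metas {
		if !metas[i].IsNameValid() {
			return nil, fmt.Errorf("metafile %d: invalid name %q, must begin with META-INF/", i, metas[i].Name)
		}
		replaced[metas[i].Name] = true
	}
	r, err := zip.NewReader(bytes.NewReader(input), int64(len(input)))
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	w := zip.NewWriter(&out)
	// Keep existing entries except those a metafile replaces (e.g. an old manifest.mf).
	for _, f := range r.File {
		if replaced[f.Name] {
			continue
		}
		if err := w.Copy(f); err != nil {
			return nil, err
		}
	}
	for _, m := range metas {
		fw, err := w.Create(m.Name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write(m.Body); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// entryNames lists the entries of a JAR so results can be inspected.
func entryNames(jar []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	var names []string
	for _, f := range r.File {
		names = append(names, f.Name)
	}
	return names, nil
}

// sampleJar builds a constructed, unsigned two-file add-on archive.
func sampleJar() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create("manifest.json")
	fw.Write([]byte(`{"name":"example","version":"1.0"}`))
	fw, _ = w.Create("background.js")
	fw.Write([]byte("console.log('hi');"))
	w.Close()
	return buf.Bytes()
}

func main() {
	manifest := Metafile{Name: "META-INF/manifest.mf", Body: []byte("Manifest-Version: 1.0\n")}
	jar, err := packMetafiles(sampleJar(), []Metafile{manifest})
	if err != nil {
		panic(err)
	}
	names, _ := entryNames(jar)
	fmt.Println("entries:", names)
	_, err = packMetafiles(sampleJar(), []Metafile{{Name: "manifest.json"}}) // rejected before writing
	fmt.Println("rejected:", err)
}
```

Validating all names up front, rather than as each entry is written, keeps the archive untouched when any one metafile is bad.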
type Options
type Options struct {
    // ID is the add-on ID which is stored in the end-entity subject CN
    ID string `json:"id"`

    // COSEAlgorithms is an optional list of strings referring to IANA algorithms to use for COSE signatures
    COSEAlgorithms []string `json:"cose_algorithms"`

    // PKCS7Digest is a string required for /sign/file referring to algorithm to use for the PKCS7 signature digest
    PKCS7Digest string `json:"pkcs7_digest"`

    // Recommendations is an optional list of strings referring to
    // recommended states to add to the recommendations file
    // for signers in ModeAddOnWithRecommendation
    Recommendations []string `json:"recommendations"`
}
Options contains specific parameters used to sign XPIs
func GetOptions
GetOptions takes an input interface and reflects it into a struct of options
func (*Options) Algorithms
Algorithms validates and returns COSE algorithms
type Recommendation
type Recommendation struct {
    // AddOnID is the ID of the extension this recommendation is
    // for. Must match the ID in the extension's manifest.json
    AddOnID string `json:"addon_id"`

    // States is a list of strings for each state of an addon that
    // firefox understands
    States []string `json:"states"`

    // Validity is a pair of timestamps to expire a recommendation
    // after an appropriate amount of time, since the
    // recommendation is for a given version of the addon and it
    // will need to be reissued for new versions.
    Validity map[string]time.Time `json:"validity"`

    // SchemaVersion is a uint to allow gradual upgrades of the
    // recommendation file
    SchemaVersion int `json:"schema_version"`
}
Recommendation represents an Addon Recommendation file
func Recommend
func Recommend(addonID string, states []string, notBefore, notAfter time.Time) *Recommendation
Recommend returns a Recommendation for addonID with the given states, valid from notBefore to notAfter
func UnmarshalRecommendation
func UnmarshalRecommendation(input []byte) (r *Recommendation, err error)
UnmarshalRecommendation parses a recommendation file from JSON
func (*Recommendation) Marshal
func (r *Recommendation) Marshal() ([]byte, error)
Marshal serializes a Recommendation to JSON
type Signature
Signature is a detached PKCS7 signature or COSE SignMessage
func Unmarshal
Unmarshal parses either a PKCS7 struct, from the base64 representation of a detached PKCS7 signature together with the content of the signed data, or a COSE SignMessage struct, from the base64 representation of a CBOR-encoded Sign Message
func (*Signature) Marshal
Marshal returns the base64 representation of a detached PKCS7 signature or COSE Sign Message
func (*Signature) VerifyWithChain
VerifyWithChain verifies an xpi signature using the provided truststore
func (*Signature) VerifyWithChainAt
func (sig *Signature) VerifyWithChainAt(truststore *x509.CertPool, verificationTime time.Time) error
VerifyWithChainAt verifies an xpi signature using the provided truststore at a given time.
When truststore is not nil, it also verifies the chain of trust from the end-entity signer cert to one of the roots in the truststore.
type XPISigner
type XPISigner struct {
    signer.Configuration

    // OU is the organizational unit of the end-entity certificate
    // generated for each operation performed by this signer
    OU string

    // EndEntityCN is the subject CN of the end-entity certificate generated
    // for each operation performed by this signer. Most of the time
    // the ID will be left blank and provided by the requester of the
    // signature, but for hotfix signers, it is set to a specific value.
    EndEntityCN string
    // contains filtered or unexported fields
}
An XPISigner is configured to issue detached PKCS7 and COSE signatures for Firefox Add-ons of various types.
func New
func New(conf signer.Configuration, stats *signer.StatsClient) (s *XPISigner, err error)
New initializes an XPI signer using a configuration
func (*XPISigner) Config
func (s *XPISigner) Config() signer.Configuration
Config returns the configuration of the current signer
func (*XPISigner) GetDefaultOptions
func (s *XPISigner) GetDefaultOptions() interface{}
GetDefaultOptions returns default options of the signer
func (*XPISigner) MakeEndEntity
func (s *XPISigner) MakeEndEntity(cn string, coseAlg *cose.Algorithm) (eeCert *x509.Certificate, eeKey crypto.PrivateKey, err error)
MakeEndEntity generates a private key and certificate ready to sign a given XPI.
The subject CN of the certificate is taken from the `cn` string argument.
The key type is identical to the key type of the signer that issues the certificate when the optional `coseAlg` argument is nil. For example, if the signer uses an RSA 2048 key, so will the end-entity. When `coseAlg` is not nil, a key of the type required by that COSE algorithm is generated.
The signature expiration date is copied over from the issuer.
The signed x509 certificate and private key are returned.
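The Go below is an added example, not the package's own code, covering two pieces of the documentation above: MakeEndEntity's rule that the end-entity's expiration date is copied from the issuer, and VerifyWithChainAt's chain check against a truststore at a supplied time rather than the wall clock. It builds a constructed issuing CA in memory with Go's standard x509 library (ECDSA P-256 stands in for whatever key type the real signer uses), issues an end-entity certificate whose NotAfter is copied from the issuer, and then verifies the chain at a time inside the validity window and at one after it. newIssuer, makeEndEntity, issue and verifyChainAt are names chosen for this example; only the chain check is shown, not the PKCS7 or COSE signature verification.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newIssuer self-signs a CA certificate valid from notBefore to notAfter. It is a
// constructed stand-in for the signer's own issuing cert and key (example code).
func newIssuer(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example issuer", OrganizationalUnit: []string{"Production"}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// makeEndEntity follows the documented behaviour of MakeEndEntity: a fresh key of
// the issuer's type (ECDSA P-256 here), the subject CN taken from cn, the OU taken
// from the issuer, and the expiration date copied over from the issuer.
func makeEndEntity(issuerCert *x509.Certificate, issuerKey *ecdsa.PrivateKey, cn string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // constructed; a real signer uses a random serial
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: issuerCert.Subject.OrganizationalUnit},
		NotBefore:    notBefore,
		NotAfter:     issuerCert.NotAfter, // expiration copied from the issuer
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyChainAt is the chain part of VerifyWithChainAt: the end-entity must chain
// to a root in truststore, and every certificate in that chain must be valid at
// verificationTime rather than at the current wall-clock time.
func verifyChainAt(ee *x509.Certificate, truststore *x509.CertPool, verificationTime time.Time) error {
	_, err := ee.Verify(x509.VerifyOptions{
		Roots:       truststore,
		CurrentTime: verificationTime,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // a signing cert, not a TLS server cert
	})
	return err
}

func main() {
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	caCert, caKey, err := newIssuer(notBefore, notAfter)
	if err != nil {
		panic(err)
	}
	ee, _, err := makeEndEntity(caCert, caKey, "example-addon@example.test", notBefore)
	if err != nil {
		panic(err)
	}
	truststore := x509.NewCertPool()
	truststore.AddCert(caCert)
	fmt.Println("expiry copied from issuer:", ee.NotAfter.Equal(caCert.NotAfter))
	fmt.Println("inside validity:", verifyChainAt(ee, truststore, notBefore.AddDate(1, 0, 0)))
	fmt.Println("after expiry:", verifyChainAt(ee, truststore, notAfter.AddDate(0, 0, 1)))
}
```

Passing the time explicitly matters for a verifier: an XPI signed years ago should still verify when checked at its signing time, and the same certificate should fail when checked after the issuer's expiry, which is exactly what the two calls at the end show.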
func (*XPISigner) ReadAndVerifyRecommendationFile
func (s *XPISigner) ReadAndVerifyRecommendationFile(signedXPI []byte) (recFileBytes []byte, err error)
ReadAndVerifyRecommendationFile reads the recommendation file from a signed XPI and verifies it against the signer's config. It returns the file bytes, or an error when verification fails.
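As an added example (not the package's own code) for the Recommendation type and for ReadAndVerifyRecommendationFile above, the Go below round-trips a recommendation file through JSON and then checks it against a constructed signer config. The struct mirrors the documented fields; the Validity keys "not_before" and "not_after", the allowed-state list and the exact checks in checkRecommendation are this example's assumptions, since the page only documents the fields and that the file is verified against the signer's config.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Recommendation mirrors the documented struct. Example code, not the autograph
// xpi package; the Validity key names below are an assumption of this example.
type Recommendation struct {
	AddOnID       string               `json:"addon_id"`
	States        []string             `json:"states"`
	Validity      map[string]time.Time `json:"validity"`
	SchemaVersion int                  `json:"schema_version"`
}

// Recommend builds a schema-version-1 recommendation for addonID with the given
// states, valid from notBefore to notAfter.
func Recommend(addonID string, states []string, notBefore, notAfter time.Time) *Recommendation {
	return &Recommendation{
		AddOnID: addonID,
		States:  states,
		Validity: map[string]time.Time{
			"not_before": notBefore, // assumed key name
			"not_after":  notAfter,  // assumed key name
		},
		SchemaVersion: 1,
	}
}

// Marshal serializes the recommendation to JSON; timestamps become RFC 3339 strings.
func (r *Recommendation) Marshal() ([]byte, error) {
	return json.Marshal(r)
}

// UnmarshalRecommendation parses a recommendation file from JSON.
func UnmarshalRecommendation(input []byte) (*Recommendation, error) {
	r := &Recommendation{}
	if err := json.Unmarshal(input, r); err != nil {
		return nil, fmt.Errorf("recommendation: invalid JSON: %w", err)
	}
	return r, nil
}

// checkRecommendation is one reading of what verifying the file "for a signer's
// config" could involve (an assumption, not the package's documented logic): a
// known schema version, the add-on ID of the XPI being signed, a well-formed
// validity window that contains the check time, and only states the signer may issue.
func checkRecommendation(r *Recommendation, wantAddOnID string, allowedStates []string, at time.Time) error {
	if r.SchemaVersion != 1 {
		return fmt.Errorf("recommendation: unsupported schema_version %d", r.SchemaVersion)
	}
	if r.AddOnID != wantAddOnID {
		return fmt.Errorf("recommendation: addon_id %q does not match %q", r.AddOnID, wantAddOnID)
	}
	nb, okNB := r.Validity["not_before"]
	na, okNA := r.Validity["not_after"]
	if !okNB || !okNA || !na.After(nb) {
		return fmt.Errorf("recommendation: validity needs not_before and not_after with not_before < not_after")
	}
	if at.Before(nb) || at.After(na) {
		return fmt.Errorf("recommendation: not valid at %s (valid %s to %s)",
			at.Format(time.RFC3339), nb.Format(time.RFC3339), na.Format(time.RFC3339))
	}
	if len(r.States) == 0 {
		return fmt.Errorf("recommendation: states must not be empty")
	}
	allowed := make(map[string]bool, len(allowedStates))
	for _, s := range allowedStates {
		allowed[s] = true
	}
	for _, s := range r.States {
		if !allowed[s] {
			return fmt.Errorf("recommendation: state %q is not permitted by the signer config", s)
		}
	}
	return nil
}

func main() {
	id := "example-addon@example.test" // constructed add-on ID
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	b, err := Recommend(id, []string{"recommended"}, nb, nb.AddDate(0, 6, 0)).Marshal()
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
	parsed, err := UnmarshalRecommendation(b)
	if err != nil {
		panic(err)
	}
	allowed := []string{"recommended", "line"} // constructed signer config
	fmt.Println("mid-window:", checkRecommendation(parsed, id, allowed, nb.AddDate(0, 1, 0)))
	fmt.Println("after expiry:", checkRecommendation(parsed, id, allowed, nb.AddDate(1, 0, 0)))
}
```

The validity window is checked against a caller-supplied time for the same reason VerifyWithChainAt takes one: a recommendation that was valid when the XPI was signed should still check out when the same XPI is examined later at that time.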