Documentation
Index
- Constants
- Variables
- type APIEndpoint
- type ASN1Cert
- type AddChainRequest
- type AddChainResponse
- type CTExtensions
- type CertificateTimestamp
- type DigitallySigned
- type GetRootsResponse
- type JSONDataEntry
- type LogEntry
- type LogEntryType
- type LogID
- type MerkleLeafType
- type MerkleTreeLeaf
- type MerkleTreeNode
- type PreCert
- type Precertificate
- type RawLogEntry
- type SHA256Hash
- type SignatureType
- type SignedCertificateTimestamp
- type SignedTreeHead
- type TimestampedEntry
- type TreeHeadSignature
- type Version
Constants
const (
	TreeLeafPrefix = byte(0x00)
	TreeNodePrefix = byte(0x01)
)
RFC 6962 section 2.1 requires a distinct prefix byte on every hash input: 0x00 for leaf hashes and 0x01 for interior node hashes. This domain separation is what gives the tree second-preimage resistance: without it, a leaf whose data is the concatenation of two child hashes would hash to the same value as the interior node above those children, so a tree of a different shape and with different leaves could share a root with the real one.
const (
	AddChainPath    = "/ct/v1/add-chain"
	AddPreChainPath = "/ct/v1/add-pre-chain"
	GetRootsPath    = "/ct/v1/get-roots"
)
URI paths for Log requests; see section 4. WARNING: these must match the APIEndpoint constants (the same names without the "/ct/v1/" prefix); if one set changes, the other may need to change too.
Variables
var (
	OIDExtensionCTPoison                  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	OIDExtKeyUsageCertificateTransparency = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}
)
Defined in RFC 6962 s3.1: the precertificate poison extension (which must be marked critical, so that clients unaware of CT reject the precertificate) and the extended key usage that identifies a Precertificate Signing Certificate.
Functions
This section is empty.
Types
type APIEndpoint
type APIEndpoint string
APIEndpoint is a string that represents one of the Certificate Transparency Log API endpoints.
const (
	AddChainStr    APIEndpoint = "add-chain"
	AddPreChainStr APIEndpoint = "add-pre-chain"
	GetRootsStr    APIEndpoint = "get-roots"
)
Certificate Transparency Log API endpoints; see section 4. WARNING: these must match the URI path constants without the "/ct/v1/" prefix; if one set changes, the other may need to change too.
type ASN1Cert
type ASN1Cert struct {
Data []byte `tls:"minlen:1,maxlen:16777215"`
}
ASN1Cert type for holding the raw DER bytes of an ASN.1 Certificate (section 3.1).
type AddChainRequest
type AddChainRequest struct {
Chain [][]byte `json:"chain"`
}
AddChainRequest represents the JSON request body sent to the add-chain and add-pre-chain POST methods from sections 4.1 and 4.2.
type AddChainResponse
type AddChainResponse struct {
	SCTVersion Version `json:"sct_version"` // SCT structure version
	ID         []byte  `json:"id"`          // Log ID
	Timestamp  uint64  `json:"timestamp"`   // Timestamp of issuance
	Extensions string  `json:"extensions"`  // Holder for any CT extensions
	Signature  []byte  `json:"signature"`   // Log signature for this SCT
}
AddChainResponse represents the JSON response to the add-chain and add-pre-chain POST methods. An SCT is a Log's promise to integrate a [pre-]certificate into the log within a defined period of time (the log's Maximum Merge Delay).
type CTExtensions
type CTExtensions []byte // tls:"minlen:0,maxlen:65535"
CTExtensions holds the raw bytes of the CtExtensions structure from section 3.2. RFC 6962 defines no extensions for v1, so this is normally empty.
type CertificateTimestamp
type CertificateTimestamp struct {
	SCTVersion    Version        `tls:"maxval:255"`
	SignatureType SignatureType  `tls:"maxval:255"`
	Timestamp     uint64
	EntryType     LogEntryType   `tls:"maxval:65535"`
	X509Entry     *ASN1Cert      `tls:"selector:EntryType,val:0"`
	PrecertEntry  *PreCert       `tls:"selector:EntryType,val:1"`
	JSONEntry     *JSONDataEntry `tls:"selector:EntryType,val:32768"`
	Extensions    CTExtensions   `tls:"minlen:0,maxlen:65535"`
}
CertificateTimestamp is the collection of data that the signature in an SCT is over; see section 3.2.
type DigitallySigned
type DigitallySigned tls.DigitallySigned
DigitallySigned is a local alias for tls.DigitallySigned so that we can attach a Base64String() method.
func (DigitallySigned) Base64String
func (d DigitallySigned) Base64String() (string, error)
Base64String returns the base64 representation of the DigitallySigned struct.
type GetRootsResponse
type GetRootsResponse struct {
Certificates []string `json:"certificates"`
}
GetRootsResponse represents the JSON response to the get-roots GET method from section 4.7.
type JSONDataEntry
type JSONDataEntry struct {
Data []byte `tls:"minlen:0,maxlen:1677215"`
}
JSONDataEntry holds arbitrary data.
type LogEntry
type LogEntry struct {
	Index int64
	Leaf  MerkleTreeLeaf

	// Exactly one of the following three fields should be non-empty.
	X509Cert *x509.Certificate // Parsed X.509 certificate
	Precert  *Precertificate   // Extracted precertificate
	JSONData []byte

	// Chain holds the issuing certificate chain, starting with the
	// issuer of the leaf certificate / pre-certificate.
	Chain []ASN1Cert
}
LogEntry represents the (parsed) contents of an entry in a CT log. This is described in section 3.1, but note that this structure does *not* match the TLS structure defined there (the TLS structure is never used directly in RFC6962).
type LogEntryType
LogEntryType represents the LogEntryType enum from section 3.1:
	enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
const (
	X509LogEntryType    LogEntryType = 0
	PrecertLogEntryType LogEntryType = 1
)
LogEntryType constants from section 3.1.
func (LogEntryType) String
func (e LogEntryType) String() string
type MerkleLeafType
MerkleLeafType represents the MerkleLeafType enum from section 3.4:
	enum { timestamped_entry(0), (255) } MerkleLeafType;
const TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
TimestampedEntryLeafType is the only defined MerkleLeafType constant from section 3.4.
func (MerkleLeafType) String
func (m MerkleLeafType) String() string
type MerkleTreeLeaf
type MerkleTreeLeaf struct {
	Version          Version           `tls:"maxval:255"`
	LeafType         MerkleLeafType    `tls:"maxval:255"`
	TimestampedEntry *TimestampedEntry `tls:"selector:LeafType,val:0"`
}
MerkleTreeLeaf represents the deserialized structure of the hash input for the leaves of a log's Merkle tree; see section 3.4.
type MerkleTreeNode
type MerkleTreeNode []byte
MerkleTreeNode represents an internal node in the CT tree.
type PreCert
type PreCert struct {
	IssuerKeyHash  [sha256.Size]byte
	TBSCertificate []byte `tls:"minlen:1,maxlen:16777215"` // DER-encoded TBSCertificate
}
PreCert represents a Precertificate (section 3.2).
type Precertificate
type Precertificate struct {
	// DER-encoded pre-certificate as originally added, which includes a
	// poison extension and a signature generated over the pre-cert by
	// the pre-cert issuer (which might differ from the issuer of the final
	// cert, see RFC6962 s3.1).
	Submitted ASN1Cert
	// SHA256 hash of the issuing key
	IssuerKeyHash [sha256.Size]byte
	// Parsed TBSCertificate structure, held in an x509.Certificate for convenience.
	TBSCertificate *x509.Certificate
}
Precertificate represents the parsed CT Precertificate structure.
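How the poison extension and IssuerKeyHash are handled in practice, as an added example that is not the package's own code: it builds a throwaway CA and a leaf certificate with (or without) the poison extension using Go's crypto/x509, checks that the extension is critical and carries an ASN.1 NULL as RFC 6962 s3.1 requires, computes PreCert.IssuerKeyHash as SHA-256 over the issuer's DER SubjectPublicKeyInfo, and shows that a CT-unaware verifier rejects the precertificate because of the unhandled critical extension. MakePrecert, IsPrecert, IssuerKeyHash and RejectedByVerifier are names chosen for this example, and the certificates are constructed fixtures rather than real PKI.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDExtensionCTPoison is the precertificate poison OID from RFC 6962 s3.1
// (the same value as the package variable).
var OIDExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

// IsPrecert reports whether cert carries a well-formed poison extension. RFC 6962
// s3.1 requires it to be critical with an ASN.1 NULL value, so a malformed poison
// is reported as an error rather than silently treated as a final certificate.
func IsPrecert(cert *x509.Certificate) (bool, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(OIDExtensionCTPoison) {
			continue
		}
		if !ext.Critical {
			return false, fmt.Errorf("poison extension present but not critical")
		}
		if !bytes.Equal(ext.Value, asn1.NullBytes) {
			return false, fmt.Errorf("poison extension value is not ASN.1 NULL")
		}
		return true, nil
	}
	return false, nil
}

// IssuerKeyHash computes PreCert.IssuerKeyHash: SHA-256 over the DER-encoded
// SubjectPublicKeyInfo of the certificate that signed the precertificate.
func IssuerKeyHash(issuer *x509.Certificate) [sha256.Size]byte {
	return sha256.Sum256(issuer.RawSubjectPublicKeyInfo)
}

// RejectedByVerifier shows the poison doing its job: Go's path validation refuses any
// certificate with an unhandled critical extension, so a precert cannot be served as a
// real certificate to a client that does not understand CT.
func RejectedByVerifier(cert, issuer *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err != nil
}

// MakePrecert builds a constructed CA and a leaf signed by it, adding the poison
// extension when poison is true. Hypothetical test fixtures, not real PKI.
func MakePrecert(poison bool) (issuer, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if issuer, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
	}
	if poison {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: OIDExtensionCTPoison, Critical: true, Value: asn1.NullBytes}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(der); err != nil {
		return nil, nil, err
	}
	return issuer, leaf, nil
}

func main() {
	issuer, pre, err := MakePrecert(true)
	if err != nil {
		panic(err)
	}
	isPre, err := IsPrecert(pre)
	fmt.Printf("precert: %v (err %v), issuer key hash %x, rejected by plain verifier: %v\n",
		isPre, err, IssuerKeyHash(issuer), RejectedByVerifier(pre, issuer))
}
```

Go's x509.ParseCertificate records an unknown critical extension in UnhandledCriticalExtensions instead of failing, so parsing a precert succeeds while Verify refuses it; that split is what lets a log parse and hash precertificates that no TLS client will accept.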
type RawLogEntry
type RawLogEntry struct {
	// Index is a position of the entry in the log.
	Index int64
	// Leaf is a parsed Merkle leaf hash input.
	Leaf MerkleTreeLeaf
	// Cert is:
	// - A certificate if Leaf.TimestampedEntry.EntryType is X509LogEntryType.
	// - A precertificate if Leaf.TimestampedEntry.EntryType is
	//   PrecertLogEntryType, in the form of a DER-encoded Certificate as
	//   originally added (which includes the poison extension and a signature
	//   generated over the pre-cert by the pre-cert issuer).
	// - Empty otherwise.
	Cert ASN1Cert
	// Chain is the issuing certificate chain starting with the issuer of Cert,
	// or an empty slice if Cert is empty.
	Chain []ASN1Cert
}
RawLogEntry represents the (TLS-parsed) contents of an entry in a CT log.
type SHA256Hash
type SHA256Hash [sha256.Size]byte
SHA256Hash represents the output from the SHA256 hash function.
func (SHA256Hash) Base64String
func (s SHA256Hash) Base64String() string
Base64String returns the base64 representation of this SHA256Hash.
type SignatureType
SignatureType differentiates STH signatures from SCT signatures; see section 3.2:
	enum { certificate_timestamp(0), tree_hash(1), (255) } SignatureType;
const (
	CertificateTimestampSignatureType SignatureType = 0
	TreeHashSignatureType             SignatureType = 1
)
SignatureType constants from section 3.2.
func (SignatureType) String
func (st SignatureType) String() string
type SignedCertificateTimestamp
type SignedCertificateTimestamp struct {
	SCTVersion Version `tls:"maxval:255"`
	LogID      LogID
	Timestamp  uint64
	Extensions CTExtensions `tls:"minlen:0,maxlen:65535"`
	Signature  DigitallySigned // Signature over TLS-encoded CertificateTimestamp
}
SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding; see sections 3.2, 4.1 and 4.2.
func (SignedCertificateTimestamp) String
func (s SignedCertificateTimestamp) String() string
type SignedTreeHead
type SignedTreeHead struct {
	Version           Version         // The version of the protocol to which the STH conforms
	TreeSize          uint64          // The number of entries in the new tree
	Timestamp         uint64          // The time at which the STH was created
	SHA256RootHash    SHA256Hash      // The root hash of the log's Merkle tree
	TreeHeadSignature DigitallySigned // Log's signature over a TLS-encoded TreeHeadSignature
	LogID             SHA256Hash      // The SHA256 hash of the log's public key
}
SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding; see sections 3.5 and 4.3.
func (SignedTreeHead) String
func (s SignedTreeHead) String() string
type TimestampedEntry
type TimestampedEntry struct {
	Timestamp    uint64
	EntryType    LogEntryType   `tls:"maxval:65535"`
	X509Entry    *ASN1Cert      `tls:"selector:EntryType,val:0"`
	PrecertEntry *PreCert       `tls:"selector:EntryType,val:1"`
	JSONEntry    *JSONDataEntry `tls:"selector:EntryType,val:32768"`
	Extensions   CTExtensions   `tls:"minlen:0,maxlen:65535"`
}
TimestampedEntry is part of the MerkleTreeLeaf structure; see section 3.4.
type TreeHeadSignature
type TreeHeadSignature struct {
	Version        Version       `tls:"maxval:255"`
	SignatureType  SignatureType `tls:"maxval:255"` // == TreeHashSignatureType
	Timestamp      uint64
	TreeSize       uint64
	SHA256RootHash SHA256Hash
}
TreeHeadSignature holds the data over which the signature in an STH is generated; see section 3.5.
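The three TLS-encoded structures a log signs or hashes (CertificateTimestamp from section 3.2, MerkleTreeLeaf with its TimestampedEntry from section 3.4, and TreeHeadSignature from section 3.5) share one byte-layout convention, and the example below spells it out. It is added here and is not the package's own code: the package's struct tags drive its own TLS serializer, whereas this block hand-encodes the structures for an x509_entry, derives both the SCT signing input and the Merkle leaf hash from a single TimestampedEntry, and signs and verifies a DigitallySigned blob (hash and signature algorithm identifiers, two-byte length, then the signature) with a constructed P-256 log key. All function names, the enum constants and the sample certificate bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Enum values from RFC 6962 s3.2/s3.4 plus the TLS 1.2 algorithm identifiers
// (sha256 = 4, ecdsa = 3) that head a DigitallySigned blob.
const (
	versionV1            = 0
	sigTypeCertTimestamp = 0
	sigTypeTreeHash      = 1
	leafTypeTimestamped  = 0
	entryTypeX509        = 0
	hashAlgSHA256        = 4
	sigAlgECDSA          = 3
)

// be returns v as an n-byte big-endian integer (TLS fixed-width and length fields).
func be(v uint64, n int) []byte {
	out := make([]byte, n)
	for i := n - 1; i >= 0; i-- {
		out[i] = byte(v)
		v >>= 8
	}
	return out
}

// TimestampedEntryX509 encodes a TimestampedEntry for an x509_entry:
// timestamp(8) || entry_type(2) || opaque<1..2^24-1> cert || opaque<0..2^16-1> extensions.
func TimestampedEntryX509(timestamp uint64, cert, extensions []byte) []byte {
	e := be(timestamp, 8)
	e = append(e, be(entryTypeX509, 2)...)
	e = append(e, be(uint64(len(cert)), 3)...)
	e = append(e, cert...)
	e = append(e, be(uint64(len(extensions)), 2)...)
	return append(e, extensions...)
}

// SCTSigningInput is the TLS-encoded CertificateTimestamp the log signs (s3.2):
// sct_version(1) || signature_type(1) || TimestampedEntry.
func SCTSigningInput(entry []byte) []byte {
	return append([]byte{versionV1, sigTypeCertTimestamp}, entry...)
}

// MerkleLeafHash is SHA-256(0x00 || MerkleTreeLeaf), where MerkleTreeLeaf is
// version(1) || leaf_type(1) || TimestampedEntry (s3.4, leaf prefix from s2.1).
func MerkleLeafHash(entry []byte) [sha256.Size]byte {
	return sha256.Sum256(append([]byte{0x00, versionV1, leafTypeTimestamped}, entry...))
}

// TreeHeadSigningInput is the TLS-encoded TreeHeadSignature (s3.5):
// version(1) || signature_type(1) || timestamp(8) || tree_size(8) || sha256_root_hash(32).
func TreeHeadSigningInput(timestamp, treeSize uint64, root [sha256.Size]byte) []byte {
	in := []byte{versionV1, sigTypeTreeHash}
	in = append(in, be(timestamp, 8)...)
	in = append(in, be(treeSize, 8)...)
	return append(in, root[:]...)
}

// NewLogKey generates a constructed P-256 log key (real keys come from the log operator).
func NewLogKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignDigitally produces a DigitallySigned blob: hash_alg(1) || sig_alg(1) ||
// opaque<0..2^16-1> signature, the signature being ECDSA over SHA-256(input).
func SignDigitally(key *ecdsa.PrivateKey, input []byte) ([]byte, error) {
	digest := sha256.Sum256(input)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return append([]byte{hashAlgSHA256, sigAlgECDSA, byte(len(sig) >> 8), byte(len(sig))}, sig...), nil
}

// VerifyDigitallySigned checks the algorithm identifiers and length field before the
// signature, so a peer cannot steer verification toward an algorithm we did not expect.
func VerifyDigitallySigned(pub *ecdsa.PublicKey, input, ds []byte) error {
	if len(ds) < 4 {
		return errors.New("DigitallySigned too short")
	}
	if ds[0] != hashAlgSHA256 || ds[1] != sigAlgECDSA {
		return fmt.Errorf("unsupported algorithms: hash=%d sig=%d", ds[0], ds[1])
	}
	if n := int(ds[2])<<8 | int(ds[3]); len(ds) != 4+n {
		return errors.New("signature length mismatch")
	}
	digest := sha256.Sum256(input)
	if !ecdsa.VerifyASN1(pub, digest[:], ds[4:]) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	key, err := NewLogKey()
	if err != nil {
		panic(err)
	}
	entry := TimestampedEntryX509(1700000000000, []byte("constructed placeholder, not real DER"), nil)
	sct, _ := SignDigitally(key, SCTSigningInput(entry))
	root := MerkleLeafHash(entry) // a one-leaf tree: the root is the leaf hash
	sth, _ := SignDigitally(key, TreeHeadSigningInput(1700000000001, 1, root))
	fmt.Println("SCT:", VerifyDigitallySigned(&key.PublicKey, SCTSigningInput(entry), sct))
	fmt.Println("STH:", VerifyDigitallySigned(&key.PublicKey, TreeHeadSigningInput(1700000000001, 1, root), sth))
	fmt.Println("STH, tree_size altered:", VerifyDigitallySigned(&key.PublicKey, TreeHeadSigningInput(1700000000001, 2, root), sth))
}
```

The SCT signing input and the Merkle leaf differ only in their two-byte header (signature_type versus leaf_type), which is why a monitor can recompute the leaf hash for an entry from the same fields an SCT commits to; a precert_entry would carry a PreCert (issuer key hash plus length-prefixed TBSCertificate) in place of the length-prefixed certificate.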