trustmanager

package
v0.0.0-...-af40d72 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 8, 2016 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// ErrPathOutsideStore indicates that the returned path would be
	// outside the store
	ErrPathOutsideStore = errors.New("path outside file store")
)

Functions

func CertToKey 

func CertToKey(cert *x509.Certificate) data.PublicKey

CertToKey transforms a single input certificate into its corresponding PublicKey

func CertToPEM 

func CertToPEM(cert *x509.Certificate) []byte

CertToPEM is an utility function returns a PEM encoded x509 Certificate

func CertsToKeys 

func CertsToKeys(certs []*x509.Certificate) map[string]data.PublicKey

CertsToKeys transforms each of the input certificates into it's corresponding PublicKey

func CreateDirectory 

func CreateDirectory(dir string) error

CreateDirectory uses createDirectory to create a chmod 755 Directory

func CreatePrivateDirectory 

func CreatePrivateDirectory(dir string) error

CreatePrivateDirectory uses createDirectory to create a chmod 700 Directory

func ECDSAToPrivateKey 

func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error)

ECDSAToPrivateKey converts an ecdsa.Private key to a TUF data.PrivateKey type

func ED25519ToPrivateKey 

func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error)

ED25519ToPrivateKey converts a serialized ED25519 key to a TUF data.PrivateKey type

func EncryptPrivateKey 

func EncryptPrivateKey(key data.PrivateKey, role, passphrase string) ([]byte, error)

EncryptPrivateKey returns an encrypted PEM key given a Privatekey and a passphrase

func FingerprintCert 

func FingerprintCert(cert *x509.Certificate) (string, error)

FingerprintCert returns a TUF compliant fingerprint for a X509 Certificate

func GenerateECDSAKey 

func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error)

GenerateECDSAKey generates an ECDSA Private key and returns a TUF PrivateKey

func GenerateED25519Key 

func GenerateED25519Key(random io.Reader) (data.PrivateKey, error)

GenerateED25519Key generates an ED25519 private key and returns a TUF PrivateKey. The serialization format we use is just the public key bytes followed by the private key bytes

func GenerateRSAKey 

func GenerateRSAKey(random io.Reader, bits int) (data.PrivateKey, error)

GenerateRSAKey generates an RSA private key and returns a TUF PrivateKey

func GetCertFromURL 

func GetCertFromURL(urlStr string) (*x509.Certificate, error)

GetCertFromURL tries to get a X509 certificate given a HTTPS URL

func GetIntermediateCerts 

func GetIntermediateCerts(certs []*x509.Certificate) (intCerts []*x509.Certificate)

GetIntermediateCerts parses a list of x509 Certificates and returns all of the ones marked as a CA, to be used as intermediates

func GetLeafCerts 

func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate

GetLeafCerts parses a list of x509 Certificates and returns all of them that aren't CA

func GetPasswdDecryptBytes 

func GetPasswdDecryptBytes(passphraseRetriever passphrase.Retriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error)

GetPasswdDecryptBytes gets the password to decript the given pem bytes. Returns the password and private key

func KeyToPEM 

func KeyToPEM(privKey data.PrivateKey, role string) ([]byte, error)

KeyToPEM returns a PEM encoded key from a Private Key

func LoadCertBundleFromFile 

func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error)

LoadCertBundleFromFile loads certificates from the []byte provided. The data is expected to be PEM Encoded and contain one of more certificates with PEM type "CERTIFICATE"

func LoadCertBundleFromPEM 

func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error)

LoadCertBundleFromPEM loads certificates from the []byte provided. The data is expected to be PEM Encoded and contain one of more certificates with PEM type "CERTIFICATE"

func LoadCertFromFile 

func LoadCertFromFile(filename string) (*x509.Certificate, error)

LoadCertFromFile loads the first certificate from the file provided. The data is expected to be PEM Encoded and contain one of more certificates with PEM type "CERTIFICATE"

func LoadCertFromPEM 

func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error)

LoadCertFromPEM returns the first certificate found in a bunch of bytes or error if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.

func NewCertificate 

func NewCertificate(gun string, startTime, endTime time.Time) (*x509.Certificate, error)

NewCertificate returns an X509 Certificate following a template, given a GUN and validity interval.

func ParsePEMPrivateKey 

func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error)

ParsePEMPrivateKey returns a data.PrivateKey from a PEM encoded private key. It only supports RSA (PKCS#1) and attempts to decrypt using the passphrase, if encrypted.

func RSAToPrivateKey 

func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error)

RSAToPrivateKey converts an rsa.Private key to a TUF data.PrivateKey type

func Verify 

func Verify(s X509Store, dnsName string, certList []*x509.Certificate) error

Verify operates on an X509Store and validates the existence of a chain of trust between a leafCertificate and a CA present inside of the X509 Store. It requires at least two certificates in certList, a leaf Certificate and an intermediate CA certificate.

func X509PublicKeyID 

func X509PublicKeyID(certPubKey data.PublicKey) (string, error)

X509PublicKeyID returns a public key ID as a string, given a data.PublicKey that contains an X509 Certificate

Types

type CertID 

type CertID string

CertID represent the ID used to identify certificates

type ErrAttemptsExceeded 

type ErrAttemptsExceeded struct{}

ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

func (ErrAttemptsExceeded) Error 

func (err ErrAttemptsExceeded) Error() string

ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

type ErrBadCertificateStore 

type ErrBadCertificateStore struct {
}

ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store

func (ErrBadCertificateStore) Error 

func (err ErrBadCertificateStore) Error() string

ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store

type ErrCertExists 

type ErrCertExists struct {
}

ErrCertExists is returned when a Certificate already exists in the key store

func (ErrCertExists) Error 

func (err ErrCertExists) Error() string

ErrCertExists is returned when a Certificate already exists in the key store

type ErrCertValidation 

type ErrCertValidation struct {
}

ErrCertValidation is returned when a certificate doesn't pass the store specific validations

func (ErrCertValidation) Error 

func (err ErrCertValidation) Error() string

ErrCertValidation is returned when a certificate doesn't pass the store specific validations

type ErrKeyNotFound 

type ErrKeyNotFound struct {
	KeyID string
}

ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

func (ErrKeyNotFound) Error 

func (err ErrKeyNotFound) Error() string

ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

type ErrNoCertificatesFound 

type ErrNoCertificatesFound struct {
	// contains filtered or unexported fields
}

ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*

func (ErrNoCertificatesFound) Error 

func (err ErrNoCertificatesFound) Error() string

ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*

type ErrPasswordInvalid 

type ErrPasswordInvalid struct{}

ErrPasswordInvalid is returned when signing fails. It could also mean the signing key file was corrupted, but we have no way to distinguish.

func (ErrPasswordInvalid) Error 

func (err ErrPasswordInvalid) Error() string

ErrPasswordInvalid is returned when signing fails. It could also mean the signing key file was corrupted, but we have no way to distinguish.

type FileStore 

type FileStore interface {
	LimitedFileStore

	RemoveDir(directoryName string) error
	GetPath(fileName string) (string, error)
	ListDir(directoryName string) []string
	BaseDir() string
}

FileStore is the interface for full-featured FileStores

type KeyFileStore 

type KeyFileStore struct {
	sync.Mutex
	SimpleFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}

KeyFileStore persists and manages private keys on disk

func NewKeyFileStore 

func NewKeyFileStore(baseDir string, passphraseRetriever passphrase.Retriever) (*KeyFileStore, error)

NewKeyFileStore returns a new KeyFileStore creating a private directory to hold the keys.

func (*KeyFileStore) AddKey 

func (s *KeyFileStore) AddKey(name, role string, privKey data.PrivateKey) error

AddKey stores the contents of a PEM-encoded private key as a PEM block

func (*KeyFileStore) ExportKey 

func (s *KeyFileStore) ExportKey(name string) ([]byte, error)

ExportKey exportes the encrypted bytes from the keystore and writes it to dest.

func (*KeyFileStore) GetKey 

func (s *KeyFileStore) GetKey(name string) (data.PrivateKey, string, error)

GetKey returns the PrivateKey given a KeyID

func (*KeyFileStore) ImportKey 

func (s *KeyFileStore) ImportKey(pemBytes []byte, alias string) error

ImportKey imports the private key in the encrypted bytes into the keystore with the given key ID and alias.

func (*KeyFileStore) ListKeys 

func (s *KeyFileStore) ListKeys() map[string]string

ListKeys returns a list of unique PublicKeys present on the KeyFileStore.

func (*KeyFileStore) Name 

func (s *KeyFileStore) Name() string

Name returns a user friendly name for the location this store keeps its data

func (*KeyFileStore) RemoveKey 

func (s *KeyFileStore) RemoveKey(name string) error

RemoveKey removes the key from the keyfilestore

type KeyMemoryStore 

type KeyMemoryStore struct {
	sync.Mutex
	MemoryFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}

KeyMemoryStore manages private keys in memory

func NewKeyMemoryStore 

func NewKeyMemoryStore(passphraseRetriever passphrase.Retriever) *KeyMemoryStore

NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory

func (*KeyMemoryStore) AddKey 

func (s *KeyMemoryStore) AddKey(name, alias string, privKey data.PrivateKey) error

AddKey stores the contents of a PEM-encoded private key as a PEM block

func (*KeyMemoryStore) ExportKey 

func (s *KeyMemoryStore) ExportKey(name string) ([]byte, error)

ExportKey exportes the encrypted bytes from the keystore and writes it to dest.

func (*KeyMemoryStore) GetKey 

func (s *KeyMemoryStore) GetKey(name string) (data.PrivateKey, string, error)

GetKey returns the PrivateKey given a KeyID

func (*KeyMemoryStore) ImportKey 

func (s *KeyMemoryStore) ImportKey(pemBytes []byte, alias string) error

ImportKey imports the private key in the encrypted bytes into the keystore with the given key ID and alias.

func (*KeyMemoryStore) ListKeys 

func (s *KeyMemoryStore) ListKeys() map[string]string

ListKeys returns a list of unique PublicKeys present on the KeyFileStore.

func (*KeyMemoryStore) Name 

func (s *KeyMemoryStore) Name() string

Name returns a user friendly name for the location this store keeps its data

func (*KeyMemoryStore) RemoveKey 

func (s *KeyMemoryStore) RemoveKey(name string) error

RemoveKey removes the key from the keystore

type KeyStore 

type KeyStore interface {
	// Add Key adds a key to the KeyStore, and if the key already exists,
	// succeeds.  Otherwise, returns an error if it cannot add.
	AddKey(name, alias string, privKey data.PrivateKey) error
	GetKey(name string) (data.PrivateKey, string, error)
	ListKeys() map[string]string
	RemoveKey(name string) error
	ExportKey(name string) ([]byte, error)
	ImportKey(pemBytes []byte, alias string) error
	Name() string
}

KeyStore is a generic interface for private key storage

type LimitedFileStore 

type LimitedFileStore interface {
	// Add writes a file to the specified location, returning an error if this
	// is not possible (reasons may include permissions errors). The path is cleaned
	// before being made absolute against the store's base dir.
	Add(fileName string, data []byte) error

	// Remove deletes a file from the store relative to the store's base directory.
	// The path is cleaned before being made absolute to ensure no path traversal
	// outside the base directory is possible.
	Remove(fileName string) error

	// Get returns the file content found at fileName relative to the base directory
	// of the file store. The path is cleaned before being made absolute to ensure
	// path traversal outside the store is not possible. If the file is not found
	// an error to that effect is returned.
	Get(fileName string) ([]byte, error)

	// ListFiles returns a list of paths relative to the base directory of the
	// filestore. Any of these paths must be retrievable via the
	// LimitedFileStore.Get method.
	ListFiles() []string
}

LimitedFileStore implements the bare bones primitives (no hierarchy)

type MemoryFileStore 

type MemoryFileStore struct {
	sync.Mutex
	// contains filtered or unexported fields
}

MemoryFileStore is an implementation of LimitedFileStore that keeps the contents in memory.

func NewMemoryFileStore 

func NewMemoryFileStore() *MemoryFileStore

NewMemoryFileStore creates a MemoryFileStore

func (*MemoryFileStore) Add 

func (f *MemoryFileStore) Add(name string, data []byte) error

Add writes data to a file with a given name

func (*MemoryFileStore) Get 

func (f *MemoryFileStore) Get(name string) ([]byte, error)

Get returns the data given a file name

func (*MemoryFileStore) ListFiles 

func (f *MemoryFileStore) ListFiles() []string

ListFiles lists all the files inside of a store

func (*MemoryFileStore) Remove 

func (f *MemoryFileStore) Remove(name string) error

Remove removes a file identified by name

type SimpleFileStore 

type SimpleFileStore struct {
	// contains filtered or unexported fields
}

SimpleFileStore implements FileStore

func NewPrivateSimpleFileStore 

func NewPrivateSimpleFileStore(baseDir string, fileExt string) (*SimpleFileStore, error)

NewPrivateSimpleFileStore creates a directory with 700 permissions

func NewSimpleFileStore 

func NewSimpleFileStore(baseDir string, fileExt string) (*SimpleFileStore, error)

NewSimpleFileStore creates a directory with 755 permissions

func (*SimpleFileStore) Add 

func (f *SimpleFileStore) Add(name string, data []byte) error

Add writes data to a file with a given name

func (*SimpleFileStore) BaseDir 

func (f *SimpleFileStore) BaseDir() string

BaseDir returns the base directory of the filestore

func (*SimpleFileStore) Get 

func (f *SimpleFileStore) Get(name string) ([]byte, error)

Get returns the data given a file name

func (*SimpleFileStore) GetPath 

func (f *SimpleFileStore) GetPath(name string) (string, error)

GetPath returns the full final path of a file with a given name

func (*SimpleFileStore) ListDir 

func (f *SimpleFileStore) ListDir(name string) []string

ListDir lists all the files inside of a directory identified by a name

func (*SimpleFileStore) ListFiles 

func (f *SimpleFileStore) ListFiles() []string

ListFiles lists all the files inside of a store

func (*SimpleFileStore) Remove 

func (f *SimpleFileStore) Remove(name string) error

Remove removes a file identified by name

func (*SimpleFileStore) RemoveDir 

func (f *SimpleFileStore) RemoveDir(name string) error

RemoveDir removes the directory identified by name

type Validator 

type Validator interface {
	Validate(cert *x509.Certificate) bool
}

Validator is a convenience type to create validating function that filters certificates that get added to the store

type ValidatorFunc 

type ValidatorFunc func(cert *x509.Certificate) bool

ValidatorFunc is a convenience type to create functions that implement the Validator interface

func (ValidatorFunc) Validate 

func (vf ValidatorFunc) Validate(cert *x509.Certificate) bool

Validate implements the Validator interface to allow for any func() bool method to be passed as a Validator

type X509FileStore 

type X509FileStore struct {
	// contains filtered or unexported fields
}

X509FileStore implements X509Store that persists on disk

func NewX509FileStore 

func NewX509FileStore(directory string) (*X509FileStore, error)

NewX509FileStore returns a new X509FileStore.

func NewX509FilteredFileStore 

func NewX509FilteredFileStore(directory string, validate func(*x509.Certificate) bool) (*X509FileStore, error)

NewX509FilteredFileStore returns a new X509FileStore that validates certificates that are added.

func (*X509FileStore) AddCert 

func (s *X509FileStore) AddCert(cert *x509.Certificate) error

AddCert creates a filename for a given cert and adds a certificate with that name

func (*X509FileStore) AddCertFromFile 

func (s *X509FileStore) AddCertFromFile(filename string) error

AddCertFromFile tries to adds a X509 certificate to the store given a filename

func (X509FileStore) AddCertFromPEM 

func (s X509FileStore) AddCertFromPEM(pemBytes []byte) error

AddCertFromPEM adds the first certificate that it finds in the byte[], returning an error if no Certificates are found

func (*X509FileStore) Empty 

func (s *X509FileStore) Empty() bool

Empty returns true if there are no certificates in the X509FileStore, false otherwise.

func (*X509FileStore) GetCertificateByCertID 

func (s *X509FileStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)

GetCertificateByCertID returns the certificate that matches a certain certID

func (*X509FileStore) GetCertificatePool 

func (s *X509FileStore) GetCertificatePool() *x509.CertPool

GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.

func (*X509FileStore) GetCertificates 

func (s *X509FileStore) GetCertificates() []*x509.Certificate

GetCertificates returns an array with all of the current X509 Certificates.

func (*X509FileStore) GetCertificatesByCN 

func (s *X509FileStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)

GetCertificatesByCN returns all the certificates that match a specific CommonName

func (*X509FileStore) GetVerifyOptions 

func (s *X509FileStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)

GetVerifyOptions returns VerifyOptions with the certificates within the KeyStore as part of the roots list. This never allows the use of system roots, returning an error if there are no root CAs.

func (*X509FileStore) RemoveAll 

func (s *X509FileStore) RemoveAll() error

RemoveAll removes all the certificates from the store

func (*X509FileStore) RemoveCert 

func (s *X509FileStore) RemoveCert(cert *x509.Certificate) error

RemoveCert removes a certificate from a X509FileStore.

type X509MemStore 

type X509MemStore struct {
	// contains filtered or unexported fields
}

X509MemStore implements X509Store as an in-memory object with no persistence

func NewX509FilteredMemStore 

func NewX509FilteredMemStore(validate func(*x509.Certificate) bool) *X509MemStore

NewX509FilteredMemStore returns a new X509Memstore that validates certificates that are added.

func NewX509MemStore 

func NewX509MemStore() *X509MemStore

NewX509MemStore returns a new X509MemStore.

func (*X509MemStore) AddCert 

func (s *X509MemStore) AddCert(cert *x509.Certificate) error

AddCert adds a certificate to the store

func (*X509MemStore) AddCertFromFile 

func (s *X509MemStore) AddCertFromFile(originFilname string) error

AddCertFromFile tries to adds a X509 certificate to the store given a filename

func (*X509MemStore) AddCertFromPEM 

func (s *X509MemStore) AddCertFromPEM(pemBytes []byte) error

AddCertFromPEM adds a certificate to the store from a PEM blob

func (*X509MemStore) GetCertificateByCertID 

func (s *X509MemStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)

GetCertificateByCertID returns the certificate that matches a certain certID

func (*X509MemStore) GetCertificatePool 

func (s *X509MemStore) GetCertificatePool() *x509.CertPool

GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.

func (*X509MemStore) GetCertificates 

func (s *X509MemStore) GetCertificates() []*x509.Certificate

GetCertificates returns an array with all of the current X509 Certificates.

func (*X509MemStore) GetCertificatesByCN 

func (s *X509MemStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)

GetCertificatesByCN returns all the certificates that match a specific CommonName

func (*X509MemStore) GetVerifyOptions 

func (s *X509MemStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)

GetVerifyOptions returns VerifyOptions with the certificates within the KeyStore as part of the roots list. This never allows the use of system roots, returning an error if there are no root CAs.

func (*X509MemStore) RemoveAll 

func (s *X509MemStore) RemoveAll() error

RemoveAll removes all the certificates from the store

func (*X509MemStore) RemoveCert 

func (s *X509MemStore) RemoveCert(cert *x509.Certificate) error

RemoveCert removes a certificate from a X509MemStore.

type X509Store 

type X509Store interface {
	AddCert(cert *x509.Certificate) error
	AddCertFromPEM(pemCerts []byte) error
	AddCertFromFile(filename string) error
	RemoveCert(cert *x509.Certificate) error
	RemoveAll() error
	GetCertificateByCertID(certID string) (*x509.Certificate, error)
	GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
	GetCertificates() []*x509.Certificate
	GetCertificatePool() *x509.CertPool
	GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
}

X509Store is the interface for all X509Stores

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.