Documentation
Constants
This section is empty.
Variables
var ErrInvalidSignature = errors.New("invalid signature")
Functions
This section is empty.
Types
type DiskSigner
type DiskSigner struct {
// contains filtered or unexported fields
}
DiskSigner implements the Signer interface using a CA private key and CA certificate stored on disk. Each call to Sign generates a fresh one-time private key and a new certificate for it signed by the CA private key, and returns the signature over the payload along with that new certificate.
func NewDiskSigner
func NewDiskSigner(config *DiskSignerConfig) (*DiskSigner, error)
NewDiskSigner creates a new DiskSigner with the given configuration.
func (*DiskSigner) Sign
func (s *DiskSigner) Sign(payload []byte) ([]byte, []*x509.Certificate, error)
Sign computes a signature for the given payload by first hashing it with SHA-256, and returns the signature as a byte slice along with the certificate chain whose leaf is the certificate of the public key that verifies the signature.
type DiskSignerConfig
type DiskSignerConfig struct {
	// the path to the CA private key file
	CAPrivateKeyPath string
	// the path to the CA certificate file
	CACertPath string
	Clk clock.Clock
}
DiskSignerConfig is a configuration struct for creating a new DiskSigner.
func NewDiskSignerConfig
func NewDiskSignerConfig(CAPrivateKeyPath, CACertPath string) *DiskSignerConfig
NewDiskSignerConfig creates a new DiskSignerConfig with the given CA private key and CA certificate paths.
type DiskVerifier
type DiskVerifier struct {
// contains filtered or unexported fields
}
DiskVerifier implements the Verifier interface using a trust bundle stored on disk.
func NewDiskVerifier
func NewDiskVerifier(config *DiskVerifierConfig) (*DiskVerifier, error)
NewDiskVerifier creates a new DiskVerifier with the given configuration.
func (*DiskVerifier) Verify
func (v *DiskVerifier) Verify(payload, signature []byte, chain []*x509.Certificate) error
Verify checks whether the signature of the given payload matches the expected signature. It also verifies that the certificate provided with the signature is signed by a trusted root CA.
type DiskVerifierConfig
type DiskVerifierConfig struct {
	// the path to the trust bundle file (the trusted CA public keys)
	TrustBundlePath string
	Clk clock.Clock
}
DiskVerifierConfig is a configuration struct for creating a new DiskVerifier.
func NewDiskVerifierConfig
func NewDiskVerifierConfig(TrustBundlePath string) *DiskVerifierConfig
NewDiskVerifierConfig creates a new DiskVerifierConfig with the given trust bundle path.
type NoOpSigner
type NoOpSigner struct{}
NoOpSigner is a no-op implementation of the Signer interface.
func NewNoOpSigner
func NewNoOpSigner() *NoOpSigner
func (NoOpSigner) Sign
func (s NoOpSigner) Sign(payload []byte) ([]byte, []*x509.Certificate, error)
Sign computes a signature for the given payload and returns a no-op signature.
type NoOpVerifier
type NoOpVerifier struct{}
NoOpVerifier is a no-op implementation of the Verifier interface.
func NewNoOpVerifier
func NewNoOpVerifier() *NoOpVerifier
func (NoOpVerifier) Verify
func (v NoOpVerifier) Verify(payload, signature []byte, certChain []*x509.Certificate) error
Verify checks if the signature of the given payload matches the expected signature, which is always considered valid.
type Signer
type Signer interface {
	// Sign computes a signature for the given payload and returns it as a byte slice, and optionally the certificate
	// used for signing along with intermediate certificates.
	Sign(payload []byte) ([]byte, []*x509.Certificate, error)
}
Signer is an interface for signing payloads.
type Verifier
type Verifier interface {
	// Verify checks if the signature of the given payload matches the expected signature, using optionally a provided
	// certificate chain for verification.
	Verify(payload, signature []byte, certChain []*x509.Certificate) error
}
Verifier is an interface for verifying signatures on payloads.
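The following is an added, self-contained example of the contract that DiskSigner.Sign and DiskVerifier.Verify describe above: a fresh one-time key per signing operation, a leaf certificate for it issued by the CA, an ECDSA signature over the SHA-256 hash of the payload, and a verifier that chains the leaf to a trusted root before it checks the signature, returning ErrInvalidSignature only when the chain is trusted but the signature does not match. It is not this package's code. It assumes an in-memory CA (the `issue` helper, standing in for the CA key and certificate files), plain `time.Now()` instead of the package's `clock.Clock`, P-256 ECDSA keys (the page does not state the key type), and redeclares ErrInvalidSignature with the page's meaning; `Sign` here takes the CA material as parameters rather than as a struct as DiskSigner does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrInvalidSignature has the package's meaning: trusted chain, wrong signature.
var ErrInvalidSignature = errors.New("invalid signature")

// issue generates a fresh P-256 key plus a certificate for it (constructed in-memory
// stand-in for the on-disk CA). With parent == nil it self-signs a CA; otherwise it
// issues a leaf signed by parent with signer.
func issue(cn string, ttl time.Duration, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), // small clock-skew allowance
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign follows the DiskSigner contract: a one-time key, a short-lived leaf certificate
// for it signed by the CA, and an ECDSA signature over SHA-256 of the payload. The
// returned chain has the leaf first.
func Sign(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, payload []byte) ([]byte, []*x509.Certificate, error) {
	leafKey, leaf, err := issue("one-time-signer", 5*time.Minute, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return sig, []*x509.Certificate{leaf}, nil
}

// Verify follows the DiskVerifier contract: chain the leaf to a trusted root, then
// check the signature. ErrInvalidSignature means the chain was trusted.
func Verify(roots *x509.CertPool, payload, signature []byte, chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil {
		return fmt.Errorf("untrusted signing certificate: %w", err)
	}
	// CheckSignature hashes payload with SHA-256 and verifies it with the leaf's key.
	if err := chain[0].CheckSignature(x509.ECDSAWithSHA256, payload, signature); err != nil {
		return ErrInvalidSignature
	}
	return nil
}

func main() {
	caKey, caCert, err := issue("example-ca", time.Hour, nil, nil) // constructed test CA
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool() // in-memory equivalent of the trust bundle
	roots.AddCert(caCert)
	sig, chain, err := Sign(caKey, caCert, []byte("payload"))
	if err != nil {
		panic(err)
	}
	fmt.Println(Verify(roots, []byte("payload"), sig, chain), Verify(roots, []byte("other"), sig, chain))
}
```

The order of checks in `Verify` matters: the chain is validated against the trust bundle before the signature is examined, so a signature from a key certified by an untrusted CA is rejected as an untrusted certificate rather than being reported as an invalid signature, and a caller that matches on ErrInvalidSignature can tell the two failure modes apart.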