Documentation ¶
Index ¶
- Constants
- Variables
- type Certificate
- func (c *Certificate) Copy() *Certificate
- func (c *Certificate) Equal(o *Certificate) bool
- func (c *Certificate) JSON(indent bool) ([]byte, error)
- func (c *Certificate) Sign(signKey common.RawBytes, signAlgo string) error
- func (c *Certificate) String() string
- func (c *Certificate) UnmarshalJSON(b []byte) error
- func (c *Certificate) Verify(subject addr.IA, verifyKey common.RawBytes, signAlgo string) error
- func (c *Certificate) VerifySignature(verifyKey common.RawBytes, signAlgo string) error
- func (c *Certificate) VerifyTime(ts uint32) error
- type Chain
- func (c *Chain) Compress() (common.RawBytes, error)
- func (c *Chain) Copy() *Chain
- func (c *Chain) Equal(o *Chain) bool
- func (c *Chain) IAVer() (addr.IA, scrypto.Version)
- func (c *Chain) JSON(indent bool) ([]byte, error)
- func (c *Chain) Key() *Key
- func (c *Chain) String() string
- func (c *Chain) UnmarshalJSON(b []byte) error
- func (c *Chain) Verify(subject addr.IA, t *trc.TRC) error
- type Key
Constants ¶
const (
	// ErrEarlyUsage is the validity-window error for a certificate whose
	// IssuingTime lies after the time being checked (presumably returned by
	// Certificate.VerifyTime — confirm against the implementation).
	ErrEarlyUsage common.ErrMsg = "Certificate IssuingTime in the future"
	// ErrExpired is the validity-window error for a certificate whose
	// ExpirationTime lies before the time being checked (presumably returned
	// by Certificate.VerifyTime).
	ErrExpired common.ErrMsg = "Certificate expired"
	// ErrInvalidSubject signals that the certificate's Subject does not match
	// the subject the caller expected (Certificate.Verify checks the subject).
	ErrInvalidSubject common.ErrMsg = "Invalid subject"
	// ErrReservedVersion signals a certificate carrying the reserved version 0.
	// NOTE(review): Certificate.Version documents scrypto.LatestVer as the
	// reserved value; presumably LatestVer == 0 — confirm against scrypto.
	ErrReservedVersion common.ErrMsg = "Invalid version 0"
	// ErrUnableSigPack signals that the signature input (the certificate with
	// its Signature field left out) could not be created, so the certificate
	// could be neither signed nor verified.
	ErrUnableSigPack common.ErrMsg = "Cert: Unable to create signature input"
)
const (
	// MaxChainByteLength is the upper bound, in bytes, on the size of a
	// certificate chain (1 MiB). Where this bound is enforced is not visible
	// here; any decoder of Compress output should check the length prefix
	// against it before allocating a buffer for the decompressed chain.
	MaxChainByteLength uint32 = 1 << 20
	// DefaultLeafCertValidity is the default validity time of a leaf
	// certificate in seconds (3 days).
	DefaultLeafCertValidity = 3 * 24 * 60 * 60
	// DefaultIssuerCertValidity is the default validity time of an issuer
	// certificate in seconds (7 days).
	DefaultIssuerCertValidity = 7 * 24 * 60 * 60
)
Variables ¶
// Chain verification errors. Each one names a violated invariant of the
// leaf -> issuer -> TRC chain; presumably they are returned by Chain.Verify
// (confirm against the implementation).
var (
	// ErrIssCertInvalid: the issuer certificate itself did not verify.
	ErrIssCertInvalid = serrors.New("issuer certificate invalid")
	// ErrIssExpiresAfter: the issuer certificate outlives the TRC that
	// vouches for it, which must not happen.
	ErrIssExpiresAfter = serrors.New("issuer certificate expires after TRC")
	// ErrIssASNotFound: the AS named as issuer is not present in the TRC.
	ErrIssASNotFound = serrors.New("issuing AS not found")
	// ErrLeafCertInvalid: the leaf certificate itself did not verify.
	ErrLeafCertInvalid = serrors.New("leaf certificate invalid")
	// ErrLeafExpiresAfter: the leaf certificate outlives the issuer
	// certificate that signed it, which must not happen.
	ErrLeafExpiresAfter = serrors.New("leaf certificate expires after issuer certificate")
	// ErrLeafIssuedBefore: the leaf certificate's IssuingTime precedes that
	// of the issuer certificate that signed it, which must not happen.
	ErrLeafIssuedBefore = serrors.New("leaf certificate issued before issuer certificate")
)
Errors
Functions ¶
This section is empty.
Types ¶
type Certificate ¶
// Certificate is a SCION AS certificate: a subject's public keys bound to the
// subject's address, with a validity window, signed by an issuing AS.
// Field order is part of the JSON encoding and must not be changed.
type Certificate struct {
	// CanIssue describes whether the subject is able to issue certificates.
	CanIssue bool
	// Comment is an arbitrary and optional string used by the subject to
	// describe the certificate. It is not interpreted.
	Comment string
	// EncAlgorithm is the algorithm associated with SubjectEncKey.
	EncAlgorithm string
	// ExpirationTime is the unix timestamp in seconds at which the certificate
	// expires. NOTE: a uint32 seconds counter wraps in 2106.
	ExpirationTime uint32
	// Issuer is the certificate issuer. It can only be an issuing AS.
	Issuer addr.IA
	// IssuingTime is the unix timestamp in seconds at which the certificate
	// was created.
	IssuingTime uint32
	// SignAlgorithm is the algorithm associated with SubjectSignKey.
	SignAlgorithm string
	// Signature is the certificate signature. It is computed over the rest of
	// the certificate, i.e. every other field (see Sign), and is omitted from
	// the JSON encoding when empty.
	Signature common.RawBytes `json:",omitempty"`
	// Subject is the certificate subject.
	Subject addr.IA
	// SubjectEncKey is the public key used for encryption.
	SubjectEncKey common.RawBytes
	// SubjectSignKey is the public key used for signature verification.
	SubjectSignKey common.RawBytes
	// TRCVersion is the version of the issuing TRC.
	TRCVersion scrypto.Version
	// Version is the certificate version.
	// The value scrypto.LatestVer is reserved and shall not be used.
	Version scrypto.Version
}
func CertificateFromRaw ¶
func CertificateFromRaw(raw common.RawBytes) (*Certificate, error)
func (*Certificate) Copy ¶
func (c *Certificate) Copy() *Certificate
func (*Certificate) Equal ¶ added in v0.4.0
func (c *Certificate) Equal(o *Certificate) bool
func (*Certificate) Sign ¶
func (c *Certificate) Sign(signKey common.RawBytes, signAlgo string) error
Sign signs the certificate with signKey using the signature algorithm signAlgo and stores the result in the Signature field. The signature input is the certificate with the Signature field left out; if that input cannot be built, the error is ErrUnableSigPack.
func (*Certificate) String ¶
func (c *Certificate) String() string
func (*Certificate) UnmarshalJSON ¶
func (c *Certificate) UnmarshalJSON(b []byte) error
func (*Certificate) Verify ¶
Verify checks the certificate signature with the trusted verifying key verifyKey and the signature algorithm signAlgo, checks that the certificate's Subject equals subject, and checks that the certificate is valid at the current time (the window checked by VerifyTime). A caller that needs to validate at a different point in time must call VerifySignature and VerifyTime separately.
func (*Certificate) VerifySignature ¶
func (c *Certificate) VerifySignature(verifyKey common.RawBytes, signAlgo string) error
VerifySignature checks only the certificate signature, using the trusted verifying key verifyKey and the signature algorithm signAlgo. It does not check the subject or the validity window; use Verify for the combined check.
func (*Certificate) VerifyTime ¶
func (c *Certificate) VerifyTime(ts uint32) error
VerifyTime checks that ts (a unix timestamp in seconds) lies within the certificate's validity window, from IssuingTime to ExpirationTime; whether the bounds are inclusive is not stated here. This function does not check the signature, so a caller must also call VerifySignature, or use Verify, which checks against the current time.
type Chain ¶
// Chain is a two-level certificate chain. The JSON keys "0" and "1" fix the
// position of each certificate in the encoded form.
type Chain struct {
	// Leaf is the leaf certificate of the chain (JSON key "0"). It is signed
	// by the Issuer certificate.
	Leaf *Certificate `json:"0"`
	// Issuer is the issuer AS certificate of the chain (JSON key "1"). It is
	// signed by the TRC of the ISD.
	Issuer *Certificate `json:"1"`
}
Chain contains two certificates: the leaf certificate (Leaf) and the issuer certificate (Issuer). The leaf certificate is signed by the issuer certificate, which in turn is signed by the TRC of the corresponding ISD; Chain.Verify checks this link against a given TRC.
func ChainFromDir ¶
ChainFromDir reads all the {IA}-V*.crt files (e.g., ISD1-ASff00_0_1-V17.crt) contained directly in dir (no subdirectories) and, of those whose IA matches ia, returns the newest one (how "newest" is determined is not stated here; presumably by the version in the file name — confirm). The files must hold uncompressed chains, not the output of Compress. If parsing one of the files fails, f is called with the error as argument and execution continues with the remaining files. Nothing here indicates that the returned chain is verified; callers should still run Chain.Verify against the appropriate TRC before trusting it.
If no matching chain is found, ChainFromDir returns a nil chain and a nil error; callers must check for nil before using the result.
func ChainFromSlice ¶
func ChainFromSlice(certs []*Certificate) (*Chain, error)
ChainFromSlice creates a certificate chain from a slice of certificates. The first certificate becomes the leaf certificate and the second the issuer certificate. Only slices of exactly two certificates are supported. The chain is assembled, not verified; use Chain.Verify for that.
func (*Chain) Compress ¶
Compress encodes the certificate chain as JSON and compresses the result in lz4 block mode, prepending the original (uncompressed) length as a 4-byte little-endian unsigned integer. This framing is required because the Python lz4 library expects it. A decoder should treat the prefixed length as untrusted input and bound it (MaxChainByteLength is the natural limit) before allocating a buffer for the decompressed chain.