Documentation ¶
Overview ¶
Package ct holds core types and utilities for Certificate Transparency.
Index ¶
- Constants
- func IsPreIssuer(issuer *x509.Certificate) bool
- func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
- func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
- type ASN1Cert
- type AddChainRequest
- type AddChainResponse
- type AddJSONRequest
- type AuditPath
- type CTExtensions
- type CertificateChain
- type CertificateTimestamp
- type ConsistencyProof
- type DigitallySigned
- type GetEntriesResponse
- type GetEntryAndProofResponse
- type GetProofByHashResponse
- type GetRootsResponse
- type GetSTHConsistencyResponse
- type GetSTHResponse
- type JSONDataEntry
- type LeafEntry
- type LeafInput
- type LogEntry
- type LogEntryType
- type LogID
- type MerkleLeafType
- type MerkleTreeLeaf
- func CreateJSONMerkleTreeLeaf(data interface{}, timestamp uint64) *MerkleTreeLeaf
- func CreateX509MerkleTreeLeaf(cert ASN1Cert, timestamp uint64) *MerkleTreeLeaf
- func MerkleTreeLeafFromChain(chain []*x509.Certificate, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
- func MerkleTreeLeafFromRawChain(rawChain []ASN1Cert, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
- type MerkleTreeNode
- type PreCert
- type PrecertChainEntry
- type Precertificate
- type SHA256Hash
- type SignatureType
- type SignatureVerifier
- type SignedCertificateTimestamp
- type SignedTreeHead
- type TimestampedEntry
- type TreeHeadSignature
- type Version
Constants ¶
const ( AddChainPath = "/ct/v1/add-chain" AddPreChainPath = "/ct/v1/add-pre-chain" GetSTHPath = "/ct/v1/get-sth" GetEntriesPath = "/ct/v1/get-entries" GetProofByHashPath = "/ct/v1/get-proof-by-hash" GetSTHConsistencyPath = "/ct/v1/get-sth-consistency" GetRootsPath = "/ct/v1/get-roots" GetEntryAndProofPath = "/ct/v1/get-entry-and-proof" AddJSONPath = "/ct/v1/add-json" // Experimental addition )
URI paths for Log requests; see section 4.
Variables ¶
This section is empty.
Functions ¶
func IsPreIssuer ¶
func IsPreIssuer(issuer *x509.Certificate) bool
IsPreIssuer indicates whether a certificate is a pre-cert issuer with the specific certificate transparency extended key usage.
func SerializeSCTSignatureInput ¶
func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
SerializeSCTSignatureInput serializes the passed in sct and log entry into the correct format for signing.
func SerializeSTHSignatureInput ¶
func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
SerializeSTHSignatureInput serializes the passed in STH into the correct format for signing.
Types ¶
type ASN1Cert ¶
type ASN1Cert struct {
Data []byte `tls:"minlen:1,maxlen:16777215"`
}
ASN1Cert type for holding the raw DER bytes of an ASN.1 Certificate (section 3.1).
type AddChainRequest ¶
type AddChainRequest struct {
Chain [][]byte `json:"chain"`
}
AddChainRequest represents the JSON request body sent to the add-chain and add-pre-chain POST methods from sections 4.1 and 4.2.
type AddChainResponse ¶
type AddChainResponse struct { SCTVersion Version `json:"sct_version"` // SCT structure version ID []byte `json:"id"` // Log ID Timestamp uint64 `json:"timestamp"` // Timestamp of issuance Extensions string `json:"extensions"` // Holder for any CT extensions Signature []byte `json:"signature"` // Log signature for this SCT }
AddChainResponse represents the JSON response to the add-chain and add-pre-chain POST methods. An SCT represents a Log's promise to integrate a [pre-]certificate into the log within a defined period of time.
type AddJSONRequest ¶
type AddJSONRequest struct {
Data interface{} `json:"data"`
}
AddJSONRequest represents the JSON request body sent to the add-json POST method. The corresponding response re-uses AddChainResponse. This is an experimental addition not covered by RFC6962.
type AuditPath ¶
type AuditPath []MerkleTreeNode
AuditPath represents a CT inclusion proof (see sections 2.1.1 and 4.5).
type CTExtensions ¶
type CTExtensions []byte // tls:"minlen:0,maxlen:65535"`
CTExtensions is a representation of the raw bytes of any CtExtension structure (see section 3.2).
type CertificateChain ¶
type CertificateChain struct {
Entries []ASN1Cert `tls:"minlen:0,maxlen:16777215"`
}
CertificateChain holds a chain of certificates, as returned as extra data for get-entries (section 4.6).
type CertificateTimestamp ¶
type CertificateTimestamp struct { SCTVersion Version `tls:"maxval:255"` SignatureType SignatureType `tls:"maxval:255"` Timestamp uint64 EntryType LogEntryType `tls:"maxval:65535"` X509Entry *ASN1Cert `tls:"selector:EntryType,val:0"` PrecertEntry *PreCert `tls:"selector:EntryType,val:1"` JSONEntry *JSONDataEntry `tls:"selector:EntryType,val:32768"` Extensions CTExtensions `tls:"minlen:0,maxlen:65535"` }
CertificateTimestamp is the collection of data that the signature in an SCT is over; see section 3.2.
type ConsistencyProof ¶
type ConsistencyProof []MerkleTreeNode
ConsistencyProof represents a CT consistency proof (see sections 2.1.2 and 4.4).
type DigitallySigned ¶
type DigitallySigned tls.DigitallySigned
DigitallySigned is a local alias for tls.DigitallySigned so that we can attach a MarshalJSON method.
func (DigitallySigned) Base64String ¶
func (d DigitallySigned) Base64String() (string, error)
Base64String returns the base64 representation of the DigitallySigned struct.
func (*DigitallySigned) FromBase64String ¶
func (d *DigitallySigned) FromBase64String(b64 string) error
FromBase64String populates the DigitallySigned structure from the base64 data passed in. Returns an error if the base64 data is invalid.
func (DigitallySigned) MarshalJSON ¶
func (d DigitallySigned) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaller interface.
func (*DigitallySigned) UnmarshalJSON ¶
func (d *DigitallySigned) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type GetEntriesResponse ¶
type GetEntriesResponse struct {
Entries []LeafEntry `json:"entries"` // the list of returned entries
}
GetEntriesResponse respresents the JSON response to the get-entries GET method from section 4.6.
type GetEntryAndProofResponse ¶
type GetEntryAndProofResponse struct { LeafInput []byte `json:"leaf_input"` // the entry itself ExtraData []byte `json:"extra_data"` // any chain provided when the entry was added to the log AuditPath [][]byte `json:"audit_path"` // the corresponding proof }
GetEntryAndProofResponse represents the JSON response to the get-entry-and-proof GET method from section 4.8. (The corresponding GET request has parameters 'leaf_index' and 'tree_size'.)
type GetProofByHashResponse ¶
type GetProofByHashResponse struct { LeafIndex int64 `json:"leaf_index"` // The 0-based index of the end entity corresponding to the "hash" parameter. AuditPath [][]byte `json:"audit_path"` // An array of base64-encoded Merkle Tree nodes proving the inclusion of the chosen certificate. }
GetProofByHashResponse represents the JSON response to the get-proof-by-hash GET method from section 4.5. (The corresponding GET request has parameters 'hash' and 'tree_size'.)
type GetRootsResponse ¶
type GetRootsResponse struct {
Certificates []string `json:"certificates"`
}
GetRootsResponse represents the JSON response to the get-roots GET method from section 4.7.
type GetSTHConsistencyResponse ¶
type GetSTHConsistencyResponse struct {
Consistency [][]byte `json:"consistency"`
}
GetSTHConsistencyResponse represents the JSON response to the get-sth-consistency GET method from section 4.4. (The corresponding GET request has parameters 'first' and 'second'.)
type GetSTHResponse ¶
type GetSTHResponse struct { TreeSize uint64 `json:"tree_size"` // Number of certs in the current tree Timestamp uint64 `json:"timestamp"` // Time that the tree was created SHA256RootHash []byte `json:"sha256_root_hash"` // Root hash of the tree TreeHeadSignature []byte `json:"tree_head_signature"` // Log signature for this STH }
GetSTHResponse respresents the JSON response to the get-sth GET method from section 4.3.
type JSONDataEntry ¶
type JSONDataEntry struct {
Data []byte `tls:"minlen:0,maxlen:1677215"`
}
JSONDataEntry holds arbitrary data.
type LeafEntry ¶
type LeafEntry struct { // LeafInput is a TLS-encoded MerkleTreeLeaf LeafInput []byte `json:"leaf_input"` // ExtraData holds (unsigned) extra data, normally the cert validation chain. ExtraData []byte `json:"extra_data"` }
LeafEntry represents a leaf in the Log's Merkle tree
type LogEntry ¶
type LogEntry struct { Index int64 Leaf MerkleTreeLeaf // Exactly one of the following three fields should be non-empty. X509Cert *x509.Certificate // Parsed X.509 certificate Precert *Precertificate // Extracted precertificate JSONData []byte Chain []ASN1Cert }
LogEntry represents the contents of an entry in a CT log. This is described in section 3.1, but note that this structure does *not* match the TLS structure defined there (the TLS structure is never used directly in RFC6962).
type LogEntryType ¶
LogEntryType represents the LogEntryType enum from section 3.1:
enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
const ( X509LogEntryType LogEntryType = 0 PrecertLogEntryType LogEntryType = 1 XJSONLogEntryType LogEntryType = 0x8000 // Experimental. Don't rely on this! )
LogEntryType constants from section 3.1.
func (LogEntryType) String ¶
func (e LogEntryType) String() string
type MerkleLeafType ¶
MerkleLeafType represents the MerkleLeafType enum from section 3.4:
enum { timestamped_entry(0), (255) } MerkleLeafType;
const TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
TimestampedEntryLeafType is the only defined MerkleLeafType constant from section 3.4.
func (MerkleLeafType) String ¶
func (m MerkleLeafType) String() string
type MerkleTreeLeaf ¶
type MerkleTreeLeaf struct { Version Version `tls:"maxval:255"` LeafType MerkleLeafType `tls:"maxval:255"` TimestampedEntry *TimestampedEntry `tls:"selector:LeafType,val:0"` }
MerkleTreeLeaf represents the deserialized structure of the hash input for the leaves of a log's Merkle tree; see section 3.4.
func CreateJSONMerkleTreeLeaf ¶
func CreateJSONMerkleTreeLeaf(data interface{}, timestamp uint64) *MerkleTreeLeaf
CreateJSONMerkleTreeLeaf creates the merkle tree leaf for json data.
func CreateX509MerkleTreeLeaf ¶
func CreateX509MerkleTreeLeaf(cert ASN1Cert, timestamp uint64) *MerkleTreeLeaf
CreateX509MerkleTreeLeaf generates a MerkleTreeLeaf for an X509 cert
func MerkleTreeLeafFromChain ¶
func MerkleTreeLeafFromChain(chain []*x509.Certificate, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
MerkleTreeLeafFromChain generates a MerkleTreeLeaf from a chain and timestamp.
func MerkleTreeLeafFromRawChain ¶
func MerkleTreeLeafFromRawChain(rawChain []ASN1Cert, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
MerkleTreeLeafFromRawChain generates a MerkleTreeLeaf from a chain (in DER-encoded form) and timestamp.
func (*MerkleTreeLeaf) X509Certificate ¶
func (m *MerkleTreeLeaf) X509Certificate() (*x509.Certificate, error)
X509Certificate returns the X.509 Certificate contained within the MerkleTreeLeaf.
type MerkleTreeNode ¶
type MerkleTreeNode []byte
MerkleTreeNode represents an internal node in the CT tree.
type PreCert ¶
type PreCert struct { IssuerKeyHash [sha256.Size]byte TBSCertificate []byte `tls:"minlen:1,maxlen:16777215"` // DER-encoded TBSCertificate }
PreCert represents a Precertificate (section 3.2).
type PrecertChainEntry ¶
type PrecertChainEntry struct { PreCertificate ASN1Cert `tls:"minlen:1,maxlen:16777215"` CertificateChain []ASN1Cert `tls:"minlen:0,maxlen:16777215"` }
PrecertChainEntry holds an precertificate together with a validation chain for it; see section 3.1.
type Precertificate ¶
type Precertificate struct { // Raw DER bytes of the precert Raw []byte // SHA256 hash of the issuing key IssuerKeyHash [sha256.Size]byte // Parsed TBSCertificate structure, held in an x509.Certificate for convenience. TBSCertificate x509.Certificate }
Precertificate represents the parsed CT Precertificate structure.
type SHA256Hash ¶
SHA256Hash represents the output from the SHA256 hash function.
func PublicKeyFromPEM ¶
PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
func (SHA256Hash) Base64String ¶
func (s SHA256Hash) Base64String() string
Base64String returns the base64 representation of this SHA256Hash.
func (*SHA256Hash) FromBase64String ¶
func (s *SHA256Hash) FromBase64String(b64 string) error
FromBase64String populates the SHA256 struct with the contents of the base64 data passed in.
func (SHA256Hash) MarshalJSON ¶
func (s SHA256Hash) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaller interface for SHA256Hash.
func (*SHA256Hash) UnmarshalJSON ¶
func (s *SHA256Hash) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaller interface.
type SignatureType ¶
SignatureType differentiates STH signatures from SCT signatures, see section 3.2.
enum { certificate_timestamp(0), tree_hash(1), (255) } SignatureType;
const ( CertificateTimestampSignatureType SignatureType = 0 TreeHashSignatureType SignatureType = 1 )
SignatureType constants from section 3.2.
func (SignatureType) String ¶
func (st SignatureType) String() string
type SignatureVerifier ¶
type SignatureVerifier struct {
// contains filtered or unexported fields
}
SignatureVerifier can verify signatures on SCTs and STHs
func NewSignatureVerifier ¶
func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error)
NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.
func (SignatureVerifier) VerifySCTSignature ¶
func (s SignatureVerifier) VerifySCTSignature(sct SignedCertificateTimestamp, entry LogEntry) error
VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry.
func (SignatureVerifier) VerifySTHSignature ¶
func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error
VerifySTHSignature verifies that the STH's signature is valid.
func (SignatureVerifier) VerifySignature ¶
func (s SignatureVerifier) VerifySignature(data []byte, sig tls.DigitallySigned) error
VerifySignature verifies the given signature sig matches the data.
type SignedCertificateTimestamp ¶
type SignedCertificateTimestamp struct { SCTVersion Version `tls:"maxval:255"` LogID LogID Timestamp uint64 Extensions CTExtensions `tls:"minlen:0,maxlen:65535"` Signature DigitallySigned // Signature over TLS-encoded CertificateTimestamp }
SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding; see sections 3.2, 4.1 and 4.2.
func (SignedCertificateTimestamp) String ¶
func (s SignedCertificateTimestamp) String() string
type SignedTreeHead ¶
type SignedTreeHead struct { Version Version `json:"sth_version"` // The version of the protocol to which the STH conforms TreeSize uint64 `json:"tree_size"` // The number of entries in the new tree Timestamp uint64 `json:"timestamp"` // The time at which the STH was created SHA256RootHash SHA256Hash `json:"sha256_root_hash"` // The root hash of the log's Merkle tree TreeHeadSignature DigitallySigned `json:"tree_head_signature"` // Log's signature over a TLS-encoded TreeHeadSignature LogID SHA256Hash `json:"log_id"` // The SHA256 hash of the log's public key }
SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding; see sections 3.5 and 4.3.
type TimestampedEntry ¶
type TimestampedEntry struct { Timestamp uint64 EntryType LogEntryType `tls:"maxval:65535"` X509Entry *ASN1Cert `tls:"selector:EntryType,val:0"` PrecertEntry *PreCert `tls:"selector:EntryType,val:1"` JSONEntry *JSONDataEntry `tls:"selector:EntryType,val:32768"` Extensions CTExtensions `tls:"minlen:0,maxlen:65535"` }
TimestampedEntry is part of the MerkleTreeLeaf structure; see section 3.4.
type TreeHeadSignature ¶
type TreeHeadSignature struct { Version Version `tls:"maxval:255"` SignatureType SignatureType `tls:"maxval:255"` // == TreeHashSignatureType Timestamp uint64 TreeSize uint64 SHA256RootHash SHA256Hash }
TreeHeadSignature holds the data over which the signature in an STH is generated; see section 3.5
Directories ¶
Path | Synopsis |
---|---|
Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
|
Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690. |
Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
|
Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances. |
ctclient
ctclient is a command-line utility for interacting with CT logs.
|
ctclient is a command-line utility for interacting with CT logs. |
Package fixchain holds code to help fix the validation chains for certificates.
|
Package fixchain holds code to help fix the validation chains for certificates. |
main
fixchain is a utility program for fixing the validation chains for certificates.
|
fixchain is a utility program for fixing the validation chains for certificates. |
ratelimiter
Package ratelimiter provides an exceedingly simple rate limiter.
|
Package ratelimiter provides an exceedingly simple rate limiter. |
Package gossip holds code for spreading CT log information via a gossip protocol.
|
Package gossip holds code for spreading CT log information via a gossip protocol. |
Package merkletree holds code to manipulate Merkle trees.
|
Package merkletree holds code to manipulate Merkle trees. |
Package preload holds code for adding batches of certificates to CT logs.
|
Package preload holds code for adding batches of certificates to CT logs. |
Package scanner holds code for iterating through the contents of a CT log.
|
Package scanner holds code for iterating through the contents of a CT log. |
Package tls implements functionality for dealing with TLS-encoded data, as defined in RFC 5246.
|
Package tls implements functionality for dealing with TLS-encoded data, as defined in RFC 5246. |
trillian
|
|
ctfe
Package ctfe contains a usage example by providing an implementation of an RFC6962 compatible CT log server using a Trillian log server as backend storage via its GRPC API.
|
Package ctfe contains a usage example by providing an implementation of an RFC6962 compatible CT log server using a Trillian log server as backend storage via its GRPC API. |
ctfe/configpb
Package configpb is a generated protocol buffer package.
|
Package configpb is a generated protocol buffer package. |
ctfe/ct_server
The ct_server binary runs the CT personality.
|
The ct_server binary runs the CT personality. |
ctfe/testonly
Package testonly contains code and data that should only be used by tests.
|
Package testonly contains code and data that should only be used by tests. |
integration
Package integration holds test-only code for running tests on an integrated system of the CT personality and a Trillian log.
|
Package integration holds test-only code for running tests on an integrated system of the CT personality and a Trillian log. |
integration/ct_hammer
ct_hammer is a stress/load test for a CT log.
|
ct_hammer is a stress/load test for a CT log. |
mockclient
Package mockclient provides a mockable version of the Trillian log client API.
|
Package mockclient provides a mockable version of the Trillian log client API. |
util
Package util provides general utility functions for the CT personality.
|
Package util provides general utility functions for the CT personality. |
Package x509 parses X.509-encoded keys and certificates.
|
Package x509 parses X.509-encoded keys and certificates. |
pkix
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
|
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP. |
Package x509util includes utility code for working with X.509 certificates from the x509 package.
|
Package x509util includes utility code for working with X.509 certificates from the x509 package. |