Documentation ¶
Index ¶
- Constants
- Variables
- func GenerateSigningKeypair(scheme SignatureScheme) (Signer, Verifier, error)
- func TreeNodeCount(nLeaves uint64) uint
- func UnmarshalAbridgedAssertions(r io.Reader, f func(int, *AbridgedAssertion) error) error
- func VerifierFingerprint(v Verifier) string
- type AbridgedAssertion
- type AbridgedSubject
- type AbridgedTLSSubject
- type Assertion
- type Batch
- func (batch *Batch) Anchor() *MerkleTreeTrustAnchor
- func (batch *Batch) ComputeRootFromAuthenticationPath(index uint64, path []byte, aa *AbridgedAssertion) ([]byte, error)
- func (batch *Batch) ComputeTree(r io.Reader) (*Tree, error)
- func (batch *Batch) SignValidityWindow(signer Signer, prevHeads []byte, root []byte) (SignedValidityWindow, error)
- func (batch *Batch) VerifyAuthenticationPath(index uint64, path, root []byte, aa *AbridgedAssertion) error
- type BatchRange
- type BikeshedCertificate
- type CAParams
- func (p *CAParams) ActiveBatches(dt time.Time) BatchRange
- func (p *CAParams) MarshalBinary() ([]byte, error)
- func (p *CAParams) NextBatchAt(dt time.Time) time.Time
- func (p *CAParams) PreEpochRoots() []byte
- func (p *CAParams) StoredBatches(dt time.Time) BatchRange
- func (p *CAParams) UnmarshalBinary(data []byte) error
- func (p *CAParams) Validate() error
- type ClaimType
- type Claims
- type MerkleTreeProof
- type MerkleTreeTrustAnchor
- type Proof
- type ProofType
- type SignatureScheme
- type SignedValidityWindow
- type Signer
- type Subject
- type SubjectBase
- type SubjectType
- type TLSSubject
- type Tree
- type TrustAnchor
- type UnknownClaim
- type UnknownProof
- type UnknownSubject
- type UnknownTrustAnchor
- type ValidityWindow
- type Verifier
Constants ¶
const (
HashLen = 32
)
Variables ¶
var ( // ErrTruncated is a parsing error returned when the input seems to have // been truncated. ErrTruncated = errors.New("Input truncated") // ErrExtraBytes is a parsing error returned when there are extraneous // bytes at the end of, or within, the data. ErrExtraBytes = errors.New("Unexpected extra (internal) bytes") )
Functions ¶
func GenerateSigningKeypair ¶
func GenerateSigningKeypair(scheme SignatureScheme) (Signer, Verifier, error)
func TreeNodeCount ¶
Returns the number of nodes in the Merkle tree for a batch, which has nLeaves assertions.
func UnmarshalAbridgedAssertions ¶
Unmarshals AbridgedAssertions from r and calls f for each, with the offset in the stream as first argument, and the abridged assertion as second argument.
Returns early one rror.
Types ¶
type AbridgedAssertion ¶
type AbridgedAssertion struct { Subject AbridgedSubject Claims Claims }
func (*AbridgedAssertion) Hash ¶
func (a *AbridgedAssertion) Hash(out []byte, batch *Batch, index uint64) error
Computes the leaf hash of the AbridgedAssertion in the Merkle tree computed for the batch.
func (*AbridgedAssertion) Key ¶
func (a *AbridgedAssertion) Key(out []byte) error
Computes the key of the AbridgedAssertion used in the index.
func (*AbridgedAssertion) MarshalBinary ¶
func (a *AbridgedAssertion) MarshalBinary() ([]byte, error)
func (*AbridgedAssertion) UnmarshalBinary ¶
func (a *AbridgedAssertion) UnmarshalBinary(data []byte) error
type AbridgedSubject ¶
type AbridgedSubject interface { SubjectBase }
type AbridgedTLSSubject ¶
type AbridgedTLSSubject struct { SignatureScheme SignatureScheme PublicKeyHash [HashLen]byte }
func (*AbridgedTLSSubject) Info ¶
func (s *AbridgedTLSSubject) Info() []byte
func (*AbridgedTLSSubject) Type ¶
func (s *AbridgedTLSSubject) Type() SubjectType
type Assertion ¶
func (*Assertion) Abridge ¶
func (a *Assertion) Abridge() (ret AbridgedAssertion)
func (*Assertion) MarshalBinary ¶
func (*Assertion) UnmarshalBinary ¶
type Batch ¶
func (*Batch) Anchor ¶
func (batch *Batch) Anchor() *MerkleTreeTrustAnchor
func (*Batch) ComputeRootFromAuthenticationPath ¶
func (batch *Batch) ComputeRootFromAuthenticationPath(index uint64, path []byte, aa *AbridgedAssertion) ([]byte, error)
Compute batch root from authentication path.
To verify a certificate/proof, use VerifyAuthenticationPath instead.
func (*Batch) ComputeTree ¶
Compute Merkle tree from a stream of AbridgedAssertion from in.
func (*Batch) SignValidityWindow ¶
func (*Batch) VerifyAuthenticationPath ¶
func (batch *Batch) VerifyAuthenticationPath(index uint64, path, root []byte, aa *AbridgedAssertion) error
Check validity of authentication path.
Return nil on valid authentication path.
type BatchRange ¶
Range of batch numbers Begin, …, End-1.
func (BatchRange) AreAllPast ¶
func (r BatchRange) AreAllPast(batch uint32) bool
Returns whether each batch in the range is after the given batch
func (BatchRange) Contains ¶
func (r BatchRange) Contains(batch uint32) bool
Returns whether r contains the batch with the given number.
func (BatchRange) Len ¶
func (r BatchRange) Len() int
func (BatchRange) String ¶
func (r BatchRange) String() string
type BikeshedCertificate ¶
func (*BikeshedCertificate) MarshalBinary ¶
func (c *BikeshedCertificate) MarshalBinary() ([]byte, error)
func (*BikeshedCertificate) UnmarshalBinary ¶
func (c *BikeshedCertificate) UnmarshalBinary(data []byte) error
type CAParams ¶
type CAParams struct { IssuerId string PublicKey Verifier StartTime uint64 BatchDuration uint64 Lifetime uint64 ValidityWindowSize uint64 StorageWindowSize uint64 HttpServer string }
Public parameters of a Merkle Tree CA
func (*CAParams) ActiveBatches ¶
func (p *CAParams) ActiveBatches(dt time.Time) BatchRange
Batches that are non-expired, and either issued or ready, at the given time.
func (*CAParams) MarshalBinary ¶
func (*CAParams) NextBatchAt ¶ added in v0.1.1
Returns the the time when the next batch starts.
func (*CAParams) PreEpochRoots ¶
Returns the roots of the validity window prior the epoch.
func (*CAParams) StoredBatches ¶
func (p *CAParams) StoredBatches(dt time.Time) BatchRange
Batches that are expected to be available at this CA, at the given time. The last few might not yet have been published.
func (*CAParams) UnmarshalBinary ¶
type Claims ¶
type Claims struct { DNS []string DNSWildcard []string IPv4 []net.IP IPv6 []net.IP Unknown []UnknownClaim }
List of claims.
func (*Claims) MarshalBinary ¶
func (*Claims) UnmarshalBinary ¶
type MerkleTreeProof ¶
type MerkleTreeProof struct {
// contains filtered or unexported fields
}
func NewMerkleTreeProof ¶
func NewMerkleTreeProof(batch *Batch, index uint64, path []byte) *MerkleTreeProof
func (*MerkleTreeProof) Index ¶
func (p *MerkleTreeProof) Index() uint64
func (*MerkleTreeProof) Info ¶
func (p *MerkleTreeProof) Info() []byte
func (*MerkleTreeProof) Path ¶
func (p *MerkleTreeProof) Path() []byte
func (*MerkleTreeProof) TrustAnchor ¶
func (p *MerkleTreeProof) TrustAnchor() TrustAnchor
type MerkleTreeTrustAnchor ¶
type MerkleTreeTrustAnchor struct {
// contains filtered or unexported fields
}
func (*MerkleTreeTrustAnchor) BatchNumber ¶
func (t *MerkleTreeTrustAnchor) BatchNumber() uint32
func (*MerkleTreeTrustAnchor) Info ¶
func (t *MerkleTreeTrustAnchor) Info() []byte
func (*MerkleTreeTrustAnchor) IssuerId ¶
func (t *MerkleTreeTrustAnchor) IssuerId() string
func (*MerkleTreeTrustAnchor) ProofType ¶
func (t *MerkleTreeTrustAnchor) ProofType() ProofType
type Proof ¶
type Proof interface { TrustAnchor() TrustAnchor Info() []byte }
type SignatureScheme ¶
type SignatureScheme uint16
Copy of tls.SignatureScheme to prevent cycling dependencies
const ( TLSPSSWithSHA256 SignatureScheme = 0x0804 TLSPSSWithSHA384 SignatureScheme = 0x0805 TLSPSSWithSHA512 SignatureScheme = 0x0806 TLSECDSAWithP256AndSHA256 SignatureScheme = 0x0403 TLSECDSAWithP384AndSHA384 SignatureScheme = 0x0503 TLSECDSAWithP521AndSHA512 SignatureScheme = 0x0603 TLSEd25519 SignatureScheme = 0x0807 // Just for testing we use round 3 Dilithium5 with a codepoint in the // private use region. For production SPHINCS⁺-128s would be a better // choice. TLSDilitihium5r3 SignatureScheme = 0xfe3c )
func SignatureSchemeFromString ¶
func SignatureSchemeFromString(s string) SignatureScheme
func SignatureSchemesFor ¶
func SignatureSchemesFor(pk crypto.PublicKey) []SignatureScheme
Returns valid signature schemes for given public key
func (SignatureScheme) String ¶
func (s SignatureScheme) String() string
type SignedValidityWindow ¶
type SignedValidityWindow struct { ValidityWindow Signature []byte }
func (*SignedValidityWindow) MarshalBinary ¶
func (w *SignedValidityWindow) MarshalBinary() ([]byte, error)
func (*SignedValidityWindow) UnmarshalBinary ¶
func (w *SignedValidityWindow) UnmarshalBinary(data []byte, p *CAParams) error
func (*SignedValidityWindow) UnmarshalBinaryWithoutVerification ¶
func (w *SignedValidityWindow) UnmarshalBinaryWithoutVerification( data []byte, p *CAParams) error
Like UnmarshalBinary() but doesn't check the signature.
type Signer ¶
type Signer interface { Sign(message []byte) []byte Scheme() SignatureScheme Bytes() []byte }
Signing private key with specific hash and options.
func UnmarshalSigner ¶
func UnmarshalSigner(scheme SignatureScheme, data []byte) ( Signer, error)
type Subject ¶
type Subject interface { SubjectBase Abridge() AbridgedSubject }
type SubjectBase ¶
type SubjectBase interface { Type() SubjectType Info() []byte }
type SubjectType ¶
type SubjectType uint16
const (
TLSSubjectType SubjectType = iota
)
func (SubjectType) String ¶
func (s SubjectType) String() string
type TLSSubject ¶
type TLSSubject struct {
// contains filtered or unexported fields
}
func NewTLSSubject ¶
func NewTLSSubject(scheme SignatureScheme, pk crypto.PublicKey) (*TLSSubject, error)
func (*TLSSubject) Abridge ¶
func (s *TLSSubject) Abridge() AbridgedSubject
func (*TLSSubject) Info ¶
func (s *TLSSubject) Info() []byte
func (*TLSSubject) Type ¶
func (s *TLSSubject) Type() SubjectType
func (*TLSSubject) Verifier ¶
func (s *TLSSubject) Verifier() (Verifier, error)
type Tree ¶
type Tree struct {
// contains filtered or unexported fields
}
Merkle tree built upon the assertions of a batch.
func (*Tree) AuthenticationPath ¶
Return authentication path proving that the leaf at the given index is included in the Merkle tree.
func (*Tree) UnmarshalBinary ¶
type TrustAnchor ¶
type UnknownClaim ¶
Represents a claim we do not how to interpret.
type UnknownProof ¶
type UnknownProof struct {
// contains filtered or unexported fields
}
func (*UnknownProof) Info ¶
func (p *UnknownProof) Info() []byte
func (*UnknownProof) TrustAnchor ¶
func (p *UnknownProof) TrustAnchor() TrustAnchor
type UnknownSubject ¶
type UnknownSubject struct {
// contains filtered or unexported fields
}
Used for either an unknown (abridged) subject
func (*UnknownSubject) Abridge ¶
func (s *UnknownSubject) Abridge() AbridgedSubject
func (*UnknownSubject) Info ¶
func (s *UnknownSubject) Info() []byte
func (*UnknownSubject) Type ¶
func (s *UnknownSubject) Type() SubjectType
type UnknownTrustAnchor ¶
type UnknownTrustAnchor struct {
// contains filtered or unexported fields
}
func (*UnknownTrustAnchor) Info ¶
func (t *UnknownTrustAnchor) Info() []byte
func (*UnknownTrustAnchor) ProofType ¶
func (t *UnknownTrustAnchor) ProofType() ProofType
type ValidityWindow ¶
func (*ValidityWindow) LabeledValdityWindow ¶
func (w *ValidityWindow) LabeledValdityWindow(ca *CAParams) ([]byte, error)
Returns the corresponding marshalled LabeledValdityWindow, which is signed by the CA.
func (*ValidityWindow) MarshalBinary ¶
func (w *ValidityWindow) MarshalBinary() ([]byte, error)
type Verifier ¶
type Verifier interface { Verify(message, signature []byte) error Scheme() SignatureScheme Bytes() []byte }
Signing public key with specific hash and options.
func NewVerifier ¶
func NewVerifier(scheme SignatureScheme, pk crypto.PublicKey) ( Verifier, error)
func UnmarshalVerifier ¶
func UnmarshalVerifier(scheme SignatureScheme, data []byte) ( Verifier, error)