Documentation
Index
- Constants
- Variables
- func MarshalDigitallySigned(ds DigitallySigned) ([]byte, error)
- func ReadTimestampedEntryInto(r io.Reader, t *TimestampedEntry) error
- func SCTListSerializedLength(scts []SignedCertificateTimestamp) (int, error)
- func SerializeMerkleTreeLeaf(w io.Writer, m *MerkleTreeLeaf) error
- func SerializeSCT(sct SignedCertificateTimestamp) ([]byte, error)
- func SerializeSCTHere(sct SignedCertificateTimestamp, here []byte) ([]byte, error)
- func SerializeSCTList(scts []SignedCertificateTimestamp) ([]byte, error)
- func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
- func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
- func SerializeTimestampedEntry(w io.Writer, t *TimestampedEntry) error
- type ASN1Cert
- type AddJSONRequest
- type AuditPath
- type CTExtensions
- type ConsistencyProof
- type DigitallySigned
- type HashAlgorithm
- type LeafInput
- type LogEntry
- type LogEntryType
- type MerkleLeafType
- type MerkleTreeLeaf
- type MerkleTreeNode
- type PreCert
- type Precertificate
- type SHA256Hash
- type SignatureAlgorithm
- type SignatureType
- type SignatureVerifier
- type SignedCertificateTimestamp
- type SignedTreeHead
- type TimestampedEntry
- type Version
Constants
const (
	CertificateLengthBytes      = 3
	PreCertificateLengthBytes   = 3
	ExtensionsLengthBytes       = 2
	CertificateChainLengthBytes = 3
	SignatureLengthBytes        = 2
	JSONLengthBytes             = 3
)
Variable size structure prefix-header byte lengths
const (
	MaxCertificateLength = (1 << 24) - 1
	MaxExtensionsLength  = (1 << 16) - 1
	MaxSCTInListLength   = (1 << 16) - 1
	MaxSCTListLength     = (1 << 16) - 1
)
Max lengths
Variables
var (
	ErrInvalidVersion  error = sctError(1)
	ErrNotEnoughBuffer error = sctError(2)
)
Preallocate errors for performance
Functions
func MarshalDigitallySigned
func MarshalDigitallySigned(ds DigitallySigned) ([]byte, error)
MarshalDigitallySigned marshals a DigitallySigned structure into a byte array.
func ReadTimestampedEntryInto
func ReadTimestampedEntryInto(r io.Reader, t *TimestampedEntry) error
ReadTimestampedEntryInto parses the byte-stream representation of a TimestampedEntry from |r| and populates the struct |t| with the data. See RFC section 3.4 for details on the format. Returns a non-nil error if there was a problem.
func SCTListSerializedLength
func SCTListSerializedLength(scts []SignedCertificateTimestamp) (int, error)
SCTListSerializedLength determines the length of the buffer required should an SCT List need to be serialized.
func SerializeMerkleTreeLeaf
func SerializeMerkleTreeLeaf(w io.Writer, m *MerkleTreeLeaf) error
SerializeMerkleTreeLeaf writes MerkleTreeLeaf to Writer. In case of error, w may contain garbage.
func SerializeSCT
func SerializeSCT(sct SignedCertificateTimestamp) ([]byte, error)
SerializeSCT serializes the passed-in sct into the format specified by RFC6962 section 3.2. Equivalent to SerializeSCTHere(sct, nil).
func SerializeSCTHere
func SerializeSCTHere(sct SignedCertificateTimestamp, here []byte) ([]byte, error)
SerializeSCTHere serializes the passed-in sct into the format specified by RFC6962 section 3.2. If a byte slice here is provided, it will attempt to serialize into that slice; ErrNotEnoughBuffer is returned if the buffer is too small. If a nil byte slice is provided, a buffer will be allocated for you. The returned slice is sliced to the correct length.
func SerializeSCTList
func SerializeSCTList(scts []SignedCertificateTimestamp) ([]byte, error)
SerializeSCTList serializes the passed-in slice of SignedCertificateTimestamp into a byte slice as a SignedCertificateTimestampList (see RFC6962 Section 3.3)
func SerializeSCTSignatureInput
func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
SerializeSCTSignatureInput serializes the passed in sct and log entry into the correct format for signing.
func SerializeSTHSignatureInput
func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
SerializeSTHSignatureInput serializes the passed in sth into the correct format for signing.
func SerializeTimestampedEntry
func SerializeTimestampedEntry(w io.Writer, t *TimestampedEntry) error
SerializeTimestampedEntry writes timestamped entry to Writer. In case of error, w may contain garbage.
Types
type ASN1Cert
type ASN1Cert []byte
ASN1Cert type for holding the raw DER bytes of an ASN.1 Certificate (section 3.1)
func UnmarshalPrecertChainArray
UnmarshalPrecertChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to a Precertificate leaf.
func UnmarshalX509ChainArray
UnmarshalX509ChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to an X509 leaf.
type AddJSONRequest
type AddJSONRequest struct {
	Data interface{} `json:"data"`
}
AddJSONRequest represents the JSON request body sent to the add-json CT method.
type AuditPath
type AuditPath []MerkleTreeNode
AuditPath represents a CT inclusion proof (see sections 2.1.1 and 4.5)
type CTExtensions
type CTExtensions []byte
CTExtensions is a representation of the raw bytes of any CtExtension structure (see section 3.2)
type ConsistencyProof
type ConsistencyProof []MerkleTreeNode
ConsistencyProof represents a CT consistency proof (see sections 2.1.2 and 4.4)
type DigitallySigned
type DigitallySigned struct {
	HashAlgorithm      HashAlgorithm
	SignatureAlgorithm SignatureAlgorithm
	Signature          []byte
}
DigitallySigned represents an RFC5246 DigitallySigned structure.
func UnmarshalDigitallySigned
func UnmarshalDigitallySigned(r io.Reader) (*DigitallySigned, error)
UnmarshalDigitallySigned reconstructs a DigitallySigned structure from a Reader
func (DigitallySigned) Base64String
func (d DigitallySigned) Base64String() (string, error)
Base64String returns the base64 representation of the DigitallySigned struct.
func (*DigitallySigned) FromBase64String
func (d *DigitallySigned) FromBase64String(b64 string) error
FromBase64String populates the DigitallySigned structure from the base64 data passed in. Returns an error if the base64 data is invalid.
func (DigitallySigned) MarshalJSON
func (d DigitallySigned) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*DigitallySigned) UnmarshalJSON
func (d *DigitallySigned) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type HashAlgorithm
type HashAlgorithm byte
HashAlgorithm from the DigitallySigned struct
const (
	None   HashAlgorithm = 0
	MD5    HashAlgorithm = 1
	SHA1   HashAlgorithm = 2
	SHA224 HashAlgorithm = 3
	SHA256 HashAlgorithm = 4
	SHA384 HashAlgorithm = 5
	SHA512 HashAlgorithm = 6
)
HashAlgorithm constants
func (HashAlgorithm) String
func (h HashAlgorithm) String() string
type LogEntry
type LogEntry struct {
	Index    int64
	Leaf     MerkleTreeLeaf
	X509Cert *x509.Certificate
	Precert  *Precertificate
	JSONData []byte
	Chain    []ASN1Cert
}
LogEntry represents the contents of an entry in a CT log, see section 3.1.
type LogEntryType
type LogEntryType uint16
LogEntryType represents the LogEntryType enum from section 3.1 of the RFC:
enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
const (
	X509LogEntryType    LogEntryType = 0
	PrecertLogEntryType LogEntryType = 1
	XJSONLogEntryType   LogEntryType = 0x8000 // Experimental. Don't rely on this!
)
LogEntryType constants, see section 3.1 of RFC6962.
func (LogEntryType) String
func (e LogEntryType) String() string
type MerkleLeafType
type MerkleLeafType uint8
MerkleLeafType represents the MerkleLeafType enum from section 3.4 of the RFC:
enum { timestamped_entry(0), (255) } MerkleLeafType;
const (
TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
)
MerkleLeafType constants, see section 3.4 of the RFC.
func (MerkleLeafType) String
func (m MerkleLeafType) String() string
type MerkleTreeLeaf
type MerkleTreeLeaf struct {
	Version          Version          // the version of the protocol to which the MerkleTreeLeaf corresponds
	LeafType         MerkleLeafType   // The type of the leaf input, currently only TimestampedEntry can exist
	TimestampedEntry TimestampedEntry // The entry data itself
}
MerkleTreeLeaf represents the deserialized structure of the hash input for the leaves of a log's Merkle tree. See RFC section 3.4.
func CreateJSONMerkleTreeLeaf
func CreateJSONMerkleTreeLeaf(data interface{}, timestamp uint64) *MerkleTreeLeaf
CreateJSONMerkleTreeLeaf creates the merkle tree leaf for json data.
func CreateX509MerkleTreeLeaf
func CreateX509MerkleTreeLeaf(cert ASN1Cert, timestamp uint64) *MerkleTreeLeaf
CreateX509MerkleTreeLeaf generates a MerkleTreeLeaf for an X509 cert
func ReadMerkleTreeLeaf
func ReadMerkleTreeLeaf(r io.Reader) (*MerkleTreeLeaf, error)
ReadMerkleTreeLeaf parses the byte-stream representation of a MerkleTreeLeaf and returns a pointer to a new MerkleTreeLeaf structure containing the parsed data. See RFC section 3.4 for details on the format. Returns a pointer to a new MerkleTreeLeaf, or a non-nil error if there was a problem.
func (*MerkleTreeLeaf) X509Certificate
func (m *MerkleTreeLeaf) X509Certificate() (*x509.Certificate, error)
X509Certificate returns the X.509 Certificate contained within the MerkleTreeLeaf. Returns a pointer to an x509.Certificate or a non-nil error.
type MerkleTreeNode
type MerkleTreeNode []byte
MerkleTreeNode represents an internal node in the CT tree
type Precertificate
type Precertificate struct {
	// Raw DER bytes of the precert
	Raw []byte
	// SHA256 hash of the issuing key
	IssuerKeyHash [issuerKeyHashLength]byte
	// Parsed TBSCertificate structure (held in an x509.Certificate for ease of
	// access.
	TBSCertificate x509.Certificate
}
Precertificate represents the parsed CT Precertificate structure.
type SHA256Hash
SHA256Hash represents the output from the SHA256 hash function.
func PublicKeyFromPEM
PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
func (SHA256Hash) Base64String
func (s SHA256Hash) Base64String() string
Base64String returns the base64 representation of this SHA256Hash.
func (*SHA256Hash) FromBase64String
func (s *SHA256Hash) FromBase64String(b64 string) error
FromBase64String populates the SHA256 struct with the contents of the base64 data passed in.
func (SHA256Hash) MarshalJSON
func (s SHA256Hash) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for SHA256Hash.
func (*SHA256Hash) UnmarshalJSON
func (s *SHA256Hash) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type SignatureAlgorithm
type SignatureAlgorithm byte
SignatureAlgorithm from the DigitallySigned struct
const (
	Anonymous SignatureAlgorithm = 0
	RSA       SignatureAlgorithm = 1
	DSA       SignatureAlgorithm = 2
	ECDSA     SignatureAlgorithm = 3
)
SignatureAlgorithm constants
func (SignatureAlgorithm) String
func (s SignatureAlgorithm) String() string
type SignatureType
type SignatureType uint8
SignatureType differentiates STH signatures from SCT signatures, see RFC section 3.2
const (
	CertificateTimestampSignatureType SignatureType = 0
	TreeHashSignatureType             SignatureType = 1
)
SignatureType constants, see RFC section 3.2
func (SignatureType) String
func (st SignatureType) String() string
type SignatureVerifier
type SignatureVerifier struct {
// contains filtered or unexported fields
}
SignatureVerifier can verify signatures on SCTs and STHs
func NewSignatureVerifier
func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error)
NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.
func (SignatureVerifier) VerifySCTSignature
func (s SignatureVerifier) VerifySCTSignature(sct SignedCertificateTimestamp, entry LogEntry) error
VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry
func (SignatureVerifier) VerifySTHSignature
func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error
VerifySTHSignature verifies that the STH's signature is valid.
type SignedCertificateTimestamp
type SignedCertificateTimestamp struct {
	SCTVersion Version         // The version of the protocol to which the SCT conforms
	LogID      SHA256Hash      // the SHA-256 hash of the log's public key, calculated over
	                           // the DER encoding of the key represented as SubjectPublicKeyInfo.
	Timestamp  uint64          // Timestamp (in ms since unix epoch) at which the SCT was issued
	Extensions CTExtensions    // For future extensions to the protocol
	Signature  DigitallySigned // The Log's signature for this SCT
}
SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding (see RFC sections 3.2, 4.1 and 4.2).
func DeserializeSCT
func DeserializeSCT(r io.Reader) (*SignedCertificateTimestamp, error)
DeserializeSCT reads an SCT from Reader.
func (SignedCertificateTimestamp) SerializedLength
func (sct SignedCertificateTimestamp) SerializedLength() (int, error)
SerializedLength will return the space (in bytes)
func (SignedCertificateTimestamp) String
func (s SignedCertificateTimestamp) String() string
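As an added example, not the package's own code: a stand-alone Go implementation of the RFC 6962 section 3.2 SCT byte layout that SerializeSCT, SerializeSCTHere, SerializedLength and DeserializeSCT operate on, written to the same contract as SerializeSCTHere (allocate on nil, ErrNotEnoughBuffer on a short buffer, slice to exact length) and paired with a bounds-checked parser. The SCT struct, the SerializeHere and Deserialize names, and ErrMalformed are this example's own; the field widths follow the RFC and the page's 2-byte ExtensionsLengthBytes and SignatureLengthBytes.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// RFC 6962 s3.2 v1 SCT: version(1) | log_id(32) | timestamp(8) | ext_len(2)+ext | hash(1) | sig(1) | sig_len(2)+sig
type SCT struct {
	Version, HashAlgorithm, SignatureAlgorithm byte
	LogID                                      [32]byte // SHA-256 of the log's public key
	Timestamp                                  uint64   // ms since the Unix epoch
	Extensions, Signature                      []byte
}

var ErrNotEnoughBuffer, ErrMalformed = errors.New("not enough buffer"), errors.New("malformed SCT")

// SerializeHere mirrors SerializeSCTHere: allocate when here is nil, reject a short buffer, else write in place.
func (s SCT) SerializeHere(here []byte) ([]byte, error) {
	if len(s.Extensions) > 0xFFFF || len(s.Signature) > 0xFFFF {
		return nil, ErrMalformed // would not fit its 2-byte length prefix
	}
	n := 43 + len(s.Extensions) + 4 + len(s.Signature)
	if here == nil {
		here = make([]byte, n)
	} else if len(here) < n {
		return nil, ErrNotEnoughBuffer
	}
	b := here[:n] // returned slice is cut to the exact serialized length
	b[0] = s.Version
	copy(b[1:33], s.LogID[:])
	binary.BigEndian.PutUint64(b[33:41], s.Timestamp)
	binary.BigEndian.PutUint16(b[41:43], uint16(len(s.Extensions)))
	i := 43 + copy(b[43:], s.Extensions)
	b[i], b[i+1] = s.HashAlgorithm, s.SignatureAlgorithm
	binary.BigEndian.PutUint16(b[i+2:i+4], uint16(len(s.Signature)))
	copy(b[i+4:], s.Signature)
	return b, nil
}

// Deserialize is the inverse; both length prefixes are bounds-checked before use, so truncated or padded input errors instead of panicking.
func Deserialize(b []byte) (*SCT, error) {
	if len(b) < 43 {
		return nil, ErrMalformed
	}
	i := 43 + int(binary.BigEndian.Uint16(b[41:43])) // end of extensions
	if len(b) < i+4 || len(b) != i+4+int(binary.BigEndian.Uint16(b[i+2:i+4])) {
		return nil, ErrMalformed
	}
	s := &SCT{Version: b[0], Timestamp: binary.BigEndian.Uint64(b[33:41]), HashAlgorithm: b[i], SignatureAlgorithm: b[i+1]}
	copy(s.LogID[:], b[1:33])
	s.Extensions, s.Signature = append([]byte{}, b[43:i]...), append([]byte{}, b[i+4:]...)
	return s, nil
}
```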
type SignedTreeHead
type SignedTreeHead struct {
	Version           Version         `json:"sth_version"`         // The version of the protocol to which the STH conforms
	TreeSize          uint64          `json:"tree_size"`           // The number of entries in the new tree
	Timestamp         uint64          `json:"timestamp"`           // The time at which the STH was created
	SHA256RootHash    SHA256Hash      `json:"sha256_root_hash"`    // The root hash of the log's Merkle tree
	TreeHeadSignature DigitallySigned `json:"tree_head_signature"` // The Log's signature for this STH (see RFC section 3.5)
	LogID             SHA256Hash      `json:"log_id"`              // The SHA256 hash of the log's public key
}
SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding (see sections 3.5 and 4.3 in the RFC).
type TimestampedEntry
type TimestampedEntry struct {
	Timestamp    uint64
	EntryType    LogEntryType
	X509Entry    ASN1Cert
	JSONData     []byte
	PrecertEntry PreCert
	Extensions   CTExtensions
}
TimestampedEntry is part of the MerkleTreeLeaf structure. See RFC section 3.4
Directories
Path | Synopsis
---|---
asn1 | Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
client | Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
ratelimiter | Package ratelimiter provides an exceedingly simple rate limiter.
x509 | Package x509 parses X.509-encoded keys and certificates.
pkix | Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.