expauth

package
v0.0.0-...-9b7c71c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 20, 2024 License: BSD-3-Clause Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ClientAuthMode      string = "client"
	ServerAuthMode      string = "server"
	HandshakeLabel      string = "handshake context"
	FinishedLabel       string = "finished key"
	ExpAuthContextLabel string = "Exported Authenticator"
)

For labels.

View Source 
const (
	//ExpAuthTestSignatureScheme represents the signature scheme for exported authenticators.
	ExpAuthTestSignatureScheme mint.SignatureScheme = mint.ECDSA_P521_SHA512
)

Variables

This section is empty.

Functions

func AuthHashFromTLSConnState 

func AuthHashFromTLSConnState(connState *tls.ConnectionState) crypto.Hash

AuthHashFromTLSConnState returs a crypto.Hash from a TLS connection state.

Types

type ClientExportedAuthenticatorRequest 

type ClientExportedAuthenticatorRequest mint.CertificateRequestBody

ClientExportedAuthenticatorRequest is an EA request made by a Client.

func (*ClientExportedAuthenticatorRequest) GetContext 

func (req *ClientExportedAuthenticatorRequest) GetContext() []byte

GetContext returns the CertificateRequestContext for this Client EA request.

func (*ClientExportedAuthenticatorRequest) GetExtensions 

func (req *ClientExportedAuthenticatorRequest) GetExtensions() mint.ExtensionList

GetExtensions returns the extensions included in this Client EA request.

func (*ClientExportedAuthenticatorRequest) Marshal 

func (req *ClientExportedAuthenticatorRequest) Marshal() ([]byte, error)

Marshal returns the raw data for this Client EA request.

func (*ClientExportedAuthenticatorRequest) SupportedSignatureSchemes 

func (req *ClientExportedAuthenticatorRequest) SupportedSignatureSchemes() ([]mint.SignatureScheme, error)

SupportedSignatureSchemes returns a list of the signature algorithms advertised as supported by this Client EA request.

func (*ClientExportedAuthenticatorRequest) Unmarshal 

func (req *ClientExportedAuthenticatorRequest) Unmarshal(data []byte) (int, error)

Unmarshal converts the given raw data into a Client EA request and returns the number of bytes read.

type ExportedAuthenticator 

type ExportedAuthenticator struct {
	CertMsg    *mint.CertificateBody       // optional
	CertVerify *mint.CertificateVerifyBody // optional
	Finished   *mint.FinishedBody          // mandatory
	// contains filtered or unexported fields
}

ExportedAuthenticator is an exported authenticator. Non-empty EAs must contain Certificate, Certificate Verify and Finished messages. Empty EAs contain only a Finished message.

func (*ExportedAuthenticator) CertChain 

func (ea *ExportedAuthenticator) CertChain() []mint.CertificateEntry

CertChain returns the list of Certificate Entries that is inside this EA's Certificate message. If the EA is empty, an empty list is returned.

func (*ExportedAuthenticator) Extensions 

func (ea *ExportedAuthenticator) Extensions() mint.ExtensionList

Extensions returns the list of extensions in the given EA.

func (*ExportedAuthenticator) GetContext 

func (ea *ExportedAuthenticator) GetContext() []byte

GetContext returns the context associated with this EA. Must only be called on non-empty EAs. For empty EAs, the context should be extracted from the original Authenticator Request via its GetContext method.

func (*ExportedAuthenticator) IsEmpty 

func (ea *ExportedAuthenticator) IsEmpty() bool

IsEmpty returns whether the given EA is empty.

func (*ExportedAuthenticator) LeafPublicKey 

func (ea *ExportedAuthenticator) LeafPublicKey() crypto.PublicKey

LeafPublicKey returns the Public Key associated with this EA. If the EA has not been modified via SetPublicKey, it returns the public key associated with the leaf of the certificate chain in the Certificate message.

func (*ExportedAuthenticator) Marshal 

func (ea *ExportedAuthenticator) Marshal() ([]byte, error)

Marshal returns the raw data included in this EA. May be called on empty and non-empty EAs. The Certificate, CertificateVerify (if present) and Finished messages have standard TLS headers: one type byte and three length bytes.

func (*ExportedAuthenticator) SetPublicKey 

func (ea *ExportedAuthenticator) SetPublicKey(pubKey crypto.PublicKey)

SetPublicKey sets the public key to be used in verification of this EA. It should be called by the Verifier if the public key to be used is not present in the Certificate message. (For example, in the OPAQUE-EA protocol, the public key used for verification is secret and must not be revealed by the EA).

func (*ExportedAuthenticator) Unmarshal 

func (ea *ExportedAuthenticator) Unmarshal(data []byte) (int, error)

Unmarshal parses the given raw data into an EA struct and returns the number of bytes read. The given raw data may be longer than the raw EA. The raw data must be formatted as returned by Marshal.

type ExportedAuthenticatorRequest 

type ExportedAuthenticatorRequest interface {
	Marshal() ([]byte, error)
	Unmarshal([]byte) (int, error)
	GetContext() []byte
	SupportedSignatureSchemes() ([]mint.SignatureScheme, error)
	GetExtensions() mint.ExtensionList
	// contains filtered or unexported methods
}

ExportedAuthenticatorRequest is a request for an exported authenticator.

type ExportedKeyGetter 

type ExportedKeyGetter func(mode string, label string) ([]byte, error)

ExportedKeyGetter is a function that will be called by a party to get exported keys from labels. Can be set by caller or automatically set via a TLS connection.

func ExportedKeyGetterFromKeys 

func ExportedKeyGetterFromKeys(clientHandshakeContext, clientFinishedKey,
	serverHandshakeContext, serverFinishedKey []byte) ExportedKeyGetter

ExportedKeyGetterFromKeys takes in four keys and returns a function that returns the keys under the right circumstances Mainly used for testing.

func GetTestGetterAndHash 

func GetTestGetterAndHash() (ExportedKeyGetter, crypto.Hash)

GetTestGetterAndHash gets the getter and hasher.

func NewExportedKeyGetterFromTLSConnState 

func NewExportedKeyGetterFromTLSConnState(connState *tls.ConnectionState) ExportedKeyGetter

NewExportedKeyGetterFromTLSConnState returns an Exported KeyGetter from a TLS connection state.

type Party 

type Party struct {
	// contains filtered or unexported fields
}

Party is a participant (client or server) in the EA flow Should be unique per TLS session, as it keeps track of contexts which may not be re-used.

func Client 

func Client(conn *mint.Conn) *Party

Client creates a new Party in the Client role.

func ClientFromGetter 

func ClientFromGetter(getExportedKey ExportedKeyGetter, authHash crypto.Hash) *Party

ClientFromGetter returns a new Party in the client role. It takes a function which outputs exporter keys based on labels, and a hash function that will be used in message authentication.

func Server 

func Server(conn *mint.Conn) *Party

Server creates a new Party in the Server role. FUTURE: if TLS 1.2 and EMS was not negotiated, then return nil.

func ServerFromGetter 

func ServerFromGetter(getExportedKey ExportedKeyGetter, authHash crypto.Hash) *Party

ServerFromGetter returns a new Party in the server role. It takes a function which outputs exporter keys based on labels, and a hash function that will be used in message authentication.

func ServerFromTLSConnState 

func ServerFromTLSConnState(connState *tls.ConnectionState) *Party

ServerFromTLSConnState returns a server from a TLS connection state.

func (*Party) Authenticate 

func (p *Party) Authenticate(certs []*mint.Certificate, exts mint.ExtensionList,
	request ExportedAuthenticatorRequest) (*ExportedAuthenticator, error)

Authenticate returns a new ExportedAuthenticator for the defined Party.

func (*Party) AuthenticateSpontaneously 

func (p *Party) AuthenticateSpontaneously(certs []*mint.Certificate, exts mint.ExtensionList) (*ExportedAuthenticator, error)

AuthenticateSpontaneously returns a new ExportedAuthenticator. Must only be called by a Server. It creates a new spontaneous authenticator session for the Party.

func (*Party) GetRandomUnusedContext 

func (p *Party) GetRandomUnusedContext() ([]byte, error)

GetRandomUnusedContext returns an unused random context. FUTURE: consider making this thread-safe by locking the state table.

func (*Party) RefuseAuthentication 

func (p *Party) RefuseAuthentication(request ExportedAuthenticatorRequest) (*ExportedAuthenticator, error)

RefuseAuthentication takes an EA request and returns a new empty ExportedAuthenticator, indicating that the Party cannot or does not want to authenticate.

func (*Party) Request 

func (p *Party) Request(extensions mint.ExtensionList) (ExportedAuthenticatorRequest, error)

Request returns a new ExportedAuthenticatorRequest of the appropriate type (Client if the calling peer is a Client, else Server). It chooses a fresh context and creates a new requestor session for the Party.

func (*Party) Validate 

func (p *Party) Validate(ea *ExportedAuthenticator,
	request ExportedAuthenticatorRequest) ([]mint.CertificateEntry, mint.ExtensionList, error)

Validate takes in an EA and an EA request, and determines whether the EA is valid with respect to the request. A well-formed empty EA is invalid. It returns the certificate chain and extensions associated with the EA and errors if the EA is invalid. The calling function is responsible for verifying the certificate chain.

type ServerExportedAuthenticatorRequest 

type ServerExportedAuthenticatorRequest mint.CertificateRequestBody

ServerExportedAuthenticatorRequest is an EA request made by a Server.

func (*ServerExportedAuthenticatorRequest) GetContext 

func (req *ServerExportedAuthenticatorRequest) GetContext() []byte

GetContext returns the CertificateRequestContext for this Server EA request.

func (*ServerExportedAuthenticatorRequest) GetExtensions 

func (req *ServerExportedAuthenticatorRequest) GetExtensions() mint.ExtensionList

GetExtensions returns the extensions included in this Server EA request.

func (*ServerExportedAuthenticatorRequest) Marshal 

func (req *ServerExportedAuthenticatorRequest) Marshal() ([]byte, error)

Marshal returns the raw data for this Server EA request.

func (*ServerExportedAuthenticatorRequest) SupportedSignatureSchemes 

func (req *ServerExportedAuthenticatorRequest) SupportedSignatureSchemes() ([]mint.SignatureScheme, error)

SupportedSignatureSchemes returns a list of the signature algorithms advertised as supported by this Server EA request.

func (*ServerExportedAuthenticatorRequest) Unmarshal 

func (req *ServerExportedAuthenticatorRequest) Unmarshal(data []byte) (int, error)

Unmarshal converts the given raw data into a Server EA request and returns the number of bytes read.

type TLSMessage 

type TLSMessage struct {
	MessageType    mint.HandshakeType
	MessageBodyRaw []byte `tls:"head=3"`
}

TLSMessage is a wrapper for mint HandshakeMessageBody Similar to mint's HandshakeMessage but without DTLS info, and allows us to use mint/syntax marshal/unmarshal functionality.

func TLSMessageFromBody 

func TLSMessageFromBody(body mint.HandshakeMessageBody) (*TLSMessage, error)

TLSMessageFromBody returns a TLS Message from a body.

func (*TLSMessage) Marshal 

func (msg *TLSMessage) Marshal() ([]byte, error)

Marshal marshals a TLS Message.

func (*TLSMessage) ToBody 

func (msg *TLSMessage) ToBody() (mint.HandshakeMessageBody, error)

ToBody returns the body of a TLS Message.

func (*TLSMessage) Unmarshal 

func (msg *TLSMessage) Unmarshal(data []byte) (int, error)

Unmarshal unmarshals a TLS Message.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.