ct

package
v0.0.0-...-3df3b04 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 30, 2015 License: Apache-2.0 Imports: 20 Imported by: 0

README

This is the really early beginnings of a certificate transparency log client written in Go, along with a log scanner tool.

You'll need go v1.1 or higher to compile.

Installation

This go code must be imported into your go workspace before you can use it, which can be done with:

go get github.com/google/certificate-transparency/go/client
go get github.com/google/certificate-transparency/go/scanner
etc.

Building the binaries

To compile the log scanner run:

go build github.com/google/certificate-transparency/go/scanner/main/scanner.go

Contributing

When sending pull requests, please ensure that everything's been run through gofmt beforehand so we can keep everything nice and tidy.

Documentation

Index

Constants

View Source 
const (
	CertificateLengthBytes      = 3
	PreCertificateLengthBytes   = 3
	ExtensionsLengthBytes       = 2
	CertificateChainLengthBytes = 3
	SignatureLengthBytes        = 2
)

Variable size structure prefix-header byte lengths

View Source 
const (
	MaxCertificateLength = (1 << 24) - 1
	MaxExtensionsLength  = (1 << 16) - 1
)

Max lengths

Variables

This section is empty.

Functions

func MarshalDigitallySigned 

func MarshalDigitallySigned(ds DigitallySigned) ([]byte, error)

MarshalDigitallySigned marshalls a DigitallySigned structure into a byte array

func ReadTimestampedEntryInto 

func ReadTimestampedEntryInto(r io.Reader, t *TimestampedEntry) error

ReadTimestampedEntryInto parses the byte-stream representation of a TimestampedEntry from |r| and populates the struct |t| with the data. See RFC section 3.4 for details on the format. Returns a non-nil error if there was a problem.

func SerializeSCT 

func SerializeSCT(sct SignedCertificateTimestamp) ([]byte, error)

SerializeSCT serializes the passed in sct into the format specified by RFC6962 section 3.2

func SerializeSCTSignatureInput 

func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)

SerializeSCTSignatureInput serializes the passed in sct and log entry into the correct format for signing.

func SerializeSTHSignatureInput 

func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)

SerializeSTHSignatureInput serializes the passed in sth into the correct format for signing.

Types

type ASN1Cert 

type ASN1Cert []byte

ASN1Cert type for holding the raw DER bytes of an ASN.1 Certificate (section 3.1)

func UnmarshalPrecertChainArray 

func UnmarshalPrecertChainArray(b []byte) ([]ASN1Cert, error)

UnmarshalPrecertChainArray unmarshalls the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to a Precertificate leaf.

func UnmarshalX509ChainArray 

func UnmarshalX509ChainArray(b []byte) ([]ASN1Cert, error)

UnmarshalX509ChainArray unmarshalls the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to an X509 leaf.

type AuditPath 

type AuditPath []MerkleTreeNode

AuditPath represents a CT inclusion proof (see sections 2.1.1 and 4.5)

type CTExtensions 

type CTExtensions []byte

CTExtensions is a representation of the raw bytes of any CtExtension structure (see section 3.2)

type ConsistencyProof 

type ConsistencyProof []MerkleTreeNode

ConsistencyProof represents a CT consistency proof (see sections 2.1.2 and 4.4)

type DigitallySigned 

type DigitallySigned struct {
	HashAlgorithm      HashAlgorithm
	SignatureAlgorithm SignatureAlgorithm
	Signature          []byte
}

DigitallySigned represents an RFC5246 DigitallySigned structure

func UnmarshalDigitallySigned 

func UnmarshalDigitallySigned(r io.Reader) (*DigitallySigned, error)

UnmarshalDigitallySigned reconstructs a DigitallySigned structure from a Reader

func (DigitallySigned) Base64String 

func (d DigitallySigned) Base64String() (string, error)

Base64String returns the base64 representation of the DigitallySigned struct.

func (*DigitallySigned) FromBase64String 

func (d *DigitallySigned) FromBase64String(b64 string) error

FromBase64String populates the DigitallySigned structure from the base64 data passed in. Returns an error if the base64 data is invalid.

func (DigitallySigned) MarshalJSON 

func (d DigitallySigned) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaller interface.

func (*DigitallySigned) UnmarshalJSON 

func (d *DigitallySigned) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type HashAlgorithm 

type HashAlgorithm byte

HashAlgorithm from the DigitallySigned struct 

const (
	None   HashAlgorithm = 0
	MD5    HashAlgorithm = 1
	SHA1   HashAlgorithm = 2
	SHA224 HashAlgorithm = 3
	SHA256 HashAlgorithm = 4
	SHA384 HashAlgorithm = 5
	SHA512 HashAlgorithm = 6
)

HashAlgorithm constants

func (HashAlgorithm) String 

func (h HashAlgorithm) String() string

type LeafInput 

type LeafInput []byte

LeafInput represents a serialized MerkleTreeLeaf structure

type LogEntry 

type LogEntry struct {
	Index    int64
	Leaf     MerkleTreeLeaf
	X509Cert *x509.Certificate
	Precert  *Precertificate
	Chain    []ASN1Cert
}

LogEntry represents the contents of an entry in a CT log, see section 3.1.

type LogEntryType 

type LogEntryType uint16

LogEntryType represents the LogEntryType enum from section 3.1 of the RFC: 

enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;

const (
	X509LogEntryType    LogEntryType = 0
	PrecertLogEntryType LogEntryType = 1
)

LogEntryType constants, see section 3.1 of RFC6962.

func (LogEntryType) String 

func (e LogEntryType) String() string

type MerkleLeafType 

type MerkleLeafType uint8

MerkleLeafType represents the MerkleLeafType enum from section 3.4 of the RFC: enum { timestamped_entry(0), (255) } MerkleLeafType; 

const (
	TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
)

MerkleLeafType constants, see section 3.4 of the RFC.

func (MerkleLeafType) String 

func (m MerkleLeafType) String() string

type MerkleTreeLeaf 

type MerkleTreeLeaf struct {
	Version          Version          // the version of the protocol to which the MerkleTreeLeaf corresponds
	LeafType         MerkleLeafType   // The type of the leaf input, currently only TimestampedEntry can exist
	TimestampedEntry TimestampedEntry // The entry data itself
}

MerkleTreeLeaf represents the deserialized sructure of the hash input for the leaves of a log's Merkle tree. See RFC section 3.4

func ReadMerkleTreeLeaf 

func ReadMerkleTreeLeaf(r io.Reader) (*MerkleTreeLeaf, error)

ReadMerkleTreeLeaf parses the byte-stream representation of a MerkleTreeLeaf and returns a pointer to a new MerkleTreeLeaf structure containing the parsed data. See RFC section 3.4 for details on the format. Returns a pointer to a new MerkleTreeLeaf or non-nil error if there was a problem

func (*MerkleTreeLeaf) X509Certificate 

func (m *MerkleTreeLeaf) X509Certificate() (*x509.Certificate, error)

X509Certificate returns the X.509 Certificate contained within the MerkleTreeLeaf. Returns a pointer to an x509.Certificate or a non-nil error.

type MerkleTreeNode 

type MerkleTreeNode []byte

MerkleTreeNode represents an internal node in the CT tree

type PreCert 

type PreCert struct {
	IssuerKeyHash  [issuerKeyHashLength]byte
	TBSCertificate []byte
}

PreCert represents a Precertificate (section 3.2)

type Precertificate 

type Precertificate struct {
	// Raw DER bytes of the precert
	Raw []byte
	// SHA256 hash of the issuing key
	IssuerKeyHash [issuerKeyHashLength]byte
	// Parsed TBSCertificate structure (held in an x509.Certificate for ease of
	// access.
	TBSCertificate x509.Certificate
}

Precertificate represents the parsed CT Precertificate structure.

type SHA256Hash 

type SHA256Hash [sha256.Size]byte

SHA256Hash represents the output from the SHA256 hash function.

func PublicKeyFromPEM 

func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error)

PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.

func (SHA256Hash) Base64String 

func (s SHA256Hash) Base64String() string

Base64String returns the base64 representation of this SHA256Hash.

func (*SHA256Hash) FromBase64String 

func (s *SHA256Hash) FromBase64String(b64 string) error

FromBase64String populates the SHA256 struct with the contents of the base64 data passed in.

func (SHA256Hash) MarshalJSON 

func (s SHA256Hash) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaller interface for SHA256Hash.

func (*SHA256Hash) UnmarshalJSON 

func (s *SHA256Hash) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaller interface.

type SignatureAlgorithm 

type SignatureAlgorithm byte

SignatureAlgorithm from the the DigitallySigned struct 

const (
	Anonymous SignatureAlgorithm = 0
	RSA       SignatureAlgorithm = 1
	DSA       SignatureAlgorithm = 2
	ECDSA     SignatureAlgorithm = 3
)

SignatureAlgorithm constants

func (SignatureAlgorithm) String 

func (s SignatureAlgorithm) String() string

type SignatureType 

type SignatureType uint8

SignatureType differentiates STH signatures from SCT signatures, see RFC section 3.2 

const (
	CertificateTimestampSignatureType SignatureType = 0
	TreeHashSignatureType             SignatureType = 1
)

SignatureType constants, see RFC section 3.2

func (SignatureType) String 

func (st SignatureType) String() string

type SignatureVerifier 

type SignatureVerifier struct {
	// contains filtered or unexported fields
}

SignatureVerifier can verify signatures on SCTs and STHs

func NewSignatureVerifier 

func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error)

NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.

func (SignatureVerifier) VerifySCTSignature 

func (s SignatureVerifier) VerifySCTSignature(sct SignedCertificateTimestamp, entry LogEntry) error

VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry

func (SignatureVerifier) VerifySTHSignature 

func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error

VerifySTHSignature verifies that the STH's signature is valid.

type SignedCertificateTimestamp 

type SignedCertificateTimestamp struct {
	SCTVersion Version    // The version of the protocol to which the SCT conforms
	LogID      SHA256Hash // the SHA-256 hash of the log's public key, calculated over
	// the DER encoding of the key represented as SubjectPublicKeyInfo.
	Timestamp  uint64          // Timestamp (in ms since unix epoc) at which the SCT was issued
	Extensions CTExtensions    // For future extensions to the protocol
	Signature  DigitallySigned // The Log's signature for this SCT
}

SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding. (see RFC sections 3.2 ,4.1 and 4.2)

func DeserializeSCT 

func DeserializeSCT(r io.Reader) (*SignedCertificateTimestamp, error)

func (SignedCertificateTimestamp) String 

func (s SignedCertificateTimestamp) String() string

type SignedTreeHead 

type SignedTreeHead struct {
	Version           Version         `json:"sth_version"`         // The version of the protocol to which the STH conforms
	TreeSize          uint64          `json:"tree_size"`           // The number of entries in the new tree
	Timestamp         uint64          `json:"timestamp"`           // The time at which the STH was created
	SHA256RootHash    SHA256Hash      `json:"sha256_root_hash"`    // The root hash of the log's Merkle tree
	TreeHeadSignature DigitallySigned `json:"tree_head_signature"` // The Log's signature for this STH (see RFC section 3.5)
	LogID             SHA256Hash      `json:"log_id"`              // The SHA256 hash of the log's public key
	CosiSignature     string          `json:"cosi_signature"`      // The additional cothority-signature
}

SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding. See sections 3.5 and 4.3 in the RFC)

type TimestampedEntry 

type TimestampedEntry struct {
	Timestamp    uint64
	EntryType    LogEntryType
	X509Entry    ASN1Cert
	PrecertEntry PreCert
	Extensions   CTExtensions
}

TimestampedEntry is part of the MerkleTreeLeaf structure. See RFC section 3.4

type Version 

type Version uint8

Version represents the Version enum from section 3.2 of the RFC: enum { v1(0), (255) } Version; 

const (
	V1 Version = 0
)

CT Version constants, see section 3.2 of the RFC.

func (Version) String 

func (v Version) String() string

Source Files

View all Source files

Directories

Path Synopsis
Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
 Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
 Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
main
dumpscts/main
main
main
Package x509 parses X.509-encoded keys and certificates.
 Package x509 parses X.509-encoded keys and certificates.
pkix
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
 Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.