ct

package
v0.0.0-...-96b92c5

This package is not in the latest version of its module.

Published: May 21, 2023 | License: Apache-2.0, ISC, MIT | Imports: 19 | Imported by: 0

README

This is the really early beginnings of a certificate transparency log client written in Go, along with a log scanner tool.

You'll need Go v1.1 or higher to compile.

Installation

This Go code must be imported into your Go workspace before you can use it, which can be done with:

go get github.com/google/certificate-transparency/go/client
go get github.com/google/certificate-transparency/go/scanner
etc.

Building the binaries

To compile the log scanner run:

go build github.com/google/certificate-transparency/go/scanner/main/scanner.go

Contributing

When sending pull requests, please ensure that everything's been run through gofmt beforehand so we can keep everything nice and tidy.

Documentation

Constants

const (
	CertificateLengthBytes      = 3
	PreCertificateLengthBytes   = 3
	ExtensionsLengthBytes       = 2
	CertificateChainLengthBytes = 3
	SignatureLengthBytes        = 2
)

Byte lengths of the length-prefix headers on variable-size structures

const (
	MaxCertificateLength = (1 << 24) - 1
	MaxExtensionsLength  = (1 << 16) - 1
)

Max lengths

Variables

var (
	ErrInvalidVersion  error = sctError(1)
	ErrNotEnoughBuffer error = sctError(2)
)

Preallocate errors for performance

Functions

func MarshalDigitallySigned

func MarshalDigitallySigned(ds DigitallySigned) ([]byte, error)

MarshalDigitallySigned marshals a DigitallySigned structure into a byte array.

func ReadTimestampedEntryInto

func ReadTimestampedEntryInto(r io.Reader, t *TimestampedEntry) error

ReadTimestampedEntryInto parses the byte-stream representation of a TimestampedEntry from |r| and populates the struct |t| with the data. See RFC section 3.4 for details on the format. Returns a non-nil error if there was a problem.

func SerializeSCT

func SerializeSCT(sct SignedCertificateTimestamp) ([]byte, error)

SerializeSCT serializes the passed in sct into the format specified by RFC6962 section 3.2. Equivalent to SerializeSCTHere(sct, nil).

func SerializeSCTHere

func SerializeSCTHere(sct SignedCertificateTimestamp, here []byte) ([]byte, error)

SerializeSCTHere serializes the passed in sct into the format specified by RFC6962 section 3.2. If a byte slice here is provided, it will attempt to serialize into that slice; ErrNotEnoughBuffer will be returned if the buffer is too small. If a nil byte slice is provided, a buffer will be allocated for you. The returned slice will be sliced to the correct length.

func SerializeSCTSignatureInput

func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)

SerializeSCTSignatureInput serializes the passed in sct and log entry into the correct format for signing.

func SerializeSTHSignatureInput

func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)

SerializeSTHSignatureInput serializes the passed in sth into the correct format for signing.

Types

type ASN1Cert

type ASN1Cert []byte

ASN1Cert type for holding the raw DER bytes of an ASN.1 Certificate (section 3.1)

func UnmarshalPrecertChainArray

func UnmarshalPrecertChainArray(b []byte) ([]ASN1Cert, error)

UnmarshalPrecertChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to a Precertificate leaf.

func UnmarshalX509ChainArray

func UnmarshalX509ChainArray(b []byte) ([]ASN1Cert, error)

UnmarshalX509ChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to an X509 leaf.

type AuditPath

type AuditPath []MerkleTreeNode

AuditPath represents a CT inclusion proof (see sections 2.1.1 and 4.5)

type CTExtensions

type CTExtensions []byte

CTExtensions is a representation of the raw bytes of any CtExtension structure (see section 3.2)

type ConsistencyProof

type ConsistencyProof []MerkleTreeNode

ConsistencyProof represents a CT consistency proof (see sections 2.1.2 and 4.4)

type DigitallySigned

type DigitallySigned struct {
	HashAlgorithm      HashAlgorithm
	SignatureAlgorithm SignatureAlgorithm
	Signature          []byte
}

DigitallySigned represents an RFC5246 DigitallySigned structure

func UnmarshalDigitallySigned

func UnmarshalDigitallySigned(r io.Reader) (*DigitallySigned, error)

UnmarshalDigitallySigned reconstructs a DigitallySigned structure from a Reader

func (DigitallySigned) Base64String

func (d DigitallySigned) Base64String() (string, error)

Base64String returns the base64 representation of the DigitallySigned struct.

func (*DigitallySigned) FromBase64String

func (d *DigitallySigned) FromBase64String(b64 string) error

FromBase64String populates the DigitallySigned structure from the base64 data passed in. Returns an error if the base64 data is invalid.

func (DigitallySigned) MarshalJSON

func (d DigitallySigned) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*DigitallySigned) UnmarshalJSON

func (d *DigitallySigned) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type HashAlgorithm

type HashAlgorithm byte

HashAlgorithm from the DigitallySigned struct

const (
	None   HashAlgorithm = 0
	MD5    HashAlgorithm = 1
	SHA1   HashAlgorithm = 2
	SHA224 HashAlgorithm = 3
	SHA256 HashAlgorithm = 4
	SHA384 HashAlgorithm = 5
	SHA512 HashAlgorithm = 6
)

HashAlgorithm constants

func (HashAlgorithm) String

func (h HashAlgorithm) String() string

type LeafInput

type LeafInput []byte

LeafInput represents a serialized MerkleTreeLeaf structure

type LogEntry

type LogEntry struct {
	Index     int64
	Leaf      MerkleTreeLeaf
	RawCert   []byte
	IsPrecert bool
	Chain     []ASN1Cert
	Server    string
	// When the raw cert is parseable, and not a precert,
	// X509Cert contains the parsed certificate for convenience.
	X509Cert *x509.Certificate
	Precert  *Precertificate
}

LogEntry represents the contents of an entry in a CT log, see section 3.1.

type LogEntryType

type LogEntryType uint16

LogEntryType represents the LogEntryType enum from section 3.1 of the RFC:

enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;

const (
	X509LogEntryType    LogEntryType = 0
	PrecertLogEntryType LogEntryType = 1
)

LogEntryType constants, see section 3.1 of RFC6962.

func (LogEntryType) String

func (e LogEntryType) String() string

type MerkleLeafType

type MerkleLeafType uint8

MerkleLeafType represents the MerkleLeafType enum from section 3.4 of the RFC: enum { timestamped_entry(0), (255) } MerkleLeafType;

const (
	TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
)

MerkleLeafType constants, see section 3.4 of the RFC.

func (MerkleLeafType) String

func (m MerkleLeafType) String() string

type MerkleTreeLeaf

type MerkleTreeLeaf struct {
	Version          Version          // the version of the protocol to which the MerkleTreeLeaf corresponds
	LeafType         MerkleLeafType   // The type of the leaf input, currently only TimestampedEntry can exist
	TimestampedEntry TimestampedEntry // The entry data itself
}

MerkleTreeLeaf represents the deserialized structure of the hash input for the leaves of a log's Merkle tree. See RFC section 3.4.

func ReadMerkleTreeLeaf

func ReadMerkleTreeLeaf(r io.Reader) (*MerkleTreeLeaf, error)

ReadMerkleTreeLeaf parses the byte-stream representation of a MerkleTreeLeaf and returns a pointer to a new MerkleTreeLeaf structure containing the parsed data. See RFC section 3.4 for details on the format. Returns a pointer to a new MerkleTreeLeaf or a non-nil error if there was a problem.

func (*MerkleTreeLeaf) X509Certificate

func (m *MerkleTreeLeaf) X509Certificate() (*x509.Certificate, error)

X509Certificate returns the X.509 Certificate contained within the MerkleTreeLeaf. Returns a pointer to an x509.Certificate or a non-nil error.

type MerkleTreeNode

type MerkleTreeNode []byte

MerkleTreeNode represents an internal node in the CT tree

type PreCert

type PreCert struct {
	IssuerKeyHash  [issuerKeyHashLength]byte
	TBSCertificate []byte
}

PreCert represents a Precertificate (section 3.2)

type Precertificate

type Precertificate struct {
	// Raw DER bytes of the precert
	Raw []byte
	// SHA256 hash of the issuing key
	IssuerKeyHash [issuerKeyHashLength]byte
	// Parsed TBSCertificate structure (held in an x509.Certificate for ease of
	// access), when possible.
	TBSCertificate *x509.Certificate
}

Precertificate represents the parsed CT Precertificate structure.

type SHA256Hash

type SHA256Hash [sha256.Size]byte

SHA256Hash represents the output from the SHA256 hash function.

func PublicKeyFromPEM

func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error)

PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.

func (SHA256Hash) Base64String

func (s SHA256Hash) Base64String() string

Base64String returns the base64 representation of this SHA256Hash.

func (*SHA256Hash) FromBase64String

func (s *SHA256Hash) FromBase64String(b64 string) error

FromBase64String populates the SHA256 struct with the contents of the base64 data passed in.

func (SHA256Hash) MarshalJSON

func (s SHA256Hash) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for SHA256Hash.

func (*SHA256Hash) UnmarshalJSON

func (s *SHA256Hash) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type SignatureAlgorithm

type SignatureAlgorithm byte

SignatureAlgorithm from the DigitallySigned struct

const (
	Anonymous SignatureAlgorithm = 0
	RSA       SignatureAlgorithm = 1
	DSA       SignatureAlgorithm = 2
	ECDSA     SignatureAlgorithm = 3
)

SignatureAlgorithm constants

func (SignatureAlgorithm) String

func (s SignatureAlgorithm) String() string

type SignatureType

type SignatureType uint8

SignatureType differentiates STH signatures from SCT signatures, see RFC section 3.2

const (
	CertificateTimestampSignatureType SignatureType = 0
	TreeHashSignatureType             SignatureType = 1
)

SignatureType constants, see RFC section 3.2

func (SignatureType) String

func (st SignatureType) String() string

type SignatureVerifier

type SignatureVerifier struct {
	// contains filtered or unexported fields
}

SignatureVerifier can verify signatures on SCTs and STHs

func NewSignatureVerifier

func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error)

NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.

func (SignatureVerifier) VerifySCTSignature

func (s SignatureVerifier) VerifySCTSignature(sct SignedCertificateTimestamp, entry LogEntry) error

VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry

func (SignatureVerifier) VerifySTHSignature

func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error

VerifySTHSignature verifies that the STH's signature is valid.
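
What SerializeSTHSignatureInput and VerifySTHSignature have to agree on, as an added stand-alone example rather than this package's code: the signature covers the RFC 6962 section 3.5 input (version, signature type, timestamp, tree size, root hash), so a change to any of them must fail verification. It assumes an ECDSA P-256 log key; sth, digest, verifySTH and signedSample are hypothetical names, and the key and tree head are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sth is a hypothetical stand-in for the page's SignedTreeHead.
type sth struct {
	Timestamp, TreeSize uint64
	RootHash            [sha256.Size]byte
	HashAlg, SigAlg     byte // algorithm identifiers from DigitallySigned
	Signature           []byte
}

// digest hashes version | signature_type | timestamp | tree_size | root hash.
func digest(h sth) []byte {
	b := append([]byte{0, 1}, make([]byte, 16)...) // V1 = 0, TreeHashSignatureType = 1
	binary.BigEndian.PutUint64(b[2:], h.Timestamp)
	binary.BigEndian.PutUint64(b[10:], h.TreeSize)
	d := sha256.Sum256(append(b, h.RootHash[:]...))
	return d[:]
}

// verifySTH accepts only SHA256 (4) with ECDSA (3), then checks the signature.
func verifySTH(pub *ecdsa.PublicKey, h sth) error {
	if h.HashAlg != 4 || h.SigAlg != 3 || !ecdsa.VerifyASN1(pub, digest(h), h.Signature) {
		return fmt.Errorf("sth rejected: hash=%d sig=%d tree_size=%d", h.HashAlg, h.SigAlg, h.TreeSize)
	}
	return nil
}

// signedSample plays the log with a throwaway P-256 key (constructed data).
func signedSample() (*ecdsa.PrivateKey, sth, error) {
	h := sth{Timestamp: 1, TreeSize: 8, HashAlg: 4, SigAlg: 3}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		h.Signature, err = ecdsa.SignASN1(rand.Reader, key, digest(h))
	}
	return key, h, err
}

func main() {
	key, h, err := signedSample()
	fmt.Println(err == nil && verifySTH(&key.PublicKey, h) == nil)
}
```

Pinning the algorithm pair before verifying means a tree head whose DigitallySigned header names MD5 or SHA1 is refused even when the signature bytes are otherwise valid.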

type SignedCertificateTimestamp

type SignedCertificateTimestamp struct {
	SCTVersion Version    `json:"version"` // The version of the protocol to which the SCT conforms
	LogID      SHA256Hash `json:"log_id"`  // the SHA-256 hash of the log's public key, calculated over
	// the DER encoding of the key represented as SubjectPublicKeyInfo.
	Timestamp  uint64          `json:"timestamp,omitempty"`  // Timestamp (in ms since Unix epoch) at which the SCT was issued. NOTE: When this is serialized, the output is in seconds, not milliseconds.
	Extensions CTExtensions    `json:"extensions,omitempty"` // For future extensions to the protocol
	Signature  DigitallySigned `json:"signature"`            // The Log's signature for this SCT
}

SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding (see RFC sections 3.2, 4.1 and 4.2).

func DeserializeSCT

func DeserializeSCT(r io.Reader) (*SignedCertificateTimestamp, error)
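
The RFC 6962 section 3.2 layout that an SCT deserializer has to walk, as an added stand-alone example rather than this package's code: version, 32-byte log ID, 8-byte timestamp, extensions behind a 2-byte length (ExtensionsLengthBytes), two algorithm bytes, then the signature behind a 2-byte length (SignatureLengthBytes). The names sct, parseSCT, errVersion and errShort are hypothetical, and the input in main is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errVersion = errors.New("sct: unsupported version")
var errShort = errors.New("sct: declared length exceeds input")

// sct is a hypothetical stand-in for the page's SignedCertificateTimestamp.
type sct struct {
	LogID                 [32]byte
	Timestamp             uint64
	Extensions, Signature []byte
	HashAlg, SigAlg       byte
}

// parseSCT walks the RFC 6962 section 3.2 layout, bounds-checking every read.
func parseSCT(b []byte) (s *sct, err error) {
	take := func(n int) (head []byte) { // the first failed read sticks in err
		if err == nil && n > len(b) {
			err = fmt.Errorf("%w: need %d bytes, have %d", errShort, n, len(b))
		}
		if err != nil {
			return make([]byte, n) // zero filler keeps later reads panic-free
		}
		head, b = b[:n], b[n:]
		return head
	}
	vec := func() []byte { return take(int(binary.BigEndian.Uint16(take(2)))) }
	if v := take(1); err == nil && v[0] != 0 { // V1 = 0 is the only version
		return nil, errVersion
	}
	s = &sct{}
	copy(s.LogID[:], take(32))
	s.Timestamp = binary.BigEndian.Uint64(take(8))
	s.Extensions = vec()
	s.HashAlg, s.SigAlg = take(1)[0], take(1)[0]
	s.Signature = vec()
	if err != nil {
		return nil, err
	}
	return s, nil
}

func main() { // constructed input: timestamp 7, no extensions, SHA256+ECDSA, 3-byte signature
	fmt.Println(parseSCT(append(make([]byte, 40), 7, 0, 0, 4, 3, 0, 3, 0xAA, 0xBB, 0xCC)))
}
```

A length prefix larger than the remaining input yields errShort instead of an out-of-range slice, which is the failure a parser of attacker-supplied SCTs has to handle.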

func (*SignedCertificateTimestamp) MarshalJSON

func (sct *SignedCertificateTimestamp) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (SignedCertificateTimestamp) SerializedLength

func (sct SignedCertificateTimestamp) SerializedLength() (int, error)

SerializedLength will return the space (in bytes)

func (SignedCertificateTimestamp) String

type SignedTreeHead

type SignedTreeHead struct {
	Version           Version         `json:"sth_version"`         // The version of the protocol to which the STH conforms
	TreeSize          uint64          `json:"tree_size"`           // The number of entries in the new tree
	Timestamp         uint64          `json:"timestamp"`           // The time at which the STH was created
	SHA256RootHash    SHA256Hash      `json:"sha256_root_hash"`    // The root hash of the log's Merkle tree
	TreeHeadSignature DigitallySigned `json:"tree_head_signature"` // The Log's signature for this STH (see RFC section 3.5)
	LogID             SHA256Hash      `json:"log_id"`              // The SHA256 hash of the log's public key
}

SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding (see sections 3.5 and 4.3 in the RFC).

type TimestampedEntry

type TimestampedEntry struct {
	Timestamp    uint64
	EntryType    LogEntryType
	X509Entry    ASN1Cert
	PrecertEntry PreCert
	Extensions   CTExtensions
}

TimestampedEntry is part of the MerkleTreeLeaf structure. See RFC section 3.4

type Version

type Version uint8

Version represents the Version enum from section 3.2 of the RFC: enum { v1(0), (255) } Version;

const (
	V1 Version = 0
)

CT Version constants, see section 3.2 of the RFC.

func (Version) String

func (v Version) String() string

Directories

Path Synopsis
Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
Package x509 parses X.509-encoded keys and certificates.
pkix
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
