policy

package
v0.3.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 11, 2019 License: AGPL-3.0 Imports: 5 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	// Use Mozilla infosec team's recommendation for long lived keys:
	// https://infosec.mozilla.org/guidelines/key_management#recommended---generally-valid-for-up-to-10-years-default
	PrimaryKeyRsaKeyBits = 4096

	// EncryptionSubkeyRsaKeyBits is the number of bits to use for an
	// encryption subkey. These are short-lived so don't need to be as
	// large as the primary key.
	EncryptionSubkeyRsaKeyBits = 2048
)

Variables

View Source 
var (
	AdvertiseCipherPreferences = []uint8{
		symmetric.AES256,
		symmetric.AES192,
		symmetric.AES128,
		symmetric.CAST5,
	}

	// AcceptablePreferredSymmetricAlgorithms defines what combinations of
	// symmetric key ciphers we consider OK (e.g. we don't warn about).
	// Note that the order of algorithms matters, e.g. {AES256, CAST5} is
	// different from {CAST5, AES256}
	AcceptablePreferredSymmetricAlgorithms = [][]uint8{
		[]uint8{symmetric.AES256, symmetric.AES192, symmetric.AES128, symmetric.CAST5},
		[]uint8{symmetric.AES256, symmetric.AES192, symmetric.AES128},
	}

	// SupportedSymmetricKeyAlgorithms defines what algorithms we can
	// technically decrypt (but doesn't mean they're encouraged.)
	SupportedSymmetricKeyAlgorithms = []uint8{
		symmetric.AES128,
		symmetric.AES192,
		symmetric.AES256,
		symmetric.CAST5,
		symmetric.TripleDES,
	}

	// AdvertiseCompressionPreferences is added to the self signature to tell others
	// which compression (in order) that we prefer to use. Note that Golang
	// doesn't support BZIP, so we don't specify that.
	//
	// Riseup's OpenPGP best practice settings specify:
	//
	// > default-preference-list [...] ZLIB BZIP2 ZIP Uncompressed
	//
	// https://tools.ietf.org/html/rfc4880#section-9.3
	AdvertiseCompressionPreferences = []uint8{
		compression.ZLIB,
		compression.ZIP,
		compression.Uncompressed,
	}

	// AdvertiseHashPreferences is added to the self signature to tell
	// others which hashes (in order) that we prefer to use.
	//
	// Note that clients implicity support SHA1 if no other digest is
	// available.
	//
	// Riseup's OpenPGP best practice settings specify:
	//
	// > personal-digest-preferences SHA512 SHA384 SHA256 SHA224
	//
	// https://tools.ietf.org/html/rfc4880#section-9.4
	AdvertiseHashPreferences = []uint8{
		hash.Sha512,
		hash.Sha384,
		hash.Sha256,
		hash.Sha224,
	}

	// AcceptablePreferredHashAlgorithms defines what combinations of
	// hash algorithms we consider OK (e.g. we don't warn about).
	// Note that the order of algorithms matters, e.g. {SHA256, RIPEMD160}
	// is different from {RIPEMD160, SHA256}
	AcceptablePreferredHashAlgorithms = [][]uint8{
		[]uint8{hash.Sha512, hash.Sha384, hash.Sha256, hash.Sha224},
		[]uint8{hash.Sha512, hash.Sha384, hash.Sha256, hash.Sha224, hash.Ripemd160},
	}

	// SupportedHashAlgorithms defines what hash algorithms we can
	// technically support (but doesn't mean they're encouraged.)
	SupportedHashAlgorithms = []uint8{
		hash.Md5,
		hash.Sha1,
		hash.Ripemd160,
		hash.Sha224,
		hash.Sha256,
		hash.Sha384,
		hash.Sha512,
	}

	// AcceptableSignatureHashes defines the hash functions we consider
	// acceptable for self signatures (on UIDs) and subkey binding
	// signatures.
	AcceptableSignatureHashes = []crypto.Hash{
		crypto.SHA512,
		crypto.SHA256,
		crypto.SHA384,
		crypto.SHA224,
	}

	// SignatureHashFunction is the hash algorithm used for generating
	// subkey binding signatures and self signatures.
	SignatureHashFunction = crypto.SHA512
)

Functions

func IsDueForRotation 

func IsDueForRotation(nextRotation time.Time, now time.Time) bool

IsDueForRotation returns true if `now` is any time after the key's next rotation time

func IsExpiryTooLong 

func IsExpiryTooLong(expiry time.Time, now time.Time) bool

IsExpiryTooLong returns true if the expiry is too far in the future.

It's important not to raise this warning for expiries that we've set ourselves. We use `NextExpiryTime` such that when we set an expiry date it's *exactly* on the cusp of being too long, and can only get shorter after that point.

func IsOverdueForRotation 

func IsOverdueForRotation(nextRotation time.Time, now time.Time) bool

IsOverdueForRotation returns true if `now` is more than 10 days after nextRotation

func NextExpiryTime 

func NextExpiryTime(now time.Time) time.Time

NextExpiryTime returns the expiry time in UTC, according to the policy: 

"30 days after the 1st of the next month"

for example, if today is 15th September, nextExpiryTime would return 1st October + 30 days

func NextRotation 

func NextRotation(expiry time.Time) time.Time

NextRotation returns 30 days before the earliest expiry time on the key. If the key doesn't expire, it returns nil.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.