witness/

directory
v1.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 26, 2024 License: Apache-2.0

README

CT Witness

The witness is an HTTP service that stores STHs it has seen from a configurable list of Certificate Transparency logs in a sqlite database. This is a lightweight way to help detect or even prevent split-view attacks. An overview of witnessing can be found in trillian-examples, along with "generic" witness implementations. This witness is designed to be compatible with the specific formats used by CT.

Once up and running, the witness provides three API endpoints (as defined in api/http.go):

  • /ctwitness/v0/logs returns a list of all logs for which the witness is currently storing an STH.
  • /ctwitness/v0/logs/<logid>/update acts to update the STH stored for logid.
  • /ctwitness/v0/logs/<logid>/sth returns the latest STH for logid.

Running the witness

Running the witness is as simple as running go run ./cmd/witness/main.go from this directory, with the following flags:

  • listen, which specifies the address and port to listen on.
  • db_file, which specifies the desired location of the sqlite database. The use of sqlite limits the scalability and reliability of the witness (because this is a local file), so if that is required a different database backend would be needed.
  • config_file, which specifies configuration information for the logs. This repository contains a sample configuration file, and in general it is necessary to specify the following fields for each log:
    • logID, which is the alphanumeric identifier for the log.
    • pubKey, which is the base64-encoded public key of the log. Both of these fields should be populated using an "official" CT log list.
  • private_key, which specifies the private signing key of the witness. In its current state the witness does not sign STHs so this can exist in any form.

Directories

Path Synopsis
Package api provides the API endpoints for the witness.
Package api provides the API endpoints for the witness.
client
http
Package http is a simple client for interacting with witnesses over HTTP.
Package http is a simple client for interacting with witnesses over HTTP.
cmd
client
client fetches and verifies new STHs for a set of logs from a single witness.
client fetches and verifies new STHs for a set of logs from a single witness.
feeder
feeder polls the sumdb log and pushes the results to a generic witness.
feeder polls the sumdb log and pushes the results to a generic witness.
witness
Package witness is designed to make sure the STHs of CT logs are consistent and store/serve/sign them if so.
Package witness is designed to make sure the STHs of CT logs are consistent and store/serve/sign them if so.
witness/config
config is a tool to populate the witness config file according to a set of logs.
config is a tool to populate the witness config file according to a set of logs.
witness/impl
Package impl is the implementation of the witness server.
Package impl is the implementation of the witness server.
witness/internal/http
Package http contains private implementation details for the witness server.
Package http contains private implementation details for the witness server.
witness/internal/witness
Package witness is designed to make sure the STHs of CT logs are consistent and store/serve/sign them if so.
Package witness is designed to make sure the STHs of CT logs are consistent and store/serve/sign them if so.
Package verifier is designed to verify the signatures produced by a witness.
Package verifier is designed to verify the signatures produced by a witness.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL