submission

package
v1.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 30, 2024 License: Apache-2.0 Imports: 27 Imported by: 10

Documentation

Overview

Package submission contains code and structs for certificates submission proxy.

Index

Examples

Constants

View Source 
const (
	// PostBatchInterval is duration between parallel batch call and subsequent
	// requests to Logs within group.
	// TODO(Mercurrent): optimize to avoid excessive requests.
	PostBatchInterval = time.Second
)

Variables

View Source 
var (
	ErrDistributorNotEnoughCompatibleLogs   = errors.New("distributor does not have enough compatible Logs to comply with the policy")
	ErrDistributorUnableToProcessEmptyChain = errors.New("distributor unable to process empty chain")
)

Functions

func ASN1MarshalSCTs 

func ASN1MarshalSCTs(scts []*AssignedSCT) ([]byte, error)

ASN1MarshalSCTs serializes list of AssignedSCTs according to RFC6962 3.3

func BuildLogClient 

func BuildLogClient(log *loglist3.Log) (client.AddLogClient, error)

BuildLogClient is default (non-mock) LogClientBuilder.

func NewStubLogClient 

func NewStubLogClient(log *loglist3.Log) (client.AddLogClient, error)

NewStubLogClient is builder for log-client stubs. Used for dry-runs and testing.

Types

type AssignedSCT 

type AssignedSCT struct {
	LogURL string
	SCT    *ct.SignedCertificateTimestamp
}

AssignedSCT represents SCT with logURL of log-producer.

func GetSCTs 

func GetSCTs(ctx context.Context, submitter Submitter, chain []ct.ASN1Cert, asPreChain bool, groups ctpolicy.LogPolicyData) ([]*AssignedSCT, error)

GetSCTs picks required number of Logs according to policy-group logic and collects SCTs from them. Emits all collected SCTs even when any error produced.

type CTPolicyType 

type CTPolicyType int

CTPolicyType indicates CT-policy used for certificate submission. 

const (
	ChromeCTPolicy CTPolicyType = iota
	AppleCTPolicy
)

Policy type values:

type DisableRootCompatibilityCheckingDistributorOption added in v1.2.0 

type DisableRootCompatibilityCheckingDistributorOption struct{}

DisableRootCompatibilityCheckingDistributorOption disables the root compatibility checking that the distributor does before submitting a certificate to CT logs.

func (DisableRootCompatibilityCheckingDistributorOption) Apply added in v1.2.0 

func (DisableRootCompatibilityCheckingDistributorOption) Apply(d *Distributor) error

type Distributor 

type Distributor struct {
	// contains filtered or unexported fields
}

Distributor operates policy-based submission across Logs.

Example 
ctx, cancel := context.WithCancel(context.Background())
defer cancel()

d, err := NewDistributor(sampleValidLogList(), buildStubCTPolicy(1), newLocalStubLogClient, monitoring.InertMetricFactory{})
if err != nil {
	panic(err)
}

// Refresh roots periodically so they stay up-to-date.
// Not necessary for this example, but appropriate for long-running systems.
refresh := make(chan struct{})
go schedule.Every(ctx, time.Hour, func(ctx context.Context) {
	if errs := d.RefreshRoots(ctx); len(errs) > 0 {
		klog.Error(errs)
	}
	refresh <- struct{}{}
})

select {
case <-refresh:
	break
case <-ctx.Done():
	panic("Context expired")
}

scts, err := d.AddPreChain(ctx, pemFileToDERChain("../trillian/testdata/subleaf-pre.chain"), false /* loadPendingLogs */)
if err != nil {
	panic(err)
}
for _, sct := range scts {
	fmt.Printf("%s\n", *sct)
}

Output:

{https://ct.googleapis.com/rocketeer/ {Version:0 LogId:aHR0cHM6Ly9jdC5nb29nbGVhcGlzLmNvbS9yb2NrZXQ= Timestamp:1234 Extensions:'' Signature:{{SHA256 ECDSA} []}}}

func NewDistributor 

func NewDistributor(ll *loglist3.LogList, plc ctpolicy.CTPolicy, lcBuilder LogClientBuilder, mf monitoring.MetricFactory, distributorOptions ...DistributorOption) (*Distributor, error)

NewDistributor creates and inits a Distributor instance. The Distributor will asynchronously fetch the latest roots from all of the logs when active. Call Run() to fetch roots and init regular updates to keep the local copy of the roots up-to-date.

func (*Distributor) AddChain 

func (d *Distributor) AddChain(ctx context.Context, rawChain [][]byte, loadPendingLogs bool) ([]*AssignedSCT, error)

AddChain runs add-chain calls across subset of logs according to Distributor's policy. May emit both SCTs array and error when SCTs collected do not satisfy the policy.

func (*Distributor) AddPreChain 

func (d *Distributor) AddPreChain(ctx context.Context, rawChain [][]byte, loadPendingLogs bool) ([]*AssignedSCT, error)

AddPreChain runs add-pre-chain calls across subset of logs according to Distributor's policy. May emit both SCTs array and error when SCTs collected do not satisfy the policy.

func (*Distributor) RefreshRoots 

func (d *Distributor) RefreshRoots(ctx context.Context) map[string]error

RefreshRoots requests roots from Logs and updates local copy. Returns error map keyed by log-URL for any Log experiencing roots retrieval problems If at least one root was successfully parsed for a log, log roots set gets the update.

func (*Distributor) SubmitToLog 

func (d *Distributor) SubmitToLog(ctx context.Context, logURL string, chain []ct.ASN1Cert, asPreChain bool) (*ct.SignedCertificateTimestamp, error)

SubmitToLog implements Submitter interface.

type DistributorBuilder 

type DistributorBuilder func(*loglist3.LogList) (*Distributor, error)

DistributorBuilder builds distributor instance for a given Log list.

func GetDistributorBuilder 

func GetDistributorBuilder(plc CTPolicyType, lcBuilder LogClientBuilder, mf monitoring.MetricFactory) DistributorBuilder

GetDistributorBuilder given CT-policy type and Log-client builder produces Distributor c-tor.

type DistributorOption added in v1.2.0 

type DistributorOption interface {
	// Apply applies a change to the distributor.
	Apply(d *Distributor) error
}

DistributorOption allows the setting of internal behavior on the distributor.

type InfoData 

type InfoData struct {
	PolicyName  string
	LogListPath template.HTML
	LogListJSON template.HTML
}

InfoData wraps data field required for info-page.

type LogClientBuilder 

type LogClientBuilder func(*loglist3.Log) (client.AddLogClient, error)

LogClientBuilder builds client-interface instance for a given Log.

type LogListData 

type LogListData struct {
	JSON         []byte
	List         *loglist3.LogList
	DownloadTime time.Time
}

LogListData wraps info on external LogList, keeping its JSON source and time of download.

type LogListManager 

type LogListManager struct {
	Errors    chan error
	LLUpdates chan LogListData
	// contains filtered or unexported fields
}

LogListManager runs loglist updates and keeps two latest versions of Log list.

func NewLogListManager 

func NewLogListManager(llr LogListRefresher, mf monitoring.MetricFactory) *LogListManager

NewLogListManager creates and inits a LogListManager instance.

func (*LogListManager) GetTwoLatestLogLists 

func (llm *LogListManager) GetTwoLatestLogLists() (*LogListData, *LogListData)

GetTwoLatestLogLists returns last version of Log list and a previous one.

func (*LogListManager) LastJSON 

func (llm *LogListManager) LastJSON() []byte

LastJSON returns last version of Log list in JSON.

func (*LogListManager) ProduceClientLogList 

func (llm *LogListManager) ProduceClientLogList() LogListData

ProduceClientLogList applies client filtration on Log list.

func (*LogListManager) RefreshLogList 

func (llm *LogListManager) RefreshLogList(ctx context.Context) (*LogListData, error)

RefreshLogList reads Log List one time and runs updates if necessary.

func (*LogListManager) Run 

func (llm *LogListManager) Run(ctx context.Context, llRefresh time.Duration)

Run starts regular LogList checks and associated versions archiving. Emits errors and Loglist-updates into its corresponding channels, expected to have readers listening.

func (*LogListManager) Source 

func (llm *LogListManager) Source() string

Source exposes internal Log list path.

type LogListRefresher 

type LogListRefresher interface {
	Refresh() (*LogListData, error)
	LastJSON() []byte
	Source() string
}

LogListRefresher is interface for Log List updates watcher.

Example 
ctx, cancel := context.WithCancel(context.Background())
defer cancel()

f, err := createTempFile(`{"operators": [{"name":"Google"}]}`)
if err != nil {
	panic(err)
}
defer func() {
	if err := os.Remove(f); err != nil {
		log.Fatalf("Operation to remove temp file failed: %v", err)
	}
}()

llr := NewLogListRefresher(f)

// Refresh log list periodically so it stays up-to-date.
// Not necessary for this example, but appropriate for long-running systems.
llChan := make(chan *LogListData)
errChan := make(chan error)
go schedule.Every(ctx, time.Hour, func(ctx context.Context) {
	if ll, err := llr.Refresh(); err != nil {
		errChan <- err
	} else {
		llChan <- ll
	}
})

select {
case ll := <-llChan:
	fmt.Printf("# Log Operators: %d\n", len(ll.List.Operators))
case err := <-errChan:
	panic(err)
case <-ctx.Done():
	panic("Context expired")
}

Output:

# Log Operators: 1

func NewCustomLogListRefresher 

func NewCustomLogListRefresher(client *http.Client, llPath string) LogListRefresher

NewCustomLogListRefresher creates and inits a LogListRefresherImpl instance.

func NewLogListRefresher 

func NewLogListRefresher(llPath string) LogListRefresher

NewLogListRefresher creates and inits a LogListRefresherImpl instance using default http.Client

type Proxy 

type Proxy struct {
	Init chan bool
	// contains filtered or unexported fields
}

Proxy wraps Log List updates watcher and Distributor running on fresh Log List.

func NewProxy 

func NewProxy(llm *LogListManager, db DistributorBuilder, mf monitoring.MetricFactory) *Proxy

NewProxy creates an inactive Proxy instance. Call Run() to activate.

func (*Proxy) AddChain 

func (p *Proxy) AddChain(ctx context.Context, rawChain [][]byte, loadPendingLogs bool) ([]*AssignedSCT, error)

AddChain passes call to underlying Distributor instance.

func (*Proxy) AddPreChain 

func (p *Proxy) AddPreChain(ctx context.Context, rawChain [][]byte, loadPendingLogs bool) ([]*AssignedSCT, error)

AddPreChain passes call to underlying Distributor instance.

func (*Proxy) Run 

func (p *Proxy) Run(ctx context.Context, llRefresh time.Duration, rootsRefresh time.Duration)

Run starts regular LogList checks and associated Distributor initialization. Sends true via Init channel when init is complete. Terminates upon context cancellation.

type ProxyServer 

type ProxyServer struct {
	// contains filtered or unexported fields
}

ProxyServer wraps Proxy and handles HTTP-requests for it.

func NewProxyServer 

func NewProxyServer(logListPath string, dBuilder DistributorBuilder, reqTimeout time.Duration, mf monitoring.MetricFactory) *ProxyServer

NewProxyServer creates ProxyServer instance. Call Run() to init.

func (*ProxyServer) HandleAddChain 

func (s *ProxyServer) HandleAddChain(w http.ResponseWriter, r *http.Request)

HandleAddChain handles multiplexed add-chain HTTP request.

func (*ProxyServer) HandleAddPreChain 

func (s *ProxyServer) HandleAddPreChain(w http.ResponseWriter, r *http.Request)

HandleAddPreChain handles multiplexed add-pre-chain HTTP request.

func (*ProxyServer) HandleInfo 

func (s *ProxyServer) HandleInfo(w http.ResponseWriter, r *http.Request)

HandleInfo handles info-page request.

func (*ProxyServer) Run 

func (s *ProxyServer) Run(ctx context.Context, logListRefreshInterval time.Duration, rootsRefreshInterval time.Duration, loadPendingLogs bool)

Run starts regular Log list updates in the background, running until the context is canceled. Blocks until initialization happens.

type SCTBatch 

type SCTBatch struct {
	SCTs []ct.SignedCertificateTimestamp `json:"scts"`
}

SCTBatch represents JSON response to add-pre-chain method of proxy.

type Submitter 

type Submitter interface {
	SubmitToLog(ctx context.Context, logURL string, chain []ct.ASN1Cert, asPreChain bool) (*ct.SignedCertificateTimestamp, error)
}

Submitter is interface wrapping Log-request-response cycle and any processing.

Source Files

View all Source files

Directories

Path Synopsis
Hammer tool sends multiple add-pre-chain requests to Submission proxy at the same time.
 Hammer tool sends multiple add-pre-chain requests to Submission proxy at the same time.
The submission_server runs (pre-)certs multi-Log submission complying with CT-policy provided.
 The submission_server runs (pre-)certs multi-Log submission complying with CT-policy provided.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.