Documentation ¶
Overview ¶
Package ctfe contains a usage example by providing an implementation of an RFC6962 compatible CT log server using a Trillian log server as backend storage via its GRPC API.
IMPORTANT: Only code rooted within this part of the tree should refer to the CT Github repository. Other parts of the system must not assume that the data they're processing is X.509 or CT related.
The CT repository can be found at: https://github.com/google/certificate-transparency
Index ¶
- Constants
- Variables
- func GetCTLogID(pk crypto.PublicKey) ([sha256.Size]byte, error)
- func GetTreeHead(ctx context.Context, client trillian.TrillianLogClient, logID int64, ...) (*ct.SignedTreeHead, error)
- func IsPrecertificate(cert *x509.Certificate) (bool, error)
- func LogConfigFromFile(filename string) ([]*configpb.LogConfig, error)
- func MultiLogConfigFromFile(filename string) (*configpb.LogMultiConfig, error)
- func ToMultiLogConfig(cfg []*configpb.LogConfig, beSpec string) *configpb.LogMultiConfig
- func ValidateChain(rawChain [][]byte, validationOpts CertValidationOpts) ([]*x509.Certificate, error)
- func ValidateLogMultiConfig(cfg *configpb.LogMultiConfig) (map[string]*configpb.LogBackend, error)
- type AppHandler
- type CertValidationOpts
- type DefaultRequestLog
- func (dlr *DefaultRequestLog) AddCertToChain(_ context.Context, cert *x509.Certificate)
- func (dlr *DefaultRequestLog) AddDERToChain(_ context.Context, d []byte)
- func (dlr *DefaultRequestLog) FirstAndSecond(_ context.Context, f, s int64)
- func (dlr *DefaultRequestLog) LeafHash(_ context.Context, lh []byte)
- func (dlr *DefaultRequestLog) LeafIndex(_ context.Context, li int64)
- func (dlr *DefaultRequestLog) LogPrefix(_ context.Context, p string)
- func (dlr *DefaultRequestLog) Start(ctx context.Context) context.Context
- func (dlr *DefaultRequestLog) StartAndEnd(_ context.Context, s, e int64)
- func (dlr *DefaultRequestLog) Status(_ context.Context, s int)
- func (dlr *DefaultRequestLog) TreeSize(_ context.Context, ts int64)
- type EntrypointName
- type InstanceOptions
- type LogContext
- type LogEntry
- type PEMCertPool
- func (p *PEMCertPool) AddCert(cert *x509.Certificate)
- func (p *PEMCertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)
- func (p *PEMCertPool) AppendCertsFromPEMFile(pemFile string) error
- func (p *PEMCertPool) CertPool() *x509.CertPool
- func (p *PEMCertPool) RawCertificates() []*x509.Certificate
- func (p *PEMCertPool) Subjects() (res [][]byte)
- type PathHandlers
- type RequestLog
Constants ¶
const ( AddChainName = EntrypointName("AddChain") AddPreChainName = EntrypointName("AddPreChain") GetSTHName = EntrypointName("GetSTH") GetSTHConsistencyName = EntrypointName("GetSTHConsistency") GetProofByHashName = EntrypointName("GetProofByHash") GetEntriesName = EntrypointName("GetEntries") GetRootsName = EntrypointName("GetRoots") GetEntryAndProofName = EntrypointName("GetEntryAndProof") )
Constants for entrypoint names, as exposed in statistics/logging.
Variables ¶
var Entrypoints = []EntrypointName{AddChainName, AddPreChainName, GetSTHName, GetSTHConsistencyName, GetProofByHashName, GetEntriesName, GetRootsName, GetEntryAndProofName}
Entrypoints is a list of entrypoint names as exposed in statistics/logging.
var ( // MaxGetEntriesAllowed is the number of entries we allow in a get-entries request MaxGetEntriesAllowed int64 = 1000 )
Functions ¶
func GetCTLogID ¶
GetCTLogID takes the key manager for a log and returns the LogID. (see RFC 6962 S3.2) In CT V1 the log id is a hash of the public key.
func GetTreeHead ¶
func GetTreeHead(ctx context.Context, client trillian.TrillianLogClient, logID int64, prefix string) (*ct.SignedTreeHead, error)
GetTreeHead retrieves and builds a tree head structure for the given log; the returned tree head is not yet signed.
func IsPrecertificate ¶
func IsPrecertificate(cert *x509.Certificate) (bool, error)
IsPrecertificate tests if a certificate is a pre-certificate as defined in CT. An error is returned if the CT extension is present but is not ASN.1 NULL as defined by the spec.
func LogConfigFromFile ¶
LogConfigFromFile creates a slice of LogConfig options from the given filename, which should contain text-protobuf encoded configuration data.
func MultiLogConfigFromFile ¶
func MultiLogConfigFromFile(filename string) (*configpb.LogMultiConfig, error)
MultiLogConfigFromFile creates a LogMultiConfig proto from the given filename, which should contain text-protobuf encoded configuration data. Does not do full validation of the config but checks that it is non empty.
func ToMultiLogConfig ¶
func ToMultiLogConfig(cfg []*configpb.LogConfig, beSpec string) *configpb.LogMultiConfig
ToMultiLogConfig creates a multi backend config proto from the data loaded from a single-backend configuration file. All the log configs reference a default backend spec as provided.
func ValidateChain ¶
func ValidateChain(rawChain [][]byte, validationOpts CertValidationOpts) ([]*x509.Certificate, error)
ValidateChain takes the certificate chain as it was parsed from a JSON request. Ensures all elements in the chain decode as X.509 certificates. Ensures that there is a valid path from the end entity certificate in the chain to a trusted root cert, possibly using the intermediates supplied in the chain. Then applies the RFC requirement that the path must involve all the submitted chain in the order of submission.
func ValidateLogMultiConfig ¶
func ValidateLogMultiConfig(cfg *configpb.LogMultiConfig) (map[string]*configpb.LogBackend, error)
ValidateLogMultiConfig checks that a config is valid for use with multiple backend log servers. The rules applied are:
1. The backend set must define a set of log backends with distinct (non empty) names and non empty backend specs. 2. The backend specs must all be distinct. 3. The log configs must all specify a log backend and each must be one of those defined in the backend set. 4. If NotBeforeStart or NotBeforeLimit are set for a log then these fields must be valid timestamp protos. If both are set then NotBeforeLimit must not be before NotBeforeStart. 5. The prefixes of configured logs must all be distinct and must not be empty. 6. The set of tree ids for each configured backend must be distinct.
Types ¶
type AppHandler ¶
type AppHandler struct { Context *LogContext Handler func(context.Context, *LogContext, http.ResponseWriter, *http.Request) (int, error) Name EntrypointName Method string // http.MethodGet or http.MethodPost }
AppHandler holds a LogContext and a handler function that uses it, and is an implementation of the http.Handler interface.
func (AppHandler) ServeHTTP ¶
func (a AppHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP for an AppHandler invokes the underlying handler function but does additional common error and stats processing.
type CertValidationOpts ¶
type CertValidationOpts struct {
// contains filtered or unexported fields
}
CertValidationOpts contains various parameters for certificate chain validation
type DefaultRequestLog ¶
type DefaultRequestLog struct { }
DefaultRequestLog is an implementation of RequestLog that does nothing except log the calls at a high level of verbosity.
func (*DefaultRequestLog) AddCertToChain ¶
func (dlr *DefaultRequestLog) AddCertToChain(_ context.Context, cert *x509.Certificate)
AddCertToChain logs some issuer / subject / timing fields from a certificate that is part of a submitted chain.
func (*DefaultRequestLog) AddDERToChain ¶
func (dlr *DefaultRequestLog) AddDERToChain(_ context.Context, d []byte)
AddDERToChain logs the raw bytes of a submitted certificate.
func (*DefaultRequestLog) FirstAndSecond ¶
func (dlr *DefaultRequestLog) FirstAndSecond(_ context.Context, f, s int64)
FirstAndSecond logs request parameters.
func (*DefaultRequestLog) LeafHash ¶
func (dlr *DefaultRequestLog) LeafHash(_ context.Context, lh []byte)
LeafHash logs request parameters.
func (*DefaultRequestLog) LeafIndex ¶
func (dlr *DefaultRequestLog) LeafIndex(_ context.Context, li int64)
LeafIndex logs request parameters.
func (*DefaultRequestLog) LogPrefix ¶
func (dlr *DefaultRequestLog) LogPrefix(_ context.Context, p string)
LogPrefix logs the prefix of the CT log that this request is for.
func (*DefaultRequestLog) Start ¶
func (dlr *DefaultRequestLog) Start(ctx context.Context) context.Context
Start logs the start of request processing.
func (*DefaultRequestLog) StartAndEnd ¶
func (dlr *DefaultRequestLog) StartAndEnd(_ context.Context, s, e int64)
StartAndEnd logs request parameters.
type EntrypointName ¶
type EntrypointName string
EntrypointName identifies a CT entrypoint as defined in section 4 of RFC 6962.
type InstanceOptions ¶
type InstanceOptions struct { Deadline time.Duration MetricFactory monitoring.MetricFactory // ErrorMapper converts an error from an RPC request to an HTTP status, plus // a boolean to indicate whether the conversion succeeded. ErrorMapper func(error) (int, bool) RequestLog RequestLog }
InstanceOptions describes the options for a log instance.
type LogContext ¶
type LogContext struct { // LogPrefix is a pre-formatted string identifying the log for diagnostics LogPrefix string // TimeSource is a util.TimeSource that can be injected for testing TimeSource util.TimeSource // RequestLog is a logger for various request / processing / response debug // information. RequestLog RequestLog // contains filtered or unexported fields }
LogContext holds information for a specific log instance.
func NewLogContext ¶
func NewLogContext(logID int64, prefix string, validationOpts CertValidationOpts, rpcClient trillian.TrillianLogClient, signer *crypto.Signer, instanceOpts InstanceOptions, timeSource util.TimeSource) *LogContext
NewLogContext creates a new instance of LogContext.
func (*LogContext) Handlers ¶
func (c *LogContext) Handlers(prefix string) PathHandlers
Handlers returns a map from URL paths (with the given prefix) and AppHandler instances to handle those entrypoints.
type LogEntry ¶
type LogEntry struct { // The leaf structure that was built from the client submission Leaf ct.MerkleTreeLeaf // The complete chain for the certificate or precertificate as raw bytes Chain []ct.ASN1Cert `tls:"minlen:0,maxlen:16777215"` }
LogEntry holds the data we send to the backend with the leaf. There is a LogEntry type in the CT code but it is a superset of what we need. These structs are purely containers for data passed between the frontend and backend. They are not responsible for request validation or chain checking. Validation of submitted chains is the responsibility of the frontend. The backend handles generic blobs and does not know their format.
func NewLogEntry ¶
func NewLogEntry(leaf ct.MerkleTreeLeaf, certChain []*x509.Certificate) *LogEntry
NewLogEntry creates a new LogEntry instance based on the given Merkle tree leaf and certificate chain.
type PEMCertPool ¶
type PEMCertPool struct {
// contains filtered or unexported fields
}
PEMCertPool is a wrapper / extension to x509.CertPool. It allows us to access the raw certs, which we need to serve get-roots request and has stricter handling on loading certs into the pool. CertPool ignores errors if at least one cert loads correctly but PEMCertPool requires all certs to load.
func NewPEMCertPool ¶
func NewPEMCertPool() *PEMCertPool
NewPEMCertPool creates a new, empty, instance of PEMCertPool.
func (*PEMCertPool) AddCert ¶
func (p *PEMCertPool) AddCert(cert *x509.Certificate)
AddCert adds a certificate to a pool. Uses fingerprint to weed out duplicates. cert must not be nil.
func (*PEMCertPool) AppendCertsFromPEM ¶
func (p *PEMCertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)
AppendCertsFromPEM adds certs to the pool from a byte slice assumed to contain PEM encoded data. Skips over non certificate blocks in the data. Returns true if all certificates in the data were parsed and added to the pool successfully and at least one certificate was found.
func (*PEMCertPool) AppendCertsFromPEMFile ¶
func (p *PEMCertPool) AppendCertsFromPEMFile(pemFile string) error
AppendCertsFromPEMFile adds certs from a file that contains concatenated PEM data.
func (*PEMCertPool) CertPool ¶
func (p *PEMCertPool) CertPool() *x509.CertPool
CertPool returns the underlying CertPool.
func (*PEMCertPool) RawCertificates ¶
func (p *PEMCertPool) RawCertificates() []*x509.Certificate
RawCertificates returns a list of the raw bytes of certificates that are in this pool
func (*PEMCertPool) Subjects ¶
func (p *PEMCertPool) Subjects() (res [][]byte)
Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.
type PathHandlers ¶
type PathHandlers map[string]AppHandler
PathHandlers maps from a path to the relevant AppHandler instance.
func SetUpInstance ¶
func SetUpInstance(ctx context.Context, client trillian.TrillianLogClient, cfg *configpb.LogConfig, opts InstanceOptions) (*PathHandlers, error)
SetUpInstance sets up a log instance that uses the specified client to communicate with the Trillian RPC back end.
type RequestLog ¶
type RequestLog interface { // Start will be called once at the beginning of handling each request. // The supplied context will be the one used for request processing and // can be used by the logger to set values on the returned context. // The returned context should be used in all the following calls to // this API. This is normally arranged by the request handler code. Start(context.Context) context.Context // LogPrefix will be called once per request to set the log prefix. LogPrefix(context.Context, string) // AddDERToChain will be called once for each certificate in a submitted // chain. It's called early in request processing so the supplied bytes // have not been checked for validity. Calls will be in order of the // certificates as presented in the request with the root last. AddDERToChain(context.Context, []byte) // AddCertToChain will be called once for each certificate in the chain // after it has been parsed and verified. Calls will be in order of the // certificates as presented in the request with the root last. AddCertToChain(context.Context, *x509.Certificate) // FirstAndSecond will be called once for a consistency proof request with // the first and second tree sizes involved (if they parse correctly). FirstAndSecond(context.Context, int64, int64) // StartAndEnd will be called once for a get entries request with the // endpoints of the range requested (if they parse correctly). StartAndEnd(context.Context, int64, int64) // LeafIndex will be called once with the index of a leaf being requested // by get entry and proof (if the request params parse correctly). LeafIndex(context.Context, int64) // TreeSize will be called once with the requested tree size for get entry // and proof requests (if the request params parse correctly). TreeSize(context.Context, int64) // LeafHash will be called once for get proof by hash requests with the // requested hash value (if the parameters parse correctly). LeafHash(context.Context, []byte) // Status will be called once to set the HTTP status code that was the // the result after the request has been handled. Status(context.Context, int) }
RequestLog allows implementations to do structured logging of CTFE request parameters, submitted chains and other internal details that are useful for log operators when debugging issues. CTFE handlers will call the appropriate methods during request processing. The implementation is responsible for collating and storing the resulting logging information.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package configpb is a generated protocol buffer package.
|
Package configpb is a generated protocol buffer package. |
The ct_server binary runs the CT personality.
|
The ct_server binary runs the CT personality. |
Package testonly contains code and data that should only be used by tests.
|
Package testonly contains code and data that should only be used by tests. |