README
This is the really early beginnings of a certificate transparency log client written in Go, along with a log scanner tool.
You'll need go v1.1 or higher to compile.
Installation
This go code must be imported into your go workspace before you can use it, which can be done with:
go get github.com/google/certificate-transparency/go/client
go get github.com/google/certificate-transparency/go/scanner
etc.
Building the binaries
To compile the log scanner run:
go build github.com/google/certificate-transparency/go/scanner/main/scanner.go
Contributing
When sending pull requests, please ensure that everything's been run through gofmt beforehand so we can keep everything nice and tidy.
Documentation
Index
- Constants
- Variables
- func MarshalDigitallySigned(ds DigitallySigned) ([]byte, error)
- func ReadTimestampedEntryInto(r io.Reader, t *TimestampedEntry) error
- func SerializeSCT(sct SignedCertificateTimestamp) ([]byte, error)
- func SerializeSCTHere(sct SignedCertificateTimestamp, here []byte) ([]byte, error)
- func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
- func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
- type ASN1Cert
- type AuditPath
- type CTExtensions
- type ConsistencyProof
- type DigitallySigned
- type HashAlgorithm
- type LeafInput
- type LogEntry
- type LogEntryType
- type MerkleLeafType
- type MerkleTreeLeaf
- type MerkleTreeNode
- type PreCert
- type Precertificate
- type SHA256Hash
- type SignatureAlgorithm
- type SignatureType
- type SignatureVerifier
- type SignedCertificateTimestamp
- type SignedTreeHead
- type TimestampedEntry
- type Version
Constants
const (
	CertificateLengthBytes      = 3
	PreCertificateLengthBytes   = 3
	ExtensionsLengthBytes       = 2
	CertificateChainLengthBytes = 3
	SignatureLengthBytes        = 2
)
Variable size structure prefix-header byte lengths
const (
	MaxCertificateLength = (1 << 24) - 1
	MaxExtensionsLength  = (1 << 16) - 1
)
Max lengths
Variables
var (
	ErrInvalidVersion  error = sctError(1)
	ErrNotEnoughBuffer error = sctError(2)
)
Preallocate errors for performance
Functions
func MarshalDigitallySigned
func MarshalDigitallySigned(ds DigitallySigned) ([]byte, error)
MarshalDigitallySigned marshals a DigitallySigned structure into a byte array.
func ReadTimestampedEntryInto
func ReadTimestampedEntryInto(r io.Reader, t *TimestampedEntry) error
ReadTimestampedEntryInto parses the byte-stream representation of a TimestampedEntry from |r| and populates the struct |t| with the data. See RFC section 3.4 for details on the format. Returns a non-nil error if there was a problem.
func SerializeSCT
func SerializeSCT(sct SignedCertificateTimestamp) ([]byte, error)
SerializeSCT serializes the passed in sct into the format specified by RFC6962 section 3.2. Equivalent to SerializeSCTHere(sct, nil).
func SerializeSCTHere
func SerializeSCTHere(sct SignedCertificateTimestamp, here []byte) ([]byte, error)
SerializeSCTHere serializes the passed in sct into the format specified by RFC6962 section 3.2. If a byte slice here is provided, it will attempt to serialize into that slice; ErrNotEnoughBuffer will be returned if the buffer is too small. If a nil byte slice is provided, a buffer will be allocated for you. The returned slice will be sliced to the correct length.
func SerializeSCTSignatureInput
func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
SerializeSCTSignatureInput serializes the passed in sct and log entry into the correct format for signing.
func SerializeSTHSignatureInput
func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
SerializeSTHSignatureInput serializes the passed in sth into the correct format for signing.
Types
type ASN1Cert
type ASN1Cert []byte
ASN1Cert type for holding the raw DER bytes of an ASN.1 Certificate (section 3.1)
func UnmarshalPrecertChainArray
UnmarshalPrecertChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to a Precertificate leaf.
func UnmarshalX509ChainArray
UnmarshalX509ChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to an X509 leaf.
type AuditPath
type AuditPath []MerkleTreeNode
AuditPath represents a CT inclusion proof (see sections 2.1.1 and 4.5)
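An inclusion proof is only useful if the client recomputes the root from it. The following is an added example, not this package's code, that implements the Merkle tree hash (MTH) and audit path (PATH) definitions of RFC 6962 sections 2.1 and 2.1.1 for a constructed in-memory log, and a verifier that walks the AuditPath back up to the root and compares it with an STH root hash. The type names MerkleTreeNode and AuditPath mirror the page; the verification loop is the standard bitwise walk over the leaf index, and the sample entries are constructed strings standing in for leaf input.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// A MerkleTreeNode is a raw SHA-256 hash; an AuditPath is the list of sibling hashes for one leaf.
type MerkleTreeNode []byte
type AuditPath []MerkleTreeNode

// LeafHash is MTH({d}) = SHA-256(0x00 || d). The 0x00 prefix domain-separates leaves
// from interior nodes, so leaf bytes can never be presented as a subtree hash.
func LeafHash(d []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(d)
	return h.Sum(nil)
}

// nodeHash is SHA-256(0x01 || left || right) for interior nodes.
func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// split returns k, the largest power of two strictly smaller than n (n > 1).
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// MerkleTreeHash is MTH(D[n]) from RFC 6962 section 2.1.
func MerkleTreeHash(leaves [][]byte) []byte {
	switch n := len(leaves); n {
	case 0:
		return sha256.New().Sum(nil) // hash of the empty string
	case 1:
		return LeafHash(leaves[0])
	default:
		k := split(n)
		return nodeHash(MerkleTreeHash(leaves[:k]), MerkleTreeHash(leaves[k:]))
	}
}

// InclusionPath is PATH(m, D[n]) from section 2.1.1: the sibling hashes a log
// returns from get-proof-by-hash (section 4.5) for leaf m of an n-entry tree.
func InclusionPath(m int, leaves [][]byte) AuditPath {
	n := len(leaves)
	if n <= 1 {
		return AuditPath{}
	}
	k := split(n)
	if m < k {
		return append(InclusionPath(m, leaves[:k]), MerkleTreeHash(leaves[k:]))
	}
	return append(InclusionPath(m-k, leaves[k:]), MerkleTreeHash(leaves[:k]))
}

// VerifyInclusionProof recomputes the root from leafHash and path, walking up the
// tree by the bits of leafIndex, and compares it with the STH root hash. A wrong
// root, a path of the wrong length or an out-of-range index all fail.
func VerifyInclusionProof(leafIndex, treeSize int, leafHash, rootHash []byte, path AuditPath) error {
	if leafIndex < 0 || leafIndex >= treeSize {
		return fmt.Errorf("ct: leaf index %d outside tree of size %d", leafIndex, treeSize)
	}
	fn, sn := leafIndex, treeSize-1
	r := leafHash
	for _, p := range path {
		if sn == 0 {
			return fmt.Errorf("ct: audit path longer than the tree height")
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r) // p is a left sibling
			for fn&1 == 0 && fn != 0 { // skip levels where this subtree has no right sibling
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = nodeHash(r, p) // p is a right sibling
		}
		fn >>= 1
		sn >>= 1
	}
	if sn != 0 {
		return fmt.Errorf("ct: audit path too short for tree of size %d", treeSize)
	}
	if !bytes.Equal(r, rootHash) {
		return fmt.Errorf("ct: recomputed root %x does not match STH root %x", r, rootHash)
	}
	return nil
}

func main() {
	var leaves [][]byte // constructed sample log: five entries stand in for DER certificates
	for i := 0; i < 5; i++ {
		leaves = append(leaves, []byte(fmt.Sprintf("constructed-entry-%d", i)))
	}
	root, path := MerkleTreeHash(leaves), InclusionPath(3, leaves)
	fmt.Println("valid proof:", VerifyInclusionProof(3, 5, LeafHash(leaves[3]), root, path))
	fmt.Println("wrong index:", VerifyInclusionProof(2, 5, LeafHash(leaves[3]), root, path))
}
```

Run against a real log, the root would come from a get-sth response whose signature has already been checked, and the leaf hash from the MerkleTreeLeaf bytes of the entry in question; the proof proves nothing about a root the client has not authenticated first.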
type CTExtensions
type CTExtensions []byte
CTExtensions is a representation of the raw bytes of any CtExtension structure (see section 3.2)
type ConsistencyProof
type ConsistencyProof []MerkleTreeNode
ConsistencyProof represents a CT consistency proof (see sections 2.1.2 and 4.4)
type DigitallySigned
type DigitallySigned struct {
	HashAlgorithm      HashAlgorithm
	SignatureAlgorithm SignatureAlgorithm
	Signature          []byte
}
DigitallySigned represents an RFC5246 DigitallySigned structure
func UnmarshalDigitallySigned
func UnmarshalDigitallySigned(r io.Reader) (*DigitallySigned, error)
UnmarshalDigitallySigned reconstructs a DigitallySigned structure from a Reader
func (DigitallySigned) Base64String
func (d DigitallySigned) Base64String() (string, error)
Base64String returns the base64 representation of the DigitallySigned struct.
func (*DigitallySigned) FromBase64String
func (d *DigitallySigned) FromBase64String(b64 string) error
FromBase64String populates the DigitallySigned structure from the base64 data passed in. Returns an error if the base64 data is invalid.
func (DigitallySigned) MarshalJSON
func (d DigitallySigned) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*DigitallySigned) UnmarshalJSON
func (d *DigitallySigned) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type HashAlgorithm
type HashAlgorithm byte
HashAlgorithm from the DigitallySigned struct
const (
	None   HashAlgorithm = 0
	MD5    HashAlgorithm = 1
	SHA1   HashAlgorithm = 2
	SHA224 HashAlgorithm = 3
	SHA256 HashAlgorithm = 4
	SHA384 HashAlgorithm = 5
	SHA512 HashAlgorithm = 6
)
HashAlgorithm constants
func (HashAlgorithm) String
func (h HashAlgorithm) String() string
type LogEntry
type LogEntry struct {
	Index    int64
	Leaf     MerkleTreeLeaf
	X509Cert *x509.Certificate
	Precert  *Precertificate
	Chain    []ASN1Cert
	Server   string
}
LogEntry represents the contents of an entry in a CT log, see section 3.1.
type LogEntryType
type LogEntryType uint16
LogEntryType represents the LogEntryType enum from section 3.1 of the RFC:
enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
const (
	X509LogEntryType    LogEntryType = 0
	PrecertLogEntryType LogEntryType = 1
)
LogEntryType constants, see section 3.1 of RFC6962.
func (LogEntryType) String
func (e LogEntryType) String() string
type MerkleLeafType
type MerkleLeafType uint8
MerkleLeafType represents the MerkleLeafType enum from section 3.4 of the RFC:
enum { timestamped_entry(0), (255) } MerkleLeafType;
const (
	TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
)
MerkleLeafType constants, see section 3.4 of the RFC.
func (MerkleLeafType) String
func (m MerkleLeafType) String() string
type MerkleTreeLeaf
type MerkleTreeLeaf struct {
	Version          Version          // the version of the protocol to which the MerkleTreeLeaf corresponds
	LeafType         MerkleLeafType   // The type of the leaf input, currently only TimestampedEntry can exist
	TimestampedEntry TimestampedEntry // The entry data itself
}
MerkleTreeLeaf represents the deserialized structure of the hash input for the leaves of a log's Merkle tree. See RFC section 3.4.
func ReadMerkleTreeLeaf
func ReadMerkleTreeLeaf(r io.Reader) (*MerkleTreeLeaf, error)
ReadMerkleTreeLeaf parses the byte-stream representation of a MerkleTreeLeaf and returns a pointer to a new MerkleTreeLeaf structure containing the parsed data. See RFC section 3.4 for details on the format. Returns a pointer to a new MerkleTreeLeaf, or a non-nil error if there was a problem.
func (*MerkleTreeLeaf) X509Certificate
func (m *MerkleTreeLeaf) X509Certificate() (*x509.Certificate, error)
X509Certificate returns the X.509 Certificate contained within the MerkleTreeLeaf. Returns a pointer to an x509.Certificate or a non-nil error.
type MerkleTreeNode
type MerkleTreeNode []byte
MerkleTreeNode represents an internal node in the CT tree
type Precertificate
type Precertificate struct {
	// Raw DER bytes of the precert
	Raw []byte
	// SHA256 hash of the issuing key
	IssuerKeyHash [issuerKeyHashLength]byte
	// Parsed TBSCertificate structure (held in an x509.Certificate for ease of
	// access).
	TBSCertificate x509.Certificate
}
Precertificate represents the parsed CT Precertificate structure.
type SHA256Hash
SHA256Hash represents the output from the SHA256 hash function.
func PublicKeyFromPEM
PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
func (SHA256Hash) Base64String
func (s SHA256Hash) Base64String() string
Base64String returns the base64 representation of this SHA256Hash.
func (*SHA256Hash) FromBase64String
func (s *SHA256Hash) FromBase64String(b64 string) error
FromBase64String populates the SHA256Hash struct with the contents of the base64 data passed in.
func (SHA256Hash) MarshalJSON
func (s SHA256Hash) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for SHA256Hash.
func (*SHA256Hash) UnmarshalJSON
func (s *SHA256Hash) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type SignatureAlgorithm
type SignatureAlgorithm byte
SignatureAlgorithm from the DigitallySigned struct
const (
	Anonymous SignatureAlgorithm = 0
	RSA       SignatureAlgorithm = 1
	DSA       SignatureAlgorithm = 2
	ECDSA     SignatureAlgorithm = 3
)
SignatureAlgorithm constants
func (SignatureAlgorithm) String
func (s SignatureAlgorithm) String() string
type SignatureType
type SignatureType uint8
SignatureType differentiates STH signatures from SCT signatures, see RFC section 3.2
const (
	CertificateTimestampSignatureType SignatureType = 0
	TreeHashSignatureType             SignatureType = 1
)
SignatureType constants, see RFC section 3.2
func (SignatureType) String
func (st SignatureType) String() string
type SignatureVerifier
type SignatureVerifier struct {
	// contains filtered or unexported fields
}
SignatureVerifier can verify signatures on SCTs and STHs
func NewSignatureVerifier
func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error)
NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.
func (SignatureVerifier) VerifySCTSignature
func (s SignatureVerifier) VerifySCTSignature(sct SignedCertificateTimestamp, entry LogEntry) error
VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry
func (SignatureVerifier) VerifySTHSignature
func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error
VerifySTHSignature verifies that the STH's signature is valid.
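What VerifySTHSignature has to do is rebuild the exact bytes the log signed and check them under the log's key; the following is an added example of that, not this package's code. It serializes the TreeHeadSignature input of RFC 6962 section 3.5 (version, signature_type tree_hash, timestamp, tree_size, sha256_root_hash) and verifies an ECDSA P-256 / SHA-256 signature over it, which is the algorithm pair CT logs use in practice. The names SignatureVerifier, NewSignatureVerifier, VerifySTHSignature, SerializeSTHSignatureInput and the enum constants mirror the page; the struct fields are simplified, RSA keys are not handled, and the key pair, tree size and timestamp are generated or constructed so the example runs offline. Signing input for an SCT (section 3.2) is built the same way with the certificate_timestamp signature type and the entry appended.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Enum values from RFC 6962 section 3.2 and RFC 5246; names follow the page.
const (
	V1                    = 0 // Version v1
	TreeHashSignatureType = 1 // SignatureType tree_hash
	SHA256                = 4 // HashAlgorithm sha256
	ECDSA                 = 3 // SignatureAlgorithm ecdsa
)

type DigitallySigned struct {
	HashAlgorithm      byte
	SignatureAlgorithm byte
	Signature          []byte // DER-encoded ECDSA signature
}

type SignedTreeHead struct {
	Version           byte
	TreeSize          uint64
	Timestamp         uint64 // milliseconds since the Unix epoch
	SHA256RootHash    [32]byte
	TreeHeadSignature DigitallySigned
}

// SerializeSTHSignatureInput builds the 50-byte input of RFC 6962 section 3.5:
// version(1) || tree_hash(1) || timestamp(8) || tree_size(8) || root_hash(32).
// The signature_type byte binds the signature to STHs so it cannot be replayed as an SCT.
func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error) {
	if sth.Version != V1 {
		return nil, fmt.Errorf("ct: unsupported STH version %d", sth.Version)
	}
	var u64 [8]byte
	out := append(make([]byte, 0, 50), sth.Version, TreeHashSignatureType)
	binary.BigEndian.PutUint64(u64[:], sth.Timestamp)
	out = append(out, u64[:]...)
	binary.BigEndian.PutUint64(u64[:], sth.TreeSize)
	out = append(out, u64[:]...)
	return append(out, sth.SHA256RootHash[:]...), nil
}

// SignatureVerifier holds a log's public key; this example accepts ECDSA keys only.
type SignatureVerifier struct {
	pub *ecdsa.PublicKey
}

func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error) {
	pub, ok := pk.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("ct: unsupported public key type, want *ecdsa.PublicKey")
	}
	return &SignatureVerifier{pub: pub}, nil
}

// VerifySTHSignature checks the algorithm identifiers, rebuilds the signed input
// from the STH fields and verifies the signature under the log key.
func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error {
	ds := sth.TreeHeadSignature
	if ds.HashAlgorithm != SHA256 || ds.SignatureAlgorithm != ECDSA {
		return fmt.Errorf("ct: unexpected algorithms hash=%d sig=%d", ds.HashAlgorithm, ds.SignatureAlgorithm)
	}
	input, err := SerializeSTHSignatureInput(sth)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(input)
	if !ecdsa.VerifyASN1(s.pub, digest[:], ds.Signature) {
		return errors.New("ct: STH signature does not verify under the log's public key")
	}
	return nil
}

// SignSTH plays the log's role so the example runs offline; a client never signs,
// it only verifies with the key published for the log.
func SignSTH(priv *ecdsa.PrivateKey, sth *SignedTreeHead) error {
	input, err := SerializeSTHSignatureInput(*sth)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(input)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	sth.TreeHeadSignature = DigitallySigned{HashAlgorithm: SHA256, SignatureAlgorithm: ECDSA, Signature: sig}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for a log's key
	sth := SignedTreeHead{Version: V1, TreeSize: 1234, Timestamp: 1500000000000} // constructed values
	_ = SignSTH(priv, &sth)
	v, _ := NewSignatureVerifier(&priv.PublicKey)
	fmt.Println("genuine STH:", v.VerifySTHSignature(sth))
	forged := sth
	forged.TreeSize++ // a changed tree size cannot reuse the old signature
	fmt.Println("forged STH: ", v.VerifySTHSignature(forged))
}
```

Changing any signed field (tree size, timestamp or root hash) after signing makes verification fail, which is the property a monitor relies on when it holds a log to an STH it has seen.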
type SignedCertificateTimestamp
type SignedCertificateTimestamp struct {
	SCTVersion Version         `json:"version"`              // The version of the protocol to which the SCT conforms
	LogID      SHA256Hash      `json:"log_id"`               // the SHA-256 hash of the log's public key, calculated over
	                                                         // the DER encoding of the key represented as SubjectPublicKeyInfo.
	Timestamp  uint64          `json:"timestamp,omitempty"`  // Timestamp (in ms since unix epoch) at which the SCT was issued.
	                                                         // NOTE: When this is serialized, the output is in seconds, not milliseconds.
	Extensions CTExtensions    `json:"extensions,omitempty"` // For future extensions to the protocol
	Signature  DigitallySigned `json:"signature"`            // The Log's signature for this SCT
}
SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding (see RFC sections 3.2, 4.1 and 4.2).
func DeserializeSCT
func DeserializeSCT(r io.Reader) (*SignedCertificateTimestamp, error)
func (*SignedCertificateTimestamp) MarshalJSON
func (sct *SignedCertificateTimestamp) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (SignedCertificateTimestamp) SerializedLength
func (sct SignedCertificateTimestamp) SerializedLength() (int, error)
SerializedLength will return the space (in bytes)
func (SignedCertificateTimestamp) String
func (s SignedCertificateTimestamp) String() string
type SignedTreeHead
type SignedTreeHead struct {
	Version           Version         `json:"sth_version"`         // The version of the protocol to which the STH conforms
	TreeSize          uint64          `json:"tree_size"`           // The number of entries in the new tree
	Timestamp         uint64          `json:"timestamp"`           // The time at which the STH was created
	SHA256RootHash    SHA256Hash      `json:"sha256_root_hash"`    // The root hash of the log's Merkle tree
	TreeHeadSignature DigitallySigned `json:"tree_head_signature"` // The Log's signature for this STH (see RFC section 3.5)
	LogID             SHA256Hash      `json:"log_id"`              // The SHA256 hash of the log's public key
}
SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding (see sections 3.5 and 4.3 in the RFC).
type TimestampedEntry
type TimestampedEntry struct {
	Timestamp    uint64
	EntryType    LogEntryType
	X509Entry    ASN1Cert
	PrecertEntry PreCert
	Extensions   CTExtensions
}
TimestampedEntry is part of the MerkleTreeLeaf structure. See RFC section 3.4
Directories
Path | Synopsis
---|---
asn1 | Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
client | Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
x509 | Package x509 parses X.509-encoded keys and certificates.
pkix | Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.