trustmanager

Published: Sep 10, 2015 License: Apache-2.0 Imports: 24 Imported by: 0


Constants

This section is empty.

Variables

var ErrMemFileNotFound = errors.New("key not found in memory file store")

ErrMemFileNotFound is returned for a nonexistent "file" in the memory file store

var (
	// ErrPathOutsideStore indicates that the returned path would be
	// outside the store
	ErrPathOutsideStore = errors.New("path outside file store")
)

Functions

func CertToPEM

func CertToPEM(cert *x509.Certificate) []byte

CertToPEM is a utility function that returns the PEM encoding of an x509 Certificate.

func CertsToKeys

func CertsToKeys(certs []*x509.Certificate) map[string]data.PublicKey

CertsToKeys transforms each of the input certificates into its corresponding PublicKey, returned as a map keyed by a string identifier.

func CreateDirectory

func CreateDirectory(dir string) error

CreateDirectory uses createDirectory to create a directory with mode 0755 (world-readable). Do not use it for directories that will hold private key material; see CreatePrivateDirectory.

func CreatePrivateDirectory

func CreatePrivateDirectory(dir string) error

CreatePrivateDirectory uses createDirectory to create a directory with mode 0700 (accessible only by the owner). This is the appropriate choice for directories holding private keys or other secrets.

func ECDSAToPrivateKey

func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error)

ECDSAToPrivateKey converts an ecdsa.PrivateKey to a TUF data.PrivateKey type.

func ED25519ToPrivateKey

func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error)

ED25519ToPrivateKey converts a serialized ED25519 key to a TUF data.PrivateKey type

func EncryptPrivateKey

func EncryptPrivateKey(key data.PrivateKey, passphrase string) ([]byte, error)

EncryptPrivateKey returns a passphrase-encrypted, PEM-encoded key given a PrivateKey and a passphrase. The protection afforded to the key at rest is only as strong as the passphrase chosen.

func FingerprintCert

func FingerprintCert(cert *x509.Certificate) (string, error)

FingerprintCert returns a TUF compliant fingerprint for a X509 Certificate

func GenerateECDSAKey

func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error)

GenerateECDSAKey generates an ECDSA private key from the supplied entropy source and returns it as a TUF PrivateKey. random must be a cryptographically secure reader (e.g. crypto/rand.Reader); a predictable reader yields a predictable, and therefore worthless, key.

func GenerateED25519Key

func GenerateED25519Key(random io.Reader) (data.PrivateKey, error)

GenerateED25519Key generates an ED25519 private key from the supplied entropy source and returns it as a TUF PrivateKey. random must be a cryptographically secure reader (e.g. crypto/rand.Reader). The serialization format used is simply the public key bytes followed by the private key bytes.

func GenerateRSAKey

func GenerateRSAKey(random io.Reader, bits int) (data.PrivateKey, error)

GenerateRSAKey generates an RSA private key of the given modulus size from the supplied entropy source and returns it as a TUF PrivateKey. random must be a cryptographically secure reader (e.g. crypto/rand.Reader). No minimum for bits is documented here, so callers should pass at least 2048.

func GetCertFromURL

func GetCertFromURL(urlStr string) (*x509.Certificate, error)

GetCertFromURL tries to fetch an X509 certificate from the given HTTPS URL. Successfully retrieving a certificate does not make it trustworthy: it is only as trusted as the TLS connection it came over, so callers should validate it (e.g. with Verify against an X509Store) before treating it as a trust anchor.

func GetIntermediateCerts

func GetIntermediateCerts(certs []*x509.Certificate) (intCerts []*x509.Certificate)

GetIntermediateCerts parses a list of x509 Certificates and returns every one whose CA flag is set, to be used as intermediates. Because selection is by the CA flag alone, a self-signed root present in the input is returned as well.

func GetLeafCerts

func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate

GetLeafCerts parses a list of x509 Certificates and returns those whose CA flag is not set, i.e. the leaf certificates.

func KeyToPEM

func KeyToPEM(privKey data.PrivateKey) ([]byte, error)

KeyToPEM returns a PEM encoded key from a Private Key

func LoadCertBundleFromFile

func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error)

LoadCertBundleFromFile loads certificates from the file named by filename. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE".

func LoadCertBundleFromPEM

func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error)

LoadCertBundleFromPEM loads certificates from the []byte provided. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE".

func LoadCertFromFile

func LoadCertFromFile(filename string) (*x509.Certificate, error)

LoadCertFromFile loads the first certificate from the file provided. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE".

func LoadCertFromPEM

func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error)

LoadCertFromPEM returns the first certificate found in a bunch of bytes or error if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.

func NewCertificate

func NewCertificate(gun string) (*x509.Certificate, error)

NewCertificate returns an X509 Certificate following a template, given a GUN.

func ParsePEMPrivateKey

func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error)

ParsePEMPrivateKey returns a data.PrivateKey from a PEM-encoded private key. It only supports RSA keys in PKCS#1 form; if the PEM block is encrypted, it is first decrypted with the supplied passphrase.

func RSAToPrivateKey

func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error)

RSAToPrivateKey converts an rsa.Private key to a TUF data.PrivateKey type

func Verify

func Verify(s X509Store, dnsName string, certList []*x509.Certificate) error

Verify operates on an X509Store and validates that a chain of trust exists from the leaf certificate in certList, through the supplied intermediates, to a CA present inside the X509Store; dnsName is passed through to the store's GetVerifyOptions, so only the store's own roots are consulted, never the system roots. It requires at least two certificates in certList: a leaf certificate and an intermediate CA certificate.

Types

type CertID

type CertID string

CertID represent the ID used to identify certificates

type ErrAttemptsExceeded

type ErrAttemptsExceeded struct{}

ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

func (ErrAttemptsExceeded) Error

func (err ErrAttemptsExceeded) Error() string

ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

type ErrBadCertificateStore

type ErrBadCertificateStore struct {
}

ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store

func (ErrBadCertificateStore) Error

func (err ErrBadCertificateStore) Error() string

ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store

type ErrCertExists

type ErrCertExists struct {
}

ErrCertExists is returned when a Certificate already exists in the key store

func (ErrCertExists) Error

func (err ErrCertExists) Error() string

ErrCertExists is returned when a Certificate already exists in the key store

type ErrCertValidation

type ErrCertValidation struct {
}

ErrCertValidation is returned when a certificate doesn't pass the store specific validations

func (ErrCertValidation) Error

func (err ErrCertValidation) Error() string

ErrCertValidation is returned when a certificate doesn't pass the store specific validations

type ErrKeyNotFound

type ErrKeyNotFound struct {
	KeyID string
}

ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

func (ErrKeyNotFound) Error

func (err ErrKeyNotFound) Error() string

ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

type ErrNoCertificatesFound

type ErrNoCertificatesFound struct {
	// contains filtered or unexported fields
}

ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*

func (ErrNoCertificatesFound) Error

func (err ErrNoCertificatesFound) Error() string

ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*

type ErrPasswordInvalid

type ErrPasswordInvalid struct{}

ErrPasswordInvalid is returned when a key cannot be unlocked for signing, most likely because the supplied passphrase is wrong. It could also mean the signing key file was corrupted, but the two cases cannot be distinguished.

func (ErrPasswordInvalid) Error

func (err ErrPasswordInvalid) Error() string

ErrPasswordInvalid is returned when a key cannot be unlocked for signing, most likely because the supplied passphrase is wrong. It could also mean the signing key file was corrupted, but the two cases cannot be distinguished.

type FileStore

type FileStore interface {
	// The bare Add/Remove/Get/ListFiles primitives.
	LimitedFileStore

	// RemoveDir removes the directory identified by directoryName.
	RemoveDir(directoryName string) error
	// GetPath returns the full final path of the file with the given name.
	// Paths that would resolve outside the store are expected to be rejected
	// with ErrPathOutsideStore — confirm against the implementation.
	GetPath(fileName string) (string, error)
	// ListDir lists all the files inside the directory identified by
	// directoryName; symlinks controls whether symlinks are included — confirm.
	ListDir(directoryName string, symlinks bool) []string
	// Link creates a symlink from src to dst (src given as a full path, dst
	// as a local name so the link itself is relative).
	Link(src, dst string) error
	// BaseDir returns the base directory of the store.
	BaseDir() string
}

FileStore is the interface for full-featured FileStores

type KeyFileStore

type KeyFileStore struct {
	sync.Mutex
	SimpleFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}

KeyFileStore persists and manages private keys on disk

func NewKeyFileStore

func NewKeyFileStore(baseDir string, passphraseRetriever passphrase.Retriever) (*KeyFileStore, error)

NewKeyFileStore returns a new KeyFileStore, creating a private (mode 0700) directory to hold the keys; passphraseRetriever is consulted when a stored key needs to be unlocked.

func (*KeyFileStore) AddKey

func (s *KeyFileStore) AddKey(name, alias string, privKey data.PrivateKey) error

AddKey stores the contents of a PEM-encoded private key as a PEM block

func (*KeyFileStore) GetKey

func (s *KeyFileStore) GetKey(name string) (data.PrivateKey, string, error)

GetKey returns the PrivateKey given a KeyID

func (*KeyFileStore) ListKeys

func (s *KeyFileStore) ListKeys() map[string]string

ListKeys returns a list of unique PublicKeys present on the KeyFileStore. There might be symlinks associating Certificate IDs to Public Keys, so this method only returns the IDs that aren't symlinks

func (*KeyFileStore) RemoveKey

func (s *KeyFileStore) RemoveKey(name string) error

RemoveKey removes the key from the keyfilestore

type KeyMemoryStore

type KeyMemoryStore struct {
	sync.Mutex
	MemoryFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}

KeyMemoryStore manages private keys in memory

func NewKeyMemoryStore

func NewKeyMemoryStore(passphraseRetriever passphrase.Retriever) *KeyMemoryStore

NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory

func (*KeyMemoryStore) AddKey

func (s *KeyMemoryStore) AddKey(name, alias string, privKey data.PrivateKey) error

AddKey stores the contents of a PEM-encoded private key as a PEM block

func (*KeyMemoryStore) GetKey

func (s *KeyMemoryStore) GetKey(name string) (data.PrivateKey, string, error)

GetKey returns the PrivateKey given a KeyID

func (*KeyMemoryStore) ListKeys

func (s *KeyMemoryStore) ListKeys() map[string]string

ListKeys returns a list of unique PublicKeys present in the KeyMemoryStore. There might be symlinks associating Certificate IDs to Public Keys, so this method only returns the IDs that aren't symlinks.

func (*KeyMemoryStore) RemoveKey

func (s *KeyMemoryStore) RemoveKey(name string) error

RemoveKey removes the key from the keystore

type KeyStore

type KeyStore interface {
	// AddKey stores privKey under name with the given alias.
	AddKey(name, alias string, privKey data.PrivateKey) error
	// GetKey returns the private key stored under name (a key ID) plus a
	// second string (presumably its alias — confirm); ErrKeyNotFound when
	// the key is absent.
	GetKey(name string) (data.PrivateKey, string, error)
	// ListKeys maps each key ID in the store to a string; the implementations
	// exclude IDs that are only symlinks to other keys.
	ListKeys() map[string]string
	// RemoveKey removes the key stored under name.
	RemoveKey(name string) error
}

KeyStore is a generic interface for private key storage

type LimitedFileStore

type LimitedFileStore interface {
	// Add writes data to the file called fileName.
	Add(fileName string, data []byte) error
	// Remove deletes the file called fileName.
	Remove(fileName string) error
	// Get returns the contents of the file called fileName (the in-memory
	// implementation reports a missing file with ErrMemFileNotFound).
	Get(fileName string) ([]byte, error)
	// ListFiles lists all the files in the store; symlinks controls whether
	// symlinks are included — confirm against the implementations.
	ListFiles(symlinks bool) []string
}

LimitedFileStore implements the bare bones primitives (no symlinks or hierarchy)

type MemoryFileStore

type MemoryFileStore struct {
	sync.Mutex
	// contains filtered or unexported fields
}

MemoryFileStore is an implementation of LimitedFileStore that keeps the contents in memory.

func NewMemoryFileStore

func NewMemoryFileStore() *MemoryFileStore

NewMemoryFileStore creates a MemoryFileStore

func (*MemoryFileStore) Add

func (f *MemoryFileStore) Add(name string, data []byte) error

Add writes data to a file with a given name

func (*MemoryFileStore) Get

func (f *MemoryFileStore) Get(name string) ([]byte, error)

Get returns the data given a file name

func (*MemoryFileStore) ListFiles

func (f *MemoryFileStore) ListFiles(symlinks bool) []string

ListFiles lists all the files inside of a store

func (*MemoryFileStore) Remove

func (f *MemoryFileStore) Remove(name string) error

Remove removes a file identified by name

type SimpleFileStore

type SimpleFileStore struct {
	// contains filtered or unexported fields
}

SimpleFileStore implements FileStore

func NewPrivateSimpleFileStore

func NewPrivateSimpleFileStore(baseDir string, fileExt string) (*SimpleFileStore, error)

NewPrivateSimpleFileStore creates a SimpleFileStore rooted at baseDir, creating that directory with mode 0700 (owner-only). Use this variant for anything that holds secrets.

func NewSimpleFileStore

func NewSimpleFileStore(baseDir string, fileExt string) (*SimpleFileStore, error)

NewSimpleFileStore creates a SimpleFileStore rooted at baseDir, creating that directory with mode 0755 (world-readable). Files in it are not protected from other local users, so it is unsuitable for private keys; use NewPrivateSimpleFileStore for those.

func (*SimpleFileStore) Add

func (f *SimpleFileStore) Add(name string, data []byte) error

Add writes data to a file with a given name

func (*SimpleFileStore) BaseDir

func (f *SimpleFileStore) BaseDir() string

BaseDir returns the base directory of the filestore

func (*SimpleFileStore) Get

func (f *SimpleFileStore) Get(name string) ([]byte, error)

Get returns the data given a file name

func (*SimpleFileStore) GetPath

func (f *SimpleFileStore) GetPath(name string) (string, error)

GetPath returns the full final path of a file with a given name. Names that would resolve to a path outside the store's base directory are expected to be rejected with ErrPathOutsideStore rather than returned.

func (f *SimpleFileStore) Link(oldname, newname string) error

Link creates a symlink from the ID of the certificate used by a repository to the ID of the root key in use. The source is given as a full path and the destination as a local name, so that the symlink itself uses a relative path.

func (*SimpleFileStore) ListDir

func (f *SimpleFileStore) ListDir(name string, symlinks bool) []string

ListDir lists all the files inside of a directory identified by a name

func (*SimpleFileStore) ListFiles

func (f *SimpleFileStore) ListFiles(symlinks bool) []string

ListFiles lists all the files inside of a store

func (*SimpleFileStore) Remove

func (f *SimpleFileStore) Remove(name string) error

Remove removes a file identified by name

func (*SimpleFileStore) RemoveDir

func (f *SimpleFileStore) RemoveDir(name string) error

RemoveDir removes the directory identified by name

type Validator

type Validator interface {
	// Validate reports whether cert may be added to a store; returning false
	// filters the certificate out.
	Validate(cert *x509.Certificate) bool
}

Validator is a convenience type for validating functions that filter which certificates get added to the store.

type ValidatorFunc

type ValidatorFunc func(cert *x509.Certificate) bool

ValidatorFunc is a convenience type to create functions that implement the Validator interface

func (ValidatorFunc) Validate

func (vf ValidatorFunc) Validate(cert *x509.Certificate) bool

Validate implements the Validator interface, allowing any func(*x509.Certificate) bool to be passed as a Validator.

type X509FileStore

type X509FileStore struct {
	// contains filtered or unexported fields
}

X509FileStore implements X509Store that persists on disk

func NewX509FileStore

func NewX509FileStore(directory string) (*X509FileStore, error)

NewX509FileStore returns a new X509FileStore.

func NewX509FilteredFileStore

func NewX509FilteredFileStore(directory string, validate func(*x509.Certificate) bool) (*X509FileStore, error)

NewX509FilteredFileStore returns a new X509FileStore that runs validate on every certificate before it is added and rejects those for which it returns false (see ErrCertValidation).

func (*X509FileStore) AddCert

func (s *X509FileStore) AddCert(cert *x509.Certificate) error

AddCert creates a filename for a given cert and adds a certificate with that name

func (*X509FileStore) AddCertFromFile

func (s *X509FileStore) AddCertFromFile(filename string) error

AddCertFromFile tries to add an X509 certificate to the store, read from the given filename.

func (X509FileStore) AddCertFromPEM

func (s X509FileStore) AddCertFromPEM(pemBytes []byte) error

AddCertFromPEM adds the first certificate that it finds in the []byte, returning an error if no certificates are found.

func (*X509FileStore) GetCertificateByCertID

func (s *X509FileStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)

GetCertificateByCertID returns the certificate that matches a certain certID

func (*X509FileStore) GetCertificatePool

func (s *X509FileStore) GetCertificatePool() *x509.CertPool

GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.

func (*X509FileStore) GetCertificates

func (s *X509FileStore) GetCertificates() []*x509.Certificate

GetCertificates returns an array with all of the current X509 Certificates.

func (*X509FileStore) GetCertificatesByCN

func (s *X509FileStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)

GetCertificatesByCN returns all the certificates that match a specific CommonName

func (*X509FileStore) GetVerifyOptions

func (s *X509FileStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)

GetVerifyOptions returns VerifyOptions whose roots are the certificates held in this X509Store. The system root pool is never consulted, and an error is returned if the store holds no root CAs, so verification can only succeed against CAs explicitly added to the store.

func (*X509FileStore) RemoveAll

func (s *X509FileStore) RemoveAll() error

RemoveAll removes all the certificates from the store

func (*X509FileStore) RemoveCert

func (s *X509FileStore) RemoveCert(cert *x509.Certificate) error

RemoveCert removes a certificate from a X509FileStore.

type X509MemStore

type X509MemStore struct {
	// contains filtered or unexported fields
}

X509MemStore implements X509Store as an in-memory object with no persistence

func NewX509FilteredMemStore

func NewX509FilteredMemStore(validate func(*x509.Certificate) bool) *X509MemStore

NewX509FilteredMemStore returns a new X509MemStore that runs validate on every certificate before it is added and rejects those for which it returns false (see ErrCertValidation).

func NewX509MemStore

func NewX509MemStore() *X509MemStore

NewX509MemStore returns a new X509MemStore.

func (*X509MemStore) AddCert

func (s *X509MemStore) AddCert(cert *x509.Certificate) error

AddCert adds a certificate to the store

func (*X509MemStore) AddCertFromFile

func (s *X509MemStore) AddCertFromFile(originFilname string) error

AddCertFromFile tries to add an X509 certificate to the store, read from the given filename.

func (*X509MemStore) AddCertFromPEM

func (s *X509MemStore) AddCertFromPEM(pemBytes []byte) error

AddCertFromPEM adds a certificate to the store from a PEM blob

func (*X509MemStore) GetCertificateByCertID

func (s *X509MemStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)

GetCertificateByCertID returns the certificate that matches a certain certID

func (*X509MemStore) GetCertificatePool

func (s *X509MemStore) GetCertificatePool() *x509.CertPool

GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.

func (*X509MemStore) GetCertificates

func (s *X509MemStore) GetCertificates() []*x509.Certificate

GetCertificates returns an array with all of the current X509 Certificates.

func (*X509MemStore) GetCertificatesByCN

func (s *X509MemStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)

GetCertificatesByCN returns all the certificates that match a specific CommonName

func (*X509MemStore) GetVerifyOptions

func (s *X509MemStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)

GetVerifyOptions returns VerifyOptions whose roots are the certificates held in this X509Store. The system root pool is never consulted, and an error is returned if the store holds no root CAs, so verification can only succeed against CAs explicitly added to the store.

func (*X509MemStore) RemoveAll

func (s *X509MemStore) RemoveAll() error

RemoveAll removes all the certificates from the store

func (*X509MemStore) RemoveCert

func (s *X509MemStore) RemoveCert(cert *x509.Certificate) error

RemoveCert removes a certificate from a X509MemStore.

type X509Store

type X509Store interface {
	// AddCert adds a certificate to the store; filtered stores reject
	// certificates that fail their validator (see ErrCertValidation).
	AddCert(cert *x509.Certificate) error
	// AddCertFromPEM adds the first certificate found in pemCerts, returning
	// an error if none is found.
	AddCertFromPEM(pemCerts []byte) error
	// AddCertFromFile adds a certificate read from the named file.
	AddCertFromFile(filename string) error
	// RemoveCert removes a single certificate from the store.
	RemoveCert(cert *x509.Certificate) error
	// RemoveAll removes every certificate from the store.
	RemoveAll() error
	// GetCertificateByCertID returns the certificate matching certID.
	GetCertificateByCertID(certID string) (*x509.Certificate, error)
	// GetCertificatesByCN returns all certificates whose CommonName is cn
	// (ErrNoCertificatesFound when there are none).
	GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
	// GetCertificates returns all certificates currently in the store.
	GetCertificates() []*x509.Certificate
	// GetCertificatePool returns an x509.CertPool holding every certificate
	// in the store.
	GetCertificatePool() *x509.CertPool
	// GetVerifyOptions returns x509.VerifyOptions whose Roots are the store's
	// certificates (dnsName presumably becomes DNSName — confirm). System
	// roots are never used; an error is returned if the store holds no root CA.
	GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
}

X509Store is the interface for all X509Stores
