Documentation
Overview
Package trust defines type Store, a unified interface for TRC and Certificate retrieval.
Index
- Constants
- Variables
- func CreateSign(ia addr.IA, store infra.TrustStore) (*proto.SignS, error)
- func LoadKey(file string, algo string) (common.RawBytes, error)
- func VerifyChain(subject addr.IA, chain *cert.Chain, store infra.TrustStore) error
- type Config
- type KeyConf
- type Store
- func (store *Store) ChooseServer(destination addr.IA) (net.Addr, error)
- func (store *Store) GetChain(ctx context.Context, ia addr.IA, version uint64) (*cert.Chain, error)
- func (store *Store) GetTRC(ctx context.Context, isd addr.ISD, version uint64) (*trc.TRC, error)
- func (store *Store) GetValidChain(ctx context.Context, ia addr.IA, trail ...addr.ISD) (*cert.Chain, error)
- func (store *Store) GetValidTRC(ctx context.Context, isd addr.ISD, trail ...addr.ISD) (*trc.TRC, error)
- func (store *Store) LoadAuthoritativeChain(dir string) error
- func (store *Store) LoadAuthoritativeTRC(dir string) error
- func (store *Store) NewChainPushHandler() infra.Handler
- func (store *Store) NewChainReqHandler(recurse bool) infra.Handler
- func (store *Store) NewTRCPushHandler() infra.Handler
- func (store *Store) NewTRCReqHandler(recurse bool) infra.Handler
- func (store *Store) SetMessenger(msger infra.Messenger)
- type ValidateChainF
- type ValidateTRCF
Constants
const (
	IssSigKeyFile = "core-sig.seed" // TODO(roosd): rename "core-sig.key" -> "iss-sig.key"
	DecKeyFile    = "as-decrypt.key"
	OffKeyFile    = "offline-root.seed"
	OnKeyFile     = "online-root.seed"
	SigKeyFile    = "as-sig.seed"
)
const (
	ErrorOpen    = "Unable to load key"
	ErrorParse   = "Unable to parse key file"
	ErrorUnknown = "Unknown algorithm"
)
const (
	// Handler lifetime
	HandlerTimeout = 3 * time.Second
)
const RawKey = "raw"
Variables
var (
	ErrEndOfTrail           = "Reached end of trail, but no trusted TRC found"
	ErrMissingAuthoritative = "Trust store is authoritative for requested object, and object was not found"
)
Functions
func CreateSign (added in v0.1.1)
func LoadKey (added in v0.1.1)
LoadKey decodes a base64-encoded key stored in the given file and returns the raw bytes.
func VerifyChain (added in v0.1.1)
VerifyChain verifies the chain based on the TRCs present in the store.
Types
type Config (added in v0.1.1)
type Config struct {
	// MustHaveLocalChain states that chain requests for the trust store's own
	// IA must always return a valid chain. This is set to true on CSes and to
	// false on others.
	MustHaveLocalChain bool
	// LocalCSes must have a length of 0 on CS nodes. On others, a random entry
	// is queried for TRCs and Chains.
	LocalCSes []net.Addr
}
type KeyConf (added in v0.1.1)
type KeyConf struct {
	// IssSigKey is the AS issuer signing Key.
	IssSigKey common.RawBytes
	// DecryptKey is the AS decryption key.
	DecryptKey common.RawBytes
	// OffRootKey is the AS offline root key.
	OffRootKey common.RawBytes
	// OnRootKey is the AS online root key.
	OnRootKey common.RawBytes
	// SignKey is the AS signing key.
	SignKey common.RawBytes
}
func LoadKeyConf (added in v0.1.1)
LoadKeyConf loads the key configuration from the specified path. issSigKey, onKey and offKey can be set to true to load the respective keys.
type Store
type Store struct {
// contains filtered or unexported fields
}
Store manages requests for TRC and Certificate Chain objects.
Chain and TRC requests from the local process (running the trust store) are handled by GetValidChain/GetChain and GetValidTRC/GetTRC respectively, while requests from other services can be handled via NewXxxReqHandler methods.
By default, a Store object can only return objects that are already present in the database. To allow a Store to use the SCION network to retrieve objects from other infrastructure services, an infra.Messenger must be set with SetMessenger.
Store is backed by a sqlite3 database in package go/lib/infra/modules/trust/trustdb.
func NewStore
func NewStore(db *trustdb.DB, local addr.IA, startID uint64, options *Config, logger log.Logger) (*Store, error)
NewStore initializes a TRC/Certificate Chain cache/resolver backed by db. Parameter local must specify the AS in which the trust store resides (which is used during request forwarding decisions). When sending infra messages, the trust store will use IDs starting from startID, and increment by one for each message.
func (*Store) ChooseServer (added in v0.1.1)
ChooseServer builds the address of the CS to contact for crypto material concerning the destination AS.
func (*Store) GetChain
GetChain asks the trust store to return a certificate chain of requested version without performing any verification. If the certificate chain is not available, it is requested from the authoritative CS.
func (*Store) GetTRC
GetTRC asks the trust store to return a TRC of the requested version without performing any verification. If the TRC is not available, it is requested from the authoritative CS.
func (*Store) GetValidChain
func (store *Store) GetValidChain(ctx context.Context, ia addr.IA, trail ...addr.ISD) (*cert.Chain, error)
GetValidChain asks the trust store to return a valid certificate chain for ia. Trail should contain a sequence of cross-signing ISDs to be used during validation, with the ISD of the certificate chain being the first one.
func (*Store) GetValidTRC
func (store *Store) GetValidTRC(ctx context.Context, isd addr.ISD, trail ...addr.ISD) (*trc.TRC, error)
GetValidTRC asks the trust store to return a valid TRC for isd. Trail should contain a sequence of cross-signing ISDs to be used during validation, with the requested TRC being the first one.
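The trail walk behind GetValidTRC, as an added example that is not the package's own code: toyTRC, toyStore and the ed25519 cross-signature are constructed simplifications (the real trc.TRC and its verification are not reproduced here), but the control flow follows the semantics stated above: trail[0] is the requested ISD, each later ISD is the cross-signer of the one before it, and running off the end of the trail without reaching a trusted TRC yields ErrEndOfTrail.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// toyTRC is a constructed stand-in for trc.TRC; Sig is made over Content by the core key of ISD CrossISD.
type toyTRC struct {
	ISD, CrossISD uint16
	CoreKey       ed25519.PublicKey
	Content, Sig  []byte
}
var ErrEndOfTrail = errors.New("Reached end of trail, but no trusted TRC found")
// toyStore keeps validated TRCs (trusted) apart from merely cached ones.
type toyStore struct{ trusted, cached map[uint16]*toyTRC }
// getValidTRC models the trail walk: trail[0] is the requested ISD and each
// following ISD must have cross-signed the TRC of the ISD before it.
func (s *toyStore) getValidTRC(trail ...uint16) (*toyTRC, error) {
	if len(trail) == 0 {
		return nil, ErrEndOfTrail
	}
	if t := s.trusted[trail[0]]; t != nil {
		return t, nil // already validated: this anchors the walk
	}
	signer, err := s.getValidTRC(trail[1:]...) // validate the cross-signer first
	if err != nil {
		return nil, err
	}
	cand := s.cached[trail[0]]
	if cand == nil || cand.CrossISD != signer.ISD || !ed25519.Verify(signer.CoreKey, cand.Content, cand.Sig) {
		return nil, fmt.Errorf("TRC for ISD %d missing or not cross-signed by ISD %d", trail[0], signer.ISD)
	}
	s.trusted[trail[0]] = cand // promote to trusted for later lookups
	return cand, nil
}
// sampleStore builds constructed data: ISD 1 is the trusted local TRC, ISD 2 is
// cross-signed by ISD 1's core key and ISD 3 by ISD 2's core key.
func sampleStore() *toyStore {
	pub1, priv1, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	pub2, priv2, _ := ed25519.GenerateKey(nil)
	pub3, _, _ := ed25519.GenerateKey(nil)
	t1 := &toyTRC{ISD: 1, CoreKey: pub1}
	t2 := &toyTRC{ISD: 2, CrossISD: 1, CoreKey: pub2, Content: []byte("toy TRC 2")}
	t3 := &toyTRC{ISD: 3, CrossISD: 2, CoreKey: pub3, Content: []byte("toy TRC 3")}
	t2.Sig, t3.Sig = ed25519.Sign(priv1, t2.Content), ed25519.Sign(priv2, t3.Content)
	return &toyStore{trusted: map[uint16]*toyTRC{1: t1}, cached: map[uint16]*toyTRC{2: t2, 3: t3}}
}
func main() { fmt.Println(sampleStore().getValidTRC(3, 2, 1)) }
```

A trail that omits the local ISD (for example 3, 2 on this store) never reaches a trusted TRC and fails with ErrEndOfTrail, while a trail whose order does not match the cross-signing relation (3, 1) is rejected at the signature check.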
func (*Store) LoadAuthoritativeChain (added in v0.1.1)
func (*Store) LoadAuthoritativeTRC (added in v0.1.1)
func (*Store) NewChainPushHandler (added in v0.1.1)
NewChainPushHandler returns an infra.Handler for Certificate Chain pushes coming from a peer, backed by the trust store. Certificate chains are pushed by other ASes during core registration. Pushes are allowed from all local ISD sources.
func (*Store) NewChainReqHandler
NewChainReqHandler returns an infra.Handler for Certificate Chain requests coming from a peer, backed by the trust store. If recurse is set to true, the handler is allowed to issue new TRC and Certificate Chain requests over the network. This method should only be used when servicing requests coming from remote nodes.
func (*Store) NewTRCPushHandler (added in v0.1.1)
NewTRCPushHandler returns an infra.Handler for TRC pushes coming from a peer, backed by the trust store. TRCs are pushed by local BSes during beaconing. Pushes are allowed from all local AS sources.
func (*Store) NewTRCReqHandler
NewTRCReqHandler returns an infra.Handler for TRC requests coming from a peer, backed by the trust store. If recurse is set to true, the handler is allowed to issue new TRC requests over the network. This method should only be used when servicing requests coming from remote nodes.
func (*Store) SetMessenger
SetMessenger enables network access for the trust store via msger. The messenger can only be set once.