pki

package
v0.0.31 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 21, 2024 License: AGPL-3.0, AGPL-3.0 Imports: 22 Imported by: 2

Documentation

Index

Constants

View Source 
const (
	// LayerProvider is the Layer that providers list in their MixDescriptors.
	LayerProvider           = 255
	PublicKeyHashSize       = 32
	SharedRandomLength      = 40
	SharedRandomValueLength = 32

	// DocumentVersion identifies the document format version
	DocumentVersion = "v0"
)
View Source 
const (
	DescriptorVersion = "v0"
)

Variables

View Source 
var (
	ErrNoSignature       = errors.New("MixDescriptor has no signature")
	ErrInvalidSignature  = errors.New("MixDescriptor has an invalid signature")
	ErrTooManySignatures = errors.New("MixDescriptor has more than one signature")
)
View Source 
var (
	// ErrNoDocument is the error returned when there never will be a document
	// for a given epoch.
	ErrNoDocument = errors.New("pki: requested epoch will never get a document")

	// ErrInvalidPostEpoch is the error returned when the server rejects a
	// descriptor upload for a given epoch due to time reasons.
	ErrInvalidPostEpoch = errors.New("pki: post for epoch will never succeeed")

	// ErrInvalidEpoch is the error to return when the document epoch is invalid.
	ErrInvalidEpoch = errors.New("invalid document epoch")

	// ErrDocumentNotSigned is the error returned when deserializing an unsigned
	// document
	ErrDocumentNotSigned = errors.New("document not signed")

	// TrustOnFirstUseAuth is a MixDescriptor.AuthenticationType
	TrustOnFirstUseAuth = "tofu"

	// OutOfBandAuth is a MixDescriptor.AuthenticationType
	OutOfBandAuth = "oob"
)

Functions

func GetVerifierFromDescriptor 

func GetVerifierFromDescriptor(rawDesc []byte) (sign.PublicKey, error)

GetVerifierFromDescriptor returns a verifier for the given mix descriptor certificate.

func IsDescriptorWellFormed 

func IsDescriptorWellFormed(d *MixDescriptor, epoch uint64) error

IsDescriptorWellFormed validates the descriptor and returns a descriptive error iff there are any problems that would make it unusable as part of a PKI Document.

func IsDocumentWellFormed 

func IsDocumentWellFormed(d *Document, verifiers []sign.PublicKey) error

IsDocumentWellFormed validates the document and returns a descriptive error iff there are any problems that invalidates the document.

func MultiSignDocument 

func MultiSignDocument(signer sign.PrivateKey, verifier sign.PublicKey, peerSignatures []*cert.Signature, verifiers map[[32]byte]sign.PublicKey, d *Document) ([]byte, error)

MultiSignDocument signs and serializes the document with the provided signing key, adding the signature to the existing signatures.

func SignDescriptor 

func SignDescriptor(signer sign.PrivateKey, verifier sign.PublicKey, desc *MixDescriptor) ([]byte, error)

SignDescriptor signs and serializes the descriptor with the provided signing key.

func SignDocument 

func SignDocument(signer sign.PrivateKey, verifier sign.PublicKey, d *Document) ([]byte, error)

SignDocument signs and serializes the document with the provided signing key.

Types

type Client 

type Client interface {
	// Get returns the PKI document along with the raw serialized form for the provided epoch.
	Get(ctx context.Context, epoch uint64) (*Document, []byte, error)

	// Post posts the node's descriptor to the PKI for the provided epoch.
	Post(ctx context.Context, epoch uint64, signingPrivateKey sign.PrivateKey, signingPublicKey sign.PublicKey, d *MixDescriptor) error

	// Deserialize returns PKI document given the raw bytes.
	Deserialize(raw []byte) (*Document, error)
}

Client is the abstract interface used for PKI interaction.

type Document 

type Document struct {
	// Epoch is the epoch for which this Document instance is valid for.
	Epoch uint64

	// GenesisEpoch is the epoch on which authorities started consensus
	GenesisEpoch uint64

	// SendRatePerMinute is the number of packets per minute a client can send.
	SendRatePerMinute uint64

	// Mu is the inverse of the mean of the exponential distribution
	// that the Sphinx packet per-hop mixing delay will be sampled from.
	Mu float64

	// MuMaxDelay is the maximum Sphinx packet per-hop mixing delay in
	// milliseconds.
	MuMaxDelay uint64

	// LambdaP is the inverse of the mean of the exponential distribution
	// that clients will sample to determine the time interval between sending
	// messages from it's FIFO egress queue or drop decoy messages if the queue
	// is empty.
	LambdaP float64

	// LambdaPMaxDelay is the maximum time interval in milliseconds.
	LambdaPMaxDelay uint64

	// LambdaL is the inverse of the mean of the exponential distribution
	// that clients will sample to determine the time interval between sending
	// decoy loop messages.
	LambdaL float64

	// LambdaLMaxDelay is the maximum time interval in milliseconds.
	LambdaLMaxDelay uint64

	// LambdaD is the inverse of the mean of the exponential distribution
	// that clients will sample to determine the time interval between sending
	// decoy drop messages.
	LambdaD float64

	// LambdaDMaxDelay is the maximum time interval in milliseconds.
	LambdaDMaxDelay uint64

	// LambdaM is the inverse of the mean of the exponential distribution
	// that mixes will sample to determine send timing of mix loop decoy traffic.
	LambdaM float64

	// LambdaMMaxDelay is the maximum send interval in milliseconds.
	LambdaMMaxDelay uint64

	// Topology is the mix network topology, excluding providers.
	Topology [][]*MixDescriptor

	// Providers is the list of providers that can interact with the mix
	// network.
	Providers []*MixDescriptor

	// Signatures holds detached Signatures from deserializing a signed Document
	Signatures map[[PublicKeyHashSize]byte]cert.Signature `cbor:"-"`

	// SharedRandomCommit used by the voting process.
	SharedRandomCommit map[[PublicKeyHashSize]byte][]byte

	// SharedRandomReveal used by the voting process.
	SharedRandomReveal map[[PublicKeyHashSize]byte][]byte

	// SharedRandomValue produced by voting process.
	SharedRandomValue []byte

	// PriorSharedRandom used by applications that need a longer lived SRV.
	PriorSharedRandom [][]byte

	// SphinxGeometryHash is used to ensure all mixnet actors have the same
	// Sphinx Geometry.
	SphinxGeometryHash []byte

	// Version uniquely identifies the document format as being for the
	// specified version so that it can be rejected if the format changes.
	Version string
}

Document is a PKI document.

func FromPayload 

func FromPayload(verifier sign.PublicKey, payload []byte) (*Document, error)

FromPayload deserializes, then verifies a Document, and returns the Document or error.

func ParseDocument 

func ParseDocument(b []byte) (*Document, error)

ParseDocument deserializes the document.

func (*Document) AddSignature 

func (d *Document) AddSignature(verifier sign.PublicKey, signature cert.Signature) error

AddSignature will add a Signature over this Document if it is signed by verifier.

func (*Document) GetMix 

func (d *Document) GetMix(name string) (*MixDescriptor, error)

GetMix returns the MixDescriptor for the given mix Name.

func (*Document) GetMixByKeyHash 

func (d *Document) GetMixByKeyHash(keyhash *[32]byte) (*MixDescriptor, error)

GetMixByKey returns the specific mix descriptor corresponding to the specified IdentityKey hash.

func (*Document) GetMixLayer 

func (d *Document) GetMixLayer(keyhash *[32]byte) (uint8, error)

GetMixLayer returns the assigned layer for the given mix from Topology

func (*Document) GetMixesInLayer 

func (d *Document) GetMixesInLayer(layer uint8) ([]*MixDescriptor, error)

GetMixesInLayer returns all the mix descriptors for a given layer.

func (*Document) GetNode 

func (d *Document) GetNode(name string) (*MixDescriptor, error)

GetNode returns the specific descriptor corresponding to the specified node Name.

func (*Document) GetNodeByKeyHash 

func (d *Document) GetNodeByKeyHash(keyhash *[32]byte) (*MixDescriptor, error)

GetNodeByKeyHash returns the specific descriptor corresponding to the specified IdentityKey hash.

func (*Document) GetProvider 

func (d *Document) GetProvider(name string) (*MixDescriptor, error)

GetProvider returns the MixDescriptor for the given provider Name.

func (*Document) GetProviderByKeyHash 

func (d *Document) GetProviderByKeyHash(keyhash *[32]byte) (*MixDescriptor, error)

GetProviderByKeyHash returns the specific provider descriptor corresponding to the specified IdentityKey hash.

func (*Document) MarshalBinary 

func (d *Document) MarshalBinary() ([]byte, error)

MarshalBinary implements encoding.BinaryMarshaler interface and wraps a Document with a cert.Certificate

func (*Document) String 

func (d *Document) String() string

String returns a string representation of a Document.

func (*Document) Sum256 

func (d *Document) Sum256() [32]byte

func (*Document) UnmarshalBinary 

func (d *Document) UnmarshalBinary(data []byte) error

UnmarshalBinary implements encoding.BinaryUnmarshaler interface and populates Document with detached Signatures

type MixDescriptor 

type MixDescriptor struct {
	// Name is the human readable (descriptive) node identifier.
	Name string

	// Epoch is the Epoch in which this descriptor was created
	Epoch uint64

	// IdentityKey is the node's identity (signing) key.
	IdentityKey []byte

	// Signature is the raw cert.Signature over the serialized MixDescriptor
	Signature *cert.Signature `cbor:"-"`

	// LinkKey is the node's wire protocol public key.
	LinkKey []byte

	// MixKeys is a map of epochs to Sphinx keys.
	MixKeys map[uint64][]byte

	// Addresses is the map of transport to address combinations that can
	// be used to reach the node.
	Addresses map[Transport][]string

	// Kaetzchen is the map of provider autoresponder agents by capability
	// to parameters.
	Kaetzchen map[string]map[string]interface{} `cbor:"omitempty"`

	// Provider indicates that this Mix is a Provider
	Provider bool

	// LoadWeight is the node's load balancing weight (unused).
	LoadWeight uint8

	// AuthenticationType is the authentication mechanism required
	AuthenticationType string

	// Version uniquely identifies the descriptor format as being for the
	// specified version so that it can be rejected if the format changes.
	Version string
}

MixDescriptor is a description of a given Mix or Provider (node).

func VerifyDescriptor 

func VerifyDescriptor(rawDesc []byte) (*MixDescriptor, error)

VerifyDescriptor parses a self-signed MixDescriptor and returns an instance of MixDescriptor or error

func (*MixDescriptor) MarshalBinary 

func (d *MixDescriptor) MarshalBinary() ([]byte, error)

MarshalBinary implmements encoding.BinaryMarshaler

func (*MixDescriptor) String 

func (d *MixDescriptor) String() string

String returns a human readable MixDescriptor suitable for terse logging.

func (*MixDescriptor) UnmarshalBinary 

func (d *MixDescriptor) UnmarshalBinary(data []byte) error

UnmarshalBinary implements encoding.BinaryUnmarshaler interface

func (*MixDescriptor) UnmarshalMixKeyAsKEM 

func (d *MixDescriptor) UnmarshalMixKeyAsKEM(epoch uint64, g *geo.Geometry) (kem.PublicKey, error)

func (*MixDescriptor) UnmarshalMixKeyAsNike 

func (d *MixDescriptor) UnmarshalMixKeyAsNike(epoch uint64, g *geo.Geometry) (nike.PublicKey, error)

type SharedRandom 

type SharedRandom struct {
	// contains filtered or unexported fields
}

SharedRandom is a container for commit-and-reveal protocol messages

func (*SharedRandom) Commit 

func (s *SharedRandom) Commit(epoch uint64) ([]byte, error)

Commit produces a SharedRandom commit value for the given epoch

func (*SharedRandom) GetCommit 

func (s *SharedRandom) GetCommit() []byte

GetCommit returns the commit value

func (*SharedRandom) GetEpoch 

func (s *SharedRandom) GetEpoch() uint64

GetEpoch returns the epoch value

func (*SharedRandom) Reveal 

func (s *SharedRandom) Reveal() []byte

Reveal returns the reveal value

func (*SharedRandom) SetCommit 

func (s *SharedRandom) SetCommit(rawCommit []byte)

SetCommit sets the commit value

func (*SharedRandom) Verify 

func (s *SharedRandom) Verify(reveal []byte) bool

Verify checks that the reveal value verifies the commit value

type Transport 

type Transport string

Transport is a link transport protocol. 

var (
	// TransportInvalid is the invalid transport.
	TransportInvalid Transport

	// TransportTCP is TCP, with the IP version determined by the results of
	// a name server lookup.
	TransportTCP Transport = "tcp"

	// TransportTCPv4 is TCP over IPv4.
	TransportTCPv4 Transport = "tcp4"

	// TransportTCPv6 is TCP over IPv6.
	TransportTCPv6 Transport = "tcp6"

	// InternalTransports is the list of transports used for non-client related
	// communications.
	InternalTransports = []Transport{TransportTCPv4, TransportTCPv6}

	// ClientTransports is the list of transports used by default for client
	// to provider communication.
	ClientTransports = []Transport{TransportTCP, TransportTCPv4, TransportTCPv6}
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.