Documentation ¶
Overview ¶
Package ct holds core types and utilities for Certificate Transparency.
Index ¶
- Constants
- func IsPreIssuer(issuer *x509.Certificate) bool
- func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
- func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
- type ASN1Cert
- type AddChainRequest
- type AddChainResponse
- type AddJSONRequest
- type AuditPath
- type CTExtensions
- type CertificateChain
- type CertificateTimestamp
- type ConsistencyProof
- type DigitallySigned
- type GetEntriesResponse
- type GetEntryAndProofResponse
- type GetProofByHashResponse
- type GetRootsResponse
- type GetSTHConsistencyResponse
- type GetSTHResponse
- type JSONDataEntry
- type LeafEntry
- type LeafInput
- type LogEntry
- type LogEntryType
- type LogID
- type MerkleLeafType
- type MerkleTreeLeaf
- func CreateJSONMerkleTreeLeaf(data interface{}, timestamp uint64) *MerkleTreeLeaf
- func CreateX509MerkleTreeLeaf(cert ASN1Cert, timestamp uint64) *MerkleTreeLeaf
- func MerkleTreeLeafFromChain(chain []*x509.Certificate, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
- func MerkleTreeLeafFromRawChain(rawChain []ASN1Cert, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
- type MerkleTreeNode
- type PreCert
- type PrecertChainEntry
- type Precertificate
- type SHA256Hash
- type SignatureType
- type SignatureVerifier
- type SignedCertificateTimestamp
- type SignedTreeHead
- type TimestampedEntry
- type TreeHeadSignature
- type Version
Constants ¶
const ( AddChainPath = "/ct/v1/add-chain" AddPreChainPath = "/ct/v1/add-pre-chain" GetSTHPath = "/ct/v1/get-sth" GetEntriesPath = "/ct/v1/get-entries" GetProofByHashPath = "/ct/v1/get-proof-by-hash" GetSTHConsistencyPath = "/ct/v1/get-sth-consistency" GetRootsPath = "/ct/v1/get-roots" GetEntryAndProofPath = "/ct/v1/get-entry-and-proof" AddJSONPath = "/ct/v1/add-json" // Experimental addition )
URI paths for Log requests; see section 4.
Variables ¶
This section is empty.
Functions ¶
func IsPreIssuer ¶
func IsPreIssuer(issuer *x509.Certificate) bool
IsPreIssuer indicates whether a certificate is a pre-cert issuer with the specific certificate transparency extended key usage.
func SerializeSCTSignatureInput ¶
func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)
SerializeSCTSignatureInput serializes the passed in sct and log entry into the correct format for signing.
func SerializeSTHSignatureInput ¶
func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)
SerializeSTHSignatureInput serializes the passed in STH into the correct format for signing.
Types ¶
type ASN1Cert ¶
type ASN1Cert struct {
Data []byte `tls:"minlen:1,maxlen:16777215"`
}
ASN1Cert type for holding the raw DER bytes of an ASN.1 Certificate (section 3.1).
type AddChainRequest ¶
type AddChainRequest struct {
Chain [][]byte `json:"chain"`
}
AddChainRequest represents the JSON request body sent to the add-chain and add-pre-chain POST methods from sections 4.1 and 4.2.
type AddChainResponse ¶
type AddChainResponse struct { SCTVersion Version `json:"sct_version"` // SCT structure version ID []byte `json:"id"` // Log ID Timestamp uint64 `json:"timestamp"` // Timestamp of issuance Extensions string `json:"extensions"` // Holder for any CT extensions Signature []byte `json:"signature"` // Log signature for this SCT }
AddChainResponse represents the JSON response to the add-chain and add-pre-chain POST methods. An SCT represents a Log's promise to integrate a [pre-]certificate into the log within a defined period of time.
type AddJSONRequest ¶
type AddJSONRequest struct {
Data interface{} `json:"data"`
}
AddJSONRequest represents the JSON request body sent to the add-json POST method. The corresponding response re-uses AddChainResponse. This is an experimental addition not covered by RFC6962.
type AuditPath ¶
type AuditPath []MerkleTreeNode
AuditPath represents a CT inclusion proof (see sections 2.1.1 and 4.5).
type CTExtensions ¶
type CTExtensions []byte // tls:"minlen:0,maxlen:65535"`
CTExtensions is a representation of the raw bytes of any CtExtension structure (see section 3.2). nolint: golint
type CertificateChain ¶
type CertificateChain struct {
Entries []ASN1Cert `tls:"minlen:0,maxlen:16777215"`
}
CertificateChain holds a chain of certificates, as returned as extra data for get-entries (section 4.6).
type CertificateTimestamp ¶
type CertificateTimestamp struct { SCTVersion Version `tls:"maxval:255"` SignatureType SignatureType `tls:"maxval:255"` Timestamp uint64 EntryType LogEntryType `tls:"maxval:65535"` X509Entry *ASN1Cert `tls:"selector:EntryType,val:0"` PrecertEntry *PreCert `tls:"selector:EntryType,val:1"` JSONEntry *JSONDataEntry `tls:"selector:EntryType,val:32768"` Extensions CTExtensions `tls:"minlen:0,maxlen:65535"` }
CertificateTimestamp is the collection of data that the signature in an SCT is over; see section 3.2.
type ConsistencyProof ¶
type ConsistencyProof []MerkleTreeNode
ConsistencyProof represents a CT consistency proof (see sections 2.1.2 and 4.4).
type DigitallySigned ¶
type DigitallySigned tls.DigitallySigned
DigitallySigned is a local alias for tls.DigitallySigned so that we can attach a MarshalJSON method.
func (DigitallySigned) Base64String ¶
func (d DigitallySigned) Base64String() (string, error)
Base64String returns the base64 representation of the DigitallySigned struct.
func (*DigitallySigned) FromBase64String ¶
func (d *DigitallySigned) FromBase64String(b64 string) error
FromBase64String populates the DigitallySigned structure from the base64 data passed in. Returns an error if the base64 data is invalid.
func (DigitallySigned) MarshalJSON ¶
func (d DigitallySigned) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaller interface.
func (*DigitallySigned) UnmarshalJSON ¶
func (d *DigitallySigned) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type GetEntriesResponse ¶
type GetEntriesResponse struct {
Entries []LeafEntry `json:"entries"` // the list of returned entries
}
GetEntriesResponse respresents the JSON response to the get-entries GET method from section 4.6.
type GetEntryAndProofResponse ¶
type GetEntryAndProofResponse struct { LeafInput []byte `json:"leaf_input"` // the entry itself ExtraData []byte `json:"extra_data"` // any chain provided when the entry was added to the log AuditPath [][]byte `json:"audit_path"` // the corresponding proof }
GetEntryAndProofResponse represents the JSON response to the get-entry-and-proof GET method from section 4.8. (The corresponding GET request has parameters 'leaf_index' and 'tree_size'.)
type GetProofByHashResponse ¶
type GetProofByHashResponse struct { LeafIndex int64 `json:"leaf_index"` // The 0-based index of the end entity corresponding to the "hash" parameter. AuditPath [][]byte `json:"audit_path"` // An array of base64-encoded Merkle Tree nodes proving the inclusion of the chosen certificate. }
GetProofByHashResponse represents the JSON response to the get-proof-by-hash GET method from section 4.5. (The corresponding GET request has parameters 'hash' and 'tree_size'.)
type GetRootsResponse ¶
type GetRootsResponse struct {
Certificates []string `json:"certificates"`
}
GetRootsResponse represents the JSON response to the get-roots GET method from section 4.7.
type GetSTHConsistencyResponse ¶
type GetSTHConsistencyResponse struct {
Consistency [][]byte `json:"consistency"`
}
GetSTHConsistencyResponse represents the JSON response to the get-sth-consistency GET method from section 4.4. (The corresponding GET request has parameters 'first' and 'second'.)
type GetSTHResponse ¶
type GetSTHResponse struct { TreeSize uint64 `json:"tree_size"` // Number of certs in the current tree Timestamp uint64 `json:"timestamp"` // Time that the tree was created SHA256RootHash []byte `json:"sha256_root_hash"` // Root hash of the tree TreeHeadSignature []byte `json:"tree_head_signature"` // Log signature for this STH }
GetSTHResponse respresents the JSON response to the get-sth GET method from section 4.3.
type JSONDataEntry ¶
type JSONDataEntry struct {
Data []byte `tls:"minlen:0,maxlen:1677215"`
}
JSONDataEntry holds arbitrary data.
type LeafEntry ¶
type LeafEntry struct { // LeafInput is a TLS-encoded MerkleTreeLeaf LeafInput []byte `json:"leaf_input"` // ExtraData holds (unsigned) extra data, normally the cert validation chain. ExtraData []byte `json:"extra_data"` }
LeafEntry represents a leaf in the Log's Merkle tree, as returned by the get-entries GET method from section 4.6.
type LogEntry ¶
type LogEntry struct { Index int64 Leaf MerkleTreeLeaf // Exactly one of the following three fields should be non-empty. X509Cert *x509.Certificate // Parsed X.509 certificate Precert *Precertificate // Extracted precertificate JSONData []byte // Chain holds the issuing certificate chain, starting with the // issuer of the leaf certificate / pre-certificate. Chain []ASN1Cert }
LogEntry represents the (parsed) contents of an entry in a CT log. This is described in section 3.1, but note that this structure does *not* match the TLS structure defined there (the TLS structure is never used directly in RFC6962).
func LogEntryFromLeaf ¶
LogEntryFromLeaf converts a LeafEntry object (which has the raw leaf data after JSON parsing) into a LogEntry object (which includes x509.Certificate objects, after TLS and ASN.1 parsing). Note that this function may return a valid LogEntry object and a non-nil error value, when the error indicates a non-fatal parsing error (of type x509.NonFatalErrors).
type LogEntryType ¶
LogEntryType represents the LogEntryType enum from section 3.1:
enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
const ( X509LogEntryType LogEntryType = 0 PrecertLogEntryType LogEntryType = 1 XJSONLogEntryType LogEntryType = 0x8000 // Experimental. Don't rely on this! )
LogEntryType constants from section 3.1.
func (LogEntryType) String ¶
func (e LogEntryType) String() string
type LogID ¶
LogID holds the hash of the Log's public key (section 3.2). TODO(pphaneuf): Users should be migrated to the one in the logid package.
type MerkleLeafType ¶
MerkleLeafType represents the MerkleLeafType enum from section 3.4:
enum { timestamped_entry(0), (255) } MerkleLeafType;
const TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
TimestampedEntryLeafType is the only defined MerkleLeafType constant from section 3.4.
func (MerkleLeafType) String ¶
func (m MerkleLeafType) String() string
type MerkleTreeLeaf ¶
type MerkleTreeLeaf struct { Version Version `tls:"maxval:255"` LeafType MerkleLeafType `tls:"maxval:255"` TimestampedEntry *TimestampedEntry `tls:"selector:LeafType,val:0"` }
MerkleTreeLeaf represents the deserialized structure of the hash input for the leaves of a log's Merkle tree; see section 3.4.
func CreateJSONMerkleTreeLeaf ¶
func CreateJSONMerkleTreeLeaf(data interface{}, timestamp uint64) *MerkleTreeLeaf
CreateJSONMerkleTreeLeaf creates the merkle tree leaf for json data.
func CreateX509MerkleTreeLeaf ¶
func CreateX509MerkleTreeLeaf(cert ASN1Cert, timestamp uint64) *MerkleTreeLeaf
CreateX509MerkleTreeLeaf generates a MerkleTreeLeaf for an X509 cert
func MerkleTreeLeafFromChain ¶
func MerkleTreeLeafFromChain(chain []*x509.Certificate, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
MerkleTreeLeafFromChain generates a MerkleTreeLeaf from a chain and timestamp.
func MerkleTreeLeafFromRawChain ¶
func MerkleTreeLeafFromRawChain(rawChain []ASN1Cert, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error)
MerkleTreeLeafFromRawChain generates a MerkleTreeLeaf from a chain (in DER-encoded form) and timestamp.
func (*MerkleTreeLeaf) Precertificate ¶
func (m *MerkleTreeLeaf) Precertificate() (*x509.Certificate, error)
Precertificate returns the X.509 Precertificate contained within the MerkleTreeLeaf.
The returned precertificate is embedded in an x509.Certificate, but is in the form stored internally in the log rather than the original submitted form (i.e. it does not include the poison extension and any changes to reflect the final certificate's issuer have been made; see x509.BuildPrecertTBS).
func (*MerkleTreeLeaf) X509Certificate ¶
func (m *MerkleTreeLeaf) X509Certificate() (*x509.Certificate, error)
X509Certificate returns the X.509 Certificate contained within the MerkleTreeLeaf.
type MerkleTreeNode ¶
type MerkleTreeNode []byte
MerkleTreeNode represents an internal node in the CT tree.
type PreCert ¶
type PreCert struct { IssuerKeyHash [sha256.Size]byte TBSCertificate []byte `tls:"minlen:1,maxlen:16777215"` // DER-encoded TBSCertificate }
PreCert represents a Precertificate (section 3.2).
type PrecertChainEntry ¶
type PrecertChainEntry struct { PreCertificate ASN1Cert `tls:"minlen:1,maxlen:16777215"` CertificateChain []ASN1Cert `tls:"minlen:0,maxlen:16777215"` }
PrecertChainEntry holds an precertificate together with a validation chain for it; see section 3.1.
type Precertificate ¶
type Precertificate struct { // DER-encoded pre-certificate as originally added, which includes a // poison extension and a signature generated over the pre-cert by // the pre-cert issuer (which might differ from the issuer of the final // cert, see RFC6962 s3.1). Submitted ASN1Cert // SHA256 hash of the issuing key IssuerKeyHash [sha256.Size]byte // Parsed TBSCertificate structure, held in an x509.Certificate for convenience. TBSCertificate *x509.Certificate }
Precertificate represents the parsed CT Precertificate structure.
type SHA256Hash ¶
SHA256Hash represents the output from the SHA256 hash function.
func PublicKeyFromPEM ¶
PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
func (SHA256Hash) Base64String ¶
func (s SHA256Hash) Base64String() string
Base64String returns the base64 representation of this SHA256Hash.
func (*SHA256Hash) FromBase64String ¶
func (s *SHA256Hash) FromBase64String(b64 string) error
FromBase64String populates the SHA256 struct with the contents of the base64 data passed in.
func (SHA256Hash) MarshalJSON ¶
func (s SHA256Hash) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaller interface for SHA256Hash.
func (*SHA256Hash) UnmarshalJSON ¶
func (s *SHA256Hash) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaller interface.
type SignatureType ¶
SignatureType differentiates STH signatures from SCT signatures, see section 3.2.
enum { certificate_timestamp(0), tree_hash(1), (255) } SignatureType;
const ( CertificateTimestampSignatureType SignatureType = 0 TreeHashSignatureType SignatureType = 1 )
SignatureType constants from section 3.2.
func (SignatureType) String ¶
func (st SignatureType) String() string
type SignatureVerifier ¶
type SignatureVerifier struct {
// contains filtered or unexported fields
}
SignatureVerifier can verify signatures on SCTs and STHs
func NewSignatureVerifier ¶
func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error)
NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.
func (SignatureVerifier) VerifySCTSignature ¶
func (s SignatureVerifier) VerifySCTSignature(sct SignedCertificateTimestamp, entry LogEntry) error
VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry.
func (SignatureVerifier) VerifySTHSignature ¶
func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error
VerifySTHSignature verifies that the STH's signature is valid.
func (SignatureVerifier) VerifySignature ¶
func (s SignatureVerifier) VerifySignature(data []byte, sig tls.DigitallySigned) error
VerifySignature verifies the given signature sig matches the data.
type SignedCertificateTimestamp ¶
type SignedCertificateTimestamp struct { SCTVersion Version `tls:"maxval:255"` LogID LogID Timestamp uint64 Extensions CTExtensions `tls:"minlen:0,maxlen:65535"` Signature DigitallySigned // Signature over TLS-encoded CertificateTimestamp }
SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding; see sections 3.2, 4.1 and 4.2.
func (SignedCertificateTimestamp) String ¶
func (s SignedCertificateTimestamp) String() string
type SignedTreeHead ¶
type SignedTreeHead struct { Version Version `json:"sth_version"` // The version of the protocol to which the STH conforms TreeSize uint64 `json:"tree_size"` // The number of entries in the new tree Timestamp uint64 `json:"timestamp"` // The time at which the STH was created SHA256RootHash SHA256Hash `json:"sha256_root_hash"` // The root hash of the log's Merkle tree TreeHeadSignature DigitallySigned `json:"tree_head_signature"` // Log's signature over a TLS-encoded TreeHeadSignature LogID SHA256Hash `json:"log_id"` // The SHA256 hash of the log's public key }
SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding; see sections 3.5 and 4.3.
type TimestampedEntry ¶
type TimestampedEntry struct { Timestamp uint64 EntryType LogEntryType `tls:"maxval:65535"` X509Entry *ASN1Cert `tls:"selector:EntryType,val:0"` PrecertEntry *PreCert `tls:"selector:EntryType,val:1"` JSONEntry *JSONDataEntry `tls:"selector:EntryType,val:32768"` Extensions CTExtensions `tls:"minlen:0,maxlen:65535"` }
TimestampedEntry is part of the MerkleTreeLeaf structure; see section 3.4.
type TreeHeadSignature ¶
type TreeHeadSignature struct { Version Version `tls:"maxval:255"` SignatureType SignatureType `tls:"maxval:255"` // == TreeHashSignatureType Timestamp uint64 TreeSize uint64 SHA256RootHash SHA256Hash }
TreeHeadSignature holds the data over which the signature in an STH is generated; see section 3.5
Directories ¶
Path | Synopsis |
---|---|
Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
|
Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690. |
Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
|
Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances. |
configpb
Package configpb is a generated protocol buffer package.
|
Package configpb is a generated protocol buffer package. |
ctclient
ctclient is a command-line utility for interacting with CT logs.
|
ctclient is a command-line utility for interacting with CT logs. |
Package fixchain holds code to help fix the validation chains for certificates.
|
Package fixchain holds code to help fix the validation chains for certificates. |
chainfix
chainfix is a utility program for fixing the validation chains for certificates.
|
chainfix is a utility program for fixing the validation chains for certificates. |
ratelimiter
Package ratelimiter provides an exceedingly simple rate limiter.
|
Package ratelimiter provides an exceedingly simple rate limiter. |
Package gossip holds code for spreading CT log information via a gossip protocol.
|
Package gossip holds code for spreading CT log information via a gossip protocol. |
ingestor
|
|
ranges
Package ranges provides tools to track the completeness of a range composed of a number of sub-ranges which may be added in any order.
|
Package ranges provides tools to track the completeness of a range composed of a number of sub-ranges which may be added in any order. |
Package logid provides a type and accompanying helpers for manipulating log IDs.
|
Package logid provides a type and accompanying helpers for manipulating log IDs. |
Package merkletree holds code to manipulate Merkle trees.
|
Package merkletree holds code to manipulate Merkle trees. |
Package preload holds code for adding batches of certificates to CT logs.
|
Package preload holds code for adding batches of certificates to CT logs. |
Package scanner holds code for iterating through the contents of a CT log.
|
Package scanner holds code for iterating through the contents of a CT log. |
Package tls implements functionality for dealing with TLS-encoded data, as defined in RFC 5246.
|
Package tls implements functionality for dealing with TLS-encoded data, as defined in RFC 5246. |
trillian
|
|
ctfe
Package ctfe contains a usage example by providing an implementation of an RFC6962 compatible CT log server using a Trillian log server as backend storage via its GRPC API.
|
Package ctfe contains a usage example by providing an implementation of an RFC6962 compatible CT log server using a Trillian log server as backend storage via its GRPC API. |
ctfe/configpb
Package configpb is a generated protocol buffer package.
|
Package configpb is a generated protocol buffer package. |
ctfe/ct_server
The ct_server binary runs the CT personality.
|
The ct_server binary runs the CT personality. |
ctfe/testonly
Package testonly contains code and data that should only be used by tests.
|
Package testonly contains code and data that should only be used by tests. |
integration
Package integration holds test-only code for running tests on an integrated system of the CT personality and a Trillian log.
|
Package integration holds test-only code for running tests on an integrated system of the CT personality and a Trillian log. |
integration/ct_hammer
ct_hammer is a stress/load test for a CT log.
|
ct_hammer is a stress/load test for a CT log. |
mockclient
Package mockclient provides a mockable version of the Trillian log client API.
|
Package mockclient provides a mockable version of the Trillian log client API. |
util
Package util provides general utility functions for the CT personality.
|
Package util provides general utility functions for the CT personality. |
Package x509 parses X.509-encoded keys and certificates.
|
Package x509 parses X.509-encoded keys and certificates. |
pkix
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
|
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP. |
Package x509util includes utility code for working with X.509 certificates from the x509 package.
|
Package x509util includes utility code for working with X.509 certificates from the x509 package. |
certcheck
certcheck is a utility to show and check the contents of certificates.
|
certcheck is a utility to show and check the contents of certificates. |
crlcheck
crlcheck is a utility to show and check the contents of certificate revocation lists (CRLs).
|
crlcheck is a utility to show and check the contents of certificate revocation lists (CRLs). |