README
¶
Key Transparency
Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.
Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.
Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.
Key Transparency Client
Setup
- Install Go 1.9.
go get -u github.com/google/keytransparency/cmd/keytransparency-client- Get an OAuth client ID and download the generated JSON file to
client_secret.json.
Client operations
Publish a public key
keytransparency-client authorized-keys --help
keytransparency-client authorized-keys add --generate --type=ecdsa --activate
keytransparency-client post user@domain.com app1 --client-secret=client_secret.json --insecure -d 'dGVzdA==' #Base64
Get and verify a public key
keytransparency-client get <email> <app> --insecure --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >
Verify key history
keytransparency-client history <email> --insecure
Epoch |Timestamp |Profile
4 |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >
Running the server
Install
- OpenSSL
- Docker
- Docker Engine 1.13.0+
docker version -f '{{.Server.APIVersion}}' - Docker Compose 1.11.0+
docker-compose --version
- Docker Engine 1.13.0+
go get -u github.com/google/keytransparency/...go get -u github.com/google/trillian/..../scripts/prepare_server.sh -f
Run
- Run Key Transparency
$ docker-compose up -d
Creating keytransparency_db_1 ... done
Creating keytransparency_map_server_1 ... done
Creating keytransparency_log_server_1 ... done
Creating keytransparency_log_server_1 ... done
Creating keytransparency_server_1 ... done
Creating keytransparency_sequencer_1 ... done
Creating keytransparency_monitor_1 ... done
Creating keytransparency_init_1 ... done
Creating keytransparency_prometheus_1 ... done
Creating keytransparency_monitor_1 ... done
- Watch it Run
docker-compose logs --tail=0 --follow- Proof for app1/foo@bar.com
- Server configuration info
- Prometheus graphs
Development and Testing
Key Transparency and its Trillian backend use a MySQL database, which must be setup in order for the Key Transparency tests to work.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
keytransparency-delegate
Package main is a delegate server that can be used to (a) create user accounts.
|
Package main is a delegate server that can be used to (a) create user accounts. |
|
core
|
|
|
adminserver
Package adminserver contains the KeyTransparencyAdmin implementation
|
Package adminserver contains the KeyTransparencyAdmin implementation |
|
api/monitor/v1/monitor_proto
Package monitor_proto is a generated protocol buffer package.
|
Package monitor_proto is a generated protocol buffer package. |
|
api/type/type_proto
Package type_proto is a generated protocol buffer package.
|
Package type_proto is a generated protocol buffer package. |
|
api/usermanager/v1/usermanager_proto
Package usermanager_proto is a generated protocol buffer package.
|
Package usermanager_proto is a generated protocol buffer package. |
|
api/v1/keytransparency_proto
Package keytransparency_proto is a reverse proxy.
|
Package keytransparency_proto is a reverse proxy. |
|
authentication
Package authentication implements authentication mechanisms.
|
Package authentication implements authentication mechanisms. |
|
authorization
Package authorization defines the authorization interface of Key Transparency.
|
Package authorization defines the authorization interface of Key Transparency. |
|
client/gobindclient
Package gobindclient contains a gobind friendly implementation of a KeyTransparency Client able to make GetEntry requests to a KT server and verify the soundness of the responses.
|
Package gobindclient contains a gobind friendly implementation of a KeyTransparency Client able to make GetEntry requests to a KT server and verify the soundness of the responses. |
|
client/grpcc
Package grpcc is a client for communicating with the Key Server.
|
Package grpcc is a client for communicating with the Key Server. |
|
client/kt
Package kt holds Key Transparency message generation and verification routines.
|
Package kt holds Key Transparency message generation and verification routines. |
|
client/multi
Package multi contains utilities for multiplexing io operations.
|
Package multi contains utilities for multiplexing io operations. |
|
crypto/commitments
Package commitments implements a cryptographic commitment.
|
Package commitments implements a cryptographic commitment. |
|
crypto/dev
Package dev provides pseudo dev/* readers and writers.
|
Package dev provides pseudo dev/* readers and writers. |
|
crypto/keymaster
Package keymaster supports the concept of keysets.
|
Package keymaster supports the concept of keysets. |
|
crypto/signatures
Package signatures signs and verifies data.
|
Package signatures signs and verifies data. |
|
crypto/signatures/rsa
Package rsa implements signature generation and verification using RSA.
|
Package rsa implements signature generation and verification using RSA. |
|
crypto/vrf
Package vrf defines the interface to a verifiable random function.
|
Package vrf defines the interface to a verifiable random function. |
|
crypto/vrf/p256
Package p256 implements a verifiable random function using curve p256.
|
Package p256 implements a verifiable random function using curve p256. |
|
domain
Package domain stores multi-tenancy configuration information.
|
Package domain stores multi-tenancy configuration information. |
|
fake
Package fake holds fake implementations of various services for tests.
|
Package fake holds fake implementations of various services for tests. |
|
internal
Package internal gathers helpers used by code in ./core/...
|
Package internal gathers helpers used by code in ./core/... |
|
keyserver
Package keyserver implements a transparent key server for End to End.
|
Package keyserver implements a transparent key server for End to End. |
|
managementserver
Package managementserver implements the user manager APIs
|
Package managementserver implements the user manager APIs |
|
monitor
Package monitor implements the monitor service.
|
Package monitor implements the monitor service. |
|
monitorserver
Package monitorserver contains an implementation of a Monitor server which can be queried for monitoring results.
|
Package monitorserver contains an implementation of a Monitor server which can be queried for monitoring results. |
|
monitorstorage
Package monitorstorage holds data produced by the monitor
|
Package monitorstorage holds data produced by the monitor |
|
mutator
Package mutator defines the operations to transform mutations into changes in the map as well as operations to write and read mutations to and from the database.
|
Package mutator defines the operations to transform mutations into changes in the map as well as operations to write and read mutations to and from the database. |
|
mutator/entry
Package entry implements a simple replacement strategy as a mapper.
|
Package entry implements a simple replacement strategy as a mapper. |
|
sequencer
Package sequencer reads mutations and applies them to the Trillian Map.
|
Package sequencer reads mutations and applies them to the Trillian Map. |
|
storage
Package storage defines storage interfaces.
|
Package storage defines storage interfaces. |
|
deploy
|
|
|
impl
|
|
|
authorization
Package authorization contains the authorization module implementation.
|
Package authorization contains the authorization module implementation. |
|
authorization/authz_proto
Package authz_proto is a generated protocol buffer package.
|
Package authz_proto is a generated protocol buffer package. |
|
config
Package config has utilities for loading configuration files from disk.
|
Package config has utilities for loading configuration files from disk. |
|
sql/domain
Package domain implements the domain.Storage interface.
|
Package domain implements the domain.Storage interface. |
|
sql/keysets
Package keysets implements the storage.KeySets interface.
|
Package keysets implements the storage.KeySets interface. |
|
sql/mutationstorage
Package mutationstorage defines operations to write and read mutations to and from the database.
|
Package mutationstorage defines operations to write and read mutations to and from the database. |
|
sql/testutil
Package testutil contains test supporting functionality for 'impl/sql/...'.
|
Package testutil contains test supporting functionality for 'impl/sql/...'. |
Click to show internal directories.
Click to hide internal directories.