trustmanager

package
Published: Apr 19, 2016 License: Apache-2.0 Imports: 26 Imported by: 0


Constants

This section is empty.

Variables

var (
	// ErrPathOutsideStore indicates that the returned path would be
	// outside the store. Storage implementations clean a caller-supplied file
	// name and make it absolute against the store's base directory (see the
	// Storage interface); this error reports a name that would resolve
	// outside that directory.
	ErrPathOutsideStore = errors.New("path outside file store")
)

Functions

func CertChainToPEM added in v0.3.0

func CertChainToPEM(certChain []*x509.Certificate) ([]byte, error)

CertChainToPEM is a utility function that returns a PEM encoded chain of x509 Certificates, in the order they are passed.

func CertToKey

func CertToKey(cert *x509.Certificate) data.PublicKey

CertToKey transforms a single input certificate into its corresponding PublicKey

func CertToPEM

func CertToPEM(cert *x509.Certificate) []byte

CertToPEM is a utility function that returns a PEM encoded x509 Certificate.

func CertsToKeys

func CertsToKeys(leafCerts []*x509.Certificate, intCerts map[string][]*x509.Certificate) map[string]data.PublicKey

CertsToKeys transforms each of the input certificate chains into its corresponding PublicKey

func ECDSAToPrivateKey

func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error)

ECDSAToPrivateKey converts an ecdsa.Private key to a TUF data.PrivateKey type

func ED25519ToPrivateKey

func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error)

ED25519ToPrivateKey converts a serialized ED25519 key to a TUF data.PrivateKey type

func EncryptPrivateKey

func EncryptPrivateKey(key data.PrivateKey, role, passphrase string) ([]byte, error)

EncryptPrivateKey returns an encrypted PEM key given a Privatekey and a passphrase

func FilterCertsExpiredSha1

func FilterCertsExpiredSha1(cert *x509.Certificate) bool

FilterCertsExpiredSha1 can be used as the filter function for cert store initializers to filter out all expired or SHA-1 certificates that we shouldn't load.

func FingerprintCert

func FingerprintCert(cert *x509.Certificate) (string, error)

FingerprintCert returns a TUF compliant fingerprint for a X509 Certificate

func GenerateECDSAKey

func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error)

GenerateECDSAKey generates an ECDSA Private key and returns a TUF PrivateKey

func GenerateED25519Key

func GenerateED25519Key(random io.Reader) (data.PrivateKey, error)

GenerateED25519Key generates an ED25519 private key and returns a TUF PrivateKey. The serialization format we use is just the public key bytes followed by the private key bytes

func GenerateRSAKey

func GenerateRSAKey(random io.Reader, bits int) (data.PrivateKey, error)

GenerateRSAKey generates an RSA private key and returns a TUF PrivateKey

func GetCertFromURL

func GetCertFromURL(urlStr string) (*x509.Certificate, error)

GetCertFromURL tries to get an X509 certificate given an HTTPS URL.

func GetIntermediateCerts

func GetIntermediateCerts(certs []*x509.Certificate) []*x509.Certificate

GetIntermediateCerts parses a list of x509 Certificates and returns all of the ones marked as a CA, to be used as intermediates

func GetLeafCerts

func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate

GetLeafCerts parses a list of x509 Certificates and returns all of them that aren't CA

func GetPasswdDecryptBytes

func GetPasswdDecryptBytes(passphraseRetriever passphrase.Retriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error)

GetPasswdDecryptBytes obtains, via the passphrase retriever, the password needed to decrypt the given PEM bytes. It returns the decrypted private key and the password that was used.

func KeyToPEM

func KeyToPEM(privKey data.PrivateKey, role string) ([]byte, error)

KeyToPEM returns a PEM encoded key from a Private Key

func LoadCertBundleFromFile

func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error)

LoadCertBundleFromFile loads certificates from the file named by filename. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE".

func LoadCertBundleFromPEM

func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error)

LoadCertBundleFromPEM loads certificates from the []byte provided. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE".

func LoadCertFromFile

func LoadCertFromFile(filename string) (*x509.Certificate, error)

LoadCertFromFile loads the first certificate from the file provided. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE".

func LoadCertFromPEM

func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error)

LoadCertFromPEM returns the first certificate found in a bunch of bytes or error if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.

func NewCertificate

func NewCertificate(gun string, startTime, endTime time.Time) (*x509.Certificate, error)

NewCertificate returns an X509 Certificate following a template, given a GUN and validity interval.

func ParsePEMPrivateKey

func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error)

ParsePEMPrivateKey returns a data.PrivateKey from a PEM encoded private key. It only supports RSA (PKCS#1) and attempts to decrypt using the passphrase if the key is encrypted.

func ParsePEMPublicKey

func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error)

ParsePEMPublicKey returns a data.PublicKey from a PEM encoded public key or certificate.

func RSAToPrivateKey

func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error)

RSAToPrivateKey converts an rsa.Private key to a TUF data.PrivateKey type

func ReadRoleFromPEM

func ReadRoleFromPEM(pemBytes []byte) string

ReadRoleFromPEM returns the value from the role PEM header, if it exists

func ValidateCertificate

func ValidateCertificate(c *x509.Certificate) error

ValidateCertificate returns an error if the certificate is not valid for notary. Currently this is only a time expiry check, plus ensuring the public key has a large enough modulus if it is RSA.

func Verify

func Verify(s X509Store, dnsName string, certList []*x509.Certificate) error

Verify operates on an X509Store and validates the existence of a chain of trust between a leafCertificate and a CA present inside of the X509 Store. It requires at least two certificates in certList, a leaf Certificate and an intermediate CA certificate.

func X509PublicKeyID

func X509PublicKeyID(certPubKey data.PublicKey) (string, error)

X509PublicKeyID returns a public key ID as a string, given a data.PublicKey that contains an X509 Certificate

Types

type CertID

type CertID string

CertID represents the ID used to identify certificates.

type ErrAttemptsExceeded

type ErrAttemptsExceeded struct{}

ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

func (ErrAttemptsExceeded) Error

func (err ErrAttemptsExceeded) Error() string

ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

type ErrBadCertificateStore

type ErrBadCertificateStore struct {
}

ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store

func (ErrBadCertificateStore) Error

func (err ErrBadCertificateStore) Error() string

ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store

type ErrCertExists

type ErrCertExists struct {
}

ErrCertExists is returned when a Certificate already exists in the key store

func (ErrCertExists) Error

func (err ErrCertExists) Error() string

ErrCertExists is returned when a Certificate already exists in the key store

type ErrCertValidation

type ErrCertValidation struct {
}

ErrCertValidation is returned when a certificate doesn't pass the store specific validations

func (ErrCertValidation) Error

func (err ErrCertValidation) Error() string

ErrCertValidation is returned when a certificate doesn't pass the store specific validations

type ErrKeyNotFound

type ErrKeyNotFound struct {
	// KeyID is the ID of the key the keystore failed to retrieve.
	KeyID string
}

ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

func (ErrKeyNotFound) Error

func (err ErrKeyNotFound) Error() string

ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

type ErrNoCertificatesFound

type ErrNoCertificatesFound struct {
	// contains filtered or unexported fields
}

ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*

func (ErrNoCertificatesFound) Error

func (err ErrNoCertificatesFound) Error() string

ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*

type ErrPasswordInvalid

type ErrPasswordInvalid struct{}

ErrPasswordInvalid is returned when signing fails. It could also mean the signing key file was corrupted, but we have no way to distinguish.

func (ErrPasswordInvalid) Error

func (err ErrPasswordInvalid) Error() string

ErrPasswordInvalid is returned when signing fails. It could also mean the signing key file was corrupted, but we have no way to distinguish.

type KeyFileStore

type KeyFileStore struct {
	sync.Mutex
	SimpleFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}

KeyFileStore persists and manages private keys on disk

func NewKeyFileStore

func NewKeyFileStore(baseDir string, passphraseRetriever passphrase.Retriever) (*KeyFileStore, error)

NewKeyFileStore returns a new KeyFileStore creating a private directory to hold the keys.

func (*KeyFileStore) AddKey

func (s *KeyFileStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error

AddKey stores the contents of a PEM-encoded private key as a PEM block

func (*KeyFileStore) ExportKey

func (s *KeyFileStore) ExportKey(keyID string) ([]byte, error)

ExportKey exports the encrypted bytes from the keystore

func (*KeyFileStore) GetKey

func (s *KeyFileStore) GetKey(name string) (data.PrivateKey, string, error)

GetKey returns the PrivateKey given a KeyID

func (*KeyFileStore) GetKeyInfo added in v0.3.0

func (s *KeyFileStore) GetKeyInfo(keyID string) (KeyInfo, error)

GetKeyInfo returns the corresponding gun and role key info for a keyID

func (*KeyFileStore) ListKeys

func (s *KeyFileStore) ListKeys() map[string]KeyInfo

ListKeys returns a list of unique PublicKeys present on the KeyFileStore, by returning a copy of the keyInfoMap

func (*KeyFileStore) Name

func (s *KeyFileStore) Name() string

Name returns a user friendly name for the location this store keeps its data

func (*KeyFileStore) RemoveKey

func (s *KeyFileStore) RemoveKey(keyID string) error

RemoveKey removes the key from the keyfilestore

type KeyInfo added in v0.3.0

type KeyInfo struct {
	// Gun is the GUN recorded for the private key.
	Gun  string
	// Role is the role recorded for the private key.
	Role string
}

KeyInfo stores the gun and role for a corresponding private key ID. It is assumed that each private key ID is unique.

func KeyInfoFromPEM added in v0.3.0

func KeyInfoFromPEM(pemBytes []byte, filename string) (string, KeyInfo, error)

KeyInfoFromPEM attempts to get a keyID and KeyInfo from the filename and PEM bytes of a key

type KeyMemoryStore

type KeyMemoryStore struct {
	sync.Mutex
	MemoryFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}

KeyMemoryStore manages private keys in memory

func NewKeyMemoryStore

func NewKeyMemoryStore(passphraseRetriever passphrase.Retriever) *KeyMemoryStore

NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory

func (*KeyMemoryStore) AddKey

func (s *KeyMemoryStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error

AddKey stores the contents of a PEM-encoded private key as a PEM block

func (*KeyMemoryStore) ExportKey

func (s *KeyMemoryStore) ExportKey(keyID string) ([]byte, error)

ExportKey exports the encrypted bytes from the keystore

func (*KeyMemoryStore) GetKey

func (s *KeyMemoryStore) GetKey(name string) (data.PrivateKey, string, error)

GetKey returns the PrivateKey given a KeyID

func (*KeyMemoryStore) GetKeyInfo added in v0.3.0

func (s *KeyMemoryStore) GetKeyInfo(keyID string) (KeyInfo, error)

GetKeyInfo returns the corresponding gun and role key info for a keyID

func (*KeyMemoryStore) ListKeys

func (s *KeyMemoryStore) ListKeys() map[string]KeyInfo

ListKeys returns a list of unique PublicKeys present on the KeyMemoryStore, by returning a copy of the keyInfoMap.

func (*KeyMemoryStore) Name

func (s *KeyMemoryStore) Name() string

Name returns a user friendly name for the location this store keeps its data

func (*KeyMemoryStore) RemoveKey

func (s *KeyMemoryStore) RemoveKey(keyID string) error

RemoveKey removes the key from the keystore

type KeyStore

type KeyStore interface {
	// AddKey adds a key to the KeyStore, and if the key already exists,
	// succeeds.  Otherwise, returns an error if it cannot add.
	AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error
	// GetKey returns the private key stored under keyID.
	// Should fail with ErrKeyNotFound if the keystore is operating normally
	// and knows that it does not store the requested key.
	// NOTE(review): the string result is not documented here — confirm its
	// meaning against the KeyFileStore and KeyMemoryStore implementations.
	GetKey(keyID string) (data.PrivateKey, string, error)
	// GetKeyInfo returns the gun and role recorded for keyID.
	GetKeyInfo(keyID string) (KeyInfo, error)
	// ListKeys returns a copy of the store's keyID -> KeyInfo map.
	ListKeys() map[string]KeyInfo
	// RemoveKey removes the key identified by keyID from the store.
	RemoveKey(keyID string) error
	// ExportKey exports the key's bytes from the store still encrypted; it
	// does not return plaintext key material.
	ExportKey(keyID string) ([]byte, error)
	// Name returns a user friendly name for where this store keeps its data.
	Name() string
}

KeyStore is a generic interface for private key storage

type MemoryFileStore

type MemoryFileStore struct {
	sync.Mutex
	// contains filtered or unexported fields
}

MemoryFileStore is an implementation of Storage that keeps the contents in memory.

func NewMemoryFileStore

func NewMemoryFileStore() *MemoryFileStore

NewMemoryFileStore creates a MemoryFileStore

func (*MemoryFileStore) Add

func (f *MemoryFileStore) Add(name string, data []byte) error

Add writes data to a file with a given name

func (*MemoryFileStore) Get

func (f *MemoryFileStore) Get(name string) ([]byte, error)

Get returns the data given a file name

func (*MemoryFileStore) ListFiles

func (f *MemoryFileStore) ListFiles() []string

ListFiles lists all the files inside of a store

func (*MemoryFileStore) Remove

func (f *MemoryFileStore) Remove(name string) error

Remove removes a file identified by name

type SimpleFileStore

type SimpleFileStore struct {
	// contains filtered or unexported fields
}

SimpleFileStore implements FileStore

func NewFileStore added in v0.3.0

func NewFileStore(baseDir, fileExt string, perms os.FileMode) (*SimpleFileStore, error)

NewFileStore creates a fully configurable file store

func NewPrivateSimpleFileStore

func NewPrivateSimpleFileStore(baseDir, fileExt string) (*SimpleFileStore, error)

NewPrivateSimpleFileStore is a wrapper to create an owner readable/writeable _only_ filestore

func NewSimpleFileStore

func NewSimpleFileStore(baseDir, fileExt string) (*SimpleFileStore, error)

NewSimpleFileStore is a convenience wrapper to create a world readable, owner writeable filestore

func (*SimpleFileStore) Add

func (f *SimpleFileStore) Add(name string, data []byte) error

Add writes data to a file with a given name

func (*SimpleFileStore) BaseDir

func (f *SimpleFileStore) BaseDir() string

BaseDir returns the base directory of the filestore

func (*SimpleFileStore) Get

func (f *SimpleFileStore) Get(name string) ([]byte, error)

Get returns the data given a file name

func (*SimpleFileStore) GetPath

func (f *SimpleFileStore) GetPath(name string) (string, error)

GetPath returns the full final path of a file with a given name

func (*SimpleFileStore) ListFiles

func (f *SimpleFileStore) ListFiles() []string

ListFiles lists all the files inside of a store

func (*SimpleFileStore) Remove

func (f *SimpleFileStore) Remove(name string) error

Remove removes a file identified by name

type Storage added in v0.3.0

// Storage is the bare-bones, flat (no hierarchy) file primitive that the
// higher-level stores build on. Every method takes a file name relative to
// the store's base directory; implementations clean the name before
// resolving it so that it cannot escape that directory.
type Storage interface {
	// Add writes a file to the specified location, returning an error if this
	// is not possible (reasons may include permissions errors). The path is cleaned
	// before being made absolute against the store's base dir.
	Add(fileName string, data []byte) error

	// Remove deletes a file from the store relative to the store's base directory.
	// The path is cleaned before being made absolute to ensure no path traversal
	// outside the base directory is possible.
	Remove(fileName string) error

	// Get returns the file content found at fileName relative to the base directory
	// of the file store. The path is cleaned before being made absolute to ensure
	// path traversal outside the store is not possible. If the file is not found
	// an error to that effect is returned.
	Get(fileName string) ([]byte, error)

	// ListFiles returns a list of paths relative to the base directory of the
	// filestore. Any of these paths must be retrievable via the
	// Storage.Get method.
	ListFiles() []string
}

Storage implements the bare bones primitives (no hierarchy)

type Validator

// Validator decides whether a certificate may be added to a filtered store.
type Validator interface {
	// Validate reports whether cert is acceptable to the store.
	Validate(cert *x509.Certificate) bool
}

Validator is a convenience type for creating a validating function that filters the certificates that get added to the store.

type ValidatorFunc

// ValidatorFunc adapts a plain func(*x509.Certificate) bool to the Validator
// interface; its Validate method calls the underlying function.
type ValidatorFunc func(cert *x509.Certificate) bool

ValidatorFunc is a convenience type to create functions that implement the Validator interface

func (ValidatorFunc) Validate

func (vf ValidatorFunc) Validate(cert *x509.Certificate) bool

Validate implements the Validator interface to allow for any func() bool method to be passed as a Validator

type X509FileStore

type X509FileStore struct {
	// contains filtered or unexported fields
}

X509FileStore implements X509Store that persists on disk

func NewX509FileStore

func NewX509FileStore(directory string) (*X509FileStore, error)

NewX509FileStore returns a new X509FileStore.

func NewX509FilteredFileStore

func NewX509FilteredFileStore(directory string, validate func(*x509.Certificate) bool) (*X509FileStore, error)

NewX509FilteredFileStore returns a new X509FileStore that validates certificates that are added.

func (*X509FileStore) AddCert

func (s *X509FileStore) AddCert(cert *x509.Certificate) error

AddCert creates a filename for a given cert and adds a certificate with that name

func (*X509FileStore) AddCertFromFile

func (s *X509FileStore) AddCertFromFile(filename string) error

AddCertFromFile tries to add an X509 certificate to the store given a filename.

func (X509FileStore) AddCertFromPEM

func (s X509FileStore) AddCertFromPEM(pemBytes []byte) error

AddCertFromPEM adds the first certificate that it finds in the []byte, returning an error if no Certificates are found.

func (*X509FileStore) Empty

func (s *X509FileStore) Empty() bool

Empty returns true if there are no certificates in the X509FileStore, false otherwise.

func (*X509FileStore) GetCertificateByCertID

func (s *X509FileStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)

GetCertificateByCertID returns the certificate that matches a certain certID

func (*X509FileStore) GetCertificatePool

func (s *X509FileStore) GetCertificatePool() *x509.CertPool

GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.

func (*X509FileStore) GetCertificates

func (s *X509FileStore) GetCertificates() []*x509.Certificate

GetCertificates returns an array with all of the current X509 Certificates.

func (*X509FileStore) GetCertificatesByCN

func (s *X509FileStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)

GetCertificatesByCN returns all the certificates that match a specific CommonName

func (*X509FileStore) GetVerifyOptions

func (s *X509FileStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)

GetVerifyOptions returns VerifyOptions with the certificates within the store as part of the roots list. This never allows the use of system roots, returning an error if there are no root CAs.

func (*X509FileStore) RemoveAll

func (s *X509FileStore) RemoveAll() error

RemoveAll removes all the certificates from the store

func (*X509FileStore) RemoveCert

func (s *X509FileStore) RemoveCert(cert *x509.Certificate) error

RemoveCert removes a certificate from a X509FileStore.

type X509MemStore

type X509MemStore struct {
	// contains filtered or unexported fields
}

X509MemStore implements X509Store as an in-memory object with no persistence

func NewX509FilteredMemStore

func NewX509FilteredMemStore(validate func(*x509.Certificate) bool) *X509MemStore

NewX509FilteredMemStore returns a new X509Memstore that validates certificates that are added.

func NewX509MemStore

func NewX509MemStore() *X509MemStore

NewX509MemStore returns a new X509MemStore.

func (*X509MemStore) AddCert

func (s *X509MemStore) AddCert(cert *x509.Certificate) error

AddCert adds a certificate to the store

func (*X509MemStore) AddCertFromFile

func (s *X509MemStore) AddCertFromFile(originFilname string) error

AddCertFromFile tries to add an X509 certificate to the store given a filename.

func (*X509MemStore) AddCertFromPEM

func (s *X509MemStore) AddCertFromPEM(pemBytes []byte) error

AddCertFromPEM adds a certificate to the store from a PEM blob

func (*X509MemStore) GetCertificateByCertID

func (s *X509MemStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)

GetCertificateByCertID returns the certificate that matches a certain certID

func (*X509MemStore) GetCertificatePool

func (s *X509MemStore) GetCertificatePool() *x509.CertPool

GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.

func (*X509MemStore) GetCertificates

func (s *X509MemStore) GetCertificates() []*x509.Certificate

GetCertificates returns an array with all of the current X509 Certificates.

func (*X509MemStore) GetCertificatesByCN

func (s *X509MemStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)

GetCertificatesByCN returns all the certificates that match a specific CommonName

func (*X509MemStore) GetVerifyOptions

func (s *X509MemStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)

GetVerifyOptions returns VerifyOptions with the certificates within the store as part of the roots list. This never allows the use of system roots, returning an error if there are no root CAs.

func (*X509MemStore) RemoveAll

func (s *X509MemStore) RemoveAll() error

RemoveAll removes all the certificates from the store

func (*X509MemStore) RemoveCert

func (s *X509MemStore) RemoveCert(cert *x509.Certificate) error

RemoveCert removes a certificate from a X509MemStore.

type X509Store

// X509Store is the interface for all X509Stores. Filtered stores (see
// NewX509FilteredFileStore and NewX509FilteredMemStore) validate certificates
// as they are added.
type X509Store interface {
	// AddCert adds a single certificate to the store. Implementations may
	// report ErrCertExists for a certificate already present and
	// ErrCertValidation for one that fails the store's validation.
	AddCert(cert *x509.Certificate) error
	// AddCertFromPEM adds the first certificate found in pemCerts, returning
	// an error if none is found.
	AddCertFromPEM(pemCerts []byte) error
	// AddCertFromFile adds a certificate read from the named file.
	AddCertFromFile(filename string) error
	// RemoveCert removes cert from the store.
	RemoveCert(cert *x509.Certificate) error
	// RemoveAll removes every certificate from the store.
	RemoveAll() error
	// GetCertificateByCertID returns the certificate matching certID.
	GetCertificateByCertID(certID string) (*x509.Certificate, error)
	// GetCertificatesByCN returns all certificates whose CommonName matches
	// cn; ErrNoCertificatesFound is the documented error when none match.
	GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
	// GetCertificates returns all certificates currently in the store.
	GetCertificates() []*x509.Certificate
	// GetCertificatePool returns a CertPool loaded with every certificate in
	// the store.
	GetCertificatePool() *x509.CertPool
	// GetVerifyOptions returns VerifyOptions whose roots are the store's
	// certificates. System roots are never used, and an error is returned
	// when the store holds no root CAs.
	GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
}

X509Store is the interface for all X509Stores
