signed

package
v0.0.0-...-a9fda57 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 10, 2015 License: Apache-2.0, BSD-3-Clause Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrMissingKey   = errors.New("tuf: missing key")
	ErrNoSignatures = errors.New("tuf: data has no signatures")
	ErrInvalid      = errors.New("tuf: signature verification failed")
	ErrWrongMethod  = errors.New("tuf: invalid signature type")
	ErrUnknownRole  = errors.New("tuf: unknown role")
	ErrWrongType    = errors.New("tuf: meta file has wrong type")
)

Various basic signing errors

View Source 
var Verifiers = map[data.SigAlgorithm]Verifier{
	data.RSAPSSSignature:      RSAPSSVerifier{},
	data.RSAPKCS1v15Signature: RSAPKCS1v15Verifier{},
	data.PyCryptoSignature:    RSAPyCryptoVerifier{},
	data.ECDSASignature:       ECDSAVerifier{},
	data.EDDSASignature:       Ed25519Verifier{},
}

Verifiers serves as a map of all verifiers available on the system and can be injected into a verificationService. For testing and configuration purposes, it will not be used by default.

Functions

func IsExpired 

func IsExpired(t time.Time) bool

IsExpired checks if the given time passed before the present time

func RegisterVerifier 

func RegisterVerifier(algorithm data.SigAlgorithm, v Verifier)

RegisterVerifier provides a convenience function for init() functions to register additional verifiers or replace existing ones.

func Sign 

func Sign(service CryptoService, s *data.Signed, keys ...data.PublicKey) error

Sign takes a data.Signed and a key, calculated and adds the signature to the data.Signed

func Unmarshal 

func Unmarshal(b []byte, v interface{}, role string, minVersion int, db *keys.KeyDB) error

Unmarshal unmarshals and verifys the raw bytes for a given role's metadata

func UnmarshalTrusted 

func UnmarshalTrusted(b []byte, v interface{}, role string, db *keys.KeyDB) error

UnmarshalTrusted unmarshals and verifies signatures only, not metadata, for a given role's metadata

func Verify 

func Verify(s *data.Signed, role string, minVersion int, db *keys.KeyDB) error

Verify checks the signatures and metadata (expiry, version) for the signed role data

func VerifyRoot 

func VerifyRoot(s *data.Signed, minVersion int, keys map[string]data.PublicKey) error

VerifyRoot checks if a given root file is valid against a known set of keys. Threshold is always assumed to be 1

func VerifySignatures 

func VerifySignatures(s *data.Signed, role string, db *keys.KeyDB) error

VerifySignatures checks the we have sufficient valid signatures for the given role

Types

type CryptoService 

type CryptoService interface {
	SigningService
	KeyService
}

CryptoService defines a unified Signing and Key Service as this will be most useful for most applications.

type ECDSAVerifier 

type ECDSAVerifier struct{}

ECDSAVerifier checks ECDSA signatures, decoding the keyType appropriately

func (ECDSAVerifier) Verify 

func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual check.

type Ed25519 

type Ed25519 struct {
	// contains filtered or unexported fields
}

Ed25519 implements a simple in memory cryptosystem for ED25519 keys

func NewEd25519 

func NewEd25519() *Ed25519

NewEd25519 initializes a new empty Ed25519 CryptoService that operates entirely in memory

func (*Ed25519) Create 

func (e *Ed25519) Create(role, algorithm string) (data.PublicKey, error)

Create generates a new key and returns the public part

func (*Ed25519) GetKey 

func (e *Ed25519) GetKey(keyID string) data.PublicKey

GetKey returns a single public key based on the ID

func (*Ed25519) GetPrivateKey 

func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, string, error)

GetPrivateKey returns a single private key based on the ID

func (*Ed25519) ListKeys 

func (e *Ed25519) ListKeys(role string) []string

ListKeys returns the list of keys IDs for the role

func (*Ed25519) PublicKeys 

func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error)

PublicKeys returns a map of public keys for the ids provided, when those IDs are found in the store.

func (*Ed25519) RemoveKey 

func (e *Ed25519) RemoveKey(keyID string) error

RemoveKey deletes a key from the signer

func (*Ed25519) Sign 

func (e *Ed25519) Sign(keyIDs []string, toSign []byte) ([]data.Signature, error)

Sign generates an Ed25519 signature over the data

type Ed25519Verifier 

type Ed25519Verifier struct{}

Ed25519Verifier used to verify Ed25519 signatures

func (Ed25519Verifier) Verify 

func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify checks that an ed25519 signature is valid

type ErrExpired 

type ErrExpired struct {
	Role    string
	Expired string
}

ErrExpired indicates a piece of metadata has expired

func (ErrExpired) Error 

func (e ErrExpired) Error() string

type ErrInvalidKeyLength 

type ErrInvalidKeyLength struct {
	// contains filtered or unexported fields
}

ErrInvalidKeyLength indicates that while we may support the cipher, the provided key length is not specifically supported, i.e. we support RSA, but not 1024 bit keys

func (ErrInvalidKeyLength) Error 

func (e ErrInvalidKeyLength) Error() string

type ErrInvalidKeyType 

type ErrInvalidKeyType struct{}

ErrInvalidKeyType indicates the types for the key and signature it's associated with are mismatched. Probably a sign of malicious behaviour

func (ErrInvalidKeyType) Error 

func (e ErrInvalidKeyType) Error() string

type ErrLowVersion 

type ErrLowVersion struct {
	Actual  int
	Current int
}

ErrLowVersion indicates the piece of metadata has a version number lower than a version number we're already seen for this role

func (ErrLowVersion) Error 

func (e ErrLowVersion) Error() string

type ErrRoleThreshold 

type ErrRoleThreshold struct{}

ErrRoleThreshold indicates we did not validate enough signatures to meet the threshold

func (ErrRoleThreshold) Error 

func (e ErrRoleThreshold) Error() string

type KeyService 

type KeyService interface {
	// Create issues a new key pair and is responsible for loading
	// the private key into the appropriate signing service.
	// The role isn't currently used for anything, but it's here to support
	// future features
	Create(role, algorithm string) (data.PublicKey, error)

	// GetKey retrieves the public key if present, otherwise it returns nil
	GetKey(keyID string) data.PublicKey

	// GetPrivateKey retrieves the private key and role if present, otherwise
	// it returns nil
	GetPrivateKey(keyID string) (data.PrivateKey, string, error)

	// RemoveKey deletes the specified key
	RemoveKey(keyID string) error

	// ListKeys returns a map of IDs to role
	ListKeys(role string) []string
}

KeyService provides management of keys locally. It will never accept or provide private keys. Communication between the KeyService and a SigningService happen behind the Create function.

type RSAPKCS1v15Verifier 

type RSAPKCS1v15Verifier struct{}

RSAPKCS1v15Verifier checks RSA PKCS1v15 signatures

func (RSAPKCS1v15Verifier) Verify 

func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual verification

type RSAPSSVerifier 

type RSAPSSVerifier struct{}

RSAPSSVerifier checks RSASSA-PSS signatures

func (RSAPSSVerifier) Verify 

func (v RSAPSSVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual check.

type RSAPyCryptoVerifier 

type RSAPyCryptoVerifier struct{}

RSAPyCryptoVerifier checks RSASSA-PSS signatures

func (RSAPyCryptoVerifier) Verify 

func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual check. N.B. We have not been able to make this work in a way that is compatible with PyCrypto.

type SigningService 

type SigningService interface {
	// Sign takes a slice of keyIDs and a piece of data to sign
	// and returns a slice of signatures and an error
	Sign(keyIDs []string, data []byte) ([]data.Signature, error)
}

SigningService defines the necessary functions to determine if a user is able to sign with a key, and to perform signing.

type Verifier 

type Verifier interface {
	Verify(key data.PublicKey, sig []byte, msg []byte) error
}

Verifier defines an interface for verfying signatures. An implementer of this interface should verify signatures for one and only one signing scheme.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.