ctfe

package
v0.0.0-...-ceca4e5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 15, 2017 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Overview

Package ctfe contains a usage example by providing an implementation of an RFC6962 compatible CT log server using a Trillian log server as backend storage via its GRPC API.

IMPORTANT: Only code rooted within this part of the tree should refer to the CT Github repository. Other parts of the system must not assume that the data they're processing is X.509 or CT related.

The CT repository can be found at: https://github.com/google/certificate-transparency

Index

Constants

View Source
const (
	AddChainName          = EntrypointName("AddChain")
	AddPreChainName       = EntrypointName("AddPreChain")
	GetSTHName            = EntrypointName("GetSTH")
	GetSTHConsistencyName = EntrypointName("GetSTHConsistency")
	GetProofByHashName    = EntrypointName("GetProofByHash")
	GetEntriesName        = EntrypointName("GetEntries")
	GetRootsName          = EntrypointName("GetRoots")
	GetEntryAndProofName  = EntrypointName("GetEntryAndProof")
)

Constants for entrypoint names, as exposed in statistics/logging.

Variables

Entrypoints is a list of entrypoint names as exposed in statistics/logging.

View Source
var MaxGetEntriesAllowed int64 = 50

MaxGetEntriesAllowed is the number of entries we allow in a get-entries request

Functions

func GetCTLogID

func GetCTLogID(pk crypto.PublicKey) ([sha256.Size]byte, error)

GetCTLogID takes the key manager for a log and returns the LogID. (see RFC 6962 S3.2) In CT V1 the log id is a hash of the public key.

func IsPrecertificate

func IsPrecertificate(cert *x509.Certificate) (bool, error)

IsPrecertificate tests if a certificate is a pre-certificate as defined in CT. An error is returned if the CT extension is present but is not ASN.1 NULL as defined by the spec.

func ValidateChain

func ValidateChain(rawChain [][]byte, validationOpts CertValidationOpts) ([]*x509.Certificate, error)

ValidateChain takes the certificate chain as it was parsed from a JSON request. Ensures all elements in the chain decode as X.509 certificates. Ensures that there is a valid path from the end entity certificate in the chain to a trusted root cert, possibly using the intermediates supplied in the chain. Then applies the RFC requirement that the path must involve all the submitted chain in the order of submission.

Types

type AppHandler

type AppHandler struct {
	Context LogContext
	Handler func(context.Context, LogContext, http.ResponseWriter, *http.Request) (int, error)
	Name    EntrypointName
	Method  string // http.MethodGet or http.MethodPost
}

AppHandler holds a LogContext and a handler function that uses it, and is an implementation of the http.Handler interface.

func (AppHandler) ServeHTTP

func (a AppHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP for an AppHandler invokes the underlying handler function but does additional common error and stats processing.

type CertValidationOpts

type CertValidationOpts struct {
	// contains filtered or unexported fields
}

CertValidationOpts contains various parameters for certificate chain validation

type EntrypointName

type EntrypointName string

EntrypointName identifies a CT entrypoint as defined in section 4 of RFC 6962.

type LogConfig

type LogConfig struct {
	LogID           int64
	Prefix          string
	RootsPEMFile    []string
	PrivKeyPEMFile  string
	PrivKeyPassword string
	// The public key is included for the convenience of test tools (and obviously should
	// match the private key above); it is not used by the CT personality.
	PubKeyPEMFile string
	RejectExpired bool
	ExtKeyUsages  []string
}

LogConfig describes the configuration options for a log instance.

func LogConfigFromFile

func LogConfigFromFile(filename string) ([]LogConfig, error)

LogConfigFromFile creates a slice of LogConfig options from the given filename, which should contain JSON encoded configuration data.

func (LogConfig) SetUpInstance

func (cfg LogConfig) SetUpInstance(client trillian.TrillianLogClient, deadline time.Duration, mf monitoring.MetricFactory) (*PathHandlers, error)

SetUpInstance sets up a log instance that uses the specified client to communicate with the Trillian RPC back end.

type LogContext

type LogContext struct {
	// LogPrefix is a pre-formatted string identifying the log for diagnostics
	LogPrefix string
	// TimeSource is a util.TimeSource that can be injected for testing
	TimeSource util.TimeSource
	// contains filtered or unexported fields
}

LogContext holds information for a specific log instance.

func NewLogContext

func NewLogContext(logID int64, prefix string, trustedRoots *PEMCertPool, rejectExpired bool, extKeyUsages []x509.ExtKeyUsage, rpcClient trillian.TrillianLogClient, signer *crypto.Signer, rpcDeadline time.Duration, timeSource util.TimeSource, mf monitoring.MetricFactory) *LogContext

NewLogContext creates a new instance of LogContext.

func (LogContext) Handlers

func (c LogContext) Handlers(prefix string) PathHandlers

Handlers returns a map from URL paths (with the given prefix) and AppHandler instances to handle those entrypoints.

type LogEntry

type LogEntry struct {
	// The leaf structure that was built from the client submission
	Leaf ct.MerkleTreeLeaf
	// The complete chain for the certificate or precertificate as raw bytes
	Chain []ct.ASN1Cert `tls:"minlen:0,maxlen:16777215"`
}

LogEntry holds the data we send to the backend with the leaf. There is a LogEntry type in the CT code but it is a superset of what we need. These structs are purely containers for data passed between the frontend and backend. They are not responsible for request validation or chain checking. Validation of submitted chains is the responsibility of the frontend. The backend handles generic blobs and does not know their format.

func NewLogEntry

func NewLogEntry(leaf ct.MerkleTreeLeaf, certChain []*x509.Certificate) *LogEntry

NewLogEntry creates a new LogEntry instance based on the given Merkle tree leaf and certificate chain.

type PEMCertPool

type PEMCertPool struct {
	// contains filtered or unexported fields
}

PEMCertPool is a wrapper / extension to x509.CertPool. It allows us to access the raw certs, which we need to serve get-roots request and has stricter handling on loading certs into the pool. CertPool ignores errors if at least one cert loads correctly but PEMCertPool requires all certs to load.

func NewPEMCertPool

func NewPEMCertPool() *PEMCertPool

NewPEMCertPool creates a new, empty, instance of PEMCertPool.

func (*PEMCertPool) AddCert

func (p *PEMCertPool) AddCert(cert *x509.Certificate)

AddCert adds a certificate to a pool. Uses fingerprint to weed out duplicates. cert must not be nil.

func (*PEMCertPool) AppendCertsFromPEM

func (p *PEMCertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendCertsFromPEM adds certs to the pool from a byte slice assumed to contain PEM encoded data. Skips over non certificate blocks in the data. Returns true if all certificates in the data were parsed and added to the pool successfully and at least one certificate was found.

func (*PEMCertPool) AppendCertsFromPEMFile

func (p *PEMCertPool) AppendCertsFromPEMFile(pemFile string) error

AppendCertsFromPEMFile adds certs from a file that contains concatenated PEM data.

func (*PEMCertPool) CertPool

func (p *PEMCertPool) CertPool() *x509.CertPool

CertPool returns the underlying CertPool.

func (*PEMCertPool) RawCertificates

func (p *PEMCertPool) RawCertificates() []*x509.Certificate

RawCertificates returns a list of the raw bytes of certificates that are in this pool

func (*PEMCertPool) Subjects

func (p *PEMCertPool) Subjects() (res [][]byte)

Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.

type PathHandlers

type PathHandlers map[string]AppHandler

PathHandlers maps from a path to the relevant AppHandler instance.

Directories

Path Synopsis
The ct_server binary runs the CT personality.
The ct_server binary runs the CT personality.
Package testonly contains code and data that should only be used by tests.
Package testonly contains code and data that should only be used by tests.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL