- func ExtractChain(sd *protocol.SignedData) ([]*x509.Certificate, error)
- func NewChainRenewalRequest(ctx context.Context, csr []byte, signer trust.Signer) (*cppb.ChainRenewalRequest, error)
- func NewLegacyChainRenewalRequest(ctx context.Context, csr []byte, signer trust.Signer) (*cppb.ChainRenewalRequest, error)
- type CACertLoader
- type CACertProvider
- type CachingPolicyGen
- type ChainBuilder
- type LoadingPolicyGen
- type PolicyGen
- type RequestVerifier
- func (r RequestVerifier) VerifyCMSSignedRenewalRequest(ctx context.Context, req []byte) (*x509.CertificateRequest, error)
- func (r RequestVerifier) VerifyPbSignedRenewalRequest(ctx context.Context, req *cryptopb.SignedMessage, chains [][]*x509.Certificate) (*x509.CertificateRequest, error)
- func (r RequestVerifier) VerifySignature(ctx context.Context, sd *protocol.SignedData, chain []*x509.Certificate) error
- type TRCFetcher
Functions ¶
func ExtractChain ¶
func ExtractChain(sd *protocol.SignedData) ([]*x509.Certificate, error)
func NewChainRenewalRequest ¶
func NewChainRenewalRequest(ctx context.Context, csr []byte, signer trust.Signer) (*cppb.ChainRenewalRequest, error)
NewChainRenewalRequest builds a ChainRenewalRequest from a serialized CSR and a signer; the resulting request is enveloped in a CMS SignedData.
func NewLegacyChainRenewalRequest ¶
func NewLegacyChainRenewalRequest(ctx context.Context, csr []byte, signer trust.Signer) (*cppb.ChainRenewalRequest, error)
NewLegacyChainRenewalRequest builds a ChainRenewalRequest from a serialized CSR and a signer; the resulting request is enveloped in a protobuf SignedMessage.
Types ¶
type CACertLoader ¶
CACertLoader loads CA certificates from disk.
func (CACertLoader) CACerts ¶
func (l CACertLoader) CACerts(ctx context.Context) ([]*x509.Certificate, error)
CACerts returns a list of CA certificates from disk that are verifiable with an active TRC.
type CACertProvider ¶
// CACertProvider provides verifiable CA certificates.
type CACertProvider interface {
	// CACerts returns a list of CA certificates that are verifiable with an
	// active TRC.
	CACerts(ctx context.Context) ([]*x509.Certificate, error)
}
CACertProvider provides verifiable CA certificates.
type CachingPolicyGen ¶
// CachingPolicyGen is a PolicyGen that can cache the previously generated
// CASigner for some time.
type CachingPolicyGen struct {
	PolicyGen PolicyGen
	Interval  time.Duration
	// contains filtered or unexported fields
}
CachingPolicyGen is a PolicyGen that can cache the previously generated CASigner for some time.
type ChainBuilder ¶
// ChainBuilder creates a certificate chain with the generated policy.
type ChainBuilder struct {
	PolicyGen PolicyGen
}
ChainBuilder creates a certificate chain with the generated policy.
func (ChainBuilder) CreateChain ¶
func (c ChainBuilder) CreateChain(ctx context.Context, csr *x509.CertificateRequest) ([]*x509.Certificate, error)
CreateChain creates a certificate chain with the latest available CA policy.
type LoadingPolicyGen ¶
// LoadingPolicyGen generates a CAPolicy from the keys and certificates
// available on the file system.
type LoadingPolicyGen struct {
	Validity     time.Duration
	KeyRing      trust.KeyRing
	CertProvider CACertProvider
	// ForceECDSAWithSHA512 forces the CA policy to use ECDSAWithSHA512 as the
	// signature algorithm for signing the issued certificate. This field
	// forces the old behavior extending the acceptable signature algorithms
	// in https://github.com/scionproto/scion/commit/df8565dc97cb6ef7c7925c26f23f3e9954ab2a97.
	//
	// Experimental: This field is experimental and will be subject to change.
	ForceECDSAWithSHA512 bool
}
LoadingPolicyGen generates a CAPolicy from the keys and certificates available on the file system.
type RequestVerifier ¶
// RequestVerifier verifies certificate chain renewal requests (see its
// Verify* methods). TRCFetcher supplies the TRCs the verifier relies on.
type RequestVerifier struct {
	TRCFetcher TRCFetcher
}
func (RequestVerifier) VerifyCMSSignedRenewalRequest ¶
func (r RequestVerifier) VerifyCMSSignedRenewalRequest(ctx context.Context, req []byte) (*x509.CertificateRequest, error)
VerifyCMSSignedRenewalRequest verifies a renewal request that is encapsulated in a CMS envelope. It checks that the contained CSR is valid and correctly self-signed, and that the signature is valid and can be verified by the chain included in the CMS envelope.
func (RequestVerifier) VerifyPbSignedRenewalRequest ¶
func (r RequestVerifier) VerifyPbSignedRenewalRequest(ctx context.Context, req *cryptopb.SignedMessage, chains [][]*x509.Certificate) (*x509.CertificateRequest, error)
VerifyPbSignedRenewalRequest verifies a renewal request that is encapsulated in a protobuf SignedMessage envelope. It checks that the contained CSR is valid and correctly self-signed, and that the signature is valid and can be verified by one of the given chains.
func (RequestVerifier) VerifySignature ¶
func (r RequestVerifier) VerifySignature( ctx context.Context, sd *protocol.SignedData, chain []*x509.Certificate, ) error
VerifySignature verifies the signature on the signed data with the provided chain. It checks that the certificate chain is verifiable with an active TRC, and that the signature can be verified with the chain.