Documentation
¶
Index ¶
- Constants
- Variables
- func ExtractIA(dn pkix.Name) (*addr.IA, error)
- func ReadPEMCerts(file string) ([]*x509.Certificate, error)
- func SubjectKeyID(pub crypto.PublicKey) ([]byte, error)
- func ValidateChain(certs []*x509.Certificate) error
- func VerifyChain(certs []*x509.Certificate, opts VerifyOptions) error
- type CAPolicy
- type CertType
- type SignedTRC
- type TRC
- func (pld *TRC) Encode() ([]byte, error)
- func (trc *TRC) GracePeriodEnd() time.Time
- func (trc *TRC) InGracePeriod(now time.Time) bool
- func (trc *TRC) IsZero() bool
- func (trc *TRC) RootCerts() ([]*x509.Certificate, error)
- func (trc *TRC) RootPool() (*x509.CertPool, error)
- func (trc *TRC) Validate() error
- func (trc *TRC) ValidateUpdate(predecessor *TRC) (Update, error)
- type TRCID
- type Update
- type UpdateType
- type Validity
- type VerifyOptions
Constants ¶
const (
// CertVersion is the x509 certificate version number 3.
CertVersion = 3
)
Variables ¶
var ( OIDExtKeyUsageSensitive = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 1} OIDExtKeyUsageRegular = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 2} OIDExtKeyUsageRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 3} )
KeyUsage oids.
var ( // ErrWildcardISD indicates a wildcard ISD. ErrWildcardISD = serrors.New("wildcard ISD") // ErrReservedNumber indicates that the number is reserved. ErrReservedNumber = serrors.New("reserved number") // ErrSerialBeforeBase indicates that the serial number is smaller than the // base number. ErrSerialBeforeBase = serrors.New("serial before base") )
var ( // ErrInvalidTRCVersion indicates an invalid TRC version. ErrInvalidTRCVersion = serrors.New("invalid TRC version") // ErrInvalidID indicates an invalid TRC ID. ErrInvalidID = serrors.New("invalid ID") // ErrGracePeriodNonZero indicates the grace period is non-zero in a // non-base TRC. ErrGracePeriodNonZero = serrors.New("grace period non-zero") // ErrVotesOnBaseTRC indicates that there are votes on a base TRC. ErrVotesOnBaseTRC = serrors.New("non-empty votes on base TRC") // ErrInvalidQuorumSize indicates the quorum size is outside of the [1,255] // range. ErrInvalidQuorumSize = serrors.New("invalid quorum size") // ErrNoASes indicates the ASes sequence is empty in the TRC. ErrNoASes = serrors.New("no ASes") // ErrWildcardAS indicates a wildcard AS. ErrWildcardAS = serrors.New("wildcard AS") // ErrDuplicateAS indicates an AS is duplicated in the sequence. ErrDuplicateAS = serrors.New("duplicate AS") // ErrUnclassifiedCertificate indicates a certificate could not be // classified as neither sensitive voting, regular voting nor root. ErrUnclassifiedCertificate = serrors.New("unclassified certificate") // ErrNotEnoughVoters indicates that the number of voters is smaller than // the voting quorum. ErrNotEnoughVoters = serrors.New("not enough voters") // ErrCertForOtherISD indicates a certificate that is for another ISD. ErrCertForOtherISD = serrors.New("certificate for other ISD") // ErrDuplicate indicates a duplicate certificate in the TRC. ErrDuplicate = serrors.New("duplicate certificate") // ErrTRCValidityNotCovered indicates that the TRC validity period is not // covered by a certificate. ErrTRCValidityNotCovered = serrors.New("TRC validity not covered by certificate") )
var ( // ErrInvalidCertType indicates an invalid certificate type. ErrInvalidCertType = serrors.New("invalid certificate type") )
var ErrInvalidValidityPeriod = serrors.New("NotAfter before NotBefore")
ErrInvalidValidityPeriod indicates an invalid validity period.
var (
OIDNameIA = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 2, 1}
)
Other oids.
var ( ValidSCIONSignatureAlgs = []x509.SignatureAlgorithm{ x509.ECDSAWithSHA512, } )
Valid SCION signatures
Functions ¶
func ExtractIA ¶
ExtractIA extracts the IA from the distinguished name. Returns nil if the ISD-AS number is not present in the distinguished name. If the ISD-AS number is not parsable, an error is returned.
func ReadPEMCerts ¶
func ReadPEMCerts(file string) ([]*x509.Certificate, error)
ReadPEMCerts reads the PEM file and parses the certificate blocks in it. Only PEM files with only CERTIFICATE blocks are allowed.
func SubjectKeyID ¶
SubjectKeyID computes a subject key identifier for a given public key. The computed ID is the SHA-1 hash of the marshaled public key according to https://tools.ietf.org/html/rfc5280#section-4.2.1.2 (1)
func ValidateChain ¶
func ValidateChain(certs []*x509.Certificate) error
ValidateChain validates that a slice of SCION certificates can be a valid chain.
func VerifyChain ¶
func VerifyChain(certs []*x509.Certificate, opts VerifyOptions) error
VerifyChain attempts to verify the certificate chain by iterating over the root certificates in the TRC and searching for a valid verification path.
Types ¶
type CAPolicy ¶
type CAPolicy struct {
// Validity defines the validity period of the create AS certificate.
Validity time.Duration
// Certificate is the CA certificate.
Certificate *x509.Certificate
// Signer holds the private key authenticated by the CA certificate.
Signer crypto.Signer
// CurrentTime indicates the signing time. If zero, the current time is
// used.
CurrentTime time.Time
}
CAPolicy defines how AS certificates are generated.
func (CAPolicy) CreateChain ¶
func (ca CAPolicy) CreateChain(csr *x509.CertificateRequest) ([]*x509.Certificate, error)
CreateChain takes the certificate request and creates a certificate chain. The request is assumed to be validated by the caller. The returned chain captures a reference to the CA certificate.
type CertType ¶
type CertType int
CertType describes the type of the SCION certificate.
func ValidateCert ¶
func ValidateCert(c *x509.Certificate) (CertType, error)
ValidateCert validates the SCION certificate, as part of this it will validate that it is of valid type.
type SignedTRC ¶
type SignedTRC struct {
Raw []byte
TRC TRC
SignerInfos []protocol.SignerInfo
}
SignedTRC represents the parsed signed TRC.
func DecodeSignedTRC ¶
DecodeSignedTRC parses the signed TRC.
func (*SignedTRC) Verify ¶
Verify verifies the signatures on a signed TRC. In case of a base TRC, the predecessor must be nil. In case of a non-base TRC, the predecessor must not be nil.
Verifying base TRC: When verifying the base TRC, it is checked that the TRC payload is valid, and that all voting certificates have signed the TRC.
Verifying non-base TRC: When verifying a non-base TRC, it is checked that the TRC payload is valid. Based on the predecessor TRC, the update is classified as regular update, or sensitive update. There are different sets of rules that need to be checked based on the update type.
type TRC ¶
type TRC struct {
// Raw contains the complete ASN.1 DER content.
Raw []byte
// Version is the one-indexed format version. This means, that the
// serialized version 0 is represented as 1. This emulates behavior of the
// go standard library for the x509 certificate version:
// https://golang.org/pkg/crypto/x509/#Certificate
Version int
ID TRCID
Validity Validity
GracePeriod time.Duration
NoTrustReset bool
Votes []int
Quorum int
CoreASes []addr.AS
AuthoritativeASes []addr.AS
Description string
Certificates []*x509.Certificate
}
TRC is the TRC payload.
func DecodeTRC ¶
DecodeTRC parses the payload form ASN.1 DER format. The payload keeps a reference to the input data.
func (*TRC) GracePeriodEnd ¶
GracePeriodEnd indicates the end of the grace period implied by this TRC. In case of a base TRC, the zero value is returned.
func (*TRC) InGracePeriod ¶
InGracePeriod indicates if the provided time is in the grace period of this TRC.
func (*TRC) RootCerts ¶
func (trc *TRC) RootCerts() ([]*x509.Certificate, error)
RootCerts returns all CP root certificates in this TRC.
type Update ¶
type Update struct {
Type UpdateType
// NewVoters lists the sensitive and regular voting certificates that were
// not part of the previous TRC. Either, due to changing an existing
// voter, or, due to adding a new voter to the set.
NewVoters []*x509.Certificate
// Votes lists the sensitive or regular voting certificates that cast a vote
// in the update.
Votes []*x509.Certificate
// RootAcknowledgments lists all the root certificates that need to
// acknowledge a regular TRC update that changes their root certificate.
RootAcknowledgments []*x509.Certificate
}
Update holds metadata about a TRC update.
type UpdateType ¶
type UpdateType int
UpdateType indicates the type of update.
const ( SensitiveUpdate UpdateType RegularUpdate )
Update types.
func (UpdateType) String ¶
func (u UpdateType) String() string
type Validity ¶
Validity indicates the TRC validity.
func (Validity) Contains ¶
Contains indicates whether the provided time is inside the validity period.
type VerifyOptions ¶
VerifyOptions contains parameters for certificate chain verification.
Source Files