cppki

package
v0.7.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 12, 2022 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// CertVersion is the x509 certificate version number 3.
	CertVersion = 3
)

Variables

View Source
var (
	OIDExtKeyUsageSensitive = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 1}
	OIDExtKeyUsageRegular   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 2}
	OIDExtKeyUsageRoot      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 3}

	OIDExtKeyUsageServerAuth   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
	OIDExtKeyUsageClientAuth   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	OIDExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
)

ExtKeyUsage oids.

View Source
var (
	OIDExtensionSubjectKeyID     = asn1.ObjectIdentifier{2, 5, 29, 14}
	OIDExtensionKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	OIDExtensionBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
	OIDExtensionAuthorityKeyID   = asn1.ObjectIdentifier{2, 5, 29, 35}
	OIDExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
)

x.509v3 extension oids.

View Source
var (
	// ErrWildcardISD indicates a wildcard ISD.
	ErrWildcardISD = serrors.New("wildcard ISD")
	// ErrReservedNumber indicates that the number is reserved.
	ErrReservedNumber = serrors.New("reserved number")
	// ErrSerialBeforeBase indicates that the serial number is smaller than the
	// base number.
	ErrSerialBeforeBase = serrors.New("serial before base")
	// ErrInvalidTRCIDString indicates that provided string in not valid TRC ID formatted string.
	ErrInvalidTRCIDString = serrors.New("string is not valid TRC ID")
)
View Source
var (
	// ErrInvalidTRCVersion indicates an invalid TRC version.
	ErrInvalidTRCVersion = serrors.New("invalid TRC version")
	// ErrInvalidID indicates an invalid TRC ID.
	ErrInvalidID = serrors.New("invalid ID")
	// ErrGracePeriodNonZero indicates the grace period is non-zero in a
	// non-base TRC.
	ErrGracePeriodNonZero = serrors.New("grace period non-zero")
	// ErrVotesOnBaseTRC indicates that there are votes on a base TRC.
	ErrVotesOnBaseTRC = serrors.New("non-empty votes on base TRC")
	// ErrInvalidQuorumSize indicates the quorum size is outside of the [1,255]
	// range.
	ErrInvalidQuorumSize = serrors.New("invalid quorum size")
	// ErrNoASes indicates the ASes sequence is empty in the TRC.
	ErrNoASes = serrors.New("no ASes")
	// ErrWildcardAS indicates a wildcard AS.
	ErrWildcardAS = serrors.New("wildcard AS")
	// ErrDuplicateAS indicates an AS is duplicated in the sequence.
	ErrDuplicateAS = serrors.New("duplicate AS")
	// ErrUnclassifiedCertificate indicates a certificate could not be
	// classified as neither sensitive voting, regular voting nor root.
	ErrUnclassifiedCertificate = serrors.New("unclassified certificate")
	// ErrNotEnoughVoters indicates that the number of voters is smaller than
	// the voting quorum.
	ErrNotEnoughVoters = serrors.New("not enough voters")
	// ErrCertForOtherISD indicates a certificate that is for another ISD.
	ErrCertForOtherISD = serrors.New("certificate for other ISD")
	// ErrDuplicate indicates a duplicate certificate in the TRC.
	ErrDuplicate = serrors.New("duplicate certificate")
	// ErrTRCValidityNotCovered indicates that the TRC validity period is not
	// covered by a certificate.
	ErrTRCValidityNotCovered = serrors.New("TRC validity not covered by certificate")
)
View Source
var (
	// ErrInvalidCertType indicates an invalid certificate type.
	ErrInvalidCertType = serrors.New("invalid certificate type")
)
View Source
var ErrInvalidValidityPeriod = serrors.New("NotAfter before NotBefore")

ErrInvalidValidityPeriod indicates an invalid validity period.

View Source
var (
	OIDNameIA = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 2, 1}
)

DistinguishedName oids.

Valid SCION signatures

Functions

func ExtractIA

func ExtractIA(dn pkix.Name) (addr.IA, error)

ExtractIA extracts the ISD-AS from the distinguished name. If the ISD-AS number is not present in the distinguished name, an error is returned.

func ParsePEMCerts added in v0.7.0

func ParsePEMCerts(raw []byte) ([]*x509.Certificate, error)

ParsePEMCerts parses the PEM encoded certificate blocks in raw.

func ReadPEMCerts

func ReadPEMCerts(file string) ([]*x509.Certificate, error)

ReadPEMCerts reads the PEM file and parses the certificate blocks in it. Only PEM files with only CERTIFICATE blocks are allowed.

func SubjectKeyID

func SubjectKeyID(pub crypto.PublicKey) ([]byte, error)

SubjectKeyID computes a subject key identifier for a given public key. The computed ID is the SHA-1 hash of the marshaled public key according to https://tools.ietf.org/html/rfc5280#section-4.2.1.2 (1)

func ValidateChain

func ValidateChain(certs []*x509.Certificate) error

ValidateChain validates that a slice of SCION certificates can be a valid chain.

func VerifyChain

func VerifyChain(certs []*x509.Certificate, opts VerifyOptions) error

VerifyChain attempts to verify the certificate chain against every TRC included in opts. Success (nil error) is returned if at least one verification succeeds. If all verifications fail, an error containing the details of why each verification failed is returned.

The certificate chain is verified by building a trust root based on the Root Certificates in each TRC, and searching for a valid verification path.

Types

type CAPolicy

type CAPolicy struct {
	// Validity defines the validity period of the create AS certificate.
	Validity time.Duration
	// Certificate is the CA certificate.
	Certificate *x509.Certificate
	// Signer holds the private key authenticated by the CA certificate.
	Signer crypto.Signer
	// CurrentTime indicates the signing time. If zero, the current time is
	// used.
	CurrentTime time.Time

	// ForceECDSAWithSHA512 forces the CA policy to use ECDSAWithSHA512 as the
	// signature algorithm for signing the issued certificate. This field
	// forces the old behavior extending the acceptable signature algorithms
	// in https://github.com/scionproto/scion/commit/df8565dc97cb6ef7c7925c26f23f3e9954ab2a97.
	//
	// Experimental: This field is experimental and will be subject to change.
	ForceECDSAWithSHA512 bool
}

CAPolicy defines how AS certificates are generated.

func (CAPolicy) CreateChain

func (ca CAPolicy) CreateChain(csr *x509.CertificateRequest) ([]*x509.Certificate, error)

CreateChain takes the certificate request and creates a certificate chain. The request is assumed to be validated by the caller. The returned chain captures a reference to the CA certificate.

func (CAPolicy) Equal

func (ca CAPolicy) Equal(o CAPolicy) bool

type CertType

type CertType int

CertType describes the type of the SCION certificate.

const (
	Invalid CertType = iota
	Sensitive
	Regular
	Root
	CA
	AS
)

Valid SCION certificate types

func ValidateCert

func ValidateCert(c *x509.Certificate) (CertType, error)

ValidateCert validates the SCION certificate, as part of this it will validate that it is of valid type.

func (CertType) String

func (ct CertType) String() string

type SignedTRC

type SignedTRC struct {
	Raw         []byte
	TRC         TRC
	SignerInfos []protocol.SignerInfo
}

SignedTRC represents the parsed signed TRC.

func DecodeSignedTRC

func DecodeSignedTRC(raw []byte) (SignedTRC, error)

DecodeSignedTRC parses the signed TRC.

func (*SignedTRC) Encode

func (s *SignedTRC) Encode() ([]byte, error)

Encode encodes the signed TRC as CMS signed message in ASN.1 DER format.

func (*SignedTRC) IsZero

func (s *SignedTRC) IsZero() bool

IsZero reports whether this TRC is empty.

func (*SignedTRC) Verify

func (s *SignedTRC) Verify(predecessor *TRC) error

Verify verifies the signatures on a signed TRC. In case of a base TRC, the predecessor must be nil. In case of a non-base TRC, the predecessor must not be nil.

Verifying base TRC: When verifying the base TRC, it is checked that the TRC payload is valid, and that all voting certificates have signed the TRC.

Verifying non-base TRC: When verifying a non-base TRC, it is checked that the TRC payload is valid. Based on the predecessor TRC, the update is classified as regular update, or sensitive update. There are different sets of rules that need to be checked based on the update type.

type SignedTRCs added in v0.7.0

type SignedTRCs []SignedTRC

SignedTRCs represents a list of parsed signed TRC.

func (SignedTRCs) Len added in v0.7.0

func (t SignedTRCs) Len() int

Len returns the number of SignedTRCs.

func (SignedTRCs) Less added in v0.7.0

func (t SignedTRCs) Less(i, j int) bool

Less returns if SignedTRC[i] is less than SignedTRC[j] based on isd > base > serial

func (SignedTRCs) Swap added in v0.7.0

func (t SignedTRCs) Swap(i, j int)

Swap swaps the two elements of SignedTRCs

type TRC

type TRC struct {
	// Raw contains the complete ASN.1 DER content.
	Raw []byte
	// Version is the one-indexed format version. This means, that the
	// serialized version 0 is represented as 1. This emulates behavior of the
	// go standard library for the x509 certificate version:
	// https://golang.org/pkg/crypto/x509/#Certificate
	Version           int
	ID                TRCID
	Validity          Validity
	GracePeriod       time.Duration
	NoTrustReset      bool
	Votes             []int
	Quorum            int
	CoreASes          []addr.AS
	AuthoritativeASes []addr.AS
	Description       string
	Certificates      []*x509.Certificate
}

TRC is the TRC payload.

func DecodeTRC

func DecodeTRC(raw []byte) (TRC, error)

DecodeTRC parses the payload form ASN.1 DER format. The payload keeps a reference to the input data.

func (*TRC) Encode

func (pld *TRC) Encode() ([]byte, error)

Encode encodes the payload in ASN.1 DER format.

func (*TRC) GracePeriodEnd

func (trc *TRC) GracePeriodEnd() time.Time

GracePeriodEnd indicates the end of the grace period implied by this TRC. In case of a base TRC, the zero value is returned.

func (*TRC) InGracePeriod

func (trc *TRC) InGracePeriod(now time.Time) bool

InGracePeriod indicates if the provided time is in the grace period of this TRC.

func (*TRC) IsZero

func (trc *TRC) IsZero() bool

IsZero reports whether this TRC represents the zero value.

func (*TRC) RootCerts

func (trc *TRC) RootCerts() ([]*x509.Certificate, error)

RootCerts returns all CP root certificates in this TRC.

func (*TRC) RootPool

func (trc *TRC) RootPool() (*x509.CertPool, error)

RootPool extracts all CP root certificates in this TRC as a CertPool.

func (*TRC) Validate

func (trc *TRC) Validate() error

Validate validates the payload. This does not include validation of TRC update restrictions.

func (*TRC) ValidateUpdate

func (trc *TRC) ValidateUpdate(predecessor *TRC) (Update, error)

ValidateUpdate validates if this TRC is a valid successor TRC to the provided predecessor.

type TRCID

type TRCID struct {
	ISD    addr.ISD
	Serial scrypto.Version
	Base   scrypto.Version
}

TRCID identifies a TRC.

func TRCIDFromString added in v0.7.0

func TRCIDFromString(idStr string) (TRCID, error)

TRCIDFromString creates new TRCID from the provided string. TRCID string must be in format `ISD%d-B%d-S%d`.

func (TRCID) IsBase

func (id TRCID) IsBase() bool

IsBase indicates if this is a base TRC.

func (TRCID) String

func (id TRCID) String() string

func (TRCID) Validate

func (id TRCID) Validate() error

Validate validates the TRC ID.

type Update

type Update struct {
	Type UpdateType
	// NewVoters lists the sensitive and regular voting certificates that were
	// not part of the previous TRC. Either, due to changing an existing
	// voter, or, due to adding a new voter to the set.
	NewVoters []*x509.Certificate
	// Votes lists the sensitive or regular voting certificates that cast a vote
	// in the update.
	Votes []*x509.Certificate
	// RootAcknowledgments lists all the root certificates that need to
	// acknowledge a regular TRC update that changes their root certificate.
	RootAcknowledgments []*x509.Certificate
}

Update holds metadata about a TRC update.

type UpdateType

type UpdateType int

UpdateType indicates the type of update.

const (
	SensitiveUpdate UpdateType
	RegularUpdate
)

Update types.

func (UpdateType) String

func (u UpdateType) String() string

type Validity

type Validity struct {
	NotBefore time.Time
	NotAfter  time.Time
}

Validity indicates the TRC validity.

func (Validity) Contains

func (v Validity) Contains(t time.Time) bool

Contains indicates whether the provided time is inside the validity period.

func (Validity) Covers

func (v Validity) Covers(other Validity) bool

Covers indicates whether the other validity is covered by this validity.

func (Validity) Validate

func (v Validity) Validate() error

Validate checks that NotAfter is after NotBefore.

type VerifyOptions

type VerifyOptions struct {
	TRC         []*TRC
	CurrentTime time.Time // if zero, the current time is used
}

VerifyOptions contains parameters for certificate chain verification.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL