Documentation ¶
Index ¶
- Variables
- type ASLocalRecurser
- type Attribute
- type AuthRouter
- type CachingInspector
- type ChainQuery
- type DB
- type DBInspector
- type Engine
- type Fetcher
- type FetchingProvider
- func (p FetchingProvider) GetChains(ctx context.Context, query ChainQuery, opts ...Option) ([][]*x509.Certificate, error)
- func (p FetchingProvider) GetSignedTRC(ctx context.Context, id cppki.TRCID, opts ...Option) (cppki.SignedTRC, error)
- func (p FetchingProvider) NotifyTRC(ctx context.Context, id cppki.TRCID, opts ...Option) error
- type Inspector
- type KeyRing
- type LoadResult
- type LocalOnlyRecurser
- type LocalRouter
- type Option
- type Provider
- type Recurser
- type Router
- type Signer
- type SignerGen
- type TLSCryptoManager
- type Verifier
- type X509KeyPairLoader
Constants ¶
This section is empty.
Variables ¶
var ( // ErrAlreadyExists indicates a file is ignored because the contents have // already been loaded previously. ErrAlreadyExists = serrors.New("already exists") // ErrOutsideValidity indicates a file is ignored because the current time // is outside of the certificates validity period. ErrOutsideValidity = serrors.New("outside validity") )
var ErrRecursionNotAllowed = serrors.New("recursion not allowed")
ErrRecursionNotAllowed indicates that recursion is not allowed.
Functions ¶
This section is empty.
Types ¶
type ASLocalRecurser ¶
ASLocalRecurser allows AS local addresses to start recursive requests.
func (ASLocalRecurser) AllowRecursion ¶
func (r ASLocalRecurser) AllowRecursion(peer net.Addr) error
AllowRecursion returns an error if address is not part of the local AS (or if the check cannot be made).
type Attribute ¶
type Attribute int
Attribute indicates the capability of a primary AS.
type AuthRouter ¶
AuthRouter routes requests for missing crypto material to the authoritative ASes of the appropriate ISD.
TODO(roosd): Add implementation of snet.Router that routes to authoritative AS.
func (AuthRouter) ChooseServer ¶
ChooseServer builds a CS address for crypto with the subject in a given ISD.
- a local authoritative CS if subject is ISD-local.
- a local authoritative CS if subject is in remote ISD, but no active TRC is available.
- a remote authoritative CS otherwise.
type CachingInspector ¶
type CachingInspector struct { Inspector Inspector // Cache keeps track of recently used certificates. If nil no cache is used. // This API is experimental. Cache *cache.Cache CacheHits libmetrics.Counter MaxCacheExpiration time.Duration }
CachingInspector caches the results for a certain amount of time.
func (CachingInspector) ByAttributes ¶
func (i CachingInspector) ByAttributes(ctx context.Context, isd addr.ISD, attrs Attribute) ([]addr.IA, error)
ByAttributes returns a list of primary ASes in the specified ISD that hold all the requested attributes. If no attribute is specified, all primary ASes are returned.
func (CachingInspector) HasAttributes ¶
func (i CachingInspector) HasAttributes(ctx context.Context, ia addr.IA, attrs Attribute) (bool, error)
HasAttributes indicates whether an AS holds all the specified attributes. The first return value is always false for non-primary ASes.
type ChainQuery ¶
type ChainQuery struct { // IA is the ISD-AS identifier that must be part of the AS certificate's // subject. IA addr.IA // SubjectKeyID identifies the subject key that the AS certificate must // authenticate. SubjectKeyID []byte // Date is the time when the chain must be valid. Date time.Time }
ChainQuery identifies a set of chains that need to be looked up.
func (ChainQuery) MarshalJSON ¶
func (q ChainQuery) MarshalJSON() ([]byte, error)
MarshalJSON marshals the chain query for well formated log output.
type DB ¶
type DB interface { // Chains looks up all chains that match the query. Chains(context.Context, ChainQuery) ([][]*x509.Certificate, error) // InsertChain inserts the given chain. InsertChain(context.Context, []*x509.Certificate) (bool, error) // SignedTRC looks up the TRC identified by the id. SignedTRC(ctx context.Context, id cppki.TRCID) (cppki.SignedTRC, error) // InsertTRC inserts the given TRC. Returns true if the TRC was not yet in // the DB. InsertTRC(ctx context.Context, trc cppki.SignedTRC) (bool, error) }
DB is the database interface for trust material.
type DBInspector ¶
type DBInspector struct {
DB DB
}
DBInspector gives insight about primary ASes of a given ISD based on the TRC that is stored in the DB.
func (DBInspector) ByAttributes ¶
func (i DBInspector) ByAttributes(ctx context.Context, isd addr.ISD, attrs Attribute) ([]addr.IA, error)
ByAttributes returns a list of primary ASes in the specified ISD that hold all the requested attributes. If no attribute is specified, all primary ASes are returned.
func (DBInspector) HasAttributes ¶
func (i DBInspector) HasAttributes( ctx context.Context, ia addr.IA, attrs Attribute, ) (bool, error)
HasAttributes indicates whether an AS holds all the specified attributes. The first return value is always false for non-primary ASes.
type Engine ¶
type Engine struct { // Inspector determines the attributes of an AS inside its ISD. Inspector // Provider provides verified crypto material. Provider DB DB }
Engine keeps the SCION control-plane going.
The engines is in charge of verifying control-plane messages based on the control-plane PKI. To that end, the engine keeps track of crypto material, such as CP certificates and TRCs, and resolves them where appropriate.
The engine is composed of multiple parts, each with its own set of responsibilities.
type Fetcher ¶
type Fetcher interface { // Chains fetches certificate chains that match the query from the remote. Chains(ctx context.Context, req ChainQuery, server net.Addr) ([][]*x509.Certificate, error) // TRC fetches a specific TRC from the remote. TRC(ctx context.Context, id cppki.TRCID, server net.Addr) (cppki.SignedTRC, error) }
Fetcher fetches trust material from a remote.
type FetchingProvider ¶
FetchingProvider provides crypto material. The fetching provider is capable of fetching missing crypto material over the network.
func (FetchingProvider) GetChains ¶
func (p FetchingProvider) GetChains(ctx context.Context, query ChainQuery, opts ...Option) ([][]*x509.Certificate, error)
GetChains returns certificate chains that match the chain query. If no chain is locally available, they are resolved over the network.
By default, this only returns chains that are verifiable against the currently active TRCs, even if the the query date is set to a value in the past. To allow chains that are no longer verifiable using the active TRC, but that were verifiable in the past, set the AllowInactive option.
Currently, there is no use case for fetching inactive certificate chains from a remote and verifying them against a no-longer active TRC. For simplicity, this feature is not implemented. Thus, certificate chains that are fetched over the network that are not verifiable against the active TRCs are ignored, even if the AllowInactive option is set.
func (FetchingProvider) GetSignedTRC ¶
func (p FetchingProvider) GetSignedTRC(ctx context.Context, id cppki.TRCID, opts ...Option) (cppki.SignedTRC, error)
GetSignedTRC returns the signed TRC. Currently, this method only uses the DB and doesn't recurse over the network. TODO(lukedirtwalker): add recursing functionality.
type Inspector ¶
type Inspector interface { // ByAttributes returns a list of primary ASes in the specified ISD that // hold all the requested attributes. If no attribute is specified, all // primary ASes are returned. ByAttributes(ctx context.Context, isd addr.ISD, attrs Attribute) ([]addr.IA, error) // HasAttributes indicates whether an AS holds all the specified attributes. // The first return value is always false for non-primary ASes. HasAttributes(ctx context.Context, ia addr.IA, attrs Attribute) (bool, error) }
Inspector gives insights into the primary ASes of a given ISD.
A primary AS is an AS that holds one of the following attributes:
- authoritative
- core
- root CA
type LoadResult ¶
LoadResult indicates which files were loaded, which files were ignored.
func LoadChains ¶
LoadChains loads all *.pem files located in a directory in the database after validating first that each one is a valid CP certificate chains. All *.pem files that are not valid chains are ignored.
type LocalOnlyRecurser ¶
type LocalOnlyRecurser struct{}
LocalOnlyRecurser returns an error if the address is not nil.
func (LocalOnlyRecurser) AllowRecursion ¶
func (r LocalOnlyRecurser) AllowRecursion(peer net.Addr) error
AllowRecursion returns an error if the address is not nil.
type LocalRouter ¶
LocalRouter routes requests to the local CS.
func (LocalRouter) ChooseServer ¶
ChooseServer always routes to the local CS.
type Option ¶
type Option func(o *options)
Option is a function that sets an option.
func AllowInactive ¶
func AllowInactive() Option
AllowInactive allows chains that are verifiable with TRCs that are no longer active.
type Provider ¶
type Provider interface { // NotifyTRC notifies a provider of the existence of a TRC. When a signature // metadata is received that contains base and serial number, this method // should be invoked. NotifyTRC(context.Context, cppki.TRCID, ...Option) error // GetChains returns certificate chains that match the chain query. If no // chain is locally available, the provider can resolve them over the // network. By default, the provider only returns certificate chains that // are verifiable with the currently active TRCs. To configure the behavior, // options can be provided. GetChains(context.Context, ChainQuery, ...Option) ([][]*x509.Certificate, error) // GetSignedTRC returns the TRC with the given ID. If the TRC is not // available, the provider can resolve it over the network. GetSignedTRC(context.Context, cppki.TRCID, ...Option) (cppki.SignedTRC, error) }
Provider provides crypto material. A crypto provider can spawn network requests if necessary and permitted.
type Recurser ¶
type Recurser interface { // AllowRecursion indicates whether the recursion is allowed for the // provided Peer. Recursions started by the local trust store have a nil // address and should generally be allowed. The nil value indicates // recursion is allowed. Non-nil return values indicate that recursion is // not allowed and specify the reason. AllowRecursion(peer net.Addr) error }
Recurser decides whether a recursive request is permitted for a given peer. For infra services use either ASLocalRecurser or LocalOnlyRecurser.
type Router ¶
type Router interface { // ChooseServer determines the remote server for trust material with the // subject in the provided ISD. ChooseServer(ctx context.Context, subjectISD addr.ISD) (net.Addr, error) }
Router builds the CS address for crypto material with the subject in a given ISD.
type Signer ¶
type Signer struct { PrivateKey crypto.Signer Algorithm signed.SignatureAlgorithm IA addr.IA Subject pkix.Name Chain []*x509.Certificate SubjectKeyID []byte Expiration time.Time TRCID cppki.TRCID ChainValidity cppki.Validity InGrace bool }
Signer is used to sign control plane messages with the AS private key.
func (Signer) Sign ¶
func (s Signer) Sign(ctx context.Context, msg []byte, associatedData ...[]byte) (*cryptopb.SignedMessage, error)
Sign signs the message with the associated data and returns a SignedMessage protobuf payload. The associated data is not included in the header or body of the signed message.
type SignerGen ¶
type SignerGen struct { IA addr.IA KeyRing KeyRing DB DB // FIXME(roosd): Eventually this should use a crypto provider }
SignerGen generates signers from the keys available in key dir.
type TLSCryptoManager ¶
type TLSCryptoManager struct { Loader X509KeyPairLoader DB DB Timeout time.Duration }
TLSCryptoManager implements callbacks which will be called during TLS handshake.
func NewTLSCryptoManager ¶
func NewTLSCryptoManager(loader X509KeyPairLoader, db DB) *TLSCryptoManager
NewTLSCryptoManager returns a new instance with the defaultTimeout.
func (*TLSCryptoManager) GetCertificate ¶
func (m *TLSCryptoManager) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate retrieves a certificate to be presented during TLS handshake.
func (*TLSCryptoManager) GetClientCertificate ¶
func (m *TLSCryptoManager) GetClientCertificate(_ *tls.CertificateRequestInfo) (*tls.Certificate, error)
GetClientCertificate retrieves a client certificate to be presented during TLS handshake.
func (*TLSCryptoManager) VerifyPeerCertificate ¶
func (m *TLSCryptoManager) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error
VerifyPeerCertificate verifies the certificate presented by the peer during TLS handshake, based on the TRC.
type Verifier ¶
type Verifier struct { // BoundIA when non-zero makes sure that only a signature originated from that IA // can be valid. BoundIA addr.IA // BoundServer binds a remote server to ask for missing crypto material. BoundServer net.Addr // Engine provides verified certificate chains. Engine Provider // Cache keeps track of recently used certificates. If nil no cache is used. // This API is experimental. Cache *cache.Cache CacheHits libmetrics.Counter MaxCacheExpiration time.Duration }
Verifier is used to verify control plane messages using the AS cert stored in the database.
type X509KeyPairLoader ¶
type X509KeyPairLoader interface {
LoadX509KeyPair() (*tls.Certificate, error)
}
X509KeyPairLoader provides a certificate to be presented during TLS handshake.