Documentation ¶
Index ¶
- Constants
- Variables
- func ExtractIA(dn pkix.Name) (addr.IA, error)
- func ParsePEMCerts(raw []byte) ([]*x509.Certificate, error)
- func ReadPEMCerts(file string) ([]*x509.Certificate, error)
- func SubjectKeyID(pub crypto.PublicKey) ([]byte, error)
- func ValidateChain(certs []*x509.Certificate) error
- func VerifyChain(certs []*x509.Certificate, opts VerifyOptions) error
- type CAPolicy
- type CertType
- type SignedTRC
- type SignedTRCs
- type TRC
- func (pld *TRC) Encode() ([]byte, error)
- func (trc *TRC) GracePeriodEnd() time.Time
- func (trc *TRC) InGracePeriod(now time.Time) bool
- func (trc *TRC) IsZero() bool
- func (trc *TRC) RootCerts() ([]*x509.Certificate, error)
- func (trc *TRC) RootPool() (*x509.CertPool, error)
- func (trc *TRC) Validate() error
- func (trc *TRC) ValidateUpdate(predecessor *TRC) (Update, error)
- type TRCID
- type Update
- type UpdateType
- type Validity
- type VerifyOptions
Constants ¶
// CertVersion is the X.509 certificate version number, 3.
const CertVersion = 3
Variables ¶
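// Extended key usage (EKU) OIDs. The declarations are laid out one per line
// because several specs sharing a single line do not parse as Go.
var (
	// The first three OIDs sit under the private enterprise arc
	// 1.3.6.1.4.1.55324.
	// NOTE(review): by their names they mark sensitive voting, regular voting
	// and root certificates; confirm against the certificate classification
	// code.
	OIDExtKeyUsageSensitive = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 1}
	OIDExtKeyUsageRegular   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 2}
	OIDExtKeyUsageRoot      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 3, 3}

	// The remaining three are the standard PKIX key purpose OIDs from
	// RFC 5280: id-kp-serverAuth, id-kp-clientAuth and id-kp-timeStamping.
	OIDExtKeyUsageServerAuth   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
	OIDExtKeyUsageClientAuth   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	OIDExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
)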
ExtKeyUsage oids.
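// X.509v3 extension OIDs, all under the standard id-ce arc 2.5.29 defined in
// RFC 5280. The declarations are laid out one per line because several specs
// sharing a single line do not parse as Go.
var (
	// OIDExtensionSubjectKeyID is id-ce-subjectKeyIdentifier.
	OIDExtensionSubjectKeyID = asn1.ObjectIdentifier{2, 5, 29, 14}
	// OIDExtensionKeyUsage is id-ce-keyUsage.
	OIDExtensionKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
	// OIDExtensionBasicConstraints is id-ce-basicConstraints.
	OIDExtensionBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
	// OIDExtensionAuthorityKeyID is id-ce-authorityKeyIdentifier.
	OIDExtensionAuthorityKeyID = asn1.ObjectIdentifier{2, 5, 29, 35}
	// OIDExtensionExtendedKeyUsage is id-ce-extKeyUsage.
	OIDExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
)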
X.509v3 extension OIDs.
// Sentinel errors.
// NOTE(review): by their names these relate to TRC ID validation (ISD, base
// number, serial number and the string form); confirm against the callers.
var (
	// ErrWildcardISD indicates a wildcard ISD.
	ErrWildcardISD = serrors.New("wildcard ISD")
	// ErrReservedNumber indicates that the number is reserved.
	ErrReservedNumber = serrors.New("reserved number")
	// ErrSerialBeforeBase indicates that the serial number is smaller than the
	// base number.
	ErrSerialBeforeBase = serrors.New("serial before base")
	// ErrInvalidTRCIDString indicates that the provided string is not a validly
	// formatted TRC ID string.
	ErrInvalidTRCIDString = serrors.New("string is not valid TRC ID")
)
// Sentinel errors describing why a TRC is rejected.
// NOTE(review): which function returns each error is not visible here;
// presumably TRC validation. Confirm against the callers.
var (
	// ErrInvalidTRCVersion indicates an invalid TRC version.
	ErrInvalidTRCVersion = serrors.New("invalid TRC version")
	// ErrInvalidID indicates an invalid TRC ID.
	ErrInvalidID = serrors.New("invalid ID")
	// ErrGracePeriodNonZero indicates the grace period is non-zero in a
	// non-base TRC.
	ErrGracePeriodNonZero = serrors.New("grace period non-zero")
	// ErrVotesOnBaseTRC indicates that there are votes on a base TRC.
	ErrVotesOnBaseTRC = serrors.New("non-empty votes on base TRC")
	// ErrInvalidQuorumSize indicates the quorum size is outside of the [1,255]
	// range.
	ErrInvalidQuorumSize = serrors.New("invalid quorum size")
	// ErrNoASes indicates the ASes sequence is empty in the TRC.
	ErrNoASes = serrors.New("no ASes")
	// ErrWildcardAS indicates a wildcard AS.
	ErrWildcardAS = serrors.New("wildcard AS")
	// ErrDuplicateAS indicates an AS is duplicated in the sequence.
	ErrDuplicateAS = serrors.New("duplicate AS")
	// ErrUnclassifiedCertificate indicates a certificate could not be
	// classified as sensitive voting, regular voting or root.
	ErrUnclassifiedCertificate = serrors.New("unclassified certificate")
	// ErrNotEnoughVoters indicates that the number of voters is smaller than
	// the voting quorum.
	ErrNotEnoughVoters = serrors.New("not enough voters")
	// ErrCertForOtherISD indicates a certificate that is for another ISD.
	ErrCertForOtherISD = serrors.New("certificate for other ISD")
	// ErrDuplicate indicates a duplicate certificate in the TRC.
	ErrDuplicate = serrors.New("duplicate certificate")
	// ErrTRCValidityNotCovered indicates that the TRC validity period is not
	// covered by a certificate.
	ErrTRCValidityNotCovered = serrors.New("TRC validity not covered by certificate")
)
// Sentinel error for certificate type classification.
var (
	// ErrInvalidCertType indicates an invalid certificate type.
	ErrInvalidCertType = serrors.New("invalid certificate type")
)
// ErrInvalidValidityPeriod indicates an invalid validity period: NotAfter lies
// before NotBefore.
var ErrInvalidValidityPeriod = serrors.New("NotAfter before NotBefore")
ErrInvalidValidityPeriod indicates an invalid validity period.
// OIDNameIA is a distinguished name attribute OID under the private enterprise
// arc 1.3.6.1.4.1.55324.
// NOTE(review): by its name this is the attribute holding the ISD-AS that
// ExtractIA reads from a pkix.Name; confirm against ExtractIA.
var OIDNameIA = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55324, 1, 2, 1}
DistinguishedName oids.
// ValidSCIONSignatureAlgs lists the valid SCION signature algorithms. Every
// entry is ECDSA paired with a SHA-2 digest; no RSA or SHA-1 based algorithm
// appears in the list.
var ValidSCIONSignatureAlgs = []x509.SignatureAlgorithm{
	x509.ECDSAWithSHA256,
	x509.ECDSAWithSHA384,
	x509.ECDSAWithSHA512,
}
Valid SCION signature algorithms.
Functions ¶
func ExtractIA ¶
ExtractIA extracts the ISD-AS from the distinguished name. If the ISD-AS number is not present in the distinguished name, an error is returned.
func ParsePEMCerts ¶
func ParsePEMCerts(raw []byte) ([]*x509.Certificate, error)
ParsePEMCerts parses the PEM encoded certificate blocks in raw.
func ReadPEMCerts ¶
func ReadPEMCerts(file string) ([]*x509.Certificate, error)
ReadPEMCerts reads the PEM file and parses the certificate blocks in it. The file must contain only CERTIFICATE blocks.
func SubjectKeyID ¶
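SubjectKeyID computes a subject key identifier for a given public key. The computed ID is the SHA-1 hash of the marshaled public key, following method (1) of https://tools.ietf.org/html/rfc5280#section-4.2.1.2. The hash serves only as an identifier for matching keys and certificates; it is not a signature or an integrity check.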
func ValidateChain ¶
func ValidateChain(certs []*x509.Certificate) error
ValidateChain validates that a slice of SCION certificates can be a valid chain.
func VerifyChain ¶
func VerifyChain(certs []*x509.Certificate, opts VerifyOptions) error
VerifyChain attempts to verify the certificate chain against every TRC included in opts. Success (nil error) is returned if at least one verification succeeds. If all verifications fail, an error containing the details of why each verification failed is returned.
The certificate chain is verified by building a trust root based on the Root Certificates in each TRC, and searching for a valid verification path.
Types ¶
type CAPolicy ¶
// CAPolicy defines how AS certificates are generated. It bundles the CA
// certificate with the signer for the matching private key, so a populated
// value is signing material.
type CAPolicy struct {
	// Validity defines the validity period of the created AS certificate.
	Validity time.Duration
	// Certificate is the CA certificate.
	Certificate *x509.Certificate
	// Signer holds the private key authenticated by the CA certificate.
	Signer crypto.Signer
	// CurrentTime indicates the signing time. If zero, the current time is
	// used.
	CurrentTime time.Time
	// ForceECDSAWithSHA512 forces the CA policy to use ECDSAWithSHA512 as the
	// signature algorithm for signing the issued certificate. This field
	// forces the old behavior extending the acceptable signature algorithms
	// in https://github.com/scionproto/scion/commit/df8565dc97cb6ef7c7925c26f23f3e9954ab2a97.
	//
	// Experimental: This field is experimental and will be subject to change.
	ForceECDSAWithSHA512 bool
}
CAPolicy defines how AS certificates are generated.
func (CAPolicy) CreateChain ¶
func (ca CAPolicy) CreateChain(csr *x509.CertificateRequest) ([]*x509.Certificate, error)
CreateChain takes the certificate request and creates a certificate chain. The request is assumed to have already been validated by the caller, so validating the CSR is the caller's responsibility. The returned chain captures a reference to the CA certificate.
type CertType ¶
// CertType describes the type of the SCION certificate. ValidateCert returns
// a CertType for the certificate it validates.
type CertType int
CertType describes the type of the SCION certificate.
func ValidateCert ¶
func ValidateCert(c *x509.Certificate) (CertType, error)
ValidateCert validates the SCION certificate. As part of this, it checks that the certificate is of a valid type.
type SignedTRC ¶
// SignedTRC represents the parsed signed TRC.
type SignedTRC struct {
	// Raw is a byte slice associated with the signed TRC.
	// NOTE(review): presumably the encoded signed TRC as passed to
	// DecodeSignedTRC; confirm.
	Raw []byte
	// TRC is the TRC payload.
	TRC TRC
	// SignerInfos holds the protocol.SignerInfo entries of the signed TRC.
	// NOTE(review): presumably one entry per signature that Verify checks;
	// confirm.
	SignerInfos []protocol.SignerInfo
}
SignedTRC represents the parsed signed TRC.
func DecodeSignedTRC ¶
DecodeSignedTRC parses the signed TRC.
func (*SignedTRC) Verify ¶
Verify verifies the signatures on a signed TRC. In case of a base TRC, the predecessor must be nil. In case of a non-base TRC, the predecessor must not be nil.
Verifying base TRC: When verifying the base TRC, it is checked that the TRC payload is valid, and that all voting certificates have signed the TRC.
Verifying non-base TRC: When verifying a non-base TRC, it is checked that the TRC payload is valid. Based on the predecessor TRC, the update is classified as regular update, or sensitive update. There are different sets of rules that need to be checked based on the update type.
type SignedTRCs ¶
// SignedTRCs represents a list of parsed signed TRCs. The type provides Less
// and Swap methods for ordering its elements.
type SignedTRCs []SignedTRC
SignedTRCs represents a list of parsed signed TRCs.
func (SignedTRCs) Less ¶
func (t SignedTRCs) Less(i, j int) bool
Less reports whether SignedTRC[i] is less than SignedTRC[j], based on isd > base > serial (ISD is compared first, then base, then serial).
func (SignedTRCs) Swap ¶
func (t SignedTRCs) Swap(i, j int)
Swap swaps the two elements of SignedTRCs
type TRC ¶
// TRC is the TRC payload.
type TRC struct {
	// Raw contains the complete ASN.1 DER content.
	Raw []byte
	// Version is the one-indexed format version. This means that the
	// serialized version 0 is represented as 1. This emulates the behavior of
	// the Go standard library for the x509 certificate version:
	// https://golang.org/pkg/crypto/x509/#Certificate
	Version int
	// ID identifies this TRC.
	ID TRCID
	// Validity indicates the TRC validity.
	Validity Validity
	// GracePeriod is a duration; GracePeriodEnd and InGracePeriod are derived
	// from this TRC.
	// NOTE(review): exactly how the grace period relates to the predecessor
	// TRC is not visible here; confirm.
	GracePeriod time.Duration
	// NoTrustReset is a boolean flag of the payload.
	// NOTE(review): presumably forbids a trust reset for the ISD; confirm.
	NoTrustReset bool
	// Votes is a list of integers.
	// NOTE(review): presumably indices of the voting certificates in the
	// predecessor TRC; ErrVotesOnBaseTRC shows it must be empty on a base TRC.
	Votes []int
	// Quorum is the voting quorum size. ErrInvalidQuorumSize documents the
	// permitted range as [1,255].
	Quorum int
	// CoreASes and AuthoritativeASes are AS sequences of the TRC.
	CoreASes          []addr.AS
	AuthoritativeASes []addr.AS
	// Description is a free-form string.
	Description string
	// Certificates are the certificates carried in the TRC. RootCerts returns
	// the CP root certificates among them.
	Certificates []*x509.Certificate
}
TRC is the TRC payload.
func DecodeTRC ¶
DecodeTRC parses the payload from ASN.1 DER format. The payload keeps a reference to the input data, so callers should not modify the input afterwards.
func (*TRC) GracePeriodEnd ¶
GracePeriodEnd indicates the end of the grace period implied by this TRC. In case of a base TRC, the zero value is returned.
func (*TRC) InGracePeriod ¶
InGracePeriod indicates if the provided time is in the grace period of this TRC.
func (*TRC) RootCerts ¶
func (trc *TRC) RootCerts() ([]*x509.Certificate, error)
RootCerts returns all CP root certificates in this TRC.
type TRCID ¶
TRCID identifies a TRC.
func TRCIDFromString ¶
TRCIDFromString creates new TRCID from the provided string. TRCID string must be in format `ISD%d-B%d-S%d`.
type Update ¶
// Update holds metadata about a TRC update. ValidateUpdate returns an Update
// for a TRC checked against its predecessor.
type Update struct {
	// Type is the kind of update (see UpdateType).
	Type UpdateType
	// NewVoters lists the sensitive and regular voting certificates that were
	// not part of the previous TRC, either because an existing voter was
	// changed or because a new voter was added to the set.
	NewVoters []*x509.Certificate
	// Votes lists the sensitive or regular voting certificates that cast a vote
	// in the update.
	Votes []*x509.Certificate
	// RootAcknowledgments lists all the root certificates that need to
	// acknowledge a regular TRC update that changes their root certificate.
	RootAcknowledgments []*x509.Certificate
}
Update holds metadata about a TRC update.
type UpdateType ¶
// UpdateType indicates the type of update. The exported values are
// SensitiveUpdate and RegularUpdate.
type UpdateType int
UpdateType indicates the type of update.
// Update types.
// NOTE(review): this rendering shows no initializer for the first constant,
// so the numeric values are not visible here; do not rely on specific numbers
// without checking the source.
const (
	SensitiveUpdate UpdateType
	RegularUpdate
)
Update types.
func (UpdateType) String ¶
func (u UpdateType) String() string
type Validity ¶
Validity indicates the TRC validity.
func (Validity) Contains ¶
Contains indicates whether the provided time is inside the validity period.
type VerifyOptions ¶
VerifyOptions contains parameters for certificate chain verification.