renewal

package
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 16, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ExtractChain 

func ExtractChain(sd *protocol.SignedData) ([]*x509.Certificate, error)

func NewChainRenewalRequest 

func NewChainRenewalRequest(ctx context.Context, csr []byte,
	signer trust.Signer) (*cppb.ChainRenewalRequest, error)

NewChainRenewalRequest builds a ChainRenewalRequest given a serialized CSR and a signer enveloped in a CMS SignedData.

Types

type CACertLoader 

type CACertLoader struct {
	IA  addr.IA
	Dir string
	DB  trust.DB
}

CACertLoader loads CA certificates from disk.

func (CACertLoader) CACerts 

func (l CACertLoader) CACerts(ctx context.Context) ([]*x509.Certificate, error)

CACerts returns a list of CA certificates from disk that are verifiable with an active TRC.

type CACertProvider 

type CACertProvider interface {
	// CACerts returns a list of CA certificates that are verifiable with an
	// active TRC.
	CACerts(ctx context.Context) ([]*x509.Certificate, error)
}

CACertProvider provides verifiable CA certificates.

type CachingPolicyGen 

type CachingPolicyGen struct {
	PolicyGen PolicyGen
	Interval  time.Duration

	CAActive        metrics.Gauge
	LastGeneratedCA metrics.Gauge
	ExpirationCA    metrics.Gauge
	// contains filtered or unexported fields
}

CachingPolicyGen is a PolicyGen that can cache the previously generated CASigner for some time.

func (*CachingPolicyGen) Generate 

func (s *CachingPolicyGen) Generate(ctx context.Context) (cppki.CAPolicy, error)

Generate generates a CAPolicy using the PolicyGen or returns the cached CAPolicy.

type ChainBuilder 

type ChainBuilder struct {
	PolicyGen    PolicyGen
	SignedChains func(string) metrics.Counter
}

ChainBuilder creates a certificate chain with the generated policy.

func (ChainBuilder) CreateChain 

func (c ChainBuilder) CreateChain(ctx context.Context,
	csr *x509.CertificateRequest) ([]*x509.Certificate, error)

CreateChain creates a certificate chain with the latest available CA policy.

type LoadingPolicyGen 

type LoadingPolicyGen struct {
	Validity     time.Duration
	KeyRing      trust.KeyRing
	CertProvider CACertProvider

	CASigners func(string) metrics.Counter

	// ForceECDSAWithSHA512 forces the CA policy to use ECDSAWithSHA512 as the
	// signature algorithm for signing the issued certificate. This field
	// forces the old behavior extending the acceptable signature algorithms
	// in https://github.com/scionproto/scion/commit/df8565dc97cb6ef7c7925c26f23f3e9954ab2a97.
	//
	// Experimental: This field is experimental and will be subject to change.
	ForceECDSAWithSHA512 bool
}

LoadingPolicyGen generates a CAPolicy from the keys and certificates available on the file system.

func (LoadingPolicyGen) Generate 

func (l LoadingPolicyGen) Generate(ctx context.Context) (cppki.CAPolicy, error)

Generate fetches private keys from the key ring and searches active CA certificates that authenticate the corresponding public key. The returned policy uses the private which is backed by the CA certificate with the highest expiration time.

type Metrics added in v0.9.0 

type Metrics struct {
	// CAActive describes whether the CA signer is active and can sign
	// certificate chains.
	CAActive metrics.Gauge
	// CASigners tracks the number of generated CA signers that sign certificate
	// chains.
	CASigners func(string) metrics.Counter
	// SignedChains tracks the number of certificate chains signed, labeled by
	// the status of the signing.
	SignedChains func(string) metrics.Counter
	// LastGeneratedCA exports the last time a signer for creating AS
	// certificates was successfully generated.
	LastGeneratedCA metrics.Gauge
	// ExpirationCA exports the expiration time of the current CA signer.
	ExpirationCA metrics.Gauge
}

type PolicyGen 

type PolicyGen interface {
	Generate(context.Context) (cppki.CAPolicy, error)
}

PolicyGen generates a new CA policy.

type RequestVerifier 

type RequestVerifier struct {
	TRCFetcher TRCFetcher
}

func (RequestVerifier) VerifyCMSSignedRenewalRequest 

func (r RequestVerifier) VerifyCMSSignedRenewalRequest(ctx context.Context,
	req []byte) (*x509.CertificateRequest, error)

VerifyCMSSignedRenewalRequest verifies a renewal request that is encapsulated in a CMS envelop. It checks that the contained CSR is valid and correctly self-signed, and that the signature is valid and can be verified by the chain included in the CMS envelop.

func (RequestVerifier) VerifySignature 

func (r RequestVerifier) VerifySignature(
	ctx context.Context,
	sd *protocol.SignedData,
	chain []*x509.Certificate,
) error

VerifySignature verifies the signature on the signed data with the provided chain. It is checked that the certificate chain is verifiable with an active TRC, and that the signature can be verified with the chain.

type TRCFetcher 

type TRCFetcher interface {
	// SignedTRC fetches the signed TRC for a given ID.
	// The latest TRC can be requested by setting the serial and base number
	// to scrypto.LatestVer.
	SignedTRC(ctx context.Context, id cppki.TRCID) (cppki.SignedTRC, error)
}

Source Files

View all Source files

Directories

Path Synopsis
mock_grpc
Package mock_grpc is a generated GoMock package.
 Package mock_grpc is a generated GoMock package.
Package mock_renewal is a generated GoMock package.
 Package mock_renewal is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.