Documentation ¶
Index ¶
- Variables
- func IsExpired(t time.Time) bool
- func RegisterVerifier(algorithm data.SigAlgorithm, v Verifier)
- func Sign(service CryptoService, s *data.Signed, signingKeys []data.PublicKey, ...) error
- func VerifyExpiry(s *data.SignedCommon, role string) error
- func VerifySignature(msg []byte, sig data.Signature, pk data.PublicKey) error
- func VerifySignatures(s *data.Signed, roleData data.BaseRole) error
- func VerifyVersion(s *data.SignedCommon, minVersion int) error
- type CryptoService
- type ECDSAVerifier
- type Ed25519
- func (e *Ed25519) AddKey(role, gun string, k data.PrivateKey) error
- func (e *Ed25519) Create(role, gun, algorithm string) (data.PublicKey, error)
- func (e *Ed25519) GetKey(keyID string) data.PublicKey
- func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, string, error)
- func (e *Ed25519) ListAllKeys() map[string]string
- func (e *Ed25519) ListKeys(role string) []string
- func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error)
- func (e *Ed25519) RemoveKey(keyID string) error
- type Ed25519Verifier
- type ErrExpired
- type ErrInsufficientSignatures
- type ErrInvalidKeyID
- type ErrInvalidKeyLength
- type ErrInvalidKeyType
- type ErrLowVersion
- type ErrNoKeys
- type ErrRoleThreshold
- type KeyService
- type RSAPKCS1v15Verifier
- type RSAPSSVerifier
- type RSAPyCryptoVerifier
- type Verifier
Constants ¶
This section is empty.
Variables ¶
var ( ErrMissingKey = errors.New("tuf: missing key") ErrNoSignatures = errors.New("tuf: data has no signatures") ErrInvalid = errors.New("tuf: signature verification failed") ErrWrongMethod = errors.New("tuf: invalid signature type") ErrUnknownRole = errors.New("tuf: unknown role") ErrWrongType = errors.New("tuf: meta file has wrong type") )
Various basic signing errors
var Verifiers = map[data.SigAlgorithm]Verifier{ data.RSAPSSSignature: RSAPSSVerifier{}, data.RSAPKCS1v15Signature: RSAPKCS1v15Verifier{}, data.PyCryptoSignature: RSAPyCryptoVerifier{}, data.ECDSASignature: ECDSAVerifier{}, data.EDDSASignature: Ed25519Verifier{}, }
Verifiers serves as a map of all verifiers available on the system and can be injected into a verificationService. For testing and configuration purposes, it will not be used by default.
Functions ¶
func RegisterVerifier ¶
func RegisterVerifier(algorithm data.SigAlgorithm, v Verifier)
RegisterVerifier provides a convenience function for init() functions to register additional verifiers or replace existing ones.
func Sign ¶
func Sign(service CryptoService, s *data.Signed, signingKeys []data.PublicKey, minSignatures int, otherWhitelistedKeys []data.PublicKey) error
Sign takes a data.Signed and a cryptoservice containing private keys, calculates and adds at least minSignature signatures using signingKeys the data.Signed. It will also clean up any signatures that are not in produced by either a signingKey or an otherWhitelistedKey. Note that in most cases, otherWhitelistedKeys should probably be null. They are for keys you don't want to sign with, but you also don't want to remove existing signatures by those keys. For instance, if you want to call Sign multiple times with different sets of signing keys without undoing removing signatures produced by the previous call to Sign.
func VerifyExpiry ¶ added in v0.3.0
func VerifyExpiry(s *data.SignedCommon, role string) error
VerifyExpiry returns ErrExpired if the metadata is expired
func VerifySignature ¶ added in v0.3.0
VerifySignature checks a single signature and public key against a payload
func VerifySignatures ¶
VerifySignatures checks the we have sufficient valid signatures for the given role
func VerifyVersion ¶ added in v0.3.0
func VerifyVersion(s *data.SignedCommon, minVersion int) error
VerifyVersion returns ErrLowVersion if the metadata version is lower than the min version
Types ¶
type CryptoService ¶
type CryptoService interface { KeyService }
CryptoService is deprecated and all instances of its use should be replaced with KeyService
type ECDSAVerifier ¶
type ECDSAVerifier struct{}
ECDSAVerifier checks ECDSA signatures, decoding the keyType appropriately
type Ed25519 ¶
type Ed25519 struct {
// contains filtered or unexported fields
}
Ed25519 implements a simple in memory cryptosystem for ED25519 keys
func NewEd25519 ¶
func NewEd25519() *Ed25519
NewEd25519 initializes a new empty Ed25519 CryptoService that operates entirely in memory
func (*Ed25519) AddKey ¶ added in v0.3.0
func (e *Ed25519) AddKey(role, gun string, k data.PrivateKey) error
AddKey allows you to add a private key
func (*Ed25519) GetPrivateKey ¶
GetPrivateKey returns a single private key and role if present, based on the ID
func (*Ed25519) ListAllKeys ¶
ListAllKeys returns the map of keys IDs to role
func (*Ed25519) PublicKeys ¶
PublicKeys returns a map of public keys for the ids provided, when those IDs are found in the store.
type Ed25519Verifier ¶
type Ed25519Verifier struct{}
Ed25519Verifier used to verify Ed25519 signatures
type ErrExpired ¶
ErrExpired indicates a piece of metadata has expired
func (ErrExpired) Error ¶
func (e ErrExpired) Error() string
type ErrInsufficientSignatures ¶
ErrInsufficientSignatures - can not create enough signatures on a piece of metadata
func (ErrInsufficientSignatures) Error ¶
func (e ErrInsufficientSignatures) Error() string
type ErrInvalidKeyID ¶ added in v0.3.0
type ErrInvalidKeyID struct{}
ErrInvalidKeyID indicates the specified key ID was incorrect for its associated data
func (ErrInvalidKeyID) Error ¶ added in v0.3.0
func (e ErrInvalidKeyID) Error() string
type ErrInvalidKeyLength ¶
type ErrInvalidKeyLength struct {
// contains filtered or unexported fields
}
ErrInvalidKeyLength indicates that while we may support the cipher, the provided key length is not specifically supported, i.e. we support RSA, but not 1024 bit keys
func (ErrInvalidKeyLength) Error ¶
func (e ErrInvalidKeyLength) Error() string
type ErrInvalidKeyType ¶
type ErrInvalidKeyType struct{}
ErrInvalidKeyType indicates the types for the key and signature it's associated with are mismatched. Probably a sign of malicious behaviour
func (ErrInvalidKeyType) Error ¶
func (e ErrInvalidKeyType) Error() string
type ErrLowVersion ¶
ErrLowVersion indicates the piece of metadata has a version number lower than a version number we're already seen for this role
func (ErrLowVersion) Error ¶
func (e ErrLowVersion) Error() string
type ErrNoKeys ¶
type ErrNoKeys struct {
KeyIDs []string
}
ErrNoKeys indicates no signing keys were found when trying to sign
type ErrRoleThreshold ¶
type ErrRoleThreshold struct {
Msg string
}
ErrRoleThreshold indicates we did not validate enough signatures to meet the threshold
func (ErrRoleThreshold) Error ¶
func (e ErrRoleThreshold) Error() string
type KeyService ¶
type KeyService interface { // Create issues a new key pair and is responsible for loading // the private key into the appropriate signing service. Create(role, gun, algorithm string) (data.PublicKey, error) // AddKey adds a private key to the specified role and gun AddKey(role, gun string, key data.PrivateKey) error // GetKey retrieves the public key if present, otherwise it returns nil GetKey(keyID string) data.PublicKey // GetPrivateKey retrieves the private key and role if present and retrievable, // otherwise it returns nil and an error GetPrivateKey(keyID string) (data.PrivateKey, string, error) // RemoveKey deletes the specified key, and returns an error only if the key // removal fails. If the key doesn't exist, no error should be returned. RemoveKey(keyID string) error // ListKeys returns a list of key IDs for the role, or an empty list or // nil if there are no keys. ListKeys(role string) []string // ListAllKeys returns a map of all available signing key IDs to role, or // an empty map or nil if there are no keys. ListAllKeys() map[string]string }
KeyService provides management of keys locally. It will never accept or provide private keys. Communication between the KeyService and a SigningService happen behind the Create function.
type RSAPKCS1v15Verifier ¶
type RSAPKCS1v15Verifier struct{}
RSAPKCS1v15Verifier checks RSA PKCS1v15 signatures
type RSAPyCryptoVerifier ¶
type RSAPyCryptoVerifier struct{}
RSAPyCryptoVerifier checks RSASSA-PSS signatures