sctfe

package module
v0.0.0-...-400a50a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 9, 2024 License: Apache-2.0 Imports: 32 Imported by: 0

README

SCTFE

This personality implements CT Static API using Trillian Tessera to store data. It is based on Trillian's CTFE.

It is under active development.

Deployment

Each Tessera storage backend needs its own SCTFE binary.

At the moment, these storage backends are supported:

Working on the Code

The following files are auto-generated:

To re-generate these files, first install the right tools:

Then, generate the files:

cd $(go list -f '{{ .Dir }}' github.com/transparency-dev/static-ct); \
go generate -x ./...  # hunts for //go:generate comments and runs them
Contact

Documentation

Overview

Package sctfe contains a usage example by providing an implementation of a ct-static-api personality using Trillian Tessera as a backend storage.

It is a port of the ctfe package from https://github.com/google/certificate-transparency-go

Index

Constants

View Source 
const (
	AddChainName    = EntrypointName("AddChain")
	AddPreChainName = EntrypointName("AddPreChain")
	GetRootsName    = EntrypointName("GetRoots")
)

Constants for entrypoint names, as exposed in statistics/logging.

Variables

View Source 
var Entrypoints = []EntrypointName{AddChainName, AddPreChainName, GetRootsName}

Entrypoints is a list of entrypoint names as exposed in statistics/logging.

View Source 
var (
	ErrNoRFCCompliantPathFound = errors.New("no RFC compliant path to root found when trying to validate chain")
)

Functions

func DedupFromBundle 

func DedupFromBundle(bundle []byte, bundleIdx uint64) ([]dedup.LeafDedupInfo, error)

DedupFromBundle converts a bundle into an array of dedup.LeafDedupInfo.

The index of a leaf is computed from its position in the log, instead of parsing SCTs. Greatly inspired by https://github.com/FiloSottile/sunlight/blob/main/tile.go

func GetCTLogID 

func GetCTLogID(pk crypto.PublicKey) ([sha256.Size]byte, error)

GetCTLogID takes the key manager for a log and returns the LogID. (see RFC 6962 S3.2) In CT V1 the log id is a hash of the public key.

func IsPreIssuer 

func IsPreIssuer(issuer *x509.Certificate) bool

IsPreIssuer indicates whether a certificate is a pre-cert issuer with the specific certificate transparency extended key usage. copied form certificate-transparency-go/serialization.go

func NewCpSigner 

func NewCpSigner(signer crypto.Signer, origin string, logID [32]byte, timeSource TimeSource) note.Signer

NewCpSigner returns a new note signer that can sign https://c2sp.org/static-ct-api checkpoints. TODO(phboneff): add tests

func ParseBodyAsJSONChain 

func ParseBodyAsJSONChain(r *http.Request) (ct.AddChainRequest, error)

ParseBodyAsJSONChain tries to extract cert-chain out of request.

Types

type AppHandler 

type AppHandler struct {
	Info    *logInfo
	Handler func(context.Context, *logInfo, http.ResponseWriter, *http.Request) (int, error)
	Name    EntrypointName
	Method  string // http.MethodGet or http.MethodPost
}

AppHandler holds a logInfo and a handler function that uses it, and is an implementation of the http.Handler interface.

func (AppHandler) ServeHTTP 

func (a AppHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP for an AppHandler invokes the underlying handler function but does additional common error and stats processing.

type CTStorage 

type CTStorage struct {
	// contains filtered or unexported fields
}

CTStorage implements Storage.

func NewCTSTorage 

func NewCTSTorage(logStorage tessera.Storage, issuerStorage IssuerStorage, dedupStorage dedup.BEDedupStorage) (*CTStorage, error)

NewCTStorage instantiates a CTStorage object.

func (*CTStorage) Add 

func (cts *CTStorage) Add(ctx context.Context, entry *ctonly.Entry) tessera.IndexFuture

Add stores CT entries.

func (CTStorage) AddCertDedupInfo 

func (cts CTStorage) AddCertDedupInfo(ctx context.Context, c *x509.Certificate, sctDedupInfo dedup.SCTDedupInfo) error

AddCertDedupInfo stores <cert_hash, SCTDedupInfo> in the deduplication storage.

func (*CTStorage) AddIssuerChain 

func (cts *CTStorage) AddIssuerChain(ctx context.Context, chain []*x509.Certificate) error

AddIssuerChain stores every chain certificate under its sha256.

If an object is already stored under this hash, continues.

func (CTStorage) GetCertDedupInfo 

func (cts CTStorage) GetCertDedupInfo(ctx context.Context, c *x509.Certificate) (dedup.SCTDedupInfo, bool, error)

GetCertDedupInfo fetches the SCTDedupInfo of a given certificate from the deduplication storage.

type CertValidationOpts 

type CertValidationOpts struct {
	// contains filtered or unexported fields
}

CertValidationOpts contains various parameters for certificate chain validation

func NewCertValidationOpts 

func NewCertValidationOpts(trustedRoots *x509util.PEMCertPool, currentTime time.Time, rejectExpired bool, rejectUnexpired bool, notAfterStart *time.Time, notAfterLimit *time.Time, acceptOnlyCA bool, extKeyUsages []x509.ExtKeyUsage) CertValidationOpts

NewCertValidationOpts builds validation options based on parameters.

type CpSigner 

type CpSigner struct {
	// contains filtered or unexported fields
}

CpSigner implements note.Signer. It can generate https://c2sp.org/static-ct-api checkpoints.

func (*CpSigner) KeyHash 

func (cts *CpSigner) KeyHash() uint32

func (*CpSigner) Name 

func (cts *CpSigner) Name() string

func (*CpSigner) Sign 

func (cts *CpSigner) Sign(msg []byte) ([]byte, error)

Sign takes an unsigned checkpoint, and signs it with a https://c2sp.org/static-ct-api signature. Returns an error if the message doesn't parse as a checkpoint, or if the checkpoint origin doesn't match with the Signer's origin. TODO(phboneff): add tests

type DefaultRequestLog 

type DefaultRequestLog struct {
}

DefaultRequestLog is an implementation of RequestLog that does nothing except log the calls at a high level of verbosity.

func (*DefaultRequestLog) AddCertToChain 

func (dlr *DefaultRequestLog) AddCertToChain(_ context.Context, cert *x509.Certificate)

AddCertToChain logs some issuer / subject / timing fields from a certificate that is part of a submitted chain.

func (*DefaultRequestLog) AddDERToChain 

func (dlr *DefaultRequestLog) AddDERToChain(_ context.Context, d []byte)

AddDERToChain logs the raw bytes of a submitted certificate.

func (*DefaultRequestLog) IssueSCT 

func (dlr *DefaultRequestLog) IssueSCT(_ context.Context, sct []byte)

IssueSCT logs an SCT that will be issued to a client.

func (*DefaultRequestLog) LogOrigin 

func (dlr *DefaultRequestLog) LogOrigin(_ context.Context, p string)

LogOrigin logs the origin of the CT log that this request is for.

func (*DefaultRequestLog) Start 

func (dlr *DefaultRequestLog) Start(ctx context.Context) context.Context

Start logs the start of request processing.

func (*DefaultRequestLog) Status 

func (dlr *DefaultRequestLog) Status(_ context.Context, s int)

Status logs the response HTTP status code after processing completes.

type EntrypointName 

type EntrypointName string

EntrypointName identifies a CT entrypoint as defined in section 4 of RFC 6962.

type Instance 

type Instance struct {
	Handlers PathHandlers
	// contains filtered or unexported fields
}

Instance is a set up log/mirror instance. It must be created with the SetUpInstance call.

func SetUpInstance 

func SetUpInstance(ctx context.Context, opts InstanceOptions) (*Instance, error)

SetUpInstance sets up a log (or log mirror) instance using the provided configuration, and returns an object containing a set of handlers for this log, and an STH getter.

func (*Instance) GetPublicKey 

func (i *Instance) GetPublicKey() crypto.PublicKey

GetPublicKey returns the public key from the instance's signer.

type InstanceOptions 

type InstanceOptions struct {
	// Validated holds the original configuration options for the log, and some
	// of its fields parsed as a result of validating it.
	Validated *ValidatedLogConfig
	// CreateStorage instantiates a Tessera storage implementation with a signer option.
	CreateStorage func(context.Context, note.Signer) (*CTStorage, error)
	// Deadline is a timeout for Tessera requests.
	Deadline time.Duration
	// MetricFactory allows creating metrics.
	MetricFactory monitoring.MetricFactory
	// RequestLog provides structured logging of CTFE requests.
	RequestLog         RequestLog
	MaskInternalErrors bool
}

InstanceOptions describes the options for a log instance.

type IssuerStorage 

type IssuerStorage interface {
	AddIssuersIfNotExist(ctx context.Context, kv []KV) error
}

IssuerStorage issuer certificates under their hex encoded sha256.

type KV 

type KV struct {
	K []byte
	V []byte
}

type PathHandlers 

type PathHandlers map[string]AppHandler

PathHandlers maps from a path to the relevant AppHandler instance.

type RFC6962NoteSignature 

type RFC6962NoteSignature struct {
	// contains filtered or unexported fields
}

type RequestLog 

type RequestLog interface {
	// Start will be called once at the beginning of handling each request.
	// The supplied context will be the one used for request processing and
	// can be used by the logger to set values on the returned context.
	// The returned context should be used in all the following calls to
	// this API. This is normally arranged by the request handler code.
	Start(context.Context) context.Context
	// LogOrigin will be called once per request to set the log prefix.
	LogOrigin(context.Context, string)
	// AddDERToChain will be called once for each certificate in a submitted
	// chain. It's called early in request processing so the supplied bytes
	// have not been checked for validity. Calls will be in order of the
	// certificates as presented in the request with the root last.
	AddDERToChain(context.Context, []byte)
	// AddCertToChain will be called once for each certificate in the chain
	// after it has been parsed and verified. Calls will be in order of the
	// certificates as presented in the request with the root last.
	AddCertToChain(context.Context, *x509.Certificate)
	// IssueSCT will be called once when the server is about to issue an SCT to a
	// client. This should not be called if the submission process fails before an
	// SCT could be presented to a client, even if this is unrelated to
	// the validity of the submitted chain. The SCT bytes will be in TLS
	// serialized format.
	IssueSCT(context.Context, []byte)
	// Status will be called once to set the HTTP status code that was the
	// the result after the request has been handled.
	Status(context.Context, int)
}

RequestLog allows implementations to do structured logging of CTFE request parameters, submitted chains and other internal details that are useful for log operators when debugging issues. CTFE handlers will call the appropriate methods during request processing. The implementation is responsible for collating and storing the resulting logging information.

type Storage 

type Storage interface {
	// Add assigns an index to the provided Entry, stages the entry for integration, and returns a future for the assigned index.
	Add(context.Context, *ctonly.Entry) tessera.IndexFuture
	// AddIssuerChain stores every the chain certificate in a content-addressable store under their sha256 hash.
	AddIssuerChain(context.Context, []*x509.Certificate) error
	// AddCertDedupInfo stores the SCTDedupInfo of certificate in a log under its hash.
	AddCertDedupInfo(context.Context, *x509.Certificate, dedup.SCTDedupInfo) error
	// GetCertDedupInfo gets the SCTDedupInfo of certificate in a log from its hash.
	GetCertDedupInfo(context.Context, *x509.Certificate) (dedup.SCTDedupInfo, bool, error)
}

Storage provides all the storage primitives necessary to write to a ct-static-api log.

type SystemTimeSource 

type SystemTimeSource struct{}

SystemTimeSource provides the current system local time

func (SystemTimeSource) Now 

func (s SystemTimeSource) Now() time.Time

Now returns the true current local time.

type TimeSource 

type TimeSource interface {
	// Now returns the current time in real implementations or a suitable value in others
	Now() time.Time
}

TimeSource can provide the current time, or be replaced by a mock in tests to return specific values.

type ValidatedLogConfig 

type ValidatedLogConfig struct {
	// Origin identifies the log. It will be used in its checkpoint, and
	// is also its submission prefix, as per https://c2sp.org/static-ct-api.
	Origin string
	// Used to sign the checkpoint and SCTs.
	Signer crypto.Signer
	// If set, ExtKeyUsages will restrict the set of such usages that the
	// server will accept. By default all are accepted. The values specified
	// must be ones known to the x509 package.
	KeyUsages []x509.ExtKeyUsage
	// NotAfterStart defines the start of the range of acceptable NotAfter
	// values, inclusive.
	// Leaving this unset implies no lower bound to the range.
	NotAfterStart *time.Time
	// NotAfterLimit defines the end of the range of acceptable NotAfter values,
	// exclusive.
	// Leaving this unset implies no upper bound to the range.
	NotAfterLimit *time.Time
	// Path to the file containing root certificates that are acceptable to the
	// log. The certs are served through get-roots endpoint.
	RootsPemFile string
	// If RejectExpired is true then the certificate validity period will be
	// checked against the current time during the validation of submissions.
	// This will cause expired certificates to be rejected.
	RejectExpired bool
	// If RejectUnexpired is true then CTFE rejects certificates that are either
	// currently valid or not yet valid.
	RejectUnexpired bool
	// A list of X.509 extension OIDs, in dotted string form (e.g. "2.3.4.5")
	// which, if present, should cause submissions to be rejected.
	RejectExtensions []string
}

ValidatedLogConfig represents the LogConfig with the information that has been successfully parsed as a result of validating it.

func ValidateLogConfig 

func ValidateLogConfig(origin string, projectID string, bucket string, spannerDB string, rootsPemFile string, rejectExpired bool, rejectUnexpired bool, extKeyUsages string, rejectExtensions string, notAfterStart *time.Time, notAfterLimit *time.Time, signer crypto.Signer) (*ValidatedLogConfig, error)

ValidateLogConfig checks that a single log config is valid. In particular:

  • A log has a private, and optionally a public key (both valid).
  • Each of NotBeforeStart and NotBeforeLimit, if set, is a valid timestamp proto. If both are set then NotBeforeStart <= NotBeforeLimit.
  • Merge delays (if present) are correct.

Returns the validated structures (useful to avoid double validation).

Source Files

View all Source files

Directories

Path Synopsis
cmd
gcp
The ct_server binary runs the CT personality.
 The ct_server binary runs the CT personality.
Package mockclient provides a mockable version of the Trillian log client API.
 Package mockclient provides a mockable version of the Trillian log client API.
modules
dedup
Package dedup limits the number of duplicate entries a personality allows in a Tessera log.
 Package dedup limits the number of duplicate entries a personality allows in a Tessera log.
storage
bbolt
Package bbolt implements modules/dedup using BBolt.
 Package bbolt implements modules/dedup using BBolt.
gcp
Package gcp allows the SCTFE to interact with GCS to:
 Package gcp allows the SCTFE to interact with GCS to:

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.