Documentation

Index
- Constants
- func AppendTileLeaf(t []byte, e *LogEntry) []byte
- func DigitallySign(k *ecdsa.PrivateKey, msg []byte) ([]byte, error)
- func FormatCheckpoint(c Checkpoint) string
- func KAnonHashPath(h []byte, mask int) string
- func MarshalExtensions(e Extensions) ([]byte, error)
- func NewRFC6962Verifier(name string, key crypto.PublicKey, tf func(uint64)) (note.Verifier, error)
- func Path(t tlog.Tile) string
- func SignTreeHead(k *ecdsa.PrivateKey, treeSize, timestamp uint64, sha256RootHash [32]byte) ([]byte, error)
- func SignTreeHeadCheckpoint(origin string, privKey *ecdsa.PrivateKey, treeSize, timestamp int64, ...) (checkpoint []byte, err error)
- type Checkpoint
- type Extensions
- type LogEntry
- type TileReader
- type UnsequencedEntry
Constants
const TileHeight = 8
const TileWidth = 1 << TileHeight
Variables
This section is empty.
Functions
func AppendTileLeaf
func AppendTileLeaf(t []byte, e *LogEntry) []byte
AppendTileLeaf appends a LogEntry to a data tile.
func DigitallySign
func DigitallySign(k *ecdsa.PrivateKey, msg []byte) ([]byte, error)
DigitallySign produces an encoded DigitallySigned signature.
It reimplements tls.CreateSignature and tls.Marshal from github.com/google/certificate-transparency-go/tls, in part to limit complexity and in part because tls.CreateSignature expects non-pointer {rsa,ecdsa}.PrivateKey types, which is unusual.
We use deterministic RFC 6979 ECDSA signatures so that, when a previous SCT's timestamp and index are fetched from the deduplication cache, the new SCT we produce is byte-for-byte identical to the one issued before.
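The determinism argument above is easier to see with the nonce derivation written out. The following is an added example, not code from this package: it derives the ECDSA nonce with the HMAC-DRBG procedure of RFC 6979 section 3.2 over P-256 with SHA-256, so signing the same message twice yields the same (r, s), and then wraps the DER signature in the RFC 5246 DigitallySigned layout (hash algorithm sha256 = 4, signature algorithm ecdsa = 3, 16-bit length). The function names are this example's own; the private key in main is the RFC 6979 appendix A.2.5 test key, used so the output can be compared with the published vector.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/binary"
	"fmt"
	"math/big"
)

// p256N is the order of the P-256 base point; all scalar arithmetic is mod n.
var p256N = elliptic.P256().Params().N

// int2octets encodes v as a fixed 32-byte big-endian string (RFC 6979 2.3.3).
func int2octets(v *big.Int) []byte {
	out := make([]byte, 32)
	v.FillBytes(out)
	return out
}

// hmacSHA256 returns HMAC-SHA256 over the concatenation of parts under key.
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// signP256Deterministic signs SHA-256(msg) with ECDSA over P-256, deriving the
// nonce k per RFC 6979 section 3.2 instead of from a random source, so the same
// key and message always give the same (r, s). With qlen = hlen = 256,
// bits2int is the identity and bits2octets is (h1 mod n) as 32 bytes.
func signP256Deterministic(priv *ecdsa.PrivateKey, msg []byte) (r, s *big.Int) {
	h1 := sha256.Sum256(msg)
	e := new(big.Int).SetBytes(h1[:])
	x := int2octets(priv.D)
	h := int2octets(new(big.Int).Mod(e, p256N))

	V := bytes.Repeat([]byte{0x01}, 32)
	K := make([]byte, 32)
	K = hmacSHA256(K, V, []byte{0x00}, x, h)
	V = hmacSHA256(K, V)
	K = hmacSHA256(K, V, []byte{0x01}, x, h)
	V = hmacSHA256(K, V)
	for {
		V = hmacSHA256(K, V) // one HMAC output already fills qlen bits
		k := new(big.Int).SetBytes(V)
		if k.Sign() > 0 && k.Cmp(p256N) < 0 {
			rx, _ := elliptic.P256().ScalarBaseMult(int2octets(k))
			r = new(big.Int).Mod(rx, p256N)
			s = new(big.Int).Mul(r, priv.D)
			s.Add(s, e)
			s.Mul(s, new(big.Int).ModInverse(k, p256N))
			s.Mod(s, p256N)
			if r.Sign() != 0 && s.Sign() != 0 {
				return r, s
			}
		}
		// Rejected candidate: refresh K and V and try again (RFC 6979 3.2 step h).
		K = hmacSHA256(K, V, []byte{0x00})
		V = hmacSHA256(K, V)
	}
}

// digitallySigned wraps the DER-encoded (r, s) in the RFC 5246 DigitallySigned
// layout used by SCTs and tree head signatures: sha256 (4), ecdsa (3),
// 16-bit length, signature bytes.
func digitallySigned(r, s *big.Int) ([]byte, error) {
	der, err := asn1.Marshal(struct{ R, S *big.Int }{r, s})
	if err != nil {
		return nil, err
	}
	out := []byte{4, 3, 0, 0}
	binary.BigEndian.PutUint16(out[2:], uint16(len(der)))
	return append(out, der...), nil
}

// privateKeyFromHex builds a P-256 key from a hex-encoded private scalar.
func privateKeyFromHex(dHex string) (*ecdsa.PrivateKey, error) {
	d, ok := new(big.Int).SetString(dHex, 16)
	if !ok || d.Sign() == 0 || d.Cmp(p256N) >= 0 {
		return nil, fmt.Errorf("invalid private scalar")
	}
	x, y := elliptic.P256().ScalarBaseMult(int2octets(d))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, D: d}, nil
}

func main() {
	// RFC 6979 appendix A.2.5 test key, signing the message "sample".
	priv, err := privateKeyFromHex("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721")
	if err != nil {
		panic(err)
	}
	r, s := signP256Deterministic(priv, []byte("sample"))
	sig, _ := digitallySigned(r, s)
	fmt.Printf("r=%X\ns=%X\nDigitallySigned=%X\n", r, s, sig)
}
```

The signature still verifies with crypto/ecdsa, which is what a relying party uses; only the nonce source differs from the randomized stdlib signer. That is exactly the property the cache lookup relies on: two issuances with the same timestamp and index produce the same bytes, so the dedup cache cannot hand out two different valid SCTs for one entry.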
func FormatCheckpoint
func FormatCheckpoint(c Checkpoint) string
func KAnonHashPath
func KAnonHashPath(h []byte, mask int) string
func MarshalExtensions
func MarshalExtensions(e Extensions) ([]byte, error)
func NewRFC6962Verifier
func NewRFC6962Verifier(name string, key crypto.PublicKey, tf func(uint64)) (note.Verifier, error)
NewRFC6962Verifier constructs a new note.Verifier that verifies an RFC 6962 TreeHeadSignature formatted according to c2sp.org/sunlight.
tf, if not nil, is called with the timestamp extracted from any valid verified signature.
func SignTreeHead
func SignTreeHead(k *ecdsa.PrivateKey, treeSize, timestamp uint64, sha256RootHash [32]byte) ([]byte, error)
SignTreeHead takes in the parameters to create a signed tree head and returns the JSON-encoded response.
func SignTreeHeadCheckpoint
func SignTreeHeadCheckpoint(origin string, privKey *ecdsa.PrivateKey, treeSize, timestamp int64, sha256RootHash [32]byte) (checkpoint []byte, err error)
SignTreeHeadCheckpoint signs the tree head and returns a checkpoint according to c2sp.org/checkpoint.
Types
type Checkpoint
type Checkpoint struct {
	Origin string
	tlog.Tree
	// Extension is empty or a sequence of non-empty lines,
	// each terminated by a newline character.
	Extension string
}
A Checkpoint is a tree head to be formatted according to c2sp.org/checkpoint.
A checkpoint looks like this:
example.com/origin
923748
nND/nri/U0xuHUrYSy0HtMeal2vzD9V4k/BO79C+QeI=
It can be followed by extra extension lines.
func ParseCheckpoint
func ParseCheckpoint(text string) (Checkpoint, error)
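As an added example (not this package's ParseCheckpoint or FormatCheckpoint), the following parses and re-serialises the checkpoint body described above: an origin line, a decimal tree size, a base64 SHA-256 root hash, then any extension lines, each newline-terminated. It is strict on purpose: a non-canonical tree size, a hash of the wrong length, an empty extension line or a missing final newline are all rejected rather than silently normalised, because the body is the exact byte string the signature covers. The type and function names are this example's own; the sample body in main is the one shown in this documentation plus one constructed extension line.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// checkpointBody holds the three mandatory lines of a c2sp.org/checkpoint
// body plus any extension lines (type and field names are this example's).
type checkpointBody struct {
	Origin    string
	TreeSize  uint64
	RootHash  [32]byte
	Extension []string // non-empty lines following the hash line
}

// parseCheckpointBody parses origin, decimal tree size, base64 SHA-256 root
// hash, then zero or more non-empty extension lines, each terminated by a
// newline. Anything that does not parse exactly is rejected.
func parseCheckpointBody(text string) (checkpointBody, error) {
	var c checkpointBody
	if !strings.HasSuffix(text, "\n") {
		return c, errors.New("checkpoint: last line is not newline-terminated")
	}
	lines := strings.Split(strings.TrimSuffix(text, "\n"), "\n")
	if len(lines) < 3 {
		return c, fmt.Errorf("checkpoint: got %d lines, need at least 3", len(lines))
	}
	if lines[0] == "" {
		return c, errors.New("checkpoint: empty origin")
	}
	c.Origin = lines[0]
	n, err := strconv.ParseUint(lines[1], 10, 64)
	if err != nil || strconv.FormatUint(n, 10) != lines[1] {
		return c, fmt.Errorf("checkpoint: tree size %q is not a canonical decimal", lines[1])
	}
	c.TreeSize = n
	hash, err := base64.StdEncoding.DecodeString(lines[2])
	if err != nil || len(hash) != len(c.RootHash) {
		return c, fmt.Errorf("checkpoint: root hash %q is not a base64 32-byte hash", lines[2])
	}
	copy(c.RootHash[:], hash)
	for i, l := range lines[3:] {
		if l == "" {
			return c, fmt.Errorf("checkpoint: extension line %d is empty", i+1)
		}
		c.Extension = append(c.Extension, l)
	}
	return c, nil
}

// formatCheckpointBody is the inverse of parseCheckpointBody.
func formatCheckpointBody(c checkpointBody) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s\n%d\n%s\n", c.Origin, c.TreeSize, base64.StdEncoding.EncodeToString(c.RootHash[:]))
	for _, l := range c.Extension {
		b.WriteString(l)
		b.WriteByte('\n')
	}
	return b.String()
}

func main() {
	// Constructed input: the body shown in this documentation plus one extension line.
	body := "example.com/origin\n923748\nnND/nri/U0xuHUrYSy0HtMeal2vzD9V4k/BO79C+QeI=\nsome-extension-line\n"
	c, err := parseCheckpointBody(body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nround-trips: %v\n", c, formatCheckpointBody(c) == body)
}
```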
type Extensions
type Extensions struct {
	LeafIndex uint64
}
Extensions is the CTExtensions field of SignedCertificateTimestamp and TimestampedEntry, according to c2sp.org/sunlight.
func ParseExtensions
func ParseExtensions(extensions []byte) (Extensions, error)
ParseExtensions parses a CTExtensions field, ignoring unknown extensions. It is an error if the leaf_index extension is missing.
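The "ignore unknown, but fail on missing" rule above is the part worth getting right, so here is an added example (not this package's MarshalExtensions/ParseExtensions) that encodes and decodes the field. It assumes the wire layout of c2sp.org/sunlight as this editor reads it: a sequence of Extension items, each a 1-byte extension_type followed by a 16-bit-length-prefixed extension_data, with leaf_index being type 0 and its data the index as a 5-byte big-endian integer; the input is taken to be the concatenated items, without the SCT's outer vector length. Function names and the 923748 sample index are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// leafIndexType is the extension_type of leaf_index (assumed to be 0 here,
// per this example's reading of c2sp.org/sunlight).
const leafIndexType = 0

// maxLeafIndex matches the 2^40-1 bound on LogEntry.LeafIndex.
const maxLeafIndex = 1<<40 - 1

// marshalLeafIndex encodes a CTExtensions field carrying only leaf_index:
// type (1 byte) | data length (2 bytes) | index as 5-byte big-endian.
func marshalLeafIndex(leafIndex uint64) ([]byte, error) {
	if leafIndex > maxLeafIndex {
		return nil, fmt.Errorf("leaf index %d exceeds 2^40-1", leafIndex)
	}
	var data [5]byte
	data[0] = byte(leafIndex >> 32)
	binary.BigEndian.PutUint32(data[1:], uint32(leafIndex))
	out := []byte{leafIndexType, 0, 5}
	return append(out, data[:]...), nil
}

// parseLeafIndex walks the items, skips extensions of unknown type, and returns
// the leaf_index value. Truncated input, a duplicate leaf_index, a malformed
// leaf_index and a missing leaf_index are all errors: an SCT from an untrusted
// source must never yield a silently wrong index.
func parseLeafIndex(ext []byte) (uint64, error) {
	var (
		idx   uint64
		found bool
	)
	for len(ext) > 0 {
		if len(ext) < 3 {
			return 0, errors.New("extensions: truncated extension header")
		}
		typ, l := ext[0], int(binary.BigEndian.Uint16(ext[1:3]))
		ext = ext[3:]
		if len(ext) < l {
			return 0, errors.New("extensions: truncated extension data")
		}
		data := ext[:l]
		ext = ext[l:]
		if typ != leafIndexType {
			continue // unknown extension: skip, do not fail
		}
		if found {
			return 0, errors.New("extensions: duplicate leaf_index")
		}
		if l != 5 {
			return 0, fmt.Errorf("leaf_index: want 5 bytes, got %d", l)
		}
		idx = uint64(data[0])<<32 | uint64(binary.BigEndian.Uint32(data[1:]))
		found = true
	}
	if !found {
		return 0, errors.New("extensions: leaf_index missing")
	}
	return idx, nil
}

func main() {
	// Constructed sample: an unknown extension of type 0x7f followed by leaf_index 923748.
	b, err := marshalLeafIndex(923748)
	if err != nil {
		panic(err)
	}
	field := append([]byte{0x7f, 0, 2, 0xaa, 0xbb}, b...)
	idx, err := parseLeafIndex(field)
	fmt.Printf("field=%x leaf_index=%d err=%v\n", field, idx, err)
}
```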
type LogEntry
type LogEntry struct {
	// Certificate is either the X509ChainEntry.leaf_certificate, or the
	// PreCert.tbs_certificate for Precertificates.
	// It must be at most 2^24-1 bytes long.
	Certificate []byte
	// IsPrecert is true if LogEntryType is precert_entry. Otherwise, the
	// following three fields are zero and ignored.
	IsPrecert bool
	// IssuerKeyHash is the PreCert.issuer_key_hash.
	IssuerKeyHash [32]byte
	// PreCertificate is the PrecertChainEntry.pre_certificate.
	// It must be at most 2^24-1 bytes long.
	PreCertificate []byte
	// CertificateFp is the fingerprint of the first element of the chain.
	CertificateFp [32]byte
	// ChainFp is a slice of the fingerprints of the entries in the chain
	// submitted to the add-chain or add-pre-chain endpoints, excluding the
	// first element, with the original order maintained.
	ChainFp [][32]byte
	// Chain is the rest of the certificates in the chain.
	// It will only be filled in if the LogEntry is generated in the
	// submit cert or precert endpoints.
	Chain []*x509.Certificate
	// Timestamp is the TimestampedEntry.timestamp.
	Timestamp int64
	// LeafIndex is the zero-based index of the leaf in the log.
	// It must be between 0 and 2^40-1.
	LeafIndex uint64
}
func ReadTileLeaf
ReadTileLeaf reads a LogEntry from a data tile, and returns the remaining data in the tile.
type TileReader
type TileReader struct {
	Fetch        func(key string) ([]byte, error)
	SaveTilesInt func(tiles []tlog.Tile, data [][]byte)
}
func (*TileReader) Height
func (r *TileReader) Height() int
type UnsequencedEntry
type UnsequencedEntry struct {
	// Certificate is either the X509ChainEntry.leaf_certificate, or the
	// PreCert.tbs_certificate for Precertificates.
	// It must be at most 2^24-1 bytes long.
	Certificate []byte
	// IsPrecert is true if LogEntryType is precert_entry. Otherwise, the
	// following three fields are zero and ignored.
	IsPrecert bool
	// IssuerKeyHash is the PreCert.issuer_key_hash.
	IssuerKeyHash [32]byte
	// PreCertificate is the PrecertChainEntry.pre_certificate.
	// It must be at most 2^24-1 bytes long.
	PreCertificate []byte
	// CertificateFp is the fingerprint of the first element of the chain.
	CertificateFp [32]byte
	// ChainFp is a slice of the fingerprints of the entries in the chain
	// submitted to the add-chain or add-pre-chain endpoints, excluding the
	// first element, with the original order maintained.
	ChainFp [][32]byte
	// Chain is the rest of the certificates in the chain.
	// It will only be filled in if the LogEntry is generated in the
	// submit cert or precert endpoints.
	Chain []*x509.Certificate
}