ct

package v0.18.0

Published: Nov 13, 2023 License: MPL-2.0, Apache-2.0 Imports: 17 Imported by: 36

README

The code in this directory is based on Google's Certificate Transparency Go library
(originally at <https://github.com/google/certificate-transparency/tree/master/go>;
now at <https://github.com/google/certificate-transparency-go>).
See AUTHORS for the copyright holders, and LICENSE for the license.

Documentation

Constants

const (
	CertificateLengthBytes      = 3
	PreCertificateLengthBytes   = 3
	ExtensionsLengthBytes       = 2
	CertificateChainLengthBytes = 3
	SignatureLengthBytes        = 2
)

Variable-size structure prefix-header byte lengths.

const (
	MaxCertificateLength = (1 << 24) - 1
	MaxExtensionsLength  = (1 << 16) - 1
)

Max lengths

Variables

This section is empty.

Functions

func MarshalDigitallySigned

func MarshalDigitallySigned(ds DigitallySigned) ([]byte, error)

MarshalDigitallySigned marshals a DigitallySigned structure into a byte slice.

func ReadTimestampedEntryInto

func ReadTimestampedEntryInto(r io.Reader, t *TimestampedEntry) error

ReadTimestampedEntryInto parses the byte-stream representation of a TimestampedEntry from |r| and populates the struct |t| with the data. See RFC section 3.4 for details on the format. Returns a non-nil error if there was a problem.

func SerializeSCT

func SerializeSCT(sct SignedCertificateTimestamp) ([]byte, error)

SerializeSCT serializes the passed in sct into the format specified by RFC6962 section 3.2

func SerializeSCTSignatureInput

func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry) ([]byte, error)

SerializeSCTSignatureInput serializes the passed in sct and log entry into the correct format for signing.

func SerializeSTHSignatureInput

func SerializeSTHSignatureInput(sth SignedTreeHead) ([]byte, error)

SerializeSTHSignatureInput serializes the passed in sth into the correct format for signing.

Types

type ASN1Cert

type ASN1Cert []byte

ASN1Cert holds the raw DER bytes of an ASN.1 Certificate (RFC section 3.1).

func UnmarshalPrecertChainArray

func UnmarshalPrecertChainArray(b []byte) ([]ASN1Cert, error)

UnmarshalPrecertChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to a Precertificate leaf.

func UnmarshalX509ChainArray

func UnmarshalX509ChainArray(b []byte) ([]ASN1Cert, error)

UnmarshalX509ChainArray unmarshals the contents of the "chain:" entry in a GetEntries response in the case where the entry refers to an X509 leaf.

type AuditPath

type AuditPath []MerkleTreeNode

AuditPath represents a CT inclusion proof (see sections 2.1.1 and 4.5)

type CTExtensions

type CTExtensions []byte

CTExtensions is a representation of the raw bytes of any CtExtension structure (see section 3.2)

type ConsistencyProof

type ConsistencyProof []MerkleTreeNode

ConsistencyProof represents a CT consistency proof (see sections 2.1.2 and 4.4)

type DigitallySigned

type DigitallySigned struct {
	HashAlgorithm      HashAlgorithm
	SignatureAlgorithm SignatureAlgorithm
	Signature          []byte
}

DigitallySigned represents an RFC5246 DigitallySigned structure

func UnmarshalDigitallySigned

func UnmarshalDigitallySigned(r io.Reader) (*DigitallySigned, error)

UnmarshalDigitallySigned reconstructs a DigitallySigned structure from a Reader

func (DigitallySigned) Base64String

func (d DigitallySigned) Base64String() (string, error)

Base64String returns the base64 representation of the DigitallySigned struct.

func (*DigitallySigned) FromBase64String

func (d *DigitallySigned) FromBase64String(b64 string) error

FromBase64String populates the DigitallySigned structure from the base64 data passed in. Returns an error if the base64 data is invalid.

func (DigitallySigned) MarshalJSON

func (d DigitallySigned) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*DigitallySigned) UnmarshalJSON

func (d *DigitallySigned) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type HashAlgorithm

type HashAlgorithm byte

HashAlgorithm is the hash algorithm identifier carried in a DigitallySigned struct (the RFC 5246 HashAlgorithm enum).

const (
	None   HashAlgorithm = 0
	MD5    HashAlgorithm = 1
	SHA1   HashAlgorithm = 2
	SHA224 HashAlgorithm = 3
	SHA256 HashAlgorithm = 4
	SHA384 HashAlgorithm = 5
	SHA512 HashAlgorithm = 6
)

HashAlgorithm constants

func (HashAlgorithm) String

func (h HashAlgorithm) String() string

type LeafInput

type LeafInput []byte

LeafInput represents a serialized MerkleTreeLeaf structure

type LogEntry

type LogEntry struct {
	Index     int64
	Leaf      MerkleTreeLeaf
	Chain     []ASN1Cert
	LeafBytes []byte
}

LogEntry represents the contents of an entry in a CT log, see section 3.1.

type LogEntryType

type LogEntryType uint16

LogEntryType represents the LogEntryType enum from section 3.1 of the RFC: enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;

const (
	X509LogEntryType    LogEntryType = 0
	PrecertLogEntryType LogEntryType = 1
)

LogEntryType constants, see section 3.1 of RFC6962.

func (LogEntryType) String

func (e LogEntryType) String() string

type MerkleLeafType

type MerkleLeafType uint8

MerkleLeafType represents the MerkleLeafType enum from section 3.4 of the RFC: enum { timestamped_entry(0), (255) } MerkleLeafType;

const (
	TimestampedEntryLeafType MerkleLeafType = 0 // Entry type for an SCT
)

MerkleLeafType constants, see section 3.4 of the RFC.

func (MerkleLeafType) String

func (m MerkleLeafType) String() string

type MerkleTreeLeaf

type MerkleTreeLeaf struct {
	Version          Version          // the version of the protocol to which the MerkleTreeLeaf corresponds
	LeafType         MerkleLeafType   // The type of the leaf input, currently only TimestampedEntry can exist
	TimestampedEntry TimestampedEntry // The entry data itself
}

MerkleTreeLeaf represents the deserialized structure of the hash input for the leaves of a log's Merkle tree. See RFC section 3.4

func ReadMerkleTreeLeaf

func ReadMerkleTreeLeaf(r io.Reader) (*MerkleTreeLeaf, error)

ReadMerkleTreeLeaf parses the byte-stream representation of a MerkleTreeLeaf (see RFC section 3.4 for details on the format) and returns a pointer to a new MerkleTreeLeaf structure containing the parsed data, or a non-nil error if there was a problem.

type MerkleTreeNode

type MerkleTreeNode []byte

MerkleTreeNode represents an internal node in the CT tree

type PreCert

type PreCert struct {
	IssuerKeyHash  [issuerKeyHashLength]byte
	TBSCertificate []byte
}

PreCert represents a Precertificate (section 3.2)

type SHA256Hash

type SHA256Hash [sha256.Size]byte

SHA256Hash represents the output from the SHA256 hash function.

func PublicKeyFromPEM

func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error)

PublicKeyFromPEM parses a PEM-formatted block and returns the public key contained within and any remaining unread bytes, or an error.

func (SHA256Hash) Base64String

func (s SHA256Hash) Base64String() string

Base64String returns the base64 representation of this SHA256Hash.

func (SHA256Hash) Base64URLString added in v0.15.0

func (s SHA256Hash) Base64URLString() string

Base64URLString returns the raw base64url representation of this SHA256Hash.

func (*SHA256Hash) FromBase64String

func (s *SHA256Hash) FromBase64String(b64 string) error

FromBase64String populates the SHA256Hash with the contents of the base64 data passed in.

func (SHA256Hash) MarshalJSON

func (s SHA256Hash) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for SHA256Hash.

func (*SHA256Hash) UnmarshalJSON

func (s *SHA256Hash) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

type SignatureAlgorithm

type SignatureAlgorithm byte

SignatureAlgorithm is the signature algorithm identifier carried in a DigitallySigned struct (the RFC 5246 SignatureAlgorithm enum).

const (
	Anonymous SignatureAlgorithm = 0
	RSA       SignatureAlgorithm = 1
	DSA       SignatureAlgorithm = 2
	ECDSA     SignatureAlgorithm = 3
)

SignatureAlgorithm constants

func (SignatureAlgorithm) String

func (s SignatureAlgorithm) String() string

type SignatureType

type SignatureType uint8

SignatureType differentiates STH signatures from SCT signatures, see RFC section 3.2

const (
	CertificateTimestampSignatureType SignatureType = 0
	TreeHashSignatureType             SignatureType = 1
)

SignatureType constants, see RFC section 3.2

func (SignatureType) String

func (st SignatureType) String() string

type SignatureVerifier

type SignatureVerifier struct {
	// contains filtered or unexported fields
}

SignatureVerifier can verify signatures on SCTs and STHs

func NewSignatureVerifier

func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error)

NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.

func (SignatureVerifier) VerifySCTSignature

func (s SignatureVerifier) VerifySCTSignature(sct SignedCertificateTimestamp, entry LogEntry) error

VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry

func (SignatureVerifier) VerifySTHSignature

func (s SignatureVerifier) VerifySTHSignature(sth SignedTreeHead) error

VerifySTHSignature verifies that the STH's signature is valid.

type SignedCertificateTimestamp

type SignedCertificateTimestamp struct {
	SCTVersion Version    `json:"sct_version"` // The version of the protocol to which the SCT conforms
	LogID      SHA256Hash `json:"id"`          // the SHA-256 hash of the log's public key, calculated over
	// the DER encoding of the key represented as SubjectPublicKeyInfo.
	Timestamp  uint64          `json:"timestamp"`  // Timestamp (in ms since unix epoch) at which the SCT was issued
	Extensions CTExtensions    `json:"extensions"` // For future extensions to the protocol
	Signature  DigitallySigned `json:"signature"`  // The Log's signature for this SCT
}

SignedCertificateTimestamp represents the structure returned by the add-chain and add-pre-chain methods after base64 decoding (see RFC sections 3.2, 4.1 and 4.2).

func DeserializeSCT

func DeserializeSCT(r io.Reader) (*SignedCertificateTimestamp, error)

func (SignedCertificateTimestamp) String
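As an added, stand-alone illustration (not this package's code) of the RFC 6962 section 3.2 layouts that SerializeSCT and SerializeSCTSignatureInput produce for an x509_entry, the Go below re-implements both over minimal stand-in types, with the field widths following the page's constants (2-byte extensions and signature prefixes, 3-byte certificate prefix). Field order is taken from the RFC text, which is an assumption about this package's exact output; the demo's oversized extensions value is constructed.

```go
package main
import "errors"
type DigitallySigned struct { // stand-in for the page's DigitallySigned (RFC 5246)
	HashAlgorithm, SignatureAlgorithm byte // enum values, e.g. SHA256 = 4, ECDSA = 3
	Signature                         []byte
}
type SCT struct { // stand-in for the page's SignedCertificateTimestamp
	Version    byte     // V1 == 0, the only version RFC 6962 defines
	LogID      [32]byte // SHA-256 of the log's public key (SubjectPublicKeyInfo DER)
	Timestamp  uint64   // milliseconds since the Unix epoch
	Extensions []byte
	Signature  DigitallySigned
}
// appendBE appends v as an n-byte big-endian integer: a TLS-style fixed field or length prefix.
func appendBE(out []byte, v uint64, n int) []byte {
	for i := n - 1; i >= 0; i-- {
		out = append(out, byte(v>>(8*uint(i))))
	}
	return out
}
// appendVec appends an n-byte length prefix then b; input the prefix cannot frame is rejected, never truncated (the page's Max*Length constants are exactly (1<<(8*n))-1).
func appendVec(out, b []byte, n int) ([]byte, error) {
	if uint64(len(b)) > (uint64(1)<<(8*uint(n)))-1 {
		return nil, errors.New("field exceeds its length prefix")
	}
	return append(appendBE(out, uint64(len(b)), n), b...), nil
}
// SerializeSCT builds the v1 wire form: version | log id | timestamp | extensions | DigitallySigned.
func SerializeSCT(sct SCT) ([]byte, error) {
	if sct.Version != 0 {
		return nil, errors.New("unsupported SCT version")
	}
	out, err := appendVec(appendBE(append([]byte{sct.Version}, sct.LogID[:]...), sct.Timestamp, 8), sct.Extensions, 2)
	if err != nil {
		return nil, err
	}
	return appendVec(append(out, sct.Signature.HashAlgorithm, sct.Signature.SignatureAlgorithm), sct.Signature.Signature, 2)
}
// SignatureInputX509 builds the bytes a log signs for an x509_entry: version | certificate_timestamp(0) | timestamp | x509_entry(0) | 3-byte-prefixed cert | extensions.
func SignatureInputX509(sct SCT, cert []byte) ([]byte, error) {
	out, err := appendVec(appendBE(appendBE([]byte{sct.Version, 0}, sct.Timestamp, 8), 0, 2), cert, 3)
	if err != nil {
		return nil, err
	}
	return appendVec(out, sct.Extensions, 2)
}
func main() { // stand-alone demo: an extensions field longer than MaxExtensionsLength must be rejected
	_, err := SerializeSCT(SCT{Extensions: make([]byte, 1<<16)})
	println("oversized extensions rejected:", err != nil)
}
```

A verifier should feed SignatureInputX509's output, not the serialized SCT, to the signature check; the two byte strings differ in both layout and content.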

type SignedTreeHead

type SignedTreeHead struct {
	Version           Version         `json:"sth_version"`         // The version of the protocol to which the STH conforms
	TreeSize          uint64          `json:"tree_size"`           // The number of entries in the new tree
	Timestamp         uint64          `json:"timestamp"`           // The time at which the STH was created
	SHA256RootHash    SHA256Hash      `json:"sha256_root_hash"`    // The root hash of the log's Merkle tree
	TreeHeadSignature DigitallySigned `json:"tree_head_signature"` // The Log's signature for this STH (see RFC section 3.5)
	LogID             SHA256Hash      `json:"log_id"`              // The SHA256 hash of the log's public key
}

SignedTreeHead represents the structure returned by the get-sth CT method after base64 decoding (see sections 3.5 and 4.3 in the RFC).

func (*SignedTreeHead) TimestampTime added in v0.15.0

func (sth *SignedTreeHead) TimestampTime() time.Time

type TimestampedEntry

type TimestampedEntry struct {
	Timestamp    uint64
	EntryType    LogEntryType
	X509Entry    ASN1Cert
	PrecertEntry PreCert
	Extensions   CTExtensions
}

TimestampedEntry is part of the MerkleTreeLeaf structure. See RFC section 3.4

type Version

type Version uint8

Version represents the Version enum from section 3.2 of the RFC: enum { v1(0), (255) } Version;

const (
	V1 Version = 0
)

CT Version constants, see section 3.2 of the RFC.

func (Version) String

func (v Version) String() string

Directories

Path Synopsis
Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
