Documentation
¶
Index ¶
- Variables
- func IsExpired(t time.Time) bool
- func RegisterVerifier(algorithm data.SigAlgorithm, v Verifier)
- func Sign(service CryptoService, s *data.Signed, keys ...data.PublicKey) error
- func Unmarshal(b []byte, v interface{}, role string, minVersion int, db *keys.KeyDB) error
- func UnmarshalTrusted(b []byte, v interface{}, role string, db *keys.KeyDB) error
- func Verify(s *data.Signed, role string, minVersion int, db *keys.KeyDB) error
- func VerifyRoot(s *data.Signed, minVersion int, keys map[string]data.PublicKey) error
- func VerifySignatures(s *data.Signed, role string, db *keys.KeyDB) error
- type CryptoService
- type ECDSAVerifier
- type Ed25519
- func (e *Ed25519) Create(role string, algorithm data.KeyAlgorithm) (data.PublicKey, error)
- func (e *Ed25519) GetKey(keyID string) data.PublicKey
- func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error)
- func (e *Ed25519) RemoveKey(keyID string) error
- func (e *Ed25519) Sign(keyIDs []string, toSign []byte) ([]data.Signature, error)
- type Ed25519Verifier
- type ErrExpired
- type ErrInvalidKeyLength
- type ErrInvalidKeyType
- type ErrLowVersion
- type ErrRoleThreshold
- type KeyService
- type RSAPKCS1v15Verifier
- type RSAPSSVerifier
- type RSAPyCryptoVerifier
- type SigningService
- type Verifier
Constants ¶
This section is empty.
Variables ¶
var ( ErrMissingKey = errors.New("tuf: missing key") ErrNoSignatures = errors.New("tuf: data has no signatures") ErrInvalid = errors.New("tuf: signature verification failed") ErrWrongMethod = errors.New("tuf: invalid signature type") ErrUnknownRole = errors.New("tuf: unknown role") ErrWrongType = errors.New("tuf: meta file has wrong type") )
Various basic signing errors
var Verifiers = map[data.SigAlgorithm]Verifier{ data.RSAPSSSignature: RSAPSSVerifier{}, data.RSAPKCS1v15Signature: RSAPKCS1v15Verifier{}, data.PyCryptoSignature: RSAPyCryptoVerifier{}, data.ECDSASignature: ECDSAVerifier{}, data.EDDSASignature: Ed25519Verifier{}, }
Verifiers serves as a map of all verifiers available on the system and can be injected into a verificationService. For testing and configuration purposes, it will not be used by default.
Functions ¶
func RegisterVerifier ¶
func RegisterVerifier(algorithm data.SigAlgorithm, v Verifier)
RegisterVerifier provides a convenience function for init() functions to register additional verifiers or replace existing ones.
func Sign ¶
Sign takes a data.Signed and a key, calculated and adds the signature to the data.Signed
func UnmarshalTrusted ¶
UnmarshalTrusted unmarshals and verifies signatures only, not metadata, for a given role's metadata
func VerifyRoot ¶
VerifyRoot checks if a given root file is valid against a known set of keys. Threshold is always assumed to be 1
Types ¶
type CryptoService ¶
type CryptoService interface {
SigningService
KeyService
}
CryptoService defines a unified Signing and Key Service as this will be most useful for most applications.
type ECDSAVerifier ¶
type ECDSAVerifier struct{}
ECDSAVerifier checks ECDSA signatures, decoding the keyType appropriately
type Ed25519 ¶
type Ed25519 struct {
// contains filtered or unexported fields
}
Ed25519 implements a simple in memory cryptosystem for ED25519 keys
func NewEd25519 ¶
func NewEd25519() *Ed25519
NewEd25519 initializes a new empty Ed25519 CryptoService that operates entirely in memory
func (*Ed25519) PublicKeys ¶
PublicKeys returns a map of public keys for the ids provided, when those IDs are found in the store.
type Ed25519Verifier ¶
type Ed25519Verifier struct{}
Ed25519Verifier used to verify Ed25519 signatures
type ErrExpired ¶
ErrExpired indicates a piece of metadata has expired
func (ErrExpired) Error ¶
func (e ErrExpired) Error() string
type ErrInvalidKeyLength ¶
type ErrInvalidKeyLength struct {
// contains filtered or unexported fields
}
ErrInvalidKeyLength indicates that while we may support the cipher, the provided key length is not specifically supported, i.e. we support RSA, but not 1024 bit keys
func (ErrInvalidKeyLength) Error ¶
func (e ErrInvalidKeyLength) Error() string
type ErrInvalidKeyType ¶
type ErrInvalidKeyType struct{}
ErrInvalidKeyType indicates the types for the key and signature it's associated with are mismatched. Probably a sign of malicious behaviour
func (ErrInvalidKeyType) Error ¶
func (e ErrInvalidKeyType) Error() string
type ErrLowVersion ¶
ErrLowVersion indicates the piece of metadata has a version number lower than a version number we're already seen for this role
func (ErrLowVersion) Error ¶
func (e ErrLowVersion) Error() string
type ErrRoleThreshold ¶
type ErrRoleThreshold struct{}
ErrRoleThreshold indicates we did not validate enough signatures to meet the threshold
func (ErrRoleThreshold) Error ¶
func (e ErrRoleThreshold) Error() string
type KeyService ¶
type KeyService interface {
// Create issues a new key pair and is responsible for loading
// the private key into the appropriate signing service.
// The role isn't currently used for anything, but it's here to support
// future features
Create(role string, algorithm data.KeyAlgorithm) (data.PublicKey, error)
// GetKey retrieves the public key if present, otherwise it returns nil
GetKey(keyID string) data.PublicKey
// RemoveKey deletes the specified key
RemoveKey(keyID string) error
}
KeyService provides management of keys locally. It will never accept or provide private keys. Communication between the KeyService and a SigningService happen behind the Create function.
type RSAPKCS1v15Verifier ¶
type RSAPKCS1v15Verifier struct{}
RSAPKCS1v15Verifier checks RSA PKCS1v15 signatures
type RSAPyCryptoVerifier ¶
type RSAPyCryptoVerifier struct{}
RSAPyCryptoVerifier checks RSASSA-PSS signatures
type SigningService ¶
type SigningService interface {
// Sign takes a slice of keyIDs and a piece of data to sign
// and returns a slice of signatures and an error
Sign(keyIDs []string, data []byte) ([]data.Signature, error)
}
SigningService defines the necessary functions to determine if a user is able to sign with a key, and to perform signing.
Source Files