pki

package

v0.0.32 Latest Latest Go to latest Published: Apr 17, 2024 License: AGPL-3.0, AGPL-3.0 Imports: 23 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/katzenpost/katzenpost

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func IsDescriptorWellFormed(d *MixDescriptor, epoch uint64) error
func IsDocumentWellFormed(d *Document, verifiers []sign.PublicKey) error
func MultiSignDocument(signer sign.PrivateKey, verifier sign.PublicKey, ...) ([]byte, error)
func SignDocument(signer sign.PrivateKey, verifier sign.PublicKey, d *Document) ([]byte, error)
type Client
type Document
- func FromPayload(verifier sign.PublicKey, payload []byte) (*Document, error)
- func ParseDocument(b []byte) (*Document, error)
type MixDescriptor
type SharedRandom
type SignedUpload
type Transport

Constants ¶

View Source

const (
	// LayerProvider is the Layer that providers list in their MixDescriptors.
	LayerProvider           = 255
	PublicKeyHashSize       = 32
	SharedRandomLength      = 40
	SharedRandomValueLength = 32

	// DocumentVersion identifies the document format version
	DocumentVersion = "v0"
)

View Source

const (
	DescriptorVersion = "v0"
)

Variables ¶

View Source

var (
	ErrNoSignature       = errors.New("MixDescriptor has no signature")
	ErrInvalidSignature  = errors.New("MixDescriptor has an invalid signature")
	ErrTooManySignatures = errors.New("MixDescriptor has more than one signature")
)

View Source

var (
	// ErrNoDocument is the error returned when there never will be a document
	// for a given epoch.
	ErrNoDocument = errors.New("pki: requested epoch will never get a document")

	// ErrInvalidPostEpoch is the error returned when the server rejects a
	// descriptor upload for a given epoch due to time reasons.
	ErrInvalidPostEpoch = errors.New("pki: post for epoch will never succeeed")

	// ErrInvalidEpoch is the error to return when the document epoch is invalid.
	ErrInvalidEpoch = errors.New("invalid document epoch")

	// ErrDocumentNotSigned is the error returned when deserializing an unsigned
	// document
	ErrDocumentNotSigned = errors.New("document not signed")

	// TrustOnFirstUseAuth is a MixDescriptor.AuthenticationType
	TrustOnFirstUseAuth = "tofu"

	// OutOfBandAuth is a MixDescriptor.AuthenticationType
	OutOfBandAuth = "oob"
)

Functions ¶

func IsDescriptorWellFormed ¶

func IsDescriptorWellFormed(d *MixDescriptor, epoch uint64) error

IsDescriptorWellFormed validates the descriptor and returns a descriptive error iff there are any problems that would make it unusable as part of a PKI Document.

func IsDocumentWellFormed ¶

func IsDocumentWellFormed(d *Document, verifiers []sign.PublicKey) error

IsDocumentWellFormed validates the document and returns a descriptive error iff there are any problems that invalidates the document.

func MultiSignDocument ¶

func MultiSignDocument(signer sign.PrivateKey, verifier sign.PublicKey, peerSignatures []*cert.Signature, verifiers map[[32]byte]sign.PublicKey, d *Document) ([]byte, error)

MultiSignDocument signs and serializes the document with the provided signing key, adding the signature to the existing signatures.

func SignDocument ¶

func SignDocument(signer sign.PrivateKey, verifier sign.PublicKey, d *Document) ([]byte, error)

SignDocument signs and serializes the document with the provided signing key.

Types ¶

type Client ¶

type Client interface {
	// Get returns the PKI document along with the raw serialized form for the provided epoch.
	Get(ctx context.Context, epoch uint64) (*Document, []byte, error)

	// Post posts the node's descriptor to the PKI for the provided epoch.
	Post(ctx context.Context, epoch uint64, signingPrivateKey sign.PrivateKey, signingPublicKey sign.PublicKey, d *MixDescriptor, loopstats *loops.LoopStats) error

	// Deserialize returns PKI document given the raw bytes.
	Deserialize(raw []byte) (*Document, error)
}

Client is the abstract interface used for PKI interaction.

type Document ¶

type Document struct {
	// Epoch is the epoch for which this Document instance is valid for.
	Epoch uint64

	// GenesisEpoch is the epoch on which authorities started consensus
	GenesisEpoch uint64

	// SendRatePerMinute is the number of packets per minute a client can send.
	SendRatePerMinute uint64

	// Mu is the inverse of the mean of the exponential distribution
	// that the Sphinx packet per-hop mixing delay will be sampled from.
	Mu float64

	// MuMaxDelay is the maximum Sphinx packet per-hop mixing delay in
	// milliseconds.
	MuMaxDelay uint64

	// LambdaP is the inverse of the mean of the exponential distribution
	// that clients will sample to determine the time interval between sending
	// messages from it's FIFO egress queue or drop decoy messages if the queue
	// is empty.
	LambdaP float64

	// LambdaPMaxDelay is the maximum time interval in milliseconds.
	LambdaPMaxDelay uint64

	// LambdaL is the inverse of the mean of the exponential distribution
	// that clients will sample to determine the time interval between sending
	// decoy loop messages.
	LambdaL float64

	// LambdaLMaxDelay is the maximum time interval in milliseconds.
	LambdaLMaxDelay uint64

	// LambdaD is the inverse of the mean of the exponential distribution
	// that clients will sample to determine the time interval between sending
	// decoy drop messages.
	LambdaD float64

	// LambdaDMaxDelay is the maximum time interval in milliseconds.
	LambdaDMaxDelay uint64

	// LambdaM is the inverse of the mean of the exponential distribution
	// that mixes will sample to determine send timing of mix loop decoy traffic.
	LambdaM float64

	// LambdaMMaxDelay is the maximum send interval in milliseconds.
	LambdaMMaxDelay uint64

	// Topology is the mix network topology, excluding providers.
	Topology [][]*MixDescriptor

	// Providers is the list of providers that can interact with the mix
	// network.
	Providers []*MixDescriptor

	// Signatures holds detached Signatures from deserializing a signed Document
	Signatures map[[PublicKeyHashSize]byte]cert.Signature `cbor:"-"`

	// SharedRandomCommit used by the voting process.
	SharedRandomCommit map[[PublicKeyHashSize]byte][]byte

	// SharedRandomReveal used by the voting process.
	SharedRandomReveal map[[PublicKeyHashSize]byte][]byte

	// SharedRandomValue produced by voting process.
	SharedRandomValue []byte

	// PriorSharedRandom used by applications that need a longer lived SRV.
	PriorSharedRandom [][]byte

	// SphinxGeometryHash is used to ensure all mixnet actors have the same
	// Sphinx Geometry.
	SphinxGeometryHash []byte

	// Version uniquely identifies the document format as being for the
	// specified version so that it can be rejected if the format changes.
	Version string
}

Document is a PKI document.

func FromPayload ¶

func FromPayload(verifier sign.PublicKey, payload []byte) (*Document, error)

FromPayload deserializes, then verifies a Document, and returns the Document or error.

func ParseDocument ¶

func ParseDocument(b []byte) (*Document, error)

ParseDocument deserializes the document.

func (*Document) AddSignature ¶

func (d *Document) AddSignature(verifier sign.PublicKey, signature cert.Signature) error

AddSignature will add a Signature over this Document if it is signed by verifier.

func (*Document) GetMix ¶

func (d *Document) GetMix(name string) (*MixDescriptor, error)

GetMix returns the MixDescriptor for the given mix Name.

func (*Document) GetMixByKeyHash ¶

func (d *Document) GetMixByKeyHash(keyhash *[32]byte) (*MixDescriptor, error)

GetMixByKey returns the specific mix descriptor corresponding to the specified IdentityKey hash.

func (*Document) GetMixLayer ¶

func (d *Document) GetMixLayer(keyhash *[32]byte) (uint8, error)

GetMixLayer returns the assigned layer for the given mix from Topology

func (*Document) GetMixesInLayer ¶

func (d *Document) GetMixesInLayer(layer uint8) ([]*MixDescriptor, error)

GetMixesInLayer returns all the mix descriptors for a given layer.

func (*Document) GetNode ¶

func (d *Document) GetNode(name string) (*MixDescriptor, error)

GetNode returns the specific descriptor corresponding to the specified node Name.

func (*Document) GetNodeByKeyHash ¶

func (d *Document) GetNodeByKeyHash(keyhash *[32]byte) (*MixDescriptor, error)

GetNodeByKeyHash returns the specific descriptor corresponding to the specified IdentityKey hash.

func (*Document) GetProvider ¶

func (d *Document) GetProvider(name string) (*MixDescriptor, error)

GetProvider returns the MixDescriptor for the given provider Name.

func (*Document) GetProviderByKeyHash ¶

func (d *Document) GetProviderByKeyHash(keyhash *[32]byte) (*MixDescriptor, error)

GetProviderByKeyHash returns the specific provider descriptor corresponding to the specified IdentityKey hash.

func (*Document) MarshalBinary ¶

func (d *Document) MarshalBinary() ([]byte, error)

MarshalBinary implements encoding.BinaryMarshaler interface and wraps a Document with a cert.Certificate

func (*Document) String ¶

func (d *Document) String() string

String returns a string representation of a Document.

func (*Document) Sum256 ¶

func (d *Document) Sum256() [32]byte

func (*Document) UnmarshalBinary ¶

func (d *Document) UnmarshalBinary(data []byte) error

UnmarshalBinary implements encoding.BinaryUnmarshaler interface and populates Document with detached Signatures

type MixDescriptor ¶

type MixDescriptor struct {
	// Name is the human readable (descriptive) node identifier.
	Name string

	// Epoch is the Epoch in which this descriptor was created
	Epoch uint64

	// IdentityKey is the node's identity (signing) key.
	IdentityKey []byte

	// LinkKey is the node's wire protocol public key.
	LinkKey []byte

	// MixKeys is a map of epochs to Sphinx keys.
	MixKeys map[uint64][]byte

	// Addresses is the map of transport to address combinations that can
	// be used to reach the node.
	Addresses map[Transport][]string

	// Kaetzchen is the map of provider autoresponder agents by capability
	// to parameters.
	Kaetzchen map[string]map[string]interface{} `cbor:"omitempty"`

	// Provider indicates that this Mix is a Provider
	Provider bool

	// LoadWeight is the node's load balancing weight (unused).
	LoadWeight uint8

	// AuthenticationType is the authentication mechanism required
	AuthenticationType string

	// Version uniquely identifies the descriptor format as being for the
	// specified version so that it can be rejected if the format changes.
	Version string
}

MixDescriptor is a description of a given Mix or Provider (node).

func (*MixDescriptor) MarshalBinary ¶

func (d *MixDescriptor) MarshalBinary() ([]byte, error)

MarshalBinary implmements encoding.BinaryMarshaler

func (*MixDescriptor) String ¶

func (d *MixDescriptor) String() string

String returns a human readable MixDescriptor suitable for terse logging.

func (*MixDescriptor) UnmarshalBinary ¶

func (d *MixDescriptor) UnmarshalBinary(data []byte) error

UnmarshalBinary implements encoding.BinaryUnmarshaler interface

func (*MixDescriptor) UnmarshalMixKeyAsKEM ¶

func (d *MixDescriptor) UnmarshalMixKeyAsKEM(epoch uint64, g *geo.Geometry) (kem.PublicKey, error)

func (*MixDescriptor) UnmarshalMixKeyAsNike ¶

func (d *MixDescriptor) UnmarshalMixKeyAsNike(epoch uint64, g *geo.Geometry) (nike.PublicKey, error)

type SharedRandom ¶

type SharedRandom struct {
	// contains filtered or unexported fields
}

SharedRandom is a container for commit-and-reveal protocol messages

func (*SharedRandom) Commit ¶

func (s *SharedRandom) Commit(epoch uint64) ([]byte, error)

Commit produces a SharedRandom commit value for the given epoch

func (*SharedRandom) GetCommit ¶

func (s *SharedRandom) GetCommit() []byte

GetCommit returns the commit value

func (*SharedRandom) GetEpoch ¶

func (s *SharedRandom) GetEpoch() uint64

GetEpoch returns the epoch value

func (*SharedRandom) Reveal ¶

func (s *SharedRandom) Reveal() []byte

Reveal returns the reveal value

func (*SharedRandom) SetCommit ¶

func (s *SharedRandom) SetCommit(rawCommit []byte)

SetCommit sets the commit value

func (*SharedRandom) Verify ¶

func (s *SharedRandom) Verify(reveal []byte) bool

Verify checks that the reveal value verifies the commit value

type SignedUpload ¶ added in v0.0.32

type SignedUpload struct {
	// Signature is the signature over the serialized SignedUpload.
	Signature *cert.Signature

	// MixDescriptor is the mix descriptor.
	MixDescriptor *MixDescriptor

	// LoopStats is the mix loop statistics.
	LoopStats *loops.LoopStats
}

func (*SignedUpload) Marshal ¶ added in v0.0.32

func (s *SignedUpload) Marshal() ([]byte, error)

func (*SignedUpload) Sign ¶ added in v0.0.32

func (s *SignedUpload) Sign(privKey sign.PrivateKey, pubKey sign.PublicKey) error

func (*SignedUpload) Unmarshal ¶ added in v0.0.32

func (s *SignedUpload) Unmarshal(data []byte) error

func (*SignedUpload) Verify ¶ added in v0.0.32

func (s *SignedUpload) Verify(pubKey sign.PublicKey) bool

type Transport ¶

type Transport string

Transport is a link transport protocol.

var (
	// TransportInvalid is the invalid transport.
	TransportInvalid Transport

	// TransportTCP is TCP, with the IP version determined by the results of
	// a name server lookup.
	TransportTCP Transport = "tcp"

	// TransportTCPv4 is TCP over IPv4.
	TransportTCPv4 Transport = "tcp4"

	// TransportTCPv6 is TCP over IPv6.
	TransportTCPv6 Transport = "tcp6"

	// InternalTransports is the list of transports used for non-client related
	// communications.
	InternalTransports = []Transport{TransportTCPv4, TransportTCPv6}

	// ClientTransports is the list of transports used by default for client
	// to provider communication.
	ClientTransports = []Transport{TransportTCP, TransportTCPv4, TransportTCPv6}
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL