Documentation
¶
Index ¶
- Constants
- Variables
- func EncodeSignedIssuer(signed SignedIssuer) ([]byte, error)
- type AS
- type ASVerifier
- type Base
- type Chain
- type CritAS
- type CritIssuer
- type EncodedAS
- type EncodedIssuer
- type EncodedProtectedAS
- type EncodedProtectedIssuer
- type FormatVersion
- type Issuer
- type IssuerCertID
- type IssuerTRC
- type IssuerVerifier
- type KeyType
- type ProtectedAS
- type ProtectedIssuer
- type SignatureTypeCertificate
- type SignatureTypeTRC
- type SignedAS
- type SignedIssuer
- type TypeAS
- type TypeIssuer
Constants ¶
const ( // ErrWildcardIssuer indicates the issuer is a wildcard IA. ErrWildcardIssuer common.ErrMsg = "issuer.ia is wildcard" // ErrIssuerDifferentISD indicates that the issuing AS is in a different ISD. ErrIssuerDifferentISD common.ErrMsg = "issuing.ia in different ISD" // ErrInvalidCertificateType indicates the certificate type is invalid. ErrInvalidCertificateType common.ErrMsg = "invalid certificate_type" )
const ( // ErrInvalidKeyType indicates an inexistent key type. ErrInvalidKeyType common.ErrMsg = "invalid key type" // ErrInvalidVersion indicates an invalid certificate version. ErrInvalidVersion common.ErrMsg = "Invalid certificate version" // ErrUnsupportedFormat indicates an invalid certificate format. ErrUnsupportedFormat common.ErrMsg = "Unsupported certificate format" )
Parsing errors with context.
const ( // ErrInvalidValidityPeriod indicates an invalid validity period. ErrInvalidValidityPeriod common.ErrMsg = "invalid validity period" // ErrInvalidSubject indicates that the subject contains a wildcard. ErrInvalidSubject common.ErrMsg = "subject contains wildcard" // ErrInvalidDistributionPoint indicates that the distribution point is a wildcard. ErrInvalidDistributionPoint common.ErrMsg = "distribution point contains wildcard" // ErrUnexpectedKey indicates that the certificate holds an excess key. ErrUnexpectedKey common.ErrMsg = "unexpected key" // ErrMissingKey indicates that the certificate is missing a key. ErrMissingKey common.ErrMsg = "missing key" )
Validation errors with context.
const ( IssuingKeyJSON = "issuing" SigningKeyJSON = "signing" EncryptionKeyJSON = "encryption" RevocationKeyJSON = "revocation" )
const ( // ErrASValidityNotCovered indicates the AS certificate's validity period is // not covered by the issuer certificate's validity period. ErrASValidityNotCovered common.ErrMsg = "AS validity not covered" // ErrIssuerValidityNotCovered indicates the issuer certificate's validity // period is not covered by the TRC's validity period. ErrIssuerValidityNotCovered common.ErrMsg = "AS validity not covered" // ErrUnexpectedIssuer indicates another issuer is expected. ErrUnexpectedIssuer common.ErrMsg = "wrong issuer" // ErrUnexpectedCertificateVersion indicates another issuer certificate version is expected. ErrUnexpectedCertificateVersion common.ErrMsg = "wrong certificate version" // ErrUnexpectedTRCVersion indicates another TRC version is expected. ErrUnexpectedTRCVersion common.ErrMsg = "wrong TRC version" // ErrInvalidProtected indicates an invalid protected meta. ErrInvalidProtected common.ErrMsg = "invalid protected meta" )
const ErrInvalidChainLength common.ErrMsg = "invalid chain length"
ErrInvalidChainLength indicates an invalid chain length.
const ( // ErrInvalidSignatureType indicates an invalid signature type. ErrInvalidSignatureType common.ErrMsg = "invalid signature type" )
const SignatureTypeCertificateJSON = "certificate"
const SignatureTypeTRCJSON = "trc"
const TypeASJSON = "as"
const TypeIssuerJSON = "issuer"
Variables ¶
var ( // ErrIssuerIANotSet indicates the issuer ia is not set. ErrIssuerIANotSet = errors.New("issuer.ia not set") // ErrIssuerCertificateVersionNotSet indicates the issuer certificate version is not set. ErrIssuerCertificateVersionNotSet = errors.New("issuer.certificate_version not set") )
var ( // ErrSubjectNotSet indicates subject is not set. ErrSubjectNotSet = errors.New("subject not set") // ErrVersionNotSet indicates version is not set. ErrVersionNotSet = errors.New("version not set") // ErrFormatVersionNotSet indicates format_version is not set. ErrFormatVersionNotSet = errors.New("format_version not set") // ErrDescriptionNotSet indicates description is not set. ErrDescriptionNotSet = errors.New("description not set") // ErrOptionalDistributionPointsNotSet indicates optional_distribution_points is not set. ErrOptionalDistributionPointsNotSet = errors.New("optional_distribution_points not set") // ErrValidityNotSet indicates validity is not set. ErrValidityNotSet = errors.New("validity not set") // ErrKeysNotSet indicates keys is not set. ErrKeysNotSet = errors.New("keys not set") // ErrIssuerNotSet indicates issuer is not set. ErrIssuerNotSet = errors.New("issuer not set") // ErrCertificateTypeNotSet indicates certificate_type is not set. ErrCertificateTypeNotSet = errors.New("certificate_type not set") )
Parsing errors.
var ( // ErrCritNotSet indicates that crit is not set. ErrCritNotSet = errors.New("crit not set") // ErrNotUTF8 indicates an invalid encoding. ErrNotUTF8 = errors.New("not utf-8 encoded") // ErrSignatureTypeNotSet indicates the signature type is not set. ErrSignatureTypeNotSet = errors.New("signature type not set") )
var ( // ErrAlgorithmNotSet indicates the key algorithm is not set. ErrAlgorithmNotSet = errors.New("algorithm not set") )
Validation errors.
var ErrIANotSet = errors.New("ia not set")
ErrIANotSet indicates the issuing ia is not set.
var ( // ErrIssuerTRCVersionNotSet indicates the issuer TRC version is not set. ErrIssuerTRCVersionNotSet = errors.New("issuer.trc_version not set") )
var ( // ErrNotIssuing indicates that the subject of the issuer certificate is not // and issuing AS, and not allowed to self-sign the certificate. ErrNotIssuing = errors.New("not an issuing primary") )
var ( // ErrTRCVersionNotSet indicates the TRC version is not set. ErrTRCVersionNotSet = errors.New("trc_version not set") )
Functions ¶
func EncodeSignedIssuer ¶ added in v0.5.0
func EncodeSignedIssuer(signed SignedIssuer) ([]byte, error)
EncodeSignedIssuer encodes the signed issuer certificate to raw bytes.
Types ¶
type AS ¶ added in v0.5.0
type AS struct {
Base
// Issuer holds the identifiers of the issuing issuer certificate.
Issuer IssuerCertID `json:"issuer"`
// CertificateType ensures the correct certificate type when marshalling.
CertificateType TypeAS `json:"certificate_type"`
}
AS is the AS certificate.
func (*AS) UnmarshalJSON ¶ added in v0.5.0
UnmarshalJSON checks that all fields are set.
type ASVerifier ¶ added in v0.5.0
ASVerifier verifies the AS certificate based on the trusted issuer certificate. The caller must ensure that the issuer certificate is verified, and that the AS certificate is valid and decoded from the signed AS certificate.
func (ASVerifier) Verify ¶ added in v0.5.0
func (v ASVerifier) Verify() error
Verify verifies the AS certificate.
type Base ¶ added in v0.5.0
type Base struct {
// Subject identifies the subject of the certificate.
Subject addr.IA `json:"subject"`
// Version indicates the certificate version.
Version scrypto.Version `json:"version"`
// FormatVersion is the certificate format version.
FormatVersion FormatVersion `json:"format_version"`
// Description is a human-readable description of the certificate.
Description string `json:"description"`
// OptionalDistributionPoints contains optional certificate revocation
// distribution points.
OptionalDistributionPoints []addr.IA `json:"optional_distribution_points"`
// Validity defines the validity period of the certificate.
Validity *scrypto.Validity `json:"validity"`
// Keys holds all keys authenticated by this certificate.
Keys map[KeyType]scrypto.KeyMeta `json:"keys"`
}
Base contains the shared fields between the issuer and AS certificate.
type Chain ¶
type Chain struct {
// Issuer contains the signed issuer certificate.
Issuer SignedIssuer
// AS contains the signed AS certificate.
AS SignedAS
}
Chain represents the certificate chain.
func ParseChain ¶ added in v0.5.0
ParseChain parses the raw chain.
func (Chain) MarshalJSON ¶ added in v0.5.0
MarshalJSON packs the chain as a json array.
func (*Chain) UnmarshalJSON ¶
UnmarshalJSON unpacks the chain formatted as a json array.
type CritAS ¶ added in v0.5.0
type CritAS struct{}
CritAS is the "crit" section for the AS certificate (see: https://tools.ietf.org/html/rfc7515#section-4.1.11).
func (CritAS) MarshalJSON ¶ added in v0.5.0
MarshalJSON returns a json array with the expected crit elements.
func (CritAS) UnmarshalJSON ¶ added in v0.5.0
UnmarshalJSON checks that all expected elements and no other are in the array.
type CritIssuer ¶ added in v0.5.0
type CritIssuer struct{}
CritIssuer is the "crit" section for the issuer certificate (see: https://tools.ietf.org/html/rfc7515#section-4.1.11).
func (CritIssuer) MarshalJSON ¶ added in v0.5.0
func (CritIssuer) MarshalJSON() ([]byte, error)
MarshalJSON returns a json array with the expected crit elements.
func (CritIssuer) UnmarshalJSON ¶ added in v0.5.0
func (CritIssuer) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all expected elements and no other are in the array.
type EncodedAS ¶ added in v0.5.0
type EncodedAS string
EncodedAS is the the base64url encoded marshaled AS certificate. It is a string type to prevent json.Marshal from encoding it to base64 a second time.
type EncodedIssuer ¶ added in v0.5.0
type EncodedIssuer string
EncodedIssuer is the the base64url encoded marshaled issuer certificate. It is a string type to prevent json.Marshal from encoding it to base64 a second time.
func EncodeIssuer ¶ added in v0.5.0
func EncodeIssuer(c *Issuer) (EncodedIssuer, error)
EncodeIssuer encodes and returns the packed issuer certificate.
func (EncodedIssuer) Decode ¶ added in v0.5.0
func (p EncodedIssuer) Decode() (*Issuer, error)
Decode returns the decoded Decode.
type EncodedProtectedAS ¶ added in v0.5.0
type EncodedProtectedAS string
EncodedProtectedAS is the base64url encoded utf-8 metadata. It is a string type to prevent json.Marshal from encoding it to base64 a second time.
func EncodeProtectedAS ¶ added in v0.5.0
func EncodeProtectedAS(p ProtectedAS) (EncodedProtectedAS, error)
EncodeProtectedAS encodes the protected header.
func (EncodedProtectedAS) Decode ¶ added in v0.5.0
func (h EncodedProtectedAS) Decode() (ProtectedAS, error)
Decode decodes and return the protected header.
type EncodedProtectedIssuer ¶ added in v0.5.0
type EncodedProtectedIssuer string
EncodedProtectedIssuer is the base64url encoded utf-8 metadata. It is a string type to prevent json.Marshal from encoding it to base64 a second time.
func EncodeProtectedIssuer ¶ added in v0.5.0
func EncodeProtectedIssuer(p ProtectedIssuer) (EncodedProtectedIssuer, error)
EncodeProtectedIssuer encodes the protected header.
func (EncodedProtectedIssuer) Decode ¶ added in v0.5.0
func (h EncodedProtectedIssuer) Decode() (ProtectedIssuer, error)
Decode decodes and return the protected header.
type FormatVersion ¶ added in v0.5.0
type FormatVersion uint8
FormatVersion indicates the certificate format version. Currently, only format version 1 is supported.
func (*FormatVersion) UnmarshalJSON ¶ added in v0.5.0
func (v *FormatVersion) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that the FormatVersion is supported.
type Issuer ¶ added in v0.5.0
type Issuer struct {
Base
// Issuer holds the TRC Version. Since the issuer certificate is
// self-signed, the issuing AS in the TRC is the same as the subject of this
// certificate.
Issuer IssuerTRC `json:"issuer"`
// CertificateType ensures the correct certificate type when marshalling.
CertificateType TypeIssuer `json:"certificate_type"`
}
Issuer is the Issuer certificate.
func (*Issuer) UnmarshalJSON ¶ added in v0.5.0
UnmarshalJSON checks that all fields are set.
type IssuerCertID ¶ added in v0.5.0
type IssuerCertID struct {
// IA is the subject of the issuing issuer certificate.
IA addr.IA `json:"isd_as"`
// CertificateVersion is the version of the issuing issuer certificate.
CertificateVersion scrypto.Version `json:"certificate_version"`
}
IssuerCertID identifies the issuer certificate that authenticates the AS certificate.
func (*IssuerCertID) UnmarshalJSON ¶ added in v0.5.0
func (i *IssuerCertID) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all fields are set.
type IssuerTRC ¶ added in v0.5.0
type IssuerTRC struct {
// TRCVersion is the version of the issuing TRC.
TRCVersion scrypto.Version `json:"trc_version"`
}
IssuerTRC identifies the TRC that authenticates the issuer certificate. The issuer certificate is self-signed, thus, the issuing AS and TRC ISD are implied by the subject.
func (*IssuerTRC) UnmarshalJSON ¶ added in v0.5.0
UnmarshalJSON checks that all fields are set.
type IssuerVerifier ¶ added in v0.5.0
type IssuerVerifier struct {
TRC *trc.TRC
Issuer *Issuer
SignedIssuer *SignedIssuer
}
IssuerVerifier verifies the issuer certificate based on the trusted TRC. The caller must ensure that the TRC is verified, and that the issuer certificate is valid and decoded from the signed issuer certificate.
func (IssuerVerifier) Verify ¶ added in v0.5.0
func (v IssuerVerifier) Verify() error
Verify verifies the issuer certificate.
type KeyType ¶ added in v0.5.0
type KeyType int
KeyType indicates the type of the key authenticated by the certificate.
Because KeyType is used as a map key, it cannot be a string type. (see: https://github.com/golang/go/issues/33298)
const ( // IssuingKey is the issuing key type. It must only appear in issuer certificates. IssuingKey KeyType // SigningKey is the signing key type. It must only appear in AS certificates. SigningKey // EncryptionKey is the encryption key type. It must only appear in AS certificates. EncryptionKey // RevocationKey is the revocation key type. It may appear in AS and issuer certificates. RevocationKey )
func (KeyType) MarshalText ¶ added in v0.5.0
MarshalText is implemented to allow KeyType to be used as JSON map key. This must be a value receiver in order for KeyType fields in a struct to marshal correctly.
func (*KeyType) UnmarshalText ¶ added in v0.5.0
UnmarshalText allows KeyType to be used as a map key and do validation when parsing.
type ProtectedAS ¶ added in v0.5.0
type ProtectedAS struct {
Algorithm string `json:"alg"`
Crit CritAS `json:"crit"`
Type SignatureTypeCertificate `json:"type"`
CertificateVersion scrypto.Version `json:"certificate_version"`
IA addr.IA `json:"isd_as"`
}
ProtectedAS is the signature metadata.
func (*ProtectedAS) UnmarshalJSON ¶ added in v0.5.0
func (p *ProtectedAS) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all fields are set.
type ProtectedIssuer ¶ added in v0.5.0
type ProtectedIssuer struct {
Algorithm string `json:"alg"`
Type SignatureTypeTRC `json:"type"`
TRCVersion scrypto.Version `json:"trc_version"`
Crit CritIssuer `json:"crit"`
}
ProtectedIssuer is the signature metadata.
func (*ProtectedIssuer) UnmarshalJSON ¶ added in v0.5.0
func (p *ProtectedIssuer) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all fields are set.
type SignatureTypeCertificate ¶ added in v0.5.0
type SignatureTypeCertificate struct{}
SignatureTypeCertificate indicates the public key is authenticated by an issuer certificate.
func (SignatureTypeCertificate) MarshalText ¶ added in v0.5.0
func (t SignatureTypeCertificate) MarshalText() ([]byte, error)
func (*SignatureTypeCertificate) UnmarshalText ¶ added in v0.5.0
func (t *SignatureTypeCertificate) UnmarshalText(b []byte) error
UnmarshalText checks the signature type is correct.
type SignatureTypeTRC ¶ added in v0.5.0
type SignatureTypeTRC struct{}
SignatureTypeTRC indicates the public key is authenticated by an issuer certificate.
func (SignatureTypeTRC) MarshalText ¶ added in v0.5.0
func (t SignatureTypeTRC) MarshalText() ([]byte, error)
func (*SignatureTypeTRC) UnmarshalText ¶ added in v0.5.0
func (t *SignatureTypeTRC) UnmarshalText(b []byte) error
UnmarshalText checks the signature type is correct.
type SignedAS ¶ added in v0.5.0
type SignedAS struct {
Encoded EncodedAS `json:"payload"`
EncodedProtected EncodedProtectedAS `json:"protected"`
Signature scrypto.JWSignature `json:"signature"`
}
func (SignedAS) SigInput ¶ added in v0.5.0
SigInput computes the signature input according to rfc7517 (see: https://tools.ietf.org/html/rfc7515#section-5.1)
type SignedIssuer ¶ added in v0.5.0
type SignedIssuer struct {
Encoded EncodedIssuer `json:"payload"`
EncodedProtected EncodedProtectedIssuer `json:"protected"`
Signature scrypto.JWSignature `json:"signature"`
}
func ParseSignedIssuer ¶ added in v0.5.0
func ParseSignedIssuer(raw []byte) (SignedIssuer, error)
ParseSignedIssuer parses the raw signed issuer certificate.
func (SignedIssuer) SigInput ¶ added in v0.5.0
func (s SignedIssuer) SigInput() []byte
SigInput computes the signature input according to rfc7517 (see: https://tools.ietf.org/html/rfc7515#section-5.1)
type TypeAS ¶ added in v0.5.0
type TypeAS struct{}
TypeAS indicates an AS certificate.
func (TypeAS) MarshalText ¶ added in v0.5.0
MarshalText returns the AS certificate type.
func (TypeAS) UnmarshalText ¶ added in v0.5.0
UnmarshalText checks that the certificate type matches.
type TypeIssuer ¶ added in v0.5.0
type TypeIssuer struct{}
TypeIssuer indicates an AS certificate.
func (TypeIssuer) MarshalText ¶ added in v0.5.0
func (TypeIssuer) MarshalText() ([]byte, error)
MarshalText returns the AS certificate type.
func (TypeIssuer) UnmarshalText ¶ added in v0.5.0
func (TypeIssuer) UnmarshalText(b []byte) error
UnmarshalText checks that the certificate type matches.
Source Files
Directories