Documentation
¶
Index ¶
- Constants
- Variables
- type AS
- type ASVerifier
- type Base
- type Chain
- type CritAS
- type CritIssuer
- type EncodedAS
- type EncodedIssuer
- type EncodedProtectedAS
- type EncodedProtectedIssuer
- type FormatVersion
- type Issuer
- type IssuerCertID
- type IssuerTRC
- type IssuerVerifier
- type KeyType
- type ProtectedAS
- type ProtectedIssuer
- type SignatureTypeCertificate
- type SignatureTypeTRC
- type SignedAS
- type SignedIssuer
- type TypeAS
- type TypeIssuer
Constants ¶
const ( // ErrWildcardIssuer indicates the issuer is a wildcard IA. ErrWildcardIssuer common.ErrMsg = "issuer.ia is wildcard" // ErrIssuerDifferentISD indicates that the issuing AS is in a different ISD. ErrIssuerDifferentISD common.ErrMsg = "issuing.ia in different ISD" // ErrInvalidCertificateType indicates the certificate type is invalid. ErrInvalidCertificateType common.ErrMsg = "invalid certificate_type" )
const ( // ErrInvalidKeyType indicates an inexistent key type. ErrInvalidKeyType common.ErrMsg = "invalid key type" // ErrInvalidVersion indicates an invalid certificate version. ErrInvalidVersion common.ErrMsg = "Invalid certificate version" // ErrUnsupportedFormat indicates an invalid certificate format. ErrUnsupportedFormat common.ErrMsg = "Unsupported certificate format" )
Parsing errors with context.
const ( // ErrInvalidValidityPeriod indicates an invalid validity period. ErrInvalidValidityPeriod common.ErrMsg = "invalid validity period" // ErrInvalidSubject indicates that the subject contains a wildcard. ErrInvalidSubject common.ErrMsg = "subject contains wildcard" // ErrInvalidDistributionPoint indicates that the distribution point is a wildcard. ErrInvalidDistributionPoint common.ErrMsg = "distribution point contains wildcard" // ErrUnexpectedKey indicates that the certificate holds an excess key. ErrUnexpectedKey common.ErrMsg = "unexpected key" // ErrMissingKey indicates that the certificate is missing a key. ErrMissingKey common.ErrMsg = "missing key" )
Validation errors with context.
const ( IssuingKeyJSON = "issuing" SigningKeyJSON = "signing" EncryptionKeyJSON = "encryption" RevocationKeyJSON = "revocation" )
const ( // ErrInvalidCrit indicates that the value for the crit key is invalid. ErrInvalidCrit common.ErrMsg = "invalid crit" // ErrInvalidSignatureType indicates an invalid signature type. ErrInvalidSignatureType common.ErrMsg = "invalid signature type" )
const ( // ErrASValidityNotCovered indicates the AS certificate's validity period is // not covered by the issuer certificate's validity period. ErrASValidityNotCovered common.ErrMsg = "AS validity not covered" // ErrIssuerValidityNotCovered indicates the issuer certificate's validity // period is not covered by the TRC's validity period. ErrIssuerValidityNotCovered common.ErrMsg = "AS validity not covered" // ErrUnexpectedIssuer indicates another issuer is expected. ErrUnexpectedIssuer common.ErrMsg = "wrong issuer" // ErrUnexpectedCertificateVersion indicates another issuer certificate version is expected. ErrUnexpectedCertificateVersion common.ErrMsg = "wrong certificate version" // ErrUnexpectedTRCVersion indicates another TRC version is expected. ErrUnexpectedTRCVersion common.ErrMsg = "wrong TRC version" // ErrInvalidProtected indicates an invalid protected meta. ErrInvalidProtected common.ErrMsg = "invalid protected meta" )
const ErrInvalidChainLength common.ErrMsg = "invalid chain length"
ErrInvalidChainLength indicates an invalid chain length.
const SignatureTypeCertificateJSON = "certificate"
const SignatureTypeTRCJSON = "trc"
const TypeASJSON = "as"
const TypeIssuerJSON = "issuer"
Variables ¶
var ( // ErrIssuerIANotSet indicates the issuer ia is not set. ErrIssuerIANotSet = errors.New("issuer.ia not set") // ErrIssuerCertificateVersionNotSet indicates the issuer certificate version is not set. ErrIssuerCertificateVersionNotSet = errors.New("issuer.certificate_version not set") )
var ( // ErrSubjectNotSet indicates subject is not set. ErrSubjectNotSet = errors.New("subject not set") // ErrVersionNotSet indicates version is not set. ErrVersionNotSet = errors.New("version not set") // ErrFormatVersionNotSet indicates format_version is not set. ErrFormatVersionNotSet = errors.New("format_version not set") // ErrDescriptionNotSet indicates description is not set. ErrDescriptionNotSet = errors.New("description not set") // ErrOptionalDistributionPointsNotSet indicates optional_distribution_points is not set. ErrOptionalDistributionPointsNotSet = errors.New("optional_distribution_points not set") // ErrValidityNotSet indicates validity is not set. ErrValidityNotSet = errors.New("validity not set") // ErrKeysNotSet indicates keys is not set. ErrKeysNotSet = errors.New("keys not set") // ErrIssuerNotSet indicates issuer is not set. ErrIssuerNotSet = errors.New("issuer not set") // ErrCertificateTypeNotSet indicates certificate_type is not set. ErrCertificateTypeNotSet = errors.New("certificate_type not set") )
Parsing errors.
var ( // ErrCritNotSet indicates that crit is not set. ErrCritNotSet = errors.New("crit not set") // ErrNotUTF8 indicates an invalid encoding. ErrNotUTF8 = errors.New("not utf-8 encoded") // ErrSignatureTypeNotSet indicates the signature type is not set. ErrSignatureTypeNotSet = errors.New("signature type not set") )
var ( // ErrAlgorithmNotSet indicates the key algorithm is not set. ErrAlgorithmNotSet = errors.New("algorithm not set") )
Validation errors.
var ErrIANotSet = errors.New("ia not set")
ErrIANotSet indicates the issuing ia is not set.
var ( // ErrIssuerTRCVersionNotSet indicates the issuer TRC version is not set. ErrIssuerTRCVersionNotSet = errors.New("issuer.trc_version not set") )
var ( // ErrNotIssuing indicates that the subject of the issuer certificate is not // and issuing AS, and not allowed to self-sign the certificate. ErrNotIssuing = errors.New("not an issuing primary") )
var ( // ErrTRCVersionNotSet indicates the TRC version is not set. ErrTRCVersionNotSet = errors.New("trc_version not set") )
Functions ¶
This section is empty.
Types ¶
type AS ¶
type AS struct {
Base
// Issuer holds the identifiers of the issuing issuer certificate.
Issuer IssuerCertID `json:"issuer"`
// CertificateType ensures the correct certificate type when marshalling.
CertificateType TypeAS `json:"certificate_type"`
}
AS is the AS certificate.
func (*AS) UnmarshalJSON ¶
UnmarshalJSON checks that all fields are set.
type ASVerifier ¶
ASVerifier verifies the AS certificate based on the trusted issuer certificate. The caller must ensure that the issuer certificate is verified, and that the AS certificate is valid and decoded from the signed AS certificate.
type Base ¶
type Base struct {
// Subject identifies the subject of the certificate.
Subject addr.IA `json:"subject"`
// Version indicates the certificate version.
Version scrypto.Version `json:"version"`
// FormatVersion is the certificate format version.
FormatVersion FormatVersion `json:"format_version"`
// Description is a human-readable description of the certificate.
Description string `json:"description"`
// OptionalDistributionPoints contains optional certificate revocation
// distribution points.
OptionalDistributionPoints []addr.IA `json:"optional_distribution_points"`
// Validity defines the validity period of the certificate.
Validity *scrypto.Validity `json:"validity"`
// Keys holds all keys authenticated by this certificate.
Keys map[KeyType]scrypto.KeyMeta `json:"keys"`
}
Base contains the shared fields between the issuer and AS certificate.
type Chain ¶
type Chain struct {
// Issuer contains the signed issuer certificate.
Issuer SignedIssuer
// AS contains the signed AS certificate.
AS SignedAS
}
Chain represents the certificate chain.
func (Chain) MarshalJSON ¶
MarshalJSON packs the chain as a json array.
func (*Chain) UnmarshalJSON ¶
UnmarshalJSON unpacks the chain formatted as a json array.
type CritAS ¶
type CritAS struct{}
CritAS is the "crit" section for the AS certificate (see: https://tools.ietf.org/html/rfc7515#section-4.1.11).
func (CritAS) MarshalJSON ¶
MarshalJSON returns a json array with the expected crit elements.
func (CritAS) UnmarshalJSON ¶
UnmarshalJSON checks that all expected elements and no other are in the array.
type CritIssuer ¶
type CritIssuer struct{}
CritIssuer is the "crit" section for the issuer certificate (see: https://tools.ietf.org/html/rfc7515#section-4.1.11).
func (CritIssuer) MarshalJSON ¶
func (CritIssuer) MarshalJSON() ([]byte, error)
MarshalJSON returns a json array with the expected crit elements.
func (CritIssuer) UnmarshalJSON ¶
func (CritIssuer) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all expected elements and no other are in the array.
type EncodedAS ¶
type EncodedAS []byte
EncodedAS is the the base64url encoded marshaled AS certificate.
type EncodedIssuer ¶
type EncodedIssuer []byte
EncodedIssuer is the the base64url encoded marshaled issuer certificate.
func EncodeIssuer ¶
func EncodeIssuer(c *Issuer) (EncodedIssuer, error)
EncodeIssuer encodes and returns the packed issuer certificate.
func (*EncodedIssuer) Decode ¶
func (p *EncodedIssuer) Decode() (*Issuer, error)
Decode returns the decoded Decode.
type EncodedProtectedAS ¶
type EncodedProtectedAS []byte
EncodedProtectedAS is the base64url encoded utf-8 metadata.
func EncodeProtectedAS ¶
func EncodeProtectedAS(p ProtectedAS) (EncodedProtectedAS, error)
EncodeProtectedAS encodes the protected header.
func (*EncodedProtectedAS) Decode ¶
func (h *EncodedProtectedAS) Decode() (ProtectedAS, error)
Decode decodes and return the protected header.
type EncodedProtectedIssuer ¶
type EncodedProtectedIssuer []byte
EncodedProtectedIssuer is the base64url encoded utf-8 metadata.
func EncodeProtectedIssuer ¶
func EncodeProtectedIssuer(p ProtectedIssuer) (EncodedProtectedIssuer, error)
EncodeProtectedIssuer encodes the protected header.
func (*EncodedProtectedIssuer) Decode ¶
func (h *EncodedProtectedIssuer) Decode() (ProtectedIssuer, error)
Decode decodes and return the protected header.
type FormatVersion ¶
type FormatVersion uint8
FormatVersion indicates the certificate format version. Currently, only format version 1 is supported.
func (*FormatVersion) UnmarshalJSON ¶
func (v *FormatVersion) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that the FormatVersion is supported.
type Issuer ¶
type Issuer struct {
Base
// Issuer holds the TRC Version. Since the issuer certificate is
// self-signed, the issuing AS in the TRC is the same as the subject of this
// certificate.
Issuer IssuerTRC `json:"issuer"`
// CertificateType ensures the correct certificate type when marshalling.
CertificateType TypeIssuer `json:"certificate_type"`
}
Issuer is the Issuer certificate.
func (*Issuer) UnmarshalJSON ¶
UnmarshalJSON checks that all fields are set.
type IssuerCertID ¶
type IssuerCertID struct {
// IA is the subject of the issuing issuer certificate.
IA addr.IA `json:"ia"`
// CertificateVersion is the version of the issuing issuer certificate.
CertificateVersion scrypto.Version `json:"certificate_version"`
}
IssuerCertID identifies the issuer certificate that authenticates the AS certificate.
func (*IssuerCertID) UnmarshalJSON ¶
func (i *IssuerCertID) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all fields are set.
type IssuerTRC ¶
type IssuerTRC struct {
// TRCVersion is the version of the issuing TRC.
TRCVersion scrypto.Version `json:"trc_version"`
}
IssuerTRC identifies the TRC that authenticates the issuer certificate. The issuer certificate is self-signed, thus, the issuing AS and TRC ISD are implied by the subject.
func (*IssuerTRC) UnmarshalJSON ¶
UnmarshalJSON checks that all fields are set.
type IssuerVerifier ¶
type IssuerVerifier struct {
TRC *trc.TRC
Issuer *Issuer
SignedIssuer *SignedIssuer
}
IssuerVerifier verifies the issuer certificate based on the trusted TRC. The caller must ensure that the TRC is verified, and that the issuer certificate is valid and decoded from the signed issuer certificate.
func (IssuerVerifier) Verify ¶
func (v IssuerVerifier) Verify() error
Verify verifies the issuer certificate.
type KeyType ¶
type KeyType int
KeyType indicates the type of the key authenticated by the certificate.
Because KeyType is used as a map key, it cannot be a string type. (see: https://github.com/golang/go/issues/33298)
const ( // IssuingKey is the issuing key type. It must only appear in issuer certificates. IssuingKey KeyType // SigningKey is the signing key type. It must only appear in AS certificates. SigningKey // EncryptionKey is the encryption key type. It must only appear in AS certificates. EncryptionKey // RevocationKey is the revocation key type. It may appear in AS and issuer certificates. RevocationKey )
func (KeyType) MarshalText ¶
MarshalText is implemented to allow KeyType to be used as JSON map key. This must be a value receiver in order for KeyType fields in a struct to marshal correctly.
func (*KeyType) UnmarshalText ¶
UnmarshalText allows KeyType to be used as a map key and do validation when parsing.
type ProtectedAS ¶
type ProtectedAS struct {
Algorithm string `json:"alg"`
Crit CritAS `json:"crit"`
Type SignatureTypeCertificate `json:"type"`
CertificateVersion scrypto.Version `json:"certificate_version"`
IA addr.IA `json:"ia"`
}
ProtectedAS is the signature metadata.
func (*ProtectedAS) UnmarshalJSON ¶
func (p *ProtectedAS) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all fields are set.
type ProtectedIssuer ¶
type ProtectedIssuer struct {
Algorithm string `json:"alg"`
Type SignatureTypeTRC `json:"type"`
TRCVersion scrypto.Version `json:"trc_version"`
Crit CritIssuer `json:"crit"`
}
ProtectedIssuer is the signature metadata.
func (*ProtectedIssuer) UnmarshalJSON ¶
func (p *ProtectedIssuer) UnmarshalJSON(b []byte) error
UnmarshalJSON checks that all fields are set.
type SignatureTypeCertificate ¶
type SignatureTypeCertificate struct{}
SignatureTypeCertificate indicates the public key is authenticated by an issuer certificate.
func (SignatureTypeCertificate) MarshalText ¶
func (t SignatureTypeCertificate) MarshalText() ([]byte, error)
func (*SignatureTypeCertificate) UnmarshalText ¶
func (t *SignatureTypeCertificate) UnmarshalText(b []byte) error
UnmarshalText checks the signature type is correct.
type SignatureTypeTRC ¶
type SignatureTypeTRC struct{}
SignatureTypeTRC indicates the public key is authenticated by an issuer certificate.
func (SignatureTypeTRC) MarshalText ¶
func (t SignatureTypeTRC) MarshalText() ([]byte, error)
func (*SignatureTypeTRC) UnmarshalText ¶
func (t *SignatureTypeTRC) UnmarshalText(b []byte) error
UnmarshalText checks the signature type is correct.
type SignedAS ¶
type SignedAS struct {
Encoded EncodedAS `json:"payload"`
EncodedProtected EncodedProtectedAS `json:"protected"`
Signature common.RawBytes `json:"signature"`
}
type SignedIssuer ¶
type SignedIssuer struct {
Encoded EncodedIssuer `json:"payload"`
EncodedProtected EncodedProtectedIssuer `json:"protected"`
Signature common.RawBytes `json:"signature"`
}
func (SignedIssuer) SigInput ¶
func (s SignedIssuer) SigInput() common.RawBytes
SigInput computes the signature input according to rfc7517 (see: https://tools.ietf.org/html/rfc7515#section-5.1)
type TypeAS ¶
type TypeAS struct{}
TypeAS indicates an AS certificate.
func (TypeAS) MarshalText ¶
MarshalText returns the AS certificate type.
func (TypeAS) UnmarshalText ¶
UnmarshalText checks that the certificate type matches.
type TypeIssuer ¶
type TypeIssuer struct{}
TypeIssuer indicates an AS certificate.
func (TypeIssuer) MarshalText ¶
func (TypeIssuer) MarshalText() ([]byte, error)
MarshalText returns the AS certificate type.
func (TypeIssuer) UnmarshalText ¶
func (TypeIssuer) UnmarshalText(b []byte) error
UnmarshalText checks that the certificate type matches.
Source Files