cfssl: github.com/cloudflare/cfssl/ubiquity Index | Files

package ubiquity

import "github.com/cloudflare/cfssl/ubiquity"

Package ubiquity contains the ubiquity scoring logic for CFSSL bundling.

Index

Package Files

filter.go performance.go sha1.go ubiquity_crypto.go ubiquity_platform.go

Variables

var Platforms []Platform

Platforms is the list of platforms against which ubiquity bundling will be optimized.

var SHA1DeprecationPolicys = []SHA1DeprecationPolicy{

    {
        Platform:       "Google Chrome",
        Description:    "shows the SSL connection has minor problems",
        Severity:       Medium,
        ExpiryDeadline: time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC),
    },

    {
        Platform:       "Google Chrome",
        Description:    "shows the SSL connection is untrusted",
        Severity:       High,
        ExpiryDeadline: time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC),
    },

    {
        Platform:       "Mozilla Firefox",
        Description:    "gives warning in the developer console",
        Severity:       Low,
        ExpiryDeadline: time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC),
    },

    {
        Platform:        "Mozilla Firefox",
        Description:     "shows the SSL connection is untrusted",
        Severity:        Medium,
        EffectiveDate:   time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC),
        NeverIssueAfter: time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC),
    },

    {
        Platform:       "Mozilla Firefox",
        Description:    "shows the SSL connection is untrusted",
        Severity:       High,
        EffectiveDate:  time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC),
        ExpiryDeadline: time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC),
    },

    {
        Platform:       "Microsoft Windows Vista and later",
        Description:    "shows the SSL connection is untrusted",
        Severity:       High,
        EffectiveDate:  time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC),
        ExpiryDeadline: time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC),
    },
}

SHA1DeprecationPolicys ia a list of various SHA1DeprecationPolicy's proposed by major browser producers

func CompareChainCryptoSuite Uses

func CompareChainCryptoSuite(chain1, chain2 []*x509.Certificate) int

CompareChainCryptoSuite ranks chains with more current crypto suite higher.

func CompareChainExpiry Uses

func CompareChainExpiry(chain1, chain2 []*x509.Certificate) int

CompareChainExpiry ranks chain that lasts longer higher.

func CompareChainHashPriority Uses

func CompareChainHashPriority(chain1, chain2 []*x509.Certificate) int

CompareChainHashPriority ranks chains with more current hash functions higher.

func CompareChainHashUbiquity Uses

func CompareChainHashUbiquity(chain1, chain2 []*x509.Certificate) int

CompareChainHashUbiquity returns a positive, zero, or negative value if the hash ubiquity of the first chain is greater, equal, or less than the second chain.

func CompareChainKeyAlgoPriority Uses

func CompareChainKeyAlgoPriority(chain1, chain2 []*x509.Certificate) int

CompareChainKeyAlgoPriority ranks chains with more current key algorithm higher.

func CompareChainKeyAlgoUbiquity Uses

func CompareChainKeyAlgoUbiquity(chain1, chain2 []*x509.Certificate) int

CompareChainKeyAlgoUbiquity returns a positive, zero, or negative value if the public-key ubiquity of the first chain is greater, equal, or less than the second chain.

func CompareChainLength Uses

func CompareChainLength(chain1, chain2 []*x509.Certificate) int

CompareChainLength ranks shorter chain higher.

func CompareExpiryUbiquity Uses

func CompareExpiryUbiquity(chain1, chain2 []*x509.Certificate) int

CompareExpiryUbiquity ranks two certificate chains based on the exiry dates of intermediates and roots. Certs expire later are ranked higher than ones expire earlier. The ranking between chains are determined by the first pair of intermediates, scanned from the root level, that ar ranked differently.

func ComparePlatformUbiquity Uses

func ComparePlatformUbiquity(chain1, chain2 []*x509.Certificate) int

ComparePlatformUbiquity compares the cross-platform ubiquity between chain1 and chain2.

func CompareSHA2Homogeneity Uses

func CompareSHA2Homogeneity(chain1, chain2 []*x509.Certificate) int

CompareSHA2Homogeneity compares the chains based on SHA2 homogeneity. Full SHA-2 chain (excluding root) is rated higher that the rest.

func CrossPlatformUbiquity Uses

func CrossPlatformUbiquity(chain []*x509.Certificate) int

CrossPlatformUbiquity returns a ubiquity score (presumably relecting the market share in percentage) based on whether the given chain can be verified with the different platforms' root certificate stores.

func Filter Uses

func Filter(chains [][]*x509.Certificate, f RankingFunc) [][]*x509.Certificate

Filter filters out the chains with highest rank according to the ranking function f.

func HashPriority Uses

func HashPriority(certs []*x509.Certificate) int

HashPriority returns the hash priority of the chain as the average of hash priority of certs in it.

func KeyAlgoPriority Uses

func KeyAlgoPriority(certs []*x509.Certificate) int

KeyAlgoPriority returns the key algorithm priority of the chain as the average of key algorithm priority of certs in it.

func LoadPlatforms Uses

func LoadPlatforms(filename string) error

LoadPlatforms reads the file content as a json object array and convert it to Platforms.

func SHA1DeprecationMessages Uses

func SHA1DeprecationMessages(chain []*x509.Certificate) []string

SHA1DeprecationMessages returns a list of human-readable messages. Each message describes how one platform rejects the chain based on SHA1 deprecation policies.

func SHA1RawPublicKey Uses

func SHA1RawPublicKey(cert *x509.Certificate) string

SHA1RawPublicKey returns a SHA1 hash of the raw certificate public key

func SHA2Homogeneity Uses

func SHA2Homogeneity(chain []*x509.Certificate) int

SHA2Homogeneity returns 1 if the chain contains only SHA-2 certs (excluding root). Otherwise it returns 0.

func UntrustedPlatforms Uses

func UntrustedPlatforms(root *x509.Certificate) []string

UntrustedPlatforms returns a list of platforms which don't trust the root certificate.

type CertSet Uses

type CertSet map[string]bool

CertSet is a succint set of x509 certificates which only stores certificates' SHA1 hashes.

func (CertSet) Add Uses

func (s CertSet) Add(cert *x509.Certificate)

Add adds a certificate to the set.

func (CertSet) Lookup Uses

func (s CertSet) Lookup(cert *x509.Certificate) bool

Lookup returns whether a certificate is stored in the set.

type DeprecationSeverity Uses

type DeprecationSeverity int

DeprecationSeverity encodes the severity of a deprecation policy

const (
    // None indicates there is no deprecation
    None DeprecationSeverity = iota
    // Low indicates the deprecation policy won't affect user experience
    Low
    // Medium indicates the deprecation policy will affect user experience
    // either in a minor way or for a limited scope of users.
    Medium
    // High indicates the deprecation policy will strongly affect user experience
    High
)

type HashUbiquity Uses

type HashUbiquity int

HashUbiquity represents a score for how ubiquitous a given hash algorithm is; the higher the score, the more preferable the algorithm is.

const (
    UnknownHashUbiquity HashUbiquity = 0
    SHA2Ubiquity        HashUbiquity = 70
    SHA1Ubiquity        HashUbiquity = 100
    MD5Ubiquity         HashUbiquity = 0
    MD2Ubiquity         HashUbiquity = 0
)

SHA1 is ubiquitous. SHA2 is not supported on some legacy platforms. We consider MD2/MD5 is harmful and thus assign them lowest ubiquity.

func ChainHashUbiquity Uses

func ChainHashUbiquity(chain []*x509.Certificate) HashUbiquity

ChainHashUbiquity scores a chain based on the hash algorithms used by the certificates in the chain.

type KeyAlgoUbiquity Uses

type KeyAlgoUbiquity int

KeyAlgoUbiquity represents a score for how ubiquitous a given public-key algorithm is; the higher the score, the more preferable the algorithm is.

const (
    RSAUbiquity         KeyAlgoUbiquity = 100
    DSAUbiquity         KeyAlgoUbiquity = 100
    ECDSA256Ubiquity    KeyAlgoUbiquity = 70
    ECDSA384Ubiquity    KeyAlgoUbiquity = 70
    ECDSA521Ubiquity    KeyAlgoUbiquity = 30
    UnknownAlgoUbiquity KeyAlgoUbiquity = 0
)

RSA and DSA are considered ubiquitous. ECDSA256 and ECDSA384 should be supported by TLS 1.2 and have limited support from TLS 1.0 and 1.1, based on RFC6460, but ECDSA521 is less well-supported as a standard.

func ChainKeyAlgoUbiquity Uses

func ChainKeyAlgoUbiquity(chain []*x509.Certificate) KeyAlgoUbiquity

ChainKeyAlgoUbiquity scores a chain based on the public-key algorithms used by the certificates in the chain.

type Platform Uses

type Platform struct {
    Name            string `json:"name"`
    Weight          int    `json:"weight"`
    HashAlgo        string `json:"hash_algo"`
    KeyAlgo         string `json:"key_algo"`
    KeyStoreFile    string `json:"keystore"`
    KeyStore        CertSet
    HashUbiquity    HashUbiquity
    KeyAlgoUbiquity KeyAlgoUbiquity
}

A Platform contains ubiquity information on supported crypto algorithms and root certificate store name.

func (*Platform) ParseAndLoad Uses

func (p *Platform) ParseAndLoad() (ok bool)

ParseAndLoad converts HashAlgo and KeyAlgo to corresponding ubiquity value and load certificates into internal KeyStore from KeyStoreFiles

func (Platform) Trust Uses

func (p Platform) Trust(root *x509.Certificate) bool

Trust returns whether the platform has the root cert in the trusted store.

type RankingFunc Uses

type RankingFunc func(chain1, chain2 []*x509.Certificate) int

RankingFunc returns the relative rank between chain1 and chain2. Return value:

positive integer if rank(chain1) > rank(chain2),
negative integer if rank(chain1) < rank(chain2),
0 if rank(chain1) == (chain2).

type SHA1DeprecationPolicy Uses

type SHA1DeprecationPolicy struct {
    // the name of platform
    Platform string `json:"platform"`
    // policy severity, policies of the same platform will only trigger the one of highest severity
    Severity DeprecationSeverity `json:"severity"`
    // a human readable message describing the deprecation effects
    Description string `json:"description"`
    // the date when the policy is effective. zero value means effective immediately
    EffectiveDate time.Time `json:"effective_date"`
    // the expiry deadline indicates the latest date which a end-entity
    // certificate with SHA1 can be valid through.
    ExpiryDeadline time.Time `json:"expiry_deadline"`
    // the date beyond which SHA1 cert should not be issued.
    NeverIssueAfter time.Time `json:"never_issue_after"`
}

SHA1DeprecationPolicy encodes how a platform deprecates the support of SHA1

func (SHA1DeprecationPolicy) Flag Uses

func (p SHA1DeprecationPolicy) Flag(chain []*x509.Certificate) bool

Flag returns whether the policy flags the cert chain as deprecated for matching its deprecation criteria

Package ubiquity imports 14 packages (graph) and is imported by 205 packages. Updated 2018-04-03. Refresh now. Tools for package owners.