notary: github.com/theupdateframework/notary/tuf/signed Index | Files

package signed

import "github.com/theupdateframework/notary/tuf/signed"

Index

Package Files

ed25519.go errors.go interface.go sign.go verifiers.go verify.go

Variables

var (
    ErrNoSignatures = errors.New("tuf: data has no signatures")
    ErrInvalid      = errors.New("tuf: signature verification failed")
    ErrWrongType    = errors.New("tuf: meta file has wrong type")
)

Various basic signing errors

var Verifiers = map[data.SigAlgorithm]Verifier{
    data.RSAPSSSignature:      RSAPSSVerifier{},
    data.RSAPKCS1v15Signature: RSAPKCS1v15Verifier{},
    data.PyCryptoSignature:    RSAPyCryptoVerifier{},
    data.ECDSASignature:       ECDSAVerifier{},
    data.EDDSASignature:       Ed25519Verifier{},
}

Verifiers serves as a map of all verifiers available on the system and can be injected into a verificationService. For testing and configuration purposes, it will not be used by default.

func IsExpired Uses

func IsExpired(t time.Time) bool

IsExpired checks if the given time passed before the present time

func Sign Uses

func Sign(service CryptoService, s *data.Signed, signingKeys []data.PublicKey,
    minSignatures int, otherWhitelistedKeys []data.PublicKey) error

Sign takes a data.Signed and a cryptoservice containing private keys, calculates and adds at least minSignature signatures using signingKeys the data.Signed. It will also clean up any signatures that are not in produced by either a signingKey or an otherWhitelistedKey. Note that in most cases, otherWhitelistedKeys should probably be null. They are for keys you don't want to sign with, but you also don't want to remove existing signatures by those keys. For instance, if you want to call Sign multiple times with different sets of signing keys without undoing removing signatures produced by the previous call to Sign.

func VerifyExpiry Uses

func VerifyExpiry(s *data.SignedCommon, role data.RoleName) error

VerifyExpiry returns ErrExpired if the metadata is expired

func VerifyPublicKeyMatchesPrivateKey Uses

func VerifyPublicKeyMatchesPrivateKey(privKey data.PrivateKey, pubKey data.PublicKey) error

VerifyPublicKeyMatchesPrivateKey checks if the private key and the public keys forms valid key pairs. Supports both x509 certificate PublicKeys and non-certificate PublicKeys

func VerifySignature Uses

func VerifySignature(msg []byte, sig *data.Signature, pk data.PublicKey) error

VerifySignature checks a single signature and public key against a payload If the signature is verified, the signature's is valid field will actually be mutated to be equal to the boolean true

func VerifySignatures Uses

func VerifySignatures(s *data.Signed, roleData data.BaseRole) error

VerifySignatures checks the we have sufficient valid signatures for the given role

func VerifyVersion Uses

func VerifyVersion(s *data.SignedCommon, minVersion int) error

VerifyVersion returns ErrLowVersion if the metadata version is lower than the min version

type CryptoService Uses

type CryptoService interface {
    KeyService
}

CryptoService is deprecated and all instances of its use should be replaced with KeyService

type ECDSAVerifier Uses

type ECDSAVerifier struct{}

ECDSAVerifier checks ECDSA signatures, decoding the keyType appropriately

func (ECDSAVerifier) Verify Uses

func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual check.

type Ed25519 Uses

type Ed25519 struct {
    // contains filtered or unexported fields
}

Ed25519 implements a simple in memory cryptosystem for ED25519 keys

func NewEd25519 Uses

func NewEd25519() *Ed25519

NewEd25519 initializes a new empty Ed25519 CryptoService that operates entirely in memory

func (*Ed25519) AddKey Uses

func (e *Ed25519) AddKey(role data.RoleName, gun data.GUN, k data.PrivateKey) error

AddKey allows you to add a private key

func (*Ed25519) Create Uses

func (e *Ed25519) Create(role data.RoleName, gun data.GUN, algorithm string) (data.PublicKey, error)

Create generates a new key and returns the public part

func (*Ed25519) GetKey Uses

func (e *Ed25519) GetKey(keyID string) data.PublicKey

GetKey returns a single public key based on the ID

func (*Ed25519) GetPrivateKey Uses

func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, data.RoleName, error)

GetPrivateKey returns a single private key and role if present, based on the ID

func (*Ed25519) ListAllKeys Uses

func (e *Ed25519) ListAllKeys() map[string]data.RoleName

ListAllKeys returns the map of keys IDs to role

func (*Ed25519) ListKeys Uses

func (e *Ed25519) ListKeys(role data.RoleName) []string

ListKeys returns the list of keys IDs for the role

func (*Ed25519) PublicKeys Uses

func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error)

PublicKeys returns a map of public keys for the ids provided, when those IDs are found in the store.

func (*Ed25519) RemoveKey Uses

func (e *Ed25519) RemoveKey(keyID string) error

RemoveKey deletes a key from the signer

type Ed25519Verifier Uses

type Ed25519Verifier struct{}

Ed25519Verifier used to verify Ed25519 signatures

func (Ed25519Verifier) Verify Uses

func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify checks that an ed25519 signature is valid

type ErrExpired Uses

type ErrExpired struct {
    Role    data.RoleName
    Expired string
}

ErrExpired indicates a piece of metadata has expired

func (ErrExpired) Error Uses

func (e ErrExpired) Error() string

type ErrInsufficientSignatures Uses

type ErrInsufficientSignatures struct {
    FoundKeys     int
    NeededKeys    int
    MissingKeyIDs []string
}

ErrInsufficientSignatures - can not create enough signatures on a piece of metadata

func (ErrInsufficientSignatures) Error Uses

func (e ErrInsufficientSignatures) Error() string

type ErrInvalidKeyID Uses

type ErrInvalidKeyID struct{}

ErrInvalidKeyID indicates the specified key ID was incorrect for its associated data

func (ErrInvalidKeyID) Error Uses

func (e ErrInvalidKeyID) Error() string

type ErrInvalidKeyLength Uses

type ErrInvalidKeyLength struct {
    // contains filtered or unexported fields
}

ErrInvalidKeyLength indicates that while we may support the cipher, the provided key length is not specifically supported, i.e. we support RSA, but not 1024 bit keys

func (ErrInvalidKeyLength) Error Uses

func (e ErrInvalidKeyLength) Error() string

type ErrInvalidKeyType Uses

type ErrInvalidKeyType struct{}

ErrInvalidKeyType indicates the types for the key and signature it's associated with are mismatched. Probably a sign of malicious behaviour

func (ErrInvalidKeyType) Error Uses

func (e ErrInvalidKeyType) Error() string

type ErrLowVersion Uses

type ErrLowVersion struct {
    Actual  int
    Current int
}

ErrLowVersion indicates the piece of metadata has a version number lower than a version number we're already seen for this role

func (ErrLowVersion) Error Uses

func (e ErrLowVersion) Error() string

type ErrNoKeys Uses

type ErrNoKeys struct {
    KeyIDs []string
}

ErrNoKeys indicates no signing keys were found when trying to sign

func (ErrNoKeys) Error Uses

func (e ErrNoKeys) Error() string

type ErrRoleThreshold Uses

type ErrRoleThreshold struct {
    Msg string
}

ErrRoleThreshold indicates we did not validate enough signatures to meet the threshold

func (ErrRoleThreshold) Error Uses

func (e ErrRoleThreshold) Error() string

type KeyService Uses

type KeyService interface {
    // Create issues a new key pair and is responsible for loading
    // the private key into the appropriate signing service.
    Create(role data.RoleName, gun data.GUN, algorithm string) (data.PublicKey, error)

    // AddKey adds a private key to the specified role and gun
    AddKey(role data.RoleName, gun data.GUN, key data.PrivateKey) error

    // GetKey retrieves the public key if present, otherwise it returns nil
    GetKey(keyID string) data.PublicKey

    // GetPrivateKey retrieves the private key and role if present and retrievable,
    // otherwise it returns nil and an error
    GetPrivateKey(keyID string) (data.PrivateKey, data.RoleName, error)

    // RemoveKey deletes the specified key, and returns an error only if the key
    // removal fails. If the key doesn't exist, no error should be returned.
    RemoveKey(keyID string) error

    // ListKeys returns a list of key IDs for the role, or an empty list or
    // nil if there are no keys.
    ListKeys(role data.RoleName) []string

    // ListAllKeys returns a map of all available signing key IDs to role, or
    // an empty map or nil if there are no keys.
    ListAllKeys() map[string]data.RoleName
}

KeyService provides management of keys locally. It will never accept or provide private keys. Communication between the KeyService and a SigningService happen behind the Create function.

type RSAPKCS1v15Verifier Uses

type RSAPKCS1v15Verifier struct{}

RSAPKCS1v15Verifier checks RSA PKCS1v15 signatures

func (RSAPKCS1v15Verifier) Verify Uses

func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual verification

type RSAPSSVerifier Uses

type RSAPSSVerifier struct{}

RSAPSSVerifier checks RSASSA-PSS signatures

func (RSAPSSVerifier) Verify Uses

func (v RSAPSSVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual check.

type RSAPyCryptoVerifier Uses

type RSAPyCryptoVerifier struct{}

RSAPyCryptoVerifier checks RSASSA-PSS signatures

func (RSAPyCryptoVerifier) Verify Uses

func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

Verify does the actual check. N.B. We have not been able to make this work in a way that is compatible with PyCrypto.

type Verifier Uses

type Verifier interface {
    Verify(key data.PublicKey, sig []byte, msg []byte) error
}

Verifier defines an interface for verifying signatures. An implementer of this interface should verify signatures for one and only one signing scheme.

Package signed imports 18 packages (graph) and is imported by 98 packages. Updated 2019-03-25. Refresh now. Tools for package owners.