Documentation
Overview
Package tssig is a Go implementation of TSSig, a signed timestamp system.
Constants
const MaxHttpDownloadSize = 192
MaxHttpDownloadSize is the maximum size in bytes of the body that may be returned from the Issuer Key URL.
Variables
This section is empty.
Functions
This section is empty.
Types
type HttpKeyLookup
HttpKeyLookup is a concrete implementation for retrieving a root public key directly from its URL.
type Issuer
type Issuer struct {
    RootPublicKeyUrl string   `json:"root-key"`
    LeafPublicKeyDer b64bytes `json:"leaf-key"`
    Signature        b64bytes `json:"signature"`
    // contains filtered or unexported fields
}
The Issuer represents:
- A Leaf Public Key, used to verify the signature on the SignedTimeStamp.
- The URL to a DER-encoded Root Public Key, used to verify the signature on the Issuer.
- The Issuer's signature, which signs the Root Key's URL and the Leaf Key DER.
func (*Issuer) BytesToSign
BytesToSign returns the bytes to be signed in the Issuer's signature.
func (*Issuer) SignIssuer
func (iss *Issuer) SignIssuer(signer IssuerSigner) error
SignIssuer signs the Key URL and the Leaf Public Key with the Root Private Key. The data is passed to the IssuerSigner, which performs the actual signing.
func (*Issuer) SignTimeStamp
func (iss *Issuer) SignTimeStamp(sts *SignedTimeStamp) error
SignTimeStamp generates the SignedTimeStamp's signature, taking into account:
- The Issuer's signature
- The originally provided digest
- The current datetime
type IssuerSigner
IssuerSigner defines the methods for signing an Issuer.
type KeyLookup
KeyLookup is an interface for retrieving a root public key. It is primarily designed so that a caching layer can be added.
type SignedTimeStamp
type SignedTimeStamp struct {
    Issuer    *Issuer   `json:"issuer"`
    Datetime  time.Time `json:"datetime"`
    Digest    b64bytes  `json:"digest"`
    Signature b64bytes  `json:"signature"`
}
The SignedTimeStamp represents:
- The Issuer who has signed the time stamp
- The user-provided Digest
- The Datetime at which we signed it
- The Signature
func NewSignedTimeStamp
func NewSignedTimeStamp(digest string) (*SignedTimeStamp, error)
NewSignedTimeStamp creates a new instance of SignedTimeStamp. The digest is passed in as a string because we want to ensure that it is URL-encoded base64.
func (*SignedTimeStamp) BytesToSign
func (ss *SignedTimeStamp) BytesToSign() []byte
BytesToSign returns the bytes which we are signing, made up of:
- The originally provided digest
- The Issuer's signature
- The current datetime
func (*SignedTimeStamp) Json
func (ss *SignedTimeStamp) Json() ([]byte, error)
func (*SignedTimeStamp) PrettyJson
func (ss *SignedTimeStamp) PrettyJson() ([]byte, error)
type TrustedIssuerKeyCheck
TrustedIssuerKeyCheck is an interface for checking whether a given Issuer Key URL is trusted.
type TrustedIssuerKeys
type TrustedIssuerKeys struct {
    KeyPrefixes []string
}
TrustedIssuerKeys is a basic implementation of the Trusted Issuer Key check.
type Verifier
type Verifier struct {
    // contains filtered or unexported fields
}
Verifier represents the code to verify a SignedTimeStamp and its Issuer.
func NewVerifier
func NewVerifier(trustedIssuers TrustedIssuerKeyCheck) *Verifier
NewVerifier instantiates a Verifier with its default (direct) key lookup.
func NewVerifierWithKeyLookup
func NewVerifierWithKeyLookup(trustedIssuers TrustedIssuerKeyCheck, keyLookup KeyLookup) *Verifier
NewVerifierWithKeyLookup instantiates a Verifier with a custom key lookup.
func (*Verifier) Verify
func (v *Verifier) Verify(sts *SignedTimeStamp) error
Verify combines VerifyIssuer and VerifySignedTimeStamp into one method, verifying that both the Issuer and the SignedTimeStamp are valid.
func (*Verifier) VerifyIssuer
VerifyIssuer verifies that the Leaf's public key has been signed by the Root Private Key,
func (*Verifier) VerifySignedTimeStamp
func (v *Verifier) VerifySignedTimeStamp(sts *SignedTimeStamp) error
VerifySignedTimeStamp verifies that the SignedTimeStamp has been signed by the Leaf Private Key.
func (*Verifier) VerifyWithDigest (added in v0.2.1)
func (v *Verifier) VerifyWithDigest(sts *SignedTimeStamp, digest []byte) error
VerifyWithDigest checks that the Time Stamp's digest matches the expected one passed in. If so, it goes ahead and does the full verification.
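A self-contained model of the chain this page describes, added here as an example and not taken from the tssig package: a root key signs the Issuer (key URL plus leaf key), the leaf key signs the SignedTimeStamp (digest, issuer signature, datetime), and Verify mirrors VerifyWithDigest with a single trusted URL prefix standing in for TrustedIssuerKeys.KeyPrefixes. Ed25519, the exact byte layout, raw key bytes in place of the DER encoding, and the fixed seeds in DemoChain are assumptions of this demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"strings"
	"time"
)

// Demo model of the TSSig chain: Ed25519, the byte layouts and the fixed seeds are assumptions, not tssig's own code.
type Issuer struct {
	RootPublicKeyUrl string
	LeafPublicKey    ed25519.PublicKey // raw Ed25519 bytes stand in for the DER form
	Signature        []byte            // root-key signature over URL || leaf key
}
type SignedTimeStamp struct {
	Issuer    *Issuer
	Datetime  time.Time
	Digest    []byte
	Signature []byte // leaf-key signature over digest || issuer signature || datetime
}
func (iss *Issuer) BytesToSign() []byte { return append([]byte(iss.RootPublicKeyUrl), iss.LeafPublicKey...) }
func (ss *SignedTimeStamp) BytesToSign() []byte {
	return bytes.Join([][]byte{ss.Digest, ss.Issuer.Signature, []byte(ss.Datetime.UTC().Format(time.RFC3339Nano))}, nil)
}
// DemoChain signs with constructed fixed-seed keys and returns the root public key a verifier would look up.
func DemoChain(url string, digest []byte) (*SignedTimeStamp, ed25519.PublicKey) {
	rootPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	leafPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	iss := &Issuer{RootPublicKeyUrl: url, LeafPublicKey: leafPriv.Public().(ed25519.PublicKey)}
	iss.Signature = ed25519.Sign(rootPriv, iss.BytesToSign())
	sts := &SignedTimeStamp{Issuer: iss, Datetime: time.Now(), Digest: digest}
	sts.Signature = ed25519.Sign(leafPriv, sts.BytesToSign())
	return sts, rootPriv.Public().(ed25519.PublicKey)
}
// Verify mirrors VerifyWithDigest with one trusted URL prefix: prefix, expected digest, issuer signature, timestamp signature.
func Verify(sts *SignedTimeStamp, rootPub ed25519.PublicKey, keyPrefix string, digest []byte) error {
	switch {
	case !strings.HasPrefix(sts.Issuer.RootPublicKeyUrl, keyPrefix):
		return errors.New("issuer key URL is not trusted")
	case !bytes.Equal(sts.Digest, digest):
		return errors.New("digest does not match")
	case !ed25519.Verify(rootPub, sts.Issuer.BytesToSign(), sts.Issuer.Signature):
		return errors.New("issuer signature invalid")
	case !ed25519.Verify(sts.Issuer.LeafPublicKey, sts.BytesToSign(), sts.Signature):
		return errors.New("timestamp signature invalid")
	}
	return nil
}
```

Each check fails closed: an untrusted key URL, a valid timestamp issued for a different digest, or a swapped leaf key is rejected before the timestamp signature is examined.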