Documentation
Constants
This section is empty.
Variables
var ErrNotFound = errors.New("cabundle: key not found")
ErrNotFound is returned when a key is not found in storage. This is typically returned on first request when no seqno has been stored yet.
var (
	// ErrStorageCorrupted indicates that the persistent storage HMAC verification failed
	ErrStorageCorrupted = errors.New("storage: HMAC verification failed (file may be corrupted or tampered)")
)
Functions
This section is empty.
Types
type BundleCache
type BundleCache struct {
// contains filtered or unexported fields
}
BundleCache is a simple in-memory cache for CA bundles with request deduplication.
func NewBundleCache
func NewBundleCache(ttl time.Duration) *BundleCache
NewBundleCache creates a new BundleCache.
type FileStorage
type FileStorage struct {
// contains filtered or unexported fields
}
FileStorage is a persistent, tamper-evident storage for sequence numbers. It uses HMAC-SHA256 to detect tampering and prevent rollback attacks.
File format (per issuer):
[8 bytes: seqno (big-endian uint64)] [32 bytes: HMAC-SHA256(seqno || issuerID)]
Security properties:
- Detects tampering: HMAC verification fails if seqno is modified
- Prevents rollback: Attacker cannot rewind seqno without breaking HMAC
- Offline-first: No network required for verification
Thread-safe: Uses mutex for concurrent access
func NewFileStorage
func NewFileStorage(dir string, hmacKey []byte) (*FileStorage, error)
NewFileStorage creates a new HMAC-protected file storage. The directory will be created if it doesn't exist. The HMAC key should be 32 bytes for SHA-256, and must be kept secret.
func (*FileStorage) GetLastSeenSeqno
GetLastSeenSeqno returns the last seen sequence number for a given issuer ID. Returns 0 if no sequence number has been stored yet (first time seeing this issuer).
func (*FileStorage) SetLastSeenSeqnoIfGreater
func (s *FileStorage) SetLastSeenSeqnoIfGreater(ctx context.Context, issuerID string, seqno uint64) error
SetLastSeenSeqnoIfGreater stores the last seen sequence number for a given issuer ID ONLY if the new sequence number is greater than the currently stored one. The seqno is protected with an HMAC to prevent tampering.
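The record format and the greater-only update rule described above, as an added example that is not the package's own code: it encodes and verifies the `[8 bytes seqno][32 bytes HMAC-SHA256(seqno || issuerID)]` record over an in-memory map instead of files, and refuses both a tampered record and a rollback to a lower seqno. All identifiers (`seqnoMAC`, `encodeRecord`, `decodeRecord`, `setIfGreater`, `errCorrupted`) are this example's own, and the 32-byte key in the comments is a constructed value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Record layout from this page: [8 bytes seqno, big-endian][32 bytes HMAC-SHA256(seqno || issuerID)].
// All identifiers below are this example's own, not the package's.
const recordLen = 8 + sha256.Size
var errCorrupted = errors.New("example: HMAC verification failed")

// seqnoMAC binds issuerID into the tag: a valid record copied from another issuer's file fails too.
func seqnoMAC(key []byte, seqno uint64, issuerID string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(binary.BigEndian.AppendUint64(nil, seqno))
	m.Write([]byte(issuerID))
	return m.Sum(nil)
}

// encodeRecord builds the 40-byte record stored for one issuer.
func encodeRecord(key []byte, seqno uint64, issuerID string) []byte {
	return append(binary.BigEndian.AppendUint64(nil, seqno), seqnoMAC(key, seqno, issuerID)...)
}

// decodeRecord verifies rec under key for issuerID (constant-time tag compare) and returns its seqno.
func decodeRecord(key, rec []byte, issuerID string) (uint64, error) {
	if len(rec) != recordLen {
		return 0, errCorrupted
	}
	seqno := binary.BigEndian.Uint64(rec[:8])
	if !hmac.Equal(rec[8:], seqnoMAC(key, seqno, issuerID)) {
		return 0, errCorrupted
	}
	return seqno, nil
}

// setIfGreater mirrors SetLastSeenSeqnoIfGreater over an in-memory map of records: a seqno at or
// below the verified current value is ignored, so a replayed older bundle cannot roll the state back.
func setIfGreater(store map[string][]byte, key []byte, issuerID string, seqno uint64) (bool, error) {
	if rec, ok := store[issuerID]; ok {
		cur, err := decodeRecord(key, rec, issuerID)
		if err != nil || seqno <= cur {
			return false, err // tampered record (err != nil) or no newer seqno (err == nil)
		}
	}
	store[issuerID] = encodeRecord(key, seqno, issuerID)
	return true, nil
}
```

Note that a tampered stored record blocks further updates rather than being silently overwritten, which is what makes the storage tamper-evident instead of merely self-healing.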
type HTTPSFetcher
type HTTPSFetcher struct {
// contains filtered or unexported fields
}
HTTPSFetcher is an implementation of the revocation.Fetcher interface that fetches a CA bundle from an HTTPS endpoint.
func NewHTTPSFetcher
func NewHTTPSFetcher(url string, client *http.Client) *HTTPSFetcher
NewHTTPSFetcher creates a new HTTPSFetcher.
type MemoryStorage
type MemoryStorage struct {
// contains filtered or unexported fields
}
MemoryStorage is an in-memory implementation of the types.Storage interface.
func NewMemoryStorage
func NewMemoryStorage() *MemoryStorage
NewMemoryStorage creates a new MemoryStorage.
func (*MemoryStorage) GetLastSeenSeqno
GetLastSeenSeqno returns the last seen sequence number for a given issuer ID.
func (*MemoryStorage) SetLastSeenSeqnoIfGreater
func (s *MemoryStorage) SetLastSeenSeqnoIfGreater(ctx context.Context, issuerID string, seqno uint64) error
SetLastSeenSeqnoIfGreater sets the last seen sequence number only if it is greater than the currently stored one.