ndncert

package
v1.5.3 Latest

This package is not in the latest version of its module.
Published: Dec 30, 2025 License: MIT Imports: 22 Imported by: 0

Documentation


Constants

const (
	KwRecordName    = "record-name"
	KwExpectedValue = "expected-value"

	DNSPrefix = "_ndncert-challenge"
)

const AeadSizeNonce = 12
const AeadSizeRand = 8
const AeadSizeTag = 16
const KwCode = "code"
const KwConfirmation = "confirmation"
const KwDns = "dns"
const KwDomain = "domain"

// Keywords
const KwEmail = "email"
const KwPin = "pin"

Variables

// Challenge Errors
var ErrChallengeBefore = errors.New("challenge before request")
var ErrChallengeFailed = errors.New("challenge failed")
var ErrChallengePending = errors.New("challenge pending")
var ErrChallengeStatusUnknown = errors.New("unknown challenge status")
var ErrNoKeySuggestions = errors.New("no key suggestions")

Functions

func AeadDecrypt

func AeadDecrypt(
	key [AeadSizeTag]byte,
	message AeadMessage,
	info []byte,
) ([]byte, error)

(AI GENERATED DESCRIPTION): Decrypts an AEAD-protected message using AES-GCM with the given key and additional authenticated data.

func EcdhHkdf

func EcdhHkdf(skey *ecdh.PrivateKey, pkey []byte, salt []byte, info []byte) ([]byte, error)

EcdhHkdf computes a shared secret using ECDH and HKDF.

func EcdhKeygen

func EcdhKeygen() (*ecdh.PrivateKey, error)

EcdhKeygen generates an ECDH key pair.

func IsError

func IsError(wire enc.Wire) error

IsError checks if a packet contains an NDNCERT error.

Types

type AeadCounter

type AeadCounter struct {
	// contains filtered or unexported fields
}

func NewAeadCounter

func NewAeadCounter() *AeadCounter

(AI GENERATED DESCRIPTION): Creates a new AeadCounter initialized with a zero block counter and a freshly generated random byte sequence.

type AeadMessage

type AeadMessage struct {
	IV         [AeadSizeNonce]byte
	AuthTag    [AeadSizeTag]byte
	CipherText []byte
}

func AeadEncrypt

func AeadEncrypt(
	key [AeadSizeTag]byte,
	plaintext []byte,
	info []byte,
	counter *AeadCounter,
) (*AeadMessage, error)

(AI GENERATED DESCRIPTION): Encrypts the given plaintext with AES-GCM using the supplied key and context info, deriving an IV from the counter, and returns an `AeadMessage` containing the IV, ciphertext, and authentication tag.

func (*AeadMessage) FromTLV

func (m *AeadMessage) FromTLV(t *tlv.CipherMsg)

(AI GENERATED DESCRIPTION): Populates an AeadMessage's IV, AuthTag, and CipherText fields from a provided tlv.CipherMsg.

func (*AeadMessage) TLV

func (m *AeadMessage) TLV() *tlv.CipherMsg

(AI GENERATED DESCRIPTION): Creates a tlv.CipherMsg containing the AEAD message’s IV, authentication tag, and ciphertext.
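The AeadEncrypt/AeadDecrypt pair above is documented only by signature, so the following added example (written for this page, not code from the ndnd project) shows the shape of the construction with the standard library alone: AES-GCM under a 16-byte key, the `info` argument bound as associated data, a 12-byte IV built from an 8-byte random prefix plus a counter, and the tag carried in its own field as in AeadMessage. The nonce layout (random prefix, big-endian 32-bit block counter in the last four bytes, advanced by 16-byte blocks) and the sample request-id string are assumptions of this example, not facts taken from the package.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sizes taken from the package constants on this page.
const (
	aeadSizeNonce = 12
	aeadSizeRand  = 8
	aeadSizeTag   = 16
)

// aeadMessage mirrors AeadMessage: the GCM tag is carried in its own field
// instead of appended to the ciphertext as Go's cipher.AEAD produces it.
type aeadMessage struct {
	IV         [aeadSizeNonce]byte
	AuthTag    [aeadSizeTag]byte
	CipherText []byte
}

// aeadCounter models the state behind NewAeadCounter: an 8-byte random prefix
// fixed for the key's lifetime plus a block counter. Placing the counter in the
// last 4 nonce bytes, big-endian, and advancing it by 16-byte AES blocks is an
// ASSUMPTION of this example, not the package's documented layout.
type aeadCounter struct {
	random [aeadSizeRand]byte
	blocks uint32
}

func newAeadCounter() (*aeadCounter, error) {
	c := &aeadCounter{}
	_, err := rand.Read(c.random[:])
	return c, err
}

// nextIV hands out a nonce and advances the counter so that two messages sealed
// under one key never share an IV. GCM nonce reuse exposes the keystream and
// the authentication key, so exhaustion is an error (rekey), never a wrap-around.
func (c *aeadCounter) nextIV(plaintextLen int) ([aeadSizeNonce]byte, error) {
	var iv [aeadSizeNonce]byte
	blocks := uint32((plaintextLen + 15) / 16)
	if blocks == 0 {
		blocks = 1 // an empty plaintext still consumes one counter value
	}
	if c.blocks > ^uint32(0)-blocks {
		return iv, errors.New("aead counter exhausted; rekey required")
	}
	copy(iv[:aeadSizeRand], c.random[:])
	binary.BigEndian.PutUint32(iv[aeadSizeRand:], c.blocks)
	c.blocks += blocks
	return iv, nil
}

func newGCM(key [aeadSizeTag]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:]) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadEncrypt seals plaintext with AES-GCM, binding info as associated data so
// a ciphertext cannot be accepted under a different request context.
func aeadEncrypt(key [aeadSizeTag]byte, plaintext, info []byte, counter *aeadCounter) (*aeadMessage, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv, err := counter.nextIV(len(plaintext))
	if err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, iv[:], plaintext, info)
	n := len(sealed) - aeadSizeTag
	msg := &aeadMessage{IV: iv, CipherText: append([]byte(nil), sealed[:n]...)}
	copy(msg.AuthTag[:], sealed[n:])
	return msg, nil
}

// aeadDecrypt re-joins ciphertext and tag and opens the message; a wrong key,
// wrong info or any modified byte fails authentication and yields no plaintext.
func aeadDecrypt(key [aeadSizeTag]byte, msg aeadMessage, info []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte(nil), msg.CipherText...), msg.AuthTag[:]...)
	pt, err := gcm.Open(nil, msg.IV[:], sealed, info)
	if err != nil {
		return nil, fmt.Errorf("aead: authentication failed: %w", err)
	}
	return pt, nil
}
```

The point a reviewer checks in code like this is the nonce discipline: the counter is the only thing standing between two messages under one key and a repeated IV, so it must never be reset, shared between keys, or allowed to wrap. Decryption takes the message by value and rebuilds the `ciphertext || tag` layout that Go's GCM expects; any bit flipped in IV, tag, ciphertext or the associated data makes `Open` fail before plaintext is produced.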

type Challenge

type Challenge interface {
	// Name returns the name of the challenge.
	Name() string

	// Request gets the params of the challenge request.
	// The input provides the params of the previous challenge response.
	// Input is nil for the initial request.
	// Status is for the previous challenge response.
	Request(input ParamMap, status optional.Optional[string]) (ParamMap, error)
}

Challenge is the interface for an NDNCERT challenge.

type ChallengeDns added in v1.5.3

type ChallengeDns struct {
	// DomainCallback is called to get the domain name from the user.
	// It receives the challenge status for user prompting.
	DomainCallback func(status string) string

	// ConfirmationCallback is called to get confirmation from user that
	// they have created the required DNS record.
	// It receives the record details and status for user prompting.
	ConfirmationCallback func(recordName, expectedValue, status string) string
	// contains filtered or unexported fields
}

ChallengeDns implements the DNS-01 challenge following Let's Encrypt practices. The challenge allows certificate requesters to prove domain ownership by creating a DNS TXT record containing a challenge token.

Challenge Flow:

1. Requester provides the domain name they want to validate.
2. CA generates a challenge token and responds with the DNS record details.
3. Requester creates a TXT record at _ndncert-challenge.<domain> containing the challenge response.
4. Requester confirms the record is in place.
5. CA performs a DNS lookup to verify the TXT record exists.

func (*ChallengeDns) Name added in v1.5.3

func (*ChallengeDns) Name() string

(AI GENERATED DESCRIPTION): Returns the predefined DNS keyword `KwDns`, identifying this challenge type.

func (*ChallengeDns) Request added in v1.5.3

func (c *ChallengeDns) Request(input ParamMap, status optional.Optional[string]) (ParamMap, error)

(AI GENERATED DESCRIPTION): Handles the DNS challenge flow by validating configuration, requesting domain and record details, invoking callbacks for user confirmation, and returning the appropriate parameter map for each challenge status.
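The CA-side half of the flow above (steps 3 to 5) is what decides whether the challenge actually proves control of the domain, so the following added example (written for this page, not code from the ndnd project) shows the verification step with an injectable TXT lookup: the record name is derived from the domain under the DNSPrefix constant, the domain is normalised and sanity-checked before it reaches a resolver, and a resolver failure is kept distinct from "name resolves but no value matches". The `txtLookup` hook, the fake zone and the token values are constructed for the example; a real CA would pass a resolver function such as net.LookupTXT.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// dnsPrefix matches the DNSPrefix constant on this page.
const dnsPrefix = "_ndncert-challenge"

// txtLookup is the resolver hook (an assumption of this example). A real CA
// passes net.LookupTXT or a net.Resolver method bound to a trusted resolver;
// tests pass an in-memory fake.
type txtLookup func(name string) ([]string, error)

// challengeRecordName builds the owner name the requester must populate,
// normalising case and a trailing dot so "Example.COM." and "example.com"
// verify the same record. Input that does not look like a bare domain, or that
// already carries the challenge prefix, is rejected before any lookup happens.
func challengeRecordName(domain string) (string, error) {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" || strings.ContainsAny(d, " \t/\\@") || strings.HasPrefix(d, dnsPrefix+".") {
		return "", fmt.Errorf("invalid domain %q", domain)
	}
	return dnsPrefix + "." + d, nil
}

// errRecordMissing means the name resolved but no TXT value matched. A CA can
// map it to a pending status (the requester may still be waiting on propagation)
// while a resolver error is reported as such.
var errRecordMissing = errors.New("expected TXT record not found")

// verifyDnsChallenge is the CA-side check (step 5 of the flow): every TXT value
// at the record name is compared with the expected token and only an exact
// match passes. Unrelated TXT records at the same name are ignored, not an error.
func verifyDnsChallenge(lookup txtLookup, domain, expected string) error {
	name, err := challengeRecordName(domain)
	if err != nil {
		return err
	}
	records, err := lookup(name)
	if err != nil {
		return fmt.Errorf("dns lookup %s: %w", name, err)
	}
	for _, r := range records {
		if r == expected {
			return nil
		}
	}
	return errRecordMissing
}

// fakeZone returns a lookup over constructed sample data standing in for live DNS.
func fakeZone(zone map[string][]string) txtLookup {
	return func(name string) ([]string, error) {
		recs, ok := zone[strings.ToLower(strings.TrimSuffix(name, "."))]
		if !ok {
			return nil, errors.New("NXDOMAIN")
		}
		return recs, nil
	}
}

func main() {
	zone := fakeZone(map[string][]string{
		"_ndncert-challenge.example.com": {"v=spf1 -all", "tok-constructed-123"},
	})
	fmt.Println("valid record:", verifyDnsChallenge(zone, "Example.COM.", "tok-constructed-123"))
	fmt.Println("wrong token: ", verifyDnsChallenge(zone, "example.com", "tok-other"))
	fmt.Println("no such name:", verifyDnsChallenge(zone, "other.example", "tok-constructed-123"))
}
```

Passing the lookup as a function keeps the decision logic testable without network access and lets the CA choose which resolver it trusts; the token should be unguessable and fresh per request, since whoever can place it at the record name is treated as the domain's controller.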

type ChallengeEmail

type ChallengeEmail struct {
	// Email address to send the challenge to.
	Email string
	// Callback to get the code from the user.
	CodeCallback func(status string) string
}

func (*ChallengeEmail) Name

func (*ChallengeEmail) Name() string

(AI GENERATED DESCRIPTION): Returns the constant name string KwEmail that identifies ChallengeEmail packets.

func (*ChallengeEmail) Request

func (c *ChallengeEmail) Request(input ParamMap, status optional.Optional[string]) (ParamMap, error)

(AI GENERATED DESCRIPTION): Generates the appropriate request parameters for an email-based challenge, returning the email address on first contact or the user-supplied code when a status indicates a required or incorrect code.

type ChallengePin

type ChallengePin struct {
	// Callback to get the code from the user.
	CodeCallback func(status string) string
}

func (*ChallengePin) Name

func (*ChallengePin) Name() string

(AI GENERATED DESCRIPTION): Returns the predefined keyword string (KwPin) that identifies a ChallengePin, used as its name in the protocol.

func (*ChallengePin) Request

func (c *ChallengePin) Request(input ParamMap, status optional.Optional[string]) (ParamMap, error)

(AI GENERATED DESCRIPTION): Processes a challenge request by calling a configured callback to obtain a PIN code when the status indicates "need-code" or "wrong-code", returning that code in a ParamMap, and otherwise validating the challenge configuration or returning an error for unknown status.

type ChallengeStatus

type ChallengeStatus uint64
const (
	ChallengeStatusBefore    ChallengeStatus = 0
	ChallengeStatusChallenge ChallengeStatus = 1
	ChallengeStatusPending   ChallengeStatus = 2
	ChallengeStatusSuccess   ChallengeStatus = 3
	ChallengeStatusFailure   ChallengeStatus = 4
)

type Client

type Client struct {
	// contains filtered or unexported fields
}

func NewClient

func NewClient(engine ndn.Engine, caCert []byte) (*Client, error)

NewClient creates a new NDNCERT client.

engine: NDN engine
caCert: CA certificate raw wire
signer: signer for the client

func (*Client) CaPrefix

func (c *Client) CaPrefix() enc.Name

CaPrefix returns the CA prefix.

func (*Client) Challenge

func (c *Client) Challenge(
	challenge Challenge,
	newRes *tlv.NewRes,
	prevRes *tlv.ChallengeRes,
) (*tlv.ChallengeRes, error)

Challenge sends a CHALLENGE request to the CA (blocking).

func (*Client) FetchIssuedCert

func (c *Client) FetchIssuedCert(chRes *tlv.ChallengeRes) (ndn.Data, enc.Wire, error)

FetchIssuedCert fetches the issued certificate from the CA (blocking).

func (*Client) FetchProbe

func (c *Client) FetchProbe(params ParamMap) (*tlv.ProbeRes, error)

FetchProbe sends a PROBE request to the CA (blocking).

func (*Client) FetchProbeRedirect

func (c *Client) FetchProbeRedirect(params ParamMap) (probe *tlv.ProbeRes, err error)

FetchProbeRedirect sends a PROBE request to the CA (blocking). If a redirect is received, the request is sent to the new location.

func (*Client) FetchProfile

func (c *Client) FetchProfile() (*tlv.CaProfile, error)

FetchProfile fetches the profile from the CA (blocking).

func (*Client) New

func (c *Client) New(challenge Challenge, expiry time.Time) (*tlv.NewRes, error)

New sends a NEW request to the CA (blocking).

func (*Client) RequestCert

func (c *Client) RequestCert(args RequestCertArgs) (*RequestCertResult, error)

RequestCert is the high-level function to issue a certificate. This API is recommended for most cases. It is a blocking function and should be called in a separate goroutine.

func (*Client) SetSigner

func (c *Client) SetSigner(signer ndn.Signer)

SetSigner sets the signer for the client.

type ErrSignerProbeMismatch

type ErrSignerProbeMismatch struct {
	KeyName   enc.Name
	Suggested []enc.Name
}

RequestCert Errors

func (ErrSignerProbeMismatch) Error

func (e ErrSignerProbeMismatch) Error() string

(AI GENERATED DESCRIPTION): Generates an error message stating that the supplied signer does not match any CA suggestion for the specified key name.

type ParamMap

type ParamMap map[string][]byte

ParamMap is a map of challenge parameters.

type RequestCertArgs

type RequestCertArgs struct {
	// Challenge is the challenge to be used for the certificate request.
	Challenge Challenge
	// OnProfile is called when a CA profile is fetched.
	// Returning an error will abort the request.
	OnProfile func(profile *tlv.CaProfile) error
	// DisableProbe is a flag to disable the probe step.
	// If true, the key will be used directly.
	DisableProbe bool
	// OnProbeParam is the callback to get the probe parameter.
	// Returning an error will abort the request.
	OnProbeParam func(key string) ([]byte, error)
	// OnChooseKey is the callback to choose a key suggestion.
	// Returning an invalid index will abort the request.
	// If nil, the first suggestion is used.
	OnChooseKey func(suggestions []enc.Name) int
	// OnKeyChosen is called when a key is chosen.
	// Returning an error will abort the request.
	OnKeyChosen func(keyName enc.Name) error
}

RequestCertArgs holds the arguments for the Issue function.

type RequestCertResult

type RequestCertResult struct {
	// CertData is the issued certificate data.
	CertData ndn.Data
	// CertWire is the raw certificate data.
	CertWire enc.Wire
	// Signer is the signer used for the certificate.
	Signer ndn.Signer
}

RequestCertResult is the result of the Issue function.

Directories

Path Synopsis
Code generated by ndn tlv codegen DO NOT EDIT.
Code generated by ndn tlv codegen DO NOT EDIT.
