Documentation
Index
- func NewChainValidator(trustedRoots *x509util.PEMCertPool, rejectExpired, rejectUnexpired bool, ...) chainValidator
- func NewCpSigner(cs crypto.Signer, origin string, timeSource TimeSource) (note.Signer, error)
- func NewLog(ctx context.Context, origin string, signer crypto.Signer, cv ChainValidator, ...) (*log, error)
- func NewPathHandlers(ctx context.Context, opts *HandlerOptions, log *log) pathHandlers
- func ParseExtKeyUsages(kus []string) ([]x509.ExtKeyUsage, error)
- func ParseOIDs(oids []string) ([]asn1.ObjectIdentifier, error)
- type ChainValidator
- type DefaultRequestLog
- type HandlerOptions
- type RateLimits
- type Storage
- type TimeSource
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewChainValidator
func NewChainValidator(trustedRoots *x509util.PEMCertPool, rejectExpired, rejectUnexpired bool, notAfterStart, notAfterLimit *time.Time, extKeyUsages []x509.ExtKeyUsage, rejectExtIds []asn1.ObjectIdentifier, acceptSHA1 bool) chainValidator
func NewCpSigner
func NewCpSigner(cs crypto.Signer, origin string, timeSource TimeSource) (note.Signer, error)
NewCpSigner returns a new note signer that can sign https://c2sp.org/static-ct-api checkpoints. TODO(phboneff): add tests
func NewLog
func NewLog(ctx context.Context, origin string, signer crypto.Signer, cv ChainValidator, cs storage.CreateStorage, ts TimeSource) (*log, error)
NewLog instantiates a new log instance with write endpoints. It initialises:
- checkpoint signer
- SCT signer
- storage, used to persist chains
func NewPathHandlers
func NewPathHandlers(ctx context.Context, opts *HandlerOptions, log *log) pathHandlers
func ParseExtKeyUsages
func ParseExtKeyUsages(kus []string) ([]x509.ExtKeyUsage, error)
ParseExtKeyUsages parses strings into x509.ExtKeyUsage values. It returns an error if a string does not match a known key usage.
Types
type ChainValidator
type ChainValidator interface {
	Validate(chain []*x509.Certificate, expectingPrecert bool) ([]*x509.Certificate, error)
	Roots() []*x509.Certificate
}
ChainValidator provides functions to validate incoming chains.
type DefaultRequestLog
type DefaultRequestLog struct {
}
DefaultRequestLog is an implementation of RequestLog that does nothing except log the calls at a high level of verbosity.
type HandlerOptions
type HandlerOptions struct {
	// Deadline is a timeout for HTTP requests.
	Deadline time.Duration
	// RequestLog provides structured logging of TesseraCT requests.
	RequestLog requestLog
	// MaskInternalErrors indicates if internal server errors should be masked
	// or returned to the user containing the full error message.
	MaskInternalErrors bool
	// TimeSource indicates the system time and can be injected for testing.
	// TODO(phbnf): hide inside the log
	TimeSource TimeSource
	// PathPrefix prefixes static-ct-api endpoint paths.
	PathPrefix string
	// RateLimits describes optional rate limits to enforce.
	RateLimits RateLimits
}
HandlerOptions describes log handlers options.
type RateLimits (added in v0.1.1)
type RateLimits struct {
	// contains filtered or unexported fields
}
RateLimits knows how to apply configurable rate limits to submissions.
func (*RateLimits) AcceptDedup (added in v0.1.1)
func (r *RateLimits) AcceptDedup(ctx context.Context) bool
AcceptDedup returns true if a duplicate entry is permitted to be resolved.
func (*RateLimits) AcceptNotBefore (added in v0.1.1)
func (r *RateLimits) AcceptNotBefore(ctx context.Context, chain []*x509.Certificate) bool
AcceptNotBefore returns true if the provided chain should be accepted, and false otherwise.
func (*RateLimits) Dedup (added in v0.1.1)
func (r *RateLimits) Dedup(limit float64)
Dedup configures a rate limit on entries being deduplicated.
Submissions will be subject to the specified number of entries per second.
type Storage
type Storage interface {
	// Add assigns an index to the provided Entry, stages the entry for integration, and returns a future for the assigned index.
	Add(context.Context, *ctonly.Entry) (tessera.IndexFuture, error)
	// DedupFuture fetches a duplicate tessera ctlog entry from the log and extracts its timestamp.
	DedupFuture(context.Context, tessera.IndexFuture) (uint64, error)
	// AddIssuerChain stores every certificate in the chain in a content-addressable store under its SHA-256 hash.
	AddIssuerChain(context.Context, []*x509.Certificate) error
}
Storage provides functions to store certificates in a static-ct-api log.
type TimeSource
type TimeSource interface {
	// Now returns the current time in real implementations, or a suitable value in others.
	Now() time.Time
}
TimeSource can provide the current time, or be replaced by a mock in tests to return specific values.