aboutsummaryrefslogtreecommitdiff
path: root/namespace/namespace.go
diff options
context:
space:
mode:
Diffstat (limited to 'namespace/namespace.go')
-rw-r--r--namespace/namespace.go150
1 files changed, 150 insertions, 0 deletions
diff --git a/namespace/namespace.go b/namespace/namespace.go
new file mode 100644
index 0000000..a02de6d
--- /dev/null
+++ b/namespace/namespace.go
@@ -0,0 +1,150 @@
+// Package namespace provides namespace functionality. A namespace refers to a
+// particular verification key and signing algorithm that can be serialized with
+// TLS 1.2 notation, see RFC 5246 (ยง4). Only Ed25519 is supported at this time.
+//
+// For example, this is how a serialized Ed25519 namespace looks like:
+//
+// 0 2 34 (byte index)
+// +---+----------------------+
+// | 1 + Verification key +
+// +---+----------------------+
+package namespace
+
+import (
+ "fmt"
+
+ "crypto/ed25519"
+
+ "github.com/google/certificate-transparency-go/tls"
+)
+
+// NamespaceFormat defines a particular namespace type that is versioend
+type NamespaceFormat tls.Enum
+
+const (
+ NamespaceFormatReserved NamespaceFormat = 0
+ NamespaceFormatEd25519V1 NamespaceFormat = 1
+)
+
+// Namespace references a versioned namespace based on a given format specifier
+type Namespace struct {
+ Format NamespaceFormat `tls:"maxval:65535"`
+ NamespaceEd25519V1 *NamespaceEd25519V1 `tls:"selector:Format,val:1"`
+}
+
+// NamespaceEd25519V1 uses an Ed25519 verification key as namespace. Encoding,
+// signing, and verification operations are defined by RFC 8032.
+type NamespaceEd25519V1 struct {
+ Namespace []byte `tls:"minlen:32,maxlen:32"`
+}
+
+// String returns a human-readable representation of a namespace.
+func (n Namespace) String() string {
+ switch n.Format {
+ case NamespaceFormatEd25519V1:
+ return fmt.Sprintf("%x", n.NamespaceEd25519V1.Namespace)
+ default:
+ return "reserved"
+ }
+}
+
+// NewNamespaceEd25519V1 returns an new Ed25519V1 namespace based on a
+// verification key.
+func NewNamespaceEd25519V1(vk []byte) (*Namespace, error) {
+ if len(vk) != 32 {
+ return nil, fmt.Errorf("invalid verification key: must be 32 bytes")
+ }
+ return &Namespace{
+ Format: NamespaceFormatEd25519V1,
+ NamespaceEd25519V1: &NamespaceEd25519V1{
+ Namespace: vk,
+ },
+ }, nil
+}
+
+// Verify checks that signature is valid over message for this namespace
+func (ns *Namespace) Verify(message, signature []byte) error {
+ switch ns.Format {
+ case NamespaceFormatEd25519V1:
+ if !ed25519.Verify(ed25519.PublicKey(ns.NamespaceEd25519V1.Namespace), message, signature) {
+ return fmt.Errorf("ed25519 signature verification failed")
+ }
+ default:
+ return fmt.Errorf("namespace not supported: %v", ns.Format)
+ }
+ return nil
+}
+
+func (ns *Namespace) Marshal() ([]byte, error) {
+ serialized, err := tls.Marshal(*ns)
+ if err != nil {
+ return nil, fmt.Errorf("marshaled failed for namespace(%v): %v", ns.Format, err)
+ }
+ return serialized, err
+}
+
+func (ns *Namespace) Unmarshal(serialized []byte) error {
+ extra, err := tls.Unmarshal(serialized, ns)
+ if err != nil {
+ return fmt.Errorf("unmarshal failed for namespace: %v", err)
+ } else if len(extra) > 0 {
+ return fmt.Errorf("unmarshal found extra data for namespace(%v): %v", ns.Format, err)
+ }
+ return nil
+}
+
+// NamespacePool is a pool of namespaces that contain complete verification keys
+type NamespacePool struct {
+ pool map[string]*Namespace
+ list []*Namespace
+ // If we need to update this structure without a restart => add mutex.
+}
+
+// NewNameSpacePool creates a new namespace pool from a list of namespaces. An
+// error is returned if there are duplicate namespaces or namespaces without a
+// complete verification key. The latter is determined by namespaceWithKey().
+func NewNamespacePool(namespaces []*Namespace) (*NamespacePool, error) {
+ np := &NamespacePool{
+ pool: make(map[string]*Namespace),
+ list: make([]*Namespace, 0),
+ }
+ for _, namespace := range namespaces {
+ if !namespaceWithKey(namespace.Format) {
+ return nil, fmt.Errorf("need verification key in namespace pool: %v", namespace.Format)
+ }
+ if _, ok := np.pool[namespace.String()]; ok {
+ return nil, fmt.Errorf("duplicate namespace: %v", namespace.String())
+ }
+ np.pool[namespace.String()] = namespace
+ np.list = append(np.list, namespace)
+ }
+ return np, nil
+}
+
+// Find checks if namespace is a member of the namespace pool.
+func (np *NamespacePool) Find(namespace *Namespace) (*Namespace, bool) {
+ if _, ok := np.pool[namespace.String()]; !ok {
+ return nil, false
+ }
+ // If the passed namespace is a key fingerprint the actual key needs to be
+ // attached before returning. Not applicable for Ed25519. Docdoc later.
+ return namespace, true
+}
+
+// List returns a copied list of namespaces that is used by this pool.
+func (np *NamespacePool) List() []*Namespace {
+ namespaces := make([]*Namespace, len(np.list))
+ copy(namespaces, np.list)
+ return namespaces
+}
+
+// namespaceWithKey returns true if a namespace format contains a complete
+// verification key. I.e., some formats might have a key fingerprint instead.
+func namespaceWithKey(format NamespaceFormat) bool {
+ switch format {
+ case NamespaceFormatEd25519V1:
+ return true
+ default:
+ return false
+ }
+}