Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewLogHandler
func NewLogHandler(ctx context.Context, origin string, signer crypto.Signer, cfg ChainValidationConfig, cs storage.CreateStorage, httpDeadline time.Duration, maskInternalErrors bool) (http.Handler, error)
NewLogHandler creates a Tessera-based CT log plugged into HTTP handlers. The HTTP server handlers implement the https://c2sp.org/static-ct-api write endpoints.
Types
type ChainValidationConfig
type ChainValidationConfig struct {
	// RootsPEMFile is the path to the file containing root certificates that
	// are acceptable to the log. The certs are served through the get-roots
	// endpoint.
	RootsPEMFile string
	// RejectExpired, if true, causes the certificate validity period to be
	// checked against the current time during the validation of submissions.
	// This will cause expired certificates to be rejected.
	RejectExpired bool
	// RejectUnexpired controls if TesseraCT rejects certificates that are
	// either currently valid or not yet valid.
	// TODO(phboneff): evaluate whether we need to keep this one.
	RejectUnexpired bool
	// ExtKeyUsages lists Extended Key Usage values that newly submitted
	// certificates MUST contain. By default all are accepted. The
	// values specified must be ones known to the x509 package, comma separated.
	ExtKeyUsages string
	// RejectExtensions lists X.509 extension OIDs that newly submitted
	// certificates MUST NOT contain. Empty by default. Values must be
	// specified in dotted string form (e.g. "2.3.4.5").
	RejectExtensions string
	// NotAfterStart defines the start of the range of acceptable NotAfter
	// values, inclusive.
	// Leaving this unset implies no lower bound to the range.
	NotAfterStart *time.Time
	// NotAfterLimit defines the end of the range of acceptable NotAfter values,
	// exclusive.
	// Leaving this unset implies no upper bound to the range.
	NotAfterLimit *time.Time
}
ChainValidationConfig contains parameters to configure chain validation.
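The time-related fields interact at their boundaries: NotAfterStart is inclusive, NotAfterLimit is exclusive, and RejectExpired / RejectUnexpired compare NotAfter against the current time. The following is an added example that follows the field comments above; it is not TesseraCT's own validation code. The `window` type and `checkNotAfter` helper are hypothetical names, and the dates are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// window mirrors only the time-related fields documented on
// ChainValidationConfig; it is a stand-in for this example, not the real type.
type window struct {
	RejectExpired   bool
	RejectUnexpired bool
	NotAfterStart   *time.Time // inclusive lower bound on NotAfter
	NotAfterLimit   *time.Time // exclusive upper bound on NotAfter
}

// checkNotAfter (hypothetical helper) applies the documented rules to a
// certificate's NotAfter as seen at time now, returning nil if acceptable.
func checkNotAfter(w window, notAfter, now time.Time) error {
	expired := now.After(notAfter)
	switch {
	case w.RejectExpired && expired:
		return errors.New("certificate is expired")
	case w.RejectUnexpired && !expired:
		return errors.New("certificate is valid or not yet valid")
	case w.NotAfterStart != nil && notAfter.Before(*w.NotAfterStart):
		return errors.New("NotAfter is before NotAfterStart")
	case w.NotAfterLimit != nil && !notAfter.Before(*w.NotAfterLimit):
		return errors.New("NotAfter is at or after NotAfterLimit")
	}
	return nil
}

func main() {
	// Constructed sample: accept NotAfter in [2025-01-01, 2025-07-01).
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	limit := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
	w := window{RejectExpired: true, NotAfterStart: &start, NotAfterLimit: &limit}
	now := time.Date(2024, 12, 1, 0, 0, 0, 0, time.UTC)
	for _, na := range []time.Time{start.Add(-time.Second), start, limit.Add(-time.Second), limit} {
		fmt.Printf("%s -> %v\n", na.Format(time.RFC3339), checkNotAfter(w, na, now))
	}
}
```

A certificate whose NotAfter equals NotAfterLimit exactly is rejected, while one that equals NotAfterStart is accepted.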
Directories
Path | Synopsis |
---|---|
cmd | |
aws | The ct_server binary runs the CT personality. |
experimental/migrate/gcp | migrate-gcp is a command-line tool for migrating data from a static-ct compliant log, into a TesseraCT log instance. |
gcp | The ct_server binary runs the CT personality. |
internal | |
client | Package client provides client support for interacting with logs that uses the [tlog-tiles API]. |
hammer | hammer is a tool to load test a Static CT API log. |
testonly/storage/posix | package posix implements a test issuer storage system on a local filesystem. |
types/tls | Package tls implements functionality for dealing with TLS-encoded data, as defined in RFC 5246. |
modules | |
dedup | Package dedup limits the number of duplicate entries a personality allows in a Tessera log. |
bbolt | Package bbolt implements modules/dedup using BBolt. |