...

Source file src/github.com/theupdateframework/go-tuf/verify/db.go

Documentation: github.com/theupdateframework/go-tuf/verify 

     1  package verify
     2  
     3  import (
     4  	"github.com/theupdateframework/go-tuf/data"
     5  	"github.com/theupdateframework/go-tuf/internal/roles"
     6  	"github.com/theupdateframework/go-tuf/pkg/keys"
     7  )
     8  
     9  type Role struct {
    10  	KeyIDs    map[string]struct{}
    11  	Threshold int
    12  }
    13  
    14  func (r *Role) ValidKey(id string) bool {
    15  	_, ok := r.KeyIDs[id]
    16  	return ok
    17  }
    18  
    19  type DB struct {
    20  	roles     map[string]*Role
    21  	verifiers map[string]keys.Verifier
    22  }
    23  
    24  func NewDB() *DB {
    25  	return &DB{
    26  		roles:     make(map[string]*Role),
    27  		verifiers: make(map[string]keys.Verifier),
    28  	}
    29  }
    30  
    31  // NewDBFromDelegations returns a DB that verifies delegations
    32  // of a given Targets.
    33  func NewDBFromDelegations(d *data.Delegations) (*DB, error) {
    34  	db := &DB{
    35  		roles:     make(map[string]*Role, len(d.Roles)),
    36  		verifiers: make(map[string]keys.Verifier, len(d.Keys)),
    37  	}
    38  	for _, r := range d.Roles {
    39  		if _, ok := roles.TopLevelRoles[r.Name]; ok {
    40  			return nil, ErrInvalidDelegatedRole
    41  		}
    42  		role := &data.Role{Threshold: r.Threshold, KeyIDs: r.KeyIDs}
    43  		if err := db.AddRole(r.Name, role); err != nil {
    44  			return nil, err
    45  		}
    46  	}
    47  	for id, k := range d.Keys {
    48  		if err := db.AddKey(id, k); err != nil {
    49  			return nil, err
    50  		}
    51  	}
    52  	return db, nil
    53  }
    54  
    55  func (db *DB) AddKey(id string, k *data.PublicKey) error {
    56  	verifier, err := keys.GetVerifier(k)
    57  	if err != nil {
    58  		return err // ErrInvalidKey
    59  	}
    60  
    61  	// TUF is considering in TAP-12 removing the
    62  	// requirement that the keyid hash algorithm be derived
    63  	// from the public key. So to be forwards compatible,
    64  	// we allow any key ID, rather than checking k.ContainsID(id)
    65  	//
    66  	// AddKey should be idempotent, so we allow re-adding the same PublicKey.
    67  	//
    68  	// TAP-12: https://github.com/theupdateframework/taps/blob/master/tap12.md
    69  	if oldVerifier, exists := db.verifiers[id]; exists && oldVerifier.Public() != verifier.Public() {
    70  		return ErrRepeatID{id}
    71  	}
    72  
    73  	db.verifiers[id] = verifier
    74  	return nil
    75  }
    76  
    77  func (db *DB) AddRole(name string, r *data.Role) error {
    78  	if r.Threshold < 1 {
    79  		return ErrInvalidThreshold
    80  	}
    81  
    82  	role := &Role{
    83  		KeyIDs:    make(map[string]struct{}),
    84  		Threshold: r.Threshold,
    85  	}
    86  	for _, id := range r.KeyIDs {
    87  		role.KeyIDs[id] = struct{}{}
    88  	}
    89  
    90  	db.roles[name] = role
    91  	return nil
    92  }
    93  
    94  func (db *DB) GetVerifier(id string) (keys.Verifier, error) {
    95  	k, ok := db.verifiers[id]
    96  	if !ok {
    97  		return nil, ErrMissingKey
    98  	}
    99  	return k, nil
   100  }
   101  
   102  func (db *DB) GetRole(name string) *Role {
   103  	return db.roles[name]
   104  }
   105  

View as plain text