GenerateChallenge returns a cryptographically secure random challenge string.

IsValidChallenge returns true if the passed challenge is validly formed.

NewCredentialAuthority makes a new signleton CredentialAuthority an start it running.

NewUserKeyAPIer returns a UserKeyAPIer implementation.

we use hex encoding.

ErrShutdown is raised when an operation is pending but the CA is shutting down.

BadKeyError is raised when the given KID is not valid for the given UID.

BadUsernameError is raised when the given username disagreeds with the expected username.

CredentialAuthority should be allocated as a singleton object.

InvalidTokenChallengeError is raised when the challenge presented in the token does not correspond to the challenge of the verifier.

InvalidTokenKeyError is raised when the public key presented in the token does not correspond to the private key used to sign the token.

InvalidTokenServerError is raised when the server presented in the token does not correspond to the server being asked to verify the token.

InvalidTokenTypeError is raised when the given token is not of the expected type.

KeysNotEqualError is raised when compared keys sets aren't equal.

MaxTokenExpiresError is raised when the given token expires too far in the future.

TokenExpiredError is raised when the given token is expired.

UserKeyAPIer is an interface that specifies the UserKeyAPI that will eventually be used to get information about the users from the trusted server authority.