identity

package
v0.0.0-...-8d377ce Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 29, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CACertificate 

func CACertificate(cn string) x509.Certificate

CA makes a Metropolis-compatible CA certificate template.

cn is a human-readable string that can be used to distinguish Metropolis clusters, if needed. It is not machine-parsed, instead only signature verification and CA pinning is performed.

func NodeCertificate 

func NodeCertificate(pubkey ed25519.PublicKey) x509.Certificate

NodeCertificate makes a Metropolis-compatible node certificate template.

func NodeID 

func NodeID(pub []byte) string

NodeID returns the name of this node, which is `metropolis-{pubkeyHash}`. This name should be the primary way to refer to Metropoils nodes within a cluster, and is guaranteed to be unique by relying on cryptographic randomness.

func NodeIDBare 

func NodeIDBare(pub []byte) string

NodeIDBare returns the `{pubkeyHash}` part of the node ID.

func UserCertificate 

func UserCertificate(identity string) x509.Certificate

UserCertificate makes a Metropolis-compatible user certificate template.

func VerifyCAInsecure 

func VerifyCAInsecure(ca *x509.Certificate) error

VerifyCAInsecure ensures that the given certificate is a valid certificate that is allowed to act as a CA and which is emitted for an Ed25519 keypair.

It does _not_ ensure that the certificate is the local node's CA, and should not be used for security checks, just for data validation checks.

func VerifyInCluster 

func VerifyInCluster(cert, ca *x509.Certificate) (ed25519.PublicKey, error)

VerifyInCluster ensures that the given certificate has been signed by a CA certificate and are both certificates emitted for ed25519 keypairs.

The subject certificate's public key is returned if verification is successful, and error is returned otherwise.

func VerifyNodeInCluster 

func VerifyNodeInCluster(node, ca *x509.Certificate) (ed25519.PublicKey, error)

VerifyNodeInCluster ensures that a given certificate is a Metropolis node certificate emitted by a given Metropolis CA.

The node's public key is returned if verification is successful, and error is returned otherwise.

func VerifyUserInCluster 

func VerifyUserInCluster(user, ca *x509.Certificate) (string, error)

VerifyUserInCluster ensures that a given certificate is a Metropolis user certificate emitted by a given Metropolis CA.

The user certificate's identity is returned if verification is successful, and error is returned otherwise.

Types

type Node 

type Node struct {
	// contains filtered or unexported fields
}

Node is the public part of the credentials of a node. They are emitted for a node by the cluster CA contained within the curator.

func NewNode 

func NewNode(cert, ca []byte) (*Node, error)

NewNode wraps a pair CA and node DER-encoded certificates into Node, ensuring the given certificate data is valid and compatible with Metropolis assumptions.

func (*Node) Certificate 

func (n *Node) Certificate() *x509.Certificate

func (*Node) ClusterCA 

func (n *Node) ClusterCA() *x509.Certificate

ClusterCA returns the CA certificate of the cluster for which this Node is emitted.

func (*Node) ID 

func (n *Node) ID() string

ID returns the canonical ID/name of the node for which this certificate/credentials were emitted.

func (*Node) PublicKey 

func (n *Node) PublicKey() ed25519.PublicKey

PublicKey returns the Ed25519 public key corresponding to this node's certificate/credentials.

type NodeCredentials 

type NodeCredentials struct {
	Node
	// contains filtered or unexported fields
}

NodeCredentials are the public and private part of the credentials of a node.

It represents all the data necessary for a node to authenticate over mTLS to other nodes and the rest of the cluster.

It must never be made available to any node other than the node it has been emitted for.

func NewNodeCredentials 

func NewNodeCredentials(priv, cert, ca []byte) (*NodeCredentials, error)

NewNodeCredentials wraps a pair of CA and node DER-encoded certificates plus a private key into NodeCredentials, ensuring that the given data is valid and compatible with Metropolis assumptions.

func (*NodeCredentials) Read 

func (n *NodeCredentials) Read(d PKIDirectory) error

Read initializes NodeCredentials' contents with the data stored in the PKIDirectory d. It may return an I/O error, or a parsing error.

func (*NodeCredentials) Save 

func (n *NodeCredentials) Save(d PKIDirectory) error

Save stores the given node credentials in local storage.

func (*NodeCredentials) TLSCredentials 

func (n *NodeCredentials) TLSCredentials() tls.Certificate

type PKIDirectory 

type PKIDirectory interface {
	ReadAll() (ca, cert *x509.Certificate, key ed25519.PrivateKey, err error)
	WriteAll(cert []byte, key ed25519.PrivateKey, ca []byte) error
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.