identity

package
v0.0.0-...-5f226fc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2024 License: MIT Imports: 23 Imported by: 58

Documentation

Overview

Package identity implements CA and Peer identity management and generation.

Index

Constants

View Source 
const (
	NoCertNoKey = TLSFilesStatus(iota)
	CertNoKey
	NoCertKey
	CertKey
)

Four possible outcomes for four files.

Variables

View Source 
var (
	// ErrZeroBytes is returned for zero slice.
	ErrZeroBytes = errs.New("byte slice was unexpectedly empty")
)
View Source 
var (

	// Error is a identity error.
	Error = errs.Class("identity")
)

Functions

func EncodePeerIdentity 

func EncodePeerIdentity(pi *PeerIdentity) []byte

EncodePeerIdentity encodes the complete identity chain to bytes.

func GenerateKey 

func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) (
	k crypto.PrivateKey, id storj.NodeID, err error)

GenerateKey generates a private key with a node id with difficulty at least minDifficulty. No parallelism is used.

func GenerateKeys 

func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, version storj.IDVersion, found GenerateCallback) (err error)

GenerateKeys continues to generate keys until found returns done == false, or the ctx is canceled.

func NodeIDFromCert 

func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)

NodeIDFromCert looks for a version in an ID version extension in the passed cert and then calculates a versioned node ID using the certificate public key. NB: `cert` would typically be an identity's certificate authority certificate.

func NodeIDFromCertPath 

func NodeIDFromCertPath(certPath string) (storj.NodeID, error)

NodeIDFromCertPath loads a node ID from a certificate file path.

func NodeIDFromKey 

func NodeIDFromKey(k crypto.PublicKey, version storj.IDVersion) (storj.NodeID, error)

NodeIDFromKey calculates the node ID for a given public key with the passed version.

func NodeIDFromPEM 

func NodeIDFromPEM(pemBytes []byte) (storj.NodeID, error)

NodeIDFromPEM loads a node ID from certificate bytes.

func ToChains 

func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate

ToChains takes a number of certificate chains and returns them as a 2d slice of chains of certificates.

Types

type CASetupConfig 

type CASetupConfig struct {
	VersionNumber  uint   `default:"0" help:"which identity version to use (0 is latest)"`
	ParentCertPath string `help:"path to the parent authority's certificate chain"`
	ParentKeyPath  string `help:"path to the parent authority's private key"`
	CertPath       string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath        string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
	Difficulty     uint64 `help:"minimum difficulty for identity generation" default:"36"`
	Timeout        string `help:"timeout for CA generation; golang duration string (0 no timeout)" default:"5m"`
	Overwrite      bool   `help:"if true, existing CA certs AND keys will overwritten" default:"false" setup:"true"`
	Concurrency    uint   `help:"number of concurrent workers for certificate authority generation" default:"4"`
}

CASetupConfig is for creating a CA.

func (CASetupConfig) Create 

func (caS CASetupConfig) Create(ctx context.Context, logger io.Writer) (*FullCertificateAuthority, error)

Create generates and saves a CA using the config.

func (CASetupConfig) FullConfig 

func (caS CASetupConfig) FullConfig() FullCAConfig

FullConfig converts a `CASetupConfig` to `FullCAConfig`.

func (CASetupConfig) Status 

func (caS CASetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the CA cert/key files for the config.

type Config 

type Config struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true" path:"true"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" user:"true" path:"true"`
}

Config allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (Config) Load 

func (ic Config) Load() (*FullIdentity, error)

Load loads a FullIdentity from the config.

func (Config) PeerConfig 

func (ic Config) PeerConfig() *PeerConfig

PeerConfig converts a Config to a PeerConfig.

func (Config) Save 

func (ic Config) Save(fi *FullIdentity) error

Save saves a FullIdentity according to the config.

func (Config) SaveBackup 

func (ic Config) SaveBackup(fi *FullIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename.

type FullCAConfig 

type FullCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
}

FullCAConfig is for locating a CA certificate and it's private key.

func (FullCAConfig) Load 

func (fc FullCAConfig) Load() (*FullCertificateAuthority, error)

Load loads a CA from the given configuration.

func (FullCAConfig) PeerConfig 

func (fc FullCAConfig) PeerConfig() PeerCAConfig

PeerConfig converts a full ca config to a peer ca config.

func (FullCAConfig) Save 

func (fc FullCAConfig) Save(ca *FullCertificateAuthority) error

Save saves a CA with the given configuration.

func (FullCAConfig) SaveBackup 

func (fc FullCAConfig) SaveBackup(ca *FullCertificateAuthority) error

SaveBackup saves the certificate of the config wth a timestamped filename.

type FullCertificateAuthority 

type FullCertificateAuthority struct {
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
	// Key is the private key of the CA
	Key crypto.PrivateKey
}

FullCertificateAuthority represents the CA which is used to author and validate full identities.

func FullCertificateAuthorityFromPEM 

func FullCertificateAuthorityFromPEM(chainPEM, keyPEM []byte) (*FullCertificateAuthority, error)

FullCertificateAuthorityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewCA 

func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority, err error)

NewCA creates a new full identity with the given difficulty.

func (*FullCertificateAuthority) AddExtension 

func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error

AddExtension adds extensions to certificate authority certificate. Extensions are serialized into the certificate's raw bytes and it is re-signed by itself.

func (*FullCertificateAuthority) Chain 

func (ca *FullCertificateAuthority) Chain() []*x509.Certificate

Chain returns the CA's certificate chain.

func (*FullCertificateAuthority) NewIdentity 

func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)

NewIdentity generates a new `FullIdentity` based on the CA. The CA cert is included in the identity's cert chain and the identity's leaf cert is signed by the CA.

func (*FullCertificateAuthority) PeerCA 

func (ca *FullCertificateAuthority) PeerCA() *PeerCertificateAuthority

PeerCA converts a FullCertificateAuthority to a PeerCertificateAuthority.

func (*FullCertificateAuthority) RawChain 

func (ca *FullCertificateAuthority) RawChain() [][]byte

RawChain returns the CA's certificate chain as a 2d byte slice.

func (*FullCertificateAuthority) RawRestChain 

func (ca *FullCertificateAuthority) RawRestChain() [][]byte

RawRestChain returns the "rest" (excluding `ca.Cert`) of the certificate chain as a 2d byte slice.

func (*FullCertificateAuthority) Revoke 

func (ca *FullCertificateAuthority) Revoke() error

Revoke extends the certificate authority certificate with a certificate revocation extension.

func (*FullCertificateAuthority) Sign 

func (ca *FullCertificateAuthority) Sign(cert *x509.Certificate) (*x509.Certificate, error)

Sign signs the passed certificate with ca certificate.

func (*FullCertificateAuthority) Version 

func (ca *FullCertificateAuthority) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type FullIdentity 

type FullIdentity struct {
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA. The ID is taken from this cert.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
	// Key is the key this identity uses with the leaf for communication.
	Key crypto.PrivateKey
}

FullIdentity represents you on the network. In addition to a PeerIdentity, a FullIdentity also has a Key, which a PeerIdentity doesn't have.

func FullIdentityFromPEM 

func FullIdentityFromPEM(chainPEM, keyPEM []byte) (*FullIdentity, error)

FullIdentityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewFullIdentity 

func NewFullIdentity(ctx context.Context, opts NewCAOptions) (*FullIdentity, error)

NewFullIdentity creates a new ID for nodes with difficulty and concurrency params.

func (*FullIdentity) Chain 

func (fi *FullIdentity) Chain() []*x509.Certificate

Chain returns the Identity's certificate chain.

func (*FullIdentity) PeerIdentity 

func (fi *FullIdentity) PeerIdentity() *PeerIdentity

PeerIdentity converts a FullIdentity into a PeerIdentity.

func (*FullIdentity) RawChain 

func (fi *FullIdentity) RawChain() [][]byte

RawChain returns all of the certificate chain as a 2d byte slice.

func (*FullIdentity) RawRestChain 

func (fi *FullIdentity) RawRestChain() [][]byte

RawRestChain returns the rest (excluding leaf and CA) of the certificate chain as a 2d byte slice.

func (*FullIdentity) Version 

func (fi *FullIdentity) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type GenerateCallback 

type GenerateCallback func(crypto.PrivateKey, storj.NodeID) (done bool, err error)

GenerateCallback indicates that key generation is done when done is true. if err != nil key generation will stop with that error.

type ManageableFullIdentity 

type ManageableFullIdentity struct {
	*FullIdentity
	CA *FullCertificateAuthority
}

ManageableFullIdentity is a `FullIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization and the leaf private key; e.g. revoking a leaf cert (private key changes).

func NewManageableFullIdentity 

func NewManageableFullIdentity(ident *FullIdentity, ca *FullCertificateAuthority) *ManageableFullIdentity

NewManageableFullIdentity returns a manageable identity given a full identity and a full certificate authority.

func (*ManageableFullIdentity) Revoke 

func (manageableIdent *ManageableFullIdentity) Revoke() error

Revoke extends the CA certificate with a certificate revocation extension.

type ManageablePeerIdentity 

type ManageablePeerIdentity struct {
	*PeerIdentity
	CA *FullCertificateAuthority
}

ManageablePeerIdentity is a `PeerIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization; e.g. adding extensions.

func NewManageablePeerIdentity 

func NewManageablePeerIdentity(ident *PeerIdentity, ca *FullCertificateAuthority) *ManageablePeerIdentity

NewManageablePeerIdentity returns a manageable identity given a full identity and a full certificate authority.

func (*ManageablePeerIdentity) AddExtension 

func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extension) error

AddExtension adds extensions to the leaf cert of an identity. Extensions are serialized into the certificate's raw bytes and is re-signed by it's certificate authority.

type NewCAOptions 

type NewCAOptions struct {
	// VersionNumber is the IDVersion to use for the identity
	VersionNumber storj.IDVersionNumber
	// Difficulty is the number of trailing zero-bits the nodeID must have
	Difficulty uint16
	// Concurrency is the number of go routines used to generate a CA of sufficient difficulty
	Concurrency uint
	// ParentCert, if provided will be prepended to the certificate chain
	ParentCert *x509.Certificate
	// ParentKey ()
	ParentKey crypto.PrivateKey
	// Logger is used to log generation status updates
	Logger io.Writer
}

NewCAOptions is used to pass parameters to `NewCA`.

type PeerCAConfig 

type PeerCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
}

PeerCAConfig is for locating a CA certificate without a private key.

func (PeerCAConfig) Load 

func (pc PeerCAConfig) Load() (*PeerCertificateAuthority, error)

Load loads a CA from the given configuration.

func (PeerCAConfig) Save 

func (pc PeerCAConfig) Save(ca *PeerCertificateAuthority) error

Save saves a peer CA (cert, no key) with the given configuration.

func (PeerCAConfig) SaveBackup 

func (pc PeerCAConfig) SaveBackup(ca *PeerCertificateAuthority) error

SaveBackup saves the certificate of the config wth a timestamped filename.

type PeerCertificateAuthority 

type PeerCertificateAuthority struct {
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
}

PeerCertificateAuthority represents the CA which is used to validate peer identities.

func PeerCertificateAuthorityFromPEM 

func PeerCertificateAuthorityFromPEM(chainPEM []byte) (*PeerCertificateAuthority, error)

PeerCertificateAuthorityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

type PeerConfig 

type PeerConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true" path:"true"`
}

PeerConfig allows you to interact with a peer identity (cert, no key) on disk.

func (PeerConfig) Load 

func (ic PeerConfig) Load() (*PeerIdentity, error)

Load loads a PeerIdentity from the config.

func (PeerConfig) Save 

func (ic PeerConfig) Save(peerIdent *PeerIdentity) error

Save saves a PeerIdentity according to the config.

func (PeerConfig) SaveBackup 

func (ic PeerConfig) SaveBackup(pi *PeerIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename.

type PeerIdentity 

type PeerIdentity struct {
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
}

PeerIdentity represents another peer on the network.

func DecodePeerIdentity 

func DecodePeerIdentity(ctx context.Context, chain []byte) (_ *PeerIdentity, err error)

DecodePeerIdentity Decodes the bytes into complete identity chain.

func PeerIdentityFromChain 

func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)

PeerIdentityFromChain loads a PeerIdentity from an identity certificate chain.

func PeerIdentityFromContext 

func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)

PeerIdentityFromContext loads a PeerIdentity from a ctx TLS credentials.

func PeerIdentityFromPEM 

func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)

PeerIdentityFromPEM loads a PeerIdentity from a certificate chain and private key PEM-encoded bytes.

func PeerIdentityFromPeer 

func PeerIdentityFromPeer(peer *rpcpeer.Peer) (*PeerIdentity, error)

PeerIdentityFromPeer loads a PeerIdentity from a peer connection.

type SetupConfig 

type SetupConfig struct {
	CertPath  string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" path:"true"`
	KeyPath   string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" path:"true"`
	Overwrite bool   `help:"if true, existing identity certs AND keys will overwritten for" default:"false" setup:"true"`
	Version   string `help:"semantic version of identity storage format" default:"0"`
}

SetupConfig allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (SetupConfig) Create 

func (is SetupConfig) Create(ca *FullCertificateAuthority) (*FullIdentity, error)

Create generates and saves a CA using the config.

func (SetupConfig) FullConfig 

func (is SetupConfig) FullConfig() Config

FullConfig converts a `SetupConfig` to `Config`.

func (SetupConfig) Status 

func (is SetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the identity cert/key files for the config.

type TLSFilesStatus 

type TLSFilesStatus int

TLSFilesStatus is the status of keys.

func (TLSFilesStatus) String 

func (t TLSFilesStatus) String() string

Source Files

View all Source files

Directories

Path Synopsis
Package testidentity contains pregenerated identities for testing.
 Package testidentity contains pregenerated identities for testing.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.