auth

package
v0.0.0-...-26d6cb3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 18, 2019 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Overview

Package webpush provides helper functions for sending encrpyted payloads using the Web Push protocol.

Sending a message: 

import (
  "strings"
  "github.com/googlechrome/webpush/webpush"
)

func main() {
  // The values that make up the Subscription struct come from the browser
  sub := &webpush.Subscription{endpoint, key, auth}
  webpush.Send(nil, sub, "Yay! Web Push!", nil)
}

You can turn a JSON string representation of a PushSubscription object you collected from the browser into a Subscription struct with a helper function. 

var exampleJSON = []byte(`{"endpoint": "...", "keys": {"p256dh": "...", "auth": "..."}}`)
sub, err := SubscriptionFromJSON(exampleJSON)

If the push service requires an authentication header (notably Google Cloud Messaging, used by Chrome) then you can add that as a fourth parameter: 

if strings.Contains(sub.Endpoint, "https://android.googleapis.com/gcm/send/") {
  webpush.Send(nil, sub, "A message for Chrome", myGCMKey)
}

Index

Constants

View Source 
const SSH_ECPREFIX = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABB"

Base64-encoded prefix for SSH EC256 keys. Followed by the STD encoding of the B64 key 0 0 0 19 : 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 50 53 54 ; "ecdsa-sha2-nistp256" 0 0 0 8 : 110 105 115 116 112 50 53 54; "nistp256" 0 0 0 65 :

Variables

View Source 
var (
	Curve256 = elliptic.P256()
)
View Source 
var (
	//MESH_NETWORK = []byte{0x20, 0x01, 0x04, 0x70, 0x1f, 0x04, 4, 0x29}
	MESH_NETWORK = []byte{0xFD, 0x00, 0x00, 0x00, 0x00, 0x00, 0, 0x00}
)

Functions

func Decrypt 

func Decrypt(sub *Subscription, crypt *EncryptionResult, subPrivate []byte) (plain []byte, err error)

Decrypt an encrypted messages.

func KeyBytes 

func KeyBytes(key crypto.PublicKey) []byte

Convert a PublicKey to a marshalled format.

func ParseAuth 

func ParseAuth(auth string) (string, map[string]string, error)

ParseAuth splits the Authorization header, returning the scheme and parameters.

func Pub2ID 

func Pub2ID(pub []byte) uint64

Generate a 8-byte identifier from a public key

func Pub2NodeID 

func Pub2NodeID(pub []byte) []byte

Generate a 8-byte identifier from a public key

func Pub2VIP 

func Pub2VIP(pub []byte) net.IP

Convert a public key to a VIP. This is the primary ID of the nodes. Primary format is the 64-byte EC256 public key.

For RSA, the ASN.1 format of the byte[] is used. For ED, the 32-byte raw encoding.

func RawToPrivate 

func RawToPrivate(priv, pub []byte) (*ecdsa.PrivateKey, error)

Will initialize the privateKey from configuration (Pub, Priv must be set)

func SSH2Pub 

func SSH2Pub(authkey string) ([]byte, error)

func Verify 

func Verify(data []byte, pub []byte, sig []byte) error

Types

type Auth 

type Auth struct {
	// If set, will attempt to load the key and certs from storage, and save the generated ones.
	// Config is a simple interface for blob storage.
	Config ConfStore

	// Name and domain to include in the self-signed cert.
	Name   string
	Domain string

	// Primary VIP, Created from the Pub key, will be included in the self-signed cert.
	VIP6 net.IP
	// Same as VIP6, but as uint64
	VIP64 uint64

	// Primary public key of the node.
	// EC256: 65 bytes, uncompressed format
	// RSA: DER
	// ED25519: 32B
	Pub []byte

	// Private key to use in both server and client authentication. This is the base of the VIP of the node.
	// ED22519: 32B
	// EC256: 32
	// RSA: DER
	Priv []byte

	// Primary private keys.
	EC256PrivateKey *ecdsa.PrivateKey

	// Secondary private keys.
	RSAPrivate *rsa.PrivateKey
	EDPrivate  *ed25519.PrivateKey

	// List of authorized keys and roles, for minimal Authz.
	// Key is the string(marshalled_form). For example EC256 it's a byte[65]
	// Value is list of roles for the key.
	Authorized map[string]string

	// TODO: Root certificates to trust, keyed by domain.
	Roots map[string]*Root
	// contains filtered or unexported fields
}

Support for ID and authn using certificates.

1. load or generate a 'primary' key pair. 2. load or generate a self signed certificates. Save if generated. 3. use the cert to sign, verify signed messages 4. basic authorization using a ssh-style config (to reuse authorized_keys info), with role extensions

The same identity is used for both SSH and TLS.

Currently the 'primary' key is EC256 - mainly for Webpush integration and to simplify the code.

TODO: add rsa - mainly for Istio and dropbear TODO: add ed for IoT/arduino TODO: root CA support - if the node is a VPN master, sign keys for members.

SSH config is broadly used and convenient for interop with ssh servers/clients ( and to not invent a new thing ). Alternatives are more complex.

func NewAuth 

func NewAuth(cfg ConfStore, name, domain string) *Auth

Initialize the certificates, loading or generating them. If cfg is nil, will generate certs but not save.

func (*Auth) AddAuthorized 

func (certs *Auth) AddAuthorized(key interface{}, role string)

Add or update an identity (key) with a set of permissions (roles). This is extending the SSH, by using the comment field as a list of roles, starting with the user identity.

func (*Auth) Auth 

func (c *Auth) Auth(key []byte, role string) string

Check if an identity is authorized for the role. The key is in the marshalled format - use KeyBytes to convert a crypto.PublicKey.

func (*Auth) GenerateDirectCert 

func (c *Auth) GenerateDirectCert(pub crypto.PublicKey, hours time.Duration, name []string, urls []*url.URL, ips []net.IP) []byte

Sign certificates for children.

func (*Auth) GenerateTLSConfigClient 

func (c *Auth) GenerateTLSConfigClient() *tls.Config

Generate a config to be used in a HTTP client, using the primary identity and cert.

func (*Auth) GenerateTLSConfigServer 

func (c *Auth) GenerateTLSConfigServer() *tls.Config

From a key pair, generate a tls config with cert. Used for Auth and Client servers.

func (*Auth) GetCerts 

func (h2 *Auth) GetCerts() map[string]*tls.Certificate

Get all known certificates from the config store. "istio" is a special name, set if istio certs are found

func (*Auth) GetRoots 

func (h2 *Auth) GetRoots() *x509.CertPool

SSH equivalent: ssh-keygen -f server_ca -t ecdsa ssh-keygen -s server_ca -I keyid -n username -V +52w key.pub Also host keys (-h -n foo.com)

func (*Auth) NodeID 

func (c *Auth) NodeID() []byte

func (*Auth) NodeIDUInt 

func (c *Auth) NodeIDUInt() uint64

func (*Auth) PublicKey 

func (c *Auth) PublicKey() crypto.PublicKey

func (*Auth) Sign 

func (c *Auth) Sign(data []byte, sig []byte)

type ConfStore 

type ConfStore interface {
	Get(name string) ([]byte, error)

	// keys used: ec-key.pem ec-cert.pem id_ecdsa.pub authorized_keys.save
	Set(conf string, data []byte) error
}

ConfStore abstracts config and secret storage.

type EncryptionResult 

type EncryptionResult struct {
	Ciphertext      []byte
	Salt            []byte
	ServerPublicKey []byte
}

EncryptionResult stores the result of encrypting a message. The ciphertext is the actual encrypted message, while the salt and server public key are required to be sent to the client so that the message can be decrypted.

func Encrypt 

func Encrypt(sub *Subscription, message string) (*EncryptionResult, error)

Encrypt a message such that it can be sent using the Web Push protocol. You can find out more about the various pieces:

func EncryptWithTempKey 

func EncryptWithTempKey(sub *Subscription, plaintext []byte,
	serverPrivateKey, serverPublicKey []byte) (*EncryptionResult, error)

Encrypt a message using Web Push protocol, reusing the temp key. A new salt will be used. This is ~20% faster.

type Root 

type Root struct {
	// contains filtered or unexported fields
}

type Subscription 

type Subscription struct {
	// Endpoint is the URL to send the Web Push message to. Comes from the
	// endpoint field of the PushSubscription.
	Endpoint string
	// Key is the client's public key. From the keys.p256dh field.
	Key []byte
	// Auth is a value used by the client to validate the encryption. From the
	// keys.auth field.
	Auth []byte

	// Used by the UA to receive messages, as PUSH promises
	Location string
}

Subscription holds the useful values from a PushSubscription object acquired from the browser

func SubscriptionFromJSON 

func SubscriptionFromJSON(b []byte) (*Subscription, error)

SubscriptionFromJSON is a convenience function that takes a JSON encoded PushSubscription object acquired from the browser and returns a pointer to a Subscription

type Vapid 

type Vapid struct {
	// The EC256 public key, base64 urlsafe, uncompressed. This value should be
	// used in 'subscribe' requests and is included as p256ecdsa in
	// the Crypto-Key header.
	PublicKey string

	// Sub should be an email or URL, for identification
	Sub string
	// contains filtered or unexported fields
}

Vapid represents a sender identity.

func NewVapid 

func NewVapid(publicKey, privateKey string) (v *Vapid)

NewVapid constructs a new Vapid generator from EC256 public and private keys, in uncompressed format.

func (*Vapid) Authorization 

func (vapid *Vapid) Authorization(aud string) string

func (*Vapid) Token 

func (vapid *Vapid) Token(aud string) (res string)

Token creates a token with the specified endpoint, using configured Sub id and a default expiration (1h).

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.