Documentation
¶
Index ¶
- Constants
- Variables
- func Conf(cs ConfStore, name, def string) string
- func ConfInt(cs ConfStore, name string, def int) int
- func ContextWithAuth(ctx context.Context, h2c *ReqContext) context.Context
- func KeyBytes(key crypto.PublicKey) []byte
- func ParseKey(key []byte) (*rsa.PrivateKey, error)
- func Pub2ID(pub []byte) uint64
- func Pub2NodeID(pub []byte) []byte
- func Pub2VIP(pub []byte) net.IP
- func RawToPrivate(priv, pub []byte) (*ecdsa.PrivateKey, error)
- func SSH2Pub(authkey string) ([]byte, error)
- func Verify(data []byte, pub []byte, sig []byte) error
- type Auth
- func (auth *Auth) AddAuthorized(key interface{}, role string)
- func (auth *Auth) Auth(key []byte, role string) string
- func (auth *Auth) Dump()
- func (auth *Auth) DumpKnown()
- func (auth *Auth) GenerateDirectCert(pub crypto.PublicKey, hours time.Duration, name []string, urls []*url.URL, ...) []byte
- func (auth *Auth) GenerateTLSConfigClient() *tls.Config
- func (auth *Auth) GenerateTLSConfigServer() *tls.Config
- func (auth *Auth) GetCerts() map[string]*tls.Certificate
- func (auth *Auth) GetRoots() *x509.CertPool
- func (auth *Auth) NodeID() []byte
- func (auth *Auth) NodeIDUInt() uint64
- func (auth *Auth) PublicKey() crypto.PublicKey
- func (a *Auth) Self() string
- func (auth *Auth) Sign(data []byte, sig []byte)
- type AuthzInfo
- type ConfStore
- type ReqContext
- type Subscription
Constants ¶
const SSH_ECPREFIX = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABB"
Base64-encoded prefix for SSH EC256 keys. Followed by the STD encoding of the B64 key 0 0 0 19 : 101 99 100 115 97 45 115 104 97 50 45 110 105 115 116 112 50 53 54 ; "ecdsa-sha2-nistp256" 0 0 0 8 : 110 105 115 116 112 50 53 54; "nistp256" 0 0 0 65 :
Variables ¶
var (
Curve256 = elliptic.P256()
)
var ( //MESH_NETWORK = []byte{0x20, 0x01, 0x04, 0x70, 0x1f, 0x04, 4, 0x29} MESH_NETWORK = []byte{0xFD, 0x00, 0x00, 0x00, 0x00, 0x00, 0, 0x00} )
Functions ¶
func ContextWithAuth ¶
func ContextWithAuth(ctx context.Context, h2c *ReqContext) context.Context
func ParseKey ¶
func ParseKey(key []byte) (*rsa.PrivateKey, error)
ParseKey converts the binary contents of a private key file to an *rsa.PrivateKey. It detects whether the private key is in a PEM container or not. If so, it extracts the the private key from PEM container before conversion. It only supports PEM containers with no passphrase.
func Pub2VIP ¶
Convert a public key to a VIP. This is the primary ID of the nodes. Primary format is the 64-byte EC256 public key.
For RSA, the ASN.1 format of the byte[] is used. For ED, the 32-byte raw encoding.
func RawToPrivate ¶
func RawToPrivate(priv, pub []byte) (*ecdsa.PrivateKey, error)
Will initialize the privateKey from configuration (Pub, Priv must be set)
Types ¶
type Auth ¶
type Auth struct {
// If set, will attempt to load the key and certs from storage, and save the generated ones.
// Config is a simple interface for blob storage.
Config ConfStore
// Name and domain to include in the self-signed cert.
Name string
// Identifies the domain of the node.
// Added to the 'sub' field in Vapid messages. Can be an email or domain.
Domain string
// Primary VIP, Created from the Pub key, will be included in the self-signed cert.
VIP6 net.IP
// Same as VIP6, but as uint64
VIP64 uint64
// Primary public key of the node.
// EC256: 65 bytes, uncompressed format
// RSA: DER
// ED25519: 32B
Pub []byte
// base64URL encoding of the primary public key.
// Will be added to Crypto-Keys p256ecdsa header field.
PubKey string
// Private key to use in both server and client authentication. This is the base of the VIP of the node.
// ED22519: 32B
// EC256: 32
// RSA: DER
Priv []byte
// Primary private keys. This is a long-lived key, used as SSH server
// key.
EC256PrivateKey *ecdsa.PrivateKey
// Secondary private keys.
RSAPrivate *rsa.PrivateKey
EDPrivate *ed25519.PrivateKey
// List of authorized keys and roles, for minimal Authz.
// Key is the string(marshalled_form). For example EC256 it's a byte[65]
// Value is list of roles for the key.
Authorized map[string]string
Known map[string]*AuthzInfo
Authz map[string]*AuthzInfo
AuthzByID map[uint64]*AuthzInfo
// contains filtered or unexported fields
}
Support for ID and authn using certificates.
1. load or generate a 'primary' key pair. 2. load or generate a self signed certificates. Save if generated. 3. use the cert to sign, verify signed messages 4. basic authorization using a ssh-style config (to reuse authorized_keys info), with role extensions
The same identity is used for both SSH and TLS.
Currently the 'primary' key is EC256 - mainly for Webpush integration and to simplify the code.
TODO: add rsa - mainly for Istio and dropbear TODO: add ed for IoT/arduino TODO: root CA support - if the node is a VPN master, sign keys for members.
SSH config is broadly used and convenient for interop with ssh servers/clients ( and to not invent a new thing ). Alternatives are more complex.
func NewAuth ¶
Initialize the certificates, loading or generating them. If cfg is nil, will generate certs but not save.
func NewVapid ¶
NewVapid constructs a new Vapid generator from EC256 public and private keys, in base64 uncompressed format.
func (*Auth) AddAuthorized ¶
Add or update an identity (key) with a set of permissions (roles). This is extending the SSH, by using the comment field as a list of roles, starting with the user identity.
func (*Auth) Auth ¶
Check if an identity is authorized for the role. The key is in the marshalled format - use KeyBytes to convert a crypto.PublicKey.
func (*Auth) GenerateDirectCert ¶
func (auth *Auth) GenerateDirectCert(pub crypto.PublicKey, hours time.Duration, name []string, urls []*url.URL, ips []net.IP) []byte
Sign certificates for children.
func (*Auth) GenerateTLSConfigClient ¶
Generate a config to be used in a HTTP client, using the primary identity and cert.
func (*Auth) GenerateTLSConfigServer ¶
From a key pair, generate a tls config with cert. Used for Auth and Client servers.
func (*Auth) GetCerts ¶
func (auth *Auth) GetCerts() map[string]*tls.Certificate
Get all known certificates from the config store. "istio" is a special name, set if istio certs are found
func (*Auth) GetRoots ¶
SSH equivalent: ssh-keygen -f server_ca -t ecdsa ssh-keygen -s server_ca -I keyid -n username -V +52w key.pub Also host keys (-h -n foo.com)
func (*Auth) NodeIDUInt ¶
type AuthzInfo ¶
type AuthzInfo struct {
// Role - stored as comment of the SSH authz keys
Role string
Public []byte
Opts map[string]string
// key.(*ecdsa.PublicKey)
// key.(*rsa.PublicKey)
// key.(ed25519.PublicKey)
Key crypto.PublicKey
}
WIP: more info about authorized
type ReqContext ¶
type ReqContext struct {
// Auth role - set if a authorized_keys or other authz is configured
Role string
// SAN list from the certificate, or equivalent auth method.
SAN []string
// Request start time
T0 time.Time
// Public key of the first cert in the chain (similar with SSH)
Pub []byte
// VIP associated with the public key.
VIP net.IP
VAPID *auth.JWT
}
ReqContext is a context associated with a request. Typically for H2:
h2ctx := r.Context().Value(mesh.H2Info).(*mesh.ReqContext)
func AuthContext ¶
func AuthContext(ctx context.Context) *ReqContext
func (*ReqContext) ID ¶
func (rc *ReqContext) ID() string
ID of the caller, validated based on certs. Currently based on VIP6 for mesh nods.
type Subscription ¶
type Subscription struct {
// Endpoint is the URL to send the Web Push message to. Comes from the
// endpoint field of the PushSubscription.
Endpoint string
// Key is the client's public key. From the getKey("p256dh") or keys.p256dh field.
Key []byte
// Auth is a value used by the client to validate the encryption. From the
// keys.auth field.
// The encrypted aes128gcm will have 16 bytes authentication tag derived from this.
// This is the pre-shared authentication secret.
Auth []byte
// Used by the UA to receive messages, as PUSH promises
Location string
}
Subscription holds the useful values from a PushSubscription object acquired from the browser.
https://w3c.github.io/push-api/
Returned as result of /subscribe
Source Files