package types

v0.2.10 (not the latest version of this module)
Published: Feb 6, 2024 License: MPL-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	KEYTYPE_name = map[int32]string{
		0: "UNSPECIFIED",
		1: "ED25519",
		2: "X25519",
	}
	KEYTYPE_value = map[string]int32{
		"UNSPECIFIED": 0,
		"ED25519":     1,
		"X25519":      2,
	}
)

Enum value maps for KEYTYPE.

var File_types_github_com_hashicorp_nodeenrollment_types_v1_proto protoreflect.FileDescriptor

Functions

func ValidateMessage

func ValidateMessage(msg proto.Message) error

ValidateMessage contains some common checks that can be used to ensure that the message is valid before further processing:

* It's not nil
* It's a known type

func X25519EncryptionKey

func X25519EncryptionKey(privKey []byte, privKeyType KEYTYPE, pubKey []byte, pubKeyType KEYTYPE) ([]byte, error)

X25519EncryptionKey takes in public and private keys and performs the X25519 operation on them.

NOTE: This function is tested by tests on the individual implementations in NodeCredentials and NodeInformation, which also perform nil checks, and which are a thin wrapper around this.

Types

type CertificateBundle

type CertificateBundle struct {
	CertificateDer       []byte                 `protobuf:"bytes,1,opt,name=certificate_der,proto3" json:"certificate_der,omitempty"`
	CaCertificateDer     []byte                 `protobuf:"bytes,2,opt,name=ca_certificate_der,proto3" json:"ca_certificate_der,omitempty"`
	CertificateNotBefore *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=certificate_not_before,proto3" json:"certificate_not_before,omitempty"`
	CertificateNotAfter  *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=certificate_not_after,proto3" json:"certificate_not_after,omitempty"`
	// contains filtered or unexported fields
}

CertificateBundle contains information about a certificate and its issuing certificate.

func (*CertificateBundle) Descriptor deprecated

func (*CertificateBundle) Descriptor() ([]byte, []int)

Deprecated: Use CertificateBundle.ProtoReflect.Descriptor instead.

func (*CertificateBundle) GetCaCertificateDer

func (x *CertificateBundle) GetCaCertificateDer() []byte

func (*CertificateBundle) GetCertificateDer

func (x *CertificateBundle) GetCertificateDer() []byte

func (*CertificateBundle) GetCertificateNotAfter

func (x *CertificateBundle) GetCertificateNotAfter() *timestamppb.Timestamp

func (*CertificateBundle) GetCertificateNotBefore

func (x *CertificateBundle) GetCertificateNotBefore() *timestamppb.Timestamp

func (*CertificateBundle) ProtoMessage

func (*CertificateBundle) ProtoMessage()

func (*CertificateBundle) ProtoReflect

func (x *CertificateBundle) ProtoReflect() protoreflect.Message

func (*CertificateBundle) Reset

func (x *CertificateBundle) Reset()

func (*CertificateBundle) String

func (x *CertificateBundle) String() string

type DuplicateRecordError added in v0.2.5

type DuplicateRecordError struct {
}

func (DuplicateRecordError) Error added in v0.2.5

func (d DuplicateRecordError) Error() string

type EncryptionKey added in v0.1.17

type EncryptionKey struct {
	KeyId           string  `protobuf:"bytes,1,opt,name=key_id,proto3" json:"key_id,omitempty"`
	PrivateKeyPkcs8 []byte  `protobuf:"bytes,2,opt,name=private_key_pkcs8,proto3" json:"private_key_pkcs8,omitempty"`
	PrivateKeyType  KEYTYPE `` /* 144-byte string literal not displayed */
	PublicKeyPkix   []byte  `protobuf:"bytes,4,opt,name=public_key_pkix,proto3" json:"public_key_pkix,omitempty"`
	PublicKeyType   KEYTYPE `` /* 142-byte string literal not displayed */
	// contains filtered or unexported fields
}

EncryptionKey contains the key information necessary to generate a shared key. NodeInformation and NodeCredentials store their previous encryption key using this message type.

func (*EncryptionKey) Descriptor deprecated added in v0.1.17

func (*EncryptionKey) Descriptor() ([]byte, []int)

Deprecated: Use EncryptionKey.ProtoReflect.Descriptor instead.

func (*EncryptionKey) GetKeyId added in v0.1.17

func (x *EncryptionKey) GetKeyId() string

func (*EncryptionKey) GetPrivateKeyPkcs8 added in v0.1.17

func (x *EncryptionKey) GetPrivateKeyPkcs8() []byte

func (*EncryptionKey) GetPrivateKeyType added in v0.1.17

func (x *EncryptionKey) GetPrivateKeyType() KEYTYPE

func (*EncryptionKey) GetPublicKeyPkix added in v0.1.17

func (x *EncryptionKey) GetPublicKeyPkix() []byte

func (*EncryptionKey) GetPublicKeyType added in v0.1.17

func (x *EncryptionKey) GetPublicKeyType() KEYTYPE

func (*EncryptionKey) ProtoMessage added in v0.1.17

func (*EncryptionKey) ProtoMessage()

func (*EncryptionKey) ProtoReflect added in v0.1.17

func (x *EncryptionKey) ProtoReflect() protoreflect.Message

func (*EncryptionKey) Reset added in v0.1.17

func (x *EncryptionKey) Reset()

func (*EncryptionKey) String added in v0.1.17

func (x *EncryptionKey) String() string

type FetchNodeCredentialsInfo

type FetchNodeCredentialsInfo struct {
	Id                       string  `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // Key id derived from pkix public key
	CertificatePublicKeyPkix []byte  `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	CertificatePublicKeyType KEYTYPE `` /* 166-byte string literal not displayed */
	EncryptionPublicKeyBytes []byte  `protobuf:"bytes,10,opt,name=encryption_public_key_bytes,proto3" json:"encryption_public_key_bytes,omitempty"`
	EncryptionPublicKeyType  KEYTYPE `` /* 165-byte string literal not displayed */
	Nonce                    []byte  `protobuf:"bytes,20,opt,name=nonce,proto3" json:"nonce,omitempty"`
	// If provided, a wrapped (encrypted) registration bundle that can be used for
	// just-in-time authorization
	WrappedRegistrationInfo []byte `protobuf:"bytes,21,opt,name=wrapped_registration_info,proto3" json:"wrapped_registration_info,omitempty"`
	// This will be populated with decrypted values if the above field is populated
	WrappingRegistrationFlowInfo *WrappingRegistrationFlowInfo `protobuf:"bytes,22,opt,name=wrapping_registration_flow_info,proto3" json:"wrapping_registration_flow_info,omitempty"`
	NotBefore                    *timestamppb.Timestamp        `protobuf:"bytes,7,opt,name=not_before,proto3" json:"not_before,omitempty"`
	NotAfter                     *timestamppb.Timestamp        `protobuf:"bytes,8,opt,name=not_after,proto3" json:"not_after,omitempty"`
	// contains filtered or unexported fields
}

FetchNodeCredentialsInfo contains the values bundled and signed into a FetchNodeCredentialsRequest. These values contain the ID (for identification, although the server should always re-derive this itself), the claimed certificate public key (which is also used to sign these values), and the public encryption key, as well as the registration nonce.

Because the signature from the certificate public key is across both itself and the encryption key, if the key ID is authorized, then after verification of the signature we can trust the public encryption key too, which is an important property for preventing MITM/replay scenarios.

func (*FetchNodeCredentialsInfo) Descriptor deprecated

func (*FetchNodeCredentialsInfo) Descriptor() ([]byte, []int)

Deprecated: Use FetchNodeCredentialsInfo.ProtoReflect.Descriptor instead.

func (*FetchNodeCredentialsInfo) GetCertificatePublicKeyPkix

func (x *FetchNodeCredentialsInfo) GetCertificatePublicKeyPkix() []byte

func (*FetchNodeCredentialsInfo) GetCertificatePublicKeyType

func (x *FetchNodeCredentialsInfo) GetCertificatePublicKeyType() KEYTYPE

func (*FetchNodeCredentialsInfo) GetEncryptionPublicKeyBytes

func (x *FetchNodeCredentialsInfo) GetEncryptionPublicKeyBytes() []byte

func (*FetchNodeCredentialsInfo) GetEncryptionPublicKeyType

func (x *FetchNodeCredentialsInfo) GetEncryptionPublicKeyType() KEYTYPE

func (*FetchNodeCredentialsInfo) GetId

func (x *FetchNodeCredentialsInfo) GetId() string

func (*FetchNodeCredentialsInfo) GetNonce

func (x *FetchNodeCredentialsInfo) GetNonce() []byte

func (*FetchNodeCredentialsInfo) GetNotAfter

func (x *FetchNodeCredentialsInfo) GetNotAfter() *timestamppb.Timestamp

func (*FetchNodeCredentialsInfo) GetNotBefore

func (x *FetchNodeCredentialsInfo) GetNotBefore() *timestamppb.Timestamp

func (*FetchNodeCredentialsInfo) GetWrappedRegistrationInfo added in v0.2.0

func (x *FetchNodeCredentialsInfo) GetWrappedRegistrationInfo() []byte

func (*FetchNodeCredentialsInfo) GetWrappingRegistrationFlowInfo added in v0.2.0

func (x *FetchNodeCredentialsInfo) GetWrappingRegistrationFlowInfo() *WrappingRegistrationFlowInfo

func (*FetchNodeCredentialsInfo) ProtoMessage

func (*FetchNodeCredentialsInfo) ProtoMessage()

func (*FetchNodeCredentialsInfo) ProtoReflect

func (x *FetchNodeCredentialsInfo) ProtoReflect() protoreflect.Message

func (*FetchNodeCredentialsInfo) Reset

func (x *FetchNodeCredentialsInfo) Reset()

func (*FetchNodeCredentialsInfo) String

func (x *FetchNodeCredentialsInfo) String() string

type FetchNodeCredentialsRequest

type FetchNodeCredentialsRequest struct {
	Bundle          []byte `protobuf:"bytes,28,opt,name=bundle,proto3" json:"bundle,omitempty"`
	BundleSignature []byte `protobuf:"bytes,29,opt,name=bundle_signature,proto3" json:"bundle_signature,omitempty"`
	// If an intermediate node is decrypting the wrapped registration info with a
	// wrapper not available on the server, it can't cache the decrypted value in
	// the original bundle because it's signed. In that case, it can cache the
	// value here and encrypt it to the server.
	RewrappedWrappingRegistrationFlowInfo []byte `` /* 136-byte string literal not displayed */
	RewrappingKeyId                       string `protobuf:"bytes,33,opt,name=rewrapping_key_id,proto3" json:"rewrapping_key_id,omitempty"`
	// contains filtered or unexported fields
}

FetchNodeCredentialsRequest contains the marshaled FetchNodeCredentialsInfo message and a signature made with the private key corresponding to the certificate public key contained within the marshaled bundle.
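The binding property described for FetchNodeCredentialsInfo and FetchNodeCredentialsRequest above, as an added example that is not part of this package: the node signs one bundle holding its certificate public key, its encryption public key and a nonce; the server verifies that signature with the key carried inside the bundle, re-derives the key ID from the PKIX bytes instead of trusting the claimed ID, and only then consults its authorization list. The fetchInfo struct, its JSON encoding and the keyIDFromPkix hash are stand-ins (assumptions for illustration) for the library's protobuf message and its KeyIdFromPkix function; the library itself is not imported so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// fetchInfo is a local stand-in for the signed part of FetchNodeCredentialsInfo
// (constructed for this example; JSON replaces the library's proto encoding).
type fetchInfo struct {
	ID                       string `json:"id"`
	CertificatePublicKeyPkix []byte `json:"certificate_public_key_pkix"`
	EncryptionPublicKeyBytes []byte `json:"encryption_public_key_bytes"`
	Nonce                    []byte `json:"nonce"`
}

// keyIDFromPkix is an assumed stand-in for the library's KeyIdFromPkix: hex of a
// SHA-256 over the PKIX bytes. What matters is that the server recomputes it.
func keyIDFromPkix(pkixBytes []byte) string {
	sum := sha256.Sum256(pkixBytes)
	return hex.EncodeToString(sum[:])
}

// nodeCreateRequest builds the bundle and signs it with the certificate private
// key, so one signature binds certificate key, encryption key and nonce together.
func nodeCreateRequest(certPriv ed25519.PrivateKey, encPub, nonce []byte) (bundle, sig []byte, err error) {
	pkixBytes, err := x509.MarshalPKIXPublicKey(certPriv.Public())
	if err != nil {
		return nil, nil, err
	}
	bundle, err = json.Marshal(fetchInfo{keyIDFromPkix(pkixBytes), pkixBytes, encPub, nonce})
	if err != nil {
		return nil, nil, err
	}
	return bundle, ed25519.Sign(certPriv, bundle), nil
}

// serverVerifyRequest checks the signature with the key carried in the bundle,
// re-derives the key ID from that key (the claimed ID is ignored) and only then
// consults the authorization list. On success the encryption key can be trusted.
func serverVerifyRequest(bundle, sig []byte, authorized map[string]bool) ([]byte, error) {
	var info fetchInfo
	if err := json.Unmarshal(bundle, &info); err != nil {
		return nil, err
	}
	pubAny, err := x509.ParsePKIXPublicKey(info.CertificatePublicKeyPkix)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, bundle, sig) {
		return nil, errors.New("bundle signature does not verify under the bundled Ed25519 key")
	}
	if id := keyIDFromPkix(info.CertificatePublicKeyPkix); !authorized[id] {
		return nil, fmt.Errorf("key id %s is not authorized", id)
	}
	return info.EncryptionPublicKeyBytes, nil
}

// runExchange performs one legitimate fetch, then presents the same signature over
// a bundle in which an on-path attacker swapped the encryption public key.
func runExchange() (legitOK, tamperRejected bool, err error) {
	_, certPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	encPub := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for the node's X25519 key
	nonce := bytes.Repeat([]byte{0x01}, 32)  // constructed; a real node draws it from crypto/rand
	bundle, sig, err := nodeCreateRequest(certPriv, encPub, nonce)
	if err != nil {
		return false, false, err
	}
	// The operator authorizes the node's key ID out of band, e.g. from the node's own log.
	pkixBytes, _ := x509.MarshalPKIXPublicKey(certPriv.Public())
	authorized := map[string]bool{keyIDFromPkix(pkixBytes): true}
	got, err := serverVerifyRequest(bundle, sig, authorized)
	if err != nil {
		return false, false, err
	}
	// The attacker can rebuild the bundle around its own key but cannot re-sign it.
	evil, _, err := nodeCreateRequest(certPriv, bytes.Repeat([]byte{0x99}, 32), nonce)
	if err != nil {
		return false, false, err
	}
	_, terr := serverVerifyRequest(evil, sig, authorized)
	return bytes.Equal(got, encPub), terr != nil, nil
}

func main() {
	ok, rejected, err := runExchange()
	fmt.Println("legitimate accepted:", ok, "tampered rejected:", rejected, "err:", err)
}
```

Because the signature covers the whole marshaled bundle, replacing EncryptionPublicKeyBytes (or the nonce) invalidates it, which is why the server may trust the encryption key once the signature checks out under an authorized key ID. Note the order in serverVerifyRequest: the authorization lookup uses the re-derived ID only, so a bundle claiming an authorized ID while carrying a different key gains nothing.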

func (*FetchNodeCredentialsRequest) Descriptor deprecated

func (*FetchNodeCredentialsRequest) Descriptor() ([]byte, []int)

Deprecated: Use FetchNodeCredentialsRequest.ProtoReflect.Descriptor instead.

func (*FetchNodeCredentialsRequest) GetBundle

func (x *FetchNodeCredentialsRequest) GetBundle() []byte

func (*FetchNodeCredentialsRequest) GetBundleSignature

func (x *FetchNodeCredentialsRequest) GetBundleSignature() []byte

func (*FetchNodeCredentialsRequest) GetRewrappedWrappingRegistrationFlowInfo added in v0.2.0

func (x *FetchNodeCredentialsRequest) GetRewrappedWrappingRegistrationFlowInfo() []byte

func (*FetchNodeCredentialsRequest) GetRewrappingKeyId added in v0.2.0

func (x *FetchNodeCredentialsRequest) GetRewrappingKeyId() string

func (*FetchNodeCredentialsRequest) ProtoMessage

func (*FetchNodeCredentialsRequest) ProtoMessage()

func (*FetchNodeCredentialsRequest) ProtoReflect

func (x *FetchNodeCredentialsRequest) ProtoReflect() protoreflect.Message

func (*FetchNodeCredentialsRequest) Reset

func (x *FetchNodeCredentialsRequest) Reset()

func (*FetchNodeCredentialsRequest) String

func (x *FetchNodeCredentialsRequest) String() string

type FetchNodeCredentialsResponse

type FetchNodeCredentialsResponse struct {
	ServerEncryptionPublicKeyBytes    []byte  `` /* 155-byte string literal not displayed */
	ServerEncryptionPublicKeyType     KEYTYPE `` /* 211-byte string literal not displayed */
	EncryptedNodeCredentials          []byte  `protobuf:"bytes,40,opt,name=encrypted_node_credentials,proto3" json:"encrypted_node_credentials,omitempty"`
	EncryptedNodeCredentialsSignature []byte  `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}

FetchNodeCredentialsResponse contains a response to a fetch request. If the node is not authorized, no credentials are returned. If it is authorized, the encrypted node credentials contain a marshaled NodeCredentials struct with certificates and other server-provided information; the encryption key is derived from a DH operation on the node's submitted public key and the server's private key corresponding to the returned server public encryption key.

The encrypted node credentials are signed with the current root certificate key. Verifying this signature is an optional step for the node: it can do so if it has pre-distributed CA certificates. This mostly guards against an operator failing to actually validate the key ID they are authorizing.
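The response path above, together with the X25519EncryptionKey function documented earlier on this page, as an added example that is not part of this package: the server derives a key from its private X25519 key and the node's submitted public key, encrypts the marshaled credentials, and signs the ciphertext with the root key; the node checks that signature against a pre-distributed root public key, derives the same key from its own private key and the server's public key, and decrypts. The key-type check mirrors the shape of X25519EncryptionKey; the SHA-256 derivation of the symmetric key and the AES-256-GCM cipher are this example's choices (the page does not state how the library turns the DH output into an encryption key), and the keyType constants mirror the KEYTYPE enum values listed on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyType mirrors the page's KEYTYPE enum (UNSPECIFIED = 0 left implicit).
type keyType int32
const keyTypeEd25519, keyTypeX25519 keyType = 1, 2

// x25519SharedKey has the shape of X25519EncryptionKey: both types must be X25519 (an Ed25519 key is
// the wrong form for ECDH); the DH output is hashed to a 32-byte key (SHA-256 is this example's choice).
func x25519SharedKey(priv []byte, privType keyType, pub []byte, pubType keyType) ([]byte, error) {
	if privType != keyTypeX25519 || pubType != keyTypeX25519 {
		return nil, fmt.Errorf("key types %d/%d: both must be X25519", privType, pubType)
	}
	p, err := ecdh.X25519().NewPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	q, err := ecdh.X25519().NewPublicKey(pub)
	if err != nil {
		return nil, err
	}
	shared, err := p.ECDH(q) // rejects low-order points that would give an all-zero secret
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// aeadFor derives the shared key and wraps it in AES-256-GCM (this example's cipher).
func aeadFor(ownPriv, peerPub []byte) (cipher.AEAD, error) {
	key, err := x25519SharedKey(ownPriv, keyTypeX25519, peerPub, keyTypeX25519)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredentials is the server side of FetchNodeCredentialsResponse: encrypt the marshaled
// credentials under the DH key (nonce prefixed), then sign the ciphertext with the root key.
func sealCredentials(serverEncPriv, nodeEncPub []byte, rootPriv ed25519.PrivateKey, creds []byte) (ct, sig []byte, err error) {
	aead, err := aeadFor(serverEncPriv, nodeEncPub)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct = aead.Seal(nonce, nonce, creds, nil)
	return ct, ed25519.Sign(rootPriv, ct), nil
}

// openCredentials is the node side: with a pre-distributed CA key, check the root signature before
// touching the ciphertext (nil rootPub skips that optional step), then derive the same key and decrypt.
func openCredentials(nodeEncPriv, serverEncPub []byte, rootPub ed25519.PublicKey, ct, sig []byte) ([]byte, error) {
	if rootPub != nil && !ed25519.Verify(rootPub, ct, sig) {
		return nil, errors.New("encrypted credentials not signed by the expected root key")
	}
	aead, err := aeadFor(nodeEncPriv, serverEncPub)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(ct) >= ns {
		return aead.Open(nil, ct[:ns], ct[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// roundTrip runs one exchange with fresh keys (generation errors dropped for brevity); returns the node's plaintext.
func roundTrip(creds []byte) ([]byte, error) {
	node, _ := ecdh.X25519().GenerateKey(rand.Reader)
	server, _ := ecdh.X25519().GenerateKey(rand.Reader)
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	ct, sig, err := sealCredentials(server.Bytes(), node.PublicKey().Bytes(), rootPriv, creds)
	if err != nil {
		return nil, err
	}
	return openCredentials(node.Bytes(), server.PublicKey().Bytes(), rootPub, ct, sig)
}

func main() {
	plain, err := roundTrip([]byte("marshaled NodeCredentials (constructed)"))
	fmt.Printf("%s %v\n", plain, err)
}
```

Both sides call aeadFor with their own private key and the peer's public key, which is the symmetry that lets the node decrypt what the server sealed. Checking the root signature before decrypting means a response from a server whose root key the node does not recognize is discarded without ever deriving a key from it; a node without pre-distributed CA material passes a nil rootPub and falls back to trusting the operator's key-ID authorization alone, which is exactly the weaker guarantee the page describes.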

func (*FetchNodeCredentialsResponse) Descriptor deprecated

func (*FetchNodeCredentialsResponse) Descriptor() ([]byte, []int)

Deprecated: Use FetchNodeCredentialsResponse.ProtoReflect.Descriptor instead.

func (*FetchNodeCredentialsResponse) GetEncryptedNodeCredentials

func (x *FetchNodeCredentialsResponse) GetEncryptedNodeCredentials() []byte

func (*FetchNodeCredentialsResponse) GetEncryptedNodeCredentialsSignature

func (x *FetchNodeCredentialsResponse) GetEncryptedNodeCredentialsSignature() []byte

func (*FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyBytes

func (x *FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyBytes() []byte

func (*FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyType

func (x *FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyType() KEYTYPE

func (*FetchNodeCredentialsResponse) ProtoMessage

func (*FetchNodeCredentialsResponse) ProtoMessage()

func (*FetchNodeCredentialsResponse) ProtoReflect

func (x *FetchNodeCredentialsResponse) ProtoReflect() protoreflect.Message

func (*FetchNodeCredentialsResponse) Reset

func (x *FetchNodeCredentialsResponse) Reset()

func (*FetchNodeCredentialsResponse) String

func (x *FetchNodeCredentialsResponse) String() string

type GenerateServerCertificatesRequest

type GenerateServerCertificatesRequest struct {
	CertificatePublicKeyPkix []byte `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	Nonce                    []byte `protobuf:"bytes,20,opt,name=nonce,proto3" json:"nonce,omitempty"`
	NonceSignature           []byte `protobuf:"bytes,21,opt,name=nonce_signature,proto3" json:"nonce_signature,omitempty"`
	CommonName               string `protobuf:"bytes,24,opt,name=common_name,proto3" json:"common_name,omitempty"`
	SkipVerification         bool   `protobuf:"varint,25,opt,name=skip_verification,proto3" json:"skip_verification,omitempty"`
	// ClientState data comes from the client and will be returned in the
	// *protocol.Conn, if used. This must be a marshaled structpb.Struct.
	ClientState []byte `protobuf:"bytes,50,opt,name=client_state,proto3" json:"client_state,omitempty"`
	// ClientStateSignature, like with the nonce, is used to be able to trust the
	// data, once the public key has been validated
	ClientStateSignature []byte `protobuf:"bytes,51,opt,name=client_state_signature,proto3" json:"client_state_signature,omitempty"`
	// contains filtered or unexported fields
}

GenerateServerCertificatesRequest holds values necessary for the server to generate a server-side TLS certificate, either for itself or for a middle node in a multi-hop scenario. The nonce and signature are provided by the authenticating node, so that the server can validate the signature and ensure that the node is authorized, then embed the nonce in the returned certificate to authorize the upstream node (or server) to the authenticating node.

The common name and skip verification parameters would ideally be options to downstream functions, however, since multihop goes over gRPC (or could go over some other transport) the options cannot be carried in that way. If desired, in the future, an options message could be created and these (and any other) values aggregated there.
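The nonce exchange described above, as an added example that is not part of this package: the node draws a nonce and signs it with its certificate key; the server checks that the key is authorized and that the signature verifies, then issues a short-lived server-auth certificate with the nonce embedded; the node chains the certificate to its pre-distributed CA and refuses any certificate whose embedded nonce is not the one it just signed. Where the library actually places the nonce in the certificate is not stated on this page, so the private-arc extension OID used here is a hypothetical choice, as is the use of the nonce's first half as the serial number; the self-signed CA and all keys are generated on the spot.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// nonceOID is a hypothetical private-arc OID used here to carry the nonce inside
// the issued certificate; the page does not say where the library places it.
var nonceOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issueServerCert is the server/CA side of GenerateServerCertificatesRequest: the
// node's PKIX key must be authorized and must verify the nonce signature; then a
// short-lived server-auth certificate for serverPub is minted with the nonce embedded.
func issueServerCert(nodePkix, nonce, nonceSig []byte, cn string, authorized map[string]bool, ca *x509.Certificate, caPriv ed25519.PrivateKey, serverPub ed25519.PublicKey) ([]byte, error) {
	pubAny, err := x509.ParsePKIXPublicKey(nodePkix)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(ed25519.PublicKey)
	if !ok || !authorized[string(nodePkix)] || len(nonce) != 32 || !ed25519.Verify(pub, nonce, nonceSig) {
		return nil, errors.New("node key not authorized or nonce signature invalid")
	}
	tmpl := &x509.Certificate{
		SerialNumber:    new(big.Int).SetBytes(nonce[:16]), // random, because the nonce is
		Subject:         pkix.Name{CommonName: cn},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: nonceOID, Value: nonce}}, // non-critical
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, serverPub, caPriv)
}

// nodeVerifyServerCert chains the presented certificate to the pre-distributed CA,
// then requires the embedded nonce to be the one this node just signed; a valid
// certificate carrying another nonce is a replay from some other session.
func nodeVerifyServerCert(der []byte, roots *x509.CertPool, want []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(nonceOID) && bytes.Equal(ext.Value, want) {
			return nil
		}
	}
	return errors.New("certificate does not carry this session's nonce: replay or wrong issuer")
}

func must[T any](v T, err error) T { // demo driver only; the protocol code above returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// runFlow builds a throwaway self-signed CA, runs one genuine exchange, then
// replays the issued certificate against a second, unrelated nonce.
func runFlow() (genuine error, replayRejected bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // demo: key-generation errors dropped
	nodePub, nodePriv, _ := ed25519.GenerateKey(rand.Reader)
	serverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root (constructed)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Node side of the request: a fresh nonce and its signature under the node's certificate key.
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	nodePkix := must(x509.MarshalPKIXPublicKey(nodePub))
	authorized := map[string]bool{string(nodePkix): true} // the operator authorized this node's key
	der := must(issueServerCert(nodePkix, nonce, ed25519.Sign(nodePriv, nonce), "server.example (constructed)", authorized, ca, caPriv, serverPub))
	other := make([]byte, 32) // a later session's nonce; a cert issued for the first must not satisfy it
	must(rand.Read(other))
	return nodeVerifyServerCert(der, roots, nonce), nodeVerifyServerCert(der, roots, other) != nil
}

func main() {
	genuine, replayRejected := runFlow()
	fmt.Println("genuine accepted:", genuine == nil, "replay rejected:", replayRejected)
}
```

The chain check alone would accept any certificate the CA ever issued, including one captured from another node's session; the nonce comparison is what ties this certificate to this request. The same shape applies in the multi-hop case the text mentions, where the certificate is issued to an intermediate node: the authenticating node still verifies that the certificate it is shown carries the nonce it signed.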

func (*GenerateServerCertificatesRequest) Descriptor deprecated

func (*GenerateServerCertificatesRequest) Descriptor() ([]byte, []int)

Deprecated: Use GenerateServerCertificatesRequest.ProtoReflect.Descriptor instead.

func (*GenerateServerCertificatesRequest) GetCertificatePublicKeyPkix

func (x *GenerateServerCertificatesRequest) GetCertificatePublicKeyPkix() []byte

func (*GenerateServerCertificatesRequest) GetClientState added in v0.1.19

func (x *GenerateServerCertificatesRequest) GetClientState() []byte

func (*GenerateServerCertificatesRequest) GetClientStateSignature added in v0.1.19

func (x *GenerateServerCertificatesRequest) GetClientStateSignature() []byte

func (*GenerateServerCertificatesRequest) GetCommonName

func (x *GenerateServerCertificatesRequest) GetCommonName() string

func (*GenerateServerCertificatesRequest) GetNonce

func (x *GenerateServerCertificatesRequest) GetNonce() []byte

func (*GenerateServerCertificatesRequest) GetNonceSignature

func (x *GenerateServerCertificatesRequest) GetNonceSignature() []byte

func (*GenerateServerCertificatesRequest) GetSkipVerification

func (x *GenerateServerCertificatesRequest) GetSkipVerification() bool

func (*GenerateServerCertificatesRequest) ProtoMessage

func (*GenerateServerCertificatesRequest) ProtoMessage()

func (*GenerateServerCertificatesRequest) ProtoReflect

func (x *GenerateServerCertificatesRequest) ProtoReflect() protoreflect.Message

func (*GenerateServerCertificatesRequest) Reset

func (x *GenerateServerCertificatesRequest) Reset()

func (*GenerateServerCertificatesRequest) String

func (x *GenerateServerCertificatesRequest) String() string

type GenerateServerCertificatesResponse

type GenerateServerCertificatesResponse struct {
	CertificatePrivateKeyPkcs8 []byte               `protobuf:"bytes,4,opt,name=certificate_private_key_pkcs8,proto3" json:"certificate_private_key_pkcs8,omitempty"`
	CertificatePrivateKeyType  KEYTYPE              `` /* 168-byte string literal not displayed */
	CertificateBundles         []*CertificateBundle `protobuf:"bytes,6,rep,name=certificate_bundles,proto3" json:"certificate_bundles,omitempty"`
	// ClientState data is copied here from the request, if verified, and used to
	// populate the *protocol.Conn, if used
	ClientState *structpb.Struct `protobuf:"bytes,50,opt,name=client_state,proto3" json:"client_state,omitempty"`
	// contains filtered or unexported fields
}

GenerateServerCertificatesResponse contains values for a successful response to the request: a private key for the server (or intermediate node) to use along with the returned certificates.

func (*GenerateServerCertificatesResponse) Descriptor deprecated

func (*GenerateServerCertificatesResponse) Descriptor() ([]byte, []int)

Deprecated: Use GenerateServerCertificatesResponse.ProtoReflect.Descriptor instead.

func (*GenerateServerCertificatesResponse) GetCertificateBundles

func (x *GenerateServerCertificatesResponse) GetCertificateBundles() []*CertificateBundle

func (*GenerateServerCertificatesResponse) GetCertificatePrivateKeyPkcs8

func (x *GenerateServerCertificatesResponse) GetCertificatePrivateKeyPkcs8() []byte

func (*GenerateServerCertificatesResponse) GetCertificatePrivateKeyType

func (x *GenerateServerCertificatesResponse) GetCertificatePrivateKeyType() KEYTYPE

func (*GenerateServerCertificatesResponse) GetClientState added in v0.1.19

func (x *GenerateServerCertificatesResponse) GetClientState() *structpb.Struct

func (*GenerateServerCertificatesResponse) ProtoMessage

func (*GenerateServerCertificatesResponse) ProtoMessage()

func (*GenerateServerCertificatesResponse) ProtoReflect

func (x *GenerateServerCertificatesResponse) ProtoReflect() protoreflect.Message

func (*GenerateServerCertificatesResponse) Reset

func (x *GenerateServerCertificatesResponse) Reset()

func (*GenerateServerCertificatesResponse) String

func (x *GenerateServerCertificatesResponse) String() string

type KEYTYPE

type KEYTYPE int32

KEYTYPE is an enum holding known key types

const (
	KEYTYPE_UNSPECIFIED KEYTYPE = 0
	KEYTYPE_ED25519     KEYTYPE = 1
	KEYTYPE_X25519      KEYTYPE = 2
)

func (KEYTYPE) Descriptor

func (KEYTYPE) Descriptor() protoreflect.EnumDescriptor

func (KEYTYPE) Enum

func (x KEYTYPE) Enum() *KEYTYPE

func (KEYTYPE) EnumDescriptor deprecated

func (KEYTYPE) EnumDescriptor() ([]byte, []int)

Deprecated: Use KEYTYPE.Descriptor instead.

func (KEYTYPE) Number

func (x KEYTYPE) Number() protoreflect.EnumNumber

func (KEYTYPE) String

func (x KEYTYPE) String() string

func (KEYTYPE) Type

func (KEYTYPE) Type() protoreflect.EnumType

type NodeCredentials

type NodeCredentials struct {
	Id                             string               `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // "current" or "next"
	CertificatePublicKeyPkix       []byte               `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	CertificatePrivateKeyPkcs8     []byte               `protobuf:"bytes,4,opt,name=certificate_private_key_pkcs8,proto3" json:"certificate_private_key_pkcs8,omitempty"`
	CertificatePrivateKeyType      KEYTYPE              `` /* 168-byte string literal not displayed */
	CertificateBundles             []*CertificateBundle `protobuf:"bytes,6,rep,name=certificate_bundles,proto3" json:"certificate_bundles,omitempty"`
	EncryptionPrivateKeyBytes      []byte               `protobuf:"bytes,10,opt,name=encryption_private_key_bytes,proto3" json:"encryption_private_key_bytes,omitempty"`
	EncryptionPrivateKeyType       KEYTYPE              `` /* 167-byte string literal not displayed */
	ServerEncryptionPublicKeyBytes []byte               `protobuf:"bytes,12,opt,name=server_encryption_public_key_bytes,proto3" json:"server_encryption_public_key_bytes,omitempty"`
	ServerEncryptionPublicKeyType  KEYTYPE              `` /* 179-byte string literal not displayed */
	RegistrationNonce              []byte               `protobuf:"bytes,20,opt,name=registration_nonce,proto3" json:"registration_nonce,omitempty"`
	// If set, the key ID of the wrapping key used to encrypt the private keys
	WrappingKeyId string `protobuf:"bytes,30,opt,name=wrapping_key_id,proto3" json:"wrapping_key_id,omitempty"`
	// State is data that the implementor of a Store can use to round-trip data
	// through this library; as an example, a version number on the resource for
	// implementing transactions.
	State                 *structpb.Struct `protobuf:"bytes,50,opt,name=state,proto3" json:"state,omitempty"`
	PreviousEncryptionKey *EncryptionKey   `protobuf:"bytes,60,opt,name=previous_encryption_key,proto3" json:"previous_encryption_key,omitempty"`
	// contains filtered or unexported fields
}

NodeCredentials is the corresponding struct for NodeInformation on the node side, containing the values necessary for proving identity. At various points in registration/authorization flows this may have some or all fields filled in.

func LoadNodeCredentials

func LoadNodeCredentials(ctx context.Context, storage nodeenrollment.Storage, id nodeenrollment.KnownId, opt ...nodeenrollment.Option) (*NodeCredentials, error)

LoadNodeCredentials loads the node credentials from storage, unwrapping encrypted values if needed

Supported options: WithStorageWrapper

func NewNodeCredentials

func NewNodeCredentials(
	ctx context.Context,
	storage nodeenrollment.Storage,
	opt ...nodeenrollment.Option,
) (*NodeCredentials, error)

NewNodeCredentials creates a new node credentials object and populates it with suitable parameters for presenting for registration.

Once registration succeeds, the node credentials stored here can be used to decrypt the incoming bundle with the server's view of the node credentials, which can then be merged; this happens in a different function.

Supported options: WithRandomReader, WithStorageWrapper (passed through to NodeCredentials.Store), WithSkipStorage, WithActivationToken

func (*NodeCredentials) CreateFetchNodeCredentialsRequest

func (n *NodeCredentials) CreateFetchNodeCredentialsRequest(
	ctx context.Context,
	opt ...nodeenrollment.Option,
) (*FetchNodeCredentialsRequest, error)

CreateFetchNodeCredentialsRequest creates and returns a fetch request based on the current node creds

Supported options: WithRandomReader, WithActivationToken (used in place of the node's nonce value if provided, for the server-led flow; note that this should be the full string token, it will be decoded by this function), WithRegistrationWrapper/WithWrappingRegistrationFlowApplicationSpecificParams

func (*NodeCredentials) Descriptor deprecated

func (*NodeCredentials) Descriptor() ([]byte, []int)

Deprecated: Use NodeCredentials.ProtoReflect.Descriptor instead.

func (*NodeCredentials) GetCertificateBundles

func (x *NodeCredentials) GetCertificateBundles() []*CertificateBundle

func (*NodeCredentials) GetCertificatePrivateKeyPkcs8

func (x *NodeCredentials) GetCertificatePrivateKeyPkcs8() []byte

func (*NodeCredentials) GetCertificatePrivateKeyType

func (x *NodeCredentials) GetCertificatePrivateKeyType() KEYTYPE

func (*NodeCredentials) GetCertificatePublicKeyPkix

func (x *NodeCredentials) GetCertificatePublicKeyPkix() []byte

func (*NodeCredentials) GetEncryptionPrivateKeyBytes

func (x *NodeCredentials) GetEncryptionPrivateKeyBytes() []byte

func (*NodeCredentials) GetEncryptionPrivateKeyType

func (x *NodeCredentials) GetEncryptionPrivateKeyType() KEYTYPE

func (*NodeCredentials) GetId

func (x *NodeCredentials) GetId() string

func (*NodeCredentials) GetPreviousEncryptionKey added in v0.1.17

func (x *NodeCredentials) GetPreviousEncryptionKey() *EncryptionKey

func (*NodeCredentials) GetRegistrationNonce

func (x *NodeCredentials) GetRegistrationNonce() []byte

func (*NodeCredentials) GetServerEncryptionPublicKeyBytes

func (x *NodeCredentials) GetServerEncryptionPublicKeyBytes() []byte

func (*NodeCredentials) GetServerEncryptionPublicKeyType

func (x *NodeCredentials) GetServerEncryptionPublicKeyType() KEYTYPE

func (*NodeCredentials) GetState

func (x *NodeCredentials) GetState() *structpb.Struct

func (*NodeCredentials) GetWrappingKeyId

func (x *NodeCredentials) GetWrappingKeyId() string

func (*NodeCredentials) HandleFetchNodeCredentialsResponse

func (n *NodeCredentials) HandleFetchNodeCredentialsResponse(
	ctx context.Context,
	storage nodeenrollment.Storage,
	input *FetchNodeCredentialsResponse,
	opt ...nodeenrollment.Option,
) (*NodeCredentials, error)

HandleFetchNodeCredentialsResponse parses the response from a server for node credentials and attempts to decrypt it and merge it with the existing NodeCredentials. It returns the updated value and any error, and stores the result in storage unless WithSkipStorage is passed.

Supported options: WithStorageWrapper (passed through to NodeCredentials.Store), WithSkipStorage, WithActivationToken (overrides the NodeCredentials' nonce when using server-led node authorization)

func (*NodeCredentials) PreviousX25519EncryptionKey added in v0.1.17

func (n *NodeCredentials) PreviousX25519EncryptionKey() (string, []byte, error)

PreviousX25519EncryptionKey satisfies the X25519Producer and will produce a shared encryption key via X25519 if previous key data is present

func (*NodeCredentials) ProtoMessage

func (*NodeCredentials) ProtoMessage()

func (*NodeCredentials) ProtoReflect

func (x *NodeCredentials) ProtoReflect() protoreflect.Message

func (*NodeCredentials) Reset

func (x *NodeCredentials) Reset()

func (*NodeCredentials) SetPreviousEncryptionKey added in v0.1.17

func (n *NodeCredentials) SetPreviousEncryptionKey(oldNodeCredentials *NodeCredentials) error

SetPreviousEncryptionKey will set this NodeCredential's PreviousEncryptionKey field using the passed NodeCredentials

func (*NodeCredentials) Store

Store stores node credentials to storage, wrapping values along the way if given a wrapper

Supported options: WithStorageWrapper

func (*NodeCredentials) String

func (x *NodeCredentials) String() string

func (*NodeCredentials) X25519EncryptionKey

func (n *NodeCredentials) X25519EncryptionKey() (string, []byte, error)

X25519EncryptionKey uses the NodeCredentials values to produce a shared encryption key via X25519

type NodeInformation

type NodeInformation struct {
	Id                              string               `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	CertificatePublicKeyPkix        []byte               `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	CertificatePublicKeyType        KEYTYPE              `` /* 166-byte string literal not displayed */
	CertificateBundles              []*CertificateBundle `protobuf:"bytes,6,rep,name=certificate_bundles,proto3" json:"certificate_bundles,omitempty"`
	EncryptionPublicKeyBytes        []byte               `protobuf:"bytes,10,opt,name=encryption_public_key_bytes,proto3" json:"encryption_public_key_bytes,omitempty"`
	EncryptionPublicKeyType         KEYTYPE              `` /* 165-byte string literal not displayed */
	ServerEncryptionPrivateKeyBytes []byte               `protobuf:"bytes,12,opt,name=server_encryption_private_key_bytes,proto3" json:"server_encryption_private_key_bytes,omitempty"`
	ServerEncryptionPrivateKeyType  KEYTYPE              `` /* 181-byte string literal not displayed */
	RegistrationNonce               []byte               `protobuf:"bytes,20,opt,name=registration_nonce,proto3" json:"registration_nonce,omitempty"`
	// This will be populated with any decrypted values that came in as a
	// result of this flow
	WrappingRegistrationFlowInfo *WrappingRegistrationFlowInfo `protobuf:"bytes,22,opt,name=wrapping_registration_flow_info,proto3" json:"wrapping_registration_flow_info,omitempty"`
	// If set, the key ID of the wrapping key used to encrypt the private key and
	// the nonce
	WrappingKeyId string `protobuf:"bytes,30,opt,name=wrapping_key_id,proto3" json:"wrapping_key_id,omitempty"`
	// State is data that the implementor of a Store can use to round-trip data
	// through this library; as an example, a version number on the resource for
	// implementing transactions.
	State                 *structpb.Struct `protobuf:"bytes,50,opt,name=state,proto3" json:"state,omitempty"`
	PreviousEncryptionKey *EncryptionKey   `protobuf:"bytes,60,opt,name=previous_encryption_key,proto3" json:"previous_encryption_key,omitempty"`
	// contains filtered or unexported fields
}

NodeInformation contains server-side information about a node: its certificate public key, any issued certificates (purely for informational purposes), its encryption public key and the corresponding server private key. Nonce may or may not have a value depending on the flow used to register the node and the current state of that flow. The first seen value can be useful for display to an operator looking to authorize a node. Authorized stores whether or not this node is authorized; technically we could derive this based on whether we have complete key/certificate information, but it's nice to be explicit.

The ID corresponds to a key identifier generated by this library's KeyIdFromPkix function; unlike RootCertificate or NodeCredentials, which will only have at most two active values, here we need to identify an incoming node's information so use the actual key ID. Rotation simply means a new entry will be added with the new ID.

func LoadNodeInformation

func LoadNodeInformation(ctx context.Context, storage nodeenrollment.Storage, id string, opt ...nodeenrollment.Option) (*NodeInformation, error)

LoadNodeInformation loads the node information from storage, unwrapping encrypted values if needed.

Supported options: WithStorageWrapper, WithState

func (*NodeInformation) Descriptor deprecated

func (*NodeInformation) Descriptor() ([]byte, []int)

Deprecated: Use NodeInformation.ProtoReflect.Descriptor instead.

func (*NodeInformation) GetCertificateBundles

func (x *NodeInformation) GetCertificateBundles() []*CertificateBundle

func (*NodeInformation) GetCertificatePublicKeyPkix

func (x *NodeInformation) GetCertificatePublicKeyPkix() []byte

func (*NodeInformation) GetCertificatePublicKeyType

func (x *NodeInformation) GetCertificatePublicKeyType() KEYTYPE

func (*NodeInformation) GetEncryptionPublicKeyBytes

func (x *NodeInformation) GetEncryptionPublicKeyBytes() []byte

func (*NodeInformation) GetEncryptionPublicKeyType

func (x *NodeInformation) GetEncryptionPublicKeyType() KEYTYPE

func (*NodeInformation) GetId

func (x *NodeInformation) GetId() string

func (*NodeInformation) GetPreviousEncryptionKey added in v0.1.17

func (x *NodeInformation) GetPreviousEncryptionKey() *EncryptionKey

func (*NodeInformation) GetRegistrationNonce

func (x *NodeInformation) GetRegistrationNonce() []byte

func (*NodeInformation) GetServerEncryptionPrivateKeyBytes

func (x *NodeInformation) GetServerEncryptionPrivateKeyBytes() []byte

func (*NodeInformation) GetServerEncryptionPrivateKeyType

func (x *NodeInformation) GetServerEncryptionPrivateKeyType() KEYTYPE

func (*NodeInformation) GetState

func (x *NodeInformation) GetState() *structpb.Struct

func (*NodeInformation) GetWrappingKeyId

func (x *NodeInformation) GetWrappingKeyId() string

func (*NodeInformation) GetWrappingRegistrationFlowInfo added in v0.2.0

func (x *NodeInformation) GetWrappingRegistrationFlowInfo() *WrappingRegistrationFlowInfo

func (*NodeInformation) PreviousX25519EncryptionKey added in v0.1.17

func (n *NodeInformation) PreviousX25519EncryptionKey() (string, []byte, error)

PreviousX25519EncryptionKey satisfies the X25519Producer and will produce a shared encryption key via X25519 if previous key data is present

func (*NodeInformation) ProtoMessage

func (*NodeInformation) ProtoMessage()

func (*NodeInformation) ProtoReflect

func (x *NodeInformation) ProtoReflect() protoreflect.Message

func (*NodeInformation) Reset

func (x *NodeInformation) Reset()

func (*NodeInformation) SetPreviousEncryptionKey added in v0.1.17

func (n *NodeInformation) SetPreviousEncryptionKey(oldNodeInformation *NodeInformation) error

SetPreviousEncryptionKey will set this NodeInformation's PreviousEncryptionKey field using the passed NodeInformation

func (*NodeInformation) Store

Store stores node information to server storage, wrapping values along the way if given a wrapper

Supported options: WithStorageWrapper

func (*NodeInformation) String

func (x *NodeInformation) String() string

func (*NodeInformation) X25519EncryptionKey

func (n *NodeInformation) X25519EncryptionKey() (string, []byte, error)

X25519EncryptionKey uses the NodeInformation's values to produce a shared encryption key via X25519

type RootCertificate

type RootCertificate struct {
	Id              string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // "current" or "next"
	PublicKeyPkix   []byte                 `protobuf:"bytes,2,opt,name=public_key_pkix,proto3" json:"public_key_pkix,omitempty"`
	PrivateKeyPkcs8 []byte                 `protobuf:"bytes,4,opt,name=private_key_pkcs8,proto3" json:"private_key_pkcs8,omitempty"`
	PrivateKeyType  KEYTYPE                `` /* 144-byte string literal not displayed */
	CertificateDer  []byte                 `protobuf:"bytes,6,opt,name=certificate_der,proto3" json:"certificate_der,omitempty"`
	NotBefore       *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=not_before,proto3" json:"not_before,omitempty"`
	NotAfter        *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=not_after,proto3" json:"not_after,omitempty"`
	// contains filtered or unexported fields
}

RootCertificate contains information about a root CA certificate and its associated public/private keys

func (*RootCertificate) Descriptor deprecated

func (*RootCertificate) Descriptor() ([]byte, []int)

Deprecated: Use RootCertificate.ProtoReflect.Descriptor instead.

func (*RootCertificate) GetCertificateDer

func (x *RootCertificate) GetCertificateDer() []byte

func (*RootCertificate) GetId

func (x *RootCertificate) GetId() string

func (*RootCertificate) GetNotAfter

func (x *RootCertificate) GetNotAfter() *timestamppb.Timestamp

func (*RootCertificate) GetNotBefore

func (x *RootCertificate) GetNotBefore() *timestamppb.Timestamp

func (*RootCertificate) GetPrivateKeyPkcs8

func (x *RootCertificate) GetPrivateKeyPkcs8() []byte

func (*RootCertificate) GetPrivateKeyType

func (x *RootCertificate) GetPrivateKeyType() KEYTYPE

func (*RootCertificate) GetPublicKeyPkix

func (x *RootCertificate) GetPublicKeyPkix() []byte

func (*RootCertificate) ProtoMessage

func (*RootCertificate) ProtoMessage()

func (*RootCertificate) ProtoReflect

func (x *RootCertificate) ProtoReflect() protoreflect.Message

func (*RootCertificate) Reset

func (x *RootCertificate) Reset()

func (*RootCertificate) SigningParams

func (r *RootCertificate) SigningParams(ctx context.Context) (*x509.Certificate, crypto.Signer, error)

SigningParams is a helper to extract the necessary information from the RootCertificate to use as a CA certificate

func (*RootCertificate) String

func (x *RootCertificate) String() string

type RootCertificates

type RootCertificates struct {
	Id      string           `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	Current *RootCertificate `protobuf:"bytes,2,opt,name=current,proto3" json:"current,omitempty"`
	Next    *RootCertificate `protobuf:"bytes,3,opt,name=next,proto3" json:"next,omitempty"`
	// If set, the key ID of the wrapping key used to encrypt the private key
	WrappingKeyId string `protobuf:"bytes,30,opt,name=wrapping_key_id,proto3" json:"wrapping_key_id,omitempty"`
	// State is data that the implementor of a Store can use to round-trip data
	// through this library; as an example, a version number on the resource for
	// implementing transactions.
	State *structpb.Struct `protobuf:"bytes,50,opt,name=state,proto3" json:"state,omitempty"`
	// contains filtered or unexported fields
}

RootCertificates is a message that holds two root certificates for easy usage/identification. The ID will always be "roots".

func LoadRootCertificates

func LoadRootCertificates(ctx context.Context, storage nodeenrollment.Storage, opt ...nodeenrollment.Option) (*RootCertificates, error)

LoadRootCertificates loads the RootCertificates from storage, unwrapping encrypted values if needed

Supported options: WithStorageWrapper

func (*RootCertificates) Descriptor deprecated

func (*RootCertificates) Descriptor() ([]byte, []int)

Deprecated: Use RootCertificates.ProtoReflect.Descriptor instead.

func (*RootCertificates) GetCurrent

func (x *RootCertificates) GetCurrent() *RootCertificate

func (*RootCertificates) GetId

func (x *RootCertificates) GetId() string

func (*RootCertificates) GetNext

func (x *RootCertificates) GetNext() *RootCertificate

func (*RootCertificates) GetState

func (x *RootCertificates) GetState() *structpb.Struct

func (*RootCertificates) GetWrappingKeyId

func (x *RootCertificates) GetWrappingKeyId() string

func (*RootCertificates) ProtoMessage

func (*RootCertificates) ProtoMessage()

func (*RootCertificates) ProtoReflect

func (x *RootCertificates) ProtoReflect() protoreflect.Message

func (*RootCertificates) Reset

func (x *RootCertificates) Reset()

func (*RootCertificates) Store

Store stores the certificates to the given storage, possibly encrypting secret values along the way if a wrapper is passed

Supported options: WithStorageWrapper

func (*RootCertificates) String

func (x *RootCertificates) String() string

type RotateNodeCredentialsRequest

type RotateNodeCredentialsRequest struct {

	// For identification of the node, in case it's not trivial from the
	// connection
	CertificatePublicKeyPkix []byte `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	// Encrypted FetchNodeCredentialsRequest, with the current encryption
	// parameters used for key generation
	EncryptedFetchNodeCredentialsRequest []byte `` /* 134-byte string literal not displayed */
	// contains filtered or unexported fields
}

RotateNodeCredentialsRequest is the message used when a node wants to rotate credentials

func (*RotateNodeCredentialsRequest) Descriptor deprecated

func (*RotateNodeCredentialsRequest) Descriptor() ([]byte, []int)

Deprecated: Use RotateNodeCredentialsRequest.ProtoReflect.Descriptor instead.

func (*RotateNodeCredentialsRequest) GetCertificatePublicKeyPkix

func (x *RotateNodeCredentialsRequest) GetCertificatePublicKeyPkix() []byte

func (*RotateNodeCredentialsRequest) GetEncryptedFetchNodeCredentialsRequest

func (x *RotateNodeCredentialsRequest) GetEncryptedFetchNodeCredentialsRequest() []byte

func (*RotateNodeCredentialsRequest) ProtoMessage

func (*RotateNodeCredentialsRequest) ProtoMessage()

func (*RotateNodeCredentialsRequest) ProtoReflect

func (*RotateNodeCredentialsRequest) Reset

func (x *RotateNodeCredentialsRequest) Reset()

func (*RotateNodeCredentialsRequest) String

type RotateNodeCredentialsResponse

type RotateNodeCredentialsResponse struct {

	// Encrypted FetchNodeCredentialsResponse, with the current encryption
	// parameters used for key generation. The new key will be used for the
	// encrypted node credentials in the response.
	EncryptedFetchNodeCredentialsResponse []byte `` /* 136-byte string literal not displayed */
	// contains filtered or unexported fields
}

RotateNodeCredentialsResponse is the message used to return values

func (*RotateNodeCredentialsResponse) Descriptor deprecated

func (*RotateNodeCredentialsResponse) Descriptor() ([]byte, []int)

Deprecated: Use RotateNodeCredentialsResponse.ProtoReflect.Descriptor instead.

func (*RotateNodeCredentialsResponse) GetEncryptedFetchNodeCredentialsResponse

func (x *RotateNodeCredentialsResponse) GetEncryptedFetchNodeCredentialsResponse() []byte

func (*RotateNodeCredentialsResponse) ProtoMessage

func (*RotateNodeCredentialsResponse) ProtoMessage()

func (*RotateNodeCredentialsResponse) ProtoReflect

func (*RotateNodeCredentialsResponse) Reset

func (x *RotateNodeCredentialsResponse) Reset()

func (*RotateNodeCredentialsResponse) String

type ServerLedActivationToken added in v0.1.16

type ServerLedActivationToken struct {
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// The time at which this was created; always overwritten on load from
	// creation_time_marshaled
	CreationTime *timestamppb.Timestamp `protobuf:"bytes,10,opt,name=creation_time,proto3" json:"creation_time,omitempty"`
	// This stores a marshaled version of the creation time so that it can easily
	// be wrapped
	CreationTimeMarshaled []byte `protobuf:"bytes,11,opt,name=creation_time_marshaled,proto3" json:"creation_time_marshaled,omitempty"`
	// If set, the key ID of the wrapping key used to encrypt the private keys
	WrappingKeyId string `protobuf:"bytes,30,opt,name=wrapping_key_id,proto3" json:"wrapping_key_id,omitempty"`
	// State is data that the implementor of a Store can use to round-trip data
	// through this library; as an example, a version number on the resource for
	// implementing transactions.
	State *structpb.Struct `protobuf:"bytes,50,opt,name=state,proto3" json:"state,omitempty"`
	// contains filtered or unexported fields
}

ServerLedActivationToken contains stored information about a one-time-use activation token. The ID is created by HMAC'ing the nonce of the actual returned token with the token's key bytes.

func LoadServerLedActivationToken added in v0.1.16

func LoadServerLedActivationToken(ctx context.Context, storage nodeenrollment.Storage, id string, opt ...nodeenrollment.Option) (*ServerLedActivationToken, error)

LoadServerLedActivationToken loads the activation token from storage, unwrapping encrypted values if needed

Supported options: WithStorageWrapper

func (*ServerLedActivationToken) Descriptor deprecated added in v0.1.16

func (*ServerLedActivationToken) Descriptor() ([]byte, []int)

Deprecated: Use ServerLedActivationToken.ProtoReflect.Descriptor instead.

func (*ServerLedActivationToken) GetCreationTime added in v0.1.16

func (x *ServerLedActivationToken) GetCreationTime() *timestamppb.Timestamp

func (*ServerLedActivationToken) GetCreationTimeMarshaled added in v0.1.16

func (x *ServerLedActivationToken) GetCreationTimeMarshaled() []byte

func (*ServerLedActivationToken) GetId added in v0.1.16

func (x *ServerLedActivationToken) GetId() string

func (*ServerLedActivationToken) GetState added in v0.1.16

func (x *ServerLedActivationToken) GetState() *structpb.Struct

func (*ServerLedActivationToken) GetWrappingKeyId added in v0.1.16

func (x *ServerLedActivationToken) GetWrappingKeyId() string

func (*ServerLedActivationToken) ProtoMessage added in v0.1.16

func (*ServerLedActivationToken) ProtoMessage()

func (*ServerLedActivationToken) ProtoReflect added in v0.1.16

func (x *ServerLedActivationToken) ProtoReflect() protoreflect.Message

func (*ServerLedActivationToken) Reset added in v0.1.16

func (x *ServerLedActivationToken) Reset()

func (*ServerLedActivationToken) Store added in v0.1.16

Store stores an activation token to storage, wrapping values along the way if given a wrapper

Supported options: WithStorageWrapper

func (*ServerLedActivationToken) String added in v0.1.16

func (x *ServerLedActivationToken) String() string

type ServerLedActivationTokenNonce added in v0.1.16

type ServerLedActivationTokenNonce struct {
	Nonce        []byte `protobuf:"bytes,1,opt,name=nonce,proto3" json:"nonce,omitempty"`
	HmacKeyBytes []byte `protobuf:"bytes,2,opt,name=hmac_key_bytes,proto3" json:"hmac_key_bytes,omitempty"`
	// contains filtered or unexported fields
}

ServerLedActivationTokenNonce is the value actually returned to a user. A SHA256-HMAC of the nonce, keyed by the key bytes, should result in an ID that can be found in storage.
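As an added example, not the library's own code, the following shows the ID derivation described for ServerLedActivationToken and ServerLedActivationTokenNonce: the user-held token carries the nonce and HMAC key, while storage holds only the HMAC, so a copy of storage alone cannot be redeemed. A map stands in for nodeenrollment.Storage, and the hex encoding of the MAC and the names tokenNonce, NewActivationToken and RedeemActivationToken are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// tokenNonce mirrors the two fields of ServerLedActivationTokenNonce, the
// value handed to the user. Constructed stand-in, not the library's type.
type tokenNonce struct {
	Nonce        []byte
	HmacKeyBytes []byte
}

// ActivationTokenID derives the storage ID as HMAC-SHA256(key, nonce), as the
// docs describe. Hex encoding of the MAC is an assumption of this example.
func ActivationTokenID(nonce, hmacKey []byte) string {
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(nonce)
	return hex.EncodeToString(mac.Sum(nil))
}

// NewActivationToken generates a fresh nonce and HMAC key, records only the
// derived ID (mapped to its creation time), and returns the user-held token.
func NewActivationToken(store map[string]time.Time) (tokenNonce, error) {
	tok := tokenNonce{Nonce: make([]byte, 32), HmacKeyBytes: make([]byte, 32)}
	if _, err := rand.Read(tok.Nonce); err != nil {
		return tokenNonce{}, err
	}
	if _, err := rand.Read(tok.HmacKeyBytes); err != nil {
		return tokenNonce{}, err
	}
	store[ActivationTokenID(tok.Nonce, tok.HmacKeyBytes)] = time.Now()
	return tok, nil
}

// RedeemActivationToken resolves a presented token to its stored record and
// deletes the record on success, so a token can only be used once.
func RedeemActivationToken(store map[string]time.Time, tok tokenNonce) (time.Time, error) {
	if len(tok.Nonce) == 0 || len(tok.HmacKeyBytes) == 0 {
		return time.Time{}, errors.New("malformed activation token")
	}
	id := ActivationTokenID(tok.Nonce, tok.HmacKeyBytes)
	created, ok := store[id]
	if !ok {
		return time.Time{}, errors.New("unknown or already used activation token")
	}
	delete(store, id)
	return created, nil
}

func main() {
	store := map[string]time.Time{}
	tok, _ := NewActivationToken(store)
	_, first := RedeemActivationToken(store, tok)
	_, second := RedeemActivationToken(store, tok)
	fmt.Println("first:", first, "second:", second) // first nil, second an error
}
```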

func (*ServerLedActivationTokenNonce) Descriptor deprecated added in v0.1.16

func (*ServerLedActivationTokenNonce) Descriptor() ([]byte, []int)

Deprecated: Use ServerLedActivationTokenNonce.ProtoReflect.Descriptor instead.

func (*ServerLedActivationTokenNonce) GetHmacKeyBytes added in v0.1.16

func (x *ServerLedActivationTokenNonce) GetHmacKeyBytes() []byte

func (*ServerLedActivationTokenNonce) GetNonce added in v0.1.16

func (x *ServerLedActivationTokenNonce) GetNonce() []byte

func (*ServerLedActivationTokenNonce) ProtoMessage added in v0.1.16

func (*ServerLedActivationTokenNonce) ProtoMessage()

func (*ServerLedActivationTokenNonce) ProtoReflect added in v0.1.16

func (*ServerLedActivationTokenNonce) Reset added in v0.1.16

func (x *ServerLedActivationTokenNonce) Reset()

func (*ServerLedActivationTokenNonce) String added in v0.1.16

type ServerLedRegistrationRequest

type ServerLedRegistrationRequest struct {
	// contains filtered or unexported fields
}

ServerLedRegistrationRequest is a request for the "operator-led" registration flow. Although currently empty it's required to ensure that we can add parameters later without an API change.

func (*ServerLedRegistrationRequest) Descriptor deprecated

func (*ServerLedRegistrationRequest) Descriptor() ([]byte, []int)

Deprecated: Use ServerLedRegistrationRequest.ProtoReflect.Descriptor instead.

func (*ServerLedRegistrationRequest) ProtoMessage

func (*ServerLedRegistrationRequest) ProtoMessage()

func (*ServerLedRegistrationRequest) ProtoReflect

func (*ServerLedRegistrationRequest) Reset

func (x *ServerLedRegistrationRequest) Reset()

func (*ServerLedRegistrationRequest) String

type WrappingRegistrationFlowInfo added in v0.2.0

type WrappingRegistrationFlowInfo struct {
	CertificatePublicKeyPkix  []byte           `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	Nonce                     []byte           `protobuf:"bytes,20,opt,name=nonce,proto3" json:"nonce,omitempty"`
	ApplicationSpecificParams *structpb.Struct `` /* 139-byte string literal not displayed */
	// contains filtered or unexported fields
}

WrappingRegistrationFlowInfo is a message that can be encrypted via a shared encryption wrapper and supplied to perform just-in-time registration. The public key contained in this bundle must match that within FetchNodeCredentialsInfo, as must the nonce. Forgeries by other users with access to the wrapper are prevented due to the signature on the FetchNodeCredentialsRequest including this; replays are prevented because the returned credentials are still encrypted to the derived shared key.

The application specific params can be used to pass extra registration information to the consuming application. Although both provide state to the server, there are two differences between the application specific params and passing state through to the node's dialer:

  • The information is available at different times; client state cannot be sent through most of the nodeenrollment code because state parameters are reserved for the storage system to use as needed (e.g. to track operations across multiple calls). So client state is only available to the eventual receiver of a connection via a *protocol.Conn, whereas the application specific params are available when node information is being stored (at which time a conn is not available, and where passing this information as state would overwrite the storage system's state, if used).
  • Anything in WrappingRegistrationFlowInfo is encrypted via the KMS, if required

It is entirely possible that the state passed into `protocol.Dial` and application specific params will carry the same data for use at different times. For instance, information about a node's name and version may be put into application specific params in order to have it available during registration time, since registration is automatic (as opposed to e.g. an API call to activate a worker-led token where name can be provided at that time); however, when the connection is eventually returned to the application listener, the state can help the application figure out the next step in handling the connection based on version (e.g. passing to gRPC versus starting a yamux session).

func (*WrappingRegistrationFlowInfo) Descriptor deprecated added in v0.2.0

func (*WrappingRegistrationFlowInfo) Descriptor() ([]byte, []int)

Deprecated: Use WrappingRegistrationFlowInfo.ProtoReflect.Descriptor instead.

func (*WrappingRegistrationFlowInfo) GetApplicationSpecificParams added in v0.2.0

func (x *WrappingRegistrationFlowInfo) GetApplicationSpecificParams() *structpb.Struct

func (*WrappingRegistrationFlowInfo) GetCertificatePublicKeyPkix added in v0.2.0

func (x *WrappingRegistrationFlowInfo) GetCertificatePublicKeyPkix() []byte

func (*WrappingRegistrationFlowInfo) GetNonce added in v0.2.0

func (x *WrappingRegistrationFlowInfo) GetNonce() []byte

func (*WrappingRegistrationFlowInfo) ProtoMessage added in v0.2.0

func (*WrappingRegistrationFlowInfo) ProtoMessage()

func (*WrappingRegistrationFlowInfo) ProtoReflect added in v0.2.0

func (*WrappingRegistrationFlowInfo) Reset added in v0.2.0

func (x *WrappingRegistrationFlowInfo) Reset()

func (*WrappingRegistrationFlowInfo) String added in v0.2.0
