Package identity encapsulates the node identity.



const (
	// NodeKeyPubFilename is the filename of the PEM encoded node public key.
	NodeKeyPubFilename = "identity_pub.pem"

	// P2PKeyPubFilename is the filename of the PEM encoded p2p public key.
	P2PKeyPubFilename = "p2p_pub.pem"

	// ConsensusKeyPubFilename is the filename of the PEM encoded consensus
	// public key.
	ConsensusKeyPubFilename = "consensus_pub.pem"

	// VRFKeyPubFilename is the filename of the PEM encoded node VRF public key.
	VRFKeyPubFilename = "vrf_pub.pem"

	// CommonName is the CommonName to use when generating TLS certificates.
	CommonName = "oasis-node"


var (
	// ErrCertificateRotationForbidden is returned by RotateCertificates if
	// TLS certificate rotation is forbidden.  This happens when rotation is
	// enabled and an existing TLS certificate was successfully loaded
	// (or a new one was generated and persisted to disk).
	ErrCertificateRotationForbidden = errors.New("identity", 1, "identity: TLS certificate rotation forbidden")

	// RequiredSignerRoles is the required signer roles needed to load or
	// provision a node identity.
	RequiredSignerRoles = []signature.SignerRole{


func TLSCertPaths

func TLSCertPaths(dataDir string) (string, string)

TLSCertPaths returns the TLS private key and certificate paths relative to the passed data directory.

func TLSSentryClientCertPaths

func TLSSentryClientCertPaths(dataDir string) (string, string)

TLSSentryClientCertPaths returns the sentry client TLS private key and certificate paths relative to the passed data directory.


type Identity

type Identity struct {

	// NodeSigner is a node identity key signer.
	NodeSigner signature.Signer
	// P2PSigner is a node P2P link key signer.
	P2PSigner signature.Signer
	// ConsensusSigner is a node consensus key signer.
	ConsensusSigner signature.Signer
	// VRFSigner is a node VRF key signer.
	VRFSigner signature.Signer

	// TLSSentryClientCertificate is the client certificate used for
	// connecting to the sentry node's control connection.  It is never rotated.
	TLSSentryClientCertificate *tls.Certificate

	// DoNotRotateTLS is true if the TLS certificates below must not be rotated.
	DoNotRotateTLS bool
	// contains filtered or unexported fields

Identity is a node identity.

func Load

func Load(dataDir string, signerFactory signature.SignerFactory) (*Identity, error)

Load loads an identity.

func LoadOrGenerate

func LoadOrGenerate(dataDir string, signerFactory signature.SignerFactory, persistTLS bool) (*Identity, error)

LoadOrGenerate loads or generates an identity. If persistTLS is true, it saves the generated TLS certificates to disk.

func (*Identity) GetNextTLSCertificate

func (i *Identity) GetNextTLSCertificate() *tls.Certificate

GetNextTLSCertificate returns the next TLS certificate.

func (*Identity) GetNextTLSSigner

func (i *Identity) GetNextTLSSigner() signature.Signer

GetNextTLSSigner returns the next TLS signer.

func (*Identity) GetTLSCertificate

func (i *Identity) GetTLSCertificate() *tls.Certificate

GetTLSCertificate returns the current TLS certificate.

func (*Identity) GetTLSPubKeys

func (i *Identity) GetTLSPubKeys() []signature.PublicKey

GetTLSPubKeys returns a list of currently valid TLS public keys.

func (*Identity) GetTLSSigner

func (i *Identity) GetTLSSigner() signature.Signer

GetTLSSigner returns the current TLS signer.

func (*Identity) RotateCertificates

func (i *Identity) RotateCertificates() error

RotateCertificates rotates the identity's TLS certificates. It is called from worker/registration/worker.go every CfgRegistrationRotateCerts epochs, if that setting is non-zero.

func (*Identity) SetTLSCertificate

func (i *Identity) SetTLSCertificate(cert *tls.Certificate)

SetTLSCertificate sets the current TLS certificate.

func (*Identity) WatchCertificateRotations

func (i *Identity) WatchCertificateRotations() (<-chan struct{}, pubsub.ClosableSubscription)

WatchCertificateRotations subscribes to TLS certificate rotation notifications.

