Documentation

Index

Constants

View Source
const (
	// MaxServerName must be of UUID size maximum
	MaxServerName = 36
	// NonceLength is the length of the Nonce to be used in the secrets
	NonceLength = 16
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ConnectionClaims

type ConnectionClaims struct {
	T *policy.TagStore
	// RMT is the nonce of the remote that has to be signed in the JWT
	RMT []byte
	// LCL is the nonce of the local node that has to be signed
	LCL []byte
	// EK is the ephemeral EC key for encryption
	EK []byte
}

    ConnectionClaims captures all the claim information

    type CustomTokenConfig

    type CustomTokenConfig struct {
    
    	// ValidityPeriod for the signed token
    	ValidityPeriod time.Duration
    
    	// Issuer is the server that signs the request
    	Issuer string
    
    	// SignMethod is the method to use for signing the labels
    	SignMethod CustomTokenSignMethod
    
    	// Key is an interface for either the Private Key or the Preshared Key
    	Key interface{}
    	// CA is the certificate of the CA that has signed the server keys
    	CA *x509.Certificate
    	// Cert is the certificate of the server
    	Cert *x509.Certificate
    	// CertPEM is a buffer of the PEM file that is send to other servers - Cached for efficiency
    	CertPEM []byte
    	// IncludeCert instructs the engine to transmit the certificate with each token
    	IncludeCert bool
    	// CertPool is pool of certificates that are already distributed out of band
    	PublicKeyCache map[string]*ecdsa.PublicKey
    }

      CustomTokenConfig configures the custom token generator with the standard parameters

      func NewPSKCustomToken

      func NewPSKCustomToken(validity time.Duration, issuer string, psk []byte) *CustomTokenConfig

        NewPSKCustomToken creates a new token generator for custom tokens

        func (*CustomTokenConfig) CreateAndSign

        func (c *CustomTokenConfig) CreateAndSign(isAck bool, claims *ConnectionClaims) []byte

          CreateAndSign creates a buffer for a new custom token and signs the token. Format is Signature, Random Local, Random Remote, Tags separated by the spaces

          func (*CustomTokenConfig) Decode

          func (c *CustomTokenConfig) Decode(isAck bool, data []byte, previousCert interface{}) (*ConnectionClaims, interface{})

            Decode decodes a string into the data structures for a custom token

            type CustomTokenSignMethod

            type CustomTokenSignMethod int

              CustomTokenSignMethod describes the sign methods for the custome tokens

              const (
              	// PreSharedKey defines a pre-shared key implementation
              	PreSharedKey CustomTokenSignMethod = iota
              	// PKI defines a public/private key implementation
              	PKI
              )

              type JWTClaims

              type JWTClaims struct {
              	*ConnectionClaims
              	jwt.StandardClaims
              }

                JWTClaims captures all the custom clains

                type JWTConfig

                type JWTConfig struct {
                	// ValidityPeriod  period of the JWT
                	ValidityPeriod time.Duration
                	// Issuer is the server that issues the JWT
                	Issuer string
                	// contains filtered or unexported fields
                }

                  JWTConfig configures the JWT token generator with the standard parameters. One configuration is assigned to each server

                  func NewJWT

                  func NewJWT(validity time.Duration, issuer string, s secrets.Secrets) (*JWTConfig, error)

                    NewJWT creates a new JWT token processor

                    func (*JWTConfig) CreateAndSign

                    func (c *JWTConfig) CreateAndSign(isAck bool, claims *ConnectionClaims) (token []byte, nonce []byte, err error)

                      CreateAndSign creates a new token, attaches an ephemeral key pair and signs with the issuer key. It also randomizes the source nonce of the token. It returns back the token and the private key.

                      func (*JWTConfig) Decode

                      func (c *JWTConfig) Decode(isAck bool, data []byte, previousCert interface{}) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error)

                        Decode takes as argument the JWT token and the certificate of the issuer. First it verifies the certificate with the local CA pool, and the decodes the JWT if the certificate is trusted

                        func (*JWTConfig) Randomize

                        func (c *JWTConfig) Randomize(token []byte) (nonce []byte, err error)

                          Randomize adds a nonce to an existing token. Returns the nonce

                          func (*JWTConfig) RetrieveNonce

                          func (c *JWTConfig) RetrieveNonce(token []byte) ([]byte, error)

                            RetrieveNonce returns the nonce of a token. It copies the value

                            type TokenEngine

                            type TokenEngine interface {
                            	// CreteAndSign creates a token, signs it and produces the final byte string
                            	CreateAndSign(isAck bool, claims *ConnectionClaims) (token []byte, nonce []byte, err error)
                            	// Decode decodes an incoming buffer and returns the claims and the sender certificate
                            	Decode(isAck bool, data []byte, previousCert interface{}) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error)
                            	// Randomize inserts a source nonce in an existing token - New nonce will be
                            	// create every time the token is transmitted as a challenge to the other side
                            	// even when the token is cached. There should be space in the token already.
                            	// Returns an error if there is no space
                            	Randomize([]byte) (nonce []byte, err error)
                            	// RetrieveNonce retrieves the nonce from the token only. Returns the nonce
                            	// or an error if the nonce cannot be decoded
                            	RetrieveNonce([]byte) ([]byte, error)
                            }

                              TokenEngine is the interface to the different implementations of tokens