identity

package
v0.14.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 26, 2019 License: AGPL-3.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	NoCertNoKey = TLSFilesStatus(iota)
	CertNoKey
	NoCertKey
	CertKey
)

Four possible outcomes for four files

Variables

View Source 
var (
	// ErrZeroBytes is returned for zero slice
	ErrZeroBytes = errs.New("byte slice was unexpectedly empty")
)
View Source 
var (

	// Error is a pkg/identity error
	Error = errs.Class("pkg/identity error")
)

Functions

func GenerateKey 

func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) (
	k crypto.PrivateKey, id storj.NodeID, err error)

GenerateKey generates a private key with a node id with difficulty at least minDifficulty. No parallelism is used.

func GenerateKeys 

func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, version storj.IDVersion, found GenerateCallback) (err error)

GenerateKeys continues to generate keys until found returns done == false, or the ctx is canceled.

func NodeIDFromCert added in v0.9.0 

func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)

NodeIDFromCert looks for a version in an ID version extension in the passed cert and then calculates a versioned node ID using the certificate public key. NB: `cert` would typically be an identity's certificate authority certificate.

func NodeIDFromCertPath 

func NodeIDFromCertPath(certPath string) (storj.NodeID, error)

NodeIDFromCertPath loads a node ID from a certificate file path.

func NodeIDFromKey 

func NodeIDFromKey(k crypto.PublicKey, version storj.IDVersion) (storj.NodeID, error)

NodeIDFromKey calculates the node ID for a given public key with the passed version.

func NodeIDFromPEM 

func NodeIDFromPEM(pemBytes []byte) (storj.NodeID, error)

NodeIDFromPEM loads a node ID from certificate bytes.

func ToChains 

func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate

ToChains takes a number of certificate chains and returns them as a 2d slice of chains of certificates.

Types

type CASetupConfig 

type CASetupConfig struct {
	VersionNumber  uint   `default:"0" help:"which identity version to use (0 is latest)"`
	ParentCertPath string `help:"path to the parent authority's certificate chain"`
	ParentKeyPath  string `help:"path to the parent authority's private key"`
	CertPath       string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath        string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
	Difficulty     uint64 `help:"minimum difficulty for identity generation" default:"30"`
	Timeout        string `help:"timeout for CA generation; golang duration string (0 no timeout)" default:"5m"`
	Overwrite      bool   `help:"if true, existing CA certs AND keys will overwritten" default:"false" setup:"true"`
	Concurrency    uint   `help:"number of concurrent workers for certificate authority generation" default:"4"`
}

CASetupConfig is for creating a CA

func (CASetupConfig) Create 

func (caS CASetupConfig) Create(ctx context.Context, logger io.Writer) (*FullCertificateAuthority, error)

Create generates and saves a CA using the config

func (CASetupConfig) FullConfig 

func (caS CASetupConfig) FullConfig() FullCAConfig

FullConfig converts a `CASetupConfig` to `FullCAConfig`

func (CASetupConfig) Status 

func (caS CASetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the CA cert/key files for the config

type Config 

type Config struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" user:"true"`
}

Config allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (Config) Load 

func (ic Config) Load() (*FullIdentity, error)

Load loads a FullIdentity from the config

func (Config) PeerConfig 

func (ic Config) PeerConfig() *PeerConfig

PeerConfig converts a Config to a PeerConfig

func (Config) Save 

func (ic Config) Save(fi *FullIdentity) error

Save saves a FullIdentity according to the config

func (Config) SaveBackup 

func (ic Config) SaveBackup(fi *FullIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename

type FullCAConfig 

type FullCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
}

FullCAConfig is for locating a CA certificate and it's private key

func (FullCAConfig) Load 

func (fc FullCAConfig) Load() (*FullCertificateAuthority, error)

Load loads a CA from the given configuration

func (FullCAConfig) PeerConfig 

func (fc FullCAConfig) PeerConfig() PeerCAConfig

PeerConfig converts a full ca config to a peer ca config

func (FullCAConfig) Save 

func (fc FullCAConfig) Save(ca *FullCertificateAuthority) error

Save saves a CA with the given configuration

func (FullCAConfig) SaveBackup 

func (fc FullCAConfig) SaveBackup(ca *FullCertificateAuthority) error

SaveBackup saves the certificate of the config wth a timestamped filename

type FullCertificateAuthority 

type FullCertificateAuthority struct {
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
	// Key is the private key of the CA
	Key crypto.PrivateKey
}

FullCertificateAuthority represents the CA which is used to author and validate full identities

func FullCertificateAuthorityFromPEM 

func FullCertificateAuthorityFromPEM(chainPEM, keyPEM []byte) (*FullCertificateAuthority, error)

FullCertificateAuthorityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewCA 

func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority, err error)

NewCA creates a new full identity with the given difficulty

func (*FullCertificateAuthority) AddExtension 

func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error

AddExtension adds extensions to certificate authority certificate. Extensions are serialized into the certificate's raw bytes and it is re-signed by itself.

func (*FullCertificateAuthority) Chain 

func (ca *FullCertificateAuthority) Chain() []*x509.Certificate

Chain returns the CA's certificate chain

func (*FullCertificateAuthority) NewIdentity 

func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)

NewIdentity generates a new `FullIdentity` based on the CA. The CA cert is included in the identity's cert chain and the identity's leaf cert is signed by the CA.

func (*FullCertificateAuthority) PeerCA 

func (ca *FullCertificateAuthority) PeerCA() *PeerCertificateAuthority

PeerCA converts a FullCertificateAuthority to a PeerCertificateAuthority

func (*FullCertificateAuthority) RawChain 

func (ca *FullCertificateAuthority) RawChain() [][]byte

RawChain returns the CA's certificate chain as a 2d byte slice

func (*FullCertificateAuthority) RawRestChain 

func (ca *FullCertificateAuthority) RawRestChain() [][]byte

RawRestChain returns the "rest" (excluding `ca.Cert`) of the certificate chain as a 2d byte slice

func (*FullCertificateAuthority) Revoke 

func (ca *FullCertificateAuthority) Revoke() error

Revoke extends the certificate authority certificate with a certificate revocation extension.

func (*FullCertificateAuthority) Sign 

func (ca *FullCertificateAuthority) Sign(cert *x509.Certificate) (*x509.Certificate, error)

Sign signs the passed certificate with ca certificate

func (*FullCertificateAuthority) Version added in v0.9.0 

func (ca *FullCertificateAuthority) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type FullIdentity 

type FullIdentity struct {
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA. The ID is taken from this cert.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
	// Key is the key this identity uses with the leaf for communication.
	Key crypto.PrivateKey
}

FullIdentity represents you on the network. In addition to a PeerIdentity, a FullIdentity also has a Key, which a PeerIdentity doesn't have.

func FullIdentityFromPEM 

func FullIdentityFromPEM(chainPEM, keyPEM []byte) (*FullIdentity, error)

FullIdentityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewFullIdentity 

func NewFullIdentity(ctx context.Context, opts NewCAOptions) (*FullIdentity, error)

NewFullIdentity creates a new ID for nodes with difficulty and concurrency params.

func (*FullIdentity) Chain 

func (fi *FullIdentity) Chain() []*x509.Certificate

Chain returns the Identity's certificate chain

func (*FullIdentity) PeerIdentity 

func (fi *FullIdentity) PeerIdentity() *PeerIdentity

PeerIdentity converts a FullIdentity into a PeerIdentity

func (*FullIdentity) RawChain 

func (fi *FullIdentity) RawChain() [][]byte

RawChain returns all of the certificate chain as a 2d byte slice

func (*FullIdentity) RawRestChain 

func (fi *FullIdentity) RawRestChain() [][]byte

RawRestChain returns the rest (excluding leaf and CA) of the certificate chain as a 2d byte slice

func (*FullIdentity) Version added in v0.9.0 

func (fi *FullIdentity) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type GenerateCallback 

type GenerateCallback func(crypto.PrivateKey, storj.NodeID) (done bool, err error)

GenerateCallback indicates that key generation is done when done is true. if err != nil key generation will stop with that error

type ManageableFullIdentity 

type ManageableFullIdentity struct {
	*FullIdentity
	CA *FullCertificateAuthority
}

ManageableFullIdentity is a `FullIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization and the leaf private key; e.g. revoking a leaf cert (private key changes).

func NewManageableFullIdentity 

func NewManageableFullIdentity(ident *FullIdentity, ca *FullCertificateAuthority) *ManageableFullIdentity

NewManageableFullIdentity returns a manageable identity given a full identity and a full certificate authority.

func (*ManageableFullIdentity) Revoke 

func (manageableIdent *ManageableFullIdentity) Revoke() error

Revoke extends the CA certificate with a certificate revocation extension.

type ManageablePeerIdentity 

type ManageablePeerIdentity struct {
	*PeerIdentity
	CA *FullCertificateAuthority
}

ManageablePeerIdentity is a `PeerIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization; e.g. adding extensions.

func NewManageablePeerIdentity 

func NewManageablePeerIdentity(ident *PeerIdentity, ca *FullCertificateAuthority) *ManageablePeerIdentity

NewManageablePeerIdentity returns a manageable identity given a full identity and a full certificate authority.

func (*ManageablePeerIdentity) AddExtension 

func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extension) error

AddExtension adds extensions to the leaf cert of an identity. Extensions are serialized into the certificate's raw bytes and is re-signed by it's certificate authority.

type NewCAOptions 

type NewCAOptions struct {
	// VersionNumber is the IDVersion to use for the identity
	VersionNumber storj.IDVersionNumber
	// Difficulty is the number of trailing zero-bits the nodeID must have
	Difficulty uint16
	// Concurrency is the number of go routines used to generate a CA of sufficient difficulty
	Concurrency uint
	// ParentCert, if provided will be prepended to the certificate chain
	ParentCert *x509.Certificate
	// ParentKey ()
	ParentKey crypto.PrivateKey
	// Logger is used to log generation status updates
	Logger io.Writer
}

NewCAOptions is used to pass parameters to `NewCA`

type PeerCAConfig 

type PeerCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
}

PeerCAConfig is for locating a CA certificate without a private key

func (PeerCAConfig) Load 

func (pc PeerCAConfig) Load() (*PeerCertificateAuthority, error)

Load loads a CA from the given configuration

func (PeerCAConfig) Save 

func (pc PeerCAConfig) Save(ca *PeerCertificateAuthority) error

Save saves a peer CA (cert, no key) with the given configuration

func (PeerCAConfig) SaveBackup 

func (pc PeerCAConfig) SaveBackup(ca *PeerCertificateAuthority) error

SaveBackup saves the certificate of the config wth a timestamped filename

type PeerCertificateAuthority 

type PeerCertificateAuthority struct {
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
}

PeerCertificateAuthority represents the CA which is used to validate peer identities

func PeerCertificateAuthorityFromPEM 

func PeerCertificateAuthorityFromPEM(chainPEM []byte) (*PeerCertificateAuthority, error)

PeerCertificateAuthorityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

type PeerConfig 

type PeerConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true"`
}

PeerConfig allows you to interact with a peer identity (cert, no key) on disk.

func (PeerConfig) Load 

func (ic PeerConfig) Load() (*PeerIdentity, error)

Load loads a PeerIdentity from the config

func (PeerConfig) Save 

func (ic PeerConfig) Save(peerIdent *PeerIdentity) error

Save saves a PeerIdentity according to the config

func (PeerConfig) SaveBackup 

func (ic PeerConfig) SaveBackup(pi *PeerIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename

type PeerIdentity 

type PeerIdentity struct {
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
}

PeerIdentity represents another peer on the network.

func PeerIdentityFromChain added in v0.9.0 

func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)

PeerIdentityFromChain loads a PeerIdentity from an identity certificate chain.

func PeerIdentityFromContext 

func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)

PeerIdentityFromContext loads a PeerIdentity from a ctx TLS credentials.

func PeerIdentityFromPEM 

func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)

PeerIdentityFromPEM loads a PeerIdentity from a certificate chain and private key PEM-encoded bytes.

func PeerIdentityFromPeer 

func PeerIdentityFromPeer(peer *peer.Peer) (*PeerIdentity, error)

PeerIdentityFromPeer loads a PeerIdentity from a peer connection.

type RevocationDB 

type RevocationDB struct {
	DB storage.KeyValueStore
}

RevocationDB stores the most recently seen revocation for each nodeID (i.e. nodeID [CA certificate's public key hash] is the key, values is the most recently seen revocation).

func NewRevocationDB 

func NewRevocationDB(revocationDBURL string) (*RevocationDB, error)

NewRevocationDB returns a new revocation database given the URL

func (RevocationDB) Close 

func (r RevocationDB) Close() error

Close closes the underlying store

func (RevocationDB) Get 

func (r RevocationDB) Get(ctx context.Context, chain []*x509.Certificate) (_ *extensions.Revocation, err error)

Get attempts to retrieve the most recent revocation for the given cert chain (the key used in the underlying database is the nodeID of the certificate chain).

func (RevocationDB) List 

func (r RevocationDB) List(ctx context.Context) (revs []*extensions.Revocation, err error)

List lists all revocations in the store

func (RevocationDB) Put 

func (r RevocationDB) Put(ctx context.Context, chain []*x509.Certificate, revExt pkix.Extension) (err error)

Put stores the most recent revocation for the given cert chain IF the timestamp is newer than the current value (the key used in the underlying database is the nodeID of the certificate chain).

type SetupConfig 

type SetupConfig struct {
	CertPath  string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert"`
	KeyPath   string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key"`
	Overwrite bool   `help:"if true, existing identity certs AND keys will overwritten for" default:"false" setup:"true"`
	Version   string `help:"semantic version of identity storage format" default:"0"`
}

SetupConfig allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (SetupConfig) Create 

func (is SetupConfig) Create(ca *FullCertificateAuthority) (*FullIdentity, error)

Create generates and saves a CA using the config

func (SetupConfig) FullConfig 

func (is SetupConfig) FullConfig() Config

FullConfig converts a `SetupConfig` to `Config`

func (SetupConfig) Status 

func (is SetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the identity cert/key files for the config

type TLSFilesStatus 

type TLSFilesStatus int

TLSFilesStatus is the status of keys

func (TLSFilesStatus) String 

func (t TLSFilesStatus) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.