Documentation ¶
Index ¶
- Constants
- Variables
- func CopyToConnectionClaims(b *BinaryJWTClaims, connClaims *ConnectionClaims)
- type BinaryJWTClaims
- type BinaryJWTConfig
- func (c *BinaryJWTConfig) CreateAckToken(proto314 bool, secretKey []byte, claims *ConnectionClaims, encodedBuf []byte, ...) ([]byte, error)
- func (c *BinaryJWTConfig) CreateSynAckToken(proto314 bool, claims *ConnectionClaims, encodedBuf []byte, nonce []byte, ...) ([]byte, error)
- func (c *BinaryJWTConfig) CreateSynToken(claims *ConnectionClaims, encodedBuf []byte, nonce []byte, ...) ([]byte, error)
- func (c *BinaryJWTConfig) DecodeAck(proto314 bool, secretKey []byte, data []byte, connClaims *ConnectionClaims) error
- func (c *BinaryJWTConfig) DecodeSyn(isSynAck bool, data []byte, privateKey *ephemeralkeys.PrivateKey, ...) ([]byte, *claimsheader.ClaimsHeader, []byte, *pkiverifier.PKIControllerInfo, ...)
- func (c *BinaryJWTConfig) Randomize(token []byte, nonce []byte) error
- func (c *BinaryJWTConfig) Sign(buf []byte, key *ecdsa.PrivateKey) ([]byte, error)
- type ConnectionClaims
- type JWTClaims
- type JWTConfig
- func (c *JWTConfig) CreateAndSign(isAck bool, claims *ConnectionClaims, nonce []byte, ...) (token []byte, err error)
- func (c *JWTConfig) Decode(isAck bool, data []byte, previousCert interface{}, secrets secrets.Secrets) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error)
- func (c *JWTConfig) Randomize(token []byte, nonce []byte) (err error)
- type TokenEngine
Constants ¶
const ( // MaxServerName must be of UUID size maximum MaxServerName = 24 // NonceLength is the length of the Nonce to be used in the secrets NonceLength = 16 )
const ClaimsEncodedBufSize = 1400
ClaimsEncodedBufSize is the size of maximum buffer that is required for claims to be serialized into
Variables ¶
var ( ErrTokenTooSmall = errors.New("randomize: token is small") ErrTokenEncodeFailed = errors.New("unable to encode token") ErrTokenHashFailed = errors.New("unable to hash token") ErrTokenSignFailed = errors.New("unable to sign token") ErrInvalidSecret = errors.New("invalid secret") ErrInvalidTokenLength = errors.New("not enough data") ErrMissingSignature = errors.New("signature is missing") ErrInvalidSignature = errors.New("invalid signature") ErrCompressedTagMismatch = errors.New("Compressed tag mismatch") ErrDatapathVersionMismatch = errors.New("Datapath version mismatch") ErrTokenDecodeFailed = errors.New("unable to decode token") ErrTokenExpired = errors.New("token expired") ErrSignatureMismatch = errors.New("signature mismatch") ErrPublicKeyFailed = errors.New("unable to verify public key") )
Custom errors used by this package.
var AckPattern = []byte("PANWIDENTITY")
AckPattern is added in SYN and ACK tokens.
Functions ¶
func CopyToConnectionClaims ¶
func CopyToConnectionClaims(b *BinaryJWTClaims, connClaims *ConnectionClaims)
CopyToConnectionClaims copies the binary jwt claims to connection claims
Types ¶
type BinaryJWTClaims ¶
type BinaryJWTClaims struct { // Tags T []string `codec:",omitempty"` // Compressed tags CT []string `codec:",omitempty"` // RMT is the nonce of the remote that has to be signed in the JWT RMT []byte `codec:",omitempty"` // LCL is the nonce of the local node that has to be signed LCL []byte `codec:",omitempty"` // DEK is the datapath ephemeral keys used to derived shared keys during the handshake DEK []byte `codec:",omitempty"` // SDEK is the signature of the ephemeral key SDEK []byte `codec:",omitempty"` // ID is the source PU ID ID string `codec:",omitempty"` // Expiration time ExpiresAt int64 `codec:",omitempty"` // SignerKey SignerKey []byte `codec:",omitempty"` // P holds the ping payload P *policy.PingPayload `codec:",omitempty"` // DEKV2 is the datapath ephemeral key V2 used to derived shared keys during the handshake DEKV2 []byte `codec:",omitempty"` // SDEK is the signature of the ephemeral key V2 SDEKV2 []byte `codec:",omitempty"` }
BinaryJWTClaims captures all the custom claims
func ConvertToBinaryClaims ¶
func ConvertToBinaryClaims(j *ConnectionClaims, validity time.Duration) *BinaryJWTClaims
ConvertToBinaryClaims coverts back,
func (*BinaryJWTClaims) CodecDecodeSelf ¶
func (x *BinaryJWTClaims) CodecDecodeSelf(d *codec1978.Decoder)
func (*BinaryJWTClaims) CodecEncodeSelf ¶
func (x *BinaryJWTClaims) CodecEncodeSelf(e *codec1978.Encoder)
func (*BinaryJWTClaims) IsCodecEmpty ¶
func (x *BinaryJWTClaims) IsCodecEmpty() bool
type BinaryJWTConfig ¶
type BinaryJWTConfig struct { // ValidityPeriod period of the JWT ValidityPeriod time.Duration // Issuer is the server that issues the JWT Issuer string // contains filtered or unexported fields }
BinaryJWTConfig configures the JWT token generator with the standard parameters. One configuration is assigned to each server
func NewBinaryJWT ¶
func NewBinaryJWT(validity time.Duration, issuer string) (*BinaryJWTConfig, error)
NewBinaryJWT creates a new JWT token processor
func (*BinaryJWTConfig) CreateAckToken ¶
func (c *BinaryJWTConfig) CreateAckToken(proto314 bool, secretKey []byte, claims *ConnectionClaims, encodedBuf []byte, header *claimsheader.ClaimsHeader) ([]byte, error)
CreateAckToken creates ack token which is attached to the ack packet.
func (*BinaryJWTConfig) CreateSynAckToken ¶
func (c *BinaryJWTConfig) CreateSynAckToken(proto314 bool, claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error)
CreateSynAckToken creates syn/ack token which is attached to the syn/ack packet.
func (*BinaryJWTConfig) CreateSynToken ¶
func (c *BinaryJWTConfig) CreateSynToken(claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error)
CreateSynToken creates the token which is attached to the tcp syn packet.
func (*BinaryJWTConfig) DecodeAck ¶
func (c *BinaryJWTConfig) DecodeAck(proto314 bool, secretKey []byte, data []byte, connClaims *ConnectionClaims) error
DecodeAck decodes the ack packet token
func (*BinaryJWTConfig) DecodeSyn ¶
func (c *BinaryJWTConfig) DecodeSyn(isSynAck bool, data []byte, privateKey *ephemeralkeys.PrivateKey, secrets secrets.Secrets, connClaims *ConnectionClaims) ([]byte, *claimsheader.ClaimsHeader, []byte, *pkiverifier.PKIControllerInfo, bool, error)
DecodeSyn takes as argument the JWT token and the certificate of the issuer. First it verifies the certificate with the local CA pool, and the decodes the JWT if the certificate is trusted
func (*BinaryJWTConfig) Randomize ¶
func (c *BinaryJWTConfig) Randomize(token []byte, nonce []byte) error
Randomize puts the random nonce in the syn token
func (*BinaryJWTConfig) Sign ¶
func (c *BinaryJWTConfig) Sign(buf []byte, key *ecdsa.PrivateKey) ([]byte, error)
Sign takes in a slice of bytes and a private key, and returns a ecdsa signature.
type ConnectionClaims ¶
type ConnectionClaims struct { T *policy.TagStore `json:",omitempty"` // RMT is the nonce of the remote that has to be signed in the JWT RMT []byte `json:",omitempty"` // LCL is the nonce of the local node that has to be signed LCL []byte `json:",omitempty"` // DEKV1 is the datapath ephemeral keys used to derived shared keys during the handshake DEKV1 []byte `json:",omitempty"` // SDEKV1 is the signature of the ephemeral key SDEKV1 []byte `json:",omitempty"` // C is the compressed tags in one string CT *policy.TagStore `json:",omitempty"` // ID is the source PU ID ID string `json:",omitempty"` // RemoteID is the ID of the remote if known. RemoteID string `json:",omitempty"` // H is the claims header H claimsheader.HeaderBytes `json:",omitempty"` // P holds the ping payload P *policy.PingPayload `codec:",omitempty"` // DEKV2 is the datapath ephemeral keys used to derived shared keys during the handshake DEKV2 []byte `json:",omitempty"` // SDEKV2 is the signature of the ephemeral key SDEKV2 []byte `json:",omitempty"` }
ConnectionClaims captures all the claim information
type JWTClaims ¶
type JWTClaims struct { *ConnectionClaims jwt.StandardClaims }
JWTClaims captures all the custom clains
func ConvertToJWTClaims ¶
func ConvertToJWTClaims(b *BinaryJWTClaims) *JWTClaims
ConvertToJWTClaims converts to old claims
func (*JWTClaims) CodecDecodeSelf ¶
func (*JWTClaims) CodecEncodeSelf ¶
func (*JWTClaims) IsCodecEmpty ¶
func (x *JWTClaims) IsCodecEmpty() bool
type JWTConfig ¶
type JWTConfig struct { // ValidityPeriod period of the JWT ValidityPeriod time.Duration // Issuer is the server that issues the JWT Issuer string // contains filtered or unexported fields }
JWTConfig configures the JWT token generator with the standard parameters. One configuration is assigned to each server
func (*JWTConfig) CreateAndSign ¶
func (c *JWTConfig) CreateAndSign(isAck bool, claims *ConnectionClaims, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets) (token []byte, err error)
CreateAndSign creates a new token, attaches an ephemeral key pair and signs with the issuer key. It also randomizes the source nonce of the token. It returns back the token and the private key.
func (*JWTConfig) Decode ¶
func (c *JWTConfig) Decode(isAck bool, data []byte, previousCert interface{}, secrets secrets.Secrets) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error)
Decode takes as argument the JWT token and the certificate of the issuer. First it verifies the certificate with the local CA pool, and the decodes the JWT if the certificate is trusted
type TokenEngine ¶
type TokenEngine interface { // CreteAndSign creates a token, signs it and produces the final byte string CreateSynToken(claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error) CreateSynAckToken(proto314 bool, claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error) CreateAckToken(proto314 bool, secretKey []byte, claims *ConnectionClaims, encodedBuf []byte, header *claimsheader.ClaimsHeader) ([]byte, error) DecodeSyn(isSynAck bool, data []byte, privateKey *ephemeralkeys.PrivateKey, secrets secrets.Secrets, connClaims *ConnectionClaims) ([]byte, *claimsheader.ClaimsHeader, []byte, *pkiverifier.PKIControllerInfo, bool, error) DecodeAck(proto314 bool, secretKey []byte, data []byte, connClaims *ConnectionClaims) error // Randomize inserts a source nonce in an existing token - New nonce will be // create every time the token is transmitted as a challenge to the other side // even when the token is cached. There should be space in the token already. // Returns an error if there is no space Randomize([]byte, []byte) (err error) Sign([]byte, *ecdsa.PrivateKey) ([]byte, error) }
TokenEngine is the interface to the different implementations of tokens
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package mocktokens is a generated GoMock package.
|
Package mocktokens is a generated GoMock package. |