README
CONIKS Server implementation in Golang
Usage
⇒ go install github.com/coniks-sys/coniks-go/keyserver/coniksserver
⇒ coniksserver -h
_______ _______ __ _ ___ ___ _ _______
| || || | | || || | | || |
| || _ || |_| || || |_| || _____|
| || | | || || || _|| |_____
| _|| |_| || _ || || |_ |_____ |
| |_ | || | | || || _ | _____| |
|_______||_______||_| |__||___||___| |_||_______|
Usage:
coniksserver [command]
Available Commands:
init Create a configuration file and generate all keys
run Run a CONIKS server instance
Flags:
-h, --help help for coniksserver
Use "coniksserver [command] --help" for more information about a command.
Configure the server
- Generate the configuration file:
⇒ mkdir coniks; cd coniks
⇒ coniksserver init -c # create all files including a self-signed tls keys/cert
- By default, the configuration file has two addresses entries: the first is for the registration proxy, the second is the server's public address for "read-only" requests (lookups, monitoring etc.).
- Edit the configuration file as needed:
  - Replace the loaded_history_length with the desired number of snapshots kept in memory.
  - Replace the epoch_deadline with the desired duration in seconds.
  - If using a CONIKS registration proxy, replace the registration proxy address. Otherwise, remove the registration proxy addresses entry, and add an allow_registration = true field to the public addresses entry.
  - In either case, replace the public address with the server's public CONIKS address.
- Test setup (no registration proxy) config file example:
[policies]
...
[[addresses]]
address = "tcp://public.server.address:port" # or "https://public.server.address:port"
allow_registration = true
cert = "server.pem"
key = "server.key"
[logger]
...
Run the server
⇒ coniksserver run -p # run & write down the process ID into coniks.pid
You can reload the server's policies while it's running by editing the config.toml file (and possibly replacing vrf.priv with a new key), then running
⇒ kill -USR2 `cat coniks.pid`
Disclaimer
Please keep in mind that this CONIKS server implementation is under active development. The repository may contain experimental features that aren't fully tested. We recommend using a tagged release.
Documentation
Overview
Package keyserver provides an executable reference implementation of a server for the CONIKS key management system.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func MarshalResponse
MarshalResponse returns a JSON encoding of the server's response.
func UnmarshalRequest
UnmarshalRequest parses a JSON-encoded request msg and creates the corresponding protocol.Request, which will be handled by the server.
Types
type Address
type Address struct {
    // Address is formatted as a url: scheme://address.
    Address string `toml:"address"`
    AllowRegistration bool `toml:"allow_registration,omitempty"`
    // TLSCertPath is a path to the server's TLS Certificate,
    // which has to be set if the connection is TCP.
    TLSCertPath string `toml:"cert,omitempty"`
    // TLSKeyPath is a path to the server's TLS private key,
    // which has to be set if the connection is TCP.
    TLSKeyPath string `toml:"key,omitempty"`
}
An Address describes a server's connection. It makes the server connections configurable so that a key server implementation can easily be run by a first-party identity provider or a third-party communication service. It supports two types of connections: a TCP connection ("tcp") and a Unix socket connection ("unix").
Allowing registration has to be specified explicitly for each connection. Other types of requests are allowed by default. One can think of a registration as a "write" to a key directory, while the other request types are "reads". So, by default, addresses are "read-only".
Additionally, TCP connections must use TLS for added security, and each is required to specify a TLS certificate and corresponding private key.
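The rules stated for Address (and in the README's configuration steps above) are easy to get wrong by hand: a tcp entry without cert and key, or a typo in the scheme. The following checker is an added example, not part of coniks-go; it mirrors the documented Address fields and reports every violation it finds, and it lists which entries accept registration, since everything else is read-only. The sample entries in main are constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// Address mirrors the documented fields of keyserver.Address; the TOML tags
// match the config keys shown in the README so a TOML decoder could fill it.
type Address struct {
	Address           string `toml:"address"`
	AllowRegistration bool   `toml:"allow_registration,omitempty"`
	TLSCertPath       string `toml:"cert,omitempty"`
	TLSKeyPath        string `toml:"key,omitempty"`
}

// ValidateAddresses checks every entry against the rules the package
// documents: the address is scheme://address with scheme "tcp" or "unix",
// and a tcp connection must name both a TLS certificate and a private key.
// It reports every problem found instead of stopping at the first one.
func ValidateAddresses(addrs []*Address) []string {
	var problems []string
	for i, a := range addrs {
		u, err := url.Parse(a.Address)
		if err != nil || u.Scheme == "" || (u.Host == "" && u.Path == "") {
			problems = append(problems, fmt.Sprintf("addresses[%d]: %q is not of the form scheme://address", i, a.Address))
			continue
		}
		switch u.Scheme {
		case "tcp":
			if a.TLSCertPath == "" || a.TLSKeyPath == "" {
				problems = append(problems, fmt.Sprintf("addresses[%d]: tcp address %q must set both cert and key", i, a.Address))
			}
		case "unix":
			// Unix sockets are local to the host; the package requires no TLS here.
		default:
			problems = append(problems, fmt.Sprintf("addresses[%d]: unsupported scheme %q (want tcp or unix)", i, u.Scheme))
		}
	}
	return problems
}

// RegistrationEndpoints lists the addresses that accept "write" requests,
// i.e. those with allow_registration = true; all others are read-only.
func RegistrationEndpoints(addrs []*Address) []string {
	var out []string
	for _, a := range addrs {
		if a.AllowRegistration {
			out = append(out, a.Address)
		}
	}
	return out
}

func main() {
	// Constructed sample: one public TLS endpoint that allows registration
	// (the README's "no registration proxy" setup) and one misconfigured entry.
	cfg := []*Address{
		{Address: "tcp://0.0.0.0:3000", AllowRegistration: true, TLSCertPath: "server.pem", TLSKeyPath: "server.key"},
		{Address: "tcp://0.0.0.0:3001"}, // read-only, but missing cert and key
	}
	for _, p := range ValidateAddresses(cfg) {
		fmt.Println("config problem:", p)
	}
	fmt.Println("registration allowed on:", RegistrationEndpoints(cfg))
}
```

Running such a check before Run is called turns a silent misconfiguration (a plaintext-capable or accidentally writable listener) into a startup error; the list from RegistrationEndpoints is also what an operator should compare against the intended registration proxy address.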
type ConiksServer
A ConiksServer represents a CONIKS key server. It wraps a ConiksDirectory with a network layer which handles requests/responses and their encoding/decoding. A ConiksServer also supports concurrent handling of requests and a mechanism to update the underlying ConiksDirectory automatically at regular time intervals.
func NewConiksServer
func NewConiksServer(conf *ServerConfig) *ConiksServer
NewConiksServer creates a new reference implementation of a CONIKS key server.
func (*ConiksServer) EnableTrusternityAudit
func (server *ConiksServer) EnableTrusternityAudit(ethConfigFile string)
EnableTrusternityAudit enables Ethereum audit for a CONIKS key server.
func (*ConiksServer) Run
func (server *ConiksServer) Run(addrs []*Address)
Run implements the main functionality of the key server. It listens for all declared connections with corresponding permissions. It also supports hot-reloading the configuration by listening for SIGUSR2 signal.
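The hot-reload path described here and in the README (edit config.toml, possibly swap vrf.priv, then kill -USR2 the pid from coniks.pid) has one property worth making explicit: a reload that fails to parse must not leave the server without policies. The code below is an added example, not coniks-go's implementation; Policies and the loader callback are assumed stand-ins for ServerPolicies and LoadServerConfig, and the loader in main is constructed and never reads disk.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"path/filepath"
	"strconv"
	"sync/atomic"
	"syscall"
	"time"
)

// Policies stands in for the reloadable part of the server config (the
// page's ServerPolicies plus the VRF private key); an assumed shape.
type Policies struct {
	EpochDeadline uint64
	VRFPrivKey    []byte
}

// Reloader keeps the active policies behind an atomic value so request
// handlers always see either the old or the new set, never a mix.
type Reloader struct {
	current atomic.Value              // holds *Policies
	load    func() (*Policies, error) // reads and validates config.toml + vrf.priv
}

// NewReloader fails closed: the server never starts on an unloadable config.
func NewReloader(load func() (*Policies, error)) (*Reloader, error) {
	p, err := load()
	if err != nil {
		return nil, err
	}
	r := &Reloader{load: load}
	r.current.Store(p)
	return r, nil
}

// Current returns the policies in force for this request.
func (r *Reloader) Current() *Policies { return r.current.Load().(*Policies) }

// Reload re-reads the config. On any error the previous, last-known-good
// policies stay in force, so a typo in config.toml cannot take the server down.
func (r *Reloader) Reload() error {
	p, err := r.load()
	if err != nil {
		return fmt.Errorf("reload rejected, keeping previous policies: %w", err)
	}
	r.current.Store(p)
	return nil
}

// WritePIDFile records the process id so an operator can run
// kill -USR2 `cat coniks.pid` as the README describes.
func WritePIDFile(path string) error {
	return os.WriteFile(path, []byte(strconv.Itoa(os.Getpid())+"\n"), 0o644)
}

// Serve blocks until stop is closed, reloading on every SIGUSR2.
func (r *Reloader) Serve(stop <-chan struct{}) {
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGUSR2)
	defer signal.Stop(sigs)
	for {
		select {
		case <-sigs:
			if err := r.Reload(); err != nil {
				fmt.Fprintln(os.Stderr, err)
			} else {
				fmt.Println("policies reloaded; epoch deadline now", r.Current().EpochDeadline)
			}
		case <-stop:
			return
		}
	}
}

func main() {
	// Constructed loader standing in for LoadServerConfig; it never touches disk.
	load := func() (*Policies, error) {
		return &Policies{EpochDeadline: 60, VRFPrivKey: []byte("constructed key")}, nil
	}
	r, err := NewReloader(load)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pidFile := filepath.Join(os.TempDir(), "coniks.pid")
	if err := WritePIDFile(pidFile); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("pid written to", pidFile, "- send SIGUSR2 within 10s to trigger a reload")
	stop := make(chan struct{})
	time.AfterFunc(10*time.Second, func() { close(stop) })
	r.Serve(stop)
}
```

The atomic swap matters for key rotation: a handler that starts signing under the old VRF key finishes under it, and the first request after the swap uses the new one; there is no window in which handlers read a partially written struct.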
func (*ConiksServer) Shutdown
func (server *ConiksServer) Shutdown() error
Shutdown closes all of the server's connections and shuts down the server.
type ServerConfig
type ServerConfig struct {
    // LoadedHistoryLength is the maximum number of
    // snapshots kept in memory.
    LoadedHistoryLength uint64 `toml:"loaded_history_length"`
    // Policies contains the server's CONIKS policies configuration.
    Policies *ServerPolicies `toml:"policies"`
    // Addresses contains the server's connections configuration.
    Addresses []*Address `toml:"addresses"`
    Logger *utils.LoggerConfig `toml:"logger"`
    // contains filtered or unexported fields
}
A ServerConfig contains configuration values which are read at initialization time from a TOML format configuration file.
func LoadServerConfig
func LoadServerConfig(file string) (*ServerConfig, error)
LoadServerConfig loads the ServerConfig for the server from the corresponding config file. It reads the signing key pair and the VRF key pair into the ServerConfig instance and updates the paths of the TLS certificate files of each Address to absolute paths.
type ServerPolicies
type ServerPolicies struct {
    EpochDeadline protocol.Timestamp `toml:"epoch_deadline"`
    VRFKeyPath string `toml:"vrf_key_path"`
    SignKeyPath string `toml:"sign_key_path"` // it should be a part of policies, see #47
    // contains filtered or unexported fields
}
ServerPolicies contains a server's CONIKS policies configuration including paths to the VRF private key, the signing private key and the epoch deadline value in seconds.
Directories
Path | Synopsis |
---|---|
coniksserver | Executable CONIKS key server. |
testutil | Package testutil provides utility functions for writing server tests and generating a test server configuration. |