keyserver

package
v0.0.0-...-4d0a3f0
Published: Jan 26, 2017 License: BSD-3-Clause Imports: 19 Imported by: 0

README

CONIKS Server implementation in Golang

Usage

⇒  go install github.com/coniks-sys/coniks-go/keyserver/coniksserver
⇒  coniksserver -h
 _______  _______  __    _  ___  ___   _  _______
|       ||       ||  |  | ||   ||   | | ||       |
|       ||   _   ||   |_| ||   ||   |_| ||  _____|
|       ||  | |  ||       ||   ||      _|| |_____
|      _||  |_|  ||  _    ||   ||     |_ |_____  |
|     |_ |       || | |   ||   ||    _  | _____| |
|_______||_______||_|  |__||___||___| |_||_______|

Usage:
  coniksserver [command]

Available Commands:
  init        Create a configuration file and generate all keys
  run         Run a CONIKS server instance

Flags:
  -h, --help   help for coniksserver

Use "coniksserver [command] --help" for more information about a command.
Configure the server
  • Generate the configuration file:
⇒  mkdir coniks; cd coniks
⇒  coniksserver init -c # create all files, including a self-signed TLS key and certificate
  • By default, the configuration file has two addresses entries: the first is for the registration proxy, the second is the server's public address for "read-only" requests (lookups, monitoring, etc.).
  • Edit the configuration file as needed:
    • Replace the loaded_history_length with the desired number of snapshots kept in memory.
    • Replace the epoch_deadline with the desired duration in seconds.
    • If using a CONIKS registration proxy, replace the registration proxy address. Otherwise, remove the registration proxy addresses entry and add an allow_registration = true field to the public addresses entry.
    • In either case, replace the public address with the server's public CONIKS address.
  • Test setup (no registration proxy) config file example:
[policies]
...
[[addresses]]
    address = "tcp://public.server.address:port"
    allow_registration = true
    cert = "server.pem"
    key = "server.key"
Run the server
⇒  coniksserver run -p  # run and write the process ID to coniks.pid

You can reload the server's policies while it is running by editing the config.toml file (and, if desired, replacing vrf.priv with a new key), then running

⇒  kill -USR2 `cat coniks.pid`

Disclaimer

Please keep in mind that this CONIKS server implementation is under active development. The repository may contain experimental features that aren't fully tested. We recommend using a tagged release.

Documentation

Overview

Package keyserver provides an executable reference implementation of a server for the CONIKS key management system.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MarshalResponse

func MarshalResponse(response *Response) ([]byte, error)

MarshalResponse returns a JSON encoding of the server's response.

func UnmarshalRequest

func UnmarshalRequest(msg []byte) (*Request, error)

UnmarshalRequest parses a JSON-encoded request msg and creates the corresponding protocol.Request, which will be handled by the server.

Types

type Address

type Address struct {
	// Address is formatted as a url: scheme://address.
	Address           string `toml:"address"`
	AllowRegistration bool   `toml:"allow_registration,omitempty"`
	// TLSCertPath is a path to the server's TLS Certificate,
	// which has to be set if the connection is TCP.
	TLSCertPath string `toml:"cert,omitempty"`
	// TLSKeyPath is a path to the server's TLS private key,
	// which has to be set if the connection is TCP.
	TLSKeyPath string `toml:"key,omitempty"`
}

An Address describes a server's connection. It makes the server connections configurable so that a key server implementation can easily be run by a first-party identity provider or a third-party communication service. It supports two types of connections: a TCP connection ("tcp") and a Unix socket connection ("unix").

Allowing registration has to be specified explicitly for each connection. Other types of requests are allowed by default. One can think of a registration as a "write" to a key directory, while the other request types are "reads". So, by default, addresses are "read-only".

Additionally, TCP connections must use TLS for added security, and each is required to specify a TLS certificate and corresponding private key.
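The connection rules above (scheme://address form, only "tcp" or "unix", registration opt-in per address, TLS cert and key mandatory for TCP) as an added validation example; this is not code from the coniks-go package, and CheckAddress and CheckAddresses are hypothetical helpers over a copy of the Address struct. The main function feeds it a constructed sample mirroring the README's no-proxy test setup.

```go
package main

import (
	"fmt"
	"strings"
)
// Address mirrors keyserver.Address as documented above.
type Address struct {
	Address           string `toml:"address"`
	AllowRegistration bool   `toml:"allow_registration,omitempty"`
	TLSCertPath       string `toml:"cert,omitempty"`
	TLSKeyPath        string `toml:"key,omitempty"`
}
// CheckAddress (hypothetical helper, not in the package) enforces the documented
// rules: scheme://address form, scheme "tcp" or "unix", cert+key for every TCP listener.
func CheckAddress(a *Address) error {
	i := strings.Index(a.Address, "://")
	if i < 0 {
		return fmt.Errorf("%q: want scheme://address", a.Address)
	}
	switch a.Address[:i] {
	case "tcp":
		if a.TLSCertPath == "" || a.TLSKeyPath == "" {
			return fmt.Errorf("%q: tcp connections require cert and key", a.Address)
		}
	case "unix": // no TLS here; the socket file's permissions gate access
	default:
		return fmt.Errorf("%q: scheme must be tcp or unix", a.Address)
	}
	return nil
}
// CheckAddresses validates every entry and counts those accepting registrations
// ("writes"); every other address stays read-only, as the docs describe.
func CheckAddresses(addrs []*Address) (int, error) {
	writers := 0
	for _, a := range addrs {
		if err := CheckAddress(a); err != nil {
			return 0, err
		}
		if a.AllowRegistration {
			writers++
		}
	}
	return writers, nil
}
func main() { // constructed sample: the README's single public, registration-enabled address
	addrs := []*Address{{Address: "tcp://public.server.address:port",
		AllowRegistration: true, TLSCertPath: "server.pem", TLSKeyPath: "server.key"}}
	fmt.Println(CheckAddresses(addrs))
}
```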

type ConiksServer

type ConiksServer struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

A ConiksServer represents a CONIKS key server. It wraps a ConiksDirectory with a network layer which handles requests/responses and their encoding/decoding. A ConiksServer also supports concurrent handling of requests and a mechanism to update the underlying ConiksDirectory automatically at regular time intervals.

func NewConiksServer

func NewConiksServer(conf *ServerConfig) *ConiksServer

NewConiksServer creates a new reference implementation of a CONIKS key server.

func (*ConiksServer) Run

func (server *ConiksServer) Run(addrs []*Address)

Run implements the main functionality of the key server. It listens on all declared connections with their corresponding permissions. It also supports hot-reloading the configuration by listening for the SIGUSR2 signal.

func (*ConiksServer) Shutdown

func (server *ConiksServer) Shutdown() error

Shutdown closes all of the server's connections and shuts down the server.

type ServerConfig

type ServerConfig struct {
	// LoadedHistoryLength is the maximum number of
	// snapshots kept in memory.
	LoadedHistoryLength uint64 `toml:"loaded_history_length"`
	// Policies contains the server's CONIKS policies configuration.
	Policies *ServerPolicies `toml:"policies"`
	// Addresses contains the server's connections configuration.
	Addresses []*Address `toml:"addresses"`
	// contains filtered or unexported fields
}

A ServerConfig contains configuration values which are read at initialization time from a TOML format configuration file.

func LoadServerConfig

func LoadServerConfig(file string) (*ServerConfig, error)

LoadServerConfig loads the ServerConfig for the server from the corresponding config file. It reads the signing key pair and the VRF key pair into the ServerConfig instance and updates the paths of the TLS certificate files of each Address to absolute paths.

type ServerPolicies

type ServerPolicies struct {
	EpochDeadline protocol.Timestamp `toml:"epoch_deadline"`
	VRFKeyPath    string             `toml:"vrf_key_path"`
	SignKeyPath   string             `toml:"sign_key_path"` // it should be a part of policies, see #47
	// contains filtered or unexported fields
}

ServerPolicies contains a server's CONIKS policies configuration including paths to the VRF private key, the signing private key and the epoch deadline value in seconds.

Directories

Path            Synopsis
coniksserver    Executable CONIKS key server.
internal/cmd    Package cmd implements the CLI commands for a CONIKS key server.
testutil        Package testutil provides utility functions for writing server tests and generating a test server configuration.
