package types

v0.1.8
Published: Jul 22, 2022 License: MPL-2.0 Imports: 17 Imported by: 0


Constants

This section is empty.

Variables

var (
	KEYTYPE_name = map[int32]string{
		0: "UNSPECIFIED",
		1: "ED25519",
		2: "X25519",
	}
	KEYTYPE_value = map[string]int32{
		"UNSPECIFIED": 0,
		"ED25519":     1,
		"X25519":      2,
	}
)

Enum value maps for KEYTYPE.

var File_types_github_com_hashicorp_nodeenrollment_types_v1_proto protoreflect.FileDescriptor

Functions

func ValidateMessage

func ValidateMessage(msg proto.Message) error

ValidateMessage performs some common checks that can be used to ensure that the message is valid before further processing:

* It's not nil
* It's a known type

func X25519EncryptionKey

func X25519EncryptionKey(privKey []byte, privKeyType KEYTYPE, pubKey []byte, pubKeyType KEYTYPE) ([]byte, error)

X25519EncryptionKey takes in public and private keys and performs the X25519 operation on them.

NOTE: This function is tested by tests on the individual implementations in NodeCredentials and NodeInformation, which also perform nil checks, and which are a thin wrapper around this.

Types

type CertificateBundle

type CertificateBundle struct {
	CertificateDer       []byte                 `protobuf:"bytes,1,opt,name=certificate_der,proto3" json:"certificate_der,omitempty"`
	CaCertificateDer     []byte                 `protobuf:"bytes,2,opt,name=ca_certificate_der,proto3" json:"ca_certificate_der,omitempty"`
	CertificateNotBefore *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=certificate_not_before,proto3" json:"certificate_not_before,omitempty"`
	CertificateNotAfter  *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=certificate_not_after,proto3" json:"certificate_not_after,omitempty"`
	// contains filtered or unexported fields
}

CertificateBundle contains information about a certificate and its issuing certificate.

func (*CertificateBundle) Descriptor deprecated

func (*CertificateBundle) Descriptor() ([]byte, []int)

Deprecated: Use CertificateBundle.ProtoReflect.Descriptor instead.

func (*CertificateBundle) GetCaCertificateDer

func (x *CertificateBundle) GetCaCertificateDer() []byte

func (*CertificateBundle) GetCertificateDer

func (x *CertificateBundle) GetCertificateDer() []byte

func (*CertificateBundle) GetCertificateNotAfter

func (x *CertificateBundle) GetCertificateNotAfter() *timestamppb.Timestamp

func (*CertificateBundle) GetCertificateNotBefore

func (x *CertificateBundle) GetCertificateNotBefore() *timestamppb.Timestamp

func (*CertificateBundle) ProtoMessage

func (*CertificateBundle) ProtoMessage()

func (*CertificateBundle) ProtoReflect

func (x *CertificateBundle) ProtoReflect() protoreflect.Message

func (*CertificateBundle) Reset

func (x *CertificateBundle) Reset()

func (*CertificateBundle) String

func (x *CertificateBundle) String() string

type FetchNodeCredentialsInfo

type FetchNodeCredentialsInfo struct {
	Id                       string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // Key id derived from pkix public key
	CertificatePublicKeyPkix []byte                 `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	CertificatePublicKeyType KEYTYPE                `` /* 166-byte string literal not displayed */
	EncryptionPublicKeyBytes []byte                 `protobuf:"bytes,10,opt,name=encryption_public_key_bytes,proto3" json:"encryption_public_key_bytes,omitempty"`
	EncryptionPublicKeyType  KEYTYPE                `` /* 165-byte string literal not displayed */
	Nonce                    []byte                 `protobuf:"bytes,20,opt,name=nonce,proto3" json:"nonce,omitempty"`
	NotBefore                *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=not_before,proto3" json:"not_before,omitempty"`
	NotAfter                 *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=not_after,proto3" json:"not_after,omitempty"`
	// contains filtered or unexported fields
}

FetchNodeCredentialsInfo contains the values bundled and signed into a FetchNodeCredentialsRequest. These values contain the ID (for identification, although the server should always re-derive this itself), the claimed certificate public key (which is also used to sign these values), and the public encryption key, as well as the registration nonce.

Because the signature from the certificate public key is across both itself and the encryption key, if the key ID is authorized, then after verification of the signature we can trust the public encryption key too, which is an important property for preventing MITM/replay scenarios.

func (*FetchNodeCredentialsInfo) Descriptor deprecated

func (*FetchNodeCredentialsInfo) Descriptor() ([]byte, []int)

Deprecated: Use FetchNodeCredentialsInfo.ProtoReflect.Descriptor instead.

func (*FetchNodeCredentialsInfo) GetCertificatePublicKeyPkix

func (x *FetchNodeCredentialsInfo) GetCertificatePublicKeyPkix() []byte

func (*FetchNodeCredentialsInfo) GetCertificatePublicKeyType

func (x *FetchNodeCredentialsInfo) GetCertificatePublicKeyType() KEYTYPE

func (*FetchNodeCredentialsInfo) GetEncryptionPublicKeyBytes

func (x *FetchNodeCredentialsInfo) GetEncryptionPublicKeyBytes() []byte

func (*FetchNodeCredentialsInfo) GetEncryptionPublicKeyType

func (x *FetchNodeCredentialsInfo) GetEncryptionPublicKeyType() KEYTYPE

func (*FetchNodeCredentialsInfo) GetId

func (x *FetchNodeCredentialsInfo) GetId() string

func (*FetchNodeCredentialsInfo) GetNonce

func (x *FetchNodeCredentialsInfo) GetNonce() []byte

func (*FetchNodeCredentialsInfo) GetNotAfter

func (x *FetchNodeCredentialsInfo) GetNotAfter() *timestamppb.Timestamp

func (*FetchNodeCredentialsInfo) GetNotBefore

func (x *FetchNodeCredentialsInfo) GetNotBefore() *timestamppb.Timestamp

func (*FetchNodeCredentialsInfo) ProtoMessage

func (*FetchNodeCredentialsInfo) ProtoMessage()

func (*FetchNodeCredentialsInfo) ProtoReflect

func (x *FetchNodeCredentialsInfo) ProtoReflect() protoreflect.Message

func (*FetchNodeCredentialsInfo) Reset

func (x *FetchNodeCredentialsInfo) Reset()

func (*FetchNodeCredentialsInfo) String

func (x *FetchNodeCredentialsInfo) String() string

type FetchNodeCredentialsRequest

type FetchNodeCredentialsRequest struct {
	Bundle          []byte `protobuf:"bytes,28,opt,name=bundle,proto3" json:"bundle,omitempty"`
	BundleSignature []byte `protobuf:"bytes,29,opt,name=bundle_signature,proto3" json:"bundle_signature,omitempty"`
	// contains filtered or unexported fields
}

FetchNodeCredentialsRequest contains the marshaled FetchNodeCredentialsInfo message and a signature made with the private key corresponding to the certificate public key contained within the marshaled bundle.
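The property described for FetchNodeCredentialsInfo and FetchNodeCredentialsRequest above, shown end to end as an added example (this is not the library's own code): the node signs a bundle that carries both its certificate public key and its encryption public key, and the server re-derives the key ID from the PKIX bytes, checks authorization, and verifies the signature before it trusts the encryption key. The length-prefixed encoding stands in for the protobuf marshaling, and `keyIDFromPkix` (SHA-256 of the PKIX bytes, base64url) is an assumed derivation that need not match the library's KeyIdFromPkix.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// bundleInfo is a constructed stand-in for FetchNodeCredentialsInfo; a simple
// length-prefixed encoding replaces the protobuf marshaling so this runs stand-alone.
type bundleInfo struct {
	ID                       string
	CertificatePublicKeyPkix []byte
	EncryptionPublicKeyBytes []byte
	Nonce                    []byte
}

func (b *bundleInfo) marshal() []byte {
	var buf bytes.Buffer
	for _, f := range [][]byte{[]byte(b.ID), b.CertificatePublicKeyPkix, b.EncryptionPublicKeyBytes, b.Nonce} {
		buf.Write(binary.BigEndian.AppendUint32(nil, uint32(len(f))))
		buf.Write(f)
	}
	return buf.Bytes()
}

func unmarshalBundle(data []byte) (*bundleInfo, error) {
	var fields [4][]byte
	for i := range fields {
		if len(data) < 4 {
			return nil, errors.New("bundle truncated")
		}
		l := binary.BigEndian.Uint32(data)
		data = data[4:]
		if uint64(l) > uint64(len(data)) {
			return nil, errors.New("bundle field length exceeds input")
		}
		fields[i], data = data[:l], data[l:]
	}
	if len(data) != 0 {
		return nil, errors.New("trailing bytes after bundle")
	}
	return &bundleInfo{ID: string(fields[0]), CertificatePublicKeyPkix: fields[1],
		EncryptionPublicKeyBytes: fields[2], Nonce: fields[3]}, nil
}

// keyIDFromPkix is an assumed derivation (SHA-256 of the PKIX bytes, base64url);
// the library's KeyIdFromPkix may differ.
func keyIDFromPkix(pkixBytes []byte) string {
	sum := sha256.Sum256(pkixBytes)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// createFetchRequest is the node side: marshal the info and sign the whole bundle
// with the certificate private key, so the encryption key and nonce are covered too.
func createFetchRequest(certPriv ed25519.PrivateKey, encPub, nonce []byte) (bundle, sig []byte, err error) {
	pkixBytes, err := x509.MarshalPKIXPublicKey(certPriv.Public())
	if err != nil {
		return nil, nil, err
	}
	info := &bundleInfo{ID: keyIDFromPkix(pkixBytes), CertificatePublicKeyPkix: pkixBytes,
		EncryptionPublicKeyBytes: encPub, Nonce: nonce}
	bundle = info.marshal()
	return bundle, ed25519.Sign(certPriv, bundle), nil
}

// verifyFetchRequest is the server side: re-derive the key ID (never trust the one in
// the bundle), check authorization, verify the signature; only then is the enclosed
// encryption public key trustworthy.
func verifyFetchRequest(bundle, sig []byte, authorized map[string]bool) (*bundleInfo, error) {
	info, err := unmarshalBundle(bundle)
	if err != nil {
		return nil, err
	}
	id := keyIDFromPkix(info.CertificatePublicKeyPkix)
	if !authorized[id] {
		return nil, fmt.Errorf("key id %s is not authorized", id)
	}
	pub, err := x509.ParsePKIXPublicKey(info.CertificatePublicKeyPkix)
	if err != nil {
		return nil, err
	}
	edPub, ok := pub.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("certificate public key is not Ed25519")
	}
	if !ed25519.Verify(edPub, bundle, sig) {
		return nil, errors.New("bundle signature invalid")
	}
	return info, nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	bundle, sig, _ := createFetchRequest(priv, bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32))
	_, err := verifyFetchRequest(bundle, sig, map[string]bool{})
	fmt.Println("unauthorized node rejected:", err)
}
```

Substituting a different encryption public key into the bundle leaves the original signature invalid, which is exactly why the server may trust the encryption key once the signature from an authorized certificate key verifies.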

func (*FetchNodeCredentialsRequest) Descriptor deprecated

func (*FetchNodeCredentialsRequest) Descriptor() ([]byte, []int)

Deprecated: Use FetchNodeCredentialsRequest.ProtoReflect.Descriptor instead.

func (*FetchNodeCredentialsRequest) GetBundle

func (x *FetchNodeCredentialsRequest) GetBundle() []byte

func (*FetchNodeCredentialsRequest) GetBundleSignature

func (x *FetchNodeCredentialsRequest) GetBundleSignature() []byte

func (*FetchNodeCredentialsRequest) ProtoMessage

func (*FetchNodeCredentialsRequest) ProtoMessage()

func (*FetchNodeCredentialsRequest) ProtoReflect

func (x *FetchNodeCredentialsRequest) ProtoReflect() protoreflect.Message

func (*FetchNodeCredentialsRequest) Reset

func (x *FetchNodeCredentialsRequest) Reset()

func (*FetchNodeCredentialsRequest) String

func (x *FetchNodeCredentialsRequest) String() string

type FetchNodeCredentialsResponse

type FetchNodeCredentialsResponse struct {
	ServerEncryptionPublicKeyBytes    []byte  `` /* 155-byte string literal not displayed */
	ServerEncryptionPublicKeyType     KEYTYPE `` /* 211-byte string literal not displayed */
	EncryptedNodeCredentials          []byte  `protobuf:"bytes,40,opt,name=encrypted_node_credentials,proto3" json:"encrypted_node_credentials,omitempty"`
	EncryptedNodeCredentialsSignature []byte  `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}

FetchNodeCredentialsResponse contains a response to a fetch request. If unauthorized, only that bool will be returned. If authorized, the encrypted node credentials will contain a marshaled NodeCredentials struct containing certificates and other server-provided information, with the encryption key derived from a DH operation on the node's submitted public key and the server's private key corresponding to the given public encryption key.

The encrypted node credentials are signed with the current root certificate key. This is an optional step that can be taken by the node if it has pre-distributed CA certificates to validate the signature on the encrypted node credentials. This mostly is a guard against the failure of an operator to actually validate the key ID that they are authorizing.
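The key derivation described for X25519EncryptionKey and used by FetchNodeCredentialsResponse, as an added example that is not the library's code: each side combines its own private key with the other side's public key, both arrive at the same key, and the server uses it to encrypt the marshaled credentials. The `keyType` constants copy the page's KEYTYPE values; hashing the shared secret with SHA-256 and using AES-256-GCM are this example's assumptions, as is the helper `newX25519KeyPair`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyType mirrors the page's KEYTYPE values, copied so the example stands alone.
type keyType int32

const (
	keyTypeUnspecified keyType = 0
	keyTypeEd25519     keyType = 1
	keyTypeX25519      keyType = 2
)

// newX25519KeyPair returns raw 32-byte private and public keys (constructed helper).
func newX25519KeyPair() (priv, pub []byte, err error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return k.Bytes(), k.PublicKey().Bytes(), nil
}

// x25519EncryptionKey has the shape of the page's X25519EncryptionKey: it refuses
// keys not tagged X25519, runs the DH operation and hashes the shared secret into a
// 32-byte AEAD key. The SHA-256 step is this example's assumption, not the library's.
func x25519EncryptionKey(privKey []byte, privKeyType keyType, pubKey []byte, pubKeyType keyType) ([]byte, error) {
	if privKeyType != keyTypeX25519 || pubKeyType != keyTypeX25519 {
		return nil, fmt.Errorf("key types %d/%d are not X25519", privKeyType, pubKeyType)
	}
	priv, err := ecdh.X25519().NewPrivateKey(privKey)
	if err != nil {
		return nil, fmt.Errorf("private key: %w", err)
	}
	pub, err := ecdh.X25519().NewPublicKey(pubKey)
	if err != nil {
		return nil, fmt.Errorf("public key: %w", err)
	}
	// ECDH returns an error when the result is the all-zero value, so a low-order
	// peer key cannot force a predictable shared secret.
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, fmt.Errorf("x25519: %w", err)
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredentials is the server side: AES-256-GCM with a fresh random nonce prepended.
func sealCredentials(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openCredentials is the node side; a wrong key or a tampered box fails authentication.
func openCredentials(key, box []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

// exchangeDemo runs both sides: server key from (server private, node public),
// node key from (node private, server public); the credentials round-trip.
func exchangeDemo(credentials []byte) ([]byte, error) {
	nodePriv, nodePub, err := newX25519KeyPair()
	if err != nil {
		return nil, err
	}
	serverPriv, serverPub, err := newX25519KeyPair()
	if err != nil {
		return nil, err
	}
	serverKey, err := x25519EncryptionKey(serverPriv, keyTypeX25519, nodePub, keyTypeX25519)
	if err != nil {
		return nil, err
	}
	box, err := sealCredentials(serverKey, credentials)
	if err != nil {
		return nil, err
	}
	nodeKey, err := x25519EncryptionKey(nodePriv, keyTypeX25519, serverPub, keyTypeX25519)
	if err != nil {
		return nil, err
	}
	return openCredentials(nodeKey, box)
}

func main() {
	out, err := exchangeDemo([]byte("constructed NodeCredentials bytes"))
	fmt.Println(string(out), err)
}
```

The type check at the top is the point of carrying KEYTYPE alongside every key: an Ed25519 key has the same 32-byte length as an X25519 key, so length alone cannot catch a key used with the wrong algorithm.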

func (*FetchNodeCredentialsResponse) Descriptor deprecated

func (*FetchNodeCredentialsResponse) Descriptor() ([]byte, []int)

Deprecated: Use FetchNodeCredentialsResponse.ProtoReflect.Descriptor instead.

func (*FetchNodeCredentialsResponse) GetEncryptedNodeCredentials

func (x *FetchNodeCredentialsResponse) GetEncryptedNodeCredentials() []byte

func (*FetchNodeCredentialsResponse) GetEncryptedNodeCredentialsSignature

func (x *FetchNodeCredentialsResponse) GetEncryptedNodeCredentialsSignature() []byte

func (*FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyBytes

func (x *FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyBytes() []byte

func (*FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyType

func (x *FetchNodeCredentialsResponse) GetServerEncryptionPublicKeyType() KEYTYPE

func (*FetchNodeCredentialsResponse) ProtoMessage

func (*FetchNodeCredentialsResponse) ProtoMessage()

func (*FetchNodeCredentialsResponse) ProtoReflect

func (*FetchNodeCredentialsResponse) Reset

func (x *FetchNodeCredentialsResponse) Reset()

func (*FetchNodeCredentialsResponse) String

func (x *FetchNodeCredentialsResponse) String() string

type GenerateServerCertificatesRequest

type GenerateServerCertificatesRequest struct {
	CertificatePublicKeyPkix []byte `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	Nonce                    []byte `protobuf:"bytes,20,opt,name=nonce,proto3" json:"nonce,omitempty"`
	NonceSignature           []byte `protobuf:"bytes,21,opt,name=nonce_signature,proto3" json:"nonce_signature,omitempty"`
	CommonName               string `protobuf:"bytes,24,opt,name=common_name,proto3" json:"common_name,omitempty"`
	SkipVerification         bool   `protobuf:"varint,25,opt,name=skip_verification,proto3" json:"skip_verification,omitempty"`
	// contains filtered or unexported fields
}

GenerateServerCertificatesRequest holds values necessary for the server to generate a server-side TLS certificate, either for itself or for a middle node in a multi-hop scenario. The nonce and signature are provided by the authenticating node, so that the server can validate the signature and ensure that the node is authorized, then embed the nonce in the returned certificate to authorize the upstream node (or server) to the authenticating node.

The common name and skip verification parameters would ideally be options to downstream functions, however, since multihop goes over gRPC (or could go over some other transport) the options cannot be carried in that way. If desired, in the future, an options message could be created and these (and any other) values aggregated there.
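The nonce round trip described for GenerateServerCertificatesRequest, as an added example that is not the library's code: the server verifies the node's signature over the nonce with the node's authorized certificate public key, issues a server certificate from the root that carries the nonce, and the node chains that certificate to its pre-distributed root and checks the nonce. The page does not say how the library embeds the nonce, so the private-enterprise `nonceOID` extension used here is a placeholder; `newRootCA` is a constructed stand-in for the current RootCertificate, and the returned private key is omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// nonceOID is a placeholder extension OID; the page does not say how the library
// embeds the nonce in the issued certificate.
var nonceOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// newRootCA creates a self-signed Ed25519 CA standing in for the current
// RootCertificate (constructed for this example).
func newRootCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-root"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// generateServerCertificate is the server side: verify the nonce signature with the
// node's already-authorized certificate public key, then issue a server certificate
// carrying that nonce. The server's private key is generated but not returned here.
func generateServerCertificate(root *x509.Certificate, rootKey ed25519.PrivateKey,
	nodePkix, nonce, nonceSig []byte, commonName string) ([]byte, error) {
	pub, err := x509.ParsePKIXPublicKey(nodePkix)
	if err != nil {
		return nil, err
	}
	edPub, ok := pub.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("node certificate key is not Ed25519")
	}
	if !ed25519.Verify(edPub, nonce, nonceSig) {
		return nil, errors.New("nonce signature does not verify")
	}
	serverPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: commonName},
		DNSNames:        []string{commonName},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: nonceOID, Value: nonce}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, root, serverPub, rootKey)
}

// verifyServerCertificate is the node side: chain the certificate to the
// pre-distributed root, then require the nonce this node signed.
func verifyServerCertificate(root *x509.Certificate, serverDER, expectedNonce []byte, commonName string) error {
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: commonName}); err != nil {
		return err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(nonceOID) {
			if bytes.Equal(ext.Value, expectedNonce) {
				return nil
			}
			return errors.New("certificate nonce does not match the one this node sent")
		}
	}
	return errors.New("certificate carries no nonce")
}

func main() {
	root, rootKey, _ := newRootCA()
	nodePub, nodePriv, _ := ed25519.GenerateKey(rand.Reader)
	nodePkix, _ := x509.MarshalPKIXPublicKey(nodePub)
	nonce := bytes.Repeat([]byte{0x5a}, 32) // constructed; a real node draws this from crypto/rand
	der, err := generateServerCertificate(root, rootKey, nodePkix, nonce, ed25519.Sign(nodePriv, nonce), "upstream.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("node accepts server certificate:", verifyServerCertificate(root, der, nonce, "upstream.example"))
}
```

A certificate that chains to the root but carries a different nonce is rejected by the node, which is what ties the issued server certificate to this specific authentication exchange rather than to any holder of a root-issued certificate.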

func (*GenerateServerCertificatesRequest) Descriptor deprecated

func (*GenerateServerCertificatesRequest) Descriptor() ([]byte, []int)

Deprecated: Use GenerateServerCertificatesRequest.ProtoReflect.Descriptor instead.

func (*GenerateServerCertificatesRequest) GetCertificatePublicKeyPkix

func (x *GenerateServerCertificatesRequest) GetCertificatePublicKeyPkix() []byte

func (*GenerateServerCertificatesRequest) GetCommonName

func (x *GenerateServerCertificatesRequest) GetCommonName() string

func (*GenerateServerCertificatesRequest) GetNonce

func (x *GenerateServerCertificatesRequest) GetNonce() []byte

func (*GenerateServerCertificatesRequest) GetNonceSignature

func (x *GenerateServerCertificatesRequest) GetNonceSignature() []byte

func (*GenerateServerCertificatesRequest) GetSkipVerification

func (x *GenerateServerCertificatesRequest) GetSkipVerification() bool

func (*GenerateServerCertificatesRequest) ProtoMessage

func (*GenerateServerCertificatesRequest) ProtoMessage()

func (*GenerateServerCertificatesRequest) ProtoReflect

func (*GenerateServerCertificatesRequest) Reset

func (x *GenerateServerCertificatesRequest) Reset()

func (*GenerateServerCertificatesRequest) String

func (x *GenerateServerCertificatesRequest) String() string

type GenerateServerCertificatesResponse

type GenerateServerCertificatesResponse struct {
	CertificatePrivateKeyPkcs8 []byte               `protobuf:"bytes,4,opt,name=certificate_private_key_pkcs8,proto3" json:"certificate_private_key_pkcs8,omitempty"`
	CertificatePrivateKeyType  KEYTYPE              `` /* 168-byte string literal not displayed */
	CertificateBundles         []*CertificateBundle `protobuf:"bytes,6,rep,name=certificate_bundles,proto3" json:"certificate_bundles,omitempty"`
	// contains filtered or unexported fields
}

GenerateServerCertificatesResponse contains values for a successful response to the request: a private key for the server (or intermediate node) to use along with the returned certificates.

func (*GenerateServerCertificatesResponse) Descriptor deprecated

func (*GenerateServerCertificatesResponse) Descriptor() ([]byte, []int)

Deprecated: Use GenerateServerCertificatesResponse.ProtoReflect.Descriptor instead.

func (*GenerateServerCertificatesResponse) GetCertificateBundles

func (x *GenerateServerCertificatesResponse) GetCertificateBundles() []*CertificateBundle

func (*GenerateServerCertificatesResponse) GetCertificatePrivateKeyPkcs8

func (x *GenerateServerCertificatesResponse) GetCertificatePrivateKeyPkcs8() []byte

func (*GenerateServerCertificatesResponse) GetCertificatePrivateKeyType

func (x *GenerateServerCertificatesResponse) GetCertificatePrivateKeyType() KEYTYPE

func (*GenerateServerCertificatesResponse) ProtoMessage

func (*GenerateServerCertificatesResponse) ProtoMessage()

func (*GenerateServerCertificatesResponse) ProtoReflect

func (x *GenerateServerCertificatesResponse) ProtoReflect() protoreflect.Message

func (*GenerateServerCertificatesResponse) Reset

func (x *GenerateServerCertificatesResponse) Reset()

func (*GenerateServerCertificatesResponse) String

func (x *GenerateServerCertificatesResponse) String() string

type KEYTYPE

type KEYTYPE int32

KEYTYPE is an enum holding known key types

const (
	KEYTYPE_UNSPECIFIED KEYTYPE = 0
	KEYTYPE_ED25519     KEYTYPE = 1
	KEYTYPE_X25519      KEYTYPE = 2
)

func (KEYTYPE) Descriptor

func (KEYTYPE) Descriptor() protoreflect.EnumDescriptor

func (KEYTYPE) Enum

func (x KEYTYPE) Enum() *KEYTYPE

func (KEYTYPE) EnumDescriptor deprecated

func (KEYTYPE) EnumDescriptor() ([]byte, []int)

Deprecated: Use KEYTYPE.Descriptor instead.

func (KEYTYPE) Number

func (x KEYTYPE) Number() protoreflect.EnumNumber

func (KEYTYPE) String

func (x KEYTYPE) String() string

func (KEYTYPE) Type

func (KEYTYPE) Type() protoreflect.EnumType

type NodeCredentials

type NodeCredentials struct {
	Id                             string               `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // "current" or "next"
	CertificatePublicKeyPkix       []byte               `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	CertificatePrivateKeyPkcs8     []byte               `protobuf:"bytes,4,opt,name=certificate_private_key_pkcs8,proto3" json:"certificate_private_key_pkcs8,omitempty"`
	CertificatePrivateKeyType      KEYTYPE              `` /* 168-byte string literal not displayed */
	CertificateBundles             []*CertificateBundle `protobuf:"bytes,6,rep,name=certificate_bundles,proto3" json:"certificate_bundles,omitempty"`
	EncryptionPrivateKeyBytes      []byte               `protobuf:"bytes,10,opt,name=encryption_private_key_bytes,proto3" json:"encryption_private_key_bytes,omitempty"`
	EncryptionPrivateKeyType       KEYTYPE              `` /* 167-byte string literal not displayed */
	ServerEncryptionPublicKeyBytes []byte               `protobuf:"bytes,12,opt,name=server_encryption_public_key_bytes,proto3" json:"server_encryption_public_key_bytes,omitempty"`
	ServerEncryptionPublicKeyType  KEYTYPE              `` /* 179-byte string literal not displayed */
	RegistrationNonce              []byte               `protobuf:"bytes,20,opt,name=registration_nonce,proto3" json:"registration_nonce,omitempty"`
	// If set, the key ID of the wrapping key used to encrypt the private keys
	WrappingKeyId string `protobuf:"bytes,30,opt,name=wrapping_key_id,proto3" json:"wrapping_key_id,omitempty"`
	// State is data that the implementor of a Store can use to round-trip data
	// through this library; as an example, a version number on the resource for
	// implementing transactions.
	State *structpb.Struct `protobuf:"bytes,50,opt,name=state,proto3" json:"state,omitempty"`
	// contains filtered or unexported fields
}

NodeCredentials is the corresponding struct for NodeInformation on the node side, containing the values necessary for proving identity. At various points in registration/authorization flows this may have some or all fields filled in.

func LoadNodeCredentials

func LoadNodeCredentials(ctx context.Context, storage nodeenrollment.Storage, id nodeenrollment.KnownId, opt ...nodeenrollment.Option) (*NodeCredentials, error)

LoadNodeCredentials loads the node credentials from storage, unwrapping encrypted values if needed

Supported options: WithWrapper

func NewNodeCredentials

func NewNodeCredentials(
	ctx context.Context,
	storage nodeenrollment.Storage,
	opt ...nodeenrollment.Option,
) (*NodeCredentials, error)

NewNodeCredentials creates a new node credentials object and populates it with suitable parameters for presenting for registration.

Once registration succeeds, the node credentials stored here can be used to decrypt the incoming bundle with the server's view of the node credentials, which can then be merged; this happens in a different function.

Supported options: WithRandomReader, WithWrapper (passed through to NodeCredentials.Store), WithSkipStorage

func (*NodeCredentials) CreateFetchNodeCredentialsRequest

func (n *NodeCredentials) CreateFetchNodeCredentialsRequest(
	ctx context.Context,
	opt ...nodeenrollment.Option,
) (*FetchNodeCredentialsRequest, error)

CreateFetchNodeCredentialsRequest creates and returns a fetch request based on the current node creds

Supported options: WithRandomReader

func (*NodeCredentials) Descriptor deprecated

func (*NodeCredentials) Descriptor() ([]byte, []int)

Deprecated: Use NodeCredentials.ProtoReflect.Descriptor instead.

func (*NodeCredentials) GetCertificateBundles

func (x *NodeCredentials) GetCertificateBundles() []*CertificateBundle

func (*NodeCredentials) GetCertificatePrivateKeyPkcs8

func (x *NodeCredentials) GetCertificatePrivateKeyPkcs8() []byte

func (*NodeCredentials) GetCertificatePrivateKeyType

func (x *NodeCredentials) GetCertificatePrivateKeyType() KEYTYPE

func (*NodeCredentials) GetCertificatePublicKeyPkix

func (x *NodeCredentials) GetCertificatePublicKeyPkix() []byte

func (*NodeCredentials) GetEncryptionPrivateKeyBytes

func (x *NodeCredentials) GetEncryptionPrivateKeyBytes() []byte

func (*NodeCredentials) GetEncryptionPrivateKeyType

func (x *NodeCredentials) GetEncryptionPrivateKeyType() KEYTYPE

func (*NodeCredentials) GetId

func (x *NodeCredentials) GetId() string

func (*NodeCredentials) GetRegistrationNonce

func (x *NodeCredentials) GetRegistrationNonce() []byte

func (*NodeCredentials) GetServerEncryptionPublicKeyBytes

func (x *NodeCredentials) GetServerEncryptionPublicKeyBytes() []byte

func (*NodeCredentials) GetServerEncryptionPublicKeyType

func (x *NodeCredentials) GetServerEncryptionPublicKeyType() KEYTYPE

func (*NodeCredentials) GetState

func (x *NodeCredentials) GetState() *structpb.Struct

func (*NodeCredentials) GetWrappingKeyId

func (x *NodeCredentials) GetWrappingKeyId() string

func (*NodeCredentials) HandleFetchNodeCredentialsResponse

func (n *NodeCredentials) HandleFetchNodeCredentialsResponse(
	ctx context.Context,
	storage nodeenrollment.Storage,
	input *FetchNodeCredentialsResponse,
	opt ...nodeenrollment.Option,
) (*NodeCredentials, error)

HandleFetchNodeCredentialsResponse parses the response from a server for node credentials and attempts to decrypt and merge with the existing NodeCredentials, storing the result. It returns the updated value and any error and stores the result in storage, unless WithSkipStorage is passed.

Supported options: WithWrapping (passed through to NodeCredentials.Store), WithSkipStorage

func (*NodeCredentials) ProtoMessage

func (*NodeCredentials) ProtoMessage()

func (*NodeCredentials) ProtoReflect

func (x *NodeCredentials) ProtoReflect() protoreflect.Message

func (*NodeCredentials) Reset

func (x *NodeCredentials) Reset()

func (*NodeCredentials) Store

Store stores node credentials to storage, wrapping values along the way if given a wrapper

Supported options: WithWrapper

func (*NodeCredentials) String

func (x *NodeCredentials) String() string

func (*NodeCredentials) X25519EncryptionKey

func (n *NodeCredentials) X25519EncryptionKey() ([]byte, error)

X25519EncryptionKey uses the NodeCredentials values to produce a shared encryption key via X25519

type NodeInformation

type NodeInformation struct {
	Id                              string               `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	CertificatePublicKeyPkix        []byte               `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	CertificatePublicKeyType        KEYTYPE              `` /* 166-byte string literal not displayed */
	CertificateBundles              []*CertificateBundle `protobuf:"bytes,6,rep,name=certificate_bundles,proto3" json:"certificate_bundles,omitempty"`
	EncryptionPublicKeyBytes        []byte               `protobuf:"bytes,10,opt,name=encryption_public_key_bytes,proto3" json:"encryption_public_key_bytes,omitempty"`
	EncryptionPublicKeyType         KEYTYPE              `` /* 165-byte string literal not displayed */
	ServerEncryptionPrivateKeyBytes []byte               `protobuf:"bytes,12,opt,name=server_encryption_private_key_bytes,proto3" json:"server_encryption_private_key_bytes,omitempty"`
	ServerEncryptionPrivateKeyType  KEYTYPE              `` /* 181-byte string literal not displayed */
	RegistrationNonce               []byte               `protobuf:"bytes,20,opt,name=registration_nonce,proto3" json:"registration_nonce,omitempty"`
	// If set, the key ID of the wrapping key used to encrypt the private key and
	// the nonce
	WrappingKeyId string `protobuf:"bytes,30,opt,name=wrapping_key_id,proto3" json:"wrapping_key_id,omitempty"`
	// State is data that the implementor of a Store can use to round-trip data
	// through this library; as an example, a version number on the resource for
	// implementing transactions.
	State *structpb.Struct `protobuf:"bytes,50,opt,name=state,proto3" json:"state,omitempty"`
	// contains filtered or unexported fields
}

NodeInformation contains server-side information about a node: its certificate public key, any issued certificates (purely for informational purposes), its encryption public key and the corresponding server private key. Nonce may or may not have a value depending on the flow used to register the node and the current state of that flow. The first seen value can be useful for display to an operator looking to authorize a node. Authorized stores whether or not this node is authorized; technically we could derive this based on whether we have complete key/certificate information, but it's nice to be explicit.

The ID corresponds to a key identifier generated by this library's KeyIdFromPkix function; unlike RootCertificate or NodeCredentials, which will only have at most two active values, here we need to identify an incoming node's information so use the actual key ID. Rotation simply means a new entry will be added with the new ID.

func LoadNodeInformation

func LoadNodeInformation(ctx context.Context, storage nodeenrollment.Storage, id string, opt ...nodeenrollment.Option) (*NodeInformation, error)

LoadNodeInformation loads the node information from storage, unwrapping encrypted values if needed.

Supported options: WithWrapper

func (*NodeInformation) Descriptor deprecated

func (*NodeInformation) Descriptor() ([]byte, []int)

Deprecated: Use NodeInformation.ProtoReflect.Descriptor instead.

func (*NodeInformation) GetCertificateBundles

func (x *NodeInformation) GetCertificateBundles() []*CertificateBundle

func (*NodeInformation) GetCertificatePublicKeyPkix

func (x *NodeInformation) GetCertificatePublicKeyPkix() []byte

func (*NodeInformation) GetCertificatePublicKeyType

func (x *NodeInformation) GetCertificatePublicKeyType() KEYTYPE

func (*NodeInformation) GetEncryptionPublicKeyBytes

func (x *NodeInformation) GetEncryptionPublicKeyBytes() []byte

func (*NodeInformation) GetEncryptionPublicKeyType

func (x *NodeInformation) GetEncryptionPublicKeyType() KEYTYPE

func (*NodeInformation) GetId

func (x *NodeInformation) GetId() string

func (*NodeInformation) GetRegistrationNonce

func (x *NodeInformation) GetRegistrationNonce() []byte

func (*NodeInformation) GetServerEncryptionPrivateKeyBytes

func (x *NodeInformation) GetServerEncryptionPrivateKeyBytes() []byte

func (*NodeInformation) GetServerEncryptionPrivateKeyType

func (x *NodeInformation) GetServerEncryptionPrivateKeyType() KEYTYPE

func (*NodeInformation) GetState

func (x *NodeInformation) GetState() *structpb.Struct

func (*NodeInformation) GetWrappingKeyId

func (x *NodeInformation) GetWrappingKeyId() string

func (*NodeInformation) ProtoMessage

func (*NodeInformation) ProtoMessage()

func (*NodeInformation) ProtoReflect

func (x *NodeInformation) ProtoReflect() protoreflect.Message

func (*NodeInformation) Reset

func (x *NodeInformation) Reset()

func (*NodeInformation) Store

Store stores node information to server storage, wrapping values along the way if given a wrapper

Supported options: WithWrapper

func (*NodeInformation) String

func (x *NodeInformation) String() string

func (*NodeInformation) X25519EncryptionKey

func (n *NodeInformation) X25519EncryptionKey() ([]byte, error)

X25519EncryptionKey uses the NodeInformation's values to produce a shared encryption key via X25519

type RootCertificate

type RootCertificate struct {
	Id              string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // "current" or "next"
	PublicKeyPkix   []byte                 `protobuf:"bytes,2,opt,name=public_key_pkix,proto3" json:"public_key_pkix,omitempty"`
	PrivateKeyPkcs8 []byte                 `protobuf:"bytes,4,opt,name=private_key_pkcs8,proto3" json:"private_key_pkcs8,omitempty"`
	PrivateKeyType  KEYTYPE                `` /* 144-byte string literal not displayed */
	CertificateDer  []byte                 `protobuf:"bytes,6,opt,name=certificate_der,proto3" json:"certificate_der,omitempty"`
	NotBefore       *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=not_before,proto3" json:"not_before,omitempty"`
	NotAfter        *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=not_after,proto3" json:"not_after,omitempty"`
	// contains filtered or unexported fields
}

RootCertificate contains information about a root CA certificate and its associated public/private keys

func (*RootCertificate) Descriptor deprecated

func (*RootCertificate) Descriptor() ([]byte, []int)

Deprecated: Use RootCertificate.ProtoReflect.Descriptor instead.

func (*RootCertificate) GetCertificateDer

func (x *RootCertificate) GetCertificateDer() []byte

func (*RootCertificate) GetId

func (x *RootCertificate) GetId() string

func (*RootCertificate) GetNotAfter

func (x *RootCertificate) GetNotAfter() *timestamppb.Timestamp

func (*RootCertificate) GetNotBefore

func (x *RootCertificate) GetNotBefore() *timestamppb.Timestamp

func (*RootCertificate) GetPrivateKeyPkcs8

func (x *RootCertificate) GetPrivateKeyPkcs8() []byte

func (*RootCertificate) GetPrivateKeyType

func (x *RootCertificate) GetPrivateKeyType() KEYTYPE

func (*RootCertificate) GetPublicKeyPkix

func (x *RootCertificate) GetPublicKeyPkix() []byte

func (*RootCertificate) ProtoMessage

func (*RootCertificate) ProtoMessage()

func (*RootCertificate) ProtoReflect

func (x *RootCertificate) ProtoReflect() protoreflect.Message

func (*RootCertificate) Reset

func (x *RootCertificate) Reset()

func (*RootCertificate) SigningParams

func (r *RootCertificate) SigningParams(ctx context.Context) (*x509.Certificate, crypto.Signer, error)

SigningParams is a helper to extract the necessary information from the RootCertificate to use as a CA certificate

func (*RootCertificate) String

func (x *RootCertificate) String() string

type RootCertificates

type RootCertificates struct {
	Id      string           `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	Current *RootCertificate `protobuf:"bytes,2,opt,name=current,proto3" json:"current,omitempty"`
	Next    *RootCertificate `protobuf:"bytes,3,opt,name=next,proto3" json:"next,omitempty"`
	// If set, the key ID of the wrapping key used to encrypt the private key
	WrappingKeyId string `protobuf:"bytes,30,opt,name=wrapping_key_id,proto3" json:"wrapping_key_id,omitempty"`
	// State is data that the implementor of a Store can use to round-trip data
	// through this library; as an example, a version number on the resource for
	// implementing transactions.
	State *structpb.Struct `protobuf:"bytes,50,opt,name=state,proto3" json:"state,omitempty"`
	// contains filtered or unexported fields
}

RootCertificates is a message that holds two root certificates for easy usage/identification. The ID will always be "roots".

func LoadRootCertificates

func LoadRootCertificates(ctx context.Context, storage nodeenrollment.Storage, opt ...nodeenrollment.Option) (*RootCertificates, error)

LoadRootCertificates loads the RootCertificates from storage, unwrapping encrypted values if needed

Supported options: WithWrapper

func (*RootCertificates) Descriptor deprecated

func (*RootCertificates) Descriptor() ([]byte, []int)

Deprecated: Use RootCertificates.ProtoReflect.Descriptor instead.

func (*RootCertificates) GetCurrent

func (x *RootCertificates) GetCurrent() *RootCertificate

func (*RootCertificates) GetId

func (x *RootCertificates) GetId() string

func (*RootCertificates) GetNext

func (x *RootCertificates) GetNext() *RootCertificate

func (*RootCertificates) GetState

func (x *RootCertificates) GetState() *structpb.Struct

func (*RootCertificates) GetWrappingKeyId

func (x *RootCertificates) GetWrappingKeyId() string

func (*RootCertificates) ProtoMessage

func (*RootCertificates) ProtoMessage()

func (*RootCertificates) ProtoReflect

func (x *RootCertificates) ProtoReflect() protoreflect.Message

func (*RootCertificates) Reset

func (x *RootCertificates) Reset()

func (*RootCertificates) Store

Store stores the certificates to the given storage, possibly encrypting secret values along the way if a wrapper is passed

Supported options: WithWrapper

func (*RootCertificates) String

func (x *RootCertificates) String() string

type RotateNodeCredentialsRequest

type RotateNodeCredentialsRequest struct {

	// For identification of the node, in case it's not trivial from the
	// connection
	CertificatePublicKeyPkix []byte `protobuf:"bytes,2,opt,name=certificate_public_key_pkix,proto3" json:"certificate_public_key_pkix,omitempty"`
	// Encrypted FetchNodeCredentialsRequest, with the current encryption
	// parameters used for key generation
	EncryptedFetchNodeCredentialsRequest []byte `` /* 134-byte string literal not displayed */
	// contains filtered or unexported fields
}

RotateNodeCredentialsRequest is the message used when a node wants to rotate credentials

func (*RotateNodeCredentialsRequest) Descriptor deprecated

func (*RotateNodeCredentialsRequest) Descriptor() ([]byte, []int)

Deprecated: Use RotateNodeCredentialsRequest.ProtoReflect.Descriptor instead.

func (*RotateNodeCredentialsRequest) GetCertificatePublicKeyPkix

func (x *RotateNodeCredentialsRequest) GetCertificatePublicKeyPkix() []byte

func (*RotateNodeCredentialsRequest) GetEncryptedFetchNodeCredentialsRequest

func (x *RotateNodeCredentialsRequest) GetEncryptedFetchNodeCredentialsRequest() []byte

func (*RotateNodeCredentialsRequest) ProtoMessage

func (*RotateNodeCredentialsRequest) ProtoMessage()

func (*RotateNodeCredentialsRequest) ProtoReflect

func (x *RotateNodeCredentialsRequest) ProtoReflect() protoreflect.Message

func (*RotateNodeCredentialsRequest) Reset

func (x *RotateNodeCredentialsRequest) Reset()

func (*RotateNodeCredentialsRequest) String

func (x *RotateNodeCredentialsRequest) String() string

type RotateNodeCredentialsResponse

type RotateNodeCredentialsResponse struct {

	// Encrypted FetchNodeCredentialsResponse, with the current encryption
	// parameters used for key generation. The new key will be used for the
	// encrypted node credentials in the response.
	EncryptedFetchNodeCredentialsResponse []byte `` /* 136-byte string literal not displayed */
	// contains filtered or unexported fields
}

RotateNodeCredentialsResponse is the message used to return values

func (*RotateNodeCredentialsResponse) Descriptor deprecated

func (*RotateNodeCredentialsResponse) Descriptor() ([]byte, []int)

Deprecated: Use RotateNodeCredentialsResponse.ProtoReflect.Descriptor instead.

func (*RotateNodeCredentialsResponse) GetEncryptedFetchNodeCredentialsResponse

func (x *RotateNodeCredentialsResponse) GetEncryptedFetchNodeCredentialsResponse() []byte

func (*RotateNodeCredentialsResponse) ProtoMessage

func (*RotateNodeCredentialsResponse) ProtoMessage()

func (*RotateNodeCredentialsResponse) ProtoReflect

func (x *RotateNodeCredentialsResponse) ProtoReflect() protoreflect.Message

func (*RotateNodeCredentialsResponse) Reset

func (x *RotateNodeCredentialsResponse) Reset()

func (*RotateNodeCredentialsResponse) String

func (x *RotateNodeCredentialsResponse) String() string

type ServerLedRegistrationRequest

type ServerLedRegistrationRequest struct {
	// contains filtered or unexported fields
}

ServerLedRegistrationRequest is a request for the "operator-led" registration flow. Although currently empty it's required to ensure that we can add parameters later without an API change.

func (*ServerLedRegistrationRequest) Descriptor deprecated

func (*ServerLedRegistrationRequest) Descriptor() ([]byte, []int)

Deprecated: Use ServerLedRegistrationRequest.ProtoReflect.Descriptor instead.

func (*ServerLedRegistrationRequest) ProtoMessage

func (*ServerLedRegistrationRequest) ProtoMessage()

func (*ServerLedRegistrationRequest) ProtoReflect

func (x *ServerLedRegistrationRequest) ProtoReflect() protoreflect.Message

func (*ServerLedRegistrationRequest) Reset

func (x *ServerLedRegistrationRequest) Reset()

func (*ServerLedRegistrationRequest) String

func (x *ServerLedRegistrationRequest) String() string