Documentation ¶
Overview ¶
Package identity encapsulates the node identity.
Index ¶
- Constants
- Variables
- func TLSCertPaths(dataDir string) (string, string)
- func TLSSentryClientCertPaths(dataDir string) (string, string)
- type Identity
- func (i *Identity) GetNextTLSCertificate() *tls.Certificate
- func (i *Identity) GetNextTLSSigner() signature.Signer
- func (i *Identity) GetTLSCertificate() *tls.Certificate
- func (i *Identity) GetTLSPubKeys() []signature.PublicKey
- func (i *Identity) GetTLSSigner() signature.Signer
- func (i *Identity) RotateCertificates() error
- func (i *Identity) SetTLSCertificate(cert *tls.Certificate)
- func (i *Identity) WatchCertificateRotations() (<-chan struct{}, pubsub.ClosableSubscription)
Constants ¶
const ( // NodeKeyPubFilename is the filename of the PEM encoded node public key. NodeKeyPubFilename = "identity_pub.pem" // P2PKeyPubFilename is the filename of the PEM encoded p2p public key. P2PKeyPubFilename = "p2p_pub.pem" // ConsensusKeyPubFilename is the filename of the PEM encoded consensus // public key. ConsensusKeyPubFilename = "consensus_pub.pem" // CommonName is the CommonName to use when generating TLS certificates. CommonName = "oasis-node" )
Variables ¶
var ErrCertificateRotationForbidden = errors.New("identity", 1, "identity: TLS certificate rotation forbidden")
ErrCertificateRotationForbidden is returned by RotateCertificates if TLS certificate rotation is forbidden. This happens when rotation is enabled and an existing TLS certificate was successfully loaded (or a new one was generated and persisted to disk).
Functions ¶
func TLSCertPaths ¶
TLSCertPaths returns the TLS private key and certificate paths relative to the passed data directory.
func TLSSentryClientCertPaths ¶
TLSSentryClientCertPaths returns the sentry client TLS private key and certificate paths relative to the passed data directory.
Types ¶
type Identity ¶
type Identity struct { sync.RWMutex // NodeSigner is a node identity key signer. NodeSigner signature.Signer // P2PSigner is a node P2P link key signer. P2PSigner signature.Signer // ConsensusSigner is a node consensus key signer. ConsensusSigner signature.Signer // TLSSentryClientCertificate is the client certificate used for // connecting to the sentry node's control connection. It is never rotated. TLSSentryClientCertificate *tls.Certificate // DoNotRotateTLS flag is true if we mustn't rotate the TLS certificates below. DoNotRotateTLS bool // contains filtered or unexported fields }
Identity is a node identity.
func Load ¶
func Load(dataDir string, signerFactory signature.SignerFactory) (*Identity, error)
Load loads an identity.
func LoadOrGenerate ¶
func LoadOrGenerate(dataDir string, signerFactory signature.SignerFactory, persistTLS bool) (*Identity, error)
LoadOrGenerate loads or generates an identity. If persistTLS is true, it saves the generated TLS certificates to disk.
func (*Identity) GetNextTLSCertificate ¶
func (i *Identity) GetNextTLSCertificate() *tls.Certificate
GetNextTLSCertificate returns the next TLS certificate.
func (*Identity) GetNextTLSSigner ¶
GetNextTLSSigner returns the next TLS signer.
func (*Identity) GetTLSCertificate ¶
func (i *Identity) GetTLSCertificate() *tls.Certificate
GetTLSCertificate returns the current TLS certificate.
func (*Identity) GetTLSPubKeys ¶
GetTLSPubKeys returns a list of currently valid TLS public keys.
func (*Identity) GetTLSSigner ¶
GetTLSSigner returns the current TLS signer.
func (*Identity) RotateCertificates ¶
RotateCertificates rotates the identity's TLS certificates. This is called from worker/registration/worker.go every CfgRegistrationRotateCerts epochs (if it's non-zero).
func (*Identity) SetTLSCertificate ¶
func (i *Identity) SetTLSCertificate(cert *tls.Certificate)
SetTLSCertificate sets the current TLS certificate.
func (*Identity) WatchCertificateRotations ¶
func (i *Identity) WatchCertificateRotations() (<-chan struct{}, pubsub.ClosableSubscription)
WatchCertificateRotations subscribes to TLS certificate rotation notifications.