Documentation ¶
Overview ¶
Package node implements common node identity routines.
Index ¶
- Constants
- Variables
- func HashAttestation(reportData []byte, nodeID signature.PublicKey, height uint64) []byte
- func HashRAK(rak signature.PublicKey) hash.Hash
- type Address
- func (a *Address) Equal(other *Address) bool
- func (a *Address) FromIP(ip net.IP, port uint16) error
- func (a *Address) IsRoutable() bool
- func (a *Address) MarshalText() ([]byte, error)
- func (a Address) String() string
- func (a *Address) ToTCPAddr() *net.TCPAddr
- func (a *Address) UnmarshalText(text []byte) error
- type Capabilities
- type CapabilityTEE
- type ConsensusAddress
- type ConsensusInfo
- type MultiSignedNode
- type Node
- func (n *Node) AddOrUpdateRuntime(id common.Namespace, version version.Version) *Runtime
- func (n *Node) AddRoles(r RolesMask)
- func (n *Node) GetRuntime(id common.Namespace, version version.Version) *Runtime
- func (n *Node) HasRoles(r RolesMask) bool
- func (n *Node) HasRuntime(id common.Namespace) bool
- func (n *Node) IsExpired(epoch uint64) bool
- func (n *Node) OnlyHasRoles(r RolesMask) bool
- func (n *Node) String() string
- func (n *Node) UnmarshalCBOR(data []byte) error
- func (n *Node) ValidateBasic(strictVersion bool) error
- type P2PInfo
- type RolesMask
- type Runtime
- type SGXAttestation
- type SGXConstraints
- type TEEFeatures
- type TEEFeaturesSGX
- type TEEHardware
- type TLSAddress
- type TLSInfo
- type VRFInfo
Constants ¶
const ( // RoleComputeWorker is the compute worker role. RoleComputeWorker RolesMask = 1 << 0 // RoleKeyManager is the the key manager role. RoleKeyManager RolesMask = 1 << 2 // RoleValidator is the validator role. RoleValidator RolesMask = 1 << 3 // RoleConsensusRPC is the public consensus RPC services worker role. RoleConsensusRPC RolesMask = 1 << 4 // RoleStorageRPC is the public storage RPC services worker role. RoleStorageRPC RolesMask = 1 << 5 // RoleReserved are all the bits of the Oasis node roles bitmask // that are reserved and must not be used. RoleReserved RolesMask = ((1<<32)-1) & ^((RoleStorageRPC<<1)-1) | roleReserved2 RoleComputeWorkerName = "compute" RoleKeyManagerName = "key-manager" RoleValidatorName = "validator" RoleConsensusRPCName = "consensus-rpc" RoleStorageRPCName = "storage-rpc" )
const ( // LatestNodeDescriptorVersion is the latest node descriptor version that should be used for all // new descriptors. Using earlier versions may be rejected. LatestNodeDescriptorVersion = 2 )
const ( // LatestSGXAttestationVersion is the latest SGX attestation structure version that should be // used for all new descriptors. LatestSGXAttestationVersion = 1 )
const ( // LatestSGXConstraintsVersion is the latest SGX constraints structure version that should be // used for all new descriptors. LatestSGXConstraintsVersion = 1 )
Variables ¶
var ( // ErrInvalidAddress is the error returned when a transport address is // invalid. ErrInvalidAddress = errors.New("node: invalid transport address") // ErrConsensusAddressNoID is the error returned when a consensus address // doesn't have the ID@ part. ErrConsensusAddressNoID = errors.New("node: consensus address doesn't have ID@ part") // ErrTLSAddressNoPubKey is the error returned when a TLS address doesn't have the PubKey@ part. ErrTLSAddressNoPubKey = errors.New("node: TLS address missing PubKey@ part") )
var ( // ErrInvalidRole is the error returned when a node role is invalid. ErrInvalidRole = errors.New("node: invalid role") // ErrDuplicateRole is the error returned when a node role is duplicated. ErrDuplicateRole = errors.New("node: duplicate role") // ErrInvalidTEEHardware is the error returned when a TEE hardware // implementation is invalid. ErrInvalidTEEHardware = errors.New("node: invalid TEE implementation") // ErrRAKHashMismatch is the error returned when the TEE attestation // does not contain the node's RAK hash. ErrRAKHashMismatch = errors.New("node: RAK hash mismatch") // ErrBadEnclaveIdentity is the error returned when the TEE enclave // identity doesn't match the required values. ErrBadEnclaveIdentity = errors.New("node: bad TEE enclave identity") // ErrInvalidAttestationSignature is the error returned when the TEE attestation // signature fails verification. ErrInvalidAttestationSignature = errors.New("node: invalid TEE attestation signature") // ErrAttestationNotFresh is the error returned when the TEE attestation is // not fresh enough. ErrAttestationNotFresh = errors.New("node: TEE attestation not fresh enough") // ErrAttestationFromFuture is the error returned when the TEE attestation appears // to be from the future. ErrAttestationFromFuture = errors.New("node: TEE attestation from the future") // AttestationSignatureContext is the signature context used for TEE attestation signatures. AttestationSignatureContext = signature.NewContext("oasis-core/node: TEE attestation signature") )
Functions ¶
func HashAttestation ¶ added in v0.2202.0
HashAttestation hashes the required data that needs to be signed by RAK producing the attestation signature. The hash is computed as follows:
TupleHash[AttestationSignatureContext](reportData, nodeID, height)
Types ¶
type Address ¶
Address represents a TCP address for the purpose of node descriptors.
func (*Address) IsRoutable ¶
IsRoutable returns true iff the address is likely to be globally routable.
func (*Address) MarshalText ¶
MarshalText implements the encoding.TextMarshaler interface.
func (*Address) UnmarshalText ¶
UnmarshalText implements the encoding.TextUnmarshaler interface.
type Capabilities ¶
type Capabilities struct { // TEE is the capability of a node executing batches in a TEE. TEE *CapabilityTEE `json:"tee,omitempty"` }
Capabilities represents a node's capabilities.
type CapabilityTEE ¶
type CapabilityTEE struct { // TEE hardware type. Hardware TEEHardware `json:"hardware"` // Runtime attestation key. RAK signature.PublicKey `json:"rak"` // Attestation. Attestation []byte `json:"attestation"` }
CapabilityTEE represents the node's TEE capability.
type ConsensusAddress ¶
type ConsensusAddress struct { // ID is public key identifying the node. ID signature.PublicKey `json:"id"` // Address is the address at which the node can be reached. Address Address `json:"address"` }
ConsensusAddress represents a Tendermint consensus address that includes an ID and a TCP address. NOTE: The consensus address ID could be different from the consensus ID to allow using a sentry node's ID and address instead of the validator's.
func (*ConsensusAddress) MarshalText ¶
func (ca *ConsensusAddress) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface.
func (*ConsensusAddress) String ¶
func (ca *ConsensusAddress) String() string
String returns a string representation of a consensus address.
func (*ConsensusAddress) UnmarshalText ¶
func (ca *ConsensusAddress) UnmarshalText(text []byte) error
UnmarshalText implements the encoding.TextUnmarshaler interface.
type ConsensusInfo ¶
type ConsensusInfo struct { // ID is the unique identifier of the node as a consensus member. ID signature.PublicKey `json:"id"` // Addresses is the list of addresses at which the node can be reached. Addresses []ConsensusAddress `json:"addresses"` }
ConsensusInfo contains information for connecting to this node as a consensus member.
type MultiSignedNode ¶
type MultiSignedNode struct {
signature.MultiSigned
}
MultiSignedNode is a multi-signed blob containing a CBOR-serialized Node.
func MultiSignNode ¶
func MultiSignNode(signers []signature.Signer, context signature.Context, node *Node) (*MultiSignedNode, error)
MultiSignNode serializes the Node and multi-signs the result.
func (*MultiSignedNode) Open ¶
func (s *MultiSignedNode) Open(context signature.Context, node *Node) error
Open first verifies the blob signatures and then unmarshals the blob.
func (MultiSignedNode) PrettyPrint ¶
PrettyPrint writes a pretty-printed representation of the type to the given writer.
func (MultiSignedNode) PrettyType ¶
func (s MultiSignedNode) PrettyType() (interface{}, error)
PrettyType returns a representation of the type that can be used for pretty printing.
type Node ¶
type Node struct { cbor.Versioned // ID is the public key identifying the node. ID signature.PublicKey `json:"id"` // EntityID is the public key identifying the Entity controlling // the node. EntityID signature.PublicKey `json:"entity_id"` // Expiration is the epoch in which this node's commitment expires. Expiration uint64 `json:"expiration"` // TLS contains information for connecting to this node via TLS. TLS TLSInfo `json:"tls"` // P2P contains information for connecting to this node via P2P. P2P P2PInfo `json:"p2p"` // Consensus contains information for connecting to this node as a // consensus member. Consensus ConsensusInfo `json:"consensus"` // VRF contains information for this node's participation in VRF // based elections. VRF *VRFInfo `json:"vrf,omitempty"` // DeprecatedBeacon contains information for this node's // participation in the old PVSS based random beacon protocol. DeprecatedBeacon cbor.RawMessage `json:"beacon,omitempty"` // Runtimes are the node's runtimes. Runtimes []*Runtime `json:"runtimes"` // Roles is a bitmask representing the node roles. Roles RolesMask `json:"roles"` // SoftwareVersion is the node's oasis-node software version. SoftwareVersion string `json:"software_version,omitempty"` }
Node represents public connectivity information about an Oasis node.
func (*Node) AddOrUpdateRuntime ¶
AddOrUpdateRuntime searches for an existing supported runtime descriptor in Runtimes with the specified version and returns it. In case a runtime descriptor for the given runtime and version doesn't exist yet, a new one is created appended to the list of supported runtimes and returned.
func (*Node) GetRuntime ¶
GetRuntime searches for an existing supported runtime descriptor in Runtimes with the specified version and returns it.
func (*Node) HasRuntime ¶ added in v0.2200.0
HasRuntime returns true iff the node supports a runtime (ignoring version).
func (*Node) IsExpired ¶
IsExpired returns true if the node expiration epoch is strictly smaller than the passed (current) epoch.
func (*Node) OnlyHasRoles ¶
OnlyHasRoles checks if the node only has the specified roles and no others.
func (*Node) UnmarshalCBOR ¶ added in v0.2200.0
UnmarshalCBOR is a custom deserializer that handles both v1 and v2 Node structures.
func (*Node) ValidateBasic ¶
ValidateBasic performs basic descriptor validity checks.
type P2PInfo ¶
type P2PInfo struct { // ID is the unique identifier of the node on the P2P transport. ID signature.PublicKey `json:"id"` // Addresses is the list of addresses at which the node can be reached. Addresses []Address `json:"addresses"` }
P2PInfo contains information for connecting to this node via P2P transport.
type RolesMask ¶
type RolesMask uint32
RolesMask is Oasis node roles bitmask.
func Roles ¶ added in v0.2012.3
func Roles() (roles []RolesMask)
Roles returns a list of available valid roles.
func (RolesMask) IsSingleRole ¶
IsSingleRole returns true if RolesMask encodes a single valid role.
func (RolesMask) MarshalText ¶ added in v0.2103.0
MarshalText encodes a RolesMask into text form.
func (*RolesMask) UnmarshalText ¶ added in v0.2103.0
UnmarshalText decodes a text slice into a RolesMask.
type Runtime ¶
type Runtime struct { // ID is the public key identifying the runtime. ID common.Namespace `json:"id"` // Version is the version of the runtime. Version version.Version `json:"version"` // Capabilities are the node's capabilities for a given runtime. Capabilities Capabilities `json:"capabilities"` // ExtraInfo is the extra per node + per runtime opaque data associated // with the current instance. ExtraInfo []byte `json:"extra_info"` }
Runtime represents the runtimes supported by a given Oasis node.
type SGXAttestation ¶ added in v0.2202.0
type SGXAttestation struct { cbor.Versioned // Quote is an Intel SGX quote. Quote quote.Quote `json:"quote"` // Height is the runtime's view of the consensus layer height at the time of attestation. Height uint64 `json:"height"` // Signature is the signature of the attestation by the enclave (RAK). Signature signature.RawSignature `json:"signature"` }
SGXAttestation is an Intel SGX remote attestation.
func (*SGXAttestation) MarshalCBOR ¶ added in v0.2202.0
func (sa *SGXAttestation) MarshalCBOR() ([]byte, error)
MarshalCBOR is a custom serializer that handles different structure versions.
func (*SGXAttestation) UnmarshalCBOR ¶ added in v0.2202.0
func (sa *SGXAttestation) UnmarshalCBOR(data []byte) error
UnmarshalCBOR is a custom deserializer that handles different structure versions.
func (*SGXAttestation) ValidateBasic ¶ added in v0.2202.0
func (sa *SGXAttestation) ValidateBasic(cfg *TEEFeatures) error
ValidateBasic performs basic structure validity checks.
func (*SGXAttestation) Verify ¶ added in v0.2202.0
func (sa *SGXAttestation) Verify( cfg *TEEFeatures, ts time.Time, height uint64, sc *SGXConstraints, rak signature.PublicKey, nodeID signature.PublicKey, ) error
Verify verifies the SGX attestation.
type SGXConstraints ¶ added in v0.2200.0
type SGXConstraints struct { cbor.Versioned // Enclaves is the allowed MRENCLAVE/MRSIGNER pairs. Enclaves []sgx.EnclaveIdentity `json:"enclaves,omitempty"` // Policy is the quote policy. Policy *quote.Policy `json:"policy,omitempty"` // MaxAttestationAge is the maximum attestation age (in blocks). MaxAttestationAge uint64 `json:"max_attestation_age,omitempty"` }
SGXConstraints are the Intel SGX TEE constraints.
func (*SGXConstraints) ContainsEnclave ¶ added in v0.2202.0
func (sc *SGXConstraints) ContainsEnclave(eid sgx.EnclaveIdentity) bool
ContainsEnclave returns true iff the allowed enclave list in SGX constraints contain the given enclave identity.
func (*SGXConstraints) MarshalCBOR ¶ added in v0.2202.0
func (sc *SGXConstraints) MarshalCBOR() ([]byte, error)
MarshalCBOR is a custom serializer that handles different structure versions.
func (*SGXConstraints) UnmarshalCBOR ¶ added in v0.2202.0
func (sc *SGXConstraints) UnmarshalCBOR(data []byte) error
UnmarshalCBOR is a custom deserializer that handles different structure versions.
func (*SGXConstraints) ValidateBasic ¶ added in v0.2202.0
func (sc *SGXConstraints) ValidateBasic(cfg *TEEFeatures) error
ValidateBasic performs basic structure validity checks.
type TEEFeatures ¶ added in v0.2202.0
type TEEFeatures struct { // SGX contains the supported TEE features for Intel SGX. SGX TEEFeaturesSGX `json:"sgx"` // FreshnessProofs is a feature flag specifying whether ProveFreshness transactions are // supported and processed, or ignored and handled as non-existing transactions. FreshnessProofs bool `json:"freshness_proofs"` }
TEEFeatures are the supported TEE features as advertised by the consensus layer.
type TEEFeaturesSGX ¶ added in v0.2202.0
type TEEFeaturesSGX struct { // PCS is a feature flag specifying whether support for Platform Certification Service-based // remote attestation is supported for Intel SGX-based TEEs. PCS bool `json:"pcs"` // SignedAttestations is a feature flag specifying whether attestations need to include an // additional signature binding it to a specific node. SignedAttestations bool `json:"signed_attestations,omitempty"` // DefaultPolicy is the default quote policy. DefaultPolicy *quote.Policy `json:"default_policy,omitempty"` // DefaultMaxAttestationAge is the default maximum attestation age (in blocks). DefaultMaxAttestationAge uint64 `json:"max_attestation_age,omitempty"` }
TEEFeaturesSGX are the supported Intel SGX-specific TEE features.
func (*TEEFeaturesSGX) ApplyDefaultConstraints ¶ added in v0.2202.0
func (fs *TEEFeaturesSGX) ApplyDefaultConstraints(sc *SGXConstraints)
ApplyDefaultConstraints applies configured SGX constraint defaults to the given structure.
type TEEHardware ¶
type TEEHardware uint8
TEEHardware is a TEE hardware implementation.
const ( // TEEHardwareInvalid is a non-TEE implementation. TEEHardwareInvalid TEEHardware = 0 // TEEHardwareIntelSGX is an Intel SGX TEE implementation. TEEHardwareIntelSGX TEEHardware = 1 // TEEHardwareReserved is the first reserved hardware implementation // identifier. All equal or greater identifiers are reserved. TEEHardwareReserved TEEHardware = TEEHardwareIntelSGX + 1 )
TEE Hardware implementations.
func (*TEEHardware) FromString ¶
func (h *TEEHardware) FromString(str string) error
FromString deserializes a string into a TEEHardware.
func (TEEHardware) String ¶
func (h TEEHardware) String() string
String returns the string representation of a TEEHardware.
type TLSAddress ¶
type TLSAddress struct { // PubKey is the public key used for establishing TLS connections. PubKey signature.PublicKey `json:"pub_key"` // Address is the address at which the node can be reached. Address Address `json:"address"` }
TLSAddress represents an Oasis committee address that includes a TLS public key and a TCP address.
NOTE: The address TLS public key can be different from the actual node TLS public key to allow using a sentry node's addresses.
func (*TLSAddress) Equal ¶
func (ta *TLSAddress) Equal(other *TLSAddress) bool
Equal compares vs another TLSAddress for equality.
func (*TLSAddress) MarshalText ¶
func (ta *TLSAddress) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface.
func (*TLSAddress) String ¶
func (ta *TLSAddress) String() string
String returns a string representation of a TLS address.
func (*TLSAddress) UnmarshalText ¶
func (ta *TLSAddress) UnmarshalText(text []byte) error
UnmarshalText implements the encoding.TextUnmarshaler interface.
type TLSInfo ¶
type TLSInfo struct { // PubKey is the public key used for establishing TLS connections. PubKey signature.PublicKey `json:"pub_key"` // NextPubKey is the public key that will be used for establishing TLS connections after // certificate rotation (if enabled). NextPubKey signature.PublicKey `json:"next_pub_key,omitempty"` // Addresses is the list of addresses at which the node can be reached. Addresses []TLSAddress `json:"addresses"` }
TLSInfo contains information for connecting to this node via TLS.