- Constants
- func MarshalEd25519PrivateKey(key ed25519.PrivateKey) []byte
- func MarshalEd25519PublicKey(key ed25519.PublicKey) []byte
- func MarshalX25519PrivateKey(b []byte) []byte
- func MarshalX25519PublicKey(b []byte) []byte
- func UnmarshalEd25519PrivateKey(b []byte) (ed25519.PrivateKey, []byte, error)
- func UnmarshalEd25519PublicKey(b []byte) (ed25519.PublicKey, []byte, error)
- func UnmarshalX25519PrivateKey(b []byte) ([]byte, []byte, error)
- func UnmarshalX25519PublicKey(b []byte) ([]byte, []byte, error)
- type NebulaCAPool
- func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error)
- func (ncp *NebulaCAPool) BlacklistFingerprint(f string)
- func (ncp *NebulaCAPool) GetCAForCert(c *NebulaCertificate) (*NebulaCertificate, error)
- func (ncp *NebulaCAPool) GetFingerprints() []string
- func (ncp *NebulaCAPool) IsBlacklisted(c *NebulaCertificate) bool
- func (ncp *NebulaCAPool) ResetCertBlacklist()
- type NebulaCertificate
- func (nc *NebulaCertificate) CheckRootConstrains(signer *NebulaCertificate) error
- func (nc *NebulaCertificate) CheckSignature(key ed25519.PublicKey) bool
- func (nc *NebulaCertificate) Expired(t time.Time) bool
- func (nc *NebulaCertificate) Marshal() ([]byte, error)
- func (nc *NebulaCertificate) MarshalJSON() ([]byte, error)
- func (nc *NebulaCertificate) MarshalToPEM() ([]byte, error)
- func (nc *NebulaCertificate) Sha256Sum() (string, error)
- func (nc *NebulaCertificate) Sign(key ed25519.PrivateKey) error
- func (nc *NebulaCertificate) String() string
- func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error)
- func (nc *NebulaCertificate) VerifyPrivateKey(key []byte) error
- type NebulaCertificateDetails
- type RawNebulaCertificate
- func (*RawNebulaCertificate) Descriptor() ([]byte, []int)
- func (m *RawNebulaCertificate) GetDetails() *RawNebulaCertificateDetails
- func (m *RawNebulaCertificate) GetSignature() []byte
- func (*RawNebulaCertificate) ProtoMessage()
- func (m *RawNebulaCertificate) Reset()
- func (m *RawNebulaCertificate) String() string
- func (m *RawNebulaCertificate) XXX_DiscardUnknown()
- func (m *RawNebulaCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *RawNebulaCertificate) XXX_Merge(src proto.Message)
- func (m *RawNebulaCertificate) XXX_Size() int
- func (m *RawNebulaCertificate) XXX_Unmarshal(b []byte) error
- type RawNebulaCertificateDetails
- func (*RawNebulaCertificateDetails) Descriptor() ([]byte, []int)
- func (m *RawNebulaCertificateDetails) GetGroups() []string
- func (m *RawNebulaCertificateDetails) GetIps() []uint32
- func (m *RawNebulaCertificateDetails) GetIsCA() bool
- func (m *RawNebulaCertificateDetails) GetIssuer() []byte
- func (m *RawNebulaCertificateDetails) GetName() string
- func (m *RawNebulaCertificateDetails) GetNotAfter() int64
- func (m *RawNebulaCertificateDetails) GetNotBefore() int64
- func (m *RawNebulaCertificateDetails) GetPublicKey() []byte
- func (m *RawNebulaCertificateDetails) GetSubnets() []uint32
- func (*RawNebulaCertificateDetails) ProtoMessage()
- func (m *RawNebulaCertificateDetails) Reset()
- func (m *RawNebulaCertificateDetails) String() string
- func (m *RawNebulaCertificateDetails) XXX_DiscardUnknown()
- func (m *RawNebulaCertificateDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *RawNebulaCertificateDetails) XXX_Merge(src proto.Message)
- func (m *RawNebulaCertificateDetails) XXX_Size() int
- func (m *RawNebulaCertificateDetails) XXX_Unmarshal(b []byte) error
Constants ¶
const (
	CertBanner              = "NEBULA CERTIFICATE"
	X25519PrivateKeyBanner  = "NEBULA X25519 PRIVATE KEY"
	X25519PublicKeyBanner   = "NEBULA X25519 PUBLIC KEY"
	Ed25519PrivateKeyBanner = "NEBULA ED25519 PRIVATE KEY"
	Ed25519PublicKeyBanner  = "NEBULA ED25519 PUBLIC KEY"
)
Variables ¶
This section is empty.
Functions ¶
func MarshalEd25519PrivateKey ¶
func MarshalEd25519PrivateKey(key ed25519.PrivateKey) []byte
MarshalEd25519PrivateKey is a simple helper that PEM-encodes an Ed25519 private key.
func MarshalEd25519PublicKey ¶
MarshalEd25519PublicKey is a simple helper to PEM encode an Ed25519 public key
func MarshalX25519PrivateKey ¶
MarshalX25519PrivateKey is a simple helper to PEM encode an X25519 private key
func MarshalX25519PublicKey ¶
MarshalX25519PublicKey is a simple helper to PEM encode an X25519 public key
func UnmarshalEd25519PrivateKey ¶
func UnmarshalEd25519PrivateKey(b []byte) (ed25519.PrivateKey, []byte, error)
UnmarshalEd25519PrivateKey tries to PEM-decode an Ed25519 private key from b; it returns the key and any remaining (unconsumed) bytes, or an error on failure.
func UnmarshalEd25519PublicKey ¶
UnmarshalEd25519PublicKey tries to PEM-decode an Ed25519 public key from b; it returns the key and any remaining (unconsumed) bytes, or an error on failure.
func UnmarshalX25519PrivateKey ¶
UnmarshalX25519PrivateKey tries to PEM-decode an X25519 private key from b; it returns the key and any remaining (unconsumed) bytes, or an error on failure.
Types ¶
type NebulaCAPool ¶
type NebulaCAPool struct {
	CAs map[string]*NebulaCertificate
	// contains filtered or unexported fields
}
func NewCAPoolFromBytes ¶
func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, error)
func (*NebulaCAPool) AddCACertificate ¶
func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error)
AddCACertificate verifies a Nebula CA certificate and adds it to the pool. Only the first PEM-encoded object is consumed; any remaining bytes are returned. Parsed certificates are verified and must be a CA, otherwise they are not added.
func (*NebulaCAPool) BlacklistFingerprint ¶
func (ncp *NebulaCAPool) BlacklistFingerprint(f string)
BlacklistFingerprint adds a cert fingerprint to the blacklist
func (*NebulaCAPool) GetCAForCert ¶
func (ncp *NebulaCAPool) GetCAForCert(c *NebulaCertificate) (*NebulaCertificate, error)
GetCAForCert attempts to return the signing (issuer) certificate for the provided certificate. No signature validation is performed here; the caller must still check the signature (see CheckSignature or Verify).
func (*NebulaCAPool) GetFingerprints ¶
func (ncp *NebulaCAPool) GetFingerprints() []string
GetFingerprints returns an array of trusted CA fingerprints
func (*NebulaCAPool) IsBlacklisted ¶
func (ncp *NebulaCAPool) IsBlacklisted(c *NebulaCertificate) bool
IsBlacklisted returns true if the certificate's fingerprint cannot be generated or has been explicitly blacklisted; a certificate whose fingerprint fails to compute is therefore treated as blacklisted (fail closed).
func (*NebulaCAPool) ResetCertBlacklist ¶
func (ncp *NebulaCAPool) ResetCertBlacklist()
ResetCertBlacklist removes all previously blacklisted cert fingerprints
type NebulaCertificate ¶
type NebulaCertificate struct {
	Details   NebulaCertificateDetails
	Signature []byte
}
func UnmarshalNebulaCertificate ¶
func UnmarshalNebulaCertificate(b []byte) (*NebulaCertificate, error)
UnmarshalNebulaCertificate will unmarshal a protobuf byte representation of a nebula cert
func UnmarshalNebulaCertificateFromPEM ¶
func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, error)
UnmarshalNebulaCertificateFromPEM unmarshals the first PEM block in a byte array, returning any unconsumed data, or an error on failure.
func (*NebulaCertificate) CheckRootConstrains ¶ added in v1.1.0
func (nc *NebulaCertificate) CheckRootConstrains(signer *NebulaCertificate) error
CheckRootConstrains returns an error if the certificate violates the constraints set on the root CA that signed it (groups, IPs, subnets).
func (*NebulaCertificate) CheckSignature ¶
func (nc *NebulaCertificate) CheckSignature(key ed25519.PublicKey) bool
CheckSignature verifies the certificate's signature against the provided public key. It checks only the signature; expiry, blacklisting and root constraints are covered by Verify.
func (*NebulaCertificate) Expired ¶
func (nc *NebulaCertificate) Expired(t time.Time) bool
Expired returns true if the provided time falls outside the certificate's validity window (before NotBefore or after NotAfter), otherwise false.
func (*NebulaCertificate) Marshal ¶
func (nc *NebulaCertificate) Marshal() ([]byte, error)
Marshal will marshal a nebula cert into a protobuf byte array
func (*NebulaCertificate) MarshalJSON ¶
func (nc *NebulaCertificate) MarshalJSON() ([]byte, error)
func (*NebulaCertificate) MarshalToPEM ¶
func (nc *NebulaCertificate) MarshalToPEM() ([]byte, error)
MarshalToPEM will marshal a nebula cert into a protobuf byte array and pem encode the result
func (*NebulaCertificate) Sha256Sum ¶
func (nc *NebulaCertificate) Sha256Sum() (string, error)
Sha256Sum calculates the SHA-256 sum of the marshaled certificate.
func (*NebulaCertificate) Sign ¶
func (nc *NebulaCertificate) Sign(key ed25519.PrivateKey) error
Sign signs a nebula cert with the provided private key
func (*NebulaCertificate) String ¶
func (nc *NebulaCertificate) String() string
String will return a pretty printed representation of a nebula cert
func (*NebulaCertificate) Verify ¶
func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error)
Verify ensures a certificate is valid in all respects (expiry, group membership, signature, cert blacklist, etc.).
func (*NebulaCertificate) VerifyPrivateKey ¶
func (nc *NebulaCertificate) VerifyPrivateKey(key []byte) error
VerifyPrivateKey checks that the public key embedded in the Nebula certificate and the supplied private key form a matching key pair.
type RawNebulaCertificate ¶
type RawNebulaCertificate struct {
	Details              *RawNebulaCertificateDetails `protobuf:"bytes,1,opt,name=Details,json=details,proto3" json:"Details,omitempty"`
	Signature            []byte                       `protobuf:"bytes,2,opt,name=Signature,json=signature,proto3" json:"Signature,omitempty"`
	XXX_NoUnkeyedLiteral struct{}                     `json:"-"`
	XXX_unrecognized     []byte                       `json:"-"`
	XXX_sizecache        int32                        `json:"-"`
}
func (*RawNebulaCertificate) Descriptor ¶
func (*RawNebulaCertificate) Descriptor() ([]byte, []int)
func (*RawNebulaCertificate) GetDetails ¶
func (m *RawNebulaCertificate) GetDetails() *RawNebulaCertificateDetails
func (*RawNebulaCertificate) GetSignature ¶
func (m *RawNebulaCertificate) GetSignature() []byte
func (*RawNebulaCertificate) ProtoMessage ¶
func (*RawNebulaCertificate) ProtoMessage()
func (*RawNebulaCertificate) Reset ¶
func (m *RawNebulaCertificate) Reset()
func (*RawNebulaCertificate) String ¶
func (m *RawNebulaCertificate) String() string
func (*RawNebulaCertificate) XXX_DiscardUnknown ¶
func (m *RawNebulaCertificate) XXX_DiscardUnknown()
func (*RawNebulaCertificate) XXX_Marshal ¶
func (m *RawNebulaCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*RawNebulaCertificate) XXX_Merge ¶
func (m *RawNebulaCertificate) XXX_Merge(src proto.Message)
func (*RawNebulaCertificate) XXX_Size ¶
func (m *RawNebulaCertificate) XXX_Size() int
func (*RawNebulaCertificate) XXX_Unmarshal ¶
func (m *RawNebulaCertificate) XXX_Unmarshal(b []byte) error
type RawNebulaCertificateDetails ¶
type RawNebulaCertificateDetails struct {
	Name string `protobuf:"bytes,1,opt,name=Name,json=name,proto3" json:"Name,omitempty"`
	// Ips and Subnets are big-endian 32-bit pairs: first the IP, then the mask
	Ips       []uint32 `protobuf:"varint,2,rep,packed,name=Ips,json=ips,proto3" json:"Ips,omitempty"`
	Subnets   []uint32 `protobuf:"varint,3,rep,packed,name=Subnets,json=subnets,proto3" json:"Subnets,omitempty"`
	Groups    []string `protobuf:"bytes,4,rep,name=Groups,json=groups,proto3" json:"Groups,omitempty"`
	NotBefore int64    `protobuf:"varint,5,opt,name=NotBefore,json=notBefore,proto3" json:"NotBefore,omitempty"`
	NotAfter  int64    `protobuf:"varint,6,opt,name=NotAfter,json=notAfter,proto3" json:"NotAfter,omitempty"`
	PublicKey []byte   `protobuf:"bytes,7,opt,name=PublicKey,json=publicKey,proto3" json:"PublicKey,omitempty"`
	IsCA      bool     `protobuf:"varint,8,opt,name=IsCA,json=isCA,proto3" json:"IsCA,omitempty"`
	// sha-256 of the issuer certificate; if this field is blank the cert is self-signed
	Issuer               []byte   `protobuf:"bytes,9,opt,name=Issuer,json=issuer,proto3" json:"Issuer,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*RawNebulaCertificateDetails) Descriptor ¶
func (*RawNebulaCertificateDetails) Descriptor() ([]byte, []int)
func (*RawNebulaCertificateDetails) GetGroups ¶
func (m *RawNebulaCertificateDetails) GetGroups() []string
func (*RawNebulaCertificateDetails) GetIps ¶
func (m *RawNebulaCertificateDetails) GetIps() []uint32
func (*RawNebulaCertificateDetails) GetIsCA ¶
func (m *RawNebulaCertificateDetails) GetIsCA() bool
func (*RawNebulaCertificateDetails) GetIssuer ¶
func (m *RawNebulaCertificateDetails) GetIssuer() []byte
func (*RawNebulaCertificateDetails) GetName ¶
func (m *RawNebulaCertificateDetails) GetName() string
func (*RawNebulaCertificateDetails) GetNotAfter ¶
func (m *RawNebulaCertificateDetails) GetNotAfter() int64
func (*RawNebulaCertificateDetails) GetNotBefore ¶
func (m *RawNebulaCertificateDetails) GetNotBefore() int64
func (*RawNebulaCertificateDetails) GetPublicKey ¶
func (m *RawNebulaCertificateDetails) GetPublicKey() []byte
func (*RawNebulaCertificateDetails) GetSubnets ¶
func (m *RawNebulaCertificateDetails) GetSubnets() []uint32
func (*RawNebulaCertificateDetails) ProtoMessage ¶
func (*RawNebulaCertificateDetails) ProtoMessage()
func (*RawNebulaCertificateDetails) Reset ¶
func (m *RawNebulaCertificateDetails) Reset()
func (*RawNebulaCertificateDetails) String ¶
func (m *RawNebulaCertificateDetails) String() string
func (*RawNebulaCertificateDetails) XXX_DiscardUnknown ¶
func (m *RawNebulaCertificateDetails) XXX_DiscardUnknown()
func (*RawNebulaCertificateDetails) XXX_Marshal ¶
func (m *RawNebulaCertificateDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*RawNebulaCertificateDetails) XXX_Merge ¶
func (m *RawNebulaCertificateDetails) XXX_Merge(src proto.Message)
func (*RawNebulaCertificateDetails) XXX_Size ¶
func (m *RawNebulaCertificateDetails) XXX_Size() int
func (*RawNebulaCertificateDetails) XXX_Unmarshal ¶
func (m *RawNebulaCertificateDetails) XXX_Unmarshal(b []byte) error