cert


README

cert

This is a library for interacting with Nebula-style certificates and certificate authorities.

A protobuf definition of the certificate format is also included.

Compiling the protobuf definition

Make sure you have protoc installed.

To compile for Go with the same protobuf version specified in go.mod:

make

Documentation

Index

Constants

// PEM block type banners for the keys and certificates this package marshals
// and unmarshals; each Marshal*/Unmarshal* helper works with the matching banner.
const (
	CertBanner              = "NEBULA CERTIFICATE"
	X25519PrivateKeyBanner  = "NEBULA X25519 PRIVATE KEY"
	X25519PublicKeyBanner   = "NEBULA X25519 PUBLIC KEY"
	Ed25519PrivateKeyBanner = "NEBULA ED25519 PRIVATE KEY"
	Ed25519PublicKeyBanner  = "NEBULA ED25519 PUBLIC KEY"
)

Variables

// Sentinel errors returned by CA pool and certificate operations; callers
// should compare with errors.Is rather than by string.
var (
	// ErrExpired is returned, together with the pool, by NewCAPoolFromBytes
	// when any loaded CA certificate is expired.
	ErrExpired       = errors.New("certificate is expired")
	// ErrNotCA presumably signals that a certificate offered to the pool does
	// not have IsCA set — confirm against AddCACertificate.
	ErrNotCA         = errors.New("certificate is not a CA")
	// ErrNotSelfSigned presumably signals that a CA candidate carries an Issuer
	// and is therefore not self-signed — confirm against AddCACertificate.
	ErrNotSelfSigned = errors.New("certificate is not self-signed")
)

Functions

func MarshalEd25519PrivateKey

func MarshalEd25519PrivateKey(key ed25519.PrivateKey) []byte

MarshalEd25519PrivateKey is a simple helper to PEM encode an Ed25519 private key

func MarshalEd25519PublicKey

func MarshalEd25519PublicKey(key ed25519.PublicKey) []byte

MarshalEd25519PublicKey is a simple helper to PEM encode an Ed25519 public key

func MarshalX25519PrivateKey

func MarshalX25519PrivateKey(b []byte) []byte

MarshalX25519PrivateKey is a simple helper to PEM encode an X25519 private key

func MarshalX25519PublicKey

func MarshalX25519PublicKey(b []byte) []byte

MarshalX25519PublicKey is a simple helper to PEM encode an X25519 public key

func UnmarshalEd25519PrivateKey

func UnmarshalEd25519PrivateKey(b []byte) (ed25519.PrivateKey, []byte, error)

UnmarshalEd25519PrivateKey will try to PEM decode an Ed25519 private key, returning the key and any remaining (unconsumed) bytes of b, or an error on failure.

func UnmarshalEd25519PublicKey

func UnmarshalEd25519PublicKey(b []byte) (ed25519.PublicKey, []byte, error)

UnmarshalEd25519PublicKey will try to PEM decode an Ed25519 public key, returning the key and any remaining (unconsumed) bytes of b, or an error on failure.

func UnmarshalX25519PrivateKey

func UnmarshalX25519PrivateKey(b []byte) ([]byte, []byte, error)

UnmarshalX25519PrivateKey will try to PEM decode an X25519 private key, returning the key bytes and any remaining (unconsumed) bytes of b, or an error on failure.

func UnmarshalX25519PublicKey

func UnmarshalX25519PublicKey(b []byte) ([]byte, []byte, error)

UnmarshalX25519PublicKey will try to PEM decode an X25519 public key, returning the key bytes and any remaining (unconsumed) bytes of b, or an error on failure.

Types

type NebulaCAPool

// NebulaCAPool holds the set of trusted CA certificates and, in unexported
// fields, the certificate fingerprint blocklist managed by BlocklistFingerprint
// and ResetCertBlocklist.
type NebulaCAPool struct {
	// CAs maps a CA identifier (presumably the CA's Sha256Sum fingerprint —
	// confirm against AddCACertificate) to the trusted CA certificate.
	CAs map[string]*NebulaCertificate
	// contains filtered or unexported fields
}

func NewCAPool

func NewCAPool() *NebulaCAPool

NewCAPool creates a CAPool

func NewCAPoolFromBytes

func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, error)

NewCAPoolFromBytes will create a new CA pool from the provided input bytes, which must be a PEM-encoded set of nebula certificates. If the pool contains any expired certificates, an ErrExpired will be returned along with the pool. The caller must handle any such errors.

func (*NebulaCAPool) AddCACertificate

func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error)

AddCACertificate verifies a Nebula CA certificate and adds it to the pool. Only the first PEM-encoded object is consumed; any remaining bytes are returned. Parsed certificates are verified and must be a CA.

func (*NebulaCAPool) BlocklistFingerprint added in v1.3.0

func (ncp *NebulaCAPool) BlocklistFingerprint(f string)

BlocklistFingerprint adds a cert fingerprint to the blocklist

func (*NebulaCAPool) GetCAForCert

func (ncp *NebulaCAPool) GetCAForCert(c *NebulaCertificate) (*NebulaCertificate, error)

GetCAForCert attempts to return the signing certificate for the provided certificate. No signature validation is performed; the caller must still check the signature (see CheckSignature or Verify).

func (*NebulaCAPool) GetFingerprints

func (ncp *NebulaCAPool) GetFingerprints() []string

GetFingerprints returns an array of trusted CA fingerprints

func (*NebulaCAPool) IsBlocklisted added in v1.3.0

func (ncp *NebulaCAPool) IsBlocklisted(c *NebulaCertificate) bool

IsBlocklisted returns true if the certificate's fingerprint cannot be computed or has been explicitly blocklisted.

func (*NebulaCAPool) ResetCertBlocklist added in v1.3.0

func (ncp *NebulaCAPool) ResetCertBlocklist()

ResetCertBlocklist removes all previously blocklisted cert fingerprints

type NebulaCertificate

// NebulaCertificate is the parsed, in-memory form of a Nebula certificate:
// its details and its signature.
type NebulaCertificate struct {
	// Details carries the certificate fields (name, IPs, subnets, groups,
	// validity window, public key, CA flag, issuer).
	Details   NebulaCertificateDetails
	// Signature is the Ed25519 signature produced by Sign and checked by
	// CheckSignature.
	Signature []byte
}

func UnmarshalNebulaCertificate

func UnmarshalNebulaCertificate(b []byte) (*NebulaCertificate, error)

UnmarshalNebulaCertificate will unmarshal a protobuf byte representation of a Nebula cert.

func UnmarshalNebulaCertificateFromPEM

func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, error)

UnmarshalNebulaCertificateFromPEM will unmarshal the first PEM block in a byte array, returning any unconsumed data, or an error on failure.

func (*NebulaCertificate) CheckRootConstrains added in v1.1.0

func (nc *NebulaCertificate) CheckRootConstrains(signer *NebulaCertificate) error

CheckRootConstrains returns an error if the certificate violates the constraints set on the root (groups, IPs, subnets).

func (*NebulaCertificate) CheckSignature

func (nc *NebulaCertificate) CheckSignature(key ed25519.PublicKey) bool

CheckSignature verifies the certificate's signature against the provided public key.

func (*NebulaCertificate) Copy added in v1.3.0

func (*NebulaCertificate) Expired

func (nc *NebulaCertificate) Expired(t time.Time) bool

Expired will return true if the provided time falls outside the certificate's validity window (before NotBefore or after NotAfter), otherwise false.

func (*NebulaCertificate) Marshal

func (nc *NebulaCertificate) Marshal() ([]byte, error)

Marshal will marshal a nebula cert into a protobuf byte array

func (*NebulaCertificate) MarshalJSON

func (nc *NebulaCertificate) MarshalJSON() ([]byte, error)

func (*NebulaCertificate) MarshalToPEM

func (nc *NebulaCertificate) MarshalToPEM() ([]byte, error)

MarshalToPEM will marshal a nebula cert into a protobuf byte array and pem encode the result

func (*NebulaCertificate) Sha256Sum

func (nc *NebulaCertificate) Sha256Sum() (string, error)

Sha256Sum calculates the SHA-256 sum of the marshaled certificate.

func (*NebulaCertificate) Sign

func (nc *NebulaCertificate) Sign(key ed25519.PrivateKey) error

Sign signs a nebula cert with the provided private key

func (*NebulaCertificate) String

func (nc *NebulaCertificate) String() string

String will return a pretty printed representation of a nebula cert

func (*NebulaCertificate) Verify

func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error)

Verify checks that a certificate is valid in all respects (expiry, group membership, signature, cert blocklist, etc.) and reports the result.

func (*NebulaCertificate) VerifyPrivateKey

func (nc *NebulaCertificate) VerifyPrivateKey(key []byte) error

VerifyPrivateKey checks that the public key in the Nebula certificate and the supplied private key match.

type NebulaCertificateDetails

// NebulaCertificateDetails is the decoded, signed content of a certificate.
type NebulaCertificateDetails struct {
	// Name is the certificate's subject name.
	Name      string
	// Ips are the addresses the certificate is authorised for.
	Ips       []*net.IPNet
	// Subnets are the additional networks the certificate is authorised for.
	Subnets   []*net.IPNet
	// Groups are the group names the certificate claims membership of.
	Groups    []string
	// NotBefore and NotAfter bound the validity window consulted by Expired.
	NotBefore time.Time
	NotAfter  time.Time
	// PublicKey is the raw key bytes; VerifyPrivateKey checks a private key against it.
	PublicKey []byte
	// IsCA marks a certificate that may sign others; required by AddCACertificate.
	IsCA      bool
	// Issuer identifies the signing CA; presumably the string form of the
	// issuer fingerprint carried as bytes in RawNebulaCertificateDetails.Issuer
	// (empty for a self-signed cert) — confirm.
	Issuer    string

	// Map of groups for faster lookup
	InvertedGroups map[string]struct{}
}

type RawNebulaCertificate

// RawNebulaCertificate is the protobuf-generated wire message for a
// certificate; presumably the intermediate form used by Marshal and
// UnmarshalNebulaCertificate — confirm.
type RawNebulaCertificate struct {
	// Details holds the encoded certificate fields.
	Details   *RawNebulaCertificateDetails `protobuf:"bytes,1,opt,name=Details,proto3" json:"Details,omitempty"`
	// Signature is the signature bytes carried alongside Details.
	Signature []byte                       `protobuf:"bytes,2,opt,name=Signature,proto3" json:"Signature,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificate) Descriptor deprecated

func (*RawNebulaCertificate) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificate.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificate) GetDetails

func (*RawNebulaCertificate) GetSignature

func (x *RawNebulaCertificate) GetSignature() []byte

func (*RawNebulaCertificate) ProtoMessage

func (*RawNebulaCertificate) ProtoMessage()

func (*RawNebulaCertificate) ProtoReflect added in v1.4.0

func (x *RawNebulaCertificate) ProtoReflect() protoreflect.Message

func (*RawNebulaCertificate) Reset

func (x *RawNebulaCertificate) Reset()

func (*RawNebulaCertificate) String

func (x *RawNebulaCertificate) String() string

type RawNebulaCertificateDetails

// RawNebulaCertificateDetails is the protobuf-generated wire message for the
// certificate details; NebulaCertificateDetails is its decoded counterpart.
type RawNebulaCertificateDetails struct {
	Name string `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
	// Ips and Subnets are in big endian 32 bit pairs, 1st the ip, 2nd the mask
	Ips       []uint32 `protobuf:"varint,2,rep,packed,name=Ips,proto3" json:"Ips,omitempty"`
	Subnets   []uint32 `protobuf:"varint,3,rep,packed,name=Subnets,proto3" json:"Subnets,omitempty"`
	Groups    []string `protobuf:"bytes,4,rep,name=Groups,proto3" json:"Groups,omitempty"`
	// NotBefore and NotAfter are the validity bounds; presumably Unix seconds — confirm.
	NotBefore int64    `protobuf:"varint,5,opt,name=NotBefore,proto3" json:"NotBefore,omitempty"`
	NotAfter  int64    `protobuf:"varint,6,opt,name=NotAfter,proto3" json:"NotAfter,omitempty"`
	PublicKey []byte   `protobuf:"bytes,7,opt,name=PublicKey,proto3" json:"PublicKey,omitempty"`
	IsCA      bool     `protobuf:"varint,8,opt,name=IsCA,proto3" json:"IsCA,omitempty"`
	// sha-256 of the issuer certificate, if this field is blank the cert is self-signed
	Issuer []byte `protobuf:"bytes,9,opt,name=Issuer,proto3" json:"Issuer,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificateDetails) Descriptor deprecated

func (*RawNebulaCertificateDetails) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificateDetails.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificateDetails) GetGroups

func (x *RawNebulaCertificateDetails) GetGroups() []string

func (*RawNebulaCertificateDetails) GetIps

func (x *RawNebulaCertificateDetails) GetIps() []uint32

func (*RawNebulaCertificateDetails) GetIsCA

func (x *RawNebulaCertificateDetails) GetIsCA() bool

func (*RawNebulaCertificateDetails) GetIssuer

func (x *RawNebulaCertificateDetails) GetIssuer() []byte

func (*RawNebulaCertificateDetails) GetName

func (x *RawNebulaCertificateDetails) GetName() string

func (*RawNebulaCertificateDetails) GetNotAfter

func (x *RawNebulaCertificateDetails) GetNotAfter() int64

func (*RawNebulaCertificateDetails) GetNotBefore

func (x *RawNebulaCertificateDetails) GetNotBefore() int64

func (*RawNebulaCertificateDetails) GetPublicKey

func (x *RawNebulaCertificateDetails) GetPublicKey() []byte

func (*RawNebulaCertificateDetails) GetSubnets

func (x *RawNebulaCertificateDetails) GetSubnets() []uint32

func (*RawNebulaCertificateDetails) ProtoMessage

func (*RawNebulaCertificateDetails) ProtoMessage()

func (*RawNebulaCertificateDetails) ProtoReflect added in v1.4.0

func (*RawNebulaCertificateDetails) Reset

func (x *RawNebulaCertificateDetails) Reset()

func (*RawNebulaCertificateDetails) String

func (x *RawNebulaCertificateDetails) String() string
