cert

package
v1.7.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 1, 2023 License: MIT Imports: 29 Imported by: 14

README

cert

This is a library for interacting with nebula style certificates and authorities.

A protobuf definition of the certificate format is also included

Compiling the protobuf definition

Make sure you have protoc installed.

To compile for go with the same version of protobuf specified in go.mod:

make

Documentation

Index

Constants

View Source 
const (
	CertBanner                       = "NEBULA CERTIFICATE"
	X25519PrivateKeyBanner           = "NEBULA X25519 PRIVATE KEY"
	X25519PublicKeyBanner            = "NEBULA X25519 PUBLIC KEY"
	EncryptedEd25519PrivateKeyBanner = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
	Ed25519PrivateKeyBanner          = "NEBULA ED25519 PRIVATE KEY"
	Ed25519PublicKeyBanner           = "NEBULA ED25519 PUBLIC KEY"

	P256PrivateKeyBanner               = "NEBULA P256 PRIVATE KEY"
	P256PublicKeyBanner                = "NEBULA P256 PUBLIC KEY"
	EncryptedECDSAP256PrivateKeyBanner = "NEBULA ECDSA P256 ENCRYPTED PRIVATE KEY"
	ECDSAP256PrivateKeyBanner          = "NEBULA ECDSA P256 PRIVATE KEY"
)

Variables

View Source 
var (
	Curve_name = map[int32]string{
		0: "CURVE25519",
		1: "P256",
	}
	Curve_value = map[string]int32{
		"CURVE25519": 0,
		"P256":       1,
	}
)

Enum value maps for Curve.

View Source 
var (
	ErrRootExpired       = errors.New("root certificate is expired")
	ErrExpired           = errors.New("certificate is expired")
	ErrNotCA             = errors.New("certificate is not a CA")
	ErrNotSelfSigned     = errors.New("certificate is not self-signed")
	ErrBlockListed       = errors.New("certificate is in the block list")
	ErrSignatureMismatch = errors.New("certificate signature did not match")
)
View Source 
var ErrPrivateKeyEncrypted = errors.New("private key must be decrypted")

Returned if we try to unmarshal an encrypted private key without a passphrase

View Source 
var File_cert_proto protoreflect.FileDescriptor

Functions

func EncryptAndMarshalSigningPrivateKey added in v1.7.0 

func EncryptAndMarshalSigningPrivateKey(curve Curve, b []byte, passphrase []byte, kdfParams *Argon2Parameters) ([]byte, error)

EncryptAndMarshalSigningPrivateKey is a simple helper to encrypt and PEM encode a private key

func MarshalEd25519PrivateKey 

func MarshalEd25519PrivateKey(key ed25519.PrivateKey) []byte

MarshalEd25519PrivateKey is a simple helper to PEM encode an Ed25519 private key

func MarshalEd25519PublicKey 

func MarshalEd25519PublicKey(key ed25519.PublicKey) []byte

MarshalEd25519PublicKey is a simple helper to PEM encode an Ed25519 public key

func MarshalPrivateKey added in v1.7.0 

func MarshalPrivateKey(curve Curve, b []byte) []byte

func MarshalPublicKey added in v1.7.0 

func MarshalPublicKey(curve Curve, b []byte) []byte

func MarshalSigningPrivateKey added in v1.7.0 

func MarshalSigningPrivateKey(curve Curve, b []byte) []byte

func MarshalX25519PrivateKey 

func MarshalX25519PrivateKey(b []byte) []byte

MarshalX25519PrivateKey is a simple helper to PEM encode an X25519 private key

func MarshalX25519PublicKey 

func MarshalX25519PublicKey(b []byte) []byte

MarshalX25519PublicKey is a simple helper to PEM encode an X25519 public key

func UnmarshalEd25519PrivateKey 

func UnmarshalEd25519PrivateKey(b []byte) (ed25519.PrivateKey, []byte, error)

UnmarshalEd25519PrivateKey will try to pem decode an Ed25519 private key, returning any other bytes b or an error on failure

func UnmarshalEd25519PublicKey 

func UnmarshalEd25519PublicKey(b []byte) (ed25519.PublicKey, []byte, error)

UnmarshalEd25519PublicKey will try to pem decode an Ed25519 public key, returning any other bytes b or an error on failure

func UnmarshalX25519PrivateKey 

func UnmarshalX25519PrivateKey(b []byte) ([]byte, []byte, error)

UnmarshalX25519PrivateKey will try to pem decode an X25519 private key, returning any other bytes b or an error on failure

func UnmarshalX25519PublicKey 

func UnmarshalX25519PublicKey(b []byte) ([]byte, []byte, error)

UnmarshalX25519PublicKey will try to pem decode an X25519 public key, returning any other bytes b or an error on failure

Types

type Argon2Parameters added in v1.7.0 

type Argon2Parameters struct {
	Memory      uint32 // KiB
	Parallelism uint8
	Iterations  uint32
	// contains filtered or unexported fields
}

KDF factors

func NewArgon2Parameters added in v1.7.0 

func NewArgon2Parameters(memory uint32, parallelism uint8, iterations uint32) *Argon2Parameters

Returns a new Argon2Parameters object with current version set

type Curve added in v1.7.0 

type Curve int32
const (
	Curve_CURVE25519 Curve = 0
	Curve_P256       Curve = 1
)

func DecryptAndUnmarshalSigningPrivateKey added in v1.7.0 

func DecryptAndUnmarshalSigningPrivateKey(passphrase, b []byte) (Curve, []byte, []byte, error)

DecryptAndUnmarshalSigningPrivateKey will try to pem decode and decrypt an Ed25519/ECDSA private key with the given passphrase, returning any other bytes b or an error on failure

func UnmarshalPrivateKey added in v1.7.0 

func UnmarshalPrivateKey(b []byte) ([]byte, []byte, Curve, error)

func UnmarshalPublicKey added in v1.7.0 

func UnmarshalPublicKey(b []byte) ([]byte, []byte, Curve, error)

func UnmarshalSigningPrivateKey added in v1.7.0 

func UnmarshalSigningPrivateKey(b []byte) ([]byte, []byte, Curve, error)

func (Curve) Descriptor added in v1.7.0 

func (Curve) Descriptor() protoreflect.EnumDescriptor

func (Curve) Enum added in v1.7.0 

func (x Curve) Enum() *Curve

func (Curve) EnumDescriptor deprecated added in v1.7.0 

func (Curve) EnumDescriptor() ([]byte, []int)

Deprecated: Use Curve.Descriptor instead.

func (Curve) Number added in v1.7.0 

func (x Curve) Number() protoreflect.EnumNumber

func (Curve) String added in v1.7.0 

func (x Curve) String() string

func (Curve) Type added in v1.7.0 

func (Curve) Type() protoreflect.EnumType

type NebulaCAPool 

type NebulaCAPool struct {
	CAs map[string]*NebulaCertificate
	// contains filtered or unexported fields
}

func NewCAPool 

func NewCAPool() *NebulaCAPool

NewCAPool creates a CAPool

func NewCAPoolFromBytes 

func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, error)

NewCAPoolFromBytes will create a new CA pool from the provided input bytes, which must be a PEM-encoded set of nebula certificates. If the pool contains any expired certificates, an ErrExpired will be returned along with the pool. The caller must handle any such errors.

func (*NebulaCAPool) AddCACertificate 

func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error)

AddCACertificate verifies a Nebula CA certificate and adds it to the pool Only the first pem encoded object will be consumed, any remaining bytes are returned. Parsed certificates will be verified and must be a CA

func (*NebulaCAPool) BlocklistFingerprint added in v1.3.0 

func (ncp *NebulaCAPool) BlocklistFingerprint(f string)

BlocklistFingerprint adds a cert fingerprint to the blocklist

func (*NebulaCAPool) GetCAForCert 

func (ncp *NebulaCAPool) GetCAForCert(c *NebulaCertificate) (*NebulaCertificate, error)

GetCAForCert attempts to return the signing certificate for the provided certificate. No signature validation is performed

func (*NebulaCAPool) GetFingerprints 

func (ncp *NebulaCAPool) GetFingerprints() []string

GetFingerprints returns an array of trusted CA fingerprints

func (*NebulaCAPool) IsBlocklisted added in v1.3.0 

func (ncp *NebulaCAPool) IsBlocklisted(c *NebulaCertificate) bool

NOTE: This uses an internal cache for Sha256Sum() that will not be invalidated automatically if you manually change any fields in the NebulaCertificate.

func (*NebulaCAPool) ResetCertBlocklist added in v1.3.0 

func (ncp *NebulaCAPool) ResetCertBlocklist()

ResetCertBlocklist removes all previously blocklisted cert fingerprints

type NebulaCertificate 

type NebulaCertificate struct {
	Details   NebulaCertificateDetails
	Signature []byte
	// contains filtered or unexported fields
}

func UnmarshalNebulaCertificate 

func UnmarshalNebulaCertificate(b []byte) (*NebulaCertificate, error)

UnmarshalNebulaCertificate will unmarshal a protobuf byte representation of a nebula cert

func UnmarshalNebulaCertificateFromPEM 

func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, error)

UnmarshalNebulaCertificateFromPEM will unmarshal the first pem block in a byte array, returning any non consumed data or an error on failure

func (*NebulaCertificate) CheckRootConstrains added in v1.1.0 

func (nc *NebulaCertificate) CheckRootConstrains(signer *NebulaCertificate) error

CheckRootConstrains returns an error if the certificate violates constraints set on the root (groups, ips, subnets)

func (*NebulaCertificate) CheckSignature 

func (nc *NebulaCertificate) CheckSignature(key []byte) bool

CheckSignature verifies the signature against the provided public key

func (*NebulaCertificate) Copy added in v1.3.0 

func (nc *NebulaCertificate) Copy() *NebulaCertificate

func (*NebulaCertificate) Expired 

func (nc *NebulaCertificate) Expired(t time.Time) bool

Expired will return true if the nebula cert is too young or too old compared to the provided time, otherwise false

func (*NebulaCertificate) Marshal 

func (nc *NebulaCertificate) Marshal() ([]byte, error)

Marshal will marshal a nebula cert into a protobuf byte array

func (*NebulaCertificate) MarshalJSON 

func (nc *NebulaCertificate) MarshalJSON() ([]byte, error)

func (*NebulaCertificate) MarshalToPEM 

func (nc *NebulaCertificate) MarshalToPEM() ([]byte, error)

MarshalToPEM will marshal a nebula cert into a protobuf byte array and pem encode the result

func (*NebulaCertificate) ResetCache added in v1.7.0 

func (nc *NebulaCertificate) ResetCache()

ResetCache resets the cache used by VerifyWithCache.

func (*NebulaCertificate) Sha256Sum 

func (nc *NebulaCertificate) Sha256Sum() (string, error)

Sha256Sum calculates a sha-256 sum of the marshaled certificate

func (*NebulaCertificate) Sign 

func (nc *NebulaCertificate) Sign(curve Curve, key []byte) error

Sign signs a nebula cert with the provided private key

func (*NebulaCertificate) String 

func (nc *NebulaCertificate) String() string

String will return a pretty printed representation of a nebula cert

func (*NebulaCertificate) Verify 

func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error)

Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)

func (*NebulaCertificate) VerifyPrivateKey 

func (nc *NebulaCertificate) VerifyPrivateKey(curve Curve, key []byte) error

VerifyPrivateKey checks that the public key in the Nebula certificate and a supplied private key match

func (*NebulaCertificate) VerifyWithCache added in v1.7.0 

func (nc *NebulaCertificate) VerifyWithCache(t time.Time, ncp *NebulaCAPool) (bool, error)

VerifyWithCache will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)

NOTE: This uses an internal cache that will not be invalidated automatically if you manually change any fields in the NebulaCertificate.

type NebulaCertificateDetails 

type NebulaCertificateDetails struct {
	Name      string
	Ips       []*net.IPNet
	Subnets   []*net.IPNet
	Groups    []string
	NotBefore time.Time
	NotAfter  time.Time
	PublicKey []byte
	IsCA      bool
	Issuer    string

	// Map of groups for faster lookup
	InvertedGroups map[string]struct{}

	Curve Curve
}

type NebulaEncryptedData added in v1.7.0 

type NebulaEncryptedData struct {
	EncryptionMetadata NebulaEncryptionMetadata
	Ciphertext         []byte
}

func UnmarshalNebulaEncryptedData added in v1.7.0 

func UnmarshalNebulaEncryptedData(b []byte) (*NebulaEncryptedData, error)

UnmarshalNebulaCertificate will unmarshal a protobuf byte representation of a nebula cert into its protobuf-generated struct.

type NebulaEncryptionMetadata added in v1.7.0 

type NebulaEncryptionMetadata struct {
	EncryptionAlgorithm string
	Argon2Parameters    Argon2Parameters
}

type RawNebulaArgon2Parameters added in v1.7.0 

type RawNebulaArgon2Parameters struct {
	Version     int32  `protobuf:"varint,1,opt,name=version,proto3" json:"version,omitempty"` // rune in Go
	Memory      uint32 `protobuf:"varint,2,opt,name=memory,proto3" json:"memory,omitempty"`
	Parallelism uint32 `protobuf:"varint,4,opt,name=parallelism,proto3" json:"parallelism,omitempty"` // uint8 in Go
	Iterations  uint32 `protobuf:"varint,3,opt,name=iterations,proto3" json:"iterations,omitempty"`
	Salt        []byte `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaArgon2Parameters) Descriptor deprecated added in v1.7.0 

func (*RawNebulaArgon2Parameters) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaArgon2Parameters.ProtoReflect.Descriptor instead.

func (*RawNebulaArgon2Parameters) GetIterations added in v1.7.0 

func (x *RawNebulaArgon2Parameters) GetIterations() uint32

func (*RawNebulaArgon2Parameters) GetMemory added in v1.7.0 

func (x *RawNebulaArgon2Parameters) GetMemory() uint32

func (*RawNebulaArgon2Parameters) GetParallelism added in v1.7.0 

func (x *RawNebulaArgon2Parameters) GetParallelism() uint32

func (*RawNebulaArgon2Parameters) GetSalt added in v1.7.0 

func (x *RawNebulaArgon2Parameters) GetSalt() []byte

func (*RawNebulaArgon2Parameters) GetVersion added in v1.7.0 

func (x *RawNebulaArgon2Parameters) GetVersion() int32

func (*RawNebulaArgon2Parameters) ProtoMessage added in v1.7.0 

func (*RawNebulaArgon2Parameters) ProtoMessage()

func (*RawNebulaArgon2Parameters) ProtoReflect added in v1.7.0 

func (x *RawNebulaArgon2Parameters) ProtoReflect() protoreflect.Message

func (*RawNebulaArgon2Parameters) Reset added in v1.7.0 

func (x *RawNebulaArgon2Parameters) Reset()

func (*RawNebulaArgon2Parameters) String added in v1.7.0 

func (x *RawNebulaArgon2Parameters) String() string

type RawNebulaCertificate 

type RawNebulaCertificate struct {
	Details   *RawNebulaCertificateDetails `protobuf:"bytes,1,opt,name=Details,proto3" json:"Details,omitempty"`
	Signature []byte                       `protobuf:"bytes,2,opt,name=Signature,proto3" json:"Signature,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificate) Descriptor deprecated 

func (*RawNebulaCertificate) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificate.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificate) GetDetails 

func (x *RawNebulaCertificate) GetDetails() *RawNebulaCertificateDetails

func (*RawNebulaCertificate) GetSignature 

func (x *RawNebulaCertificate) GetSignature() []byte

func (*RawNebulaCertificate) ProtoMessage 

func (*RawNebulaCertificate) ProtoMessage()

func (*RawNebulaCertificate) ProtoReflect added in v1.4.0 

func (x *RawNebulaCertificate) ProtoReflect() protoreflect.Message

func (*RawNebulaCertificate) Reset 

func (x *RawNebulaCertificate) Reset()

func (*RawNebulaCertificate) String 

func (x *RawNebulaCertificate) String() string

type RawNebulaCertificateDetails 

type RawNebulaCertificateDetails struct {
	Name string `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
	// Ips and Subnets are in big endian 32 bit pairs, 1st the ip, 2nd the mask
	Ips       []uint32 `protobuf:"varint,2,rep,packed,name=Ips,proto3" json:"Ips,omitempty"`
	Subnets   []uint32 `protobuf:"varint,3,rep,packed,name=Subnets,proto3" json:"Subnets,omitempty"`
	Groups    []string `protobuf:"bytes,4,rep,name=Groups,proto3" json:"Groups,omitempty"`
	NotBefore int64    `protobuf:"varint,5,opt,name=NotBefore,proto3" json:"NotBefore,omitempty"`
	NotAfter  int64    `protobuf:"varint,6,opt,name=NotAfter,proto3" json:"NotAfter,omitempty"`
	PublicKey []byte   `protobuf:"bytes,7,opt,name=PublicKey,proto3" json:"PublicKey,omitempty"`
	IsCA      bool     `protobuf:"varint,8,opt,name=IsCA,proto3" json:"IsCA,omitempty"`
	// sha-256 of the issuer certificate, if this field is blank the cert is self-signed
	Issuer []byte `protobuf:"bytes,9,opt,name=Issuer,proto3" json:"Issuer,omitempty"`
	Curve  Curve  `protobuf:"varint,100,opt,name=curve,proto3,enum=cert.Curve" json:"curve,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificateDetails) Descriptor deprecated 

func (*RawNebulaCertificateDetails) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificateDetails.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificateDetails) GetCurve added in v1.7.0 

func (x *RawNebulaCertificateDetails) GetCurve() Curve

func (*RawNebulaCertificateDetails) GetGroups 

func (x *RawNebulaCertificateDetails) GetGroups() []string

func (*RawNebulaCertificateDetails) GetIps 

func (x *RawNebulaCertificateDetails) GetIps() []uint32

func (*RawNebulaCertificateDetails) GetIsCA 

func (x *RawNebulaCertificateDetails) GetIsCA() bool

func (*RawNebulaCertificateDetails) GetIssuer 

func (x *RawNebulaCertificateDetails) GetIssuer() []byte

func (*RawNebulaCertificateDetails) GetName 

func (x *RawNebulaCertificateDetails) GetName() string

func (*RawNebulaCertificateDetails) GetNotAfter 

func (x *RawNebulaCertificateDetails) GetNotAfter() int64

func (*RawNebulaCertificateDetails) GetNotBefore 

func (x *RawNebulaCertificateDetails) GetNotBefore() int64

func (*RawNebulaCertificateDetails) GetPublicKey 

func (x *RawNebulaCertificateDetails) GetPublicKey() []byte

func (*RawNebulaCertificateDetails) GetSubnets 

func (x *RawNebulaCertificateDetails) GetSubnets() []uint32

func (*RawNebulaCertificateDetails) ProtoMessage 

func (*RawNebulaCertificateDetails) ProtoMessage()

func (*RawNebulaCertificateDetails) ProtoReflect added in v1.4.0 

func (x *RawNebulaCertificateDetails) ProtoReflect() protoreflect.Message

func (*RawNebulaCertificateDetails) Reset 

func (x *RawNebulaCertificateDetails) Reset()

func (*RawNebulaCertificateDetails) String 

func (x *RawNebulaCertificateDetails) String() string

type RawNebulaEncryptedData added in v1.7.0 

type RawNebulaEncryptedData struct {
	EncryptionMetadata *RawNebulaEncryptionMetadata `protobuf:"bytes,1,opt,name=EncryptionMetadata,proto3" json:"EncryptionMetadata,omitempty"`
	Ciphertext         []byte                       `protobuf:"bytes,2,opt,name=Ciphertext,proto3" json:"Ciphertext,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaEncryptedData) Descriptor deprecated added in v1.7.0 

func (*RawNebulaEncryptedData) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaEncryptedData.ProtoReflect.Descriptor instead.

func (*RawNebulaEncryptedData) GetCiphertext added in v1.7.0 

func (x *RawNebulaEncryptedData) GetCiphertext() []byte

func (*RawNebulaEncryptedData) GetEncryptionMetadata added in v1.7.0 

func (x *RawNebulaEncryptedData) GetEncryptionMetadata() *RawNebulaEncryptionMetadata

func (*RawNebulaEncryptedData) ProtoMessage added in v1.7.0 

func (*RawNebulaEncryptedData) ProtoMessage()

func (*RawNebulaEncryptedData) ProtoReflect added in v1.7.0 

func (x *RawNebulaEncryptedData) ProtoReflect() protoreflect.Message

func (*RawNebulaEncryptedData) Reset added in v1.7.0 

func (x *RawNebulaEncryptedData) Reset()

func (*RawNebulaEncryptedData) String added in v1.7.0 

func (x *RawNebulaEncryptedData) String() string

type RawNebulaEncryptionMetadata added in v1.7.0 

type RawNebulaEncryptionMetadata struct {
	EncryptionAlgorithm string                     `protobuf:"bytes,1,opt,name=EncryptionAlgorithm,proto3" json:"EncryptionAlgorithm,omitempty"`
	Argon2Parameters    *RawNebulaArgon2Parameters `protobuf:"bytes,2,opt,name=Argon2Parameters,proto3" json:"Argon2Parameters,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaEncryptionMetadata) Descriptor deprecated added in v1.7.0 

func (*RawNebulaEncryptionMetadata) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaEncryptionMetadata.ProtoReflect.Descriptor instead.

func (*RawNebulaEncryptionMetadata) GetArgon2Parameters added in v1.7.0 

func (x *RawNebulaEncryptionMetadata) GetArgon2Parameters() *RawNebulaArgon2Parameters

func (*RawNebulaEncryptionMetadata) GetEncryptionAlgorithm added in v1.7.0 

func (x *RawNebulaEncryptionMetadata) GetEncryptionAlgorithm() string

func (*RawNebulaEncryptionMetadata) ProtoMessage added in v1.7.0 

func (*RawNebulaEncryptionMetadata) ProtoMessage()

func (*RawNebulaEncryptionMetadata) ProtoReflect added in v1.7.0 

func (x *RawNebulaEncryptionMetadata) ProtoReflect() protoreflect.Message

func (*RawNebulaEncryptionMetadata) Reset added in v1.7.0 

func (x *RawNebulaEncryptionMetadata) Reset()

func (*RawNebulaEncryptionMetadata) String added in v1.7.0 

func (x *RawNebulaEncryptionMetadata) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.