Documentation ¶
Index ¶
- Constants
- type ConnectionClaims
- type CustomTokenConfig
- type CustomTokenSignMethod
- type JWTClaims
- type JWTConfig
- func (c *JWTConfig) CreateAndSign(isAck bool, claims *ConnectionClaims, nonce []byte) (token []byte, err error)
- func (c *JWTConfig) Decode(isAck bool, data []byte, previousCert interface{}) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error)
- func (c *JWTConfig) Randomize(token []byte, nonce []byte) (err error)
- func (c *JWTConfig) RetrieveNonce(token []byte) ([]byte, error)
- type TokenEngine
Constants ¶
const ( // MaxServerName must be of UUID size maximum MaxServerName = 36 // NonceLength is the length of the Nonce to be used in the secrets NonceLength = 16 )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ConnectionClaims ¶
type ConnectionClaims struct { T *policy.TagStore // RMT is the nonce of the remote that has to be signed in the JWT RMT []byte // LCL is the nonce of the local node that has to be signed LCL []byte // EK is the ephemeral EC key for encryption EK []byte }
ConnectionClaims captures all the claim information
type CustomTokenConfig ¶
type CustomTokenConfig struct { // ValidityPeriod for the signed token ValidityPeriod time.Duration // Issuer is the server that signs the request Issuer string // SignMethod is the method to use for signing the labels SignMethod CustomTokenSignMethod // Key is an interface for either the Private Key or the Preshared Key Key interface{} // CA is the certificate of the CA that has signed the server keys CA *x509.Certificate // Cert is the certificate of the server Cert *x509.Certificate // CertPEM is a buffer of the PEM file that is send to other servers - Cached for efficiency CertPEM []byte // IncludeCert instructs the engine to transmit the certificate with each token IncludeCert bool // CertPool is pool of certificates that are already distributed out of band PublicKeyCache map[string]*ecdsa.PublicKey }
CustomTokenConfig configures the custom token generator with the standard parameters
func NewPSKCustomToken ¶
func NewPSKCustomToken(validity time.Duration, issuer string, psk []byte) *CustomTokenConfig
NewPSKCustomToken creates a new token generator for custom tokens
func (*CustomTokenConfig) CreateAndSign ¶
func (c *CustomTokenConfig) CreateAndSign(isAck bool, claims *ConnectionClaims) []byte
CreateAndSign creates a buffer for a new custom token and signs the token. Format is Signature, Random Local, Random Remote, Tags separated by the spaces
func (*CustomTokenConfig) Decode ¶
func (c *CustomTokenConfig) Decode(isAck bool, data []byte, previousCert interface{}) (*ConnectionClaims, interface{})
Decode decodes a string into the data structures for a custom token
type CustomTokenSignMethod ¶
type CustomTokenSignMethod int
CustomTokenSignMethod describes the sign methods for the custome tokens
const ( CustomTokenSignMethod = iota // PKI defines a public/private key implementation PKI )PreSharedKey
type JWTClaims ¶
type JWTClaims struct { *ConnectionClaims jwt.StandardClaims }
JWTClaims captures all the custom clains
type JWTConfig ¶
type JWTConfig struct { // ValidityPeriod period of the JWT ValidityPeriod time.Duration // Issuer is the server that issues the JWT Issuer string // contains filtered or unexported fields }
JWTConfig configures the JWT token generator with the standard parameters. One configuration is assigned to each server
func (*JWTConfig) CreateAndSign ¶
func (c *JWTConfig) CreateAndSign(isAck bool, claims *ConnectionClaims, nonce []byte) (token []byte, err error)
CreateAndSign creates a new token, attaches an ephemeral key pair and signs with the issuer key. It also randomizes the source nonce of the token. It returns back the token and the private key.
func (*JWTConfig) Decode ¶
func (c *JWTConfig) Decode(isAck bool, data []byte, previousCert interface{}) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error)
Decode takes as argument the JWT token and the certificate of the issuer. First it verifies the certificate with the local CA pool, and the decodes the JWT if the certificate is trusted
type TokenEngine ¶
type TokenEngine interface { // CreteAndSign creates a token, signs it and produces the final byte string CreateAndSign(isAck bool, claims *ConnectionClaims, nonce []byte) (token []byte, err error) // Decode decodes an incoming buffer and returns the claims and the sender certificate Decode(isAck bool, data []byte, previousCert interface{}) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error) // Randomize inserts a source nonce in an existing token - New nonce will be // create every time the token is transmitted as a challenge to the other side // even when the token is cached. There should be space in the token already. // Returns an error if there is no space Randomize([]byte, []byte) (err error) // RetrieveNonce retrieves the nonce from the token only. Returns the nonce // or an error if the nonce cannot be decoded RetrieveNonce([]byte) ([]byte, error) }
TokenEngine is the interface to the different implementations of tokens