tokens

package
v10.354.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 23, 2021 License: Apache-2.0 Imports: 29 Imported by: 3

Documentation

Index

Constants

View Source
const (
	// MaxServerName must be of UUID size maximum
	MaxServerName = 24
	// NonceLength is the length of the Nonce to be used in the secrets
	NonceLength = 16
)
View Source
const ClaimsEncodedBufSize = 1400

ClaimsEncodedBufSize is the size of maximum buffer that is required for claims to be serialized into

Variables

View Source
var (
	ErrTokenTooSmall           = errors.New("randomize: token is small")
	ErrTokenEncodeFailed       = errors.New("unable to encode token")
	ErrTokenHashFailed         = errors.New("unable to hash token")
	ErrTokenSignFailed         = errors.New("unable to sign token")
	ErrSharedSecretMissing     = errors.New("secret not found")
	ErrInvalidSecret           = errors.New("invalid secret")
	ErrInvalidTokenLength      = errors.New("not enough data")
	ErrMissingSignature        = errors.New("signature is missing")
	ErrInvalidSignature        = errors.New("invalid signature")
	ErrCompressedTagMismatch   = errors.New("Compressed tag mismatch")
	ErrDatapathVersionMismatch = errors.New("Datapath version mismatch")
	ErrTokenDecodeFailed       = errors.New("unable to decode token")
	ErrTokenExpired            = errors.New("token expired")
	ErrSignatureMismatch       = errors.New("signature mismatch")
	ErrSharedKeyHashFailed     = errors.New("unable to hash shared key")
	ErrPublicKeyFailed         = errors.New("unable to verify public key")
)

Custom errors used by this package.

View Source
var AckPattern = []byte("PANWIDENTITY")

AckPattern is added in SYN and ACK tokens.

Functions

func CopyToConnectionClaims

func CopyToConnectionClaims(b *BinaryJWTClaims, connClaims *ConnectionClaims)

CopyToConnectionClaims copies the binary jwt claims to connection claims

Types

type BinaryJWTClaims

type BinaryJWTClaims struct {
	// Tags
	T []string `codec:",omitempty"`
	// Compressed tags
	CT []string `codec:",omitempty"`
	// RMT is the nonce of the remote that has to be signed in the JWT
	RMT []byte `codec:",omitempty"`
	// LCL is the nonce of the local node that has to be signed
	LCL []byte `codec:",omitempty"`
	// DEK is the datapath ephemeral keys used to derived shared keys during the handshake
	DEK []byte `codec:",omitempty"`
	// SDEK is the signature of the ephemeral key
	SDEK []byte `codec:",omitempty"`
	// ID is the source PU ID
	ID string `codec:",omitempty"`
	// Expiration time
	ExpiresAt int64 `codec:",omitempty"`
	// SignerKey
	SignerKey []byte `codec:",omitempty"`
	// P holds the ping payload
	P *policy.PingPayload `codec:",omitempty"`
	// DEKV2 is the datapath ephemeral key V2 used to derived shared keys during the handshake
	DEKV2 []byte `codec:",omitempty"`
	// SDEK is the signature of the ephemeral key V2
	SDEKV2 []byte `codec:",omitempty"`
}

BinaryJWTClaims captures all the custom claims

func ConvertToBinaryClaims

func ConvertToBinaryClaims(j *ConnectionClaims, validity time.Duration) *BinaryJWTClaims

ConvertToBinaryClaims coverts back,

func (*BinaryJWTClaims) CodecDecodeSelf

func (x *BinaryJWTClaims) CodecDecodeSelf(d *codec1978.Decoder)

func (*BinaryJWTClaims) CodecEncodeSelf

func (x *BinaryJWTClaims) CodecEncodeSelf(e *codec1978.Encoder)

func (*BinaryJWTClaims) IsCodecEmpty

func (x *BinaryJWTClaims) IsCodecEmpty() bool

type BinaryJWTConfig

type BinaryJWTConfig struct {
	// ValidityPeriod  period of the JWT
	ValidityPeriod time.Duration
	// Issuer is the server that issues the JWT
	Issuer string
	// contains filtered or unexported fields
}

BinaryJWTConfig configures the JWT token generator with the standard parameters. One configuration is assigned to each server

func NewBinaryJWT

func NewBinaryJWT(validity time.Duration, issuer string) (*BinaryJWTConfig, error)

NewBinaryJWT creates a new JWT token processor

func (*BinaryJWTConfig) CreateAckToken

func (c *BinaryJWTConfig) CreateAckToken(proto314 bool, secretKey []byte, claims *ConnectionClaims, encodedBuf []byte, header *claimsheader.ClaimsHeader) ([]byte, error)

CreateAckToken creates ack token which is attached to the ack packet.

func (*BinaryJWTConfig) CreateSynAckToken

func (c *BinaryJWTConfig) CreateSynAckToken(proto314 bool, claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error)

CreateSynAckToken creates syn/ack token which is attached to the syn/ack packet.

func (*BinaryJWTConfig) CreateSynToken

func (c *BinaryJWTConfig) CreateSynToken(claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error)

CreateSynToken creates the token which is attached to the tcp syn packet.

func (*BinaryJWTConfig) DecodeAck

func (c *BinaryJWTConfig) DecodeAck(proto314 bool, secretKey []byte, data []byte, connClaims *ConnectionClaims) error

DecodeAck decodes the ack packet token

func (*BinaryJWTConfig) DecodeSyn

func (c *BinaryJWTConfig) DecodeSyn(isSynAck bool, data []byte, privateKey *ephemeralkeys.PrivateKey, secrets secrets.Secrets, connClaims *ConnectionClaims) ([]byte, *claimsheader.ClaimsHeader, []byte, *pkiverifier.PKIControllerInfo, bool, error)

DecodeSyn takes as argument the JWT token and the certificate of the issuer. First it verifies the certificate with the local CA pool, and the decodes the JWT if the certificate is trusted

func (*BinaryJWTConfig) Randomize

func (c *BinaryJWTConfig) Randomize(token []byte, nonce []byte) error

Randomize puts the random nonce in the syn token

func (*BinaryJWTConfig) Sign

func (c *BinaryJWTConfig) Sign(buf []byte, key *ecdsa.PrivateKey) ([]byte, error)

Sign takes in a slice of bytes and a private key, and returns a ecdsa signature.

type ConnectionClaims

type ConnectionClaims struct {
	T *policy.TagStore `json:",omitempty"`
	// RMT is the nonce of the remote that has to be signed in the JWT
	RMT []byte `json:",omitempty"`
	// LCL is the nonce of the local node that has to be signed
	LCL []byte `json:",omitempty"`
	// DEKV1 is the datapath ephemeral keys used to derived shared keys during the handshake
	DEKV1 []byte `json:",omitempty"`
	// SDEKV1 is the signature of the ephemeral key
	SDEKV1 []byte `json:",omitempty"`
	// C is the compressed tags in one string
	CT *policy.TagStore `json:",omitempty"`
	// ID is the source PU ID
	ID string `json:",omitempty"`
	// RemoteID is the ID of the remote if known.
	RemoteID string `json:",omitempty"`
	// H is the claims header
	H claimsheader.HeaderBytes `json:",omitempty"`
	// P holds the ping payload
	P *policy.PingPayload `codec:",omitempty"`
	// DEKV2 is the datapath ephemeral keys used to derived shared keys during the handshake
	DEKV2 []byte `json:",omitempty"`
	// SDEKV2 is the signature of the ephemeral key
	SDEKV2 []byte `json:",omitempty"`
}

ConnectionClaims captures all the claim information

type JWTClaims

type JWTClaims struct {
	*ConnectionClaims
	jwt.StandardClaims
}

JWTClaims captures all the custom clains

func ConvertToJWTClaims

func ConvertToJWTClaims(b *BinaryJWTClaims) *JWTClaims

ConvertToJWTClaims converts to old claims

func (*JWTClaims) CodecDecodeSelf

func (x *JWTClaims) CodecDecodeSelf(d *codec1978.Decoder)

func (*JWTClaims) CodecEncodeSelf

func (x *JWTClaims) CodecEncodeSelf(e *codec1978.Encoder)

func (*JWTClaims) IsCodecEmpty

func (x *JWTClaims) IsCodecEmpty() bool

type JWTConfig

type JWTConfig struct {
	// ValidityPeriod  period of the JWT
	ValidityPeriod time.Duration
	// Issuer is the server that issues the JWT
	Issuer string
	// contains filtered or unexported fields
}

JWTConfig configures the JWT token generator with the standard parameters. One configuration is assigned to each server

func NewJWT

func NewJWT(validity time.Duration, issuer string, s secrets.Secrets) (*JWTConfig, error)

NewJWT creates a new JWT token processor

func (*JWTConfig) CreateAndSign

func (c *JWTConfig) CreateAndSign(isAck bool, claims *ConnectionClaims, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets) (token []byte, err error)

CreateAndSign creates a new token, attaches an ephemeral key pair and signs with the issuer key. It also randomizes the source nonce of the token. It returns back the token and the private key.

func (*JWTConfig) Decode

func (c *JWTConfig) Decode(isAck bool, data []byte, previousCert interface{}, secrets secrets.Secrets) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error)

Decode takes as argument the JWT token and the certificate of the issuer. First it verifies the certificate with the local CA pool, and the decodes the JWT if the certificate is trusted

func (*JWTConfig) Randomize

func (c *JWTConfig) Randomize(token []byte, nonce []byte) (err error)

Randomize adds a nonce to an existing token. Returns the nonce

type TokenEngine

type TokenEngine interface {
	// CreteAndSign creates a token, signs it and produces the final byte string
	CreateSynToken(claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error)
	CreateSynAckToken(proto314 bool, claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error)
	CreateAckToken(proto314 bool, secretKey []byte, claims *ConnectionClaims, encodedBuf []byte, header *claimsheader.ClaimsHeader) ([]byte, error)

	DecodeSyn(isSynAck bool, data []byte, privateKey *ephemeralkeys.PrivateKey, secrets secrets.Secrets, connClaims *ConnectionClaims) ([]byte, *claimsheader.ClaimsHeader, []byte, *pkiverifier.PKIControllerInfo, bool, error)
	DecodeAck(proto314 bool, secretKey []byte, data []byte, connClaims *ConnectionClaims) error

	// Randomize inserts a source nonce in an existing token - New nonce will be
	// create every time the token is transmitted as a challenge to the other side
	// even when the token is cached. There should be space in the token already.
	// Returns an error if there is no space
	Randomize([]byte, []byte) (err error)
	Sign([]byte, *ecdsa.PrivateKey) ([]byte, error)
}

TokenEngine is the interface to the different implementations of tokens

Directories

Path Synopsis
Package mocktokens is a generated GoMock package.
Package mocktokens is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL