v2

package
Published: Oct 17, 2024 License: MIT Imports: 29 Imported by: 0

Documentation


Constants

// PEM banners (the "-----BEGIN <banner>-----" labels) written and matched by the
// Marshal*/Unmarshal* helpers in this package. Two families of keys exist and
// must not be confused:
//   - X25519 / P256 banners: the key-agreement keys, presumably the ones handled
//     by MarshalPrivateKey / MarshalPublicKey / UnmarshalPrivateKey / UnmarshalPublicKey.
//   - Ed25519 / ECDSA P256 banners: the certificate-signing keys handled by
//     MarshalSigningPrivateKey / UnmarshalSigningPrivateKey and used by Sign.
// The "ENCRYPTED" banners mark a passphrase-protected signing key, produced by
// EncryptAndMarshalSigningPrivateKey and read back by
// DecryptAndUnmarshalSigningPrivateKey; handing one to a passphrase-less
// Unmarshal* helper yields ErrPrivateKeyEncrypted.
const (
	// CertBanner wraps a protobuf-serialized NebulaCertificate (see MarshalToPEM).
	CertBanner                       = "NEBULA CERTIFICATE"
	X25519PrivateKeyBanner           = "NEBULA X25519 PRIVATE KEY"
	X25519PublicKeyBanner            = "NEBULA X25519 PUBLIC KEY"
	EncryptedEd25519PrivateKeyBanner = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
	Ed25519PrivateKeyBanner          = "NEBULA ED25519 PRIVATE KEY"
	Ed25519PublicKeyBanner           = "NEBULA ED25519 PUBLIC KEY"

	// P256 (ECDH) keys below are distinct from the ECDSA P256 signing keys that
	// follow them, even though both live on the same curve.
	P256PrivateKeyBanner               = "NEBULA P256 PRIVATE KEY"
	P256PublicKeyBanner                = "NEBULA P256 PUBLIC KEY"
	EncryptedECDSAP256PrivateKeyBanner = "NEBULA ECDSA P256 ENCRYPTED PRIVATE KEY"
	ECDSAP256PrivateKeyBanner          = "NEBULA ECDSA P256 PRIVATE KEY"
)

Variables

// Curve_name and Curve_value are the protobuf-generated lookup tables for the
// Curve enum: wire value -> name and name -> wire value. Only CURVE25519 (0)
// and P256 (1) are defined; any other value found in a certificate's curve
// field has no entry here and yields the map zero value on lookup.
var (
	Curve_name = map[int32]string{
		0: "CURVE25519",
		1: "P256",
	}
	Curve_value = map[string]int32{
		"CURVE25519": 0,
		"P256":       1,
	}
)

Enum value maps for Curve, generated from the protobuf definition: Curve_name maps a wire value to its name and Curve_value the reverse.

// Sentinel errors returned by certificate and CA-pool validation (Verify,
// VerifyWithCache, AddCACertificate, NewCAPoolFromBytes). Compare with
// errors.Is so that wrapped errors still match.
var (
	// ErrRootExpired: the CA that signed the certificate is outside its own validity window.
	ErrRootExpired       = errors.New("root certificate is expired")
	// ErrExpired: the certificate itself is outside its NotBefore/NotAfter window.
	// NewCAPoolFromBytes also returns it (together with a usable pool) when any loaded CA is expired.
	ErrExpired           = errors.New("certificate is expired")
	// ErrNotCA: a certificate without IsCA set was offered where a CA is required (AddCACertificate).
	ErrNotCA             = errors.New("certificate is not a CA")
	// ErrNotSelfSigned: a CA certificate carries an Issuer, i.e. it is not a root.
	ErrNotSelfSigned     = errors.New("certificate is not self-signed")
	// ErrBlockListed: the certificate's Sha256Sum fingerprint was added via BlocklistFingerprint.
	ErrBlockListed       = errors.New("certificate is in the block list")
	// ErrSignatureMismatch: Signature does not verify under the issuing CA's public key.
	ErrSignatureMismatch = errors.New("certificate signature did not match")
)
var ErrPrivateKeyEncrypted = errors.New("private key must be decrypted")

ErrPrivateKeyEncrypted is returned when an encrypted (passphrase-protected) signing private key is unmarshaled by a function that takes no passphrase, for example UnmarshalSigningPrivateKey; decrypt it with DecryptAndUnmarshalSigningPrivateKey instead.

var File_certv2_proto protoreflect.FileDescriptor

Functions

func EncryptAndMarshalSigningPrivateKey

func EncryptAndMarshalSigningPrivateKey(curve Curve, b []byte, passphrase []byte, kdfParams *Argon2Parameters) ([]byte, error)

EncryptAndMarshalSigningPrivateKey is a simple helper that encrypts the signing private key bytes b (Ed25519 or ECDSA P256, selected by curve) under the given passphrase, deriving the encryption key with the Argon2 cost factors in kdfParams, and PEM-encodes the result with the matching "ENCRYPTED" banner. Those cost factors are stored alongside the ciphertext, so choose them with offline passphrase guessing in mind.

func MarshalEd25519PrivateKey

func MarshalEd25519PrivateKey(key ed25519.PrivateKey) []byte

MarshalEd25519PrivateKey is a simple helper to PEM encode an Ed25519 private key

func MarshalEd25519PublicKey

func MarshalEd25519PublicKey(key ed25519.PublicKey) []byte

MarshalEd25519PublicKey is a simple helper to PEM encode an Ed25519 public key

func MarshalPrivateKey

func MarshalPrivateKey(curve Curve, b []byte) []byte

func MarshalPublicKey

func MarshalPublicKey(curve Curve, b []byte) []byte

func MarshalSigningPrivateKey

func MarshalSigningPrivateKey(curve Curve, b []byte) []byte

func MarshalX25519PrivateKey

func MarshalX25519PrivateKey(b []byte) []byte

MarshalX25519PrivateKey is a simple helper to PEM encode an X25519 private key

func MarshalX25519PublicKey

func MarshalX25519PublicKey(b []byte) []byte

MarshalX25519PublicKey is a simple helper to PEM encode an X25519 public key

func UnmarshalEd25519PrivateKey

func UnmarshalEd25519PrivateKey(b []byte) (ed25519.PrivateKey, []byte, error)

UnmarshalEd25519PrivateKey decodes the first PEM block in b as an Ed25519 private key. On success it also returns the bytes remaining after that block, so several keys can be read from one buffer; on failure it returns an error.

func UnmarshalEd25519PublicKey

func UnmarshalEd25519PublicKey(b []byte) (ed25519.PublicKey, []byte, error)

UnmarshalEd25519PublicKey decodes the first PEM block in b as an Ed25519 public key. On success it also returns the bytes remaining after that block; on failure it returns an error.

func UnmarshalX25519PrivateKey

func UnmarshalX25519PrivateKey(b []byte) ([]byte, []byte, error)

UnmarshalX25519PrivateKey decodes the first PEM block in b as an X25519 private key. On success it also returns the bytes remaining after that block; on failure it returns an error.

func UnmarshalX25519PublicKey

func UnmarshalX25519PublicKey(b []byte) ([]byte, []byte, error)

UnmarshalX25519PublicKey decodes the first PEM block in b as an X25519 public key. On success it also returns the bytes remaining after that block; on failure it returns an error.

Types

type Argon2Parameters

// Argon2Parameters holds the Argon2 cost factors used to derive the key that
// encrypts a signing private key (see EncryptAndMarshalSigningPrivateKey).
// Raising any factor makes offline passphrase guessing proportionally more
// expensive, and slows legitimate decryption by the same amount. Build one with
// NewArgon2Parameters so the unexported version field is populated.
type Argon2Parameters struct {
	Memory      uint32 // KiB
	Parallelism uint8 // Argon2 lanes/threads; narrowed from the uint32 wire field
	Iterations  uint32 // Argon2 time cost (passes over memory)
	// contains filtered or unexported fields
}

Argon2Parameters holds the Argon2 KDF cost factors (Memory in KiB, Parallelism, Iterations) used when encrypting a signing private key. Higher values make passphrase brute-forcing more expensive at the cost of slower decryption.

func NewArgon2Parameters

func NewArgon2Parameters(memory uint32, parallelism uint8, iterations uint32) *Argon2Parameters

NewArgon2Parameters returns an Argon2Parameters carrying the given cost factors with the current Argon2 version set. The version field is unexported, so use this constructor rather than a struct literal.

type Curve

// Curve identifies the elliptic-curve family of a key or certificate and is a
// protobuf enum (see Curve_name / Curve_value). Curve_CURVE25519 presumably
// covers both X25519 (key agreement) and Ed25519 (signing), and Curve_P256 both
// ECDH P256 and ECDSA P256; which of the pair is meant depends on the helper in
// use (Marshal*Key vs Marshal*SigningPrivateKey) — confirm against the source.
type Curve int32
const (
	Curve_CURVE25519 Curve = 0
	Curve_P256       Curve = 1
)

func DecryptAndUnmarshalSigningPrivateKey

func DecryptAndUnmarshalSigningPrivateKey(passphrase, b []byte) (Curve, []byte, []byte, error)

DecryptAndUnmarshalSigningPrivateKey decodes the first PEM block in b as an encrypted Ed25519/ECDSA signing private key and decrypts it with passphrase, returning the key's Curve, the key bytes, the bytes remaining after the block, and an error on failure (which of the two []byte values is the key is not spelled out on this page — confirm). Note that the return order (Curve first) differs from UnmarshalSigningPrivateKey, which returns the Curve third. The Argon2 parameters and salt used for key derivation are read from the blob's own EncryptionMetadata, so a file of untrusted origin can dictate how expensive decryption is.

func UnmarshalPrivateKey

func UnmarshalPrivateKey(b []byte) ([]byte, []byte, Curve, error)

func UnmarshalPublicKey

func UnmarshalPublicKey(b []byte) ([]byte, []byte, Curve, error)

func UnmarshalSigningPrivateKey

func UnmarshalSigningPrivateKey(b []byte) ([]byte, []byte, Curve, error)

func (Curve) Descriptor

func (Curve) Descriptor() protoreflect.EnumDescriptor

func (Curve) Enum

func (x Curve) Enum() *Curve

func (Curve) EnumDescriptor deprecated

func (Curve) EnumDescriptor() ([]byte, []int)

Deprecated: Use Curve.Descriptor instead.

func (Curve) Number

func (x Curve) Number() protoreflect.EnumNumber

func (Curve) String

func (x Curve) String() string

func (Curve) Type

func (Curve) Type() protoreflect.EnumType

type NebulaCAPool

// NebulaCAPool is the set of trusted CA certificates that Verify checks against,
// together with a fingerprint blocklist (BlocklistFingerprint / IsBlocklisted).
// CAs is keyed by string — presumably the CA's Sha256Sum fingerprint, which is
// what GetFingerprints returns; confirm before relying on it. Writing to CAs
// directly skips the CA checks that AddCACertificate performs.
type NebulaCAPool struct {
	CAs map[string]*NebulaCertificate
	// contains filtered or unexported fields
}

func NewCAPool

func NewCAPool() *NebulaCAPool

NewCAPool creates a new, empty NebulaCAPool. Populate it with AddCACertificate, or use NewCAPoolFromBytes to build one directly from PEM data.

func NewCAPoolFromBytes

func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, error)

NewCAPoolFromBytes creates a new CA pool from the provided input bytes, which must be a PEM-encoded set of Nebula CA certificates. If any of them is expired, ErrExpired is returned together with the pool: the pool is still usable, so the caller must decide whether to proceed with a pool containing expired CAs rather than silently discard the error.

func (*NebulaCAPool) AddCACertificate

func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error)

AddCACertificate verifies a Nebula CA certificate and adds it to the pool. Only the first PEM-encoded object in pemBytes is consumed; any remaining bytes are returned so the caller can parse the next one. The parsed certificate is verified and must be a CA — see ErrNotCA and ErrNotSelfSigned for the rejections this can produce.

func (*NebulaCAPool) BlocklistFingerprint

func (ncp *NebulaCAPool) BlocklistFingerprint(f string)

BlocklistFingerprint adds the fingerprint f — the value produced by NebulaCertificate.Sha256Sum — to the pool's blocklist. Certificates with that fingerprint subsequently fail Verify with ErrBlockListed; see IsBlocklisted for the caching caveat.

func (*NebulaCAPool) GetCAForCert

func (ncp *NebulaCAPool) GetCAForCert(c *NebulaCertificate) (*NebulaCertificate, error)

GetCAForCert attempts to return the pool's CA certificate that c names as its signer (presumably by matching c's Issuer field against the pool's fingerprints). No signature validation is performed: the Issuer field is chosen by whoever produced c, so a successful lookup only identifies the claimed signer and says nothing about whether c is genuine. Call Verify — or at minimum CheckSignature with the returned CA's public key — before trusting c.

func (*NebulaCAPool) GetFingerprints

func (ncp *NebulaCAPool) GetFingerprints() []string

GetFingerprints returns a slice of the fingerprints of all CA certificates currently trusted by the pool.

func (*NebulaCAPool) IsBlocklisted

func (ncp *NebulaCAPool) IsBlocklisted(c *NebulaCertificate) bool

IsBlocklisted reports whether c's fingerprint has been added to the pool's blocklist. NOTE: this uses an internal cache for Sha256Sum() that is not invalidated automatically if you manually change any field of the NebulaCertificate; a stale cached fingerprint can make a blocklisted certificate appear allowed, so invalidate the cache (ResetCache appears to be the mechanism — confirm) after such edits.

func (*NebulaCAPool) ResetCertBlocklist

func (ncp *NebulaCAPool) ResetCertBlocklist()

ResetCertBlocklist removes all previously blocklisted cert fingerprints

type NebulaCertificate

// NebulaCertificate is the parsed form of a Nebula certificate: the Details
// that were signed and the Signature over them (see Sign / CheckSignature).
// Unmarshaling alone establishes no trust — run Verify against a NebulaCAPool
// first. Some methods cache derived data (VerifyWithCache, IsBlocklisted); after
// editing Details or Signature by hand call ResetCache so stale results are not
// reused.
type NebulaCertificate struct {
	Details   NebulaCertificateDetails
	Signature []byte
	// contains filtered or unexported fields
}

func UnmarshalNebulaCertificate

func UnmarshalNebulaCertificate(b []byte) (*NebulaCertificate, error)

UnmarshalNebulaCertificate unmarshals a protobuf byte representation of a Nebula certificate. A successfully unmarshaled certificate is not yet trusted: check it with Verify against a CA pool before acting on its Details.

func UnmarshalNebulaCertificateFromPEM

func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, error)

UnmarshalNebulaCertificateFromPEM unmarshals the first PEM block in b as a Nebula certificate, returning any bytes not consumed (so a bundle can be parsed block by block) or an error on failure. As with UnmarshalNebulaCertificate, the result must still be checked with Verify before it is trusted.

func (*NebulaCertificate) CheckRootConstrains

func (nc *NebulaCertificate) CheckRootConstrains(signer *NebulaCertificate) error

CheckRootConstrains returns an error if nc claims groups, ips or subnets that fall outside the constraints carried by signer, the CA certificate that signed nc. Verify is expected to apply this check as part of full validation; call it directly only when the constraint result is needed in isolation, and note that it says nothing about whether signer actually signed nc.

func (*NebulaCertificate) CheckSignature

func (nc *NebulaCertificate) CheckSignature(key []byte) bool

CheckSignature verifies nc.Signature against the provided public key and reports whether it matches. This is the cryptographic check only: it does not consult a CA pool, the validity window, the blocklist, or root constraints, and it does not confirm that key belongs to a trusted CA. Use Verify for a complete decision.

func (*NebulaCertificate) Copy

func (*NebulaCertificate) Expired

func (nc *NebulaCertificate) Expired(t time.Time) bool

Expired reports whether the certificate is not valid at time t — i.e. t is before NotBefore ("too young") or after NotAfter ("too old") — and false otherwise. Pass the caller's notion of now (for example time.Now()).

func (*NebulaCertificate) Marshal

func (nc *NebulaCertificate) Marshal() ([]byte, error)

Marshal will marshal a nebula cert into a protobuf byte array

func (*NebulaCertificate) MarshalJSON

func (nc *NebulaCertificate) MarshalJSON() ([]byte, error)

func (*NebulaCertificate) MarshalToPEM

func (nc *NebulaCertificate) MarshalToPEM() ([]byte, error)

MarshalToPEM will marshal a nebula cert into a protobuf byte array and pem encode the result

func (*NebulaCertificate) ResetCache

func (nc *NebulaCertificate) ResetCache()

ResetCache resets the cache used by VerifyWithCache. Call it after manually changing any field of the certificate, since the cache is not invalidated automatically.

func (*NebulaCertificate) Sha256Sum

func (nc *NebulaCertificate) Sha256Sum() (string, error)

Sha256Sum returns the certificate's fingerprint: a SHA-256 digest of the certificate as serialized by Marshal (Details and Signature). This is the value used by BlocklistFingerprint / IsBlocklisted and listed by GetFingerprints. The string encoding of the digest is not shown on this page — hex is likely, but confirm before hand-writing fingerprints in configuration.

func (*NebulaCertificate) Sign

func (nc *NebulaCertificate) Sign(curve Curve, key []byte) error

Sign computes nc.Signature over the certificate's Details using the private key bytes key for curve. This must be a signing key (presumably Ed25519 for Curve_CURVE25519, ECDSA P256 for Curve_P256 — the kind handled by the *SigningPrivateKey helpers), not the X25519/P256 key-agreement key handled by MarshalPrivateKey. VerifyPrivateKey can confirm that a key corresponds to a certificate before it is used.

func (*NebulaCertificate) String

func (nc *NebulaCertificate) String() string

String will return a pretty printed representation of a nebula cert

func (*NebulaCertificate) Verify

func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error)

Verify ensures a certificate is good in all respects at time t against the pool ncp: the certificate and its signing CA are within their validity windows (ErrExpired / ErrRootExpired), the signature verifies under a CA in the pool (ErrSignatureMismatch), the fingerprint is not blocklisted (ErrBlockListed), and the claimed groups, ips and subnets respect the signer's constraints (see CheckRootConstrains). A non-nil error identifies which check failed; trust the certificate only when the returned bool is true and err is nil.

func (*NebulaCertificate) VerifyPrivateKey

func (nc *NebulaCertificate) VerifyPrivateKey(curve Curve, key []byte) error

VerifyPrivateKey checks that the public key in the Nebula certificate corresponds to the supplied private key for curve. Use it when loading a key pair from disk to fail fast on a mismatched or wrong-curve key, rather than producing signatures or handshakes that will never validate.

func (*NebulaCertificate) VerifyWithCache

func (nc *NebulaCertificate) VerifyWithCache(t time.Time, ncp *NebulaCAPool) (bool, error)

VerifyWithCache performs the same checks as Verify (expiry, group membership, signature, cert blocklist, root constraints) but uses an internal cache to avoid repeating work on later calls.

NOTE: the cache is not invalidated automatically if you manually change any field of the NebulaCertificate — call ResetCache afterwards. What the cache keys on (the time t, the pool's CA set, its blocklist) is not visible from this page; confirm before relying on VerifyWithCache to notice a certificate that has since expired or a fingerprint blocklisted after the first call, or use Verify where that matters.

type NebulaCertificateDetails

// NebulaCertificateDetails is the body of a certificate — the part Signature is
// expected to cover. None of these fields can be trusted until Verify (or at
// least CheckSignature under a trusted CA key) has succeeded.
type NebulaCertificateDetails struct {
	Name      string
	// Ips and Subnets are constrained by the signing CA (see CheckRootConstrains).
	// On the wire they are IPv4-only 32-bit pairs; see RawNebulaCertificateDetails.
	Ips       []*net.IPNet
	Subnets   []*net.IPNet
	// Groups is likewise constrained by the signing CA.
	Groups    []string
	// NotBefore / NotAfter bound the validity window checked by Expired and Verify.
	NotBefore time.Time
	NotAfter  time.Time
	PublicKey []byte
	// IsCA must be set for a certificate to be accepted by AddCACertificate (ErrNotCA).
	IsCA      bool
	// Issuer is the fingerprint (sha-256) of the issuing certificate; empty means self-signed.
	Issuer    string

	// Map of groups for faster lookup
	InvertedGroups map[string]struct{}

	// Curve is the curve family of PublicKey.
	Curve Curve
}

type NebulaEncryptedData

// NebulaEncryptedData is the parsed form of an encrypted signing private key:
// the KDF/cipher metadata needed to decrypt it plus the Ciphertext itself. The
// metadata is part of the untrusted input, not a separately trusted value.
type NebulaEncryptedData struct {
	EncryptionMetadata NebulaEncryptionMetadata
	Ciphertext         []byte
}

func UnmarshalNebulaEncryptedData

func UnmarshalNebulaEncryptedData(b []byte) (*NebulaEncryptedData, error)

UnmarshalNebulaEncryptedData unmarshals a protobuf byte representation of an encrypted private key blob (encryption metadata plus ciphertext) — not a certificate — into its NebulaEncryptedData struct. It does not decrypt anything; see DecryptAndUnmarshalSigningPrivateKey for that.

type NebulaEncryptionMetadata

// NebulaEncryptionMetadata describes how an encrypted signing key was protected:
// the cipher name and the Argon2 cost factors (plus salt, on the wire) used to
// derive the key from the passphrase. Both are read from the file being
// decrypted, so treat them as attacker-controlled for files of unknown origin.
type NebulaEncryptionMetadata struct {
	EncryptionAlgorithm string
	Argon2Parameters    Argon2Parameters
}

type RawNebulaArgon2Parameters

// RawNebulaArgon2Parameters is the protobuf wire form of the KDF parameters
// stored next to an encrypted signing key. Every value here, including Salt, is
// read from the file being decrypted, so for a file of unknown origin a hostile
// Memory/Iterations value can make decryption extremely expensive — TODO confirm
// whether DecryptAndUnmarshalSigningPrivateKey bounds these before use.
// Parallelism is uint32 on the wire but narrowed to uint8 in Argon2Parameters.
type RawNebulaArgon2Parameters struct {
	Version     int32  `protobuf:"varint,1,opt,name=version,proto3" json:"version,omitempty"` // rune in Go
	Memory      uint32 `protobuf:"varint,2,opt,name=memory,proto3" json:"memory,omitempty"`
	Parallelism uint32 `protobuf:"varint,4,opt,name=parallelism,proto3" json:"parallelism,omitempty"` // uint8 in Go
	Iterations  uint32 `protobuf:"varint,3,opt,name=iterations,proto3" json:"iterations,omitempty"`
	Salt        []byte `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaArgon2Parameters) Descriptor deprecated

func (*RawNebulaArgon2Parameters) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaArgon2Parameters.ProtoReflect.Descriptor instead.

func (*RawNebulaArgon2Parameters) GetIterations

func (x *RawNebulaArgon2Parameters) GetIterations() uint32

func (*RawNebulaArgon2Parameters) GetMemory

func (x *RawNebulaArgon2Parameters) GetMemory() uint32

func (*RawNebulaArgon2Parameters) GetParallelism

func (x *RawNebulaArgon2Parameters) GetParallelism() uint32

func (*RawNebulaArgon2Parameters) GetSalt

func (x *RawNebulaArgon2Parameters) GetSalt() []byte

func (*RawNebulaArgon2Parameters) GetVersion

func (x *RawNebulaArgon2Parameters) GetVersion() int32

func (*RawNebulaArgon2Parameters) ProtoMessage

func (*RawNebulaArgon2Parameters) ProtoMessage()

func (*RawNebulaArgon2Parameters) ProtoReflect

func (*RawNebulaArgon2Parameters) Reset

func (x *RawNebulaArgon2Parameters) Reset()

func (*RawNebulaArgon2Parameters) String

func (x *RawNebulaArgon2Parameters) String() string

type RawNebulaCertificate

// RawNebulaCertificate is the protobuf wire form of a certificate: the signed
// Details message and the Signature over its serialization. Prefer the parsed
// NebulaCertificate (via UnmarshalNebulaCertificate) for anything beyond
// (de)serialization.
type RawNebulaCertificate struct {
	Details   *RawNebulaCertificateDetails `protobuf:"bytes,1,opt,name=Details,proto3" json:"Details,omitempty"`
	Signature []byte                       `protobuf:"bytes,2,opt,name=Signature,proto3" json:"Signature,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificate) Descriptor deprecated

func (*RawNebulaCertificate) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificate.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificate) GetDetails

func (*RawNebulaCertificate) GetSignature

func (x *RawNebulaCertificate) GetSignature() []byte

func (*RawNebulaCertificate) ProtoMessage

func (*RawNebulaCertificate) ProtoMessage()

func (*RawNebulaCertificate) ProtoReflect

func (x *RawNebulaCertificate) ProtoReflect() protoreflect.Message

func (*RawNebulaCertificate) Reset

func (x *RawNebulaCertificate) Reset()

func (*RawNebulaCertificate) String

func (x *RawNebulaCertificate) String() string

type RawNebulaCertificateDetails

// RawNebulaCertificateDetails is the protobuf wire form of
// NebulaCertificateDetails and presumably the exact bytes the Signature covers,
// so any field or encoding change here is a format change. Ips/Subnets are
// big-endian 32-bit pairs, which means this version can only express IPv4
// addresses and masks. NotBefore/NotAfter are int64 timestamps (presumably Unix
// seconds — confirm). Curve uses field number 100, leaving 10-99 free.
type RawNebulaCertificateDetails struct {
	Name string `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
	// Ips and Subnets are in big endian 32 bit pairs, 1st the ip, 2nd the mask (IPv4 only)
	Ips       []uint32 `protobuf:"varint,2,rep,packed,name=Ips,proto3" json:"Ips,omitempty"`
	Subnets   []uint32 `protobuf:"varint,3,rep,packed,name=Subnets,proto3" json:"Subnets,omitempty"`
	Groups    []string `protobuf:"bytes,4,rep,name=Groups,proto3" json:"Groups,omitempty"`
	NotBefore int64    `protobuf:"varint,5,opt,name=NotBefore,proto3" json:"NotBefore,omitempty"`
	NotAfter  int64    `protobuf:"varint,6,opt,name=NotAfter,proto3" json:"NotAfter,omitempty"`
	PublicKey []byte   `protobuf:"bytes,7,opt,name=PublicKey,proto3" json:"PublicKey,omitempty"`
	IsCA      bool     `protobuf:"varint,8,opt,name=IsCA,proto3" json:"IsCA,omitempty"`
	// sha-256 of the issuer certificate, if this field is blank the cert is self-signed.
	// Raw digest bytes here; NebulaCertificateDetails.Issuer carries the string form.
	Issuer []byte `protobuf:"bytes,9,opt,name=Issuer,proto3" json:"Issuer,omitempty"`
	Curve  Curve  `protobuf:"varint,100,opt,name=curve,proto3,enum=v2.Curve" json:"curve,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificateDetails) Descriptor deprecated

func (*RawNebulaCertificateDetails) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificateDetails.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificateDetails) GetCurve

func (x *RawNebulaCertificateDetails) GetCurve() Curve

func (*RawNebulaCertificateDetails) GetGroups

func (x *RawNebulaCertificateDetails) GetGroups() []string

func (*RawNebulaCertificateDetails) GetIps

func (x *RawNebulaCertificateDetails) GetIps() []uint32

func (*RawNebulaCertificateDetails) GetIsCA

func (x *RawNebulaCertificateDetails) GetIsCA() bool

func (*RawNebulaCertificateDetails) GetIssuer

func (x *RawNebulaCertificateDetails) GetIssuer() []byte

func (*RawNebulaCertificateDetails) GetName

func (x *RawNebulaCertificateDetails) GetName() string

func (*RawNebulaCertificateDetails) GetNotAfter

func (x *RawNebulaCertificateDetails) GetNotAfter() int64

func (*RawNebulaCertificateDetails) GetNotBefore

func (x *RawNebulaCertificateDetails) GetNotBefore() int64

func (*RawNebulaCertificateDetails) GetPublicKey

func (x *RawNebulaCertificateDetails) GetPublicKey() []byte

func (*RawNebulaCertificateDetails) GetSubnets

func (x *RawNebulaCertificateDetails) GetSubnets() []uint32

func (*RawNebulaCertificateDetails) ProtoMessage

func (*RawNebulaCertificateDetails) ProtoMessage()

func (*RawNebulaCertificateDetails) ProtoReflect

func (*RawNebulaCertificateDetails) Reset

func (x *RawNebulaCertificateDetails) Reset()

func (*RawNebulaCertificateDetails) String

func (x *RawNebulaCertificateDetails) String() string

type RawNebulaEncryptedData

// RawNebulaEncryptedData is the protobuf wire form of an encrypted signing key
// blob (see NebulaEncryptedData): the KDF/cipher metadata and the Ciphertext.
type RawNebulaEncryptedData struct {
	EncryptionMetadata *RawNebulaEncryptionMetadata `protobuf:"bytes,1,opt,name=EncryptionMetadata,proto3" json:"EncryptionMetadata,omitempty"`
	Ciphertext         []byte                       `protobuf:"bytes,2,opt,name=Ciphertext,proto3" json:"Ciphertext,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaEncryptedData) Descriptor deprecated

func (*RawNebulaEncryptedData) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaEncryptedData.ProtoReflect.Descriptor instead.

func (*RawNebulaEncryptedData) GetCiphertext

func (x *RawNebulaEncryptedData) GetCiphertext() []byte

func (*RawNebulaEncryptedData) GetEncryptionMetadata

func (x *RawNebulaEncryptedData) GetEncryptionMetadata() *RawNebulaEncryptionMetadata

func (*RawNebulaEncryptedData) ProtoMessage

func (*RawNebulaEncryptedData) ProtoMessage()

func (*RawNebulaEncryptedData) ProtoReflect

func (x *RawNebulaEncryptedData) ProtoReflect() protoreflect.Message

func (*RawNebulaEncryptedData) Reset

func (x *RawNebulaEncryptedData) Reset()

func (*RawNebulaEncryptedData) String

func (x *RawNebulaEncryptedData) String() string

type RawNebulaEncryptionMetadata

// RawNebulaEncryptionMetadata is the protobuf wire form of
// NebulaEncryptionMetadata: the cipher name and the Argon2 parameters (with
// salt) used to derive the decryption key. These travel with the ciphertext
// and are therefore under the control of whoever produced the file.
type RawNebulaEncryptionMetadata struct {
	EncryptionAlgorithm string                     `protobuf:"bytes,1,opt,name=EncryptionAlgorithm,proto3" json:"EncryptionAlgorithm,omitempty"`
	Argon2Parameters    *RawNebulaArgon2Parameters `protobuf:"bytes,2,opt,name=Argon2Parameters,proto3" json:"Argon2Parameters,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaEncryptionMetadata) Descriptor deprecated

func (*RawNebulaEncryptionMetadata) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaEncryptionMetadata.ProtoReflect.Descriptor instead.

func (*RawNebulaEncryptionMetadata) GetArgon2Parameters

func (x *RawNebulaEncryptionMetadata) GetArgon2Parameters() *RawNebulaArgon2Parameters

func (*RawNebulaEncryptionMetadata) GetEncryptionAlgorithm

func (x *RawNebulaEncryptionMetadata) GetEncryptionAlgorithm() string

func (*RawNebulaEncryptionMetadata) ProtoMessage

func (*RawNebulaEncryptionMetadata) ProtoMessage()

func (*RawNebulaEncryptionMetadata) ProtoReflect

func (*RawNebulaEncryptionMetadata) Reset

func (x *RawNebulaEncryptionMetadata) Reset()

func (*RawNebulaEncryptionMetadata) String

func (x *RawNebulaEncryptionMetadata) String() string
