Documentation ¶
Index ¶
- func CACertificate(cn string) x509.Certificate
- func NodeCertificate(nodeID string) x509.Certificate
- func NodeID(pub []byte) string
- func NodeIDBare(pub []byte) string
- func UserCertificate(identity string) x509.Certificate
- func VerifyCAInsecure(ca *x509.Certificate) error
- func VerifyInCluster(cert, ca *x509.Certificate) (ed25519.PublicKey, error)
- func VerifyNodeInCluster(node, ca *x509.Certificate) (string, error)
- func VerifyUserInCluster(user, ca *x509.Certificate) (string, error)
- type Node
- type NodeCredentials
- type PKIDirectory
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CACertificate ¶
func CACertificate(cn string) x509.Certificate
CACertificate makes a Metropolis-compatible CA certificate template.
cn is a human-readable string that can be used to distinguish Metropolis clusters, if needed. It is not machine-parsed, instead only signature verification and CA pinning is performed.
func NodeCertificate ¶
func NodeCertificate(nodeID string) x509.Certificate
NodeCertificate makes a Metropolis-compatible node certificate template.
func NodeID ¶
func NodeID(pub []byte) string
NodeID returns the name of this node, which is `metropolis-{pubkeyHash}`. This name should be the primary way to refer to Metropolis nodes within a cluster, and is guaranteed to be unique by relying on cryptographic randomness.
func NodeIDBare ¶
func NodeIDBare(pub []byte) string
NodeIDBare returns the `{pubkeyHash}` part of the node ID.
func UserCertificate ¶
func UserCertificate(identity string) x509.Certificate
UserCertificate makes a Metropolis-compatible user certificate template.
func VerifyCAInsecure ¶
func VerifyCAInsecure(ca *x509.Certificate) error
VerifyCAInsecure ensures that the given certificate is a valid certificate that is allowed to act as a CA and which is emitted for an Ed25519 keypair.
It does _not_ ensure that the certificate is the local node's CA, and should not be used for security checks, just for data validation checks.
func VerifyInCluster ¶
func VerifyInCluster(cert, ca *x509.Certificate) (ed25519.PublicKey, error)
VerifyInCluster ensures that the given certificate has been signed by the given CA certificate and that both certificates are emitted for Ed25519 keypairs.
The subject certificate's public key is returned if verification is successful, and an error is returned otherwise.
func VerifyNodeInCluster ¶
func VerifyNodeInCluster(node, ca *x509.Certificate) (string, error)
VerifyNodeInCluster ensures that a given certificate is a Metropolis node certificate emitted by a given Metropolis CA.
The node's ID is returned if verification is successful, and an error is returned otherwise.
func VerifyUserInCluster ¶
func VerifyUserInCluster(user, ca *x509.Certificate) (string, error)
VerifyUserInCluster ensures that a given certificate is a Metropolis user certificate emitted by a given Metropolis CA.
The user certificate's identity is returned if verification is successful, and an error is returned otherwise.
Types ¶
type Node ¶
type Node struct {
// contains filtered or unexported fields
}
Node is the public part of the credentials of a node. It is emitted for a node by the cluster CA contained within the curator.
func NewNode ¶
NewNode wraps a pair of CA and node DER-encoded certificates into Node, ensuring the given certificate data is valid and compatible with Metropolis assumptions.
func (*Node) Certificate ¶
func (n *Node) Certificate() *x509.Certificate
func (*Node) ClusterCA ¶
func (n *Node) ClusterCA() *x509.Certificate
ClusterCA returns the CA certificate of the cluster for which this Node is emitted.
type NodeCredentials ¶
type NodeCredentials struct {
Node
// contains filtered or unexported fields
}
NodeCredentials are the public and private part of the credentials of a node.
It represents all the data necessary for a node to authenticate over mTLS to other nodes and the rest of the cluster.
It must never be made available to any node other than the node it has been emitted for.
func NewNodeCredentials ¶
func NewNodeCredentials(priv, cert, ca []byte) (*NodeCredentials, error)
NewNodeCredentials wraps a pair of CA and node DER-encoded certificates plus a private key into NodeCredentials, ensuring that the given data is valid and compatible with Metropolis assumptions.
func (*NodeCredentials) Read ¶
func (n *NodeCredentials) Read(d PKIDirectory) error
Read initializes NodeCredentials' contents with the data stored in the PKIDirectory d. It may return an I/O error, or a parsing error.
func (*NodeCredentials) Save ¶
func (n *NodeCredentials) Save(d PKIDirectory) error
Save stores the given node credentials in local storage.
func (*NodeCredentials) TLSCredentials ¶
func (n *NodeCredentials) TLSCredentials() tls.Certificate
type PKIDirectory ¶
type PKIDirectory interface {
ReadAll() (ca, cert *x509.Certificate, key ed25519.PrivateKey, err error)
WriteAll(cert []byte, key ed25519.PrivateKey, ca []byte) error
}
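The following is an added, self-contained example that is not the Metropolis package's own code. It shows the contract documented above end to end with only the Go standard library: CA and node certificate templates in the shape CACertificate and NodeCertificate describe, a NodeID-style derivation, the VerifyInCluster/VerifyNodeInCluster checks (Ed25519 on both sides, CA constraint, direct signature, and the node ID pinned to the certified key), and an in-memory implementation of the PKIDirectory interface feeding a NodeCredentials-style Read/TLSCredentials path. The hash and encoding inside nodeID, the template field choices, the helper names, and memPKIDirectory are all assumptions made for this example; the real package's NodeID encoding is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caTemplate is a CACertificate-style template (assumed shape): a CA whose
// only permitted job is to sign the cluster's certificates.
func caTemplate(cn string) x509.Certificate {
	now := time.Now()
	return x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// nodeTemplate is a NodeCertificate-style template (assumed shape): the node
// ID lives in the CN so a verifier can cross-check it against the key.
func nodeTemplate(id string) x509.Certificate {
	now := time.Now()
	return x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: id},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// nodeID derives `metropolis-{pubkeyHash}`. Truncated hex SHA-256 is an
// illustrative stand-in; the package's real hash/encoding is not on the page.
func nodeID(pub []byte) string {
	h := sha256.Sum256(pub)
	return "metropolis-" + hex.EncodeToString(h[:16])
}

// verifyInCluster follows the documented contract: both certificates are for
// Ed25519 keys, ca is a CA, and cert is directly signed by ca.
func verifyInCluster(cert, ca *x509.Certificate) (ed25519.PublicKey, error) {
	if !ca.IsCA || !ca.BasicConstraintsValid {
		return nil, errors.New("given CA certificate is not a CA")
	}
	if _, ok := ca.PublicKey.(ed25519.PublicKey); !ok {
		return nil, errors.New("CA certificate is not for an Ed25519 key")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("certificate is not for an Ed25519 key")
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("certificate not signed by given CA: %w", err)
	}
	return pub, nil
}

// verifyNodeInCluster additionally pins the CN to the key-derived ID, so a
// CA-signed certificate cannot claim a node ID its own key does not hash to.
func verifyNodeInCluster(node, ca *x509.Certificate) (string, error) {
	pub, err := verifyInCluster(node, ca)
	if err != nil {
		return "", err
	}
	if want := nodeID(pub); node.Subject.CommonName != want {
		return "", fmt.Errorf("node CN %q does not match key-derived ID %q", node.Subject.CommonName, want)
	}
	return node.Subject.CommonName, nil
}

// memPKIDirectory is a constructed in-memory PKIDirectory (the real one would
// be file-backed); it exposes exactly the ReadAll/WriteAll pair shown above.
type memPKIDirectory struct {
	ca, cert []byte
	key      ed25519.PrivateKey
}

func (m *memPKIDirectory) WriteAll(cert []byte, key ed25519.PrivateKey, ca []byte) error {
	m.cert, m.key, m.ca = append([]byte(nil), cert...), key, append([]byte(nil), ca...)
	return nil
}

func (m *memPKIDirectory) ReadAll() (ca, cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	if m.cert == nil {
		return nil, nil, nil, errors.New("no node credentials stored")
	}
	if ca, err = x509.ParseCertificate(m.ca); err != nil {
		return nil, nil, nil, err
	}
	if cert, err = x509.ParseCertificate(m.cert); err != nil {
		return nil, nil, nil, err
	}
	return ca, cert, m.key, nil
}

// issueNode creates a fresh cluster CA, issues a node certificate for a fresh
// Ed25519 node key under it, and stores the result in d. A non-empty wrongCN
// replaces the key-derived ID, to show that such a certificate is rejected.
func issueNode(d *memPKIDirectory, wrongCN string) error {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	caT := caTemplate("example-cluster")
	caDER, err := x509.CreateCertificate(rand.Reader, &caT, &caT, caPub, caPriv)
	if err != nil {
		return err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return err
	}
	nodePub, nodePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	id := nodeID(nodePub)
	if wrongCN != "" {
		id = wrongCN
	}
	nodeT := nodeTemplate(id)
	nodeDER, err := x509.CreateCertificate(rand.Reader, &nodeT, caCert, nodePub, caPriv)
	if err != nil {
		return err
	}
	return d.WriteAll(nodeDER, nodePriv, caDER)
}

// loadTLS is the NodeCredentials Read + TLSCredentials path: read back, verify
// against the stored CA, check the key matches the cert, then build tls.Certificate.
func loadTLS(d *memPKIDirectory) (tls.Certificate, string, error) {
	ca, cert, key, err := d.ReadAll()
	if err != nil {
		return tls.Certificate{}, "", err
	}
	id, err := verifyNodeInCluster(cert, ca)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	if !key.Public().(ed25519.PublicKey).Equal(cert.PublicKey) {
		return tls.Certificate{}, "", errors.New("stored private key does not match node certificate")
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}, id, nil
}

func main() {
	d := &memPKIDirectory{}
	if err := issueNode(d, ""); err != nil {
		panic(err)
	}
	_, id, err := loadTLS(d)
	fmt.Println(id, err)
}
```

Note the ordering in loadTLS: the certificate is verified against the cluster CA before the private key is ever handed to crypto/tls, mirroring the page's statement that Read and NewNodeCredentials validate data against Metropolis assumptions rather than trusting whatever is on disk.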