Overview ¶
Package identity implements CA and Peer identity management and generation.
Index ¶
- Constants
- Variables
- func EncodePeerIdentity(pi *PeerIdentity) []byte
- func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) (k crypto.PrivateKey, id storj.NodeID, err error)
- func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, ...) (err error)
- func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)
- func NodeIDFromCertPath(certPath string) (storj.NodeID, error)
- func NodeIDFromKey(k crypto.PublicKey, version storj.IDVersion) (storj.NodeID, error)
- func NodeIDFromPEM(pemBytes []byte) (storj.NodeID, error)
- func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate
- type CASetupConfig
- type Config
- type FullCAConfig
- type FullCertificateAuthority
- func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error
- func (ca *FullCertificateAuthority) Chain() []*x509.Certificate
- func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)
- func (ca *FullCertificateAuthority) PeerCA() *PeerCertificateAuthority
- func (ca *FullCertificateAuthority) RawChain() [][]byte
- func (ca *FullCertificateAuthority) RawRestChain() [][]byte
- func (ca *FullCertificateAuthority) Revoke() error
- func (ca *FullCertificateAuthority) Sign(cert *x509.Certificate) (*x509.Certificate, error)
- func (ca *FullCertificateAuthority) Version() (storj.IDVersion, error)
- type FullIdentity
- type GenerateCallback
- type ManageableFullIdentity
- type ManageablePeerIdentity
- type NewCAOptions
- type PeerCAConfig
- type PeerCertificateAuthority
- type PeerConfig
- type PeerIdentity
- func DecodePeerIdentity(ctx context.Context, chain []byte) (_ *PeerIdentity, err error)
- func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)
- func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)
- func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)
- func PeerIdentityFromPeer(peer *rpcpeer.Peer) (*PeerIdentity, error)
- type SetupConfig
- type TLSFilesStatus
Constants ¶
// The TLSFilesStatus values enumerate which of an identity's two files
// (certificate chain and private key) exist on disk.
const (
	// NoCertNoKey: neither the certificate file nor the key file exists.
	NoCertNoKey = TLSFilesStatus(iota)
	// CertNoKey: the certificate file exists but the key file does not.
	CertNoKey
	// NoCertKey: the key file exists but the certificate file does not.
	NoCertKey
	// CertKey: both the certificate file and the key file exist.
	CertKey
)
The four possible outcomes for the certificate and key files.
Variables ¶
var (
	// ErrZeroBytes is returned when a byte slice that must be non-empty turns out to be empty.
	ErrZeroBytes = errs.New("byte slice was unexpectedly empty")
)
var (
	// Error is the error class used for all errors originating in the identity package.
	Error = errs.Class("identity")
)
Functions ¶
func EncodePeerIdentity ¶
func EncodePeerIdentity(pi *PeerIdentity) []byte
EncodePeerIdentity encodes the complete identity chain to bytes.
func GenerateKey ¶
func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) ( k crypto.PrivateKey, id storj.NodeID, err error)
GenerateKey generates a private key whose derived node ID has a difficulty of at least minDifficulty. No parallelism is used.
func GenerateKeys ¶
func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, version storj.IDVersion, found GenerateCallback) (err error)
GenerateKeys continues to generate keys until the found callback reports that generation is done (see GenerateCallback) or returns an error, or until ctx is canceled.
func NodeIDFromCert ¶
func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)
NodeIDFromCert looks for a version in an ID version extension in the passed cert and then calculates a versioned node ID using the certificate public key. NB: `cert` would typically be an identity's certificate authority certificate.
func NodeIDFromCertPath ¶
NodeIDFromCertPath loads a node ID from a certificate file path.
func NodeIDFromKey ¶
NodeIDFromKey calculates the node ID for a given public key with the passed version.
func NodeIDFromPEM ¶
NodeIDFromPEM loads a node ID from certificate bytes.
func ToChains ¶
func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate
ToChains takes a number of certificate chains and returns them as a 2d slice of chains of certificates.
Types ¶
type CASetupConfig ¶
// CASetupConfig is for creating a CA. Help text and defaults for each field
// are carried in the struct tags.
type CASetupConfig struct {
	// VersionNumber selects the identity version to use; 0 means the latest.
	VersionNumber uint `default:"0" help:"which identity version to use (0 is latest)"`
	// ParentCertPath and ParentKeyPath locate an optional parent authority's
	// certificate chain and private key.
	ParentCertPath string `help:"path to the parent authority's certificate chain"`
	ParentKeyPath  string `help:"path to the parent authority's private key"`
	// CertPath and KeyPath are where the generated CA certificate chain and
	// private key are written.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
	// Difficulty is the minimum difficulty required for the generated identity.
	Difficulty uint64 `help:"minimum difficulty for identity generation" default:"36"`
	// Timeout bounds CA generation, as a Go duration string; "0" disables the timeout.
	Timeout string `help:"timeout for CA generation; golang duration string (0 no timeout)" default:"5m"`
	// Overwrite, when true, allows existing CA cert AND key files to be replaced.
	Overwrite bool `help:"if true, existing CA certs AND keys will overwritten" default:"false" setup:"true"`
	// Concurrency is the number of workers used for CA generation.
	Concurrency uint `help:"number of concurrent workers for certificate authority generation" default:"4"`
}
CASetupConfig is for creating a CA.
func (CASetupConfig) Create ¶
func (caS CASetupConfig) Create(ctx context.Context, logger io.Writer) (*FullCertificateAuthority, error)
Create generates and saves a CA using the config.
func (CASetupConfig) FullConfig ¶
func (caS CASetupConfig) FullConfig() FullCAConfig
FullConfig converts a `CASetupConfig` to `FullCAConfig`.
func (CASetupConfig) Status ¶
func (caS CASetupConfig) Status() (TLSFilesStatus, error)
Status returns the status of the CA cert/key files for the config.
type Config ¶
// Config locates a full identity (certificate chain and private key) on disk.
type Config struct {
	// CertPath is the path to the certificate chain for this identity.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true" path:"true"`
	// KeyPath is the path to the private key for this identity.
	KeyPath string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" user:"true" path:"true"`
}
Config allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.
func (Config) Load ¶
func (ic Config) Load() (*FullIdentity, error)
Load loads a FullIdentity from the config.
func (Config) PeerConfig ¶
func (ic Config) PeerConfig() *PeerConfig
PeerConfig converts a Config to a PeerConfig.
func (Config) Save ¶
func (ic Config) Save(fi *FullIdentity) error
Save saves a FullIdentity according to the config.
func (Config) SaveBackup ¶
func (ic Config) SaveBackup(fi *FullIdentity) error
SaveBackup saves the certificate of the config with a timestamped filename.
type FullCAConfig ¶
// FullCAConfig locates a CA certificate chain and its private key on disk.
type FullCAConfig struct {
	// CertPath is the path to the CA certificate chain.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	// KeyPath is the path to the CA private key.
	KeyPath string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
}
FullCAConfig is for locating a CA certificate and its private key.
func (FullCAConfig) Load ¶
func (fc FullCAConfig) Load() (*FullCertificateAuthority, error)
Load loads a CA from the given configuration.
func (FullCAConfig) PeerConfig ¶
func (fc FullCAConfig) PeerConfig() PeerCAConfig
PeerConfig converts a full ca config to a peer ca config.
func (FullCAConfig) Save ¶
func (fc FullCAConfig) Save(ca *FullCertificateAuthority) error
Save saves a CA with the given configuration.
func (FullCAConfig) SaveBackup ¶
func (fc FullCAConfig) SaveBackup(ca *FullCertificateAuthority) error
SaveBackup saves the certificate of the config with a timestamped filename.
type FullCertificateAuthority ¶
// FullCertificateAuthority represents the CA which is used to author and
// validate full identities. Unlike PeerCertificateAuthority it carries the
// CA private key.
type FullCertificateAuthority struct {
	// RestChain holds the remainder of the certificate chain, excluding Cert
	// (this is what RawRestChain serializes).
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA.
	Cert *x509.Certificate
	// ID is calculated from the CA public key.
	ID storj.NodeID
	// Key is the private key of the CA.
	Key crypto.PrivateKey
}
FullCertificateAuthority represents the CA which is used to author and validate full identities.
func FullCertificateAuthorityFromPEM ¶
func FullCertificateAuthorityFromPEM(chainPEM, keyPEM []byte) (*FullCertificateAuthority, error)
FullCertificateAuthorityFromPEM loads a FullCertificateAuthority from PEM-encoded certificate chain and private key bytes.
func NewCA ¶
func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority, err error)
NewCA creates a new full certificate authority using the given options (difficulty, concurrency, version and optional parent CA).
func (*FullCertificateAuthority) AddExtension ¶
func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error
AddExtension adds extensions to the certificate authority's certificate. The extensions are serialized into the certificate's raw bytes and the certificate is re-signed by itself.
func (*FullCertificateAuthority) Chain ¶
func (ca *FullCertificateAuthority) Chain() []*x509.Certificate
Chain returns the CA's certificate chain.
func (*FullCertificateAuthority) NewIdentity ¶
func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)
NewIdentity generates a new `FullIdentity` based on the CA. The CA cert is included in the identity's cert chain and the identity's leaf cert is signed by the CA.
func (*FullCertificateAuthority) PeerCA ¶
func (ca *FullCertificateAuthority) PeerCA() *PeerCertificateAuthority
PeerCA converts a FullCertificateAuthority to a PeerCertificateAuthority.
func (*FullCertificateAuthority) RawChain ¶
func (ca *FullCertificateAuthority) RawChain() [][]byte
RawChain returns the CA's certificate chain as a 2d byte slice.
func (*FullCertificateAuthority) RawRestChain ¶
func (ca *FullCertificateAuthority) RawRestChain() [][]byte
RawRestChain returns the "rest" (excluding `ca.Cert`) of the certificate chain as a 2d byte slice.
func (*FullCertificateAuthority) Revoke ¶
func (ca *FullCertificateAuthority) Revoke() error
Revoke extends the certificate authority certificate with a certificate revocation extension.
func (*FullCertificateAuthority) Sign ¶
func (ca *FullCertificateAuthority) Sign(cert *x509.Certificate) (*x509.Certificate, error)
Sign signs the passed certificate with the CA certificate.
type FullIdentity ¶
// FullIdentity represents this node on the network. In addition to what a
// PeerIdentity carries, a FullIdentity also holds the private Key.
type FullIdentity struct {
	// RestChain holds the remainder of the certificate chain, excluding Leaf
	// and CA (this is what RawRestChain serializes).
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA. The ID is taken from this cert.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// ID is taken from the CA public key.
	ID storj.NodeID
	// Key is the key this identity uses with the leaf for communication.
	Key crypto.PrivateKey
}
FullIdentity represents you on the network. In addition to a PeerIdentity, a FullIdentity also has a Key, which a PeerIdentity doesn't have.
func FullIdentityFromPEM ¶
func FullIdentityFromPEM(chainPEM, keyPEM []byte) (*FullIdentity, error)
FullIdentityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.
func NewFullIdentity ¶
func NewFullIdentity(ctx context.Context, opts NewCAOptions) (*FullIdentity, error)
NewFullIdentity creates a new ID for nodes with difficulty and concurrency params.
func (*FullIdentity) Chain ¶
func (fi *FullIdentity) Chain() []*x509.Certificate
Chain returns the Identity's certificate chain.
func (*FullIdentity) PeerIdentity ¶
func (fi *FullIdentity) PeerIdentity() *PeerIdentity
PeerIdentity converts a FullIdentity into a PeerIdentity.
func (*FullIdentity) RawChain ¶
func (fi *FullIdentity) RawChain() [][]byte
RawChain returns all of the certificate chain as a 2d byte slice.
func (*FullIdentity) RawRestChain ¶
func (fi *FullIdentity) RawRestChain() [][]byte
RawRestChain returns the rest (excluding leaf and CA) of the certificate chain as a 2d byte slice.
type GenerateCallback ¶
GenerateCallback indicates that key generation is done when done is true. If err != nil, key generation stops with that error.
type ManageableFullIdentity ¶
// ManageableFullIdentity pairs a FullIdentity with the FullCertificateAuthority
// that issued it, so operations needing both CA authorization and the leaf
// private key (e.g. Revoke) can be performed.
type ManageableFullIdentity struct {
	*FullIdentity
	// CA is the full (key-bearing) certificate authority for the embedded identity.
	CA *FullCertificateAuthority
}
ManageableFullIdentity is a `FullIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization and the leaf private key; e.g. revoking a leaf cert (private key changes).
func NewManageableFullIdentity ¶
func NewManageableFullIdentity(ident *FullIdentity, ca *FullCertificateAuthority) *ManageableFullIdentity
NewManageableFullIdentity returns a manageable identity given a full identity and a full certificate authority.
func (*ManageableFullIdentity) Revoke ¶
func (manageableIdent *ManageableFullIdentity) Revoke() error
Revoke extends the CA certificate with a certificate revocation extension.
type ManageablePeerIdentity ¶
// ManageablePeerIdentity pairs a PeerIdentity with the FullCertificateAuthority
// that issued it, so operations needing CA authorization (e.g. AddExtension)
// can be performed.
type ManageablePeerIdentity struct {
	*PeerIdentity
	// CA is the full (key-bearing) certificate authority for the embedded identity.
	CA *FullCertificateAuthority
}
ManageablePeerIdentity is a `PeerIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization; e.g. adding extensions.
func NewManageablePeerIdentity ¶
func NewManageablePeerIdentity(ident *PeerIdentity, ca *FullCertificateAuthority) *ManageablePeerIdentity
NewManageablePeerIdentity returns a manageable identity given a peer identity and a full certificate authority.
func (*ManageablePeerIdentity) AddExtension ¶
func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extension) error
AddExtension adds extensions to the leaf cert of an identity. The extensions are serialized into the certificate's raw bytes and the certificate is re-signed by its certificate authority.
type NewCAOptions ¶
// NewCAOptions is used to pass parameters to NewCA.
type NewCAOptions struct {
	// VersionNumber is the IDVersion to use for the identity.
	VersionNumber storj.IDVersionNumber
	// Difficulty is the number of trailing zero-bits the nodeID must have.
	Difficulty uint16
	// Concurrency is the number of go routines used to generate a CA of sufficient difficulty.
	Concurrency uint
	// ParentCert, if provided, will be prepended to the certificate chain.
	ParentCert *x509.Certificate
	// ParentKey is the parent authority's private key.
	// NOTE(review): the original comment was empty; presumably required
	// whenever ParentCert is set so the new CA cert can be signed by the
	// parent — confirm against NewCA.
	ParentKey crypto.PrivateKey
	// Logger is used to log generation status updates.
	Logger io.Writer
}
NewCAOptions is used to pass parameters to `NewCA`.
type PeerCAConfig ¶
// PeerCAConfig locates a CA certificate chain on disk; no private key is involved.
type PeerCAConfig struct {
	// CertPath is the path to the CA certificate chain.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
}
PeerCAConfig is for locating a CA certificate without a private key.
func (PeerCAConfig) Load ¶
func (pc PeerCAConfig) Load() (*PeerCertificateAuthority, error)
Load loads a CA from the given configuration.
func (PeerCAConfig) Save ¶
func (pc PeerCAConfig) Save(ca *PeerCertificateAuthority) error
Save saves a peer CA (cert, no key) with the given configuration.
func (PeerCAConfig) SaveBackup ¶
func (pc PeerCAConfig) SaveBackup(ca *PeerCertificateAuthority) error
SaveBackup saves the certificate of the config with a timestamped filename.
type PeerCertificateAuthority ¶
// PeerCertificateAuthority represents the CA which is used to validate peer
// identities. It carries no private key, so it can only verify, not sign.
type PeerCertificateAuthority struct {
	// RestChain holds the remainder of the certificate chain, excluding Cert.
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA.
	Cert *x509.Certificate
	// ID is calculated from the CA public key.
	ID storj.NodeID
}
PeerCertificateAuthority represents the CA which is used to validate peer identities.
func PeerCertificateAuthorityFromPEM ¶
func PeerCertificateAuthorityFromPEM(chainPEM []byte) (*PeerCertificateAuthority, error)
PeerCertificateAuthorityFromPEM loads a PeerCertificateAuthority from PEM-encoded certificate chain bytes.
type PeerConfig ¶
// PeerConfig locates a peer identity's certificate chain on disk (cert only, no key).
type PeerConfig struct {
	// CertPath is the path to the certificate chain for this identity.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true" path:"true"`
}
PeerConfig allows you to interact with a peer identity (cert, no key) on disk.
func (PeerConfig) Load ¶
func (ic PeerConfig) Load() (*PeerIdentity, error)
Load loads a PeerIdentity from the config.
func (PeerConfig) Save ¶
func (ic PeerConfig) Save(peerIdent *PeerIdentity) error
Save saves a PeerIdentity according to the config.
func (PeerConfig) SaveBackup ¶
func (ic PeerConfig) SaveBackup(pi *PeerIdentity) error
SaveBackup saves the certificate of the config with a timestamped filename.
type PeerIdentity ¶
// PeerIdentity represents another peer on the network. It carries the peer's
// certificate chain and ID but no private key.
type PeerIdentity struct {
	// RestChain holds the remainder of the certificate chain, excluding Leaf and CA.
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// ID is taken from the CA public key.
	ID storj.NodeID
}
PeerIdentity represents another peer on the network.
func DecodePeerIdentity ¶
func DecodePeerIdentity(ctx context.Context, chain []byte) (_ *PeerIdentity, err error)
DecodePeerIdentity decodes the bytes into a complete identity chain.
func PeerIdentityFromChain ¶
func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)
PeerIdentityFromChain loads a PeerIdentity from an identity certificate chain.
func PeerIdentityFromContext ¶
func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)
PeerIdentityFromContext loads a PeerIdentity from the TLS credentials carried in ctx.
func PeerIdentityFromPEM ¶
func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)
PeerIdentityFromPEM loads a PeerIdentity from PEM-encoded certificate chain bytes.
func PeerIdentityFromPeer ¶
func PeerIdentityFromPeer(peer *rpcpeer.Peer) (*PeerIdentity, error)
PeerIdentityFromPeer loads a PeerIdentity from a peer connection.
type SetupConfig ¶
// SetupConfig holds the paths and flags used when creating a new full identity.
// Help text and defaults for each field are carried in the struct tags.
type SetupConfig struct {
	// CertPath is where the identity certificate chain is written.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" path:"true"`
	// KeyPath is where the identity private key is written.
	KeyPath string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" path:"true"`
	// Overwrite, when true, allows existing identity cert AND key files to be replaced.
	Overwrite bool `help:"if true, existing identity certs AND keys will overwritten for" default:"false" setup:"true"`
	// Version is the semantic version of the identity storage format.
	Version string `help:"semantic version of identity storage format" default:"0"`
}
SetupConfig allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.
func (SetupConfig) Create ¶
func (is SetupConfig) Create(ca *FullCertificateAuthority) (*FullIdentity, error)
Create generates and saves a FullIdentity issued by the given CA, according to the config.
func (SetupConfig) FullConfig ¶
func (is SetupConfig) FullConfig() Config
FullConfig converts a `SetupConfig` to `Config`.
func (SetupConfig) Status ¶
func (is SetupConfig) Status() (TLSFilesStatus, error)
Status returns the status of the identity cert/key files for the config.
type TLSFilesStatus ¶
// TLSFilesStatus reports which of an identity's certificate and key files
// exist on disk; see the NoCertNoKey, CertNoKey, NoCertKey and CertKey constants.
type TLSFilesStatus int
TLSFilesStatus is the status of the certificate and key files.
func (TLSFilesStatus) String ¶
func (t TLSFilesStatus) String() string
Directories ¶
Path | Synopsis
---|---
testidentity | Package testidentity contains pregenerated identities for testing.