identity

Overview

Package identity implements CA and Peer identity management and generation.

Index

Constants

const (
	// NoCertNoKey: neither the certificate file nor the key file is present.
	NoCertNoKey = TLSFilesStatus(iota)
	// CertNoKey: the certificate file is present but the key file is not.
	CertNoKey
	// NoCertKey: the key file is present but the certificate file is not.
	NoCertKey
	// CertKey: both the certificate file and the key file are present.
	CertKey
)

Four possible outcomes for four files.

Variables

var (
	// ErrZeroBytes is returned when a byte slice that must be non-empty
	// turns out to be empty.
	ErrZeroBytes = errs.New("byte slice was unexpectedly empty")
)
var (

	// Error is the error class used to wrap errors raised by this package.
	Error = errs.Class("identity")
)

Functions

func EncodePeerIdentity

func EncodePeerIdentity(pi *PeerIdentity) []byte

EncodePeerIdentity encodes the complete identity chain to bytes.

func GenerateKey

func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) (
	k crypto.PrivateKey, id storj.NodeID, err error)

GenerateKey generates a private key with a node id with difficulty at least minDifficulty. No parallelism is used.

func GenerateKeys

func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, version storj.IDVersion, found GenerateCallback) (err error)

GenerateKeys continues to generate keys until found returns done == false, or the ctx is canceled.

func NodeIDFromCert

func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)

NodeIDFromCert looks for a version in an ID version extension in the passed cert and then calculates a versioned node ID using the certificate public key. NB: `cert` would typically be an identity's certificate authority certificate.

func NodeIDFromCertPath

func NodeIDFromCertPath(certPath string) (storj.NodeID, error)

NodeIDFromCertPath loads a node ID from a certificate file path.

func NodeIDFromKey

func NodeIDFromKey(k crypto.PublicKey, version storj.IDVersion) (storj.NodeID, error)

NodeIDFromKey calculates the node ID for a given public key with the passed version.

func NodeIDFromPEM

func NodeIDFromPEM(pemBytes []byte) (storj.NodeID, error)

NodeIDFromPEM loads a node ID from certificate bytes.

func ToChains

func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate

ToChains takes a number of certificate chains and returns them as a 2d slice of chains of certificates.

Types

type CASetupConfig

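// CASetupConfig is for creating a CA. The struct tags carry the flag help
// text and defaults used when the config is bound to command-line flags.
type CASetupConfig struct {
	// VersionNumber selects the identity version; 0 means the latest.
	VersionNumber uint `default:"0" help:"which identity version to use (0 is latest)"`
	// ParentCertPath and ParentKeyPath locate an optional parent authority.
	ParentCertPath string `help:"path to the parent authority's certificate chain"`
	ParentKeyPath  string `help:"path to the parent authority's private key"`
	// CertPath and KeyPath are where this CA's certificate chain and private
	// key are stored.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
	// Difficulty is the minimum node ID difficulty to generate.
	Difficulty uint64 `help:"minimum difficulty for identity generation" default:"36"`
	// Timeout is a Go duration string; "0" disables the timeout.
	Timeout string `help:"timeout for CA generation; golang duration string (0 no timeout)" default:"5m"`
	// Overwrite permits replacing an existing CA cert AND key on disk.
	// The help text previously read "will overwritten".
	Overwrite bool `help:"if true, existing CA certs AND keys will be overwritten" default:"false" setup:"true"`
	// Concurrency is the number of concurrent workers used for generation.
	Concurrency uint `help:"number of concurrent workers for certificate authority generation" default:"4"`
}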

CASetupConfig is for creating a CA.

func (CASetupConfig) Create

func (caS CASetupConfig) Create(ctx context.Context, logger io.Writer) (*FullCertificateAuthority, error)

Create generates and saves a CA using the config.

func (CASetupConfig) FullConfig

func (caS CASetupConfig) FullConfig() FullCAConfig

FullConfig converts a `CASetupConfig` to `FullCAConfig`.

func (CASetupConfig) Status

func (caS CASetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the CA cert/key files for the config.

type Config

type Config struct {
	// CertPath is the on-disk location of the identity's certificate chain.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true" path:"true"`
	// KeyPath is the on-disk location of the identity's private key.
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" user:"true" path:"true"`
}

Config allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (Config) Load

func (ic Config) Load() (*FullIdentity, error)

Load loads a FullIdentity from the config.

func (Config) PeerConfig

func (ic Config) PeerConfig() *PeerConfig

PeerConfig converts a Config to a PeerConfig.

func (Config) Save

func (ic Config) Save(fi *FullIdentity) error

Save saves a FullIdentity according to the config.

func (Config) SaveBackup

func (ic Config) SaveBackup(fi *FullIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename.

type FullCAConfig

type FullCAConfig struct {
	// CertPath is the on-disk location of the CA certificate chain.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	// KeyPath is the on-disk location of the CA private key.
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
}

FullCAConfig is for locating a CA certificate and its private key.

func (FullCAConfig) Load

Load loads a CA from the given configuration.

func (FullCAConfig) PeerConfig

func (fc FullCAConfig) PeerConfig() PeerCAConfig

PeerConfig converts a full ca config to a peer ca config.

func (FullCAConfig) Save

Save saves a CA with the given configuration.

func (FullCAConfig) SaveBackup

func (fc FullCAConfig) SaveBackup(ca *FullCertificateAuthority) error

SaveBackup saves the certificate of the config with a timestamped filename.

type FullCertificateAuthority

type FullCertificateAuthority struct {
	// RestChain is the rest of the certificate chain, excluding Cert
	// (see RawRestChain).
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
	// Key is the private key of the CA
	Key crypto.PrivateKey
}

FullCertificateAuthority represents the CA which is used to author and validate full identities.

func FullCertificateAuthorityFromPEM

func FullCertificateAuthorityFromPEM(chainPEM, keyPEM []byte) (*FullCertificateAuthority, error)

FullCertificateAuthorityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewCA

func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority, err error)

NewCA creates a new full identity with the given difficulty.

func (*FullCertificateAuthority) AddExtension

func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error

AddExtension adds extensions to certificate authority certificate. Extensions are serialized into the certificate's raw bytes and it is re-signed by itself.

func (*FullCertificateAuthority) Chain

func (ca *FullCertificateAuthority) Chain() []*x509.Certificate

Chain returns the CA's certificate chain.

func (*FullCertificateAuthority) NewIdentity

func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)

NewIdentity generates a new `FullIdentity` based on the CA. The CA cert is included in the identity's cert chain and the identity's leaf cert is signed by the CA.

func (*FullCertificateAuthority) PeerCA

PeerCA converts a FullCertificateAuthority to a PeerCertificateAuthority.

func (*FullCertificateAuthority) RawChain

func (ca *FullCertificateAuthority) RawChain() [][]byte

RawChain returns the CA's certificate chain as a 2d byte slice.

func (*FullCertificateAuthority) RawRestChain

func (ca *FullCertificateAuthority) RawRestChain() [][]byte

RawRestChain returns the "rest" (excluding `ca.Cert`) of the certificate chain as a 2d byte slice.

func (*FullCertificateAuthority) Revoke

func (ca *FullCertificateAuthority) Revoke() error

Revoke extends the certificate authority certificate with a certificate revocation extension.

func (*FullCertificateAuthority) Sign

Sign signs the passed certificate with ca certificate.

func (*FullCertificateAuthority) Version

func (ca *FullCertificateAuthority) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type FullIdentity

type FullIdentity struct {
	// RestChain is the rest of the certificate chain, excluding Leaf and CA
	// (see RawRestChain).
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA. The ID is taken from this cert.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
	// Key is the private key this identity uses with the leaf for communication.
	Key crypto.PrivateKey
}

FullIdentity represents you on the network. In addition to a PeerIdentity, a FullIdentity also has a Key, which a PeerIdentity doesn't have.

func FullIdentityFromPEM

func FullIdentityFromPEM(chainPEM, keyPEM []byte) (*FullIdentity, error)

FullIdentityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewFullIdentity

func NewFullIdentity(ctx context.Context, opts NewCAOptions) (*FullIdentity, error)

NewFullIdentity creates a new ID for nodes with difficulty and concurrency params.

func (*FullIdentity) Chain

func (fi *FullIdentity) Chain() []*x509.Certificate

Chain returns the Identity's certificate chain.

func (*FullIdentity) PeerIdentity

func (fi *FullIdentity) PeerIdentity() *PeerIdentity

PeerIdentity converts a FullIdentity into a PeerIdentity.

func (*FullIdentity) RawChain

func (fi *FullIdentity) RawChain() [][]byte

RawChain returns all of the certificate chain as a 2d byte slice.

func (*FullIdentity) RawRestChain

func (fi *FullIdentity) RawRestChain() [][]byte

RawRestChain returns the rest (excluding leaf and CA) of the certificate chain as a 2d byte slice.

func (*FullIdentity) Version

func (fi *FullIdentity) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type GenerateCallback

// GenerateCallback is invoked for each generated key / node ID pair. Returning
// done == true stops generation; a non-nil err stops it with that error.
type GenerateCallback func(crypto.PrivateKey, storj.NodeID) (done bool, err error)

GenerateCallback indicates that key generation is done when done is true. If err != nil, key generation will stop with that error.

type ManageableFullIdentity

type ManageableFullIdentity struct {
	// FullIdentity is the identity being managed (embedded).
	*FullIdentity
	// CA is the full certificate authority, including its private key,
	// that authorizes changes to the identity.
	CA *FullCertificateAuthority
}

ManageableFullIdentity is a `FullIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization and the leaf private key; e.g. revoking a leaf cert (private key changes).

func NewManageableFullIdentity

func NewManageableFullIdentity(ident *FullIdentity, ca *FullCertificateAuthority) *ManageableFullIdentity

NewManageableFullIdentity returns a manageable identity given a full identity and a full certificate authority.

func (*ManageableFullIdentity) Revoke

func (manageableIdent *ManageableFullIdentity) Revoke() error

Revoke extends the CA certificate with a certificate revocation extension.

type ManageablePeerIdentity

type ManageablePeerIdentity struct {
	// PeerIdentity is the identity being managed (embedded).
	*PeerIdentity
	// CA is the full certificate authority, including its private key,
	// that authorizes changes to the identity.
	CA *FullCertificateAuthority
}

ManageablePeerIdentity is a `PeerIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization; e.g. adding extensions.

func NewManageablePeerIdentity

func NewManageablePeerIdentity(ident *PeerIdentity, ca *FullCertificateAuthority) *ManageablePeerIdentity

NewManageablePeerIdentity returns a manageable identity given a peer identity and a full certificate authority.

func (*ManageablePeerIdentity) AddExtension

func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extension) error

AddExtension adds extensions to the leaf cert of an identity. Extensions are serialized into the certificate's raw bytes and the certificate is re-signed by its certificate authority.

type NewCAOptions

type NewCAOptions struct {
	// VersionNumber is the IDVersion to use for the identity
	VersionNumber storj.IDVersionNumber
	// Difficulty is the number of trailing zero-bits the nodeID must have
	Difficulty uint16
	// Concurrency is the number of go routines used to generate a CA of sufficient difficulty
	Concurrency uint
	// ParentCert, if provided will be prepended to the certificate chain
	ParentCert *x509.Certificate
	// ParentKey is the private key that accompanies ParentCert; presumably
	// used to sign the new CA certificate — confirm against NewCA.
	ParentKey crypto.PrivateKey
	// Logger is used to log generation status updates
	Logger io.Writer
}

NewCAOptions is used to pass parameters to `NewCA`.

type PeerCAConfig

type PeerCAConfig struct {
	// CertPath is the on-disk location of the CA certificate chain; a peer
	// CA config has no key path.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
}

PeerCAConfig is for locating a CA certificate without a private key.

func (PeerCAConfig) Load

Load loads a CA from the given configuration.

func (PeerCAConfig) Save

Save saves a peer CA (cert, no key) with the given configuration.

func (PeerCAConfig) SaveBackup

func (pc PeerCAConfig) SaveBackup(ca *PeerCertificateAuthority) error

SaveBackup saves the certificate of the config with a timestamped filename.

type PeerCertificateAuthority

type PeerCertificateAuthority struct {
	// RestChain is the rest of the certificate chain, excluding Cert.
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
}

PeerCertificateAuthority represents the CA which is used to validate peer identities.

func PeerCertificateAuthorityFromPEM

func PeerCertificateAuthorityFromPEM(chainPEM []byte) (*PeerCertificateAuthority, error)

PeerCertificateAuthorityFromPEM loads a PeerCertificateAuthority from PEM-encoded certificate chain bytes; no private key is involved.

type PeerConfig

type PeerConfig struct {
	// CertPath is the on-disk location of the peer identity's certificate
	// chain; a peer config has no key path.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true" path:"true"`
}

PeerConfig allows you to interact with a peer identity (cert, no key) on disk.

func (PeerConfig) Load

func (ic PeerConfig) Load() (*PeerIdentity, error)

Load loads a PeerIdentity from the config.

func (PeerConfig) Save

func (ic PeerConfig) Save(peerIdent *PeerIdentity) error

Save saves a PeerIdentity according to the config.

func (PeerConfig) SaveBackup

func (ic PeerConfig) SaveBackup(pi *PeerIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename.

type PeerIdentity

type PeerIdentity struct {
	// RestChain is the rest of the certificate chain, excluding Leaf and CA.
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
}

PeerIdentity represents another peer on the network.

func DecodePeerIdentity

func DecodePeerIdentity(ctx context.Context, chain []byte) (_ *PeerIdentity, err error)

DecodePeerIdentity decodes the bytes into a complete identity chain.

func PeerIdentityFromChain

func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)

PeerIdentityFromChain loads a PeerIdentity from an identity certificate chain.

func PeerIdentityFromContext

func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)

PeerIdentityFromContext loads a PeerIdentity from a ctx TLS credentials.

func PeerIdentityFromPEM

func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)

PeerIdentityFromPEM loads a PeerIdentity from PEM-encoded certificate chain bytes; no private key is involved.

func PeerIdentityFromPeer

func PeerIdentityFromPeer(peer *rpcpeer.Peer) (*PeerIdentity, error)

PeerIdentityFromPeer loads a PeerIdentity from a peer connection.

type SetupConfig

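// SetupConfig holds the paths and options used when creating an identity.
// The struct tags carry the flag help text and defaults used when the config
// is bound to command-line flags.
type SetupConfig struct {
	// CertPath and KeyPath are where the identity's certificate chain and
	// private key are stored.
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" path:"true"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" path:"true"`
	// Overwrite permits replacing an existing identity cert AND key on disk.
	// The help text previously read "will overwritten for".
	Overwrite bool `help:"if true, existing identity certs AND keys will be overwritten" default:"false" setup:"true"`
	// Version is the semantic version of the identity storage format.
	Version string `help:"semantic version of identity storage format" default:"0"`
}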

SetupConfig allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (SetupConfig) Create

Create generates and saves a CA using the config.

func (SetupConfig) FullConfig

func (is SetupConfig) FullConfig() Config

FullConfig converts a `SetupConfig` to `Config`.

func (SetupConfig) Status

func (is SetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the identity cert/key files for the config.

type TLSFilesStatus

// TLSFilesStatus reports which of a certificate/key file pair are present;
// see the NoCertNoKey, CertNoKey, NoCertKey and CertKey constants.
type TLSFilesStatus int

TLSFilesStatus is the status of the certificate and key files.

func (TLSFilesStatus) String

func (t TLSFilesStatus) String() string

Directories

Path Synopsis
Package testidentity contains pregenerated identities for testing.
