Documentation ¶
Index ¶
- Constants
- Variables
- func EncodePeerIdentity(pi *PeerIdentity) []byte
- func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) (k crypto.PrivateKey, id storj.NodeID, err error)
- func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, ...) (err error)
- func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)
- func NodeIDFromCertPath(certPath string) (storj.NodeID, error)
- func NodeIDFromKey(k crypto.PublicKey, version storj.IDVersion) (storj.NodeID, error)
- func NodeIDFromPEM(pemBytes []byte) (storj.NodeID, error)
- func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate
- type CASetupConfig
- type Config
- type FullCAConfig
- type FullCertificateAuthority
- func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error
- func (ca *FullCertificateAuthority) Chain() []*x509.Certificate
- func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)
- func (ca *FullCertificateAuthority) PeerCA() *PeerCertificateAuthority
- func (ca *FullCertificateAuthority) RawChain() [][]byte
- func (ca *FullCertificateAuthority) RawRestChain() [][]byte
- func (ca *FullCertificateAuthority) Revoke() error
- func (ca *FullCertificateAuthority) Sign(cert *x509.Certificate) (*x509.Certificate, error)
- func (ca *FullCertificateAuthority) Version() (storj.IDVersion, error)
- type FullIdentity
- type GenerateCallback
- type ManageableFullIdentity
- type ManageablePeerIdentity
- type NewCAOptions
- type PeerCAConfig
- type PeerCertificateAuthority
- type PeerConfig
- type PeerIdentity
- func DecodePeerIdentity(ctx context.Context, chain []byte) (_ *PeerIdentity, err error)
- func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)
- func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)
- func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)
- func PeerIdentityFromPeer(peer *peer.Peer) (*PeerIdentity, error)
- type RevocationDB
- func (r RevocationDB) Close() error
- func (r RevocationDB) Get(ctx context.Context, chain []*x509.Certificate) (_ *extensions.Revocation, err error)
- func (r RevocationDB) List(ctx context.Context) (revs []*extensions.Revocation, err error)
- func (r RevocationDB) Put(ctx context.Context, chain []*x509.Certificate, revExt pkix.Extension) (err error)
- type SetupConfig
- type TLSFilesStatus
Constants ¶
// Possible outcomes of checking for an identity's certificate and key files
// on disk (the value reported by CASetupConfig.Status and SetupConfig.Status).
const (
	// NoCertNoKey: neither the certificate file nor the key file was found.
	NoCertNoKey = TLSFilesStatus(iota)
	// CertNoKey: the certificate file was found but the key file was not.
	CertNoKey
	// NoCertKey: the key file was found but the certificate file was not.
	NoCertKey
	// CertKey: both the certificate file and the key file were found.
	CertKey
)
Four possible outcomes for the certificate and key files
Variables ¶
var (
	// ErrZeroBytes is returned when a byte slice that was expected to hold
	// data (for example a certificate chain) turns out to be empty.
	ErrZeroBytes = errs.New("byte slice was unexpectedly empty")
)
var (
	// Error is the error class for errors originating in pkg/identity.
	Error = errs.Class("identity error")
)
Functions ¶
func EncodePeerIdentity ¶ added in v0.17.0
func EncodePeerIdentity(pi *PeerIdentity) []byte
EncodePeerIdentity encodes the complete identity chain to bytes
func GenerateKey ¶
func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) ( k crypto.PrivateKey, id storj.NodeID, err error)
GenerateKey generates a private key with a node id with difficulty at least minDifficulty. No parallelism is used.
func GenerateKeys ¶
func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, version storj.IDVersion, found GenerateCallback) (err error)
GenerateKeys continues to generate keys until found returns done == true, or the ctx is canceled.
func NodeIDFromCert ¶ added in v0.9.0
func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)
NodeIDFromCert looks for a version in an ID version extension in the passed cert and then calculates a versioned node ID using the certificate public key. NB: `cert` would typically be an identity's certificate authority certificate.
func NodeIDFromCertPath ¶
NodeIDFromCertPath loads a node ID from a certificate file path.
func NodeIDFromKey ¶
NodeIDFromKey calculates the node ID for a given public key with the passed version.
func NodeIDFromPEM ¶
NodeIDFromPEM loads a node ID from certificate bytes.
func ToChains ¶
func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate
ToChains takes a number of certificate chains and returns them as a 2d slice of chains of certificates.
Types ¶
type CASetupConfig ¶
// CASetupConfig is for creating a CA: Create generates and saves one,
// Status reports which of its files already exist, and FullConfig yields
// the FullCAConfig used to load it again.
type CASetupConfig struct {
	VersionNumber uint `default:"0" help:"which identity version to use (0 is latest)"`
	// ParentCertPath and ParentKeyPath locate an optional parent authority;
	// compare NewCAOptions.ParentCert/ParentKey.
	ParentCertPath string `help:"path to the parent authority's certificate chain"`
	ParentKeyPath string `help:"path to the parent authority's private key"`
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
	// Difficulty is uint64 here while NewCAOptions.Difficulty is uint16;
	// NOTE(review): presumably narrowed in Create — confirm the conversion is range-checked.
	Difficulty uint64 `help:"minimum difficulty for identity generation" default:"30"`
	Timeout string `help:"timeout for CA generation; golang duration string (0 no timeout)" default:"5m"`
	// Overwrite is a setup-only flag (setup:"true"); when set, an existing
	// CA cert and key at CertPath/KeyPath are replaced.
	Overwrite bool `help:"if true, existing CA certs AND keys will overwritten" default:"false" setup:"true"`
	Concurrency uint `help:"number of concurrent workers for certificate authority generation" default:"4"`
}
CASetupConfig is for creating a CA
func (CASetupConfig) Create ¶
func (caS CASetupConfig) Create(ctx context.Context, logger io.Writer) (*FullCertificateAuthority, error)
Create generates and saves a CA using the config
func (CASetupConfig) FullConfig ¶
func (caS CASetupConfig) FullConfig() FullCAConfig
FullConfig converts a `CASetupConfig` to `FullCAConfig`
func (CASetupConfig) Status ¶
func (caS CASetupConfig) Status() (TLSFilesStatus, error)
Status returns the status of the CA cert/key files for the config
type Config ¶
// Config locates a full identity (certificate chain plus private key) on
// disk; Load reads it, Save and SaveBackup write it, and PeerConfig yields
// the key-less PeerConfig for the same identity.
type Config struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true"`
	KeyPath string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" user:"true"`
}
Config allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.
func (Config) Load ¶
func (ic Config) Load() (*FullIdentity, error)
Load loads a FullIdentity from the config
func (Config) PeerConfig ¶
func (ic Config) PeerConfig() *PeerConfig
PeerConfig converts a Config to a PeerConfig
func (Config) Save ¶
func (ic Config) Save(fi *FullIdentity) error
Save saves a FullIdentity according to the config
func (Config) SaveBackup ¶
func (ic Config) SaveBackup(fi *FullIdentity) error
SaveBackup saves the certificate of the config with a timestamped filename
type FullCAConfig ¶
// FullCAConfig is for locating a CA certificate and its private key; Load
// reads them, Save and SaveBackup write them, and PeerConfig yields the
// key-less PeerCAConfig for the same CA.
type FullCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
}
FullCAConfig is for locating a CA certificate and its private key
func (FullCAConfig) Load ¶
func (fc FullCAConfig) Load() (*FullCertificateAuthority, error)
Load loads a CA from the given configuration
func (FullCAConfig) PeerConfig ¶
func (fc FullCAConfig) PeerConfig() PeerCAConfig
PeerConfig converts a full ca config to a peer ca config
func (FullCAConfig) Save ¶
func (fc FullCAConfig) Save(ca *FullCertificateAuthority) error
Save saves a CA with the given configuration
func (FullCAConfig) SaveBackup ¶
func (fc FullCAConfig) SaveBackup(ca *FullCertificateAuthority) error
SaveBackup saves the certificate of the config with a timestamped filename
type FullCertificateAuthority ¶
// FullCertificateAuthority represents the CA which is used to author and
// validate full identities. Unlike PeerCertificateAuthority it also holds
// the CA private key; PeerCA returns the key-less form.
type FullCertificateAuthority struct {
	// RestChain is the rest of the certificate chain, excluding Cert
	// (RawRestChain returns it encoded).
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
	// Key is the private key of the CA
	Key crypto.PrivateKey
}
FullCertificateAuthority represents the CA which is used to author and validate full identities
func FullCertificateAuthorityFromPEM ¶
func FullCertificateAuthorityFromPEM(chainPEM, keyPEM []byte) (*FullCertificateAuthority, error)
FullCertificateAuthorityFromPEM loads a FullCertificateAuthority from a certificate chain and private key PEM-encoded bytes.
func NewCA ¶
func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority, err error)
NewCA creates a new full certificate authority with the difficulty given in opts.
func (*FullCertificateAuthority) AddExtension ¶
func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error
AddExtension adds extensions to certificate authority certificate. Extensions are serialized into the certificate's raw bytes and it is re-signed by itself.
func (*FullCertificateAuthority) Chain ¶
func (ca *FullCertificateAuthority) Chain() []*x509.Certificate
Chain returns the CA's certificate chain
func (*FullCertificateAuthority) NewIdentity ¶
func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)
NewIdentity generates a new `FullIdentity` based on the CA. The CA cert is included in the identity's cert chain and the identity's leaf cert is signed by the CA.
func (*FullCertificateAuthority) PeerCA ¶
func (ca *FullCertificateAuthority) PeerCA() *PeerCertificateAuthority
PeerCA converts a FullCertificateAuthority to a PeerCertificateAuthority
func (*FullCertificateAuthority) RawChain ¶
func (ca *FullCertificateAuthority) RawChain() [][]byte
RawChain returns the CA's certificate chain as a 2d byte slice
func (*FullCertificateAuthority) RawRestChain ¶
func (ca *FullCertificateAuthority) RawRestChain() [][]byte
RawRestChain returns the "rest" (excluding `ca.Cert`) of the certificate chain as a 2d byte slice
func (*FullCertificateAuthority) Revoke ¶
func (ca *FullCertificateAuthority) Revoke() error
Revoke extends the certificate authority certificate with a certificate revocation extension.
func (*FullCertificateAuthority) Sign ¶
func (ca *FullCertificateAuthority) Sign(cert *x509.Certificate) (*x509.Certificate, error)
Sign signs the passed certificate with ca certificate
type FullIdentity ¶
// FullIdentity represents you on the network. In addition to a PeerIdentity,
// a FullIdentity also has a Key, which a PeerIdentity doesn't have; the
// PeerIdentity method returns the key-less form.
type FullIdentity struct {
	// RestChain is the rest of the certificate chain, excluding Leaf and CA
	// (RawRestChain returns it encoded).
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA. The ID is taken from this cert.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
	// Key is the key this identity uses with the leaf for communication.
	Key crypto.PrivateKey
}
FullIdentity represents you on the network. In addition to a PeerIdentity, a FullIdentity also has a Key, which a PeerIdentity doesn't have.
func FullIdentityFromPEM ¶
func FullIdentityFromPEM(chainPEM, keyPEM []byte) (*FullIdentity, error)
FullIdentityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.
func NewFullIdentity ¶
func NewFullIdentity(ctx context.Context, opts NewCAOptions) (*FullIdentity, error)
NewFullIdentity creates a new ID for nodes with difficulty and concurrency params.
func (*FullIdentity) Chain ¶
func (fi *FullIdentity) Chain() []*x509.Certificate
Chain returns the Identity's certificate chain
func (*FullIdentity) PeerIdentity ¶
func (fi *FullIdentity) PeerIdentity() *PeerIdentity
PeerIdentity converts a FullIdentity into a PeerIdentity
func (*FullIdentity) RawChain ¶
func (fi *FullIdentity) RawChain() [][]byte
RawChain returns all of the certificate chain as a 2d byte slice
func (*FullIdentity) RawRestChain ¶
func (fi *FullIdentity) RawRestChain() [][]byte
RawRestChain returns the rest (excluding leaf and CA) of the certificate chain as a 2d byte slice
type GenerateCallback ¶
GenerateCallback indicates that key generation is done when done is true. If err != nil, key generation stops with that error.
type ManageableFullIdentity ¶
// ManageableFullIdentity is a `FullIdentity` and its corresponding
// `FullCertificateAuthority` in a single struct. It is used for making
// changes to the identity that require CA authorization and the leaf
// private key; e.g. revoking a leaf cert (private key changes).
type ManageableFullIdentity struct {
	// FullIdentity is embedded, so the identity's fields and methods
	// are available directly on the manageable identity.
	*FullIdentity
	// CA is the authority that signed the identity's leaf cert; it is
	// what authorizes changes such as Revoke.
	CA *FullCertificateAuthority
}
ManageableFullIdentity is a `FullIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization and the leaf private key; e.g. revoking a leaf cert (private key changes).
func NewManageableFullIdentity ¶
func NewManageableFullIdentity(ident *FullIdentity, ca *FullCertificateAuthority) *ManageableFullIdentity
NewManageableFullIdentity returns a manageable identity given a full identity and a full certificate authority.
func (*ManageableFullIdentity) Revoke ¶
func (manageableIdent *ManageableFullIdentity) Revoke() error
Revoke extends the CA certificate with a certificate revocation extension.
type ManageablePeerIdentity ¶
// ManageablePeerIdentity is a `PeerIdentity` and its corresponding
// `FullCertificateAuthority` in a single struct. It is used for making
// changes to the identity that require CA authorization; e.g. adding
// extensions.
type ManageablePeerIdentity struct {
	// PeerIdentity is embedded, so the identity's fields and methods
	// are available directly on the manageable identity.
	*PeerIdentity
	// CA is the authority whose key re-signs the leaf cert after changes
	// such as AddExtension.
	CA *FullCertificateAuthority
}
ManageablePeerIdentity is a `PeerIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization; e.g. adding extensions.
func NewManageablePeerIdentity ¶
func NewManageablePeerIdentity(ident *PeerIdentity, ca *FullCertificateAuthority) *ManageablePeerIdentity
NewManageablePeerIdentity returns a manageable identity given a peer identity and a full certificate authority.
func (*ManageablePeerIdentity) AddExtension ¶
func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extension) error
AddExtension adds extensions to the leaf cert of an identity. Extensions are serialized into the certificate's raw bytes and the cert is re-signed by its certificate authority.
type NewCAOptions ¶
// NewCAOptions is used to pass parameters to `NewCA` (and NewFullIdentity).
type NewCAOptions struct {
	// VersionNumber is the IDVersion to use for the identity
	VersionNumber storj.IDVersionNumber
	// Difficulty is the number of trailing zero-bits the nodeID must have
	Difficulty uint16
	// Concurrency is the number of go routines used to generate a CA of sufficient difficulty
	Concurrency uint
	// ParentCert, if provided will be prepended to the certificate chain
	ParentCert *x509.Certificate
	// ParentKey is the private key belonging to ParentCert.
	// NOTE(review): presumably used to sign the new CA cert when ParentCert
	// is set — confirm against NewCA.
	ParentKey crypto.PrivateKey
	// Logger is used to log generation status updates
	Logger io.Writer
}
NewCAOptions is used to pass parameters to `NewCA`
type PeerCAConfig ¶
// PeerCAConfig is for locating a CA certificate without a private key;
// Load reads it and Save/SaveBackup write it.
type PeerCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
}
PeerCAConfig is for locating a CA certificate without a private key
func (PeerCAConfig) Load ¶
func (pc PeerCAConfig) Load() (*PeerCertificateAuthority, error)
Load loads a CA from the given configuration
func (PeerCAConfig) Save ¶
func (pc PeerCAConfig) Save(ca *PeerCertificateAuthority) error
Save saves a peer CA (cert, no key) with the given configuration
func (PeerCAConfig) SaveBackup ¶
func (pc PeerCAConfig) SaveBackup(ca *PeerCertificateAuthority) error
SaveBackup saves the certificate of the config with a timestamped filename
type PeerCertificateAuthority ¶
// PeerCertificateAuthority represents the CA which is used to validate peer
// identities. It is the key-less counterpart of FullCertificateAuthority
// (see FullCertificateAuthority.PeerCA).
type PeerCertificateAuthority struct {
	// RestChain is the rest of the certificate chain, excluding Cert.
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
}
PeerCertificateAuthority represents the CA which is used to validate peer identities
func PeerCertificateAuthorityFromPEM ¶
func PeerCertificateAuthorityFromPEM(chainPEM []byte) (*PeerCertificateAuthority, error)
PeerCertificateAuthorityFromPEM loads a PeerCertificateAuthority from PEM-encoded certificate chain bytes.
type PeerConfig ¶
// PeerConfig allows you to interact with a peer identity (cert, no key) on
// disk; Load reads it and Save/SaveBackup write it.
type PeerConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true"`
}
PeerConfig allows you to interact with a peer identity (cert, no key) on disk.
func (PeerConfig) Load ¶
func (ic PeerConfig) Load() (*PeerIdentity, error)
Load loads a PeerIdentity from the config
func (PeerConfig) Save ¶
func (ic PeerConfig) Save(peerIdent *PeerIdentity) error
Save saves a PeerIdentity according to the config
func (PeerConfig) SaveBackup ¶
func (ic PeerConfig) SaveBackup(pi *PeerIdentity) error
SaveBackup saves the certificate of the config with a timestamped filename
type PeerIdentity ¶
// PeerIdentity represents another peer on the network. It carries the
// peer's certificate chain and ID but no private key; compare FullIdentity.
type PeerIdentity struct {
	// RestChain is the rest of the certificate chain, excluding Leaf and CA.
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
}
PeerIdentity represents another peer on the network.
func DecodePeerIdentity ¶ added in v0.17.0
func DecodePeerIdentity(ctx context.Context, chain []byte) (_ *PeerIdentity, err error)
DecodePeerIdentity decodes the bytes into a complete identity chain.
func PeerIdentityFromChain ¶ added in v0.9.0
func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)
PeerIdentityFromChain loads a PeerIdentity from an identity certificate chain.
func PeerIdentityFromContext ¶
func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)
PeerIdentityFromContext loads a PeerIdentity from the TLS credentials in ctx.
func PeerIdentityFromPEM ¶
func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)
PeerIdentityFromPEM loads a PeerIdentity from PEM-encoded certificate chain bytes.
func PeerIdentityFromPeer ¶
func PeerIdentityFromPeer(peer *peer.Peer) (*PeerIdentity, error)
PeerIdentityFromPeer loads a PeerIdentity from a peer connection.
type RevocationDB ¶
// RevocationDB stores the most recently seen revocation for each nodeID:
// the nodeID (CA certificate's public key hash) is the key and the value
// is the most recently seen revocation. Put only replaces an entry when
// the new revocation's timestamp is newer.
type RevocationDB struct {
	// DB is the key-value store backing the revocation records.
	DB storage.KeyValueStore
}
RevocationDB stores the most recently seen revocation for each nodeID (i.e. the nodeID [CA certificate's public key hash] is the key, and the value is the most recently seen revocation).
func NewRevocationDB ¶
func NewRevocationDB(revocationDBURL string) (*RevocationDB, error)
NewRevocationDB returns a new revocation database given the URL
func (RevocationDB) Get ¶
func (r RevocationDB) Get(ctx context.Context, chain []*x509.Certificate) (_ *extensions.Revocation, err error)
Get attempts to retrieve the most recent revocation for the given cert chain (the key used in the underlying database is the nodeID of the certificate chain).
func (RevocationDB) List ¶
func (r RevocationDB) List(ctx context.Context) (revs []*extensions.Revocation, err error)
List lists all revocations in the store
func (RevocationDB) Put ¶
func (r RevocationDB) Put(ctx context.Context, chain []*x509.Certificate, revExt pkix.Extension) (err error)
Put stores the most recent revocation for the given cert chain IF the timestamp is newer than the current value (the key used in the underlying database is the nodeID of the certificate chain).
type SetupConfig ¶
// SetupConfig allows you to run a set of Responsibilities with the given
// identity. You can also just load an Identity from disk. Create generates
// and saves the identity, Status reports which of its files already exist,
// and FullConfig yields the Config used to load it again.
type SetupConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert"`
	KeyPath string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key"`
	// Overwrite is a setup-only flag (setup:"true"); when set, an existing
	// identity cert and key at CertPath/KeyPath are replaced.
	Overwrite bool `help:"if true, existing identity certs AND keys will overwritten for" default:"false" setup:"true"`
	Version string `help:"semantic version of identity storage format" default:"0"`
}
SetupConfig allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.
func (SetupConfig) Create ¶
func (is SetupConfig) Create(ca *FullCertificateAuthority) (*FullIdentity, error)
Create generates and saves a FullIdentity using the config and the given CA
func (SetupConfig) FullConfig ¶
func (is SetupConfig) FullConfig() Config
FullConfig converts a `SetupConfig` to `Config`
func (SetupConfig) Status ¶
func (is SetupConfig) Status() (TLSFilesStatus, error)
Status returns the status of the identity cert/key files for the config
type TLSFilesStatus ¶
// TLSFilesStatus is the status of an identity's certificate and key files
// on disk; its values are NoCertNoKey, CertNoKey, NoCertKey and CertKey.
type TLSFilesStatus int
TLSFilesStatus is the status of an identity's certificate and key files
func (TLSFilesStatus) String ¶
func (t TLSFilesStatus) String() string