micropelago/isle
3
0
Fork 0
Code Issues 1 Pull Requests Projects Releases 5 Activity
56f796e3fb
isle/go/nebula/nebula.go

162 lines
4.2 KiB
Go
Raw Normal View History

Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
// Package nebula contains helper functions and types which are useful for
// setting up nebula configs, processes, and deployments.
package nebula
import (
"fmt"
"net"
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
"net/netip"
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
"time"
"github.com/slackhq/nebula/cert"
)
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
// HostPublicCredentials contains certificate and signing public keys which are
// able to be broadcast publicly.
type HostPublicCredentials struct {
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
Cert Certificate
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
SigningKey SigningPublicKey
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
// HostPrivateCredentials contains the private key files which will
// need to be present on a particular host.
type HostPrivateCredentials struct {
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
EncryptingPrivateKey EncryptingPrivateKey
SigningPrivateKey SigningPrivateKey
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
}
// CAPublicCredentials contains certificate and signing public keys which are
// able to be broadcast publicly. The signing public key is the same one which
// is embedded into the certificate.
type CAPublicCredentials struct {
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
Cert Certificate
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
SigningKey SigningPublicKey
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
}
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
// CACredentials contains the certificate and private files which can be used to
// create and validate HostCredentials. Each file is PEM encoded.
type CACredentials struct {
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
Public CAPublicCredentials
SigningPrivateKey SigningPrivateKey
Implement creation of CACert
2022-10-15 11:14:38 +00:00
}
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
// NewHostCert generates and signs a new host certificate containing the given
// public key.
func NewHostCert(
caCreds CACredentials,
hostPub EncryptingPublicKey,
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
hostName HostName,
ip netip.Addr,
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
) (
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
Certificate, error,
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
) {
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
var (
caCert = caCreds.Public.Cert
ipSlice = net.IP(ip.AsSlice())
)
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
issuer, err := caCert.inner.Sha256Sum()
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
if err != nil {
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
return Certificate{}, fmt.Errorf("getting ca.crt issuer: %w", err)
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
}
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
expireAt := caCert.inner.Details.NotAfter.Add(-1 * time.Second)
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
subnet := caCert.inner.Details.Subnets[0]
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
if !subnet.Contains(ipSlice) {
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
return Certificate{}, fmt.Errorf("invalid ip %q, not contained by network subnet %q", ip, subnet)
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
}
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
hostCert := cert.NebulaCertificate{
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
Details: cert.NebulaCertificateDetails{
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
Name: string(hostName),
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
Ips: []*net.IPNet{{
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
IP: ipSlice,
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
Mask: subnet.Mask,
}},
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
NotBefore: time.Now(),
NotAfter: expireAt,
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
PublicKey: hostPub.Bytes(),
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
IsCA: false,
Issuer: issuer,
},
}
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
if err := hostCert.CheckRootConstrains(&caCert.inner); err != nil {
return Certificate{}, fmt.Errorf("validating certificate constraints: %w", err)
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
if err := signCert(&hostCert, caCreds.SigningPrivateKey); err != nil {
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
return Certificate{}, fmt.Errorf("signing host cert with ca.key: %w", err)
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
}
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
return Certificate{hostCert}, nil
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
}
// NewHostCredentials generates a new key/cert for a nebula host using the CA
// key which will be found in the adminFS.
func NewHostCredentials(
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
caCreds CACredentials, hostName HostName, ip netip.Addr,
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
) (
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
pub HostPublicCredentials, priv HostPrivateCredentials, err error,
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
) {
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
var (
encPrivKey = NewEncryptingPrivateKey()
encPubKey = encPrivKey.PublicKey()
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
signingPubKey, signingPrivKey = GenerateSigningPair()
)
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
hostCert, err := NewHostCert(caCreds, encPubKey, hostName, ip)
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
if err != nil {
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
err = fmt.Errorf("creating host certificate: %w", err)
return
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
pub = HostPublicCredentials{
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
Cert: hostCert,
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
SigningKey: signingPubKey,
}
priv = HostPrivateCredentials{
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
EncryptingPrivateKey: encPrivKey,
SigningPrivateKey: signingPrivKey,
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
}
return
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files.
2022-10-11 19:24:53 +00:00
}
Implement creation of CACert
2022-10-15 11:14:38 +00:00
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
// NewCACredentials generates a CACredentials. The domain should be the network's root domain,
Implement creation of CACert
2022-10-15 11:14:38 +00:00
// and is included in the signing certificate's Name field.
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
func NewCACredentials(domain string, subnet IPNet) (CACredentials, error) {
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
var (
signingPubKey, signingPrivKey = GenerateSigningPair()
now = time.Now()
expireAt = now.Add(2 * 365 * 24 * time.Hour)
)
Implement creation of CACert
2022-10-15 11:14:38 +00:00
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
caCert := cert.NebulaCertificate{
Implement creation of CACert
2022-10-15 11:14:38 +00:00
Details: cert.NebulaCertificateDetails{
Perform all in-code renames which don't affect actual functionality
2023-08-05 21:53:17 +00:00
Name: fmt.Sprintf("%s isle root cert", domain),
Do proper type-based validation or hostnames and ipnets
2024-07-12 13:30:21 +00:00
Subnets: []*net.IPNet{(*net.IPNet)(&subnet)},
Implement creation of CACert
2022-10-15 11:14:38 +00:00
NotBefore: now,
NotAfter: expireAt,
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
PublicKey: signingPubKey,
Implement creation of CACert
2022-10-15 11:14:38 +00:00
IsCA: true,
},
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
if err := signCert(&caCert, signingPrivKey); err != nil {
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
return CACredentials{}, fmt.Errorf("signing caCert: %w", err)
Implement creation of CACert
2022-10-15 11:14:38 +00:00
}
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
return CACredentials{
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
Public: CAPublicCredentials{
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
Cert: Certificate{caCert},
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
SigningKey: signingPubKey,
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
},
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
SigningPrivateKey: signingPrivKey,
Implement creation of CACert
2022-10-15 11:14:38 +00:00
}, nil
}
Reference in New Issue Copy Permalink