isle/entrypoint/src/nebula/nebula.go

// Package nebula contains helper functions and types which are useful for
// setting up nebula configs, processes, and deployments.
package nebula

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
	"net"
	"time"

	"github.com/slackhq/nebula/cert"
	"golang.org/x/crypto/curve25519"
)

// HostCert contains the certificate and private key files which will need to
// be present on a particular host. Each file is PEM encoded.
type HostCert struct {
	CACert   string
	HostKey  string
	HostCert string
}

// CACert contains the certificate and private files which can be used to create
// HostCerts. Each file is PEM encoded.
type CACert struct {
	CACert string
	CAKey  string
}

// NewHostCert generates a new key/cert for a nebula host using the CA key
// which will be found in the adminFS.
func NewHostCert(
	caCert CACert, hostName string, ip net.IP,
) (
	HostCert, error,
) {

	// The logic here is largely based on
	// https://github.com/slackhq/nebula/blob/v1.4.0/cmd/nebula-cert/sign.go

	caKey, _, err := cert.UnmarshalEd25519PrivateKey([]byte(caCert.CAKey))
	if err != nil {
		return HostCert{}, fmt.Errorf("unmarshaling ca.key: %w", err)
	}

	caCrt, _, err := cert.UnmarshalNebulaCertificateFromPEM([]byte(caCert.CACert))
	if err != nil {
		return HostCert{}, fmt.Errorf("unmarshaling ca.crt: %w", err)
	}

	issuer, err := caCrt.Sha256Sum()
	if err != nil {
		return HostCert{}, fmt.Errorf("getting ca.crt issuer: %w", err)
	}

	expireAt := caCrt.Details.NotAfter.Add(-1 * time.Second)

	subnet := caCrt.Details.Subnets[0]
	if !subnet.Contains(ip) {
		return HostCert{}, fmt.Errorf("invalid ip %q, not contained by network subnet %q", ip, subnet)
	}

	var hostPub, hostKey []byte
	{
		var pubkey, privkey [32]byte
		if _, err := io.ReadFull(rand.Reader, privkey[:]); err != nil {
			return HostCert{}, fmt.Errorf("reading random bytes to form private key: %w", err)
		}
		curve25519.ScalarBaseMult(&pubkey, &privkey)
		hostPub, hostKey = pubkey[:], privkey[:]
	}

	hostCrt := cert.NebulaCertificate{
		Details: cert.NebulaCertificateDetails{
			Name: hostName,
			Ips: []*net.IPNet{{
				IP:   ip,
				Mask: subnet.Mask,
			}},
			NotBefore: time.Now(),
			NotAfter:  expireAt,
			PublicKey: hostPub,
			IsCA:      false,
			Issuer:    issuer,
		},
	}

	if err := hostCrt.CheckRootConstrains(caCrt); err != nil {
		return HostCert{}, fmt.Errorf("validating certificate constraints: %w", err)
	}

	if err := hostCrt.Sign(caKey); err != nil {
		return HostCert{}, fmt.Errorf("signing host cert with ca.key: %w", err)
	}

	hostKeyPEM := cert.MarshalX25519PrivateKey(hostKey)

	hostCrtPEM, err := hostCrt.MarshalToPEM()
	if err != nil {
		return HostCert{}, fmt.Errorf("marshalling host.crt: %w", err)
	}

	return HostCert{
		CACert:   caCert.CACert,
		HostKey:  string(hostKeyPEM),
		HostCert: string(hostCrtPEM),
	}, nil
}

// NewCACert generates a CACert. The domain should be the network's root domain,
// and is included in the signing certificate's Name field.
func NewCACert(domain string, subnet *net.IPNet) (CACert, error) {

	pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(fmt.Errorf("generating ed25519 key: %w", err))
	}

	now := time.Now()
	expireAt := now.Add(2 * 365 * 24 * time.Hour)

	caCrt := cert.NebulaCertificate{
		Details: cert.NebulaCertificateDetails{
			Name:      fmt.Sprintf("%s cryptic-net root cert", domain),
			Subnets:   []*net.IPNet{subnet},
			NotBefore: now,
			NotAfter:  expireAt,
			PublicKey: pubKey,
			IsCA:      true,
		},
	}

	if err := caCrt.Sign(privKey); err != nil {
		return CACert{}, fmt.Errorf("signing caCrt: %w", err)
	}

	caKeyPEM := cert.MarshalEd25519PrivateKey(privKey)

	caCrtPem, err := caCrt.MarshalToPEM()
	if err != nil {
		return CACert{}, fmt.Errorf("marshaling caCrt: %w", err)
	}

	return CACert{
		CACert: string(caCrtPem),
		CAKey:  string(caKeyPEM),
	}, nil
}
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`// Package nebula contains helper functions and types which are useful for`
			`// setting up nebula configs, processes, and deployments.`
			`package nebula`

			`import (`
Implement creation of CACert 2022-10-15 11:14:38 +00:00			`"crypto/ed25519"`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`"crypto/rand"`
			`"fmt"`
			`"io"`
			`"net"`
			`"time"`

			`"github.com/slackhq/nebula/cert"`
			`"golang.org/x/crypto/curve25519"`
			`)`

			`// HostCert contains the certificate and private key files which will need to`
			`// be present on a particular host. Each file is PEM encoded.`
			`type HostCert struct {`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`CACert string`
			`HostKey string`
			`HostCert string`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`}`

Implement creation of CACert 2022-10-15 11:14:38 +00:00			`// CACert contains the certificate and private files which can be used to create`
			`// HostCerts. Each file is PEM encoded.`
			`type CACert struct {`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`CACert string`
			`CAKey string`
Implement creation of CACert 2022-10-15 11:14:38 +00:00			`}`

Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`// NewHostCert generates a new key/cert for a nebula host using the CA key`
			`// which will be found in the adminFS.`
			`func NewHostCert(`
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key. 2022-10-16 20:17:26 +00:00			`caCert CACert, hostName string, ip net.IP,`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`) (`
			`HostCert, error,`
			`) {`

			`// The logic here is largely based on`
			`// https://github.com/slackhq/nebula/blob/v1.4.0/cmd/nebula-cert/sign.go`

Basic implementation of the admin package 2022-10-16 14:39:05 +00:00			`caKey, _, err := cert.UnmarshalEd25519PrivateKey([]byte(caCert.CAKey))`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`if err != nil {`
			`return HostCert{}, fmt.Errorf("unmarshaling ca.key: %w", err)`
			`}`

Basic implementation of the admin package 2022-10-16 14:39:05 +00:00			`caCrt, _, err := cert.UnmarshalNebulaCertificateFromPEM([]byte(caCert.CACert))`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`if err != nil {`
			`return HostCert{}, fmt.Errorf("unmarshaling ca.crt: %w", err)`
			`}`

			`issuer, err := caCrt.Sha256Sum()`
			`if err != nil {`
			`return HostCert{}, fmt.Errorf("getting ca.crt issuer: %w", err)`
			`}`

			`expireAt := caCrt.Details.NotAfter.Add(-1 * time.Second)`

Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key. 2022-10-16 20:17:26 +00:00			`subnet := caCrt.Details.Subnets[0]`
			`if !subnet.Contains(ip) {`
			`return HostCert{}, fmt.Errorf("invalid ip %q, not contained by network subnet %q", ip, subnet)`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`}`

			`var hostPub, hostKey []byte`
			`{`
			`var pubkey, privkey [32]byte`
			`if _, err := io.ReadFull(rand.Reader, privkey[:]); err != nil {`
			`return HostCert{}, fmt.Errorf("reading random bytes to form private key: %w", err)`
			`}`
			`curve25519.ScalarBaseMult(&pubkey, &privkey)`
			`hostPub, hostKey = pubkey[:], privkey[:]`
			`}`

			`hostCrt := cert.NebulaCertificate{`
			`Details: cert.NebulaCertificateDetails{`
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key. 2022-10-16 20:17:26 +00:00			`Name: hostName,`
			`Ips: []*net.IPNet{{`
			`IP: ip,`
			`Mask: subnet.Mask,`
			`}},`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`NotBefore: time.Now(),`
			`NotAfter: expireAt,`
			`PublicKey: hostPub,`
			`IsCA: false,`
			`Issuer: issuer,`
			`},`
			`}`

			`if err := hostCrt.CheckRootConstrains(caCrt); err != nil {`
			`return HostCert{}, fmt.Errorf("validating certificate constraints: %w", err)`
			`}`

			`if err := hostCrt.Sign(caKey); err != nil {`
			`return HostCert{}, fmt.Errorf("signing host cert with ca.key: %w", err)`
			`}`

			`hostKeyPEM := cert.MarshalX25519PrivateKey(hostKey)`

			`hostCrtPEM, err := hostCrt.MarshalToPEM()`
			`if err != nil {`
			`return HostCert{}, fmt.Errorf("marshalling host.crt: %w", err)`
			`}`

			`return HostCert{`
Basic implementation of the admin package 2022-10-16 14:39:05 +00:00			`CACert: caCert.CACert,`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`HostKey: string(hostKeyPEM),`
			`HostCert: string(hostCrtPEM),`
Refactor how bootstrap files are created The new code makes it a lot clearer what the sources of each file/directory is, and makes it more difficult to forget to add a file or directory. This will be helpful when it comes to bootstrapping an entire network, which will require yet a third way of generating bootstrap files. 2022-10-11 19:24:53 +00:00			`}, nil`
			`}`
Implement creation of CACert 2022-10-15 11:14:38 +00:00
			`// NewCACert generates a CACert. The domain should be the network's root domain,`
			`// and is included in the signing certificate's Name field.`
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key. 2022-10-16 20:17:26 +00:00			`func NewCACert(domain string, subnet *net.IPNet) (CACert, error) {`
Implement creation of CACert 2022-10-15 11:14:38 +00:00
			`pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)`
			`if err != nil {`
			`panic(fmt.Errorf("generating ed25519 key: %w", err))`
			`}`

			`now := time.Now()`
			`expireAt := now.Add(2 * 365 * 24 * time.Hour)`

			`caCrt := cert.NebulaCertificate{`
			`Details: cert.NebulaCertificateDetails{`
			`Name: fmt.Sprintf("%s cryptic-net root cert", domain),`
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key. 2022-10-16 20:17:26 +00:00			`Subnets: []*net.IPNet{subnet},`
Implement creation of CACert 2022-10-15 11:14:38 +00:00			`NotBefore: now,`
			`NotAfter: expireAt,`
			`PublicKey: pubKey,`
			`IsCA: true,`
			`},`
			`}`

			`if err := caCrt.Sign(privKey); err != nil {`
			`return CACert{}, fmt.Errorf("signing caCrt: %w", err)`
			`}`

			`caKeyPEM := cert.MarshalEd25519PrivateKey(privKey)`

			`caCrtPem, err := caCrt.MarshalToPEM()`
			`if err != nil {`
			`return CACert{}, fmt.Errorf("marshaling caCrt: %w", err)`
			`}`

			`return CACert{`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`CACert: string(caCrtPem),`
			`CAKey: string(caKeyPEM),`
Implement creation of CACert 2022-10-15 11:14:38 +00:00			`}, nil`
			`}`