172 lines
4.5 KiB
Go
172 lines
4.5 KiB
Go
// Package nebula contains helper functions and types which are useful for
|
|
// setting up nebula configs, processes, and deployments.
|
|
package nebula
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"net/netip"
|
|
"time"
|
|
|
|
"github.com/slackhq/nebula/cert"
|
|
)
|
|
|
|
// HostPublicCredentials contains certificate and signing public keys which are
|
|
// able to be broadcast publicly.
|
|
type HostPublicCredentials struct {
|
|
Cert Certificate
|
|
SigningKey SigningPublicKey
|
|
}
|
|
|
|
// HostPrivateCredentials contains the private key files which will
|
|
// need to be present on a particular host.
|
|
type HostPrivateCredentials struct {
|
|
EncryptingPrivateKey EncryptingPrivateKey
|
|
SigningPrivateKey SigningPrivateKey
|
|
}
|
|
|
|
// CAPublicCredentials contains certificate and signing public keys which are
|
|
// able to be broadcast publicly. The signing public key is the same one which
|
|
// is embedded into the certificate.
|
|
type CAPublicCredentials struct {
|
|
Cert Certificate
|
|
SigningKey SigningPublicKey
|
|
}
|
|
|
|
// CACredentials contains the certificate and private files which can be used to
|
|
// create and validate HostCredentials. Each file is PEM encoded.
|
|
type CACredentials struct {
|
|
Public CAPublicCredentials
|
|
SigningPrivateKey SigningPrivateKey
|
|
}
|
|
|
|
// NewHostCert generates and signs a new host certificate containing the given
|
|
// public key.
|
|
func NewHostCert(
|
|
caCreds CACredentials,
|
|
hostPub EncryptingPublicKey,
|
|
hostName HostName,
|
|
ip netip.Addr,
|
|
) (
|
|
Certificate, error,
|
|
) {
|
|
var (
|
|
caCert = caCreds.Public.Cert
|
|
ipSlice = net.IP(ip.AsSlice())
|
|
)
|
|
|
|
issuer, err := caCert.inner.Sha256Sum()
|
|
if err != nil {
|
|
return Certificate{}, fmt.Errorf("getting ca.crt issuer: %w", err)
|
|
}
|
|
|
|
expireAt := caCert.inner.Details.NotAfter.Add(-1 * time.Second)
|
|
|
|
subnet := caCert.inner.Details.Subnets[0]
|
|
if !subnet.Contains(ipSlice) {
|
|
return Certificate{}, fmt.Errorf("invalid ip %q, not contained by network subnet %q", ip, subnet)
|
|
}
|
|
|
|
hostCert := cert.NebulaCertificate{
|
|
Details: cert.NebulaCertificateDetails{
|
|
Name: string(hostName),
|
|
Ips: []*net.IPNet{{
|
|
IP: ipSlice,
|
|
Mask: subnet.Mask,
|
|
}},
|
|
NotBefore: time.Now(),
|
|
NotAfter: expireAt,
|
|
PublicKey: hostPub.Bytes(),
|
|
IsCA: false,
|
|
Issuer: issuer,
|
|
},
|
|
}
|
|
|
|
if err := hostCert.CheckRootConstrains(&caCert.inner); err != nil {
|
|
return Certificate{}, fmt.Errorf("validating certificate constraints: %w", err)
|
|
}
|
|
|
|
if err := signCert(&hostCert, caCreds.SigningPrivateKey); err != nil {
|
|
return Certificate{}, fmt.Errorf("signing host cert with ca.key: %w", err)
|
|
}
|
|
|
|
c, err := NewCertificate(hostCert)
|
|
if err != nil {
|
|
return Certificate{}, fmt.Errorf("wrapping cert: %w", err)
|
|
}
|
|
|
|
return c, nil
|
|
}
|
|
|
|
// NewHostCredentials generates a new key/cert for a nebula host using the CA
|
|
// key which will be found in the adminFS.
|
|
func NewHostCredentials(
|
|
caCreds CACredentials, hostName HostName, ip netip.Addr,
|
|
) (
|
|
pub HostPublicCredentials, priv HostPrivateCredentials, err error,
|
|
) {
|
|
|
|
var (
|
|
encPrivKey = NewEncryptingPrivateKey()
|
|
encPubKey = encPrivKey.PublicKey()
|
|
|
|
signingPubKey, signingPrivKey = GenerateSigningPair()
|
|
)
|
|
|
|
hostCert, err := NewHostCert(caCreds, encPubKey, hostName, ip)
|
|
if err != nil {
|
|
err = fmt.Errorf("creating host certificate: %w", err)
|
|
return
|
|
}
|
|
|
|
pub = HostPublicCredentials{
|
|
Cert: hostCert,
|
|
SigningKey: signingPubKey,
|
|
}
|
|
|
|
priv = HostPrivateCredentials{
|
|
EncryptingPrivateKey: encPrivKey,
|
|
SigningPrivateKey: signingPrivKey,
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// NewCACredentials generates a CACredentials. The domain should be the network's root domain,
|
|
// and is included in the signing certificate's Name field.
|
|
func NewCACredentials(domain string, subnet IPNet) (CACredentials, error) {
|
|
var (
|
|
signingPubKey, signingPrivKey = GenerateSigningPair()
|
|
now = time.Now()
|
|
expireAt = now.Add(2 * 365 * 24 * time.Hour)
|
|
)
|
|
|
|
caCertInner := cert.NebulaCertificate{
|
|
Details: cert.NebulaCertificateDetails{
|
|
Name: fmt.Sprintf("%s isle root cert", domain),
|
|
Subnets: []*net.IPNet{(*net.IPNet)(&subnet)},
|
|
NotBefore: now,
|
|
NotAfter: expireAt,
|
|
PublicKey: signingPubKey,
|
|
IsCA: true,
|
|
},
|
|
}
|
|
|
|
if err := signCert(&caCertInner, signingPrivKey); err != nil {
|
|
return CACredentials{}, fmt.Errorf("signing caCert: %w", err)
|
|
}
|
|
|
|
caCert, err := NewCertificate(caCertInner)
|
|
if err != nil {
|
|
return CACredentials{}, fmt.Errorf("wrapping caCert: %w", err)
|
|
}
|
|
|
|
return CACredentials{
|
|
Public: CAPublicCredentials{
|
|
Cert: caCert,
|
|
SigningKey: signingPubKey,
|
|
},
|
|
SigningPrivateKey: signingPrivKey,
|
|
}, nil
|
|
}
|