isle/go/nebula/nebula.go

158 lines
4.2 KiB
Go

// Package nebula contains helper functions and types which are useful for
// setting up nebula configs, processes, and deployments.
package nebula
import (
"fmt"
"net"
"time"
"github.com/slackhq/nebula/cert"
)
// HostPublicCredentials contains certificate and signing public keys which are
// able to be broadcast publicly.
type HostPublicCredentials struct {
Cert cert.NebulaCertificate
SigningKey SigningPublicKey
}
// HostPrivateCredentials contains the private key files which will
// need to be present on a particular host.
type HostPrivateCredentials struct {
EncryptingPrivateKey EncryptingPrivateKey
SigningPrivateKey SigningPrivateKey
}
// CAPublicCredentials contains certificate and signing public keys which are
// able to be broadcast publicly. The signing public key is the same one which
// is embedded into the certificate.
type CAPublicCredentials struct {
Cert cert.NebulaCertificate
SigningKey SigningPublicKey
}
// CACredentials contains the certificate and private files which can be used to
// create and validate HostCredentials. Each file is PEM encoded.
type CACredentials struct {
Public CAPublicCredentials
SigningPrivateKey SigningPrivateKey
}
// NewHostCert generates and signs a new host certificate containing the given
// public key.
func NewHostCert(
caCreds CACredentials,
hostPub EncryptingPublicKey,
hostName string,
ip net.IP,
) (
cert.NebulaCertificate, error,
) {
caCert := caCreds.Public.Cert
issuer, err := caCert.Sha256Sum()
if err != nil {
return cert.NebulaCertificate{}, fmt.Errorf("getting ca.crt issuer: %w", err)
}
expireAt := caCert.Details.NotAfter.Add(-1 * time.Second)
subnet := caCert.Details.Subnets[0]
if !subnet.Contains(ip) {
return cert.NebulaCertificate{}, fmt.Errorf("invalid ip %q, not contained by network subnet %q", ip, subnet)
}
hostCert := cert.NebulaCertificate{
Details: cert.NebulaCertificateDetails{
Name: hostName,
Ips: []*net.IPNet{{
IP: ip,
Mask: subnet.Mask,
}},
NotBefore: time.Now(),
NotAfter: expireAt,
PublicKey: hostPub.Bytes(),
IsCA: false,
Issuer: issuer,
},
}
if err := hostCert.CheckRootConstrains(&caCert); err != nil {
return cert.NebulaCertificate{}, fmt.Errorf("validating certificate constraints: %w", err)
}
if err := signCert(&hostCert, caCreds.SigningPrivateKey); err != nil {
return cert.NebulaCertificate{}, fmt.Errorf("signing host cert with ca.key: %w", err)
}
return hostCert, nil
}
// NewHostCredentials generates a new key/cert for a nebula host using the CA
// key which will be found in the adminFS.
func NewHostCredentials(
caCreds CACredentials, hostName string, ip net.IP,
) (
pub HostPublicCredentials, priv HostPrivateCredentials, err error,
) {
var (
encPrivKey = NewEncryptingPrivateKey()
encPubKey = encPrivKey.PublicKey()
signingPubKey, signingPrivKey = GenerateSigningPair()
)
hostCert, err := NewHostCert(caCreds, encPubKey, hostName, ip)
if err != nil {
err = fmt.Errorf("creating host certificate: %w", err)
return
}
pub = HostPublicCredentials{
Cert: hostCert,
SigningKey: signingPubKey,
}
priv = HostPrivateCredentials{
EncryptingPrivateKey: encPrivKey,
SigningPrivateKey: signingPrivKey,
}
return
}
// NewCACredentials generates a CACredentials. The domain should be the network's root domain,
// and is included in the signing certificate's Name field.
func NewCACredentials(domain string, subnet *net.IPNet) (CACredentials, error) {
var (
signingPubKey, signingPrivKey = GenerateSigningPair()
now = time.Now()
expireAt = now.Add(2 * 365 * 24 * time.Hour)
)
caCert := cert.NebulaCertificate{
Details: cert.NebulaCertificateDetails{
Name: fmt.Sprintf("%s isle root cert", domain),
Subnets: []*net.IPNet{subnet},
NotBefore: now,
NotAfter: expireAt,
PublicKey: signingPubKey,
IsCA: true,
},
}
if err := signCert(&caCert, signingPrivKey); err != nil {
return CACredentials{}, fmt.Errorf("signing caCert: %w", err)
}
return CACredentials{
Public: CAPublicCredentials{
Cert: caCert,
SigningKey: signingPubKey,
},
SigningPrivateKey: signingPrivKey,
}, nil
}