security

package v0.0.21

This package is not in the latest version of its module.

Published: Jan 2, 2026 License: Apache-2.0 Imports: 40 Imported by: 3

Documentation

Overview

Package security provides authentication and encryption protocols for CEDAR streams.

This package implements HTCondor's security methods including SSL, SCITOKENS, and IDTOKENS authentication.

Package security provides FS and CLAIMTOBE authentication implementation for CEDAR streams.

This file implements HTCondor's FS (filesystem) and CLAIMTOBE authentication methods as documented in condor_auth_fs.cpp and condor_auth_claim.cpp.

Package security provides SCITOKENS authentication implementation for CEDAR streams using SSL + SciToken exchange.

This file implements HTCondor's SCITOKENS authentication method based on SSL authentication followed by SciToken verification as documented in HTCondor's condor_auth_ssl.cpp.

Package security provides SSL authentication implementation for the HTCondor CEDAR protocol.

Package security provides TOKEN/IDTOKENS authentication implementation for CEDAR streams using the AKEP2 protocol.

This file implements HTCondor's TOKEN authentication method based on JWT tokens and the AKEP2 (Authenticated Key Exchange Protocol 2) as documented in HTCondor's condor_auth_passwd.cpp.

Index

Constants

const (
	AuthBitmaskNone      = 0    // CAUTH_NONE
	AuthBitmaskAny       = 1    // CAUTH_ANY
	AuthBitmaskClaimToBe = 2    // CAUTH_CLAIMTOBE
	AuthBitmaskFS        = 4    // CAUTH_FILESYSTEM
	AuthBitmaskFSRemote  = 8    // CAUTH_FILESYSTEM_REMOTE
	AuthBitmaskNTSSPI    = 16   // CAUTH_NTSSPI
	AuthBitmaskGSI       = 32   // CAUTH_GSI
	AuthBitmaskKerberos  = 64   // CAUTH_KERBEROS
	AuthBitmaskAnonymous = 128  // CAUTH_ANONYMOUS
	AuthBitmaskSSL       = 256  // CAUTH_SSL
	AuthBitmaskPassword  = 512  // CAUTH_PASSWORD
	AuthBitmaskMunge     = 1024 // CAUTH_MUNGE
	AuthBitmaskToken     = 2048 // CAUTH_TOKEN
	AuthBitmaskSciTokens = 4096 // CAUTH_SCITOKENS
)

Authentication method bitmasks for the authentication handshake. These values must match HTCondor's condor_auth.h CAUTH_* constants.

const (
	// Maximum sizes for DoS protection
	MaxDirPathSize  = 4096 // 4KB max for directory paths
	MaxUsernameSize = 1024 // 1KB max for usernames
)

const (
	// ENV_CONDOR_INHERIT contains parent process information and inherited sockets
	EnvCondorInherit = "CONDOR_INHERIT"
	// ENV_CONDOR_PRIVATE_INHERIT contains security session keys
	EnvCondorPrivateInherit = "CONDOR_PRIVATE_INHERIT"
	// ENV_CONDOR_PARENT_ID contains the parent's unique ID
	EnvCondorParentID = "CONDOR_PARENT_ID"
)

Environment variable names used by HTCondor for passing session information

const (
	AuthSSLOK        = 0
	AuthSSLSending   = 1
	AuthSSLReceiving = 2
	AuthSSLQuitting  = 3
	AuthSSLHolding   = 4
	AuthSSLError     = -1

	// Session key length for symmetric encryption after SSL handshake
	AuthSSLSessionKeyLen = 256
)

SSL authentication state constants matching HTCondor's implementation

const (
	AUTH_PW_A_OK          = 0     // Authentication OK status
	AUTH_PW_ERROR         = -1    // Authentication error status
	AUTH_PW_ABORT         = 1     // Authentication abort status
	AUTH_PW_KEY_LEN       = 256   // Maximum key length in bytes
	AUTH_PW_MAX_NAME_LEN  = 1024  // Maximum length for client/server IDs
	AUTH_PW_MAX_TOKEN_LEN = 65536 // Maximum token length (64KB)
)

AUTH_PW protocol constants matching HTCondor

const (
	TokenKeyLength = 32 // 256-bit key length
)

AKEP2 protocol constants for TOKEN authentication

Variables

var ErrNetwork = errors.New("network communication error")

ErrNetwork is a singleton error used to wrap network/communication errors from Message Put/Get operations.

Functions

func ClearSessionCache

func ClearSessionCache()

ClearSessionCache removes all sessions from the global cache

func ConvertJWKToPublicKey

func ConvertJWKToPublicKey(jwk *JWK) (interface{}, error)

ConvertJWKToPublicKey converts a JWK to a public key for verification

func ExportClaimID

func ExportClaimID(sessionID, sessionInfo, sessionKey string) string

ExportClaimID creates a claim ID string from session components. This is the inverse of ParseClaimID.

func GenerateJWT

func GenerateJWT(keyDir, keyID, subject, issuer string, issuedAt, expiration int64, authzLimits []string) (string, error)

GenerateJWT generates a JWT token signed with the specified key. Parameters:

  • keyDir: Directory containing signing keys
  • keyID: Name of the key file (used as kid in JWT header)
  • subject: Subject claim (sub) - username
  • issuer: Issuer claim (iss) - trust domain
  • issuedAt: Issued at time (iat)
  • expiration: Expiration time (exp)
  • authzLimits: Optional list of authorization limits (e.g., ["READ", "WRITE"]) encoded as scopes

Returns the JWT token string in format: header.payload.signature

func GeneratePoolSigningKey

func GeneratePoolSigningKey(keyFile string) error

GeneratePoolSigningKey generates a pool signing key and writes it to the specified file

func GenerateSecuritySessionKey

func GenerateSecuritySessionKey() (string, error)

GenerateSecuritySessionKey generates a random session key suitable for use in a claim ID

func GenerateSessionID

func GenerateSessionID(counter int) string

GenerateSessionID generates a unique session ID. Format: hostname:pid:timestamp:counter

func GenerateSigningKey

func GenerateSigningKey(keyFile string) error

GenerateSigningKey generates a signing key and writes it to the specified file. The key is scrambled using HTCondor's simple_scramble (XOR with 0xdeadbeef).

func GenerateTestCA

func GenerateTestCA(certFile, keyFile string) error

GenerateTestCA generates a self-signed CA certificate and private key

func GenerateTestHostCert

func GenerateTestHostCert(certFile, keyFile, caCertFile, caKeyFile, hostname string) error

GenerateTestHostCert generates a host certificate signed by the CA

func GenerateTestJWT

func GenerateTestJWT(keyDir, keyID, subject, issuer string, validDuration time.Duration, authzLimits []string) (string, error)

GenerateTestJWT is a convenience function that generates a signing key and JWT for testing. Parameters are simplified for common test scenarios.

func GetFamilySessionID

func GetFamilySessionID() string

GetFamilySessionID returns the session ID of the family session, if one was inherited

func GetInheritedParentAddr

func GetInheritedParentAddr() string

GetInheritedParentAddr returns the parent daemon's address from CONDOR_INHERIT

func GetInheritedParentPID

func GetInheritedParentPID() int

GetInheritedParentPID returns the parent daemon's PID from CONDOR_INHERIT

func GetNextSessionCounter

func GetNextSessionCounter() int

GetNextSessionCounter returns the next session counter value

func GetParentSessionID

func GetParentSessionID() string

GetParentSessionID returns the session ID of the parent session, if one was inherited

func ImportSessionInfoAttributes

func ImportSessionInfoAttributes(sessionInfo string) (map[string]string, error)

ImportSessionInfoAttributes parses a session info string and extracts its attributes. Session info format: [Attr1="value1";Attr2="value2";...]

func InvalidateExpiredSessions

func InvalidateExpiredSessions() int

InvalidateExpiredSessions removes all expired sessions from the global cache

func InvalidateSession

func InvalidateSession(sessionID string) bool

InvalidateSession removes a session from the global cache

func IsSciToken

func IsSciToken(tokenStr string) bool

IsSciToken determines whether a JWT token is a SciToken by checking its signature algorithm. SciTokens use asymmetric signatures (RS*, ES*, PS*), not HMAC (HS*).

func IsSessionResumptionError

func IsSessionResumptionError(err error) bool

IsSessionResumptionError checks if an error is a SessionResumptionError

func ParseCondorInherit

func ParseCondorInherit(inherit string) (ppid int, parentAddr string, remaining []string)

ParseCondorInherit parses the CONDOR_INHERIT environment variable. Format: ppid psinful [socket_info...] [remaining_items...]

Types

type AuthMethod

type AuthMethod string

AuthMethod represents different authentication methods supported by HTCondor

const (
	AuthSSL       AuthMethod = "SSL"
	AuthSciTokens AuthMethod = "SCITOKENS"
	AuthIDTokens  AuthMethod = "IDTOKENS"
	AuthToken     AuthMethod = "TOKEN"
	AuthFS        AuthMethod = "FS"
	AuthClaimToBe AuthMethod = "CLAIMTOBE"
	AuthPassword  AuthMethod = "PASSWORD"
	AuthKerberos  AuthMethod = "KERBEROS"
	AuthNone      AuthMethod = "NONE"
)

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator handles the security handshake for a stream

func NewAuthenticator

func NewAuthenticator(config *SecurityConfig, s *stream.Stream) *Authenticator

NewAuthenticator creates a new authenticator with the given config and stream

func (*Authenticator) ClientHandshake

func (a *Authenticator) ClientHandshake(ctx context.Context) (*SecurityNegotiation, error)

ClientHandshake performs the client-side security handshake. This sends a single message with the DC_AUTHENTICATE command followed by the client security ClassAd.

func (*Authenticator) PerformTokenAuthenticationDemo

func (a *Authenticator) PerformTokenAuthenticationDemo(method AuthMethod, negotiation *SecurityNegotiation) error

PerformTokenAuthenticationDemo is a simple wrapper for demonstration purposes

func (*Authenticator) ServerHandshake

func (a *Authenticator) ServerHandshake(ctx context.Context) (*SecurityNegotiation, error)

ServerHandshake performs the server-side security handshake. This receives a single message with the DC_AUTHENTICATE command and the client ClassAd, then responds.

func (*Authenticator) WasSessionResumed

func (a *Authenticator) WasSessionResumed() bool

WasSessionResumed returns true if the session was resumed from cache

type CEDARTLSConnection

type CEDARTLSConnection struct {
	// contains filtered or unexported fields
}

CEDARTLSConnection implements net.Conn for TLS over CEDAR messages

func (*CEDARTLSConnection) Close

func (c *CEDARTLSConnection) Close() error

func (*CEDARTLSConnection) LocalAddr

func (c *CEDARTLSConnection) LocalAddr() net.Addr

func (*CEDARTLSConnection) Read

func (c *CEDARTLSConnection) Read(b []byte) (int, error)

func (*CEDARTLSConnection) RemoteAddr

func (c *CEDARTLSConnection) RemoteAddr() net.Addr

func (*CEDARTLSConnection) SetDeadline

func (c *CEDARTLSConnection) SetDeadline(t time.Time) error

func (*CEDARTLSConnection) SetReadDeadline

func (c *CEDARTLSConnection) SetReadDeadline(t time.Time) error

func (*CEDARTLSConnection) SetWriteDeadline

func (c *CEDARTLSConnection) SetWriteDeadline(t time.Time) error

func (*CEDARTLSConnection) Write

func (c *CEDARTLSConnection) Write(b []byte) (int, error)

type ClaimID

type ClaimID struct {
	// contains filtered or unexported fields
}

ClaimID represents a parsed HTCondor claim ID. Format: session_id#session_info#session_key

func ParseClaimID

func ParseClaimID(claimID string) *ClaimID

ParseClaimID parses an HTCondor claim ID string. Format: session_id#session_info#session_key

func (*ClaimID) PublicClaimID

func (c *ClaimID) PublicClaimID() string

PublicClaimID returns a version of the claim ID safe for logging (without the key)

func (*ClaimID) Raw

func (c *ClaimID) Raw() string

Raw returns the original claim ID string

func (*ClaimID) SecSessionID

func (c *ClaimID) SecSessionID() string

SecSessionID returns the session ID. This matches ClaimIdParser::secSessionId() in HTCondor.

func (*ClaimID) SecSessionInfo

func (c *ClaimID) SecSessionInfo() string

SecSessionInfo returns the session info (exported attributes)

func (*ClaimID) SecSessionKey

func (c *ClaimID) SecSessionKey() string

SecSessionKey returns the session key

type CryptoMethod

type CryptoMethod string

CryptoMethod represents different encryption methods supported by HTCondor

const (
	CryptoAES      CryptoMethod = "AES"
	CryptoBlowfish CryptoMethod = "BLOWFISH"
	Crypto3DES     CryptoMethod = "3DES"
)

type InheritedSession

type InheritedSession struct {
	// Type indicates whether this is a normal or family session
	Type InheritedSessionType

	// SessionID is the unique identifier for this session
	SessionID string

	// SessionInfo contains exported session attributes (ClassAd format)
	SessionInfo string

	// SessionKey is the raw key material for this session
	SessionKey string

	// ParentAddr is the sinful string of the parent daemon (from CONDOR_INHERIT)
	ParentAddr string

	// ParentPID is the process ID of the parent daemon
	ParentPID int
}

InheritedSession represents a security session passed from a parent daemon

func GetInheritedSessions

func GetInheritedSessions() []*InheritedSession

GetInheritedSessions returns the list of imported inherited sessions

func ImportInheritedSessions

func ImportInheritedSessions() ([]*InheritedSession, error)

ImportInheritedSessions imports security sessions from environment variables. This should be called early in daemon initialization.

func LookupInheritedSession

func LookupInheritedSession(sessionID string) *InheritedSession

LookupInheritedSession looks up an inherited session by ID

func ParseCondorPrivateInherit

func ParseCondorPrivateInherit(privateInherit string) (sessions []*InheritedSession)

ParseCondorPrivateInherit parses the CONDOR_PRIVATE_INHERIT environment variable. Format: space-separated items like "SessionKey:<claim_id>" and "FamilySessionKey:<claim_id>"
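The three formats documented above (the CONDOR_PRIVATE_INHERIT item list here, the claim ID at ParseClaimID, and the session info attribute list at ImportSessionInfoAttributes) parsed together, as an added example that is not this package's code; the inheritedClaim type, the helper names and the sample value are assumptions constructed for the example. It also applies the idea behind PublicClaimID: the key field is dropped before anything is logged, and error messages never echo a claim ID.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// inheritedClaim is a constructed type for this example, not the package's InheritedSession.
type inheritedClaim struct {
	Family      bool   // true for FamilySessionKey items
	SessionID   string // hostname:pid:timestamp:counter
	SessionInfo string // exported attributes, [Attr="value";...]
	SessionKey  string // secret key material: never log or echo it
}

// splitClaimID splits "session_id#session_info#session_key". The session ID contains ':'
// but never '#', so the first two '#' delimit the fields. The error does not quote the input.
func splitClaimID(claim string) (id, info, key string, err error) {
	parts := strings.SplitN(claim, "#", 3)
	if len(parts) != 3 || parts[0] == "" || parts[2] == "" {
		return "", "", "", errors.New("claim ID must be session_id#session_info#session_key")
	}
	return parts[0], parts[1], parts[2], nil
}

// publicClaimID drops the key field, giving a form safe for logs (the idea behind PublicClaimID).
func publicClaimID(claim string) string {
	id, info, _, err := splitClaimID(claim)
	if err != nil {
		return "<malformed claim id>"
	}
	return id + "#" + info
}

// parseSessionInfo parses the [Attr1="value1";Attr2="value2";...] form.
// Assumption for this example: attribute values do not themselves contain ';'.
func parseSessionInfo(info string) (map[string]string, error) {
	attrs := map[string]string{}
	if info != "" && (!strings.HasPrefix(info, "[") || !strings.HasSuffix(info, "]")) {
		return nil, errors.New("session info must be enclosed in [ ]")
	}
	for _, item := range strings.Split(strings.Trim(info, "[]"), ";") {
		if strings.TrimSpace(item) == "" {
			continue // tolerate an empty "[]" or a trailing ';'
		}
		name, value, ok := strings.Cut(item, "=")
		if name = strings.TrimSpace(name); !ok || name == "" {
			return nil, fmt.Errorf("malformed session info attribute %q", item)
		}
		attrs[name] = strings.Trim(strings.TrimSpace(value), `"`)
	}
	return attrs, nil
}

// parsePrivateInherit parses CONDOR_PRIVATE_INHERIT: space-separated "SessionKey:<claim_id>"
// and "FamilySessionKey:<claim_id>" items (other kinds are skipped). Cutting at the first ':'
// is safe because the session_id's own ':' characters all lie after the item kind.
func parsePrivateInherit(env string) ([]inheritedClaim, error) {
	var out []inheritedClaim
	for _, item := range strings.Fields(env) {
		kind, claim, _ := strings.Cut(item, ":")
		if kind != "SessionKey" && kind != "FamilySessionKey" {
			continue
		}
		id, info, key, err := splitClaimID(claim)
		if err != nil {
			return nil, fmt.Errorf("%s item: %w", kind, err)
		}
		out = append(out, inheritedClaim{Family: kind == "FamilySessionKey",
			SessionID: id, SessionInfo: info, SessionKey: key})
	}
	return out, nil
}

func main() {
	env := `SessionKey:host.example.org:1234:1700000000:1#[Enc="YES";Crypto="AES"]#secret-key-1` // constructed sample
	sessions, err := parsePrivateInherit(env)
	fmt.Println(len(sessions), err, publicClaimID(strings.TrimPrefix(env, "SessionKey:")))
}
```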

type InheritedSessionType

type InheritedSessionType int

InheritedSessionType indicates the type of inherited session

const (
	// SessionTypeNormal is a regular session for parent-child communication
	SessionTypeNormal InheritedSessionType = iota
	// SessionTypeFamily is a "family" session for sibling daemon communication
	SessionTypeFamily
)

type JWK

type JWK struct {
	Kty string `json:"kty"`           // Key type (RSA, EC, etc.)
	Kid string `json:"kid"`           // Key ID
	Use string `json:"use"`           // Key use (sig, enc)
	Alg string `json:"alg"`           // Algorithm
	N   string `json:"n,omitempty"`   // RSA modulus
	E   string `json:"e,omitempty"`   // RSA exponent
	X   string `json:"x,omitempty"`   // EC X coordinate
	Y   string `json:"y,omitempty"`   // EC Y coordinate
	Crv string `json:"crv,omitempty"` // EC curve name
}

JWK represents a JSON Web Key

type JWKS

type JWKS struct {
	Keys []JWK `json:"keys"`
}

JWKS represents a JSON Web Key Set

func FetchJWKS

func FetchJWKS(jwksURI string) (*JWKS, error)

FetchJWKS fetches the JSON Web Key Set from the JWKS URI

type KeyInfo

type KeyInfo struct {
	Data     []byte
	Protocol string // "AESGCM", "BLOWFISH", "3DES", etc.
}

KeyInfo represents a cryptographic key with metadata

type OIDCConfiguration

type OIDCConfiguration struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

OIDCConfiguration represents the OIDC discovery document

func DiscoverOIDCConfiguration

func DiscoverOIDCConfiguration(issuer string) (*OIDCConfiguration, error)

DiscoverOIDCConfiguration fetches the OIDC configuration from the issuer

type SSLAuthenticator

type SSLAuthenticator struct {
	// contains filtered or unexported fields
}

SSLAuthenticator handles SSL certificate-based authentication following HTCondor's protocol

func NewSSLAuthenticator

func NewSSLAuthenticator(auth *Authenticator) *SSLAuthenticator

NewSSLAuthenticator creates a new SSL authenticator following HTCondor's implementation

func (*SSLAuthenticator) GetSessionKey

func (ssl *SSLAuthenticator) GetSessionKey() []byte

GetSessionKey returns the SSL session key for stream encryption

func (*SSLAuthenticator) PerformSSLHandshake

func (ssl *SSLAuthenticator) PerformSSLHandshake(ctx context.Context, negotiation *SecurityNegotiation) error

PerformSSLHandshake performs the complete SSL authentication handshake following HTCondor's protocol

type SciTokenClaims

type SciTokenClaims struct {
	Subject   string   `json:"sub"`
	Issuer    string   `json:"iss"`
	Scope     string   `json:"scope,omitempty"`
	Audience  []string `json:"aud,omitempty"`
	ExpiresAt int64    `json:"exp"`
	IssuedAt  int64    `json:"iat"`
	NotBefore int64    `json:"nbf,omitempty"`
	JWTID     string   `json:"jti,omitempty"`
	jwt.RegisteredClaims
}

SciTokenClaims represents the claims in a SciToken JWT

func VerifySciToken

func VerifySciToken(tokenStr string) (*SciTokenClaims, error)

VerifySciToken verifies a SciToken's signature using OIDC discovery. Returns the validated claims if successful.

type SecurityConfig

type SecurityConfig struct {
	// Peer name; used by client to recall the server name
	PeerName string

	// Authentication settings
	AuthMethods    []AuthMethod
	Authentication SecurityLevel

	// Encryption settings
	CryptoMethods []CryptoMethod
	Encryption    SecurityLevel
	Integrity     SecurityLevel

	// Certificate/Key files for SSL
	CertFile string
	KeyFile  string
	CAFile   string
	// Server name for SSL certificate verification (optional, defaults to hostname)
	ServerName string

	// Token content for TOKEN authentication (JWT string)
	Token string
	// Token file for TOKEN authentication
	TokenFile string
	// Token directory for discovering multiple tokens (default: ~/.condor/tokens.d)
	TokenDir string

	// Token signing key configuration (server-side)
	// Path to pool signing key file (SEC_TOKEN_POOL_SIGNING_KEY_FILE)
	TokenPoolSigningKeyFile string
	// Directory containing named signing keys (SEC_PASSWORD_DIRECTORY)
	TokenSigningKeyDir string
	// Maximum token age in seconds (SEC_TOKEN_MAX_AGE)
	TokenMaxAge int
	// List of issuer key names accepted by server (from IssuerKeys ClassAd attribute)
	IssuerKeys []string

	// Other settings
	RemoteVersion   string
	TrustDomain     string
	Subsystem       string
	ServerPid       int
	SessionDuration int
	SessionLease    int

	// Command for this session (what the client intends to do)
	Command int

	// AuthCommand specifies a sub-command for the security handshake (optional)
	// For example, when Command is DC_SEC_QUERY (60040), AuthCommand might be
	// DC_NOP_WRITE (60021) to specify the actual operation being authorized.
	// If not set (0), only Command will be sent in the handshake.
	AuthCommand int

	// ECDH key exchange
	ECDHPublicKey string

	// Security tag; used to select specific credentials from the
	// session cache
	SecurityTag string

	// Session cache (optional, if provided will be used instead of global cache)
	SessionCache *SessionCache
}

SecurityConfig holds configuration for stream security

type SecurityLevel

type SecurityLevel string

SecurityLevel represents security requirement levels

const (
	SecurityRequired  SecurityLevel = "REQUIRED"
	SecurityPreferred SecurityLevel = "PREFERRED"
	SecurityOptional  SecurityLevel = "OPTIONAL"
	SecurityNever     SecurityLevel = "NEVER"
)

type SecurityManager

type SecurityManager struct {
	// contains filtered or unexported fields
}

SecurityManager provides a high-level interface for security operations

func NewSecurityManager

func NewSecurityManager() *SecurityManager

NewSecurityManager creates a new security manager with default configuration

func (*SecurityManager) ClientHandshake

func (sm *SecurityManager) ClientHandshake(ctx context.Context, s *stream.Stream) error

ClientHandshake performs a client-side security handshake on the given stream

func (*SecurityManager) ServerHandshake

func (sm *SecurityManager) ServerHandshake(ctx context.Context, s *stream.Stream) error

ServerHandshake performs a server-side security handshake on the given stream

type SecurityNegotiation

type SecurityNegotiation struct {
	Command          int
	ClientConfig     *SecurityConfig
	ServerConfig     *SecurityConfig
	NegotiatedAuth   AuthMethod
	NegotiatedCrypto CryptoMethod

	Enact          bool
	Authentication bool
	Encryption     bool
	IsClient       bool
	SessionResumed bool // Indicates if this session was resumed from cache
	// Session information from post-auth ClassAd
	SessionId     string
	User          string
	ValidCommands string
	// contains filtered or unexported fields
}

SecurityNegotiation represents the security negotiation state

func (*SecurityNegotiation) GetSharedSecret

func (sn *SecurityNegotiation) GetSharedSecret() []byte

GetSharedSecret returns the shared secret (read-only access)

type SessionCache

type SessionCache struct {
	// contains filtered or unexported fields
}

SessionCache manages cached security sessions

func GetSessionCache

func GetSessionCache() *SessionCache

GetSessionCache returns the global session cache, initializing it if necessary. On first access, this also imports any inherited sessions from the parent daemon (via CONDOR_PRIVATE_INHERIT environment variable).

func NewSessionCache

func NewSessionCache() *SessionCache

NewSessionCache creates a new session cache

func (*SessionCache) Clear

func (c *SessionCache) Clear()

Clear removes all sessions from the cache

func (*SessionCache) DebugDump

func (c *SessionCache) DebugDump() string

DebugDump returns a human-readable snapshot of the session cache for troubleshooting.

func (*SessionCache) Invalidate

func (c *SessionCache) Invalidate(id string) bool

Invalidate removes a session from the cache

func (*SessionCache) InvalidateExpired

func (c *SessionCache) InvalidateExpired() int

InvalidateExpired removes all expired sessions from the cache

func (*SessionCache) Lookup

func (c *SessionCache) Lookup(id string) (*SessionEntry, bool)

Lookup retrieves a session by ID

func (*SessionCache) LookupByCommand

func (c *SessionCache) LookupByCommand(tag, addr, command string) (*SessionEntry, bool)

LookupByCommand finds a session for a specific command to an address

func (*SessionCache) LookupNonExpired

func (c *SessionCache) LookupNonExpired(id string) (*SessionEntry, bool)

LookupNonExpired retrieves a non-expired session by ID

func (*SessionCache) MapCommand

func (c *SessionCache) MapCommand(tag, addr, command, sessionID string)

MapCommand maps a command to a session ID

func (*SessionCache) Size

func (c *SessionCache) Size() int

Size returns the number of sessions in the cache

func (*SessionCache) Store

func (c *SessionCache) Store(entry *SessionEntry)

Store adds or updates a session in the cache

type SessionEntry

type SessionEntry struct {
	// contains filtered or unexported fields
}

SessionEntry represents a cached security session

func CreateNonNegotiatedSession

func CreateNonNegotiatedSession(session *InheritedSession, peerAddr string) (*SessionEntry, error)

CreateNonNegotiatedSession creates a session entry from inherited session data. This is equivalent to SecMan::CreateNonNegotiatedSecuritySession in HTCondor.

func NewSessionEntry

func NewSessionEntry(id, addr string, keyInfo *KeyInfo, policy *classad.ClassAd, expiration time.Time, lease time.Duration, tag string) *SessionEntry

NewSessionEntry creates a new session cache entry

func (*SessionEntry) Addr

func (s *SessionEntry) Addr() string

Addr returns the remote address

func (*SessionEntry) Expiration

func (s *SessionEntry) Expiration() time.Time

Expiration returns the expiration time

func (*SessionEntry) ID

func (s *SessionEntry) ID() string

ID returns the session ID

func (*SessionEntry) IsExpired

func (s *SessionEntry) IsExpired() bool

IsExpired checks if the session has expired

func (*SessionEntry) KeyInfo

func (s *SessionEntry) KeyInfo() *KeyInfo

KeyInfo returns the session key

func (*SessionEntry) LastPeerVersion

func (s *SessionEntry) LastPeerVersion() string

LastPeerVersion returns the last known peer version

func (*SessionEntry) Lease

func (s *SessionEntry) Lease() time.Duration

Lease returns the lease duration

func (*SessionEntry) Policy

func (s *SessionEntry) Policy() *classad.ClassAd

Policy returns the security policy

func (*SessionEntry) RenewLease

func (s *SessionEntry) RenewLease()

RenewLease renews the session lease

func (*SessionEntry) SetLastPeerVersion

func (s *SessionEntry) SetLastPeerVersion(version string)

SetLastPeerVersion sets the last peer version

func (*SessionEntry) Tag

func (s *SessionEntry) Tag() string

Tag returns the security context tag

type SessionResumptionError

type SessionResumptionError struct {
	SessionID string
	Reason    string
}

SessionResumptionError represents an error that occurs when attempting to resume a session. This error type can be used with errors.Is and errors.As to detect when a session resumption fails and a new connection should be established.

func (*SessionResumptionError) Error

func (e *SessionResumptionError) Error() string

type TokenAuthData

type TokenAuthData struct {
	ClientID    string // Client identity (username@domain or token subject)
	ServerID    string // Server identity
	RA          []byte // Client random nonce
	RB          []byte // Server random nonce
	Token       string // JWT token (header.payload)
	Signature   []byte // JWT signature (used as shared key)
	SharedKey   []byte // Derived shared key K
	SharedKeyK  []byte // HMAC key K
	SharedKeyKP []byte // Key derivation key K'
	SessionKey  []byte // Final session key W = h'K'(RB)
	State       TokenAuthState
	// Error handling for graceful handshake completion
	AuthError   error // Stored authentication error
	ErrorStatus int   // AUTH_PW status to send (AUTH_PW_A_OK or AUTH_PW_ERROR)
}

TokenAuthData holds data for AKEP2 protocol

type TokenAuthState

type TokenAuthState int

TokenAuthState represents the current state in TOKEN authentication protocol

const (
	TokenStateInit             TokenAuthState = iota
	TokenStateSentRA                          // Client has sent RA
	TokenStateReceivedResponse                // Client has received server response
	TokenStateAuthComplete                    // Authentication complete
)
