cert


README

cert

This is a library for interacting with nebula style certificates and authorities.

There are now two versions of nebula certificates:

v1

This version is deprecated.

A protobuf definition of the certificate format is included at cert_v1.proto

To compile the definition you will need protoc installed.

To compile for go with the same version of protobuf specified in go.mod:

make proto

v2

This is the latest version, which uses ASN.1 DER encoding. It supports both IPv4 and IPv6 and tolerates future certificate changes better than v1.

cert_v2.asn1 defines the wire format and can be used to compile marshalers.

Documentation


Constants

const (
	// Context-specific ASN.1 tags for the top-level fields of a v2 (DER encoded)
	// certificate: details, curve, public key and signature. cert_v2.asn1 is the
	// authoritative definition of the wire format.
	TagCertDetails   = 0 | classConstructed | classContextSpecific
	TagCertCurve     = 1 | classContextSpecific
	TagCertPublicKey = 2 | classContextSpecific
	TagCertSignature = 3 | classContextSpecific

	// Context-specific ASN.1 tags for the fields inside the details structure
	// (the portion covered by the signature).
	TagDetailsName           = 0 | classContextSpecific
	TagDetailsNetworks       = 1 | classConstructed | classContextSpecific
	TagDetailsUnsafeNetworks = 2 | classConstructed | classContextSpecific
	TagDetailsGroups         = 3 | classConstructed | classContextSpecific
	TagDetailsIsCA           = 4 | classContextSpecific
	TagDetailsNotBefore      = 5 | classContextSpecific
	TagDetailsNotAfter       = 6 | classContextSpecific
	TagDetailsIssuer         = 7 | classContextSpecific
)
const (
	// MaxCertificateSize is the maximum length, in bytes, a valid certificate can be.
	MaxCertificateSize = 65536

	// MaxNameLength is limited to a maximum realistic DNS domain name to help
	// facilitate DNS systems that carry certificate names.
	MaxNameLength = 253

	// MaxNetworkLength is the maximum length a network value can be:
	// 16 bytes for an IPv6 address plus 1 byte for the prefix length.
	MaxNetworkLength = 17
)
const (
	// PEM block types for certificates. The V2 banner marks the ASN.1 encoded
	// v2 format; the plain banner is used by the deprecated v1 format.
	CertificateBanner   = "NEBULA CERTIFICATE"
	CertificateV2Banner = "NEBULA CERTIFICATE V2"
)
const (
	// PEM block types for key-agreement (ECDH) key material; these are the
	// banners written by MarshalPublicKeyToPEM / MarshalPrivateKeyToPEM.
	// Note the deliberate absence of "ECDSA": a P256 key under these banners
	// is an ECDH key, not a signing key.
	X25519PrivateKeyBanner = "NEBULA X25519 PRIVATE KEY"
	X25519PublicKeyBanner  = "NEBULA X25519 PUBLIC KEY"
	P256PrivateKeyBanner   = "NEBULA P256 PRIVATE KEY"
	P256PublicKeyBanner    = "NEBULA P256 PUBLIC KEY"
)
const (
	// PEM block types for signing key material (see MarshalSigningPublicKeyToPEM
	// and EncryptAndMarshalSigningPrivateKey). "ECDSA" in the P256 banners
	// distinguishes signing keys from the P256 ECDH banners above so the two
	// kinds of key are not confused with each other.
	EncryptedECDSAP256PrivateKeyBanner = "NEBULA ECDSA P256 ENCRYPTED PRIVATE KEY"
	ECDSAP256PrivateKeyBanner          = "NEBULA ECDSA P256 PRIVATE KEY"
	ECDSAP256PublicKeyBanner           = "NEBULA ECDSA P256 PUBLIC KEY"
	EncryptedEd25519PrivateKeyBanner   = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
	Ed25519PrivateKeyBanner            = "NEBULA ED25519 PRIVATE KEY"
	Ed25519PublicKeyBanner             = "NEBULA ED25519 PUBLIC KEY"
)

Including "ECDSA" in the P256 banners is a clue that these keys should be used only for signing.

Variables

var (
	// Curve_name maps a Curve enum number to its protobuf enum name.
	Curve_name = map[int32]string{
		0: "CURVE25519",
		1: "P256",
	}
	// Curve_value maps a protobuf enum name back to its Curve enum number.
	Curve_value = map[string]int32{
		"CURVE25519": 0,
		"P256":       1,
	}
)

Enum value maps for Curve.

var (
	// Errors surfaced by parsing and by CAPool verification. Callers should
	// compare with errors.Is; some are returned alongside a usable value
	// (NewCAPoolFromPEM returns ErrExpired together with the pool).
	ErrBadFormat                  = errors.New("bad wire format")
	ErrRootExpired                = errors.New("root certificate is expired")
	ErrExpired                    = errors.New("certificate is expired")
	ErrNotCA                      = errors.New("certificate is not a CA")
	ErrNotSelfSigned              = errors.New("certificate is not self-signed")
	ErrBlockListed                = errors.New("certificate is in the block list")
	ErrFingerprintMismatch        = errors.New("certificate fingerprint did not match")
	ErrSignatureMismatch          = errors.New("certificate signature did not match")
	ErrInvalidPublicKey           = errors.New("invalid public key")
	ErrInvalidPrivateKey          = errors.New("invalid private key")
	ErrPublicPrivateCurveMismatch = errors.New("public key does not match private key curve")
	ErrPublicPrivateKeyMismatch   = errors.New("public key and private key are not a pair")
	ErrPrivateKeyEncrypted        = errors.New("private key must be decrypted")
	ErrCaNotFound                 = errors.New("could not find ca for the certificate")
	ErrUnknownVersion             = errors.New("certificate version unrecognized")
	ErrCertPubkeyPresent          = errors.New("certificate has unexpected pubkey present")

	// Errors from the PEM unmarshal helpers when the input is not a PEM block
	// or carries a banner for a different kind of object.
	ErrInvalidPEMBlock                   = errors.New("input did not contain a valid PEM encoded block")
	ErrInvalidPEMCertificateBanner       = errors.New("bytes did not contain a proper certificate banner")
	ErrInvalidPEMX25519PublicKeyBanner   = errors.New("bytes did not contain a proper X25519 public key banner")
	ErrInvalidPEMX25519PrivateKeyBanner  = errors.New("bytes did not contain a proper X25519 private key banner")
	ErrInvalidPEMEd25519PublicKeyBanner  = errors.New("bytes did not contain a proper Ed25519 public key banner")
	ErrInvalidPEMEd25519PrivateKeyBanner = errors.New("bytes did not contain a proper Ed25519 private key banner")

	// Errors for handshake payloads; presumably raised by Recombine — confirm.
	ErrNoPeerStaticKey = errors.New("no peer static key was present")
	ErrNoPayload       = errors.New("provided payload was empty")

	// Structural errors for a certificate missing mandatory parts.
	ErrMissingDetails  = errors.New("certificate did not contain details")
	ErrEmptySignature  = errors.New("empty signature")
	ErrEmptyRawDetails = errors.New("empty rawDetails not allowed")
)
// File_cert_v1_proto is the protobuf file descriptor for the deprecated v1
// certificate format defined in cert_v1.proto.
var File_cert_v1_proto protoreflect.FileDescriptor

Functions

func CalculateAlternateFingerprint added in v1.10.3

func CalculateAlternateFingerprint(c Certificate) (string, error)

CalculateAlternateFingerprint calculates a second fingerprint representation for P256 certificates. CAPool blocklist testing through `VerifyCertificate` and `VerifyCachedCertificate` automatically performs this step.

func CheckCAConstraints added in v1.10.0

func CheckCAConstraints(signer Certificate, sub Certificate) error

CheckCAConstraints returns an error if the sub certificate violates constraints present in the signer certificate.

func EncryptAndMarshalSigningPrivateKey added in v1.7.0

func EncryptAndMarshalSigningPrivateKey(curve Curve, b []byte, passphrase []byte, kdfParams *Argon2Parameters) ([]byte, error)

EncryptAndMarshalSigningPrivateKey is a simple helper to encrypt and PEM encode a private key

func MarshalPrivateKeyToPEM added in v1.10.0

func MarshalPrivateKeyToPEM(curve Curve, b []byte) []byte

func MarshalPublicKeyToPEM added in v1.10.0

func MarshalPublicKeyToPEM(curve Curve, b []byte) []byte

MarshalPublicKeyToPEM returns a PEM representation of a public key used for ECDH. If your public key came from a certificate, prefer Certificate.PublicKeyPEM() if possible, to avoid mistakes!

func MarshalSigningPrivateKeyToPEM added in v1.10.0

func MarshalSigningPrivateKeyToPEM(curve Curve, b []byte) []byte

func MarshalSigningPublicKeyToPEM added in v1.10.0

func MarshalSigningPublicKeyToPEM(curve Curve, b []byte) []byte

MarshalSigningPublicKeyToPEM returns a PEM representation of a public key used for signing. If your public key came from a certificate, prefer Certificate.PublicKeyPEM() if possible, to avoid mistakes!

func NewErrInvalidCertificateProperties added in v1.10.0

func NewErrInvalidCertificateProperties(format string, a ...any) error

Types

type Argon2Parameters added in v1.7.0

// Argon2Parameters are the KDF factors used when a signing private key is
// encrypted with a passphrase (see EncryptAndMarshalSigningPrivateKey).
// Construct with NewArgon2Parameters so the unexported version field is set.
type Argon2Parameters struct {
	Memory      uint32 // KiB
	Parallelism uint8
	Iterations  uint32
	// contains filtered or unexported fields
}

Argon2Parameters KDF factors

func NewArgon2Parameters added in v1.7.0

func NewArgon2Parameters(memory uint32, parallelism uint8, iterations uint32) *Argon2Parameters

NewArgon2Parameters returns a new Argon2Parameters object with the current version set.

type CAPool added in v1.10.0

// CAPool holds the set of trusted CA certificates together with a fingerprint
// blocklist (see BlocklistFingerprint / IsBlocklisted). Certificates are only
// admitted through AddCA / AddCAFromPEM, which verify that they are CAs.
type CAPool struct {
	// CAs holds the verified CA certificates; the key is presumably the CA
	// fingerprint (see GetFingerprints) — confirm.
	CAs map[string]*CachedCertificate
	// contains filtered or unexported fields
}

func NewCAPool

func NewCAPool() *CAPool

NewCAPool creates an empty CAPool

func NewCAPoolFromPEM added in v1.10.0

func NewCAPoolFromPEM(caPEMs []byte) (*CAPool, error)

NewCAPoolFromPEM will create a new CA pool from the provided input bytes, which must be a PEM-encoded set of nebula certificates. If the pool contains any expired certificates, an ErrExpired will be returned along with the pool. The caller must handle any such errors.

func (*CAPool) AddCA added in v1.10.0

func (ncp *CAPool) AddCA(c Certificate) error

AddCA verifies a Nebula CA certificate and adds it to the pool.

func (*CAPool) AddCAFromPEM added in v1.10.0

func (ncp *CAPool) AddCAFromPEM(pemBytes []byte) ([]byte, error)

AddCAFromPEM verifies a Nebula CA certificate and adds it to the pool. Only the first PEM-encoded object is consumed; any remaining bytes are returned. Parsed certificates are verified and must be a CA.

func (*CAPool) BlocklistFingerprint added in v1.10.0

func (ncp *CAPool) BlocklistFingerprint(f string)

BlocklistFingerprint adds a cert fingerprint to the blocklist

func (*CAPool) GetCAForCert added in v1.10.0

func (ncp *CAPool) GetCAForCert(c Certificate) (*CachedCertificate, error)

GetCAForCert attempts to return the signing certificate for the provided certificate. No signature validation is performed, so the result only identifies a candidate CA; use VerifyCertificate to confirm the certificate is actually signed by it.

func (*CAPool) GetFingerprints added in v1.10.0

func (ncp *CAPool) GetFingerprints() []string

GetFingerprints returns an array of trusted CA fingerprints

func (*CAPool) IsBlocklisted added in v1.10.0

func (ncp *CAPool) IsBlocklisted(fingerprint string) bool

IsBlocklisted tests the provided fingerprint against the pool's blocklist. Returns true if the fingerprint is blocked.

func (*CAPool) ResetCertBlocklist added in v1.10.0

func (ncp *CAPool) ResetCertBlocklist()

ResetCertBlocklist removes all previously blocklisted cert fingerprints

func (*CAPool) VerifyCachedCertificate added in v1.10.0

func (ncp *CAPool) VerifyCachedCertificate(now time.Time, c *CachedCertificate) error

VerifyCachedCertificate is the same as VerifyCertificate, except that it operates on a pre-verified structure and is therefore a cheaper operation to perform.

func (*CAPool) VerifyCertificate added in v1.10.0

func (ncp *CAPool) VerifyCertificate(now time.Time, c Certificate) (*CachedCertificate, error)

VerifyCertificate verifies the certificate is valid and is signed by a trusted CA in the pool. If the certificate is valid then the returned CachedCertificate can be used in subsequent verification attempts to increase performance.

type CachedCertificate added in v1.10.0

// CachedCertificate represents a certificate that has already been verified
// (see CAPool.VerifyCertificate) along with fields cached to speed up later
// checks via VerifyCachedCertificate.
type CachedCertificate struct {
	// Certificate is the verified certificate itself.
	Certificate Certificate
	// InvertedGroups is presumably the certificate's Groups() as a set for
	// membership tests — confirm.
	InvertedGroups map[string]struct{}
	// Fingerprint is the cached result of Certificate.Fingerprint().
	Fingerprint string
	// contains filtered or unexported fields
}

CachedCertificate represents a verified certificate with some cached fields to improve performance.

func (*CachedCertificate) String added in v1.10.0

func (cc *CachedCertificate) String() string

type Certificate added in v1.10.0

// Certificate is the version-independent view of a nebula certificate.
// Both v1 (protobuf) and v2 (ASN.1) certificates implement it.
type Certificate interface {
	// Version defines the underlying certificate structure and wire protocol version
	// Version1 certificates are ipv4 only and uses protobuf serialization
	// Version2 certificates are ipv4 or ipv6 and uses asn.1 serialization
	Version() Version

	// Name is the human-readable name that identifies this certificate.
	Name() string

	// Networks is a list of ip addresses and network sizes assigned to this certificate.
	// If IsCA is true then certificates signed by this CA can only have ip addresses and
	// networks that are contained by an entry in this list.
	Networks() []netip.Prefix

	// UnsafeNetworks is a list of networks that this host can act as an unsafe router for.
	// If IsCA is true then certificates signed by this CA can only have networks that are
	// contained by an entry in this list.
	UnsafeNetworks() []netip.Prefix

	// Groups is a list of identities that can be used to write more general firewall rule
	// definitions.
	// If IsCA is true then certificates signed by this CA can only use groups that are
	// in this list.
	Groups() []string

	// IsCA signifies if this is a certificate authority (true) or a host certificate (false).
	// It is invalid to use a CA certificate as a host certificate.
	IsCA() bool

	// NotBefore is the time at which this certificate becomes valid.
	// If IsCA is true then certificate signed by this CA can not have a time before this.
	NotBefore() time.Time

	// NotAfter is the time at which this certificate becomes invalid.
	// If IsCA is true then certificate signed by this CA can not have a time after this.
	NotAfter() time.Time

	// Issuer is the fingerprint of the CA that signed this certificate.
	// If IsCA is true then this will be empty.
	Issuer() string

	// PublicKey is the raw bytes to be used in asymmetric cryptographic operations.
	PublicKey() []byte

	// MarshalPublicKeyPEM is the value of PublicKey marshalled to PEM
	MarshalPublicKeyPEM() []byte

	// Curve identifies which curve was used for the PublicKey and Signature.
	Curve() Curve

	// Signature is the cryptographic seal for all the details of this certificate.
	// CheckSignature can be used to verify that the details of this certificate are valid.
	Signature() []byte

	// CheckSignature will check that the certificate Signature() matches the
	// computed signature. A true result means this certificate has not been tampered with.
	// It only establishes that the details were signed by the holder of
	// signingPublicKey; whether that key belongs to a trusted CA, and whether the
	// certificate is expired or blocklisted, is decided by CAPool.VerifyCertificate.
	CheckSignature(signingPublicKey []byte) bool

	// Fingerprint returns the hex encoded sha256 sum of the certificate.
	// This acts as a unique fingerprint and can be used to blocklist certificates.
	// P256 certificates also have a second representation, see CalculateAlternateFingerprint.
	Fingerprint() (string, error)

	// Expired tests if the certificate is valid for the provided time.
	// NOTE(review): the name suggests true means t falls outside NotBefore..NotAfter — confirm.
	Expired(t time.Time) bool

	// VerifyPrivateKey returns an error if the private key is not a pair with the certificates public key.
	VerifyPrivateKey(curve Curve, privateKey []byte) error

	// Marshal will return the byte representation of this certificate
	// This is primarily the format transmitted on the wire.
	Marshal() ([]byte, error)

	// MarshalForHandshakes prepares the bytes needed to use directly in a handshake
	// (the public key travels separately; see Recombine for the inverse).
	MarshalForHandshakes() ([]byte, error)

	// MarshalPEM will return a PEM encoded representation of this certificate
	// This is primarily the format stored on disk
	MarshalPEM() ([]byte, error)

	// MarshalJSON will return the json representation of this certificate
	MarshalJSON() ([]byte, error)

	// String will return a human-readable representation of this certificate
	String() string

	// Copy creates a copy of the certificate
	Copy() Certificate
}

func Recombine added in v1.10.0

func Recombine(v Version, rawCertBytes, publicKey []byte, curve Curve) (Certificate, error)

Recombine will attempt to unmarshal a certificate received in a handshake. Handshakes save space by placing the peer's public key in a different part of the packet, so the actual certificate structure has to be reassembled with that in mind. Implementations MUST assert the public key is not in the raw certificate bytes if the passed-in public key is not empty.

func UnmarshalCertificateFromPEM added in v1.10.0

func UnmarshalCertificateFromPEM(b []byte) (Certificate, []byte, error)

UnmarshalCertificateFromPEM will try to unmarshal the first PEM block in a byte array, returning any unconsumed data, or an error on failure.

type Curve added in v1.7.0

// Curve identifies the elliptic curve a key pair (and therefore a certificate's
// PublicKey and Signature) was generated on. The numeric values match the
// protobuf enum (see Curve_name / Curve_value).
type Curve int32
const (
	Curve_CURVE25519 Curve = 0
	Curve_P256       Curve = 1
)

func DecryptAndUnmarshalSigningPrivateKey added in v1.7.0

func DecryptAndUnmarshalSigningPrivateKey(passphrase, b []byte) (Curve, []byte, []byte, error)

DecryptAndUnmarshalSigningPrivateKey will try to PEM-decode and decrypt an Ed25519/ECDSA private key with the given passphrase, returning any remaining bytes of b, or an error on failure.

func UnmarshalPrivateKeyFromPEM added in v1.10.0

func UnmarshalPrivateKeyFromPEM(b []byte) ([]byte, []byte, Curve, error)

UnmarshalPrivateKeyFromPEM will try to unmarshal the first PEM block in a byte array, returning any unconsumed data, or an error on failure.

func UnmarshalPublicKeyFromPEM added in v1.10.0

func UnmarshalPublicKeyFromPEM(b []byte) ([]byte, []byte, Curve, error)

func UnmarshalSigningPrivateKeyFromPEM added in v1.10.0

func UnmarshalSigningPrivateKeyFromPEM(b []byte) ([]byte, []byte, Curve, error)

func (Curve) Descriptor added in v1.7.0

func (Curve) Descriptor() protoreflect.EnumDescriptor

func (Curve) Enum added in v1.7.0

func (x Curve) Enum() *Curve

func (Curve) EnumDescriptor deprecated added in v1.7.0

func (Curve) EnumDescriptor() ([]byte, []int)

Deprecated: Use Curve.Descriptor instead.

func (Curve) Number added in v1.7.0

func (x Curve) Number() protoreflect.EnumNumber

func (Curve) String added in v1.7.0

func (x Curve) String() string

func (Curve) Type added in v1.7.0

func (Curve) Type() protoreflect.EnumType

type ErrInvalidCertificateProperties added in v1.10.0

// ErrInvalidCertificateProperties is the error type for a certificate whose
// details are not acceptable; build one with NewErrInvalidCertificateProperties
// and match it with errors.As.
type ErrInvalidCertificateProperties struct {
	// contains filtered or unexported fields
}

func (*ErrInvalidCertificateProperties) Error added in v1.10.0

type NebulaEncryptedData added in v1.7.0

// NebulaEncryptedData is the decoded form of an encrypted blob: the KDF and
// cipher metadata alongside the ciphertext. Produced by UnmarshalNebulaEncryptedData;
// presumably the payload format of the encrypted signing private key banners — confirm.
type NebulaEncryptedData struct {
	EncryptionMetadata NebulaEncryptionMetadata
	Ciphertext         []byte
}

func UnmarshalNebulaEncryptedData added in v1.7.0

func UnmarshalNebulaEncryptedData(b []byte) (*NebulaEncryptedData, error)

UnmarshalNebulaEncryptedData will unmarshal a protobuf byte representation of a nebula cert into its protobuf-generated struct.

type NebulaEncryptionMetadata added in v1.7.0

// NebulaEncryptionMetadata describes how a NebulaEncryptedData ciphertext was
// produced: the cipher identifier and the Argon2 parameters used to derive the key.
type NebulaEncryptionMetadata struct {
	EncryptionAlgorithm string
	Argon2Parameters    Argon2Parameters
}

type RawNebulaArgon2Parameters added in v1.7.0

// RawNebulaArgon2Parameters is the protobuf wire struct for Argon2Parameters.
// Prefer the Argon2Parameters type in application code; this one exists for
// (de)serialization.
type RawNebulaArgon2Parameters struct {
	Version     int32  `protobuf:"varint,1,opt,name=version,proto3" json:"version,omitempty"` // rune in Go
	Memory      uint32 `protobuf:"varint,2,opt,name=memory,proto3" json:"memory,omitempty"`
	Parallelism uint32 `protobuf:"varint,4,opt,name=parallelism,proto3" json:"parallelism,omitempty"` // uint8 in Go
	Iterations  uint32 `protobuf:"varint,3,opt,name=iterations,proto3" json:"iterations,omitempty"`
	Salt        []byte `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaArgon2Parameters) Descriptor deprecated added in v1.7.0

func (*RawNebulaArgon2Parameters) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaArgon2Parameters.ProtoReflect.Descriptor instead.

func (*RawNebulaArgon2Parameters) GetIterations added in v1.7.0

func (x *RawNebulaArgon2Parameters) GetIterations() uint32

func (*RawNebulaArgon2Parameters) GetMemory added in v1.7.0

func (x *RawNebulaArgon2Parameters) GetMemory() uint32

func (*RawNebulaArgon2Parameters) GetParallelism added in v1.7.0

func (x *RawNebulaArgon2Parameters) GetParallelism() uint32

func (*RawNebulaArgon2Parameters) GetSalt added in v1.7.0

func (x *RawNebulaArgon2Parameters) GetSalt() []byte

func (*RawNebulaArgon2Parameters) GetVersion added in v1.7.0

func (x *RawNebulaArgon2Parameters) GetVersion() int32

func (*RawNebulaArgon2Parameters) ProtoMessage added in v1.7.0

func (*RawNebulaArgon2Parameters) ProtoMessage()

func (*RawNebulaArgon2Parameters) ProtoReflect added in v1.7.0

func (*RawNebulaArgon2Parameters) Reset added in v1.7.0

func (x *RawNebulaArgon2Parameters) Reset()

func (*RawNebulaArgon2Parameters) String added in v1.7.0

func (x *RawNebulaArgon2Parameters) String() string

type RawNebulaCertificate

// RawNebulaCertificate is the protobuf wire struct for a deprecated v1
// certificate: the signed details plus the signature over them.
type RawNebulaCertificate struct {
	Details   *RawNebulaCertificateDetails `protobuf:"bytes,1,opt,name=Details,proto3" json:"Details,omitempty"`
	Signature []byte                       `protobuf:"bytes,2,opt,name=Signature,proto3" json:"Signature,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificate) Descriptor deprecated

func (*RawNebulaCertificate) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificate.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificate) GetDetails

func (*RawNebulaCertificate) GetSignature

func (x *RawNebulaCertificate) GetSignature() []byte

func (*RawNebulaCertificate) ProtoMessage

func (*RawNebulaCertificate) ProtoMessage()

func (*RawNebulaCertificate) ProtoReflect added in v1.4.0

func (x *RawNebulaCertificate) ProtoReflect() protoreflect.Message

func (*RawNebulaCertificate) Reset

func (x *RawNebulaCertificate) Reset()

func (*RawNebulaCertificate) String

func (x *RawNebulaCertificate) String() string

type RawNebulaCertificateDetails

// RawNebulaCertificateDetails is the protobuf wire struct for the signed
// portion of a deprecated v1 certificate. v1 certificates are IPv4 only,
// hence the uint32 address encoding below.
type RawNebulaCertificateDetails struct {
	Name string `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
	// Ips and Subnets are in big endian 32 bit pairs, 1st the ip, 2nd the mask
	Ips       []uint32 `protobuf:"varint,2,rep,packed,name=Ips,proto3" json:"Ips,omitempty"`
	Subnets   []uint32 `protobuf:"varint,3,rep,packed,name=Subnets,proto3" json:"Subnets,omitempty"`
	Groups    []string `protobuf:"bytes,4,rep,name=Groups,proto3" json:"Groups,omitempty"`
	NotBefore int64    `protobuf:"varint,5,opt,name=NotBefore,proto3" json:"NotBefore,omitempty"`
	NotAfter  int64    `protobuf:"varint,6,opt,name=NotAfter,proto3" json:"NotAfter,omitempty"`
	PublicKey []byte   `protobuf:"bytes,7,opt,name=PublicKey,proto3" json:"PublicKey,omitempty"`
	IsCA      bool     `protobuf:"varint,8,opt,name=IsCA,proto3" json:"IsCA,omitempty"`
	// sha-256 of the issuer certificate, if this field is blank the cert is self-signed
	Issuer []byte `protobuf:"bytes,9,opt,name=Issuer,proto3" json:"Issuer,omitempty"`
	// Curve of PublicKey (and of the signature); field number 100 was added after the others.
	Curve  Curve  `protobuf:"varint,100,opt,name=curve,proto3,enum=cert.Curve" json:"curve,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaCertificateDetails) Descriptor deprecated

func (*RawNebulaCertificateDetails) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaCertificateDetails.ProtoReflect.Descriptor instead.

func (*RawNebulaCertificateDetails) GetCurve added in v1.7.0

func (x *RawNebulaCertificateDetails) GetCurve() Curve

func (*RawNebulaCertificateDetails) GetGroups

func (x *RawNebulaCertificateDetails) GetGroups() []string

func (*RawNebulaCertificateDetails) GetIps

func (x *RawNebulaCertificateDetails) GetIps() []uint32

func (*RawNebulaCertificateDetails) GetIsCA

func (x *RawNebulaCertificateDetails) GetIsCA() bool

func (*RawNebulaCertificateDetails) GetIssuer

func (x *RawNebulaCertificateDetails) GetIssuer() []byte

func (*RawNebulaCertificateDetails) GetName

func (x *RawNebulaCertificateDetails) GetName() string

func (*RawNebulaCertificateDetails) GetNotAfter

func (x *RawNebulaCertificateDetails) GetNotAfter() int64

func (*RawNebulaCertificateDetails) GetNotBefore

func (x *RawNebulaCertificateDetails) GetNotBefore() int64

func (*RawNebulaCertificateDetails) GetPublicKey

func (x *RawNebulaCertificateDetails) GetPublicKey() []byte

func (*RawNebulaCertificateDetails) GetSubnets

func (x *RawNebulaCertificateDetails) GetSubnets() []uint32

func (*RawNebulaCertificateDetails) ProtoMessage

func (*RawNebulaCertificateDetails) ProtoMessage()

func (*RawNebulaCertificateDetails) ProtoReflect added in v1.4.0

func (*RawNebulaCertificateDetails) Reset

func (x *RawNebulaCertificateDetails) Reset()

func (*RawNebulaCertificateDetails) String

func (x *RawNebulaCertificateDetails) String() string

type RawNebulaEncryptedData added in v1.7.0

// RawNebulaEncryptedData is the protobuf wire struct for NebulaEncryptedData.
type RawNebulaEncryptedData struct {
	EncryptionMetadata *RawNebulaEncryptionMetadata `protobuf:"bytes,1,opt,name=EncryptionMetadata,proto3" json:"EncryptionMetadata,omitempty"`
	Ciphertext         []byte                       `protobuf:"bytes,2,opt,name=Ciphertext,proto3" json:"Ciphertext,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaEncryptedData) Descriptor deprecated added in v1.7.0

func (*RawNebulaEncryptedData) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaEncryptedData.ProtoReflect.Descriptor instead.

func (*RawNebulaEncryptedData) GetCiphertext added in v1.7.0

func (x *RawNebulaEncryptedData) GetCiphertext() []byte

func (*RawNebulaEncryptedData) GetEncryptionMetadata added in v1.7.0

func (x *RawNebulaEncryptedData) GetEncryptionMetadata() *RawNebulaEncryptionMetadata

func (*RawNebulaEncryptedData) ProtoMessage added in v1.7.0

func (*RawNebulaEncryptedData) ProtoMessage()

func (*RawNebulaEncryptedData) ProtoReflect added in v1.7.0

func (x *RawNebulaEncryptedData) ProtoReflect() protoreflect.Message

func (*RawNebulaEncryptedData) Reset added in v1.7.0

func (x *RawNebulaEncryptedData) Reset()

func (*RawNebulaEncryptedData) String added in v1.7.0

func (x *RawNebulaEncryptedData) String() string

type RawNebulaEncryptionMetadata added in v1.7.0

// RawNebulaEncryptionMetadata is the protobuf wire struct for NebulaEncryptionMetadata.
type RawNebulaEncryptionMetadata struct {
	EncryptionAlgorithm string                     `protobuf:"bytes,1,opt,name=EncryptionAlgorithm,proto3" json:"EncryptionAlgorithm,omitempty"`
	Argon2Parameters    *RawNebulaArgon2Parameters `protobuf:"bytes,2,opt,name=Argon2Parameters,proto3" json:"Argon2Parameters,omitempty"`
	// contains filtered or unexported fields
}

func (*RawNebulaEncryptionMetadata) Descriptor deprecated added in v1.7.0

func (*RawNebulaEncryptionMetadata) Descriptor() ([]byte, []int)

Deprecated: Use RawNebulaEncryptionMetadata.ProtoReflect.Descriptor instead.

func (*RawNebulaEncryptionMetadata) GetArgon2Parameters added in v1.7.0

func (x *RawNebulaEncryptionMetadata) GetArgon2Parameters() *RawNebulaArgon2Parameters

func (*RawNebulaEncryptionMetadata) GetEncryptionAlgorithm added in v1.7.0

func (x *RawNebulaEncryptionMetadata) GetEncryptionAlgorithm() string

func (*RawNebulaEncryptionMetadata) ProtoMessage added in v1.7.0

func (*RawNebulaEncryptionMetadata) ProtoMessage()

func (*RawNebulaEncryptionMetadata) ProtoReflect added in v1.7.0

func (*RawNebulaEncryptionMetadata) Reset added in v1.7.0

func (x *RawNebulaEncryptionMetadata) Reset()

func (*RawNebulaEncryptionMetadata) String added in v1.7.0

func (x *RawNebulaEncryptionMetadata) String() string

type SignerLambda added in v1.10.0

// SignerLambda produces the signature over certBytes on behalf of the caller.
// TBSCertificate.SignWith uses it when the private key is not directly
// available to this package.
type SignerLambda func(certBytes []byte) ([]byte, error)

type TBSCertificate added in v1.10.0

// TBSCertificate ("to be signed") carries the details of a certificate that
// has not been sealed yet. Call Sign or SignWith to obtain a Certificate;
// this struct itself must not be used as one.
type TBSCertificate struct {
	// Version selects the wire format (Version1 protobuf, Version2 ASN.1).
	Version Version
	// Name is the human-readable identity of the certificate.
	Name string
	// Networks and UnsafeNetworks mirror Certificate.Networks / UnsafeNetworks.
	Networks       []netip.Prefix
	UnsafeNetworks []netip.Prefix
	// Groups mirrors Certificate.Groups.
	Groups []string
	// IsCA marks a certificate authority; when true, Sign expects a nil signer.
	IsCA bool
	// NotBefore / NotAfter bound the validity period.
	NotBefore time.Time
	NotAfter  time.Time
	// PublicKey is the raw public key, on Curve.
	PublicKey []byte
	Curve     Curve
	// contains filtered or unexported fields
}

TBSCertificate represents a certificate intended to be signed. It is invalid to use this structure as a Certificate.

func (*TBSCertificate) Sign added in v1.10.0

func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Certificate, error)

Sign will create a sealed certificate using the details provided by the TBSCertificate, as long as those details do not violate the constraints of the signing certificate. If the TBSCertificate is a CA then signer must be nil.

func (*TBSCertificate) SignWith added in v1.10.0

func (t *TBSCertificate) SignWith(signer Certificate, curve Curve, sp SignerLambda) (Certificate, error)

SignWith does the same thing as Sign, but uses the function in `sp` to calculate the signature. You should only use SignWith if you do not have direct access to your private key.

type Version added in v1.10.0

// Version is the certificate structure / wire protocol version.
// Version1 is the deprecated protobuf format; Version2 is the ASN.1 format.
// VersionPre1 presumably denotes certificates predating the v1 format — confirm.
type Version uint8
const (
	VersionPre1 Version = 0
	Version1    Version = 1
	Version2    Version = 2
)
