Commit Graph

33 Commits

Author SHA1 Message Date
Lars Lehtonen 3a8743d511
cmd/nebula-cert: fix clobbered error (#1032)
* cmd/nebula-cert: fix clobbered error

Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com>

* apply suggestions from Nate

This makes it much clearer what is happening in the code

---------

Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com>
Co-authored-by: Wade Simmons <wsimmons@slack-corp.com>
2023-12-06 13:20:49 -05:00
guangwu 276978377a
chore: remove refs to deprecated io/ioutil (#987)
Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
2023-10-31 10:35:13 -04:00
Nate Brown 5a131b2975
Combine ca, cert, and key handling (#952) 2023-08-14 21:32:40 -05:00
Nate Brown 1e3c155896
Attempt to notify systemd of service readiness on linux (#929) 2023-07-24 11:30:18 -05:00
Wade Simmons e0185c4b01
Support NIST curve P256 (#769)
* Support NIST curve P256

This change adds support for NIST curve P256. When you use `nebula-cert ca`
or `nebula-cert keygen`, you can specify `-curve P256` to enable it. The
curve to use is based on the curve defined in your CA certificate.

Internally, we use ECDSA P256 to sign certificates, and ECDH P256 to do
Noise handshakes. P256 is not supported natively in Noise Protocol, so
we define `DHP256` in the `noiseutil` package to implement support for
it.

You cannot have a mixed network of Curve25519 and P256 certificates,
since the Noise protocol will only attempt to parse using the Curve
defined in the host's certificate.

* verify the curves match in VerifyPrivateKey

This would have failed anyways once we tried to actually use the bytes
in the private key, but its better to detect the issue up front with
a better error message.

* add cert.Curve argument to Sign method

* fix mismerge

* use crypto/ecdh

This is the preferred method for doing ECDH functions now, and also has
a boringcrypto specific codepath.

* remove other ecdh uses of crypto/elliptic

use crypto/ecdh instead
2023-05-04 17:50:23 -04:00
John Maguire a56a97e5c3
Add ability to encrypt CA private key at rest (#386)
Fixes #8.

`nebula-cert ca` now supports encrypting the CA's private key with a
passphrase. Pass `-encrypt` in order to be prompted for a passphrase.
Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF
parameters default to RFC recommendations, but can be overridden via CLI
flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`.
2023-04-03 13:59:38 -04:00
John Maguire b7e73da943
Add note indicating modes have usage text (#794) 2022-12-20 16:53:56 -05:00
John Maguire a3e6edf9c7
Use config.yml consistently (not config.yaml) (#789) 2022-12-19 11:45:15 -06:00
Wade Simmons 9af242dc47
switch to new sync/atomic helpers in go1.19 (#728)
These new helpers make the code a lot cleaner. I confirmed that the
simple helpers like `atomic.Int64` don't add any extra overhead as they
get inlined by the compiler. `atomic.Pointer` adds an extra method call
as it no longer gets inlined, but we aren't using these on the hot path
so it is probably okay.
2022-10-31 13:37:41 -04:00
Nate Brown e31006d546
Be more clear about ipv4 in nebula-cert (#604) 2021-12-07 21:40:30 -06:00
Nate Brown 4453964e34
Move util to test, contextual errors to util (#575) 2021-11-10 21:47:38 -06:00
John Maguire 0577c097fb
Fix flaky test (#567) 2021-11-04 14:49:56 -05:00
Nate Brown bcabcfdaca
Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
Nate Brown 32cd9a93f1
Bump to go1.17 (#553) 2021-10-21 16:24:11 -05:00
Manuel Romei 3a8f533b24
refactor: use X25519 instead of ScalarBaseMult (#533)
As suggested in https://pkg.go.dev/golang.org/x/crypto/curve25519#ScalarBaseMult,
use X25519 instead of ScalarBaseMult. When using Basepoint, it may employ
some precomputed values, enhancing performance.

Co-authored-by: Wade Simmons <wade@wades.im>
Co-authored-by: Wade Simmons <wadey@slack-corp.com>
2021-10-12 12:03:43 -04:00
John Maguire 34d002d695
Check CA cert and key match in nebula-cert sign (#503)
`func (nc *NebulaCertificate) VerifyPrivateKey(key []byte) error` would
previously return an error even if passed the correct private key for a
CA certificate `nc`.

That function has been updated to support CA certificates, and
nebula-cert now calls it before signing a new certificate. Previously,
it would perform all constraint checks against the CA certificate
provided, take a SHA256 fingerprint of the provided certificate, insert
it into the new node certificate, and then finally sign it with the
mismatching private key provided.
2021-10-01 12:43:33 -04:00
Nate Brown 1bc6f5fe6c
Minor windows focused improvements (#443)
Co-authored-by: Wade Simmons <wadey@slack-corp.com>
2021-04-30 15:04:47 -05:00
Nathan Brown 3ea7e1b75f
Don't use a global logger (#423) 2021-03-26 09:46:30 -05:00
Tim Rots e7e6a23cde
fix a few typos (#302) 2021-03-01 11:14:34 -05:00
Nathan Brown d4b81f9b8d
Add QR code support to `nebula-cert` (#297) 2021-02-11 18:53:25 -06:00
Nathan Brown 68e3e84fdc
More like a library (#279) 2020-09-18 09:20:09 -05:00
Wade Simmons aba42f9fa6
enforce the use of goimports (#248)
* enforce the use of goimports

Instead of enforcing `gofmt`, enforce `goimports`, which also asserts
a separate section for non-builtin packages.

* run `goimports` everywhere

* exclude generated .pb.go files
2020-06-30 18:53:30 -04:00
Nathan Brown 41578ca971
Be more like a library to support mobile (#247) 2020-06-30 13:48:58 -05:00
Stephan 1592da921d fix(nebula-cert): flag duration is optional, so reflect this is the cli help (#117)
* fix: nebula-cert duration is optional, so reflect this is the cli help

nebula-cert sign defaults the duration flag to 1 second before the CA expires, so it is not required to be provided.

* tests: Fix test for duration flag help message

* nebula-cert: add duration default value hint
2020-01-06 10:51:29 -08:00
Nate Brown 328db6bb82 Root constraint usage and support in nebula-cert 2019-12-17 17:59:21 -08:00
Wade Simmons df43f6466e gofmt 2019-12-11 23:15:57 -05:00
Wade Simmons b39a0f422d Fix nebula-cert tests on darwin and windows
This fixes a couple issues:

- NoSuchFileError not defined for darwin.
- ca_test and sign_test do a bunch of filesystem specific tests that
  error differently on Windows. Just disable these tests on Windows for
  now.
- Make the signcert test more deterministic by only testing one existing
  file at a time.
2019-12-11 10:13:19 -05:00
Nate Brown 7076fc0004 Fix impossible error message condition, go fmt 2019-12-09 16:41:27 -08:00
Slack Security Team a5814be1ca clean up code and print Version instead of Build 2019-11-28 16:25:34 +00:00
Ryan Huber 00d6973e27 remove some boilerplate + better messages 2019-11-28 16:20:57 +00:00
Ryan Huber 8ed69c8eaf make nebula a service that can install itself 2019-11-28 16:20:57 +00:00
Nate Brown c4c334fedb Support for 1.0.0 release 2019-11-19 10:31:59 -08:00
Slack Security Team f22b4b584d Public Release 2019-11-19 17:00:20 +00:00