mirror of
https://github.com/gogrlx/nats-server.git
synced 2026-04-14 10:10:42 -07:00
Merge pull request #751 from nats-io/nkey_update
Update for nkey changes
This commit is contained in:
Derek Collison
GitHub
@@ -251,7 +251,7 @@ func (s *Server) isClientAuthorized(c *client) bool {
|
||||
if c.opts.Sig == "" {
|
||||
return false
|
||||
}
|
||||
sig, err := base64.RawURLEncoding.DecodeString(c.opts.Sig)
|
||||
sig, err := base64.StdEncoding.DecodeString(c.opts.Sig)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
@@ -19,8 +19,8 @@ import (
|
||||
|
||||
// Raw length of the nonce challenge
|
||||
const (
|
||||
nonceRawLen = 16
|
||||
nonceLen = 22 // base64.RawURLEncoding.EncodedLen(nonceRawLen)
|
||||
nonceRawLen = 11
|
||||
nonceLen = 16 // base64.StdEncoding.EncodedLen(nonceRawLen)
|
||||
)
|
||||
|
||||
// nonceRequired tells us if we should send a nonce.
|
||||
@@ -35,5 +35,5 @@ func (s *Server) generateNonce(n []byte) {
|
||||
var raw [nonceRawLen]byte
|
||||
data := raw[:]
|
||||
s.prand.Read(data)
|
||||
base64.RawURLEncoding.Encode(n, data)
|
||||
base64.StdEncoding.Encode(n, data)
|
||||
}
|
||||
|
||||
@@ -37,7 +37,7 @@ type nonceInfo struct {
|
||||
}
|
||||
|
||||
// This is a seed for a user. We can extract public and private keys from this for testing.
|
||||
const seed = "SUAOB32VQGYIOM622XYNXN4Q6GQR5I6DFZPPYZMNI5MMNVAQZDAL3OLH554ISOUTJM4EC6NWS5UHMS4CMONVVRW3VXXEQULMR6MDLPOEUVFPU"
|
||||
const seed = "SUAKYRHVIOREXV7EUZTBHUHL7NUMHPMAS7QMDU3GTIUWEI5LDNOXD43IZY"
|
||||
|
||||
func nkeyBasicSetup() (*Server, *client, *bufio.Reader, string) {
|
||||
kp, _ := nkeys.FromSeed(seed)
|
||||
@@ -161,7 +161,7 @@ func TestNkeyClientConnect(t *testing.T) {
|
||||
if err != nil {
|
||||
t.Fatalf("Failed signing nonce: %v", err)
|
||||
}
|
||||
sig := base64.RawURLEncoding.EncodeToString(sigraw)
|
||||
sig := base64.StdEncoding.EncodeToString(sigraw)
|
||||
|
||||
// PING needed to flush the +OK to us.
|
||||
cs = fmt.Sprintf("CONNECT {\"nkey\":%q,\"sig\":\"%s\",\"verbose\":true,\"pedantic\":true}\r\nPING\r\n", pubKey, sig)
|
||||
@@ -199,7 +199,7 @@ func TestMixedClientConnect(t *testing.T) {
|
||||
if err != nil {
|
||||
t.Fatalf("Failed signing nonce: %v", err)
|
||||
}
|
||||
sig := base64.RawURLEncoding.EncodeToString(sigraw)
|
||||
sig := base64.StdEncoding.EncodeToString(sigraw)
|
||||
|
||||
// PING needed to flush the +OK to us.
|
||||
cs := fmt.Sprintf("CONNECT {\"nkey\":%q,\"sig\":\"%s\",\"verbose\":true,\"pedantic\":true}\r\nPING\r\n", pubKey, sig)
|
||||
@@ -252,7 +252,7 @@ func BenchmarkNonceGeneration(b *testing.B) {
|
||||
prand := mrand.New(mrand.NewSource(time.Now().UnixNano()))
|
||||
for i := 0; i < b.N; i++ {
|
||||
prand.Read(data)
|
||||
base64.RawURLEncoding.Encode(b64, data)
|
||||
base64.StdEncoding.Encode(b64, data)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -260,9 +260,9 @@ func BenchmarkPublicVerify(b *testing.B) {
|
||||
data := make([]byte, nonceRawLen)
|
||||
nonce := make([]byte, nonceLen)
|
||||
mrand.Read(data)
|
||||
base64.RawURLEncoding.Encode(nonce, data)
|
||||
base64.StdEncoding.Encode(nonce, data)
|
||||
|
||||
user, err := nkeys.CreateUser(nil)
|
||||
user, err := nkeys.CreateUser()
|
||||
if err != nil {
|
||||
b.Fatalf("Error creating User Nkey: %v", err)
|
||||
}
|
||||
|
||||
10
vendor/github.com/nats-io/nkeys/keypair.go
generated
vendored
10
vendor/github.com/nats-io/nkeys/keypair.go
generated
vendored
@@ -15,6 +15,7 @@ package nkeys
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"io"
|
||||
|
||||
"golang.org/x/crypto/ed25519"
|
||||
@@ -26,12 +27,15 @@ type kp struct {
|
||||
}
|
||||
|
||||
// createPair will create a KeyPair based on the rand entropy and a type/prefix byte. rand can be nil.
|
||||
func createPair(rand io.Reader, prefix PrefixByte) (KeyPair, error) {
|
||||
_, privateKey, err := ed25519.GenerateKey(rand)
|
||||
func createPair(prefix PrefixByte) (KeyPair, error) {
|
||||
var rawSeed [32]byte
|
||||
|
||||
_, err := io.ReadFull(rand.Reader, rawSeed[:])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
seed, err := EncodeSeed(prefix, privateKey)
|
||||
|
||||
seed, err := EncodeSeed(prefix, rawSeed[:])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
40
vendor/github.com/nats-io/nkeys/main.go
generated
vendored
40
vendor/github.com/nats-io/nkeys/main.go
generated
vendored
@@ -17,7 +17,6 @@ package nkeys
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
)
|
||||
|
||||
// Errors
|
||||
@@ -42,32 +41,32 @@ type KeyPair interface {
|
||||
Verify(input []byte, sig []byte) error
|
||||
}
|
||||
|
||||
// CreateUser will create an User typed KeyPair.
|
||||
func CreateUser(rand io.Reader) (KeyPair, error) {
|
||||
return createPair(rand, PrefixByteUser)
|
||||
// CreateUser will create a User typed KeyPair.
|
||||
func CreateUser() (KeyPair, error) {
|
||||
return createPair(PrefixByteUser)
|
||||
}
|
||||
|
||||
// CreateAccount will create an Account typed KeyPair.
|
||||
func CreateAccount(rand io.Reader) (KeyPair, error) {
|
||||
return createPair(rand, PrefixByteAccount)
|
||||
func CreateAccount() (KeyPair, error) {
|
||||
return createPair(PrefixByteAccount)
|
||||
}
|
||||
|
||||
// CreateServer will create a server typed KeyPair.
|
||||
func CreateServer(rand io.Reader) (KeyPair, error) {
|
||||
return createPair(rand, PrefixByteServer)
|
||||
// CreateServer will create a Server typed KeyPair.
|
||||
func CreateServer() (KeyPair, error) {
|
||||
return createPair(PrefixByteServer)
|
||||
}
|
||||
|
||||
// CreateCluster will create a cluster typed KeyPair.
|
||||
func CreateCluster(rand io.Reader) (KeyPair, error) {
|
||||
return createPair(rand, PrefixByteCluster)
|
||||
// CreateCluster will create a Cluster typed KeyPair.
|
||||
func CreateCluster() (KeyPair, error) {
|
||||
return createPair(PrefixByteCluster)
|
||||
}
|
||||
|
||||
// CreateOperator will create an operator typed KeyPair.
|
||||
func CreateOperator(rand io.Reader) (KeyPair, error) {
|
||||
return createPair(rand, PrefixByteOperator)
|
||||
// CreateOperator will create an Operator typed KeyPair.
|
||||
func CreateOperator() (KeyPair, error) {
|
||||
return createPair(PrefixByteOperator)
|
||||
}
|
||||
|
||||
// FromPublicKey will create a KeyPair capable fo verifying signatures.
|
||||
// FromPublicKey will create a KeyPair capable of verifying signatures.
|
||||
func FromPublicKey(public string) (KeyPair, error) {
|
||||
raw, err := decode(public)
|
||||
if err != nil {
|
||||
@@ -88,3 +87,12 @@ func FromSeed(seed string) (KeyPair, error) {
|
||||
}
|
||||
return &kp{seed}, nil
|
||||
}
|
||||
|
||||
// Create a KeyPair from the raw 32 byte seed for a given type.
|
||||
func FromRawSeed(prefix PrefixByte, rawSeed []byte) (KeyPair, error) {
|
||||
seed, err := EncodeSeed(prefix, rawSeed)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &kp{seed}, nil
|
||||
}
|
||||
|
||||
48
vendor/github.com/nats-io/nkeys/nk/main.go
generated
vendored
48
vendor/github.com/nats-io/nkeys/nk/main.go
generated
vendored
@@ -14,6 +14,7 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"flag"
|
||||
"io"
|
||||
@@ -26,7 +27,7 @@ import (
|
||||
)
|
||||
|
||||
func usage() {
|
||||
log.Fatalf("Usage: nk [-gen type] [-sign file] [-verify file] [-inkey keyfile] [-pubin keyfile] [-pubout] [-e entropy]\n")
|
||||
log.Fatalf("Usage: nk [-gen type] [-sign file] [-verify file] [-inkey keyfile] [-pubin keyfile] [-sigfile file] [-pubout] [-e entropy]\n")
|
||||
}
|
||||
|
||||
func main() {
|
||||
@@ -116,7 +117,7 @@ func sign(fname, keyFile string) {
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
log.Printf("%s", base64.RawURLEncoding.EncodeToString(sigraw))
|
||||
log.Printf("%s", base64.StdEncoding.EncodeToString(sigraw))
|
||||
}
|
||||
|
||||
func verify(fname, keyFile, pubFile, sigFile string) {
|
||||
@@ -157,23 +158,37 @@ func verify(fname, keyFile, pubFile, sigFile string) {
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
sig, err := base64.RawURLEncoding.DecodeString(string(sigEnc))
|
||||
sig, err := base64.StdEncoding.DecodeString(string(sigEnc))
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
if err := kp.Verify(content, sig); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
log.Printf("verification succeeded")
|
||||
log.Printf("Verified OK")
|
||||
}
|
||||
|
||||
func createKey(keyType, entropy string) {
|
||||
keyType = strings.ToLower(keyType)
|
||||
var kp nkeys.KeyPair
|
||||
var err error
|
||||
var pre nkeys.PrefixByte
|
||||
|
||||
var ef io.Reader
|
||||
switch keyType {
|
||||
case "user":
|
||||
pre = nkeys.PrefixByteUser
|
||||
case "account":
|
||||
pre = nkeys.PrefixByteAccount
|
||||
case "server":
|
||||
pre = nkeys.PrefixByteServer
|
||||
case "cluster":
|
||||
pre = nkeys.PrefixByteCluster
|
||||
case "operator":
|
||||
pre = nkeys.PrefixByteOperator
|
||||
default:
|
||||
log.Fatalf("Usage: nk -gen [user|account|server|cluster|operator]\n")
|
||||
}
|
||||
|
||||
// See if we override entropy.
|
||||
ef := rand.Reader
|
||||
if entropy != "" {
|
||||
r, err := os.Open(entropy)
|
||||
if err != nil {
|
||||
@@ -182,20 +197,13 @@ func createKey(keyType, entropy string) {
|
||||
ef = r
|
||||
}
|
||||
|
||||
switch keyType {
|
||||
case "user":
|
||||
kp, err = nkeys.CreateUser(ef)
|
||||
case "account":
|
||||
kp, err = nkeys.CreateAccount(ef)
|
||||
case "server":
|
||||
kp, err = nkeys.CreateServer(ef)
|
||||
case "cluster":
|
||||
kp, err = nkeys.CreateCluster(ef)
|
||||
case "operator":
|
||||
kp, err = nkeys.CreateOperator(ef)
|
||||
default:
|
||||
log.Fatalf("Usage: nk -gen [user|account|server|cluster|operator]\n")
|
||||
// Create raw seed from source or random.
|
||||
var rawSeed [32]byte
|
||||
_, err := io.ReadFull(ef, rawSeed[:]) // Or some other random source.
|
||||
if err != nil {
|
||||
log.Fatalf("Error reading from %s: %v", ef, err)
|
||||
}
|
||||
kp, err := nkeys.FromRawSeed(pre, rawSeed[:])
|
||||
if err != nil {
|
||||
log.Fatalf("Error creating %s: %v", keyType, err)
|
||||
}
|
||||
|
||||
2
vendor/github.com/nats-io/nkeys/strkey.go
generated
vendored
2
vendor/github.com/nats-io/nkeys/strkey.go
generated
vendored
@@ -83,7 +83,7 @@ func EncodeSeed(public PrefixByte, src []byte) (string, error) {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if len(src) != ed25519.PrivateKeySize {
|
||||
if len(src) != ed25519.SeedSize {
|
||||
return "", ErrInvalidSeedLen
|
||||
}
|
||||
|
||||
|
||||
2
vendor/manifest
vendored
2
vendor/manifest
vendored
@@ -5,7 +5,7 @@
|
||||
"importpath": "github.com/nats-io/nkeys",
|
||||
"repository": "https://github.com/nats-io/nkeys",
|
||||
"vcs": "git",
|
||||
"revision": "b1c20ce69b6a01afa42403ea6f7b408d6cbc8e4e",
|
||||
"revision": "9206fa847ab4dfdf7378fb1965717f32978852e2",
|
||||
"branch": "master",
|
||||
"notests": true
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user