V2 certificate format #1216
V2 certificate format #1216
Conversation
|
|
||
| -- At least 1 ipv4 or ipv6 address must be present if isCA is false | ||
| networks SEQUENCE OF Network, | ||
| unsafeNetworks SEQUENCE OF Network OPTIONAL, |
There was a problem hiding this comment.
Very happy to see this getting renamed from -ips and -subnets which were a bit confusing (many people believed subnets was essentially the CIDR part of -ips.) That being said, calling them both "networks" might also be confusing. I think I'd lean towards simply calling this unsafeRoutes to match the config option.
There was a problem hiding this comment.
I'm not opposed to calling these unsafeRoutes, it doesn't quite feel right though since this field is describing a network that can be used to configure unsafe routes on another host.
cert/cert_v2.go
Outdated
There was a problem hiding this comment.
thoughts on each cert variety going in its own subpackage for namespacing and stuff?
There was a problem hiding this comment.
I started there but then came around to stuffing it all in cert so that we could hide away all the unnecessary bits.
| Nebula DEFINITIONS AUTOMATIC TAGS ::= BEGIN | ||
|
|
||
| Name ::= UTF8String (SIZE (1..253)) | ||
| Time ::= INTEGER (0..18446744073709551615) -- uint64 maximum |
There was a problem hiding this comment.
this is seconds-since-epoch, right?
| @@ -62,6 +62,7 @@ message NebulaHandshakeDetails { | |||
| uint32 ResponderIndex = 3; | |||
| uint64 Cookie = 4; | |||
| uint64 Time = 5; | |||
| uint32 CertVersion = 8; | |||
There was a problem hiding this comment.
thoughts on making this an enum to match cert.go?
There was a problem hiding this comment.
It would be a cyclical import for the cert package or else we'd have to do silly type conversions between the two packages.
I will say using cert.Version* for protocol level stuff gave me the ick.
| default: | ||
| return nil, r, ErrInvalidPEMCertificateBanner | ||
| } | ||
|
|
||
| if err != nil { | ||
| return nil, r, err |
There was a problem hiding this comment.
semantics changed a little bit here -- we used to not return the pem-remainder on err, now we do. It's probably fine? It's more consistent with the default/ErrInvalidPEMCertificateBanner branch.
WIP based on cert-interface branch