-
Notifications
You must be signed in to change notification settings - Fork 963
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V2 certificate format #1216
base: cert-interface
Are you sure you want to change the base?
V2 certificate format #1216
Conversation
|
||
-- At least 1 ipv4 or ipv6 address must be present if isCA is false | ||
networks SEQUENCE OF Network, | ||
unsafeNetworks SEQUENCE OF Network OPTIONAL, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very happy to see this getting renamed from -ips
and -subnets
which were a bit confusing (many people believed subnets was essentially the CIDR part of -ips
.) That being said, calling them both "networks" might also be confusing. I think I'd lean towards simply calling this unsafeRoutes
to match the config option.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not opposed to calling these unsafeRoutes
, it doesn't quite feel right though since this field is describing a network that can be used to configure unsafe routes on another host.
cert/cert_v2.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thoughts on each cert variety going in its own subpackage for namespacing and stuff?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I started there but then came around to stuffing it all in cert
so that we could hide away all the unnecessary bits.
Nebula DEFINITIONS AUTOMATIC TAGS ::= BEGIN | ||
|
||
Name ::= UTF8String (SIZE (1..253)) | ||
Time ::= INTEGER (0..18446744073709551615) -- uint64 maximum |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is seconds-since-epoch, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes
@@ -62,6 +62,7 @@ message NebulaHandshakeDetails { | |||
uint32 ResponderIndex = 3; | |||
uint64 Cookie = 4; | |||
uint64 Time = 5; | |||
uint32 CertVersion = 8; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thoughts on making this an enum to match cert.go?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be a cyclical import for the cert
package or else we'd have to do silly type conversions between the two packages.
I will say using cert.Version*
for protocol level stuff gave me the ick.
default: | ||
return nil, r, ErrInvalidPEMCertificateBanner | ||
} | ||
|
||
if err != nil { | ||
return nil, r, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
semantics changed a little bit here -- we used to not return the pem-remainder on err, now we do. It's probably fine? It's more consistent with the default/ErrInvalidPEMCertificateBanner
branch.
WIP based on cert-interface branch