assorted: plumb tka initialization & network-lock key into tailscaled

- A network-lock key is generated if it doesn't already exist, and stored in the StateStore. The public component is communicated to control during registration.
 - If TKA state exists on the filesystem, a tailnet key authority is initialized (but nothing is done with it for now).

Signed-off-by: Tom DNetto <tom@tailscale.com>
This commit is contained in:
Tom DNetto
2022-08-01 15:46:41 -07:00
committed by Tom
parent 8d45d7e312
commit 4001d0bf25
8 changed files with 124 additions and 1 deletions


@@ -67,6 +67,7 @@ type Direct struct {
linkMon *monitor.Mon // or nil
discoPubKey key.DiscoPublic
getMachinePrivKey func() (key.MachinePrivate, error)
getNLPublicKey func() (key.NLPublic, error)
debugFlags []string
keepSharerAndUserSplit bool
skipIPForwardingCheck bool
@@ -107,6 +108,7 @@ type Options struct {
LinkMonitor *monitor.Mon // optional link monitor
PopBrowserURL func(url string) // optional func to open browser
Dialer *tsdial.Dialer // non-nil
GetNLPublicKey func() (key.NLPublic, error)
// Status is called when there's a change in status.
Status func(Status)
@@ -190,6 +192,7 @@ func NewDirect(opts Options) (*Direct, error) {
c := &Direct{
httpc: httpc,
getMachinePrivKey: opts.GetMachinePrivateKey,
getNLPublicKey: opts.GetNLPublicKey,
serverURL: opts.ServerURL,
timeNow: opts.TimeNow,
logf: opts.Logf,
@@ -424,6 +427,11 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
oldNodeKey = persist.OldPrivateNodeKey.Public()
}
nlPub, err := c.getNLPublicKey()
if err != nil {
return false, "", fmt.Errorf("get nl key: %v", err)
}
if tryingNewKey.IsZero() {
if opt.Logout {
return false, "", errors.New("no nodekey to log out")
@@ -439,6 +447,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
Version: 1,
OldNodeKey: oldNodeKey,
NodeKey: tryingNewKey.Public(),
NLKey: nlPub,
Hostinfo: hi,
Followup: opt.URL,
Timestamp: &now,
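Review bot: The call at `nlPub, err := c.getNLPublicKey()` in the `@@ -424,6 +427,11 @@` hunk is unconditional, yet the new `GetNLPublicKey` field on `Options` carries no "non-nil" annotation (the neighbouring `Dialer` field does), so any caller of `NewDirect` that leaves it unset — tests or other embedders, presumably — will nil-func panic inside doLogin on the first login instead of getting an error. Either document the field as required, `GetNLPublicKey func() (key.NLPublic, error) // non-nil`, or guard the call and let `nlPub` stay zero when no provider is wired up, as below. While touching it, wrap with `%w` rather than `%v` so callers can `errors.Is`/`errors.As` through the failure; the `RegisterRequest` then sends whatever `nlPub` holds, so a zero key presumably tells control "no network-lock key" — worth a comment confirming that is the intended wire meaning. doLogin starts and ends outside the hunk.
```go
	// … unchanged: oldNodeKey selection …
	// Network-lock key is optional at this layer; a zero NLPublic is sent
	// when no provider was wired up. TODO(review): confirm control treats
	// a zero key as "absent".
	var nlPub key.NLPublic
	if c.getNLPublicKey != nil {
		pub, err := c.getNLPublicKey()
		if err != nil {
			return false, "", fmt.Errorf("get nl key: %w", err)
		}
		nlPub = pub
	}
	// … unchanged: tryingNewKey / logout checks, RegisterRequest …
```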