mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
04dd6d1dae
control/controlclient: sign RegisterRequest Some customers wish to verify eligibility for devices to join their tailnets using machine identity certificates. TLS client certs could potentially fulfill this role but the initial customer for this feature has technical requirements that prevent their use. Instead, the certificate is loaded from the Windows local machine certificate store and uses its RSA public key to sign the RegisterRequest message. There is room to improve the flexibility of this feature in future and it is currently only tested on Windows (although Darwin theoretically works too), but this offers a reasonable starting place for now. Updates tailscale/coral#6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
32 lines
911 B
Go
32 lines
911 B
Go
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package controlclient
|
|
|
|
import (
|
|
"crypto"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"tailscale.com/types/wgkey"
|
|
)
|
|
|
|
var (
|
|
errNoCertStore = errors.New("no certificate store")
|
|
errCertificateNotConfigured = errors.New("no certificate subject configured")
|
|
)
|
|
|
|
// HashRegisterRequest generates the hash required sign or verify a
|
|
// tailcfg.RegisterRequest with tailcfg.SignatureV1.
|
|
func HashRegisterRequest(ts time.Time, serverURL string, deviceCert []byte, serverPubKey, machinePubKey wgkey.Key) []byte {
|
|
h := crypto.SHA256.New()
|
|
|
|
// hash.Hash.Write never returns an error, so we don't check for one here.
|
|
fmt.Fprintf(h, "%s%s%s%s%s",
|
|
ts.UTC().Format(time.RFC3339), serverURL, deviceCert, serverPubKey, machinePubKey)
|
|
|
|
return h.Sum(nil)
|
|
}
|