mirror of
https://github.com/slackhq/nebula.git
synced 2025-11-08 22:43:57 +01:00
a56a97e5c3
Fixes #8. `nebula-cert ca` now supports encrypting the CA's private key with a passphrase. Pass `-encrypt` in order to be prompted for a passphrase. Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF parameters default to RFC recommendations, but can be overridden via CLI flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`.
48 lines
1.1 KiB
Protocol Buffer
48 lines
1.1 KiB
Protocol Buffer
syntax = "proto3";
|
|
package cert;
|
|
|
|
option go_package = "github.com/slackhq/nebula/cert";
|
|
|
|
//import "google/protobuf/timestamp.proto";
|
|
|
|
message RawNebulaCertificate {
|
|
RawNebulaCertificateDetails Details = 1;
|
|
bytes Signature = 2;
|
|
}
|
|
|
|
message RawNebulaCertificateDetails {
|
|
string Name = 1;
|
|
|
|
// Ips and Subnets are in big endian 32 bit pairs, 1st the ip, 2nd the mask
|
|
repeated uint32 Ips = 2;
|
|
repeated uint32 Subnets = 3;
|
|
|
|
repeated string Groups = 4;
|
|
int64 NotBefore = 5;
|
|
int64 NotAfter = 6;
|
|
bytes PublicKey = 7;
|
|
|
|
bool IsCA = 8;
|
|
|
|
// sha-256 of the issuer certificate, if this field is blank the cert is self-signed
|
|
bytes Issuer = 9;
|
|
}
|
|
|
|
message RawNebulaEncryptedData {
|
|
RawNebulaEncryptionMetadata EncryptionMetadata = 1;
|
|
bytes Ciphertext = 2;
|
|
}
|
|
|
|
message RawNebulaEncryptionMetadata {
|
|
string EncryptionAlgorithm = 1;
|
|
RawNebulaArgon2Parameters Argon2Parameters = 2;
|
|
}
|
|
|
|
message RawNebulaArgon2Parameters {
|
|
int32 version = 1; // rune in Go
|
|
uint32 memory = 2;
|
|
uint32 parallelism = 4; // uint8 in Go
|
|
uint32 iterations = 3;
|
|
bytes salt = 5;
|
|
}
|