void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-05 03:53:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use Base32 everywhere for blobs to be consistent with core.

Browse source
This commit is contained in:
Adam Ierymenko 2020-10-23 18:10:25 -04:00
parent bd96e53bcc
commit 387d293793
No known key found for this signature in database
GPG key ID: C8877CF2D7A5D7F3
8 changed files with 164 additions and 82 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
cmd/zerotier/cli/cert.go
View file

@ -20,6 +20,13 @@ import (
"zerotier/pkg/zerotier" "zerotier/pkg/zerotier"
) )
func interactiveMakeSubject() *zerotier.CertificateSubject {
s := new(zerotier.CertificateSubject)
return s
}
func Cert(basePath string, authTokenGenerator func() string, args []string, jsonOutput bool) int { func Cert(basePath string, authTokenGenerator func() string, args []string, jsonOutput bool) int {
if len(args) < 1 { if len(args) < 1 {
Help() Help()

125
cmd/zerotier/cli/help.go
View file

@ -34,80 +34,81 @@ Global Options:
Common Operations: Common Operations:
help Show this help help Show this help
version Print version version Print version
now [duration] Print current time [-]#[ms|s|m|h]
· status Show node status and configuration · status Show node status and configuration
· set [option] [value] - Get or set node configuration · set [option] [value] List all settings (with no args)
port <port> Primary P2P port · port <port> Primary P2P port
secondaryport <port/0> Secondary P2P port (0 to disable) · secondaryport <port/0> Secondary P2P port (0 to disable)
blacklist cidr <IP/bits> <boolean> Toggle physical path blacklisting · blacklist cidr <IP/bits> <boolean> Toggle physical path blacklisting
blacklist if <prefix> <boolean> Toggle interface prefix blacklisting · blacklist if <prefix> <boolean> Toggle interface prefix blacklisting
portmap <boolean> Toggle use of uPnP or NAT-PMP · portmap <boolean> Toggle use of uPnP or NAT-PMP
· peer [address] [command] [option] - Peer management commands · peer [address] [command] [option] Peer management commands
list List peers · list List peers
listroots List root peers · listroots List root peers
show Show peer details · show Show peer details
try <endpoint> [...] Try peer at explicit endpoint · try <endpoint> [...] Try peer at explicit endpoint
· network list List VL2 networks · network list List VL2 networks
· network <network> [command] [option] - Network management commands · network <network> [command] [option]
show Show network details (default) · show Show network details (default)
set [option] [value] - Get or set network options · set [option] [value] Get or set network options
manageips <boolean> Is IP management allowed? · manageips <boolean> Is IP management allowed?
manageroutes <boolean> Is route management allowed? · manageroutes <boolean> Is route management allowed?
globalips <boolean> Allow assignment of global IPs? · globalips <boolean> Allow assignment of global IPs?
globalroutes <boolean> Can global IP space routes be set? · globalroutes <boolean> Can global IP space routes be set?
defaultroute <boolean> Can default route be overridden? · defaultroute <boolean> Can default route be overridden?
· join [-options] <network> Join a virtual network · join [-options] <network> Join a virtual network
-a <token> Token to submit to controller -a <token> Token to submit to controller
-c <identity | fingerprint> Controller identity or fingerprint -c <identity | fingerprint> Controller identity or fingerprint
· leave <network> Leave a virtual network · leave <network> Leave a virtual network
Advanced Operations: Advanced Operations:
service Start node (seldom used from CLI) service Start this node (runs until stopped)
now [duration] Print current time [-]#[ms|s|m|h]
· controller <command> [option] - Local controller management commands controller <command> [option]
· list List networks run by local controller · list List networks on controller
· new Create a new network · new Create a new network
· set <network> [setting] [value] Show or modify network settings · set <network> [setting] [value] Show or modify network settings
· members <network> List members of a network · members <network> List members of a network
· member <network> [setting] [value] Show or modify member level settings · member <network> [setting] [value] Show or modify member level settings
· auth <address> Authorize a peer · auth <address> Authorize a peer
· deauth <address> Deauthorize a peer · deauth <address> Deauthorize a peer
identity <command> [args] - Identity management identity <command> [args]
new [c25519 | p384] Create identity (default: c25519) new [c25519 | p384] Create identity (default: c25519)
getpublic <identity> Extract only public part of identity getpublic <identity> Extract only public part of identity
fingerprint <identity> Get an identity's fingerprint fingerprint <identity> Get an identity's fingerprint
validate <identity> Locally validate an identity validate <identity> Locally validate an identity
sign <identity> <file> Sign a file with an identity's key sign <identity> <file> Sign a file with an identity's key
verify <identity> <file> <sig> Verify a signature verify <identity> <file> <sig> Verify a signature
locator <command> [args] - Locator management locator <command> [args]
new <identity> <endpoint> [...] Create new signed locator new <identity> <endpoint> [...] Create new signed locator
verify <identity> <locator> Verify locator signature verify <identity> <locator> Verify locator signature
show <locator> Show contents of a locator show <locator> Show contents of a locator
cert <command> [args] - Certificate management cert <command> [args]
· list List certificates in local node store · list List certificates at local node
· show <serial> List or show details of a certificate · show <serial> Show certificate details
newsid <secret out> Create a new subject unique ID newsubject <subject out> Interactive subject creation
newcsr <subject> <secret> <csr out> Create a subject CSR newsid <secret out> Create a new subject unique ID
sign <csr> <identity> <cert out> Sign a CSR to create a certificate newcsr <subject|-> <secret> <csr out> Create a subject CSR
verify <cert> Verify certificate (not entire chain) sign <csr> <identity> <cert out> Sign a CSR to create a certificate
dump <cert> Verify and print certificate verify <cert> Verify certificate (not chain)
· import <cert> [trust,[trust]] Import certificate into this node dump <cert> Verify and print certificate
trust flag: rootca Certificate is a root CA · import <cert> [trust,[trust]] Import certificate into this node
trust flag: ztrootset ZeroTier root node set trust flag: rootca Certificate is a root CA
· restore Re-import default certificates trust flag: ztrootset ZeroTier root node set
· export <serial> [path] Export a certificate from this node · restore Re-import default certificates
· delete <serial|ALL> Delete certificate from this node · export <serial> [path] Export a certificate from this node
· delete <serial|ALL> Delete certificate from this node
· Command requires a running node and access to a local API token. · Command requires a running node and access to a local API token.

39
cmd/zerotier/cli/misc.go
View file

@ -14,11 +14,13 @@
package cli package cli
import ( import (
"bufio"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"os" "os"
"strconv"
"strings" "strings"
"zerotier/pkg/zerotier" "zerotier/pkg/zerotier"
@ -235,3 +237,40 @@ func isValidNetworkID(a string) bool {
} }
return false return false
} }
func prompt(str string, dfl string) string {
if len(dfl) > 0 {
fmt.Printf("%s [%s]: ", str, dfl)
text, _ := bufio.NewReader(os.Stdin).ReadString('\n')
text = strings.TrimSpace(text)
if len(text) == 0 {
text = dfl
}
return text
}
fmt.Print(str)
text, _ := bufio.NewReader(os.Stdin).ReadString('\n')
return strings.TrimSpace(text)
}
func promptInt(str string, dfl int64) int64 {
s := prompt(str, "")
if len(s) > 0 {
i, err := strconv.ParseInt(s, 10, 64)
if err == nil {
return i
}
}
return dfl
}
func promptFile(str string) []byte {
s := prompt(str, "")
if len(s) > 0 {
b, err := ioutil.ReadFile(s)
if err == nil {
return b
}
}
return nil
}

38
pkg/zerotier/base32blob.go Normal file
View file

@ -0,0 +1,38 @@
/*
* Copyright (C)2013-2020 ZeroTier, Inc.
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file in the project's root directory.
*
* Change Date: 2025-01-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2.0 of the Apache License.
*/
/****/
package zerotier
import (
"encoding/json"
"strings"
)
// Base32Blob is a byte array that JSON serializes to a Base32 string.
type Base32Blob []byte
// MarshalJSON returns this blob marshaled as a byte array or a string.
func (b *Base32Blob) MarshalJSON() ([]byte, error) {
return []byte("\""+Base32.EncodeToString(*b)+"\""), nil
}
// UnmarshalJSON unmarshals this blob from a JSON array or string.
func (b *Base32Blob) UnmarshalJSON(j []byte) error {
var b32 string
err := json.Unmarshal(j, &b32)
if err != nil {
return err
}
*b, err = Base32.DecodeString(strings.TrimSpace(b32))
return err
}

24
pkg/zerotier/certificate.go
View file

@ -18,7 +18,6 @@ package zerotier
import "C" import "C"
import ( import (
"encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
"unsafe" "unsafe"
@ -69,32 +68,32 @@ type CertificateSubject struct {
Timestamp int64 `json:"timestamp"` Timestamp int64 `json:"timestamp"`
Identities []CertificateIdentity `json:"identities,omitempty"` Identities []CertificateIdentity `json:"identities,omitempty"`
Networks []CertificateNetwork `json:"networks,omitempty"` Networks []CertificateNetwork `json:"networks,omitempty"`
Certificates [][]byte `json:"certificates,omitempty"` Certificates []Base32Blob `json:"certificates,omitempty"`
UpdateURLs []string `json:"updateURLs,omitempty"` UpdateURLs []string `json:"updateURLs,omitempty"`
Name CertificateName `json:"name"` Name CertificateName `json:"name"`
UniqueID []byte `json:"uniqueId,omitempty"` UniqueID Base32Blob `json:"uniqueId,omitempty"`
UniqueIDProofSignature []byte `json:"uniqueIdProofSignature,omitempty"` UniqueIDProofSignature Base32Blob `json:"uniqueIdProofSignature,omitempty"`
} }
// Certificate is a Go reflection of the C ZT_Certificate struct. // Certificate is a Go reflection of the C ZT_Certificate struct.
type Certificate struct { type Certificate struct {
SerialNo []byte `json:"serialNo,omitempty"` SerialNo Base32Blob `json:"serialNo,omitempty"`
Flags uint64 `json:"flags"` Flags uint64 `json:"flags"`
Timestamp int64 `json:"timestamp"` Timestamp int64 `json:"timestamp"`
Validity [2]int64 `json:"validity"` Validity [2]int64 `json:"validity"`
Subject CertificateSubject `json:"subject"` Subject CertificateSubject `json:"subject"`
Issuer *Identity `json:"issuer,omitempty"` Issuer *Identity `json:"issuer,omitempty"`
IssuerName CertificateName `json:"issuerName"` IssuerName CertificateName `json:"issuerName"`
ExtendedAttributes []byte `json:"extendedAttributes,omitempty"` ExtendedAttributes Base32Blob `json:"extendedAttributes,omitempty"`
MaxPathLength uint `json:"maxPathLength,omitempty"` MaxPathLength uint `json:"maxPathLength,omitempty"`
CRL [][]byte `json:"crl,omitempty"` CRL []Base32Blob `json:"crl,omitempty"`
Signature []byte `json:"signature,omitempty"` Signature Base32Blob `json:"signature,omitempty"`
} }
// CertificateSubjectUniqueIDSecret bundles a certificate subject unique ID and its secret key. // CertificateSubjectUniqueIDSecret bundles a certificate subject unique ID and its secret key.
type CertificateSubjectUniqueIDSecret struct { type CertificateSubjectUniqueIDSecret struct {
UniqueID []byte `json:"uniqueId,omitempty"` UniqueID Base32Blob `json:"uniqueId,omitempty"`
UniqueIDSecret []byte `json:"uniqueIdSecret,omitempty"` UniqueIDSecret Base32Blob `json:"uniqueIdSecret,omitempty"`
} }
// LocalCertificate combines a certificate with its local trust flags. // LocalCertificate combines a certificate with its local trust flags.
@ -495,11 +494,6 @@ func (c *Certificate) JSON() string {
return string(j) return string(j)
} }
// URLSerialNo returns the serial number encoded for use in /cert/### local API URLs.
func (c *Certificate) URLSerialNo() string {
return base64.URLEncoding.EncodeToString(c.SerialNo)
}
// NewCertificateSubjectUniqueId creates a new certificate subject unique ID and corresponding private key. // NewCertificateSubjectUniqueId creates a new certificate subject unique ID and corresponding private key.
// Right now only one type is supported: CertificateUniqueIdTypeNistP384 // Right now only one type is supported: CertificateUniqueIdTypeNistP384
func NewCertificateSubjectUniqueId(uniqueIdType int) (id []byte, priv []byte, err error) { func NewCertificateSubjectUniqueId(uniqueIdType int) (id []byte, priv []byte, err error) {

4
pkg/zerotier/fingerprint.go
View file

@ -51,7 +51,7 @@ func NewFingerprintFromString(fps string) (*Fingerprint, error) {
return nil, err return nil, err
} }
if len(ss) == 2 { if len(ss) == 2 {
h, err := Base32StdLowerCase.DecodeString(ss[1]) h, err := Base32.DecodeString(ss[1])
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -78,7 +78,7 @@ func newFingerprintFromCFingerprint(cfp *C.ZT_Fingerprint) *Fingerprint {
// String returns an address or a full address-hash depenting on whether a hash is present. // String returns an address or a full address-hash depenting on whether a hash is present.
func (fp *Fingerprint) String() string { func (fp *Fingerprint) String() string {
if len(fp.Hash) == FingerprintHashSize { if len(fp.Hash) == FingerprintHashSize {
return fmt.Sprintf("%.10x-%s", uint64(fp.Address), Base32StdLowerCase.EncodeToString(fp.Hash)) return fmt.Sprintf("%.10x-%s", uint64(fp.Address), Base32.EncodeToString(fp.Hash))
} }
return fp.Address.String() return fp.Address.String()
} }

7
pkg/zerotier/misc.go
View file

@ -32,8 +32,11 @@ const LogoChar = "⏁"
// pointerSize is the size of a pointer on this system // pointerSize is the size of a pointer on this system
const pointerSize = unsafe.Sizeof(uintptr(0)) const pointerSize = unsafe.Sizeof(uintptr(0))
// Base32StdLowerCase is a base32 encoder/decoder using a lower-case standard alphabet and no padding. // Base32Alphabet is the Base32 alphabet used in ZeroTier.
var Base32StdLowerCase = base32.NewEncoding("abcdefghijklmnopqrstuvwxyz234567").WithPadding(base32.NoPadding) const Base32Alphabet = "abcdefghijklmnopqrstuvwxyz234567"
// Base32 is an encoder using the ZeroTier base32 encoding.
var Base32 = base32.NewEncoding(Base32Alphabet)
// unassignedPrivilegedPorts are ports below 1024 that do not appear to be assigned by IANA. // unassignedPrivilegedPorts are ports below 1024 that do not appear to be assigned by IANA.
// The new 2.0+ ZeroTier default is 793, which we will eventually seek to have assigned. These // The new 2.0+ ZeroTier default is 793, which we will eventually seek to have assigned. These

2
pkg/zerotier/node.go
View file

@ -731,7 +731,7 @@ func (n *Node) makeStateObjectPath(objType int, id []uint64) (string, bool) {
fp = path.Join(n.basePath, "truststore") fp = path.Join(n.basePath, "truststore")
case C.ZT_STATE_OBJECT_CERT: case C.ZT_STATE_OBJECT_CERT:
_ = os.Mkdir(n.certsPath, 0755) _ = os.Mkdir(n.certsPath, 0755)
fp = path.Join(n.certsPath, Base32StdLowerCase.EncodeToString((*[48]byte)(unsafe.Pointer(&id[0]))[:])) fp = path.Join(n.certsPath, Base32.EncodeToString((*[48]byte)(unsafe.Pointer(&id[0]))[:]))
} }
return fp, secret return fp, secret
} }