mirrors
/
tailscale
mirror of https://github.com/tailscale/tailscale.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
tailscale/tka
History
Anton Tolchanov 01847e0123 ipn/ipnlocal: discard node keys that have been rotated out 
A non-signing node can be allowed to re-sign its new node keys following
key renewal/rotation (e.g. via `tailscale up --force-reauth`). To be
able to do this, node's TLK is written into WrappingPubkey field of the
initial SigDirect signature, signed by a signing node.

The intended use of this field implies that, for each WrappingPubkey, we
typically expect to have at most one active node with a signature
tracing back to that key. Multiple valid signatures referring to the
same WrappingPubkey can occur if a client's state has been cloned, but
it's something we explicitly discourage and don't support:
https://tailscale.com/s/clone

This change propagates rotation details (wrapping public key, a list
of previous node keys that have been rotated out) to netmap processing,
and adds tracking of obsolete node keys that, when found, will get
filtered out.

Updates tailscale/corp#19764

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
 		2024-06-03 10:56:09 +01:00
..
aum.go all: use new AppendEncode methods available in Go 1.22 (#11079) 2024-02-08 17:55:03 -08:00
aum_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
builder.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
builder_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
chaintest_test.go all: use Go 1.22 range-over-int 2024-04-16 15:32:38 -07:00
deeplink.go tka: add function for generating signing deeplinks (#8385) 2023-06-20 09:36:37 -07:00
deeplink_test.go tka: add function for generating signing deeplinks (#8385) 2023-06-20 09:36:37 -07:00
key.go tka: guard against key-length panics when verifying signatures 2023-07-19 15:33:01 -05:00
key_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
scenario_test.go all: cleanup unused code, part 1 (#10661) 2023-12-20 14:50:30 -08:00
sig.go ipn/ipnlocal: discard node keys that have been rotated out 2024-06-03 10:56:09 +01:00
sig_test.go ipn/ipnlocal: discard node keys that have been rotated out 2024-06-03 10:56:09 +01:00
state.go tka: clarify field comment 2023-11-27 18:35:33 -05:00
state_test.go various: add golangci-lint, fix issues (#7905) 2023-04-17 18:38:24 -04:00
sync.go all: use Go 1.22 range-over-int 2024-04-16 15:32:38 -07:00
sync_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
tailchonk.go all: use Go 1.22 range-over-int 2024-04-16 15:32:38 -07:00
tailchonk_test.go tka: fix go vet complaint on copy of lock value in tailchonk_test.go (#8208) 2023-05-25 13:34:13 -07:00
tka.go ipn/ipnlocal: discard node keys that have been rotated out 2024-06-03 10:56:09 +01:00
tka_test.go all: implement lock revoke-keys command 2023-08-01 15:37:55 -05:00