metropolis: reduce usage of identity.NodeID
Eventually, we want to be able to rotate node keypairs. To allow this,
the node ID needs to become independent of the public key. This change
is a refactoring which starts this work by reducing the usage of
identity.NodeID, the function which derives a node ID from a public key.
Change-Id: I5231ed0a7be37c23327fec93481b00c74374af07
Reviewed-on: https://review.monogon.dev/c/monogon/+/3445
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/core/identity/certificates.go b/metropolis/node/core/identity/certificates.go
index fca55b7..7735ae6 100644
--- a/metropolis/node/core/identity/certificates.go
+++ b/metropolis/node/core/identity/certificates.go
@@ -22,10 +22,10 @@
}
// NodeCertificate makes a Metropolis-compatible node certificate template.
-func NodeCertificate(pubkey ed25519.PublicKey) x509.Certificate {
+func NodeCertificate(nodeID string) x509.Certificate {
return x509.Certificate{
Subject: pkix.Name{
- CommonName: NodeID(pubkey),
+ CommonName: nodeID,
},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{
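Review bot: The new signature on the `func NodeCertificate(nodeID string)` line moves the key/ID binding out of this function without saying so: the template used to guarantee that CommonName was `NodeID(pubkey)`, and it now writes whatever string the caller passes, with no check that it is non-empty or corresponds to the key the certificate will be issued for. Callers that pass a mismatched ID will mint a CA-signed certificate that `VerifyNodeInCluster` later rejects, since that function still recomputes the expected ID from the certificate's public key. Until IDs are decoupled from keys, the contract should be stated on the doc comment, e.g. `// NodeCertificate makes a Metropolis-compatible node certificate template for the node identified by nodeID. The caller must pass the ID that VerifyNodeInCluster will derive from the certificate's public key (currently NodeID(pubkey)); this function does not validate nodeID.` The body of NodeCertificate continues past the end of this hunk.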
@@ -39,7 +39,7 @@
// certificate for ease of use within Metropolis, where the local DNS setup
// allows each node's IP address to be resolvable through the Node's ID.
DNSNames: []string{
- NodeID(pubkey),
+ nodeID,
},
}
}
@@ -123,12 +123,12 @@
// VerifyNodeInCluster ensures that a given certificate is a Metropolis node
// certificate emitted by a given Metropolis CA.
//
-// The node's public key is returned if verification is successful, and error is
+// The node's ID is returned if verification is successful, and error is
// returned otherwise.
-func VerifyNodeInCluster(node, ca *x509.Certificate) (ed25519.PublicKey, error) {
+func VerifyNodeInCluster(node, ca *x509.Certificate) (string, error) {
pk, err := VerifyInCluster(node, ca)
if err != nil {
- return nil, err
+ return "", err
}
// Ensure certificate has ServerAuth bit, thereby marking it as a node certificate.
@@ -140,14 +140,14 @@
}
}
if !found {
- return nil, fmt.Errorf("not a node certificate (missing ServerAuth key usage)")
+ return "", fmt.Errorf("not a node certificate (missing ServerAuth key usage)")
}
id := NodeID(pk)
// Ensure node ID is present in Subject.CommonName and at least one DNS name.
if node.Subject.CommonName != id {
- return nil, fmt.Errorf("node ID not found in CommonName")
+ return "", fmt.Errorf("node ID not found in CommonName")
}
found = false
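Review bot: `id := NodeID(pk)` is the one place in this function where the node ID is still derived from the public key, and it is what makes the CommonName comparison on the next line meaningful; the commit message says IDs will become independent of keys, but this hunk leaves no marker that this line is the remaining coupling. When that decoupling happens, the ID will have to be taken from the CA-authenticated `node.Subject.CommonName` (trusted only because `VerifyInCluster` already validated the chain) and checked for well-formedness rather than recomputed, otherwise a rotated key would fail verification for every existing node. A note would make the follow-up explicit: `// TODO: node IDs are still derived from the key; once they are independent, read the ID from the CA-signed Subject.CommonName and validate its format instead of recomputing it here.` The function body continues outside this hunk.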
@@ -158,10 +158,10 @@
}
}
if !found {
- return nil, fmt.Errorf("node ID not found in DNSNames")
+ return "", fmt.Errorf("node ID not found in DNSNames")
}
- return pk, nil
+ return id, nil
}
// VerifyUserInCluster ensures that a given certificate is a Metropolis user