Removed ca from credential signatures.

examples/python/getting-started/main.py

@@ -30,17 +30,12 @@ def create_seed() -> bytes:
     # ---8<--- [end: create_seed]
     return seed
 
-
-def nobody_with_identity(developer_cert: bytes, developer_key: bytes) -> Credentials:
-    ca = Path("ca.pem").open(mode="rb").read()
-    return Credentials.nobody_with(developer_cert, developer_key, ca)
-
 def register_node(seed: bytes, developer_cert_path: str, developer_key_path: str) -> None:
     # ---8<--- [start: dev_creds]
     developer_cert = Path(developer_cert_path).open(mode="rb").read()
     developer_key = Path(developer_key_path).open(mode="rb").read()
 
-    developer_creds = nobody_with_identity(developer_cert, developer_key)
+    developer_creds = Credentials.nobody_with(developer_cert, developer_key)
     # ---8<--- [end: dev_creds]
 
     # ---8<--- [start: init_signer]
@@ -100,7 +95,7 @@ def recover_node(developer_cert: bytes, developer_key: bytes) -> None:
     # ---8<--- [start: recover_node]
     seed = read_file("seed")
     network = "bitcoin"
-    signer_creds = nobody_with_identity(developer_cert, developer_key)
+    signer_creds = Credentials.nobody_with(developer_cert, developer_key)
     signer = Signer(seed, network, signer_creds)
 
     scheduler = Scheduler(

libs/gl-client-py/glclient/glclient.pyi

@@ -20,16 +20,17 @@ class TlsConfig:
 class Credentials:
     def __init__(self) -> None: ...
     @staticmethod
-    def nobody_with(cert: bytes, key: bytes, ca: bytes) -> Credentials: ...
+    def nobody_with(cert: bytes, key: bytes) -> Credentials: ...
     @staticmethod
     def from_bytes(data: bytes) -> Credentials: ...
     @staticmethod
     def from_path(path: str) -> Credentials: ...
     @staticmethod
-    def from_parts(cert: bytes, key: bytes, ca: bytes, rune: str) -> Credentials: ...
+    def from_parts(cert: bytes, key: bytes, rune: str) -> Credentials: ...
     def node_id(self) -> bytes: ...
     def upgrade(self, scheduler: Scheduler, signer: Signer) -> Credentials: ...
     def to_bytes(self) -> bytes: ...
+    def with_ca(self) -> Credentials: ...
 
 class SignerHandle:
     def shutdown(self) -> None: ...

libs/gl-client-py/src/credentials.rs

@@ -103,8 +103,8 @@ impl Credentials {
     }
 
     #[staticmethod]
-    pub fn nobody_with(cert: &[u8], key: &[u8], ca: &[u8]) -> Self {
-        let inner = UnifiedCredentials::Nobody(gl_client::credentials::Nobody::with(cert, key, ca));
+    pub fn nobody_with(cert: &[u8], key: &[u8]) -> Self {
+        let inner = UnifiedCredentials::Nobody(gl_client::credentials::Nobody::with(cert, key));
         log::debug!("Created NOBODY credentials");
         Self { inner }
     }
@@ -124,9 +124,9 @@ impl Credentials {
     }
 
     #[staticmethod]
-    pub fn from_parts(cert: &[u8], key: &[u8], ca: &[u8], rune: &str) -> Self {
+    pub fn from_parts(cert: &[u8], key: &[u8], rune: &str) -> Self {
         let inner =
-            UnifiedCredentials::Device(gl_client::credentials::Device::with(cert, key, ca, rune));
+            UnifiedCredentials::Device(gl_client::credentials::Device::with(cert, key, rune));
         Self { inner }
     }
 
@@ -170,6 +170,21 @@ impl Credentials {
     pub fn node_id(&self) -> Result<Vec<u8>> {
         Ok(self.inner.node_id()?)
     }
+
+    pub fn with_ca(&self, ca: &[u8]) -> Self {
+        match &self.inner {
+            UnifiedCredentials::Nobody(creds) => {
+                let n = creds.clone().with_ca(ca);
+                let inner = UnifiedCredentials::Nobody(n);
+                Self { inner }
+            }
+            UnifiedCredentials::Device(creds) => {
+                let d = creds.clone().with_ca(ca);
+                let inner = UnifiedCredentials::Device(d);
+                Self { inner }
+            },
+        }
+    }
 }
 
 type Result<T, E = ErrorWrapper> = std::result::Result<T, E>;

libs/gl-client-py/tests/fixtures.py

@@ -7,8 +7,8 @@
 def creds(nobody_id):
     """Nobody credentials for the tests."""
     creds = Credentials.nobody_with(
-        nobody_id.cert_chain, nobody_id.private_key, nobody_id.caroot
-    )
+        nobody_id.cert_chain, nobody_id.private_key
+    ).with_ca(nobody_id.caroot)
     return creds
 
 

libs/gl-client/src/credentials.rs

@@ -89,14 +89,27 @@ impl Nobody {
     }
 
     /// Returns a new Nobody instance with a custom set of parameters.
-    pub fn with<V>(cert: V, key: V, ca: V) -> Self
+    pub fn with<V>(cert: V, key: V) -> Self
     where
         V: Into<Vec<u8>>,
     {
+        let ca =
+            load_file_or_default("GL_CA_CRT", CA_RAW).expect("Could not load file from GL_CA_CRT");
+
         Self {
             cert: cert.into(),
             key: key.into(),
+            ca,
+        }
+    }
+
+    pub fn with_ca<V>(self, ca: V) -> Self
+    where
+        V: Into<Vec<u8>>,
+    {
+        Nobody {
             ca: ca.into(),
+            ..self
         }
     }
 }
@@ -167,17 +180,30 @@ impl Device {
 
     /// Creates a new set of `Device` credentials from a complete set of
     /// credentials.
-    pub fn with<V, S>(cert: V, key: V, ca: V, rune: S) -> Self
+    pub fn with<V, S>(cert: V, key: V, rune: S) -> Self
     where
         V: Into<Vec<u8>>,
         S: Into<String>,
     {
+        let ca =
+            load_file_or_default("GL_CA_CRT", CA_RAW).expect("Could not load file from GL_CA_CRT");
+
         Self {
             version: CRED_VERSION,
             cert: cert.into(),
             key: key.into(),
-            ca: ca.into(),
             rune: rune.into(),
+            ca
+        }
+    }
+
+    pub fn with_ca<V>(self, ca: V) -> Self 
+    where
+        V: Into<Vec<u8>>,
+    {
+        Device {
+            ca: ca.into(),
+            ..self
         }
     }
 

libs/gl-client/src/scheduler.rs

@@ -218,7 +218,6 @@ impl<Creds> Scheduler<Creds> {
         let creds = credentials::Device::with(
             res.device_cert.clone().into_bytes(),
             res.device_key.clone().into_bytes(),
-            self.ca.clone(),
             res.rune.clone(),
         );
         res.creds = creds.to_bytes();
@@ -315,7 +314,6 @@ impl<Creds> Scheduler<Creds> {
         let creds = credentials::Device::with(
             res.device_cert.clone().into_bytes(),
             res.device_key.clone().into_bytes(),
-            self.ca.clone(),
             res.rune.clone(),
         );
         res.creds = creds.to_bytes();

libs/gl-testing/gltesting/clients.py

@@ -94,7 +94,6 @@ def creds(self) -> glclient.Credentials:
             creds = glclient.Credentials.nobody_with(
                 certpath.open(mode="rb").read(),
                 keypath.open(mode="rb").read(),
-                capath.open(mode="rb").read(),
             )
             return creds
 

tools/glcli/glcli/cli.py

@@ -36,20 +36,18 @@ def __init__(self) -> "Creds":
         # legacy paths used by TlsConfig
         cert_path = Path("device.crt")
         key_path = Path("device-key.pem")
-        ca_path = Path("ca.pem")
-        have_certs = cert_path.exists() and key_path.exists() and ca_path.exists()
+        have_certs = cert_path.exists() and key_path.exists()
         if creds_path.exists():
             self.creds = Credentials.from_path(str(creds_path))
             logger.info("Configuring client with device credentials")
         elif have_certs:
             logger.info("Configuring client with device credentials (legacy)")
             device_cert = open(str(cert_path), "rb").read()
             device_key = open(str(key_path), "rb").read()
-            ca = open(str(ca_path), "rb").read()
             rune = ""
             if Path("rune").exists():
                 rune = open("rune", "r").read()
-            self.creds = Credentials.from_parts(device_cert, device_key, ca, rune)
+            self.creds = Credentials.from_parts(device_cert, device_key, rune)
         else:
             logger.info("Configuring client with NOBODY credentials.")