{"id":19965546,"url":"https://github.com/tencent/edgeone-keyless-server","last_synced_at":"2026-01-10T17:02:19.831Z","repository":{"id":258136186,"uuid":"872758865","full_name":"Tencent/edgeone-keyless-server","owner":"Tencent","description":"It is used for the keyless feature in EdgeOne.","archived":false,"fork":false,"pushed_at":"2024-10-16T08:52:14.000Z","size":69,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-10-17T20:04:52.498Z","etag":null,"topics":["edgeone","keyless"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Tencent.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-15T02:55:30.000Z","updated_at":"2024-10-17T01:44:49.000Z","dependencies_parsed_at":"2024-10-17T20:04:55.910Z","dependency_job_id":"4e264df2-e27c-4300-aad0-089e5fcfbf14","html_url":"https://github.com/Tencent/edgeone-keyless-server","commit_stats":null,"previous_names":["tencent/edgeone-keyless-server"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tencent%2Fedgeone-keyless-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tencent%2Fedgeone-keyless-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tencent%2Fedgeone-keyless-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tencent%2Fedgeone-keyless-server/manifests","ow
ner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Tencent","download_url":"https://codeload.github.com/Tencent/edgeone-keyless-server/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224377832,"owners_count":17301225,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["edgeone","keyless"],"created_at":"2024-11-13T02:29:27.053Z","updated_at":"2026-01-10T17:02:19.751Z","avatar_url":"https://github.com/Tencent.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"English | [中文](readme.zh_CN.md)\n# Edgeone Keyless Server\n\nA service developed based on the trpc-go framework that supports the independent deployment of private keys during the SSL handshake authentication process, ensuring higher security for private keys. It also supports the following features:\n```\n1. Supports mutual authentication (mutual authentication with handshake nodes)\n2. Supports multiple certificate types for mutual authentication (RSA, ECC)\n3. Supports hot loading of public and private key certificates (as public and private key certificates for establishing SSL handshake nodes)\n4. Supports remote authentication certificate types (RSA)\n5. Supports simple configuration management services, such as certificates, IPs, ports, logs, etc.\n6. 
Supports viewing current actual access performance parameters (QPS, counts, average response time, etc.)\n```\n\n## Quick Start\n\n### Prerequisites\n\n- **[Go](https://go.dev/doc/install)**, version should be greater than or equal to go1.20.\n- **[tRPC cmdline tools](https://github.com/trpc-group/trpc-cmdline)**, used for generating PB (protobuf) protocol code.\n- **[trpc-go](https://github.com/trpc-group/trpc-go)**, version v1.0.3.\n- **[OpenSSL](https://github.com/openssl/openssl?tab=readme-ov-file#build-and-install)**, requires related libraries `openssl-static`(1:1.1.1k-12.tl3.1), `openssl-devel`(1:1.1.1k-12.tl3.1), and `zlib-devel`(1.2.11-25.tl3 ).\n    ```bash\n    # On CentOS:\n    sudo yum install openssl-static -y\n    sudo yum install openssl-devel -y\n    sudo yum install zlib-devel -y\n    ```\n    ```\n    # On Debian-based Linux:\n    sudo apt-get install openssl-static\n    sudo apt-get install openssl-devel \n    sudo apt-get install zlib-devel\n    ```\n\n### Installation\n\nYou can run the server by compiling the source code. 
An RPM package will be provided later for direct installation.\n\n## Get the Source Code\n```\ngit clone https://github.com/tencent/edgeone-keyless-server.git\ncd edgeone-keyless-server\n```\n### Directory Structure\n```\nedgeone-keyless-server\n├── application\n├── config              // Configuration file directory\n│   └── keyless.yaml    // Configuration file\n├── domain              // Domain layer\n│   ├── entity          // Entity layer\n│   │   ├── cipher_suites.go    // Key suites\n│   │   ├── common.go\n│   │   ├── config.go\n│   │   ├── ecc.go\n│   │   ├── load_cert_info.go   // Load certificate information\n│   │   ├── metric.go           // QPS and other metrics statistics\n│   │   ├── rsa.go              // RSA algorithm\n│   │   └── rwlock.go           // Read-write lock\n│   ├── repository              // Data access layer\n│   │   ├── key_agreement.go    // Define data encryption, decryption, signature, etc.\n│   │   └── keyless.go          // Define data access layer\n│   └── service                 // Service layer\n│       ├── keyless.go          // Define service layer (define request certificate encryption, decryption, signature; reload certificate and other services;)\n│       └── load_cert.go        // Load certificate\n├── go.mod\n├── go.sum\n├── infrastructure              // Infrastructure layer\n│   ├── config\n│   ├── constant                // Constants\n│   │   ├── const.go\n│   │   ├── error.go            // Error information\n│   │   └── response.go         // Error codes\n│   ├── db\n│   ├── log\n│   ├── middleware\n│   ├── protocol                // Protocol layer\n│   │   ├── keyless             // Define protocol layer\n│   │   │   ├── keyless_server.pb.go\n│   │   │   ├── keyless_server.trpc.go\n│   │   │   └── mock\n│   │   │       └── keyless_server_mock.go\n│   │   └── pb\n│   │       ├── keyless.go            // Generate protocol\n│   │       └── keyless_server.proto  // Define protocol layer\n│   └── utils                  
  // Utility layer\n│       ├── system.go            // System common functions\n│       ├── system_test.go\n│       ├── time.go              // Time common functions\n│       └── time_test.go\n├── log             // Log directory\n├── main.go         // Server entry\n├── mutual_ssl      // Mutual authentication certificate directory\n├── presentation\n│   └── api\n├── readme.md\n├── readme.zh_CN.md\n├── ssl             // SSL certificate directory\n├── testdata\n└── trpc_go.yaml    // trpc-go configuration\n```\n\n### Execution Example\n\n1. Compile and run the server code; related configurations have been completed in `trpc_go.yaml`.\n```\ngo build -o keyless main.go\nchmod a+x keyless\n./keyless\n```\n\n2. Explanation of `trpc_go.yaml` configuration:\n```\nserver:  # Server configuration\n  service:  # Specific business service configuration\n    - name: trpc.app.server.keylessHTTP # Local access (optional), convenient for locally reloading edge authentication certificates (non-mutual authentication certificates)\n      protocol: http  # Application layer protocol trpc http\n      ip: 127.0.0.1\n      port: 8080\n    - name: trpc.app.server.keylessHTTPSMutual\n      timeout: 10000  # Unit ms, each received request is allowed a maximum execution time of 1000ms, so be careful to balance the timeout allocation for all serial RPC calls within the current request, default is 0, no timeout set\n      protocol: http  # Application layer protocol trpc http\n      ip: x.x.x.x  # Bind the external service IP\n      port: 443  # Default SSL port\n      tls_cert: \"/your_keyless_path/mutual_ssl/yourcert.crt\"  # Public key\n      tls_key: \"/your_keyless_path/mutual_ssl/yourprivatecert.key\"  # Private key\n      ca_cert: \"/your_keyless_path/mutual_ssl/yourca.pem\"  # CA certificate, must be configured if mutual authentication is required\nplugins:\n  log:  # All log configurations\n    default:  # Default log configuration, log.Debug(\"xxx\")\n      - writer: console  # 
Console standard output default\n        level: debug  # Standard output log level\n    custom:  # Default log configuration, log.Debug(\"xxx\")\n      - writer: console  # Console standard output default\n        level: debug  # Standard output log level\n      - writer: file  # Local file log\n        level: debug  # Local file rolling log level\n        formatter: json  # Standard output log format\n        formatter_config:\n          time_fmt: 2006-01-02 15:04:05  # Log time format. \"2006-01-02 15:04:05\" is the conventional time format, \"seconds\" is second-level timestamp, \"milliseconds\" is millisecond-level timestamp, \"nanoseconds\" is nanosecond-level timestamp\n          time_key: Time  # Log time field name, not filled defaults to \"T\", fill \"none\" to disable this field\n          level_key: Level  # Log level field name, not filled defaults to \"L\", fill \"none\" to disable this field\n          name_key: Name  # Log name field name, not filled defaults to \"N\", fill \"none\" to disable this field\n          caller_key: Caller  # Log caller field name, not filled defaults to \"C\", fill \"none\" to disable this field\n          message_key: Message  # Log message body field name, not filled defaults to \"M\", fill \"none\" to disable this field\n          stacktrace_key: StackTrace  # Log stack trace field name, not filled defaults to \"S\", fill \"none\" to disable this field\n        writer_config:\n          log_path: ./log/\n          filename: keyless.log  # Local file rolling log storage path\n          write_mode: 1  # Log writing mode, 1-synchronous, 2-asynchronous, 3-ultra-fast (asynchronous discard), defaults to asynchronous mode\n          roll_type: size  # File rolling type, size for rolling by size\n          max_age: 360  # Maximum log retention days\n          max_backups: 3  # Maximum number of log files\n          compress: true  # Whether to compress log files\n          max_size: 100  # Local file rolling log size in 
MB\n```\n\n3. Explanation of project configuration (`keyless.yaml`):\n```yaml\nprivate_key_path: /ssl # Directory for business authentication (edge node authentication) certificates, including public and private keys\nmutual_certs_path: /mutual_ssl # Directory for certificates for mutual authentication with forwarding nodes, including public and private keys, root certificate (optional)\nprefer_server_cipher_suites: true # Based on server certificate algorithm (currently not used)\nlog_path: /log # Log path\n```\n\n### Testing\n#### Verify Mutual Authentication Using curl Command\nUse the `curl` command to test directly. Note that the request body must be valid JSON; otherwise, it cannot be processed correctly.\n\n```bash\ncurl --resolve your.site.com:443:127.1.1.1 \\\n   https://your.site.com/KeylessRequest \\\n   -d '{ \"Type\": 1, \"CertType\": 11, \"CertSn\":  \"your_cert_sn\", \"CertIssuer\":  \"your_cert_issuer\", \"Data\":  \"base64\", \"SignType\": 1, \"Padding\": 1, \"Seq\": \"123\" }' \\\n   -H \"Content-Type: application/json\" -v \\\n   --cacert yourcacert.crt --cert yourcert.crt --key yourprivate.key\n```\n#### Test Dynamic Update of Edge Handshake Certificate\n* Both the updated public key certificate and the updated private key must be uploaded to the ./ssl directory.\n* Then call the certificate hot-reload endpoint from the local machine. It is served by the trpc.app.server.keylessHTTP service, which is bound to 127.0.0.1 (port 8080 in `trpc_go.yaml`) so that it cannot be reached from the external network.\n```bash\ncurl -v http://127.0.0.1:8080/KeylessReloadCerts\n```\n## Deployment\n\nThe following files must be included and placed in a separate directory:\n* keyless (executable file)\n* log\n* mutual_ssl\n* ssl\n* config\n* trpc_go.yaml\n\n## License\n\nThis project is licensed under the MIT License - for more details, please see the LICENSE file.\n\n## Contribution\nIf you have any ideas or suggestions to improve Edgeone Keyless Server, you are welcome to submit an issue or pull request.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftencent%2Fedgeone-keyless-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftencent%2Fedgeone-keyless-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftencent%2Fedgeone-keyless-server/lists"}