Certificate signing explanation

Hello, I would like to know whether I understood the Storj authorization algorithm correctly.

When I attempt to create a new node using the command ‘identity create storagenode’, the node generates a new certificate. The following code executes:

  1. cmd/identity/main.go | cmd/identity/certificate_authority.go -> cmdNewCA -> newCACfg.CA.Create(ctx, os.Stdout) -> common-main/identity/certificate_authority.go Create(*) -> NewCA(*) (-> GenerateKeys(*) -> GenerateKey(*)) and peertls.CreateSelfSignedCertificate(selectedKey, ct) -> CreateCertificate(*) -> CertsFromDER(*)

When I attempt to authorize the storj identity via “identity authorize storagenode email:characterstring”, the node sends the request to the auth service (certs.alpha.storj.io:8888) via drpc. The following code executes:

  1. storj-main/cmd/identity/main.go main() -> cmdAuthorize -> certificateclient.New(*) -> client.Sign(*) -> client.client.Sign(*) -> c.cc.Invoke(*).

The auth service waits for signing requests and signs the certificate. The auth service uses only one generated certificate to sign every signing request. The following code executes:

  1. cmd/certificate/main.go main() -> runCmd -> certificate.New(*) -> (NewEndpoint(*)) and certificatepb.DRPCRegisterCertificates(*) ???-> certificate/endpoint/sign(*)
  2. cmd/certificate/sign.go -> common-main/identity/certificate_authority.go cmdSign -> signer.Sign(ca.Cert) -> peertls.CreateCertificate(cert.PublicKey, ca.Key, cert, ca.Cert) -> pkcrypto.CertFromDER(cb)
I have started to make the diagram and it looks like this:


I can’t figure out what the purpose of the token is (email:token). It seems like it is only used for the account in the database.

It’s used to sign your identity (ca.cert and identity.cert to be precise).
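To make the flow traced in the question and the reply concrete, here is an added example that is not Storj's code: it models the two steps with Go's standard crypto/x509 in place of peertls/pkcrypto, and the function names (caTemplate, mustCert, newSelfSignedCA, authorize, chainsTo) are my own. The email:token check that the auth service performs before signing is outside the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// caTemplate builds the CA-style template both the node and the authority use.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}
// mustCert signs tmpl with the parent's key and parses the DER back (the stdlib
// stand-in for peertls.CreateCertificate followed by pkcrypto.CertFromDER).
func mustCert(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// newSelfSignedCA mirrors "identity create": a fresh key plus a self-signed ca.cert.
func newSelfSignedCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := caTemplate(name, serial)
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}
// authorize mirrors signer.Sign(ca.Cert): the authority re-issues the node's CA
// certificate (same subject, same public key) under the authority's single key.
func authorize(nodeCA, authCA *x509.Certificate, authKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := caTemplate(nodeCA.Subject.CommonName, 1000) // constructed serial
	return mustCert(tmpl, authCA, nodeCA.PublicKey, authKey)
}
// chainsTo reports whether cert verifies against root, i.e. whether the identity
// carries the authority's signature rather than only its own.
func chainsTo(cert, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

The node's private key never leaves the node; only its public key is re-wrapped in a certificate that now chains to the authority.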
