client,cmd/tailscale,ipn,tka,types: implement tka initialization flow

This PR implements the client-side of initializing network-lock with the
Coordination server.

Signed-off-by: Tom DNetto <tom@tailscale.com>
Tom DNetto
2022-08-11 10:43:09 -07:00
committed by Tom
parent 18edd79421
commit facafd8819
18 changed files with 514 additions and 13 deletions
+1 -1
@@ -216,7 +216,7 @@ func (a *AUM) StaticValidate() error {
// We would implement encoding.BinaryMarshaler, except that would
// unfortunately get called by the cbor marshaller resulting in infinite
// recursion.
func (a *AUM) Serialize() []byte {
func (a *AUM) Serialize() tkatype.MarshaledAUM {
// Why CBOR and not something like JSON?
//
// The main function of an AUM is to carry signed data. Signatures are
+1 -1
@@ -158,7 +158,7 @@ func TestSerialization(t *testing.T) {
for _, tc := range tcs {
t.Run(tc.Name, func(t *testing.T) {
data := tc.AUM.Serialize()
data := []byte(tc.AUM.Serialize())
if diff := cmp.Diff(tc.Expect, data); diff != "" {
t.Errorf("serialization differs (-want, +got):\n%s", diff)
}
+1
@@ -12,6 +12,7 @@ import (
// Types implementing Signer can sign update messages.
type Signer interface {
// SignAUM returns signatures for the AUM encoded by the given AUMSigHash.
SignAUM(tkatype.AUMSigHash) ([]tkatype.Signature, error)
}
+3
@@ -91,6 +91,9 @@ func (k Key) StaticValidate() error {
if k.Votes > 4096 {
return fmt.Errorf("excessive key weight: %d > 4096", k.Votes)
}
if k.Votes == 0 {
return errors.New("key votes must be non-zero")
}
// We have an arbitrary upper limit on the amount
// of metadata that can be associated with a key, so
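Review bot: The `if k.Votes == 0` rejection in Key.StaticValidate (which I take to be the three added lines, going by the +3 count) carries no comment saying why a weightless key is invalid, while the metadata limit right below it does explain itself. A one-line rationale above the check would help, for example `// Reject zero-weight keys: a key must carry at least one vote to be meaningful (confirm the invariant).` Nothing in this section shows a test case for the new branch, so a `Votes: 0` entry in the StaticValidate tests would pin it. If any previously stored or received key state can contain `Votes == 0`, it will now fail validation, so that is worth confirming before this lands. StaticValidate's body starts and ends outside the hunk.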
+3 -3
@@ -55,13 +55,13 @@ type NodeKeySignature struct {
Signature []byte `cbor:"4,keyasint,omitempty"`
}
// sigHash returns the cryptographic digest which a signature
// SigHash returns the cryptographic digest which a signature
// is over.
//
// This is a hash of the serialized structure, sans the signature.
// Without this exclusion, the hash used for the signature
// would be circularly dependent on the signature.
func (s NodeKeySignature) sigHash() [blake2s.Size]byte {
func (s NodeKeySignature) SigHash() [blake2s.Size]byte {
dupe := s
dupe.Signature = nil
return blake2s.Sum256(dupe.Serialize())
@@ -100,7 +100,7 @@ func (s *NodeKeySignature) Unserialize(data []byte) error {
// verifySignature checks that the NodeKeySignature is authentic and certified
// by the given verificationKey.
func (s *NodeKeySignature) verifySignature(verificationKey Key) error {
sigHash := s.sigHash()
sigHash := s.SigHash()
switch verificationKey.Kind {
case Key25519:
if ed25519consensus.Verify(ed25519.PublicKey(verificationKey.Public), sigHash[:], s.Signature) {
+4 -4
@@ -23,11 +23,11 @@ func TestSigDirect(t *testing.T) {
KeyID: key.ID(),
Pubkey: nodeKeyPub,
}
sigHash := sig.sigHash()
sigHash := sig.SigHash()
sig.Signature = ed25519.Sign(priv, sigHash[:])
if sig.sigHash() != sigHash {
t.Errorf("sigHash changed after signing: %x != %x", sig.sigHash(), sigHash)
if sig.SigHash() != sigHash {
t.Errorf("sigHash changed after signing: %x != %x", sig.SigHash(), sigHash)
}
if err := sig.verifySignature(key); err != nil {
@@ -44,7 +44,7 @@ func TestSigSerializeUnserialize(t *testing.T) {
KeyID: key.ID(),
Pubkey: nodeKeyPub,
}
sigHash := sig.sigHash()
sigHash := sig.SigHash()
sig.Signature = ed25519.Sign(priv, sigHash[:])
var decoded NodeKeySignature