/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
// Package atlscredentials handles creation of TLS credentials for attested TLS (ATLS).
package atlscredentials
import (
	"context"
	"errors"
	"fmt"
	"net"

	"github.com/edgelesssys/constellation/v2/internal/atls"

	"google.golang.org/grpc/credentials"
)
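// Credentials for attested TLS (ATLS).
//
// Credentials implements credentials.TransportCredentials so it can be handed
// to gRPC (grpc.WithTransportCredentials on the client, grpc.Creds on the
// server). On every handshake a fresh TLS config is built from issuer and
// validators by the atls package (see ClientHandshake and ServerHandshake);
// how the peer's attestation is checked against the validators is defined
// there, not in this package.
type Credentials struct {
	// issuer is handed unchanged to atls.CreateAttestationClientTLSConfig /
	// atls.CreateAttestationServerTLSConfig on each handshake.
	issuer atls.Issuer
	// validators is handed unchanged to the same atls calls on each handshake.
	// The slice is stored as given (not copied), so a caller that mutates it
	// after New changes what later handshakes accept.
	validators []atls.Validator
}

// Compile-time check that *Credentials satisfies the gRPC interface it is
// used as (Clone already returns it as credentials.TransportCredentials).
var _ credentials.TransportCredentials = (*Credentials)(nil)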
// New creates new ATLS Credentials.
//
// issuer and validators are stored as given and passed to the atls package on
// every handshake; the validators slice is not copied, so the caller should
// not mutate it afterwards. The returned value is ready to use with gRPC.
func New(issuer atls.Issuer, validators []atls.Validator) *Credentials {
	creds := Credentials{
		issuer:     issuer,
		validators: validators,
	}
	return &creds
}
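// ClientHandshake performs the client handshake.
//
// A fresh attestation-aware TLS config is built from the credentials' issuer
// and validators for every connection, then the standard gRPC TLS handshake
// runs on rawConn. ctx and authority are forwarded unchanged to the
// credentials.NewTLS handshake. An error from building the config is wrapped
// with context so it can be told apart from a failed TLS handshake when it
// surfaces at the dialer; errors.Is/errors.As still see the underlying error.
func (c *Credentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	clientCfg, err := atls.CreateAttestationClientTLSConfig(c.issuer, c.validators)
	if err != nil {
		return nil, nil, fmt.Errorf("creating attestation client TLS config: %w", err)
	}

	return credentials.NewTLS(clientCfg).ClientHandshake(ctx, authority, rawConn)
}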
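// ServerHandshake performs the server handshake.
//
// A fresh attestation-aware TLS config is built from the credentials' issuer
// and validators for every accepted connection, then the standard gRPC TLS
// server handshake runs on rawConn. An error from building the config is
// wrapped with context so it can be told apart from a failed TLS handshake in
// the server's logs; errors.Is/errors.As still see the underlying error.
func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	serverCfg, err := atls.CreateAttestationServerTLSConfig(c.issuer, c.validators)
	if err != nil {
		return nil, nil, fmt.Errorf("creating attestation server TLS config: %w", err)
	}

	return credentials.NewTLS(serverCfg).ServerHandshake(rawConn)
}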
// Info provides information about the protocol.
//
// The values reported are exactly those gRPC reports for its built-in TLS
// credentials, since the handshakes above run through credentials.NewTLS.
// Info does not read any field of the receiver.
func (c *Credentials) Info() credentials.ProtocolInfo {
	tlsCreds := credentials.NewTLS(nil)
	return tlsCreds.Info()
}
// Clone the credentials object.
//
// The copy is shallow: issuer is copied as-is and only the validators slice
// header is copied, so the clone and the original share the same backing
// array of validators.
func (c *Credentials) Clone() credentials.TransportCredentials {
	cloned := new(Credentials)
	*cloned = *c
	return cloned
}
// OverrideServerName is not supported and will fail.
//
// The returned error is always non-nil and the name argument is ignored. The
// server name is not part of how this package authenticates the peer (see the
// atls package for the attestation-based policy), so there is nothing to
// override.
func (c *Credentials) OverrideServerName(_ string) error {
	const reason = "cannot override server name"
	return errors.New(reason)
}