Allow passing nil issuer to not embed attestation
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
49d1212cff
commit
0941ce8c7e
@ -20,11 +20,8 @@ import (
|
||||
|
||||
// CreateAttestationServerTLSConfig creates a tls.Config object with a self-signed certificate and an embedded attestation document.
|
||||
// Pass a list of validators to enable mutual aTLS.
|
||||
// If issuer is nil, no attestation will be embedded.
|
||||
func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) {
|
||||
if issuer == nil {
|
||||
return nil, errors.New("unable to create aTLS server configuration without quote issuer")
|
||||
}
|
||||
|
||||
getConfigForClient, err := getATLSConfigForClientFunc(issuer, validators)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -37,7 +34,7 @@ func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*t
|
||||
|
||||
// CreateAttestationClientTLSConfig creates a tls.Config object that verifies a certificate with an embedded attestation document.
|
||||
// If no validators are set, the server's attestation document will not be verified.
|
||||
// If issuers is nil, the client will be unable to perform mutual aTLS.
|
||||
// If issuer is nil, the client will be unable to perform mutual aTLS.
|
||||
func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) {
|
||||
nonce, err := util.GenerateRandomBytes(config.RNGLengthDefault)
|
||||
if err != nil {
|
||||
@ -117,18 +114,24 @@ func getCertificate(issuer Issuer, priv, pub any, remoteNonce, localNonce []byte
|
||||
return nil, err
|
||||
}
|
||||
|
||||
hash, err := hashPublicKey(pub)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
var extensions []pkix.Extension
|
||||
|
||||
// create and embed attestation if quote Issuer is available
|
||||
if issuer != nil {
|
||||
hash, err := hashPublicKey(pub)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// create attestation document using the nonce send by the remote party
|
||||
attDoc, err := issuer.Issue(hash, remoteNonce)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
extensions = append(extensions, pkix.Extension{Id: issuer.OID(), Value: attDoc})
|
||||
}
|
||||
|
||||
// create attestation document using the nonce send by the remote party
|
||||
attDoc, err := issuer.Issue(hash, remoteNonce)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
extensions := []pkix.Extension{{Id: issuer.OID(), Value: attDoc}}
|
||||
// embed locally generated nonce in certificate
|
||||
if len(localNonce) > 0 {
|
||||
extensions = append(extensions, pkix.Extension{Id: oid.ATLSNonce, Value: localNonce})
|
||||
@ -237,10 +240,6 @@ func (c *clientConnection) verify(rawCerts [][]byte, verifiedChains [][]*x509.Ce
|
||||
|
||||
// getCertificate generates a client certificate for mutual aTLS connections.
|
||||
func (c *clientConnection) getCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||
if c.issuer == nil {
|
||||
return nil, errors.New("unable to create certificate: no quote issuer available")
|
||||
}
|
||||
|
||||
// generate and hash key
|
||||
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
|
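Review bot: The new doc line "If issuer is nil, no attestation will be embedded." on CreateAttestationServerTLSConfig understates the consequence: with a nil issuer the server presents a plain self-signed certificate, so any client configured with validators will reject it, which the added test case "mutual fails if server sends no attestation" appears to exercise. I would extend the comment to `// If issuer is nil, no attestation will be embedded and the certificate is only self-signed; peers that validate attestation will reject it.` so callers do not pass nil for a server that clients are expected to verify. In the getCertificate hunk, `hash, err := hashPublicKey(pub)` inside the `if issuer != nil` block shadows the outer err; harmless since it is returned immediately, but `hash, err = hashPublicKey(pub)` with `var hash []byte` declared above would avoid the shadow warning from vet. The body of getCertificate continues outside the hunk.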
@ -46,27 +46,22 @@ func TestTLSConfig(t *testing.T) {
|
||||
},
|
||||
"client->server client cert is not verified": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
},
|
||||
"server->client basic": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
},
|
||||
"server->client multiple validators": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid2},
|
||||
},
|
||||
"server->client validate error": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
wantErr: true,
|
||||
},
|
||||
"server->client unknown oid": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid2},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid2}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
wantErr: true,
|
||||
@ -83,12 +78,18 @@ func TestTLSConfig(t *testing.T) {
|
||||
clientIssuer: fakeIssuer{fakeOID: oid2},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
|
||||
},
|
||||
"mutual fails if client sends no cert": {
|
||||
"mutual fails if client sends no attestation": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual fails if server sends no attestation": {
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
clientIssuer: fakeIssuer{fakeOID: oid1},
|
||||
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
wantErr: true,
|
||||
},
|
||||
"mutual validate error client side": {
|
||||
serverIssuer: fakeIssuer{fakeOID: oid1},
|
||||
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
|
||||
|