From 0941ce8c7e3eba5824420d038debfad199283d32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?=
Date: Wed, 25 May 2022 09:34:05 +0200
Subject: [PATCH] Allow passing nil issuer to not embed attestation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Daniel Weiße
---
 coordinator/atls/atls.go | 37 +++++++++++++++++------------------
 coordinator/atls/atls_test.go | 13 ++++++------
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/coordinator/atls/atls.go b/coordinator/atls/atls.go
index f5fd4a952..16ef9303f 100644
--- a/coordinator/atls/atls.go
+++ b/coordinator/atls/atls.go
@@ -20,11 +20,8 @@ import (
 
 // CreateAttestationServerTLSConfig creates a tls.Config object with a self-signed certificate and an embedded attestation document.
 // Pass a list of validators to enable mutual aTLS.
+// If issuer is nil, no attestation will be embedded.
 func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) {
- if issuer == nil {
- return nil, errors.New("unable to create aTLS server configuration without quote issuer")
- }
-
 getConfigForClient, err := getATLSConfigForClientFunc(issuer, validators)
 if err != nil {
 return nil, err
@@ -37,7 +34,7 @@ func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*t
 
 // CreateAttestationClientTLSConfig creates a tls.Config object that verifies a certificate with an embedded attestation document.
 // If no validators are set, the server's attestation document will not be verified.
-// If issuers is nil, the client will be unable to perform mutual aTLS.
+// If issuer is nil, the client will be unable to perform mutual aTLS.
 func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) {
 nonce, err := util.GenerateRandomBytes(config.RNGLengthDefault)
 if err != nil {
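Review bot: Dropping the nil-issuer guard in CreateAttestationServerTLSConfig turns what was a configuration error into a silent downgrade: a server built with a nil issuer now presents a self-signed certificate that carries no attestation extension, and the only party that will reject it is a client that happens to have validators configured (the client-side comment in the next hunk states that attestation is not verified when no validators are set). The added doc line should spell that consequence out, e.g. `// If issuer is nil, no attestation will be embedded; the resulting server is not attested and will be rejected by any client that has validators set.`. The same applies to the guard removed from clientConnection.getCertificate in the -237 hunk, where a missing issuer presumably now surfaces as a remote handshake rejection instead of the former local, descriptive error. Callers that require attestation should keep a nil check at their own call site, since this package no longer enforces it.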
@@ -117,18 +114,24 @@ func getCertificate(issuer Issuer, priv, pub any, remoteNonce, localNonce []byte
 return nil, err
 }
 
- hash, err := hashPublicKey(pub)
- if err != nil {
- return nil, err
+ var extensions []pkix.Extension
+
+ // create and embed attestation if quote Issuer is available
+ if issuer != nil {
+ hash, err := hashPublicKey(pub)
+ if err != nil {
+ return nil, err
+ }
+
+ // create attestation document using the nonce send by the remote party
+ attDoc, err := issuer.Issue(hash, remoteNonce)
+ if err != nil {
+ return nil, err
+ }
+
+ extensions = append(extensions, pkix.Extension{Id: issuer.OID(), Value: attDoc})
 }
- // create attestation document using the nonce send by the remote party
- attDoc, err := issuer.Issue(hash, remoteNonce)
- if err != nil {
- return nil, err
- }
-
- extensions := []pkix.Extension{{Id: issuer.OID(), Value: attDoc}}
 // embed locally generated nonce in certificate
 if len(localNonce) > 0 {
 extensions = append(extensions, pkix.Extension{Id: oid.ATLSNonce, Value: localNonce})
@@ -237,10 +240,6 @@ func (c *clientConnection) verify(rawCerts [][]byte, verifiedChains [][]*x509.Ce
 
 // getCertificate generates a client certificate for mutual aTLS connections.
 func (c *clientConnection) getCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
- if c.issuer == nil {
- return nil, errors.New("unable to create certificate: no quote issuer available")
- }
-
 // generate and hash key
 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 if err != nil {
diff --git a/coordinator/atls/atls_test.go b/coordinator/atls/atls_test.go
index 02c263e14..22a79f458 100644
--- a/coordinator/atls/atls_test.go
+++ b/coordinator/atls/atls_test.go
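Review bot: `hash, err := hashPublicKey(pub)` inside the new `if issuer != nil` block redeclares err in the inner scope and shadows the err the enclosing function already holds (visible in the `return nil, err` context at the top of the hunk); both inner errors return immediately so nothing is lost today, but it is exactly the shadowing pattern linters flag, and switching the two inner calls to `=` with hash and attDoc declared before the block removes it. A second point: `issuer != nil` is an interface comparison, so a typed-nil pointer passed by a caller satisfies it and `issuer.Issue` would then run on a nil receiver; since "nil means no attestation" is now this package's contract, a comment such as `// nil-interface only: a typed-nil Issuer still reaches Issue()` at the check would save the next reader from that trap. It is also worth stating at `var extensions []pkix.Extension` that when issuer is nil and localNonce is empty the certificate is a plain self-signed cert with no aTLS extension at all, which is what the remote validators must then reject. getCertificate's signature and the rest of its body are outside the hunk.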
@@ -46,27 +46,22 @@ func TestTLSConfig(t *testing.T) {
 },
 "client->server client cert is not verified": {
 serverIssuer: fakeIssuer{fakeOID: oid1},
- clientIssuer: fakeIssuer{fakeOID: oid1},
 clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
 },
 "server->client basic": {
- serverIssuer: fakeIssuer{fakeOID: oid1},
 serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
 clientIssuer: fakeIssuer{fakeOID: oid1},
 },
 "server->client multiple validators": {
- serverIssuer: fakeIssuer{fakeOID: oid1},
 serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
 clientIssuer: fakeIssuer{fakeOID: oid2},
 },
 "server->client validate error": {
- serverIssuer: fakeIssuer{fakeOID: oid1},
 serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
 clientIssuer: fakeIssuer{fakeOID: oid1},
 wantErr: true,
 },
 "server->client unknown oid": {
- serverIssuer: fakeIssuer{fakeOID: oid2},
 serverValidators: []Validator{fakeValidator{fakeOID: oid2}},
 clientIssuer: fakeIssuer{fakeOID: oid1},
 wantErr: true,
@@ -83,12 +78,18 @@ func TestTLSConfig(t *testing.T) {
 clientIssuer: fakeIssuer{fakeOID: oid2},
 clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
 },
- "mutual fails if client sends no cert": {
+ "mutual fails if client sends no attestation": {
 serverIssuer: fakeIssuer{fakeOID: oid1},
 serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
 clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
 wantErr: true,
 },
+ "mutual fails if server sends no attestation": {
+ serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
+ clientIssuer: fakeIssuer{fakeOID: oid1},
+ clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+ wantErr: true,
+ },
 "mutual validate error client side": {
 serverIssuer: fakeIssuer{fakeOID: oid1},
 serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
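Review bot: The table now exercises a nil issuer on one side at a time, but not the configuration the commit newly permits on both sides at once — no issuer and no validators anywhere — so the plain-TLS fallback that CreateAttestationServerTLSConfig now accepts is not pinned by any case; add one such as `"no attestation either side": {}` with wantErr set to whatever outcome is intended, so that the fallback is a documented decision rather than an accident. The wantErr cases also accept any handshake error, so the new "mutual fails if server sends no attestation" case cannot tell a validator rejection from an unrelated failure; if the assertion code (outside this hunk) can inspect the returned error, checking that it stems from the validator would make the case meaningful. TestTLSConfig's body starts and ends outside the hunk.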