Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-12 16:09:39 -05:00
Code Issues Packages Projects Releases Wiki Activity

Allow passing nil issuer to not embed attestation

Browse Source 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-05-25 09:34:05 +02:00 committed by Daniel Weiße
parent 49d1212cff
commit 0941ce8c7e
2 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
coordinator/atls/atls.go
View File

@ -20,11 +20,8 @@ import (
// CreateAttestationServerTLSConfig creates a tls.Config object with a self-signed certificate and an embedded attestation document. // CreateAttestationServerTLSConfig creates a tls.Config object with a self-signed certificate and an embedded attestation document.
// Pass a list of validators to enable mutual aTLS. // Pass a list of validators to enable mutual aTLS.
// If issuer is nil, no attestation will be embedded.
func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) { func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) {
if issuer == nil {
return nil, errors.New("unable to create aTLS server configuration without quote issuer")
}
getConfigForClient, err := getATLSConfigForClientFunc(issuer, validators) getConfigForClient, err := getATLSConfigForClientFunc(issuer, validators)
if err != nil { if err != nil {
return nil, err return nil, err
@ -37,7 +34,7 @@ func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*t
// CreateAttestationClientTLSConfig creates a tls.Config object that verifies a certificate with an embedded attestation document. // CreateAttestationClientTLSConfig creates a tls.Config object that verifies a certificate with an embedded attestation document.
// If no validators are set, the server's attestation document will not be verified. // If no validators are set, the server's attestation document will not be verified.
// If issuers is nil, the client will be unable to perform mutual aTLS. // If issuer is nil, the client will be unable to perform mutual aTLS.
func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) { func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) {
nonce, err := util.GenerateRandomBytes(config.RNGLengthDefault) nonce, err := util.GenerateRandomBytes(config.RNGLengthDefault)
if err != nil { if err != nil {
@ -117,18 +114,24 @@ func getCertificate(issuer Issuer, priv, pub any, remoteNonce, localNonce []byte
return nil, err return nil, err
} }
hash, err := hashPublicKey(pub) var extensions []pkix.Extension
if err != nil {
return nil, err // create and embed attestation if quote Issuer is available
if issuer != nil {
hash, err := hashPublicKey(pub)
if err != nil {
return nil, err
}
// create attestation document using the nonce send by the remote party
attDoc, err := issuer.Issue(hash, remoteNonce)
if err != nil {
return nil, err
}
extensions = append(extensions, pkix.Extension{Id: issuer.OID(), Value: attDoc})
} }
// create attestation document using the nonce send by the remote party
attDoc, err := issuer.Issue(hash, remoteNonce)
if err != nil {
return nil, err
}
extensions := []pkix.Extension{{Id: issuer.OID(), Value: attDoc}}
// embed locally generated nonce in certificate // embed locally generated nonce in certificate
if len(localNonce) > 0 { if len(localNonce) > 0 {
extensions = append(extensions, pkix.Extension{Id: oid.ATLSNonce, Value: localNonce}) extensions = append(extensions, pkix.Extension{Id: oid.ATLSNonce, Value: localNonce})
@ -237,10 +240,6 @@ func (c *clientConnection) verify(rawCerts [][]byte, verifiedChains [][]*x509.Ce
// getCertificate generates a client certificate for mutual aTLS connections. // getCertificate generates a client certificate for mutual aTLS connections.
func (c *clientConnection) getCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) { func (c *clientConnection) getCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
if c.issuer == nil {
return nil, errors.New("unable to create certificate: no quote issuer available")
}
// generate and hash key // generate and hash key
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil { if err != nil {

13
coordinator/atls/atls_test.go
View File

@ -46,27 +46,22 @@ func TestTLSConfig(t *testing.T) {
}, },
"client->server client cert is not verified": { "client->server client cert is not verified": {
serverIssuer: fakeIssuer{fakeOID: oid1}, serverIssuer: fakeIssuer{fakeOID: oid1},
clientIssuer: fakeIssuer{fakeOID: oid1},
clientValidators: []Validator{fakeValidator{fakeOID: oid1}}, clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
}, },
"server->client basic": { "server->client basic": {
serverIssuer: fakeIssuer{fakeOID: oid1},
serverValidators: []Validator{fakeValidator{fakeOID: oid1}}, serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
clientIssuer: fakeIssuer{fakeOID: oid1}, clientIssuer: fakeIssuer{fakeOID: oid1},
}, },
"server->client multiple validators": { "server->client multiple validators": {
serverIssuer: fakeIssuer{fakeOID: oid1},
serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}}, serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
clientIssuer: fakeIssuer{fakeOID: oid2}, clientIssuer: fakeIssuer{fakeOID: oid2},
}, },
"server->client validate error": { "server->client validate error": {
serverIssuer: fakeIssuer{fakeOID: oid1},
serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}}, serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
clientIssuer: fakeIssuer{fakeOID: oid1}, clientIssuer: fakeIssuer{fakeOID: oid1},
wantErr: true, wantErr: true,
}, },
"server->client unknown oid": { "server->client unknown oid": {
serverIssuer: fakeIssuer{fakeOID: oid2},
serverValidators: []Validator{fakeValidator{fakeOID: oid2}}, serverValidators: []Validator{fakeValidator{fakeOID: oid2}},
clientIssuer: fakeIssuer{fakeOID: oid1}, clientIssuer: fakeIssuer{fakeOID: oid1},
wantErr: true, wantErr: true,
@ -83,12 +78,18 @@ func TestTLSConfig(t *testing.T) {
clientIssuer: fakeIssuer{fakeOID: oid2}, clientIssuer: fakeIssuer{fakeOID: oid2},
clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}}, clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
}, },
"mutual fails if client sends no cert": { "mutual fails if client sends no attestation": {
serverIssuer: fakeIssuer{fakeOID: oid1}, serverIssuer: fakeIssuer{fakeOID: oid1},
serverValidators: []Validator{fakeValidator{fakeOID: oid1}}, serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
clientValidators: []Validator{fakeValidator{fakeOID: oid1}}, clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
wantErr: true, wantErr: true,
}, },
"mutual fails if server sends no attestation": {
serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
clientIssuer: fakeIssuer{fakeOID: oid1},
clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
wantErr: true,
},
"mutual validate error client side": { "mutual validate error client side": {
serverIssuer: fakeIssuer{fakeOID: oid1}, serverIssuer: fakeIssuer{fakeOID: oid1},
serverValidators: []Validator{fakeValidator{fakeOID: oid1}}, serverValidators: []Validator{fakeValidator{fakeOID: oid1}},