Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-08-02 12:06:09 -04:00
Code Issues Projects Releases Packages Wiki Activity

atls: rename nonce to clientNonce/serverNonce for clarification

Browse source
This commit is contained in:
Thomas Tendyck 2022-06-02 17:18:42 +02:00 committed by Thomas Tendyck
parent 392ad7fe45
commit 989c128fa6
1 changed files with 16 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

16
internal/atls/atls.go
View file

@ -36,21 +36,21 @@ func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*t
// If no validators are set, the server's attestation document will not be verified. // If no validators are set, the server's attestation document will not be verified.
// If issuer is nil, the client will be unable to perform mutual aTLS. // If issuer is nil, the client will be unable to perform mutual aTLS.
func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) { func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error) {
nonce, err := util.GenerateRandomBytes(config.RNGLengthDefault) clientNonce, err := util.GenerateRandomBytes(config.RNGLengthDefault)
if err != nil { if err != nil {
return nil, err return nil, err
} }
clientConn := &clientConnection{ clientConn := &clientConnection{
issuer: issuer, issuer: issuer,
validators: validators, validators: validators,
clientNonce: nonce, clientNonce: clientNonce,
} }
return &tls.Config{ return &tls.Config{
VerifyPeerCertificate: clientConn.verify, VerifyPeerCertificate: clientConn.verify,
GetClientCertificate: clientConn.getCertificate, // use custom certificate for mutual aTLS connections GetClientCertificate: clientConn.getCertificate, // use custom certificate for mutual aTLS connections
InsecureSkipVerify: true, // disable default verification because we use our own verify func InsecureSkipVerify: true, // disable default verification because we use our own verify func
ServerName: base64.StdEncoding.EncodeToString(nonce), // abuse ServerName as a channel to transmit the nonce ServerName: base64.StdEncoding.EncodeToString(clientNonce), // abuse ServerName as a channel to transmit the nonce
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
}, nil }, nil
} }
@ -78,7 +78,7 @@ func getATLSConfigForClientFunc(issuer Issuer, validators []Validator) (func(*tl
// this function will be called once for every client // this function will be called once for every client
return func(chi *tls.ClientHelloInfo) (*tls.Config, error) { return func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
// generate nonce for this connection // generate nonce for this connection
nonce, err := util.GenerateRandomBytes(config.RNGLengthDefault) serverNonce, err := util.GenerateRandomBytes(config.RNGLengthDefault)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -87,7 +87,7 @@ func getATLSConfigForClientFunc(issuer Issuer, validators []Validator) (func(*tl
privKey: priv, privKey: priv,
issuer: issuer, issuer: issuer,
validators: validators, validators: validators,
nonce: nonce, serverNonce: serverNonce,
} }
clientAuth := tls.NoClientCert clientAuth := tls.NoClientCert
@ -258,7 +258,7 @@ type serverConnection struct {
issuer Issuer issuer Issuer
validators []Validator validators []Validator
privKey *ecdsa.PrivateKey privKey *ecdsa.PrivateKey
nonce []byte serverNonce []byte
} }
// verify the validity of a clients aTLS certificate. // verify the validity of a clients aTLS certificate.
@ -269,7 +269,7 @@ func (c *serverConnection) verify(rawCerts [][]byte, verifiedChains [][]*x509.Ce
return err return err
} }
return verifyEmbeddedReport(c.validators, cert, hash, c.nonce) return verifyEmbeddedReport(c.validators, cert, hash, c.serverNonce)
} }
// getCertificate generates a client certificate for aTLS connections. // getCertificate generates a client certificate for aTLS connections.
@ -283,5 +283,5 @@ func (c *serverConnection) getCertificate(chi *tls.ClientHelloInfo) (*tls.Certif
// create aTLS certificate using the nonce as extracted from the client-hello message // create aTLS certificate using the nonce as extracted from the client-hello message
// we also embed the nonce generated for this connection in case of mutual aTLS // we also embed the nonce generated for this connection in case of mutual aTLS
return getCertificate(c.issuer, c.privKey, &c.privKey.PublicKey, clientNonce, c.nonce) return getCertificate(c.issuer, c.privKey, &c.privKey.PublicKey, clientNonce, c.serverNonce)
} }