Generate random salt for key derivation on init (#309)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-07-29 09:52:47 +02:00 committed by GitHub
parent e0ce2e8a51
commit 9a3bd38912
25 changed files with 342 additions and 317 deletions

View File

@ -12,12 +12,14 @@ Styleguide for this document:
--> -->
# Changelog # Changelog
All notable changes to Constellation will be documented in this file. All notable changes to Constellation will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased] ## [Unreleased]
### Added ### Added
- Kubernetes version is configured through an entry in `constellation-config.yaml`. - Kubernetes version is configured through an entry in `constellation-config.yaml`.
@ -28,7 +30,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed ### Changed
- Nodes add themselves to the cluster after `constellation init` is done - Nodes add themselves to the cluster after `constellation init` is done
- Owner ID and Unique ID merged into a single value: Cluster ID - Owner ID and Unique ID merged into a single value: Cluster ID
### Deprecated ### Deprecated
@ -38,27 +39,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- User facing WireGuard VPN - User facing WireGuard VPN
### Fixed ### Fixed
- Correctly wait for `bootstrapper` to come online in `constellation init` - Correctly wait for `bootstrapper` to come online in `constellation init`
### Security ### Security
- Create Kubernetes CA signed kubelet certificates on activation. - Create Kubernetes CA signed kubelet certificates on activation.
- Add salt to key derivation
### Internal ### Internal
## [1.3.1] - 2022-07-11 ## [1.3.1] - 2022-07-11
### Changed ### Changed
- Update default CoreOS image to latest version (1657199013). - Update default CoreOS image to latest version (1657199013).
### Fixed ### Fixed
- Add load balancer path to Azure deployment so that PCR values can be read. - Add load balancer path to Azure deployment so that PCR values can be read.
- Show correct version number in `constellation version`. - Show correct version number in `constellation version`.
### Removed ### Removed
- Support for Azure `Standard_*_v3` types. - Support for Azure `Standard_*_v3` types.
## [1.3.0] - 2022-07-05 ## [1.3.0] - 2022-07-05
### Added ### Added
- Early boot logging for GCP and Azure. [[Docs]](https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/workflows/troubleshooting?id=cloud-logging) - Early boot logging for GCP and Azure. [[Docs]](https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/workflows/troubleshooting?id=cloud-logging)
- `constellation-access-manager` allows users to manage SSH users over a ConfigMap. Enables persistent and dynamic management of SSH users on multiple nodes, even after a reboot. [[Docs]](https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/workflows/ssh) - `constellation-access-manager` allows users to manage SSH users over a ConfigMap. Enables persistent and dynamic management of SSH users on multiple nodes, even after a reboot. [[Docs]](https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/workflows/ssh)
- GCP-native Kubernetes load balancing. [[Docs]](https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/architecture/networking) - GCP-native Kubernetes load balancing. [[Docs]](https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/architecture/networking)
@ -67,23 +76,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- `constellation-id.json` in Constellation workspace now holds cluster IDs, to reduce required arguments in Constellation commands, e.g., `constellation verify`. - `constellation-id.json` in Constellation workspace now holds cluster IDs, to reduce required arguments in Constellation commands, e.g., `constellation verify`.
### Changed ### Changed
- New `constellation-activation-service` offloads Kubernetes node activation from monolithic Coordinator to Kubernetes native micro-service. [[ReadMe]](https://github.com/edgelesssys/constellation/blob/main/activation/README.md) - New `constellation-activation-service` offloads Kubernetes node activation from monolithic Coordinator to Kubernetes native micro-service. [[ReadMe]](https://github.com/edgelesssys/constellation/blob/main/activation/README.md)
- Improve user-friendliness of error messages in Constellation CLI. - Improve user-friendliness of error messages in Constellation CLI.
- Move verification from extracting attestation statements out of aTLS handshake to a dedicated `verify-service` in Kubernetes with gRPC and HTTP endpoints. - Move verification from extracting attestation statements out of aTLS handshake to a dedicated `verify-service` in Kubernetes with gRPC and HTTP endpoints.
### Security ### Security
- GCP WireGuard encryption via cilium. - GCP WireGuard encryption via cilium.
### Internal ### Internal
- Refactore folder structure of repository to better reflect `internal` implementation and public API. - Refactore folder structure of repository to better reflect `internal` implementation and public API.
- Extend `goleak` checks to all tests. - Extend `goleak` checks to all tests.
## [1.2.0] - 2022-06-02 ## [1.2.0] - 2022-06-02
### Changed ### Changed
- Replace flannel CNI with Cilium. - Replace flannel CNI with Cilium.
## [1.1.0] - 2022-06-02 ## [1.1.0] - 2022-06-02
### Added ### Added
- CLI - CLI
- Command `constellation recover` to re-initialize a completely stopped cluster. - Command `constellation recover` to re-initialize a completely stopped cluster.
- Command `constellation config generate` to generate a default configuration file for a specific cloud provider. - Command `constellation config generate` to generate a default configuration file for a specific cloud provider.
@ -96,6 +112,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Option to add SSH users on init. - Option to add SSH users on init.
### Changed ### Changed
- CLI UX - CLI UX
- `constellation create` now requires a configuration file. The usual workflow is to run `constellation config generate` first. - `constellation create` now requires a configuration file. The usual workflow is to run `constellation config generate` first.
- Consistent command format with at most one argument and named flags otherwise. - Consistent command format with at most one argument and named flags otherwise.
@ -110,17 +127,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Rename *PCRs* to *Measurements*. - Rename *PCRs* to *Measurements*.
### Removed ### Removed
- Support for non-CVMs on GCP. - Support for non-CVMs on GCP.
### Fixed ### Fixed
- Pin Kubernetes version deployed by `kubeadm init`. - Pin Kubernetes version deployed by `kubeadm init`.
### Security ### Security
- Replace single, never expiring Kubernetes join token with expiring unique tokens. - Replace single, never expiring Kubernetes join token with expiring unique tokens.
- Apply CIS benchmark for kubeadm clusterconf and kubelet conf. - Apply CIS benchmark for kubeadm clusterconf and kubelet conf.
- Enable Kubernetes audit log. - Enable Kubernetes audit log.
### Internal ### Internal
- Create GCP images in `constellation-images` project so that they can be shared with customers. - Create GCP images in `constellation-images` project so that they can be shared with customers.
- Add customer onboarding docs. - Add customer onboarding docs.
- Add E2E test as Github Action. - Add E2E test as Github Action.
@ -128,6 +149,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Preparations for mutual ATLS. - Preparations for mutual ATLS.
## [1.0.0] - 2022-04-28 ## [1.0.0] - 2022-04-28
Initial release of Constellation. With underlying WireGuard and Kubernetes compliant. Initial release of Constellation. With underlying WireGuard and Kubernetes compliant.
[Unreleased]: https://github.com/edgelesssys/constellation/compare/v1.3.1...HEAD [Unreleased]: https://github.com/edgelesssys/constellation/compare/v1.3.1...HEAD

View File

@ -3,7 +3,7 @@ package main
import ( import (
"context" "context"
"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes" "github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/resources"
"github.com/edgelesssys/constellation/bootstrapper/role" "github.com/edgelesssys/constellation/bootstrapper/role"
"github.com/edgelesssys/constellation/internal/cloud/metadata" "github.com/edgelesssys/constellation/internal/cloud/metadata"
"github.com/edgelesssys/constellation/internal/logger" "github.com/edgelesssys/constellation/internal/logger"
@ -14,7 +14,7 @@ import (
type clusterFake struct{} type clusterFake struct{}
// InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster. // InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster.
func (c *clusterFake) InitCluster(context.Context, []string, string, string, []byte, kubernetes.KMSConfig, map[string]string, *logger.Logger, func (c *clusterFake) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, *logger.Logger,
) ([]byte, error) { ) ([]byte, error) {
return []byte{}, nil return []byte{}, nil
} }

View File

@ -34,6 +34,7 @@ type InitRequest struct {
CloudServiceAccountUri string `protobuf:"bytes,7,opt,name=cloud_service_account_uri,json=cloudServiceAccountUri,proto3" json:"cloud_service_account_uri,omitempty"` CloudServiceAccountUri string `protobuf:"bytes,7,opt,name=cloud_service_account_uri,json=cloudServiceAccountUri,proto3" json:"cloud_service_account_uri,omitempty"`
KubernetesVersion string `protobuf:"bytes,8,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"` KubernetesVersion string `protobuf:"bytes,8,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"`
SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"` SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"`
Salt []byte `protobuf:"bytes,10,opt,name=salt,proto3" json:"salt,omitempty"`
} }
func (x *InitRequest) Reset() { func (x *InitRequest) Reset() {
@ -131,6 +132,13 @@ func (x *InitRequest) GetSshUserKeys() []*SSHUserKey {
return nil return nil
} }
func (x *InitRequest) GetSalt() []byte {
if x != nil {
return x.Salt
}
return nil
}
type InitResponse struct { type InitResponse struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@ -253,7 +261,7 @@ var File_init_proto protoreflect.FileDescriptor
var file_init_proto_rawDesc = []byte{ var file_init_proto_rawDesc = []byte{
0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e, 0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e,
0x69, 0x74, 0x22, 0xa1, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x69, 0x74, 0x22, 0xb5, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65,
0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e,
0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20,
0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67, 0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67,
@ -279,26 +287,27 @@ var file_init_proto_rawDesc = []byte{
0x12, 0x34, 0x0a, 0x0d, 0x73, 0x73, 0x68, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x34, 0x0a, 0x0d, 0x73, 0x73, 0x68, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79,
0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x53, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x53,
0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x0b, 0x73, 0x73, 0x68, 0x55, 0x73, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x0b, 0x73, 0x73, 0x68, 0x55, 0x73,
0x65, 0x72, 0x4b, 0x65, 0x79, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x18, 0x0a,
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e,
0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75,
0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a,
0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77,
0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77,
0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
0x22, 0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74,
0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x65, 0x72, 0x49, 0x64, 0x22, 0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b,
0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d,
0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
0x12, 0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a,
0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x69, 0x6e, 0x03, 0x41, 0x50, 0x49, 0x12, 0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69,
0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x12, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6e, 0x73, 0x65, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f,
0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (

View File

@ -18,6 +18,7 @@ message InitRequest {
string cloud_service_account_uri = 7; string cloud_service_account_uri = 7;
string kubernetes_version = 8; string kubernetes_version = 8;
repeated SSHUserKey ssh_user_keys = 9; repeated SSHUserKey ssh_user_keys = 9;
bytes salt = 10;
} }
message InitResponse { message InitResponse {

View File

@ -8,7 +8,7 @@ import (
"github.com/edgelesssys/constellation/bootstrapper/initproto" "github.com/edgelesssys/constellation/bootstrapper/initproto"
"github.com/edgelesssys/constellation/bootstrapper/internal/diskencryption" "github.com/edgelesssys/constellation/bootstrapper/internal/diskencryption"
"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes" "github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/resources"
"github.com/edgelesssys/constellation/bootstrapper/nodestate" "github.com/edgelesssys/constellation/bootstrapper/nodestate"
"github.com/edgelesssys/constellation/bootstrapper/role" "github.com/edgelesssys/constellation/bootstrapper/role"
"github.com/edgelesssys/constellation/internal/atls" "github.com/edgelesssys/constellation/internal/atls"
@ -79,7 +79,7 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro
log.Infof("Init called") log.Infof("Init called")
// generate values for cluster attestation // generate values for cluster attestation
measurementSalt, clusterID, err := deriveMeasurementValues(req.MasterSecret) measurementSalt, clusterID, err := deriveMeasurementValues(req.MasterSecret, req.Salt)
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "deriving measurement values: %s", err) return nil, status.Errorf(codes.Internal, "deriving measurement values: %s", err)
} }
@ -98,7 +98,7 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro
return nil, status.Error(codes.FailedPrecondition, "node is already being activated") return nil, status.Error(codes.FailedPrecondition, "node is already being activated")
} }
if err := s.setupDisk(req.MasterSecret); err != nil { if err := s.setupDisk(req.MasterSecret, req.Salt); err != nil {
return nil, status.Errorf(codes.Internal, "setting up disk: %s", err) return nil, status.Errorf(codes.Internal, "setting up disk: %s", err)
} }
@ -115,8 +115,9 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro
req.CloudServiceAccountUri, req.CloudServiceAccountUri,
req.KubernetesVersion, req.KubernetesVersion,
measurementSalt, measurementSalt,
kubernetes.KMSConfig{ resources.KMSConfig{
MasterSecret: req.MasterSecret, MasterSecret: req.MasterSecret,
Salt: req.Salt,
KMSURI: req.KmsUri, KMSURI: req.KmsUri,
StorageURI: req.StorageUri, StorageURI: req.StorageUri,
KeyEncryptionKeyID: req.KeyEncryptionKeyId, KeyEncryptionKeyID: req.KeyEncryptionKeyId,
@ -141,7 +142,7 @@ func (s *Server) Stop() {
s.grpcServer.GracefulStop() s.grpcServer.GracefulStop()
} }
func (s *Server) setupDisk(masterSecret []byte) error { func (s *Server) setupDisk(masterSecret, salt []byte) error {
if err := s.disk.Open(); err != nil { if err := s.disk.Open(); err != nil {
return fmt.Errorf("opening encrypted disk: %w", err) return fmt.Errorf("opening encrypted disk: %w", err)
} }
@ -153,8 +154,7 @@ func (s *Server) setupDisk(masterSecret []byte) error {
} }
uuid = strings.ToLower(uuid) uuid = strings.ToLower(uuid)
// TODO: Choose a way to salt the key derivation diskKey, err := crypto.DeriveKey(masterSecret, salt, []byte(crypto.HKDFInfoPrefix+uuid), 32)
diskKey, err := crypto.DeriveKey(masterSecret, []byte("Constellation"), []byte(crypto.HKDFInfoPrefix+uuid), 32)
if err != nil { if err != nil {
return err return err
} }
@ -170,16 +170,16 @@ func sshProtoKeysToMap(keys []*initproto.SSHUserKey) map[string]string {
return keyMap return keyMap
} }
func deriveMeasurementValues(masterSecret []byte) (salt, clusterID []byte, err error) { func deriveMeasurementValues(masterSecret, hkdfSalt []byte) (salt, clusterID []byte, err error) {
salt, err = crypto.GenerateRandomBytes(crypto.RNGLengthDefault) salt, err = crypto.GenerateRandomBytes(crypto.RNGLengthDefault)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
secret, err := attestation.DeriveMeasurementSecret(masterSecret) secret, err := attestation.DeriveMeasurementSecret(masterSecret, hkdfSalt)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
clusterID, err = attestation.DeriveClusterID(salt, secret) clusterID, err = attestation.DeriveClusterID(secret, salt)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
@ -196,7 +196,7 @@ type ClusterInitializer interface {
cloudServiceAccountURI string, cloudServiceAccountURI string,
k8sVersion string, k8sVersion string,
measurementSalt []byte, measurementSalt []byte,
kmsConfig kubernetes.KMSConfig, kmsConfig resources.KMSConfig,
sshUserKeys map[string]string, sshUserKeys map[string]string,
log *logger.Logger, log *logger.Logger,
) ([]byte, error) ) ([]byte, error)

View File

@ -9,7 +9,7 @@ import (
"time" "time"
"github.com/edgelesssys/constellation/bootstrapper/initproto" "github.com/edgelesssys/constellation/bootstrapper/initproto"
"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes" "github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/resources"
"github.com/edgelesssys/constellation/internal/file" "github.com/edgelesssys/constellation/internal/file"
"github.com/edgelesssys/constellation/internal/logger" "github.com/edgelesssys/constellation/internal/logger"
"github.com/spf13/afero" "github.com/spf13/afero"
@ -218,7 +218,7 @@ type stubClusterInitializer struct {
initClusterErr error initClusterErr error
} }
func (i *stubClusterInitializer) InitCluster(context.Context, []string, string, string, []byte, kubernetes.KMSConfig, map[string]string, *logger.Logger, func (i *stubClusterInitializer) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, *logger.Logger,
) ([]byte, error) { ) ([]byte, error) {
return i.initClusterKubeconfig, i.initClusterErr return i.initClusterKubeconfig, i.initClusterErr
} }

View File

@ -231,7 +231,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
} }
}() }()
clusterID, err := attestation.DeriveClusterID(ticket.MeasurementSalt, ticket.MeasurementSecret) clusterID, err := attestation.DeriveClusterID(ticket.MeasurementSecret, ticket.MeasurementSalt)
if err != nil { if err != nil {
return err return err
} }

View File

@ -23,8 +23,18 @@ type kmsDeployment struct {
ImagePullSecret k8s.Secret ImagePullSecret k8s.Secret
} }
// KMSConfig is the configuration needed to set up Constellation's key management service.
type KMSConfig struct {
MasterSecret []byte
Salt []byte
KMSURI string
StorageURI string
KeyEncryptionKeyID string
UseExistingKEK bool
}
// NewKMSDeployment creates a new *kmsDeployment to use as the key management system inside Constellation. // NewKMSDeployment creates a new *kmsDeployment to use as the key management system inside Constellation.
func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment { func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment {
return &kmsDeployment{ return &kmsDeployment{
ServiceAccount: k8s.ServiceAccount{ ServiceAccount: k8s.ServiceAccount{
TypeMeta: meta.TypeMeta{ TypeMeta: meta.TypeMeta{
@ -187,7 +197,11 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
Items: []k8s.KeyToPath{ Items: []k8s.KeyToPath{
{ {
Key: constants.ConstellationMasterSecretKey, Key: constants.ConstellationMasterSecretKey,
Path: constants.MasterSecretFilename, Path: constants.ConstellationMasterSecretKey,
},
{
Key: constants.ConstellationMasterSecretSalt,
Path: constants.ConstellationMasterSecretSalt,
}, },
}, },
}, },
@ -228,7 +242,8 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
Namespace: "kube-system", Namespace: "kube-system",
}, },
Data: map[string][]byte{ Data: map[string][]byte{
constants.ConstellationMasterSecretKey: masterSecret, constants.ConstellationMasterSecretKey: config.MasterSecret,
constants.ConstellationMasterSecretSalt: config.Salt,
}, },
Type: "Opaque", Type: "Opaque",
}, },

View File

@ -11,8 +11,7 @@ func TestKMSMarshalUnmarshal(t *testing.T) {
require := require.New(t) require := require.New(t)
assert := assert.New(t) assert := assert.New(t)
testMS := []byte{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8} kmsDepl := NewKMSDeployment("test", KMSConfig{MasterSecret: []byte{0x0, 0x1, 0x2}, Salt: []byte{0x3, 0x4, 0x5}})
kmsDepl := NewKMSDeployment("test", testMS)
data, err := kmsDepl.Marshal() data, err := kmsDepl.Marshal()
require.NoError(err) require.NoError(err)

View File

@ -68,18 +68,10 @@ func New(cloudProvider string, clusterUtil clusterUtil, configProvider configura
} }
} }
type KMSConfig struct {
MasterSecret []byte
KMSURI string
StorageURI string
KeyEncryptionKeyID string
UseExistingKEK bool
}
// InitCluster initializes a new Kubernetes cluster and applies pod network provider. // InitCluster initializes a new Kubernetes cluster and applies pod network provider.
func (k *KubeWrapper) InitCluster( func (k *KubeWrapper) InitCluster(
ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string, ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string,
measurementSalt []byte, kmsConfig KMSConfig, sshUsers map[string]string, log *logger.Logger, measurementSalt []byte, kmsConfig resources.KMSConfig, sshUsers map[string]string, log *logger.Logger,
) ([]byte, error) { ) ([]byte, error) {
k8sVersion, err := versions.NewValidK8sVersion(versionString) k8sVersion, err := versions.NewValidK8sVersion(versionString)
if err != nil { if err != nil {
@ -187,7 +179,7 @@ func (k *KubeWrapper) InitCluster(
return nil, fmt.Errorf("setting up pod network: %w", err) return nil, fmt.Errorf("setting up pod network: %w", err)
} }
kms := resources.NewKMSDeployment(k.cloudProvider, kmsConfig.MasterSecret) kms := resources.NewKMSDeployment(k.cloudProvider, kmsConfig)
if err = k.clusterUtil.SetupKMS(k.client, kms); err != nil { if err = k.clusterUtil.SetupKMS(k.client, kms); err != nil {
return nil, fmt.Errorf("setting up kms: %w", err) return nil, fmt.Errorf("setting up kms: %w", err)
} }

View File

@ -296,7 +296,7 @@ func TestInitCluster(t *testing.T) {
kubeconfigReader: tc.kubeconfigReader, kubeconfigReader: tc.kubeconfigReader,
getIPAddr: func() (string, error) { return privateIP, nil }, getIPAddr: func() (string, error) { return privateIP, nil },
} }
_, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, KMSConfig{MasterSecret: masterSecret}, nil, logger.NewTest(t)) _, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, logger.NewTest(t))
if tc.wantErr { if tc.wantErr {
assert.Error(err) assert.Error(err)

View File

@ -115,7 +115,8 @@ func initialize(cmd *cobra.Command, dialer grpcDialer, serviceAccCreator service
req := &initproto.InitRequest{ req := &initproto.InitRequest{
AutoscalingNodeGroups: autoscalingNodeGroups, AutoscalingNodeGroups: autoscalingNodeGroups,
MasterSecret: flags.masterSecret, MasterSecret: flags.masterSecret.Key,
Salt: flags.masterSecret.Salt,
KmsUri: kms.ClusterKMSURI, KmsUri: kms.ClusterKMSURI,
StorageUri: kms.NoStoreURI, StorageUri: kms.NoStoreURI,
KeyEncryptionKeyId: "", KeyEncryptionKeyId: "",
@ -129,11 +130,7 @@ func initialize(cmd *cobra.Command, dialer grpcDialer, serviceAccCreator service
return err return err
} }
if err := writeOutput(resp, controlPlanes.PublicIPs()[0], cmd.OutOrStdout(), fileHandler); err != nil { return writeOutput(resp, controlPlanes.PublicIPs()[0], cmd.OutOrStdout(), fileHandler)
return err
}
return nil
} }
func initCall(ctx context.Context, dialer grpcDialer, ip string, req *initproto.InitRequest) (*initproto.InitResponse, error) { func initCall(ctx context.Context, dialer grpcDialer, ip string, req *initproto.InitRequest) (*initproto.InitResponse, error) {
@ -185,7 +182,7 @@ func writeOutput(resp *initproto.InitResponse, ip string, wr io.Writer, fileHand
fmt.Fprintln(wr) fmt.Fprintln(wr)
if err := fileHandler.Write(constants.AdminConfFilename, resp.Kubeconfig, file.OptNone); err != nil { if err := fileHandler.Write(constants.AdminConfFilename, resp.Kubeconfig, file.OptNone); err != nil {
return fmt.Errorf("write kubeconfig: %w", err) return fmt.Errorf("writing kubeconfig: %w", err)
} }
idFile := clusterIDsFile{ idFile := clusterIDsFile{
@ -236,38 +233,52 @@ func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, erro
// initFlags are the resulting values of flag preprocessing. // initFlags are the resulting values of flag preprocessing.
type initFlags struct { type initFlags struct {
configPath string configPath string
masterSecret []byte masterSecret masterSecret
autoscale bool autoscale bool
} }
// masterSecret holds the master key and salt for deriving keys.
type masterSecret struct {
Key []byte `json:"key"`
Salt []byte `json:"salt"`
}
// readOrGenerateMasterSecret reads a base64 encoded master secret from file or generates a new 32 byte secret. // readOrGenerateMasterSecret reads a base64 encoded master secret from file or generates a new 32 byte secret.
func readOrGenerateMasterSecret(writer io.Writer, fileHandler file.Handler, filename string) ([]byte, error) { func readOrGenerateMasterSecret(writer io.Writer, fileHandler file.Handler, filename string) (masterSecret, error) {
if filename != "" { if filename != "" {
// Try to read the base64 secret from file var secret masterSecret
encodedSecret, err := fileHandler.Read(filename) if err := fileHandler.ReadJSON(filename, &secret); err != nil {
if err != nil { return masterSecret{}, err
return nil, err
} }
decoded, err := base64.StdEncoding.DecodeString(string(encodedSecret))
if err != nil { if len(secret.Key) < crypto.MasterSecretLengthMin {
return nil, err return masterSecret{}, fmt.Errorf("provided master secret is smaller than the required minimum of %d Bytes", crypto.MasterSecretLengthMin)
} }
if len(decoded) < crypto.MasterSecretLengthMin { if len(secret.Salt) < crypto.RNGLengthDefault {
return nil, errors.New("provided master secret is smaller than the required minimum of 16 Bytes") return masterSecret{}, fmt.Errorf("provided salt is smaller than the required minimum of %d Bytes", crypto.RNGLengthDefault)
} }
return decoded, nil return secret, nil
} }
// No file given, generate a new secret, and save it to disk // No file given, generate a new secret, and save it to disk
masterSecret, err := crypto.GenerateRandomBytes(crypto.MasterSecretLengthDefault) key, err := crypto.GenerateRandomBytes(crypto.MasterSecretLengthDefault)
if err != nil { if err != nil {
return nil, err return masterSecret{}, err
} }
if err := fileHandler.Write(constants.MasterSecretFilename, []byte(base64.StdEncoding.EncodeToString(masterSecret)), file.OptNone); err != nil { salt, err := crypto.GenerateRandomBytes(crypto.RNGLengthDefault)
return nil, err if err != nil {
return masterSecret{}, err
}
secret := masterSecret{
Key: key,
Salt: salt,
}
if err := fileHandler.WriteJSON(constants.MasterSecretFilename, secret, file.OptNone); err != nil {
return masterSecret{}, err
} }
fmt.Fprintf(writer, "Your Constellation master secret was successfully written to ./%s\n", constants.MasterSecretFilename) fmt.Fprintf(writer, "Your Constellation master secret was successfully written to ./%s\n", constants.MasterSecretFilename)
return masterSecret, nil return secret, nil
} }
func getScalingGroupsFromState(stat state.ConstellationState, config *config.Config) (controlPlanes, workers cloudtypes.ScalingGroup, err error) { func getScalingGroupsFromState(stat state.ConstellationState, config *config.Config) (controlPlanes, workers cloudtypes.ScalingGroup, err error) {

View File

@ -256,59 +256,80 @@ func TestInitCompletion(t *testing.T) {
func TestReadOrGeneratedMasterSecret(t *testing.T) { func TestReadOrGeneratedMasterSecret(t *testing.T) {
testCases := map[string]struct { testCases := map[string]struct {
filename string filename string
filecontent string createFileFunc func(handler file.Handler) error
createFile bool fs func() afero.Fs
fs func() afero.Fs wantErr bool
wantErr bool
}{ }{
"file with secret exists": { "file with secret exists": {
filename: "someSecret", filename: "someSecret",
filecontent: base64.StdEncoding.EncodeToString([]byte("ConstellationSecret")), fs: afero.NewMemMapFs,
createFile: true, createFileFunc: func(handler file.Handler) error {
fs: afero.NewMemMapFs, return handler.WriteJSON(
wantErr: false, "someSecret",
masterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("constellation-32Byte-length-salt")},
file.OptNone,
)
},
wantErr: false,
}, },
"no file given": { "no file given": {
filename: "", filename: "",
filecontent: "", createFileFunc: func(handler file.Handler) error { return nil },
fs: afero.NewMemMapFs, fs: afero.NewMemMapFs,
wantErr: false, wantErr: false,
}, },
"file does not exist": { "file does not exist": {
filename: "nonExistingSecret", filename: "nonExistingSecret",
filecontent: "", createFileFunc: func(handler file.Handler) error { return nil },
createFile: false, fs: afero.NewMemMapFs,
fs: afero.NewMemMapFs, wantErr: true,
wantErr: true,
}, },
"file is empty": { "file is empty": {
filename: "emptySecret", filename: "emptySecret",
filecontent: "", createFileFunc: func(handler file.Handler) error {
createFile: true, return handler.Write("emptySecret", []byte{}, file.OptNone)
fs: afero.NewMemMapFs, },
wantErr: true, fs: afero.NewMemMapFs,
wantErr: true,
}, },
"secret too short": { "salt too short": {
filename: "shortSecret", filename: "shortSecret",
filecontent: base64.StdEncoding.EncodeToString([]byte("short")), createFileFunc: func(handler file.Handler) error {
createFile: true, return handler.WriteJSON(
fs: afero.NewMemMapFs, "shortSecret",
wantErr: true, masterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("short")},
file.OptNone,
)
},
fs: afero.NewMemMapFs,
wantErr: true,
}, },
"secret not encoded": { "key too short": {
filename: "unencodedSecret", filename: "shortSecret",
filecontent: "Constellation", createFileFunc: func(handler file.Handler) error {
createFile: true, return handler.WriteJSON(
fs: afero.NewMemMapFs, "shortSecret",
wantErr: true, masterSecret{Key: []byte("short"), Salt: []byte("constellation-32Byte-length-salt")},
file.OptNone,
)
},
fs: afero.NewMemMapFs,
wantErr: true,
},
"invalid file content": {
filename: "unencodedSecret",
createFileFunc: func(handler file.Handler) error {
return handler.Write("unencodedSecret", []byte("invalid-constellation-master-secret"), file.OptNone)
},
fs: afero.NewMemMapFs,
wantErr: true,
}, },
"file not writeable": { "file not writeable": {
filename: "", filename: "",
filecontent: "", createFileFunc: func(handler file.Handler) error { return nil },
createFile: false, fs: func() afero.Fs { return afero.NewReadOnlyFs(afero.NewMemMapFs()) },
fs: func() afero.Fs { return afero.NewReadOnlyFs(afero.NewMemMapFs()) }, wantErr: true,
wantErr: true,
}, },
} }
@ -318,10 +339,7 @@ func TestReadOrGeneratedMasterSecret(t *testing.T) {
require := require.New(t) require := require.New(t)
fileHandler := file.NewHandler(tc.fs()) fileHandler := file.NewHandler(tc.fs())
require.NoError(tc.createFileFunc(fileHandler))
if tc.createFile {
require.NoError(fileHandler.Write(tc.filename, []byte(tc.filecontent), file.OptNone))
}
var out bytes.Buffer var out bytes.Buffer
secret, err := readOrGenerateMasterSecret(&out, fileHandler, tc.filename) secret, err := readOrGenerateMasterSecret(&out, fileHandler, tc.filename)
@ -337,9 +355,10 @@ func TestReadOrGeneratedMasterSecret(t *testing.T) {
tc.filename = strings.Trim(filename[1], "\n") tc.filename = strings.Trim(filename[1], "\n")
} }
content, err := fileHandler.Read(tc.filename) var masterSecret masterSecret
require.NoError(err) require.NoError(fileHandler.ReadJSON(tc.filename, &masterSecret))
assert.Equal(content, []byte(base64.StdEncoding.EncodeToString(secret))) assert.Equal(masterSecret.Key, secret.Key)
assert.Equal(masterSecret.Salt, secret.Salt)
} }
}) })
} }

View File

@ -1,7 +1,6 @@
package cmd package cmd
import ( import (
"encoding/base64"
"errors" "errors"
"fmt" "fmt"
"regexp" "regexp"
@ -35,11 +34,11 @@ func NewRecoverCmd() *cobra.Command {
must(cmd.MarkFlagRequired("endpoint")) must(cmd.MarkFlagRequired("endpoint"))
cmd.Flags().String("disk-uuid", "", "disk UUID of the encrypted state disk (required)") cmd.Flags().String("disk-uuid", "", "disk UUID of the encrypted state disk (required)")
must(cmd.MarkFlagRequired("disk-uuid")) must(cmd.MarkFlagRequired("disk-uuid"))
cmd.Flags().String("master-secret", constants.MasterSecretFilename, "path to base64-encoded master secret") cmd.Flags().String("master-secret", constants.MasterSecretFilename, "path to master secret file")
return cmd return cmd
} }
func runRecover(cmd *cobra.Command, args []string) error { func runRecover(cmd *cobra.Command, _ []string) error {
fileHandler := file.NewHandler(afero.NewOsFs()) fileHandler := file.NewHandler(afero.NewOsFs())
recoveryClient := &proto.KeyClient{} recoveryClient := &proto.KeyClient{}
defer recoveryClient.Close() defer recoveryClient.Close()
@ -47,11 +46,16 @@ func runRecover(cmd *cobra.Command, args []string) error {
} }
func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recoveryClient) error { func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recoveryClient) error {
flags, err := parseRecoverFlags(cmd, fileHandler) flags, err := parseRecoverFlags(cmd)
if err != nil { if err != nil {
return err return err
} }
var masterSecret masterSecret
if err := fileHandler.ReadJSON(flags.secretPath, &masterSecret); err != nil {
return err
}
var stat state.ConstellationState var stat state.ConstellationState
if err := fileHandler.ReadJSON(constants.StateFilename, &stat); err != nil { if err := fileHandler.ReadJSON(constants.StateFilename, &stat); err != nil {
return err return err
@ -74,12 +78,12 @@ func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recove
return err return err
} }
diskKey, err := deriveStateDiskKey(flags.masterSecret, flags.diskUUID) diskKey, err := deriveStateDiskKey(masterSecret.Key, masterSecret.Salt, flags.diskUUID)
if err != nil { if err != nil {
return err return err
} }
measurementSecret, err := attestation.DeriveMeasurementSecret(flags.masterSecret) measurementSecret, err := attestation.DeriveMeasurementSecret(masterSecret.Key, masterSecret.Salt)
if err != nil { if err != nil {
return err return err
} }
@ -92,7 +96,7 @@ func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recove
return nil return nil
} }
func parseRecoverFlags(cmd *cobra.Command, fileHandler file.Handler) (recoverFlags, error) { func parseRecoverFlags(cmd *cobra.Command) (recoverFlags, error) {
endpoint, err := cmd.Flags().GetString("endpoint") endpoint, err := cmd.Flags().GetString("endpoint")
if err != nil { if err != nil {
return recoverFlags{}, fmt.Errorf("parsing endpoint argument: %w", err) return recoverFlags{}, fmt.Errorf("parsing endpoint argument: %w", err)
@ -115,10 +119,6 @@ func parseRecoverFlags(cmd *cobra.Command, fileHandler file.Handler) (recoverFla
if err != nil { if err != nil {
return recoverFlags{}, fmt.Errorf("parsing master-secret path argument: %w", err) return recoverFlags{}, fmt.Errorf("parsing master-secret path argument: %w", err)
} }
masterSecret, err := readMasterSecret(fileHandler, masterSecretPath)
if err != nil {
return recoverFlags{}, fmt.Errorf("reading the master secret from file %s: %w", masterSecretPath, err)
}
configPath, err := cmd.Flags().GetString("config") configPath, err := cmd.Flags().GetString("config")
if err != nil { if err != nil {
@ -126,35 +126,21 @@ func parseRecoverFlags(cmd *cobra.Command, fileHandler file.Handler) (recoverFla
} }
return recoverFlags{ return recoverFlags{
endpoint: endpoint, endpoint: endpoint,
diskUUID: diskUUID, diskUUID: diskUUID,
masterSecret: masterSecret, secretPath: masterSecretPath,
configPath: configPath, configPath: configPath,
}, nil }, nil
} }
type recoverFlags struct { type recoverFlags struct {
endpoint string endpoint string
diskUUID string diskUUID string
masterSecret []byte secretPath string
configPath string configPath string
} }
// readMasterSecret reads a base64 encoded master secret from file. // deriveStateDiskKey derives a state disk key from a master key, a salt, and a disk UUID.
func readMasterSecret(fileHandler file.Handler, filename string) ([]byte, error) { func deriveStateDiskKey(masterKey, salt []byte, diskUUID string) ([]byte, error) {
// Try to read the base64 secret from file return crypto.DeriveKey(masterKey, salt, []byte(crypto.HKDFInfoPrefix+diskUUID), crypto.StateDiskKeyLength)
encodedSecret, err := fileHandler.Read(filename)
if err != nil {
return nil, err
}
decoded, err := base64.StdEncoding.DecodeString(string(encodedSecret))
if err != nil {
return nil, err
}
return decoded, nil
}
// deriveStateDiskKey derives a state disk key from a master secret and a disk UUID.
func deriveStateDiskKey(masterKey []byte, diskUUID string) ([]byte, error) {
return crypto.DeriveKey(masterKey, []byte("Constellation"), []byte(crypto.HKDFInfoPrefix+diskUUID), crypto.StateDiskKeyLength)
} }

View File

@ -42,6 +42,13 @@ func TestRecover(t *testing.T) {
validState := state.ConstellationState{CloudProvider: "GCP"} validState := state.ConstellationState{CloudProvider: "GCP"}
invalidCSPState := state.ConstellationState{CloudProvider: "invalid"} invalidCSPState := state.ConstellationState{CloudProvider: "invalid"}
writeMasterSecret := func(require *require.Assertions) afero.Fs {
fs := afero.NewMemMapFs()
handler := file.NewHandler(fs)
require.NoError(handler.WriteJSON("constellation-mastersecret.json", masterSecret{Key: []byte("master-secret"), Salt: []byte("salt")}, file.OptNone))
return fs
}
testCases := map[string]struct { testCases := map[string]struct {
setupFs func(*require.Assertions) afero.Fs setupFs func(*require.Assertions) afero.Fs
existingState state.ConstellationState existingState state.ConstellationState
@ -55,62 +62,51 @@ func TestRecover(t *testing.T) {
wantKey []byte wantKey []byte
}{ }{
"works": { "works": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
existingState: validState, existingState: validState,
client: &stubRecoveryClient{}, client: &stubRecoveryClient{},
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000", diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
wantKey: []byte{0x4d, 0x34, 0x19, 0x1a, 0xf9, 0x23, 0xb9, 0x61, 0x55, 0x9b, 0xb2, 0x6, 0x15, 0x1b, 0x5f, 0xe, 0x21, 0xc2, 0xe5, 0x18, 0x1c, 0xfa, 0x32, 0x79, 0xa4, 0x6b, 0x84, 0x86, 0x7e, 0xd7, 0xf6, 0x76}, wantKey: []byte{
0xcb, 0x31, 0x9d, 0x3d, 0xe0, 0xb7, 0x8a, 0xe9, 0x20, 0xc0, 0x62, 0x00, 0x8f, 0xe4, 0x58, 0xa1,
0x87, 0x85, 0x5d, 0xa0, 0xca, 0xe2, 0x04, 0x5c, 0x80, 0xe8, 0xe6, 0xd5, 0x8a, 0x6c, 0xcb, 0x49,
},
}, },
"uppercase disk uuid works": { "uppercase disk uuid works": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
existingState: validState, existingState: validState,
client: &stubRecoveryClient{}, client: &stubRecoveryClient{},
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
diskUUIDFlag: "ABCDEFAB-CDEF-ABCD-ABCD-ABCDEFABCDEF", diskUUIDFlag: "ABCDEFAB-CDEF-ABCD-ABCD-ABCDEFABCDEF",
wantKey: []byte{0x7e, 0xc0, 0xa8, 0x84, 0xc4, 0x7, 0xda, 0x1, 0xed, 0xa9, 0xc8, 0x87, 0x77, 0xad, 0x86, 0x7c, 0x7d, 0x40, 0xa7, 0x28, 0x3d, 0xbd, 0x92, 0xea, 0xa1, 0x84, 0x67, 0x78, 0x58, 0x76, 0x13, 0x70}, wantKey: []byte{
0x9b, 0xb8, 0x4a, 0x62, 0x01, 0xb3, 0x32, 0xf6, 0xf2, 0x79, 0x43, 0x09, 0x86, 0xe7, 0x25, 0x0e,
0xd2, 0x77, 0xcb, 0x14, 0xe8, 0x8f, 0x38, 0xab, 0xe7, 0xd6, 0x25, 0x14, 0xa5, 0xa1, 0xff, 0xda,
},
}, },
"lowercase disk uuid results in same key": { "lowercase disk uuid results in same key": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
existingState: validState, existingState: validState,
client: &stubRecoveryClient{}, client: &stubRecoveryClient{},
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
diskUUIDFlag: "abcdefab-cdef-abcd-abcd-abcdefabcdef", diskUUIDFlag: "abcdefab-cdef-abcd-abcd-abcdefabcdef",
wantKey: []byte{0x7e, 0xc0, 0xa8, 0x84, 0xc4, 0x7, 0xda, 0x1, 0xed, 0xa9, 0xc8, 0x87, 0x77, 0xad, 0x86, 0x7c, 0x7d, 0x40, 0xa7, 0x28, 0x3d, 0xbd, 0x92, 0xea, 0xa1, 0x84, 0x67, 0x78, 0x58, 0x76, 0x13, 0x70}, wantKey: []byte{
0x9b, 0xb8, 0x4a, 0x62, 0x01, 0xb3, 0x32, 0xf6, 0xf2, 0x79, 0x43, 0x09, 0x86, 0xe7, 0x25, 0x0e,
0xd2, 0x77, 0xcb, 0x14, 0xe8, 0x8f, 0x38, 0xab, 0xe7, 0xd6, 0x25, 0x14, 0xa5, 0xa1, 0xff, 0xda,
},
}, },
"missing flags": { "missing flags": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() }, setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
wantErr: true, wantErr: true,
}, },
"missing config": { "missing config": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000", diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
configFlag: "nonexistent-config", configFlag: "nonexistent-config",
wantErr: true, wantErr: true,
}, },
"missing state": { "missing state": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
existingState: validState, existingState: validState,
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000", diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
@ -118,22 +114,14 @@ func TestRecover(t *testing.T) {
wantErr: true, wantErr: true,
}, },
"invalid cloud provider": { "invalid cloud provider": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
existingState: invalidCSPState, existingState: invalidCSPState,
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
diskUUIDFlag: "00000000-0000-0000-0000-000000000000", diskUUIDFlag: "00000000-0000-0000-0000-000000000000",
wantErr: true, wantErr: true,
}, },
"connect fails": { "connect fails": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
existingState: validState, existingState: validState,
client: &stubRecoveryClient{connectErr: errors.New("connect failed")}, client: &stubRecoveryClient{connectErr: errors.New("connect failed")},
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
@ -141,11 +129,7 @@ func TestRecover(t *testing.T) {
wantErr: true, wantErr: true,
}, },
"pushing state key fails": { "pushing state key fails": {
setupFs: func(require *require.Assertions) afero.Fs { setupFs: writeMasterSecret,
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
return fs
},
existingState: validState, existingState: validState,
client: &stubRecoveryClient{pushStateDiskKeyErr: errors.New("pushing key failed")}, client: &stubRecoveryClient{pushStateDiskKeyErr: errors.New("pushing key failed")},
endpointFlag: "192.0.2.1", endpointFlag: "192.0.2.1",
@ -160,7 +144,7 @@ func TestRecover(t *testing.T) {
require := require.New(t) require := require.New(t)
cmd := NewRecoverCmd() cmd := NewRecoverCmd()
cmd.Flags().String("config", "", "") // register persisten flag manually cmd.Flags().String("config", "", "") // register persistent flag manually
out := &bytes.Buffer{} out := &bytes.Buffer{}
cmd.SetOut(out) cmd.SetOut(out)
cmd.SetErr(&bytes.Buffer{}) cmd.SetErr(&bytes.Buffer{})
@ -212,36 +196,29 @@ func TestParseRecoverFlags(t *testing.T) {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "invalid"}, args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "invalid"},
wantErr: true, wantErr: true,
}, },
"invalid master secret path": {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012", "--master-secret", "invalid"},
wantErr: true,
},
"minimal args set": { "minimal args set": {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012"}, args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012"},
wantFlags: recoverFlags{ wantFlags: recoverFlags{
endpoint: "192.0.2.1:2", endpoint: "192.0.2.1:2",
diskUUID: "12345678-1234-1234-1234-123456789012", diskUUID: "12345678-1234-1234-1234-123456789012",
masterSecret: []byte("constellation-master-secret-leng"), secretPath: "constellation-mastersecret.json",
}, },
}, },
"all args set": { "all args set": {
args: []string{ args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012", "--config", "config-path", "--master-secret", "/path/super-secret.json"},
"-e", "192.0.2.1:2", "--disk-uuid", "12345678-1234-1234-1234-123456789012",
"--master-secret", "constellation-mastersecret.base64", "--config", "config-path",
},
wantFlags: recoverFlags{ wantFlags: recoverFlags{
endpoint: "192.0.2.1:2", endpoint: "192.0.2.1:2",
diskUUID: "12345678-1234-1234-1234-123456789012", diskUUID: "12345678-1234-1234-1234-123456789012",
masterSecret: []byte("constellation-master-secret-leng"), secretPath: "/path/super-secret.json",
configPath: "config-path", configPath: "config-path",
}, },
}, },
"uppercase disk-uuid is converted to lowercase": { "uppercase disk-uuid is converted to lowercase": {
args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "ABCDEFAB-CDEF-ABCD-ABCD-ABCDEFABCDEF"}, args: []string{"-e", "192.0.2.1:2", "--disk-uuid", "ABCDEFAB-CDEF-ABCD-ABCD-ABCDEFABCDEF"},
wantFlags: recoverFlags{ wantFlags: recoverFlags{
endpoint: "192.0.2.1:2", endpoint: "192.0.2.1:2",
diskUUID: "abcdefab-cdef-abcd-abcd-abcdefabcdef", diskUUID: "abcdefab-cdef-abcd-abcd-abcdefabcdef",
masterSecret: []byte("constellation-master-secret-leng"), secretPath: "constellation-mastersecret.json",
}, },
}, },
} }
@ -251,12 +228,10 @@ func TestParseRecoverFlags(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
require := require.New(t) require := require.New(t)
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="), 0o777))
cmd := NewRecoverCmd() cmd := NewRecoverCmd()
cmd.Flags().String("config", "", "") // register persistent flag manually cmd.Flags().String("config", "", "") // register persistent flag manually
require.NoError(cmd.ParseFlags(tc.args)) require.NoError(cmd.ParseFlags(tc.args))
flags, err := parseRecoverFlags(cmd, file.NewHandler(fs)) flags, err := parseRecoverFlags(cmd)
if tc.wantErr { if tc.wantErr {
assert.Error(err) assert.Error(err)
@ -268,52 +243,10 @@ func TestParseRecoverFlags(t *testing.T) {
} }
} }
func TestReadMasterSecret(t *testing.T) {
testCases := map[string]struct {
fileContents []byte
filename string
wantMasterSecret []byte
wantErr bool
}{
"invalid base64": {
fileContents: []byte("invalid"),
filename: "constellation-mastersecret.base64",
wantErr: true,
},
"invalid filename": {
fileContents: []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="),
filename: "invalid",
wantErr: true,
},
"correct master secret": {
fileContents: []byte("Y29uc3RlbGxhdGlvbi1tYXN0ZXItc2VjcmV0LWxlbmc="),
filename: "constellation-mastersecret.base64",
wantMasterSecret: []byte("constellation-master-secret-leng"),
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
fs := afero.NewMemMapFs()
require.NoError(afero.WriteFile(fs, "constellation-mastersecret.base64", tc.fileContents, 0o777))
masterSecret, err := readMasterSecret(file.NewHandler(fs), tc.filename)
if tc.wantErr {
assert.Error(err)
return
}
assert.NoError(err)
assert.Equal(tc.wantMasterSecret, masterSecret)
})
}
}
func TestDeriveStateDiskKey(t *testing.T) { func TestDeriveStateDiskKey(t *testing.T) {
testCases := map[string]struct { testCases := map[string]struct {
masterKey []byte masterKey []byte
salt []byte
diskUUID string diskUUID string
wantStateDiskKey []byte wantStateDiskKey []byte
}{ }{
@ -322,10 +255,14 @@ func TestDeriveStateDiskKey(t *testing.T) {
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
}, },
salt: []byte{
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
},
diskUUID: "00000000-0000-0000-0000-000000000000", diskUUID: "00000000-0000-0000-0000-000000000000",
wantStateDiskKey: []byte{ wantStateDiskKey: []byte{
0xc6, 0xe0, 0xae, 0xfc, 0xbe, 0x7b, 0x7e, 0x87, 0x7a, 0xdd, 0xb2, 0x87, 0xe0, 0xcd, 0x4c, 0xe4, 0x2b, 0x5c, 0x82, 0x9f, 0x69, 0x1b, 0xfd, 0x42, 0x32, 0xf8, 0xaa, 0xc4, 0x64, 0xbc, 0xcc, 0x07,
0xde, 0xee, 0xb3, 0x57, 0xaa, 0x6c, 0xc9, 0x44, 0x90, 0xc4, 0x07, 0x72, 0x01, 0x7d, 0xd6, 0xb1, 0xe6, 0x05, 0xc7, 0xc8, 0xe8, 0x2c, 0xbc, 0xa0, 0x98, 0x37, 0xe8, 0x6d, 0x0b, 0x6d, 0x06, 0x65,
}, },
}, },
"all 0xff": { "all 0xff": {
@ -333,10 +270,14 @@ func TestDeriveStateDiskKey(t *testing.T) {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
}, },
salt: []byte{
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
},
diskUUID: "ffffffff-ffff-ffff-ffff-ffffffffffff", diskUUID: "ffffffff-ffff-ffff-ffff-ffffffffffff",
wantStateDiskKey: []byte{ wantStateDiskKey: []byte{
0x00, 0x74, 0x4c, 0xb0, 0x92, 0x9d, 0x20, 0x08, 0xfa, 0x72, 0xac, 0xd2, 0xb6, 0xe4, 0xc6, 0x6f, 0x14, 0x84, 0xaa, 0x39, 0xd3, 0x41, 0x5e, 0x90, 0x6e, 0x07, 0x94, 0x0f, 0xf2, 0x15, 0xd8, 0xb1,
0xa3, 0x53, 0x16, 0xb1, 0x9e, 0x77, 0x42, 0xe8, 0xd3, 0x66, 0xe8, 0x22, 0x33, 0xfc, 0x63, 0x4d, 0xee, 0xe7, 0x05, 0xd3, 0x02, 0x7d, 0xba, 0x93, 0x30, 0x6a, 0xf4, 0xab, 0xff, 0x4f, 0x70, 0xbe,
}, },
}, },
} }
@ -345,7 +286,7 @@ func TestDeriveStateDiskKey(t *testing.T) {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
stateDiskKey, err := deriveStateDiskKey(tc.masterKey, tc.diskUUID) stateDiskKey, err := deriveStateDiskKey(tc.masterKey, tc.salt, tc.diskUUID)
assert.NoError(err) assert.NoError(err)
assert.Equal(tc.wantStateDiskKey, stateDiskKey) assert.Equal(tc.wantStateDiskKey, stateDiskKey)

View File

@ -13,12 +13,11 @@ const (
) )
// DeriveClusterID derives the cluster ID from a salt and secret value. // DeriveClusterID derives the cluster ID from a salt and secret value.
func DeriveClusterID(salt, secret []byte) ([]byte, error) { func DeriveClusterID(secret, salt []byte) ([]byte, error) {
return crypto.DeriveKey(secret, salt, []byte(crypto.HKDFInfoPrefix+clusterIDContext), crypto.DerivedKeyLengthDefault) return crypto.DeriveKey(secret, salt, []byte(crypto.HKDFInfoPrefix+clusterIDContext), crypto.DerivedKeyLengthDefault)
} }
// DeriveMeasurementSecret derives the secret value needed to derive ClusterID. // DeriveMeasurementSecret derives the secret value needed to derive ClusterID.
func DeriveMeasurementSecret(masterSecret []byte) ([]byte, error) { func DeriveMeasurementSecret(masterSecret, salt []byte) ([]byte, error) {
// TODO: replace hard coded salt return crypto.DeriveKey(masterSecret, salt, []byte(crypto.HKDFInfoPrefix+MeasurementSecretContext), crypto.DerivedKeyLengthDefault)
return crypto.DeriveKey(masterSecret, []byte("Constellation"), []byte(crypto.HKDFInfoPrefix+MeasurementSecretContext), crypto.DerivedKeyLengthDefault)
} }

View File

@ -17,6 +17,8 @@ const (
ConstellationMasterSecretStoreName = "constellation-mastersecret" ConstellationMasterSecretStoreName = "constellation-mastersecret"
// ConstellationMasterSecretKey is the name of the key for master secret in the master secret store secret. // ConstellationMasterSecretKey is the name of the key for master secret in the master secret store secret.
ConstellationMasterSecretKey = "mastersecret" ConstellationMasterSecretKey = "mastersecret"
// ConstellationMasterSecretSalt is the name of the key for salt in the master secret store secret.
ConstellationMasterSecretSalt = "salt"
// //
// Ports. // Ports.
@ -50,7 +52,7 @@ const (
ConfigFilename = "constellation-conf.yaml" ConfigFilename = "constellation-conf.yaml"
DebugdConfigFilename = "cdbg-conf.yaml" DebugdConfigFilename = "cdbg-conf.yaml"
AdminConfFilename = "constellation-admin.conf" AdminConfFilename = "constellation-admin.conf"
MasterSecretFilename = "constellation-mastersecret.base64" MasterSecretFilename = "constellation-mastersecret.json"
WGQuickConfigFilename = "wg0.conf" WGQuickConfigFilename = "wg0.conf"
CoreOSAdminConfFilename = "/etc/kubernetes/admin.conf" CoreOSAdminConfFilename = "/etc/kubernetes/admin.conf"
KubeadmCertificateDir = "/etc/kubernetes/pki" KubeadmCertificateDir = "/etc/kubernetes/pki"

View File

@ -25,8 +25,6 @@ const (
) )
// DeriveKey derives a key from a secret. // DeriveKey derives a key from a secret.
//
// TODO: decide on a secure key derivation function.
func DeriveKey(secret, salt, info []byte, length uint) ([]byte, error) { func DeriveKey(secret, salt, info []byte, length uint) ([]byte, error) {
hkdf := hkdf.New(sha256.New, secret, salt, info) hkdf := hkdf.New(sha256.New, secret, salt, info)
key := make([]byte, length) key := make([]byte, length)

View File

@ -30,9 +30,9 @@ func IsSupportedK8sVersion(version string) bool {
const ( const (
// Constellation images. // Constellation images.
// These images are built in a way that they support all versions currently listed in VersionConfigs. // These images are built in a way that they support all versions currently listed in VersionConfigs.
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v1.3.2-0.20220725190044-ba09c9c6" JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v1.3.2-0.20220720081316-baf7427f"
AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v1.3.2-0.20220714151638-d295be31" AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v1.3.2-0.20220714151638-d295be31"
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v1.3.2-0.20220722135959-3e250b12" KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v1.3.2-0.20220720081316-baf7427f"
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v1.3.2-0.20220714151638-d295be31" VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v1.3.2-0.20220714151638-d295be31"
GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:latest" GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:latest"

View File

@ -30,8 +30,8 @@ func New(log *logger.Logger, endpoint string) Client {
// GetDataKey returns a data encryption key for the given UUID. // GetDataKey returns a data encryption key for the given UUID.
func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error) { func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error) {
log := c.log.With(zap.String("keyID", keyID), zap.String("endpoint", c.endpoint)) log := c.log.With(zap.String("keyID", keyID), zap.String("endpoint", c.endpoint))
// TODO: update credentials if we enable aTLS on the KMS // the KMS does not use aTLS since traffic is only routed through the Constellation cluster
// For now this is fine since traffic is only routed through the Constellation cluster // cluster internal connections are considered trustworthy
log.Infof("Connecting to KMS at %s", c.endpoint) log.Infof("Connecting to KMS at %s", c.endpoint)
conn, err := grpc.DialContext(ctx, c.endpoint, grpc.WithTransportCredentials(insecure.NewCredentials())) conn, err := grpc.DialContext(ctx, c.endpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil { if err != nil {

View File

@ -2,9 +2,9 @@ package main
import ( import (
"context" "context"
"encoding/base64"
"errors" "errors"
"flag" "flag"
"fmt"
"path/filepath" "path/filepath"
"strconv" "strconv"
"time" "time"
@ -21,7 +21,8 @@ import (
func main() { func main() {
port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on") port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on")
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.MasterSecretFilename), "Path to the Constellation master secret") masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretSalt), "Path to the Constellation salt")
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription) verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
flag.Parse() flag.Parse()
@ -30,15 +31,28 @@ func main() {
log.With(zap.String("version", constants.VersionInfo)). log.With(zap.String("version", constants.VersionInfo)).
Infof("Constellation Key Management Service") Infof("Constellation Key Management Service")
// set up Key Management Service // read master secret and salt
masterKey, err := readMainSecret(*masterSecretPath) file := file.NewHandler(afero.NewOsFs())
masterKey, err := file.Read(*masterSecretPath)
if err != nil { if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to read master secret") log.With(zap.Error(err)).Fatalf("Failed to read master secret")
} }
if len(masterKey) < crypto.MasterSecretLengthMin {
log.With(zap.Error(errors.New("invalid key length"))).Fatalf("Provided master secret is smaller than the required minimum of %d bytes", crypto.MasterSecretLengthMin)
}
salt, err := file.Read(*saltPath)
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to read salt")
}
if len(salt) < crypto.RNGLengthDefault {
log.With(zap.Error(errors.New("invalid salt length"))).Fatalf("Expected salt to be %d bytes, but got %d", crypto.RNGLengthDefault, len(salt))
}
keyURI := setup.ClusterKMSURI + "?salt=" + base64.URLEncoding.EncodeToString(salt)
// set up Key Management Service
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute) ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancel() defer cancel()
conKMS, err := setup.SetUpKMS(ctx, setup.NoStoreURI, setup.ClusterKMSURI) conKMS, err := setup.SetUpKMS(ctx, setup.NoStoreURI, keyURI)
if err != nil { if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to setup KMS") log.With(zap.Error(err)).Fatalf("Failed to setup KMS")
} }
@ -50,22 +64,3 @@ func main() {
log.With(zap.Error(err)).Fatalf("Failed to run KMS server") log.With(zap.Error(err)).Fatalf("Failed to run KMS server")
} }
} }
// readMainSecret reads the base64 encoded main secret file from specified path and returns the secret as bytes.
func readMainSecret(fileName string) ([]byte, error) {
if fileName == "" {
return nil, errors.New("no filename to master secret provided")
}
fileHandler := file.NewHandler(afero.NewOsFs())
secretBytes, err := fileHandler.Read(fileName)
if err != nil {
return nil, err
}
if len(secretBytes) < crypto.MasterSecretLengthMin {
return nil, fmt.Errorf("provided master secret is smaller than the required minimum of %d bytes", crypto.MasterSecretLengthMin)
}
return secretBytes, nil
}

View File

@ -10,6 +10,12 @@ import (
// ClusterKMS implements the kms.CloudKMS interface for in cluster key management. // ClusterKMS implements the kms.CloudKMS interface for in cluster key management.
type ClusterKMS struct { type ClusterKMS struct {
masterKey []byte masterKey []byte
salt []byte
}
// New creates a new ClusterKMS.
func New(salt []byte) *ClusterKMS {
return &ClusterKMS{salt: salt}
} }
// CreateKEK sets the ClusterKMS masterKey. // CreateKEK sets the ClusterKMS masterKey.
@ -23,6 +29,5 @@ func (c *ClusterKMS) GetDEK(ctx context.Context, kekID string, dekID string, dek
if len(c.masterKey) == 0 { if len(c.masterKey) == 0 {
return nil, errors.New("master key not set for Constellation KMS") return nil, errors.New("master key not set for Constellation KMS")
} }
// TODO: Choose a way to salt key derivation return crypto.DeriveKey(c.masterKey, c.salt, []byte(dekID), uint(dekSize))
return crypto.DeriveKey(c.masterKey, []byte("Constellation"), []byte(dekID), uint(dekSize))
} }

View File

@ -2,6 +2,7 @@ package setup
import ( import (
"context" "context"
"encoding/base64"
"fmt" "fmt"
"net/url" "net/url"
"strconv" "strconv"
@ -123,7 +124,11 @@ func getKMS(ctx context.Context, kmsURI string, store kms.Storage) (kms.CloudKMS
return gcp.New(ctx, project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl)) return gcp.New(ctx, project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl))
case "cluster-kms": case "cluster-kms":
return &cluster.ClusterKMS{}, nil salt, err := getClusterKMSConfig(uri)
if err != nil {
return nil, err
}
return cluster.New(salt), nil
default: default:
return nil, fmt.Errorf("unknown KMS type: %s", uri.Host) return nil, fmt.Errorf("unknown KMS type: %s", uri.Host)
@ -186,6 +191,14 @@ func getGCPStorageConfig(uri *url.URL) (string, string, error) {
return r[0], r[1], err return r[0], r[1], err
} }
func getClusterKMSConfig(uri *url.URL) ([]byte, error) {
r, err := getConfig(uri.Query(), []string{"salt"})
if err != nil {
return nil, err
}
return base64.URLEncoding.DecodeString(r[0])
}
// getConfig parses url query values, returning a map of the requested values. // getConfig parses url query values, returning a map of the requested values.
// Returns an error if a key has no value. // Returns an error if a key has no value.
// This function MUST always return a slice of the same length as len(keys). // This function MUST always return a slice of the same length as len(keys).

View File

@ -2,6 +2,7 @@ package setup
import ( import (
"context" "context"
"encoding/base64"
"fmt" "fmt"
"net/url" "net/url"
"testing" "testing"
@ -73,7 +74,7 @@ func TestGetKMS(t *testing.T) {
wantErr bool wantErr bool
}{ }{
"cluster kms": { "cluster kms": {
uri: ClusterKMSURI, uri: fmt.Sprintf("%s?salt=%s", ClusterKMSURI, base64.URLEncoding.EncodeToString([]byte("salt"))),
wantErr: false, wantErr: false,
}, },
"aws kms": { "aws kms": {
@ -124,11 +125,11 @@ func TestGetKMS(t *testing.T) {
func TestSetUpKMS(t *testing.T) { func TestSetUpKMS(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
kms, err := SetUpKMS(context.TODO(), "storage://unknown", "kms://unknown") kms, err := SetUpKMS(context.Background(), "storage://unknown", "kms://unknown")
assert.Error(err) assert.Error(err)
assert.Nil(kms) assert.Nil(kms)
kms, err = SetUpKMS(context.Background(), "storage://no-store", "kms://cluster-kms") kms, err = SetUpKMS(context.Background(), "storage://no-store", "kms://cluster-kms?salt="+base64.URLEncoding.EncodeToString([]byte("salt")))
assert.NoError(err) assert.NoError(err)
assert.NotNil(kms) assert.NotNil(kms)
} }
@ -186,6 +187,23 @@ func TestGetGCPKMSConfig(t *testing.T) {
assert.Error(err) assert.Error(err)
} }
func TestGetClusterKMSConfig(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
expectedSalt := []byte{
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
}
uri, err := url.Parse(ClusterKMSURI + "?salt=" + base64.URLEncoding.EncodeToString(expectedSalt))
require.NoError(err)
salt, err := getClusterKMSConfig(uri)
assert.NoError(err)
assert.Equal(expectedSalt, salt)
}
func TestGetConfig(t *testing.T) { func TestGetConfig(t *testing.T) {
const testURI = "test://config?name=test-name&data=test-data&value=test-value" const testURI = "test://config?name=test-name&data=test-data&value=test-value"

View File

@ -82,7 +82,7 @@ getKey:
if err != nil { if err != nil {
return err return err
} }
clusterID, err := attestation.DeriveClusterID(measurementSalt, measurementSecret) clusterID, err := attestation.DeriveClusterID(measurementSecret, measurementSalt)
if err != nil { if err != nil {
return err return err
} }