mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-18 12:24:32 -05:00
a5021c52d3
* add ASK caching in joinservice Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use cached ASK in Azure SEV-SNP attestation Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update test charts Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix typ Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * make caching mechanism less provider-specific Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add `omitempty` flag Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * frontload certificate getter Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * rename frontloaded function Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * pass cached certificates to constructor Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix race condition Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix marshalling of empty certs Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix validator usage Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [wip] add certcache tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add certcache tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix validator test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove unused fields in validator Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix certificate precedence Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use separate context Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * linter fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * linter fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Remove unnecessary comment Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * use background context Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Use error format directive Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * `azure` -> `Azure` Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * improve error messages Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add x509 -> PEM util function Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use crypto util functions Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix certificate replacement logic Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * only require ASK from certcache Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix comment typo Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
125 lines
3.4 KiB
Go
125 lines
3.4 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package watcher
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"encoding/asn1"
|
|
"fmt"
|
|
"path/filepath"
|
|
"sync"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/atls"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
|
"github.com/edgelesssys/constellation/v2/internal/file"
|
|
"github.com/edgelesssys/constellation/v2/internal/logger"
|
|
)
|
|
|
|
// Updatable implements an updatable atls.Validator.
|
|
type Updatable struct {
|
|
log *logger.Logger
|
|
mux sync.Mutex
|
|
fileHandler file.Handler
|
|
variant variant.Variant
|
|
cachedCerts cachedCerts
|
|
atls.Validator
|
|
}
|
|
|
|
// NewValidator initializes a new updatable validator and performs an initial update (aka. initialization).
|
|
func NewValidator(log *logger.Logger, variant variant.Variant, fileHandler file.Handler, cachedCerts cachedCerts) (*Updatable, error) {
|
|
u := &Updatable{
|
|
log: log,
|
|
fileHandler: fileHandler,
|
|
variant: variant,
|
|
cachedCerts: cachedCerts,
|
|
}
|
|
err := u.Update()
|
|
|
|
return u, err
|
|
}
|
|
|
|
type cachedCerts interface {
|
|
SevSnpCerts() (ask *x509.Certificate, ark *x509.Certificate)
|
|
}
|
|
|
|
// Validate calls the validators Validate method, and prevents any updates during the call.
|
|
func (u *Updatable) Validate(ctx context.Context, attDoc []byte, nonce []byte) ([]byte, error) {
|
|
u.mux.Lock()
|
|
defer u.mux.Unlock()
|
|
return u.Validator.Validate(ctx, attDoc, nonce)
|
|
}
|
|
|
|
// OID returns the validators Object Identifier.
|
|
func (u *Updatable) OID() asn1.ObjectIdentifier {
|
|
u.mux.Lock()
|
|
defer u.mux.Unlock()
|
|
return u.Validator.OID()
|
|
}
|
|
|
|
// Update switches out the underlying validator.
|
|
func (u *Updatable) Update() error {
|
|
u.mux.Lock()
|
|
defer u.mux.Unlock()
|
|
|
|
u.log.Infof("Updating expected measurements")
|
|
|
|
data, err := u.fileHandler.Read(filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
cfg, err := config.UnmarshalAttestationConfig(data, u.variant)
|
|
if err != nil {
|
|
return fmt.Errorf("unmarshaling config: %w", err)
|
|
}
|
|
u.log.Debugf("New expected measurements: %+v", cfg.GetMeasurements())
|
|
|
|
cfgWithCerts, err := u.configWithCerts(cfg)
|
|
if err != nil {
|
|
return fmt.Errorf("adding cached certificates: %w", err)
|
|
}
|
|
|
|
validator, err := choose.Validator(cfgWithCerts, u.log)
|
|
if err != nil {
|
|
return fmt.Errorf("choosing validator: %w", err)
|
|
}
|
|
u.Validator = validator
|
|
|
|
return nil
|
|
}
|
|
|
|
// addCachedCerts adds the certificates cached by the validator to the attestation config, if applicable.
|
|
func (u *Updatable) configWithCerts(cfg config.AttestationCfg) (config.AttestationCfg, error) {
|
|
switch c := cfg.(type) {
|
|
case *config.AzureSEVSNP:
|
|
ask, err := u.getCachedAskCert()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("getting cached ASK certificate: %w", err)
|
|
}
|
|
c.AMDSigningKey = config.Certificate(ask)
|
|
return c, nil
|
|
}
|
|
// TODO(derpsteb): Add AWS SEV-SNP
|
|
|
|
return cfg, nil
|
|
}
|
|
|
|
// getCachedAskCert returns the cached SEV-SNP ASK certificate.
|
|
func (u *Updatable) getCachedAskCert() (x509.Certificate, error) {
|
|
if u.cachedCerts == nil {
|
|
return x509.Certificate{}, fmt.Errorf("no cached certs available")
|
|
}
|
|
ask, _ := u.cachedCerts.SevSnpCerts()
|
|
if ask == nil {
|
|
return x509.Certificate{}, fmt.Errorf("no ASK available")
|
|
}
|
|
return *ask, nil
|
|
}
|