Beispiel #1
0
func outputPrincipal() {
	if path := *options.String["program"]; path != "" {
		subprin, err := makeProgramSubPrin(path)
		options.FailIf(err, "Can't create program principal")
		pt := auth.PrinTail{Ext: subprin}
		fmt.Println(pt)
	}
	if path := *options.String["container"]; path != "" {
		subprin, err := makeContainerSubPrin(path)
		options.FailIf(err, "Can't create container principal")
		pt := auth.PrinTail{Ext: subprin}
		fmt.Println(pt)
	}
	if *options.Bool["tpm"] {
		tpmPath, aikFile, pcrVals := getTPMConfig()
		prin := makeTPMPrin(tpmPath, aikFile, pcrVals)
		// In the domain template the host name is in quotes. We need to escape
		// quote strings in the Principal string so that domain_template.pb gets
		// parsed correctly.
		name := strings.Replace(prin.String(), "\"", "\\\"", -1)
		fmt.Println(name)
	}
	if lhpath := *options.String["soft"]; lhpath != "" {
		if !path.IsAbs(lhpath) {
			lhpath = path.Join(domainPath(), lhpath)
		}
		k, err := tao.NewOnDiskPBEKeys(tao.Signing, nil, lhpath, nil)
		options.FailIf(err, "Can't create soft tao keys")
		fmt.Println(k.VerifyingKey.ToPrincipal())
	}
}
Beispiel #2
0
func main() {
	network := flag.String("network", "tcp", "The network to use for connections")
	addr := flag.String("addr", "localhost:8124", "The address to listen on")
	domainPass := flag.String("password", "nopassword", "The domain password for the policy key")
	configPath := flag.String("config", "tao.config", "The Tao domain config")

	flag.Parse()
	domain, err := tao.LoadDomain(*configPath, []byte(*domainPass))
	if err != nil {
		log.Fatalf("keynegoserver: Couldn't load the config path %s: %s\n", *configPath, err)
	}

	// Set up temporary keys for the connection, since the only thing that
	// matters to the remote client is that they receive a correctly-signed new
	// attestation from the policy key.
	// JLM:  I left this in place but I'm not sure what a TLS connection with a
	//   self signed Cert buys in terms of security.  The security of this protocol should
	//   not depend on the confidentiality or intergity of the channel.  All that said,
	//   if we do ever distribute a signed keynegoserver cert for this TLS channel, it would
	//   be good.
	keys, err := tao.NewTemporaryKeys(tao.Signing)
	if err != nil {
		log.Fatalln("keynegoserver: Couldn't set up temporary keys for the connection:", err)
	}
	keys.Cert, err = keys.SigningKey.CreateSelfSignedX509(&pkix.Name{
		Organization: []string{"Google Tao Demo"}})
	if err != nil {
		log.Fatalln("keynegoserver: Couldn't set up a self-signed cert:", err)
	}
	SerialNumber = int64(time.Now().UnixNano()) / (1000000)
	policyKey, err := tao.NewOnDiskPBEKeys(tao.Signing, []byte(*domainPass), "policy_keys", nil)
	if err != nil {
		log.Fatalln("keynegoserver: Couldn't get policy key:", err)
	}

	tlsc, err := tao.EncodeTLSCert(keys)
	if err != nil {
		log.Fatalln("keynegoserver: Couldn't encode a TLS cert:", err)
	}
	conf := &tls.Config{
		RootCAs:            x509.NewCertPool(),
		Certificates:       []tls.Certificate{*tlsc},
		InsecureSkipVerify: true,
		ClientAuth:         tls.RequireAnyClientCert,
	}
	sock, err := tls.Listen(*network, *addr, conf)
	if err != nil {
		log.Printf("keynegoserver: error: %s", err)
	}
	defer sock.Close()

	for {
		conn, err := sock.Accept()
		if err != nil {
			log.Fatalln("keynegoserver: couldn't accept a connection:", err)
		}

		go handleRequest(conn, policyKey, domain.Guard)
	}
}
Beispiel #3
0
func createSoftTaoKeys() {
	dt := template()

	args := flag.Args()
	if len(args) != 1 {
		options.Usage("Must supply a path for the new key set")
	}
	keypath := args[0]

	pwd := getKey("soft tao key password", "soft_pass")

	k, err := tao.NewOnDiskPBEKeys(tao.Signing|tao.Crypting|tao.Deriving, pwd, keypath, tao.NewX509Name(dt.Config.X509Info))
	options.FailIf(err, "Can't create keys")

	fmt.Println(k.VerifyingKey.ToPrincipal())
}
func setUpDomain(t *testing.T) {
	var err error
	if _, err = os.Stat("./tmpdir"); os.IsNotExist(err) {
		err = os.Mkdir("./tmpdir", 0777)
		if err != nil {
			t.Fatal(err)
		}
	}
	aclGuardType := "ACLs"
	aclGuardPath := "acls"
	cfg := tao.DomainConfig{
		DomainInfo: &tao.DomainDetails{
			GuardType: &aclGuardType},
		AclGuardInfo: &tao.ACLGuardDetails{
			SignedAclsPath: &aclGuardPath}}
	domain, err = tao.CreateDomain(cfg, "./tmpdir/domain", []byte("xxx"))
	if err != nil {
		t.Fatal(err)
	}
	encKey, err = tao.NewOnDiskPBEKeys(tao.Crypting, []byte("xxx"), "./tmpdir/keys", nil)
	if err != nil {
		t.Fatal(err)
	}
}
Beispiel #5
0
func main() {
	caAddr := flag.String("caAddr", "localhost:8124", "The address of the CA for setting up a certificate signed by the policy key")
	hostcfg := flag.String("hostconfig", "tao.config", "path to host tao configuration")
	serverHost := flag.String("host", "localhost", "address for client/server")
	serverPort := flag.String("port", "8123", "port for client/server")
	rollbackServerHost := flag.String("rollbackhost", "localhost", "address for rollback client/server")
	rollbackServerPort := flag.String("rollbackport", "8129", "port for client/server")
	fileClientPassword := flag.String("password", "BogusPass", "A password for unlocking the user certificates")
	fileClientPath := flag.String("fileclient_files", "fileclient_files", "fileclient directory")
	fileClientFilePath := flag.String("stored_files", "fileclient_files/stored_files", "fileclient file directory")
	testFile := flag.String("test_file", "originalTestFile", "test file")
	fileClientKeyPath := flag.String("usercreds", "usercreds", "user keys and certs")
	country := flag.String("country", "US", "The country for the fileclient certificate")
	org := flag.String("organization", "Google", "The organization for the fileclient certificate")

	flag.Parse()

	serverAddr := net.JoinHostPort(*serverHost, *serverPort)
	hostDomain, err := tao.LoadDomain(*hostcfg, nil)
	if err != nil {
		log.Fatalln("fileclient: Can't load domain")
	}
	var derPolicyCert []byte
	if hostDomain.Keys.Cert["default"] != nil {
		derPolicyCert = hostDomain.Keys.Cert["default"].Raw
	}
	if derPolicyCert == nil {
		log.Fatalln("fileclient: Can't retrieve policy cert")
	}

	parentTao := tao.Parent()
	if err := hostDomain.ExtendTaoName(parentTao); err != nil {
		log.Fatalln("fileclient: can't extend the Tao with the policy key")
	}
	e := auth.PrinExt{Name: "fileclient_version_1"}
	if err = parentTao.ExtendTaoName(auth.SubPrin{e}); err != nil {
		log.Fatalln("fileclient: couldn't extend the tao name with the policy key")
	}

	taoName, err := parentTao.GetTaoName()
	if err != nil {
		log.Fatalln("fileclient: Can't get tao name")
	}

	// Create or read the keys for fileclient.
	// Set up a temporary cert for communication with keyNegoServer.
	// TODO(kwalsh) This may no longer be needed. Is there a significance to
	// this cert?
	name := tao.NewX509Name(&tao.X509Details{
		Country:      proto.String(*country),
		Organization: proto.String(*org),
		CommonName:   proto.String(taoName.String()),
	})
	fcKeys, err := tao.NewOnDiskTaoSealedKeys(tao.Signing|tao.Crypting, name, parentTao, *fileClientPath, tao.SealPolicyDefault)
	if err != nil {
		log.Fatalln("fileclient: couldn't set up the Tao-sealed keys:", err)
	}

	if err != nil {
		log.Fatalln("fileclient: couldn't create a self-signed cert for fileclient keys:", err)
	}

	// Contact keyNegoServer for the certificate.
	if err := fileproxy.EstablishCert("tcp", *caAddr, fcKeys, hostDomain.Keys.VerifyingKey); err != nil {
		log.Fatalf("fileclient: couldn't establish a cert signed by the policy key: %s", err)
	}

	// Get the policy cert and set up TLS.
	conf, err := fcKeys.TLSClientConfig(hostDomain.Keys.Cert["default"])
	if err != nil {
		log.Fatalln("fileclient, encode error: ", err)
	}
	conn, err := tls.Dial("tcp", serverAddr, conf)
	if err != nil {
		log.Fatalln("fileclient: can't establish channel: ", err)
	}
	ms := util.NewMessageStream(conn)

	// Before doing any tests, create a simple file to send to the server.
	testContents := `
This is a simple file to test
It has some new lines
And it doesn't have very much content.
	`

	if _, err := os.Stat(*fileClientFilePath); err != nil {
		if err := os.MkdirAll(*fileClientFilePath, 0700); err != nil {
			log.Fatalf("fileclient: couldn't create the file storage path %s: %s", *fileClientFilePath, err)
		}
	}

	sentFileName := *testFile
	sentFilePath := path.Join(*fileClientFilePath, sentFileName)
	if err := ioutil.WriteFile(sentFilePath, []byte(testContents), 0600); err != nil {
		log.Fatalf("fileclient: couldn't create a test file at %s: %s", sentFilePath, err)
	}

	// Authenticate user principal(s).
	if _, err := os.Stat(*fileClientKeyPath); err != nil {
		log.Fatalf("fileclient: couldn't get user credentials from %s: %s\n", *fileClientKeyPath, err)
	}

	// This method won't generate the right certificate in general for
	// signing, which is why we check first to make sure the right directory
	// already exists. But it will successfully read the signer and the
	// certificate.
	userKeys, err := tao.NewOnDiskPBEKeys(tao.Signing, []byte(*fileClientPassword), *fileClientKeyPath, nil)
	if err != nil {
		log.Fatalf("Couldn't read the keys from %s: %s\n", *fileClientKeyPath, err)
	}
	userCert := userKeys.Cert["default"].Raw

	// Authenticate a key to use for requests to the server.
	if err = fileproxy.AuthenticatePrincipal(ms, userKeys, userCert); err != nil {
		log.Fatalf("fileclient: can't authenticate principal: %s", err)
	}

	// Create a file.
	if err = fileproxy.CreateFile(ms, userCert, sentFileName); err != nil {
		log.Fatalln("fileclient: can't create file:", err)
	}

	// Send File.
	if err = fileproxy.WriteFile(ms, userCert, *fileClientFilePath, sentFileName); err != nil {
		log.Fatalf("fileclient: couldn't write the file %s to the server: %s", sentFileName, err)
	}

	// Get file.
	outputFileName := sentFileName + ".out"
	if err = fileproxy.ReadFile(ms, userCert, *fileClientFilePath, sentFileName, outputFileName); err != nil {
		log.Fatalf("fileclient: couldn't get file %s to output file %s: %s", sentFileName, outputFileName, err)
	}

	// TODO(tmroeder): compare the received file against the sent file.

	// Set up a TLS connection to the rollback server, just like the one to
	// the file server.
	rollbackServerAddr := net.JoinHostPort(*rollbackServerHost, *rollbackServerPort)
	rbconn, err := tls.Dial("tcp", rollbackServerAddr, conf)
	if err != nil {
		log.Fatalf("fileclient: can't establish rollback channel: %s", err)
	}
	newms := util.NewMessageStream(rbconn)

	// Create a fake hash value, and set this value for an item.
	hashLen := 32
	hash := make([]byte, hashLen)
	if _, err := rand.Read(hash); err != nil {
		log.Fatalf("fileclient: failed to read a random value for the hash")
	}

	progName := taoName.String()
	resName := "test_resource"
	if err := fileproxy.SetHash(newms, resName, hash); err != nil {
		log.Fatalf("Couldn't set the hash for program '%s', resource '%s', hash % x on the remote server: %s", progName, resName, hash, err)
	}

	// Set the counter to 10 and check that we get the same value back.
	if err := fileproxy.SetCounter(newms, uint64(10)); err != nil {
		log.Fatalf("fileclient: couldn't set the counter in the file client")
	}

	c, err := fileproxy.GetCounter(newms)
	if err != nil {
		log.Fatalf("fileclient: couldn't get the value of the counter from the rollback server")
	}

	// Get the hash verification value.
	newHash, err := fileproxy.GetHashedVerifier(newms, resName)
	if err != nil {
		log.Fatalf("fileclient: couldn't get the hashed verifier from the rollback server")
	}

	// Try to recompute the hashed verifier directly to see if it matches.
	sh := sha256.New()
	vi := fileproxy.EncodeCounter(c)
	sh.Write(vi)
	sh.Write(hash)
	sh.Write(vi)
	computed := sh.Sum(nil)
	if subtle.ConstantTimeCompare(newHash, computed) != 1 {
		log.Fatalf("fileclient: the hashed verifier % x returned by the server didn't match the value % x computed locally", newHash, computed)
	}

	log.Println("All fileclient tests pass")
}