Beispiel #1
0
// Returns key, cert and cert chain
func InitializeSealedProgramKey(filePath string, t tao.Tao, domain tao.Domain) (
	*tao.Keys, []byte, [][]byte, error) {

	k, derCert, err := CreateSigningKey(t)
	if err != nil || derCert == nil {
		log.Printf("InitializeSealedProgramKey: CreateSigningKey failed with error %s\n", err)
		return nil, nil, nil, err
	}

	// Get program cert.
	domain_response, err := RequestDomainServiceCert("tcp", *caAddr, k,
		domain.Keys.VerifyingKey)
	if err != nil || domain_response == nil {
		log.Printf("InitializeSealedProgramKey: error from RequestDomainServiceCert\n")
		return nil, nil, nil, err
	}
	programCert := domain_response.SignedCert
	certChain := domain_response.CertChain
	k.Cert, err = x509.ParseCertificate(programCert)
	if err != nil {
		log.Printf("InitializeSealedProgramKey: Can't parse certificate\n")
		return nil, nil, nil, err
	}
	k.Cert.Raw = programCert

	// Serialize and save key blob
	programKeyBlob, err := tao.MarshalSignerDER(k.SigningKey)
	if err != nil {
		return nil, nil, nil, errors.New("InitializeSealedProgramKey: Can't produce signing key blob")
	}

	sealedProgramKey, err := t.Seal(programKeyBlob, tao.SealPolicyDefault)
	if err != nil {
		return nil, nil, nil, errors.New("InitializeSealedProgramKey: Can't seal signing key")
	}
	err = ioutil.WriteFile(path.Join(filePath, "sealedsigningKey"), sealedProgramKey, os.ModePerm)
	if err != nil {
		return nil, nil, nil, err
	}
	err = ioutil.WriteFile(path.Join(filePath, "signerCert"), programCert, os.ModePerm)
	if err != nil {
		return nil, nil, nil, err
	}
	/*
		FIX
		if certChain.size() > 0 {
			// Save cert chain
			FIX
			err = ioutil.WriteFile(path.Join(filePath, "certChain"), certChain, os.ModePerm)
			if err != nil {
				return nil, nil, nil, err
			}
		}
	*/
	return k, programCert, certChain, nil
}
Beispiel #2
0
// Create a Program Public/Private key.
func CreateSigningKey(t tao.Tao) (*tao.Keys, []byte, error) {

	self, err := t.GetTaoName()
	k, err := tao.NewTemporaryKeys(tao.Signing)
	if k == nil || err != nil {
		return nil, nil, errors.New("Can't generate signing key")
	}

	publicString := strings.Replace(self.String(), "(", "", -1)
	publicString = strings.Replace(publicString, ")", "", -1)

	// publicString is now a canonicalized Tao Principal name
	us := "US"
	google := "Google"
	details := tao.X509Details{
		Country:      &us,
		Organization: &google,
		CommonName:   &publicString}
	subjectname := tao.NewX509Name(&details)

	derCert, err := k.SigningKey.CreateSelfSignedDER(subjectname)
	if err != nil {
		return nil, nil, errors.New("Can't self sign cert\n")
	}
	cert, err := x509.ParseCertificate(derCert)
	if err != nil {
		return nil, nil, err
	}

	// Construct statement: "ProgramKey (new key) speaksfor Principal Name"
	// ToPrincipal retrieves key's Tao Principal Name.
	k.Cert = cert
	s := &auth.Speaksfor{
		Delegate:  k.SigningKey.ToPrincipal(),
		Delegator: self}
	if s == nil {
		return nil, nil, errors.New("Can't produce speaksfor")
	}

	// Sign attestation statement
	k.Delegation, err = t.Attest(&self, nil, nil, s)
	if err != nil {
		return nil, nil, err
	}
	_, _ = auth.UnmarshalForm(k.Delegation.SerializedStatement)
	return k, derCert, nil
}