func main() {
caAddr := flag.String("caAddr", "localhost:8124", "The address of the CA for setting up a certificate signed by the policy key")
hostcfg := flag.String("hostconfig", "tao.config", "path to host tao configuration")
serverHost := flag.String("host", "localhost", "address for client/server")
serverPort := flag.String("port", "8123", "port for client/server")
fileServerPath := flag.String("fileserver_files", "fileserver_files/", "fileserver directory")
fileServerFilePath := flag.String("stored_files", "fileserver_files/stored_files/", "fileserver directory")
country := flag.String("country", "US", "The country for the fileclient certificate")
org := flag.String("organization", "Google", "The organization for the fileclient certificate")
flag.Parse()
serverAddr := net.JoinHostPort(*serverHost, *serverPort)
hostDomain, err := tao.LoadDomain(*hostcfg, nil)
if err != nil {
log.Fatalln("fileserver: can't LoadDomain")
}
var policyCert []byte
if hostDomain.Keys.Cert != nil {
policyCert = hostDomain.Keys.Cert.Raw
}
if policyCert == nil {
log.Fatalln("fileserver: can't retrieve policy cert")
}
parentTao := tao.Parent()
if err := hostDomain.ExtendTaoName(parentTao); err != nil {
log.Fatalln("fileserver: can't extend the Tao with the policy key")
}
e := auth.PrinExt{Name: "fileserver_version_1"}
if err = parentTao.ExtendTaoName(auth.SubPrin{e}); err != nil {
log.Fatalln("fileserver: couldn't extend the Tao name")
}
taoName, err := parentTao.GetTaoName()
if err != nil {
log.Fatalln("fileserver: couldn't get tao name")
}
// Create or read the keys for fileclient.
fsKeys, err := tao.NewOnDiskTaoSealedKeys(tao.Signing|tao.Crypting, parentTao, *fileServerPath, tao.SealPolicyDefault)
if err != nil {
log.Fatalln("fileserver: couldn't set up the Tao-sealed keys:", err)
}
// Set up a temporary cert for communication with keyNegoServer.
fsKeys.Cert, err = fsKeys.SigningKey.CreateSelfSignedX509(tao.NewX509Name(&tao.X509Details{
Country: proto.String(*country),
Organization: proto.String(*org),
CommonName: proto.String(taoName.String()),
}))
if err != nil {
log.Fatalln("fileserver: couldn't create a self-signed cert for fileclient keys:", err)
}
// Contact keyNegoServer for the certificate.
if err := fileproxy.EstablishCert("tcp", *caAddr, fsKeys, hostDomain.Keys.VerifyingKey); err != nil {
log.Fatalf("fileserver: couldn't establish a cert signed by the policy key: %s", err)
}
symKeysPath := path.Join(*fileServerPath, "sealedEncKeys")
symKeys, err := fsKeys.NewSecret(symKeysPath, fileproxy.SymmetricKeySize)
if err != nil {
log.Fatalln("fileserver: couldn't get the file encryption keys")
}
tao.ZeroBytes(symKeys)
progPolicy := fileproxy.NewProgramPolicy(policyCert, taoName.String(), fsKeys, symKeys, fsKeys.Cert.Raw)
// Set up the file storage path if it doesn't exist.
if _, err := os.Stat(*fileServerFilePath); err != nil {
if err := os.MkdirAll(*fileServerFilePath, 0700); err != nil {
log.Fatalln("fileserver: couldn't create a file storage directory:", err)
}
}
if err := serve(serverAddr, *fileServerFilePath, policyCert, fsKeys, progPolicy); err != nil {
log.Fatalln("fileserver: couldn't serve connections:", err)
}
log.Printf("fileserver: done\n")
}
func main() {
caAddr := flag.String("caAddr", "localhost:8124", "The address of the CA for setting up a certificate signed by the policy key")
hostcfg := flag.String("hostconfig", "tao.config", "path to host tao configuration")
serverHost := flag.String("host", "localhost", "address for client/server")
serverPort := flag.String("port", "8129", "port for client/server")
rollbackServerPath := flag.String("rollbackserver_files", "rollbackserver_files", "rollbackserver directory")
country := flag.String("country", "US", "The country for the fileclient certificate")
org := flag.String("organization", "Google", "The organization for the fileclient certificate")
flag.Parse()
serverAddr := net.JoinHostPort(*serverHost, *serverPort)
hostDomain, err := tao.LoadDomain(*hostcfg, nil)
if err != nil {
log.Fatalln("rollbackserver: can't load domain:", err)
}
var policyCert []byte
if hostDomain.Keys.Cert != nil {
policyCert = hostDomain.Keys.Cert.Raw
}
if policyCert == nil {
log.Fatalln("rollbackserver: can't retrieve policy cert")
}
parentTao := tao.Parent()
if err := hostDomain.ExtendTaoName(parentTao); err != nil {
log.Fatalln("fileserver: can't extend the Tao with the policy key")
}
e := auth.PrinExt{Name: "rollbackserver_version_1"}
if err = parentTao.ExtendTaoName(auth.SubPrin{e}); err != nil {
log.Fatalln("rollbackserver: can't extend name")
}
taoName, err := parentTao.GetTaoName()
if err != nil {
return
}
// Create or read the keys for rollbackserver.
rbKeys, err := tao.NewOnDiskTaoSealedKeys(tao.Signing|tao.Crypting, parentTao, *rollbackServerPath, tao.SealPolicyDefault)
if err != nil {
log.Fatalln("rollbackserver: couldn't set up the Tao-sealed keys:", err)
}
// Set up a temporary cert for communication with keyNegoServer.
rbKeys.Cert, err = rbKeys.SigningKey.CreateSelfSignedX509(tao.NewX509Name(&tao.X509Details{
Country: proto.String(*country),
Organization: proto.String(*org),
CommonName: proto.String(taoName.String()),
}))
if err != nil {
log.Fatalln("rollbackserver: couldn't create a self-signed cert for rollbackserver keys:", err)
}
// Contact keyNegoServer for the certificate.
if err := fileproxy.EstablishCert("tcp", *caAddr, rbKeys, hostDomain.Keys.VerifyingKey); err != nil {
log.Fatalf("rollbackserver: couldn't establish a cert signed by the policy key: %s", err)
}
// The symmetric keys aren't used by the rollback server.
progPolicy := fileproxy.NewProgramPolicy(policyCert, taoName.String(), rbKeys, nil, rbKeys.Cert.Raw)
m := fileproxy.NewRollbackMaster(taoName.String())
if err := serve(serverAddr, taoName.String(), policyCert, rbKeys, progPolicy, m); err != nil {
log.Fatalf("rollbackserver: server error: %s\n", err)
}
log.Println("rollbackserver: done")
}
func main() {
caAddr := flag.String("caAddr", "localhost:8124", "The address of the CA for setting up a certificate signed by the policy key")
hostcfg := flag.String("hostconfig", "tao.config", "path to host tao configuration")
serverHost := flag.String("host", "localhost", "address for client/server")
serverPort := flag.String("port", "8123", "port for client/server")
rollbackServerHost := flag.String("rollbackhost", "localhost", "address for rollback client/server")
rollbackServerPort := flag.String("rollbackport", "8129", "port for client/server")
fileClientPassword := flag.String("password", "BogusPass", "A password for unlocking the user certificates")
fileClientPath := flag.String("fileclient_files", "fileclient_files", "fileclient directory")
fileClientFilePath := flag.String("stored_files", "fileclient_files/stored_files", "fileclient file directory")
testFile := flag.String("test_file", "originalTestFile", "test file")
fileClientKeyPath := flag.String("usercreds", "usercreds", "user keys and certs")
country := flag.String("country", "US", "The country for the fileclient certificate")
org := flag.String("organization", "Google", "The organization for the fileclient certificate")
flag.Parse()
serverAddr := net.JoinHostPort(*serverHost, *serverPort)
hostDomain, err := tao.LoadDomain(*hostcfg, nil)
if err != nil {
log.Fatalln("fileclient: Can't load domain")
}
var derPolicyCert []byte
if hostDomain.Keys.Cert["default"] != nil {
derPolicyCert = hostDomain.Keys.Cert["default"].Raw
}
if derPolicyCert == nil {
log.Fatalln("fileclient: Can't retrieve policy cert")
}
parentTao := tao.Parent()
if err := hostDomain.ExtendTaoName(parentTao); err != nil {
log.Fatalln("fileclient: can't extend the Tao with the policy key")
}
e := auth.PrinExt{Name: "fileclient_version_1"}
if err = parentTao.ExtendTaoName(auth.SubPrin{e}); err != nil {
log.Fatalln("fileclient: couldn't extend the tao name with the policy key")
}
taoName, err := parentTao.GetTaoName()
if err != nil {
log.Fatalln("fileclient: Can't get tao name")
}
// Create or read the keys for fileclient.
// Set up a temporary cert for communication with keyNegoServer.
// TODO(kwalsh) This may no longer be needed. Is there a significance to
// this cert?
name := tao.NewX509Name(&tao.X509Details{
Country: proto.String(*country),
Organization: proto.String(*org),
CommonName: proto.String(taoName.String()),
})
fcKeys, err := tao.NewOnDiskTaoSealedKeys(tao.Signing|tao.Crypting, name, parentTao, *fileClientPath, tao.SealPolicyDefault)
if err != nil {
log.Fatalln("fileclient: couldn't set up the Tao-sealed keys:", err)
}
if err != nil {
log.Fatalln("fileclient: couldn't create a self-signed cert for fileclient keys:", err)
}
// Contact keyNegoServer for the certificate.
if err := fileproxy.EstablishCert("tcp", *caAddr, fcKeys, hostDomain.Keys.VerifyingKey); err != nil {
log.Fatalf("fileclient: couldn't establish a cert signed by the policy key: %s", err)
}
// Get the policy cert and set up TLS.
conf, err := fcKeys.TLSClientConfig(hostDomain.Keys.Cert["default"])
if err != nil {
log.Fatalln("fileclient, encode error: ", err)
}
conn, err := tls.Dial("tcp", serverAddr, conf)
if err != nil {
log.Fatalln("fileclient: can't establish channel: ", err)
}
ms := util.NewMessageStream(conn)
// Before doing any tests, create a simple file to send to the server.
testContents := `
This is a simple file to test
It has some new lines
And it doesn't have very much content.
`
if _, err := os.Stat(*fileClientFilePath); err != nil {
if err := os.MkdirAll(*fileClientFilePath, 0700); err != nil {
log.Fatalf("fileclient: couldn't create the file storage path %s: %s", *fileClientFilePath, err)
}
}
sentFileName := *testFile
sentFilePath := path.Join(*fileClientFilePath, sentFileName)
if err := ioutil.WriteFile(sentFilePath, []byte(testContents), 0600); err != nil {
log.Fatalf("fileclient: couldn't create a test file at %s: %s", sentFilePath, err)
}
// Authenticate user principal(s).
if _, err := os.Stat(*fileClientKeyPath); err != nil {
log.Fatalf("fileclient: couldn't get user credentials from %s: %s\n", *fileClientKeyPath, err)
}
// This method won't generate the right certificate in general for
// signing, which is why we check first to make sure the right directory
// already exists. But it will successfully read the signer and the
// certificate.
userKeys, err := tao.NewOnDiskPBEKeys(tao.Signing, []byte(*fileClientPassword), *fileClientKeyPath, nil)
if err != nil {
log.Fatalf("Couldn't read the keys from %s: %s\n", *fileClientKeyPath, err)
}
userCert := userKeys.Cert["default"].Raw
// Authenticate a key to use for requests to the server.
if err = fileproxy.AuthenticatePrincipal(ms, userKeys, userCert); err != nil {
log.Fatalf("fileclient: can't authenticate principal: %s", err)
}
// Create a file.
if err = fileproxy.CreateFile(ms, userCert, sentFileName); err != nil {
log.Fatalln("fileclient: can't create file:", err)
}
// Send File.
if err = fileproxy.WriteFile(ms, userCert, *fileClientFilePath, sentFileName); err != nil {
log.Fatalf("fileclient: couldn't write the file %s to the server: %s", sentFileName, err)
}
// Get file.
outputFileName := sentFileName + ".out"
if err = fileproxy.ReadFile(ms, userCert, *fileClientFilePath, sentFileName, outputFileName); err != nil {
log.Fatalf("fileclient: couldn't get file %s to output file %s: %s", sentFileName, outputFileName, err)
}
// TODO(tmroeder): compare the received file against the sent file.
// Set up a TLS connection to the rollback server, just like the one to
// the file server.
rollbackServerAddr := net.JoinHostPort(*rollbackServerHost, *rollbackServerPort)
rbconn, err := tls.Dial("tcp", rollbackServerAddr, conf)
if err != nil {
log.Fatalf("fileclient: can't establish rollback channel: %s", err)
}
newms := util.NewMessageStream(rbconn)
// Create a fake hash value, and set this value for an item.
hashLen := 32
hash := make([]byte, hashLen)
if _, err := rand.Read(hash); err != nil {
log.Fatalf("fileclient: failed to read a random value for the hash")
}
progName := taoName.String()
resName := "test_resource"
if err := fileproxy.SetHash(newms, resName, hash); err != nil {
log.Fatalf("Couldn't set the hash for program '%s', resource '%s', hash % x on the remote server: %s", progName, resName, hash, err)
}
// Set the counter to 10 and check that we get the same value back.
if err := fileproxy.SetCounter(newms, uint64(10)); err != nil {
log.Fatalf("fileclient: couldn't set the counter in the file client")
}
c, err := fileproxy.GetCounter(newms)
if err != nil {
log.Fatalf("fileclient: couldn't get the value of the counter from the rollback server")
}
// Get the hash verification value.
newHash, err := fileproxy.GetHashedVerifier(newms, resName)
if err != nil {
log.Fatalf("fileclient: couldn't get the hashed verifier from the rollback server")
}
// Try to recompute the hashed verifier directly to see if it matches.
sh := sha256.New()
vi := fileproxy.EncodeCounter(c)
sh.Write(vi)
sh.Write(hash)
sh.Write(vi)
computed := sh.Sum(nil)
if subtle.ConstantTimeCompare(newHash, computed) != 1 {
log.Fatalf("fileclient: the hashed verifier % x returned by the server didn't match the value % x computed locally", newHash, computed)
}
log.Println("All fileclient tests pass")
}