func TestRevokeCertificate(t *testing.T) {
	k, err := tao.NewTemporaryKeys(tao.Signing)
	if k == nil || err != nil {
		t.Fatal("Can't generate signing key")
	}
	serialNumber := big.NewInt(5)
	says := auth.Says{
		Speaker: k.SigningKey.ToPrincipal(),
		Message: auth.Pred{
			Name: "revoke",
			Arg:  []auth.Term{auth.Bytes(serialNumber.Bytes())}}}

	att, err := tao.GenerateAttestation(k.SigningKey, nil, says)
	if err != nil {
		t.Fatal("Error generating attestation.")
	}
	serAtt, err := proto.Marshal(att)
	if err != nil {
		t.Fatal("Error serializing attestation.")
	}
	revokedCerts := []pkix.RevokedCertificate{}
	revokedCerts, err = RevokeCertificate(serAtt, revokedCerts, &tao.Domain{Keys: k})
	if err != nil {
		t.Fatal(err)
	}
	if num := revokedCerts[0].SerialNumber.Int64(); num != 5 {
		t.Fatal(fmt.Sprintf("Serial number %v doesnt match expected value 5", num))
	}
}
Example #2
0
func generateAttestation(signingKey *tao.Keys, delegator *auth.Prin) (*tao.Keys, *tao.Attestation) {
	k, err := tao.NewTemporaryKeys(tao.Signing)
	if k == nil || err != nil {
		log.Fatalln("Can't generate signing key")
	}
	speaksFor := &auth.Speaksfor{
		Delegate:  k.SigningKey.ToPrincipal(),
		Delegator: delegator,
	}
	says := &auth.Says{
		Speaker:    signingKey.SigningKey.ToPrincipal(),
		Time:       nil,
		Expiration: nil,
		Message:    speaksFor,
	}
	att, err := tao.GenerateAttestation(signingKey.SigningKey, nil, *says)
	if err != nil {
		log.Fatalln(err)
	}
	return k, att
}
Example #3
0
func main() {
	domain, err := tao.LoadDomain(*configPath, []byte(*domainPass))
	if domain == nil {
		log.Printf("domainserver: no domain path - %s, pass - %s, err - %s\n",
			*configPath, *domainPass, err)
	} else if err != nil {
		log.Printf("domainserver: Couldn't load the config path %s: %s\n",
			*configPath, err)
	}
	policyKey, policyCert := domain.Keys, domain.Keys.Cert
	if policyCert == nil {
		log.Fatalln("Policy cert not found")
	}
	hostKey, hostAtt := generateAttestation(policyKey, hostName)
	programKey, programAtt := generateAttestation(hostKey, programName)
	rawEnd1, err := proto.Marshal(hostAtt)
	if err != nil {
		log.Fatalln("Error serializing attestation.")
	}
	programAtt.SerializedEndorsements = [][]byte{rawEnd1}
	cert, err := domain_service.RequestProgramCert(programAtt, programKey.VerifyingKey,
		*network, *addr)
	if err != nil {
		log.Fatalln("Error:", err)
	}
	rootCerts := x509.NewCertPool()
	rootCerts.AddCert(domain.Keys.Cert)
	options := x509.VerifyOptions{Roots: rootCerts}
	_, err = cert.Verify(options)
	if err != nil {
		log.Fatalln("Program cert fails verification check.", err)
	}
	ver, err := tao.FromX509(cert)
	if err != nil {
		log.Fatalln("Error getting verifier from Program cert", err)
	}
	if v := programKey.VerifyingKey; !v.Equals(cert) {
		log.Fatalf("Key in Program cert %v differs from expected value %v.", ver, v)
	}

	// Test Certificate Revocation.
	serialNumber := cert.SerialNumber
	says := auth.Says{
		Speaker: domain.Keys.SigningKey.ToPrincipal(),
		Message: auth.Pred{
			Name: "revoke",
			Arg:  []auth.Term{auth.Bytes(serialNumber.Bytes())}}}

	att, err := tao.GenerateAttestation(domain.Keys.SigningKey, nil, says)
	if err != nil {
		log.Fatalln("Error generating attestation for certificate revocation.")
	}
	err = domain_service.RequestRevokeCertificate(att, *network, *addr)
	if err != nil {
		log.Fatalln("Error revoking certificate: ", err)
	}
	crl, err := domain_service.RequestCrl(*network, *addr)

	if err != nil {
		log.Fatalln("Error getting CRL: ", err)
	}
	revokedCerts := crl.TBSCertList.RevokedCertificates
	if len(revokedCerts) != 1 {
		log.Fatalf("Revoked 1 cert and got back CRL with %v revoked certs", len(revokedCerts))
	}
	if num := revokedCerts[0].SerialNumber.Int64(); num != serialNumber.Int64() {
		log.Fatalf("Serial number %v doesnt match expected value %v", num, serialNumber)
	}
	log.Println("YAY!")
}
Example #4
0
// First return is terminate flag.
func handleRequest(conn net.Conn, policyKey *tao.Keys, guard tao.Guard) error {
	// Expect an attestation from the client.
	ms := util.NewMessageStream(conn)
	var a tao.Attestation
	if err := ms.ReadMessage(&a); err != nil {
		return err
	}

	peerCert := conn.(*tls.Conn).ConnectionState().PeerCertificates[0]
	p, err := tao.ValidatePeerAttestation(&a, peerCert)
	if err != nil {
		return err
	}
	// TODO(kwalsh) most of this duplicates the work of tao.Conn
	if !guard.IsAuthorized(p, "Execute", nil) {
		return fmt.Errorf("peer is not authorized to execute, hence not authorized to connect either")
	}

	// Sign cert and put it in attestation statement
	// a consists of serialized statement, sig and SignerInfo
	// a is a says speaksfor, Delegate of speaksfor is cert and should be DER encoded

	// Get underlying says
	f, err := auth.UnmarshalForm(a.SerializedStatement)
	if err != nil {
		return err
	}

	var saysStatement *auth.Says
	if ptr, ok := f.(*auth.Says); ok {
		saysStatement = ptr
	} else if val, ok := f.(auth.Says); ok {
		saysStatement = &val
	}
	sf, ok := saysStatement.Message.(auth.Speaksfor)
	if ok != true {
		return fmt.Errorf("keynegoserver: says doesn't have a speaksfor message\n")
	}

	kprin, ok := sf.Delegate.(auth.Prin)
	if ok != true {
		return fmt.Errorf("keynegoserver: speaksfor Delegate is not auth.Prin\n")
	}
	subjectPrin, ok := sf.Delegator.(auth.Prin)
	if ok != true {
		return fmt.Errorf("keynegoserver: can't get subject principal\n")
	}
	subjectName := subjectPrin.String()
	details := &tao.X509Details{
		Country:            proto.String("US"),
		Organization:       proto.String("Google"),
		OrganizationalUnit: proto.String(subjectName),
		CommonName:         proto.String("localhost"),
	}
	subjectname := tao.NewX509Name(details)
	SerialNumber = SerialNumber + 1
	verifier, err := tao.FromPrincipal(kprin)
	if err != nil {
		return errors.New("can't get principal from kprin")
	}
	template := policyKey.SigningKey.X509Template(subjectname)
	template.IsCA = false
	clientCert, err := policyKey.CreateSignedX509(verifier, template, "default")
	if err != nil {
		return fmt.Errorf("keynegoserver: can't create client certificate: %s\n", err)
	}
	clientDERCert := clientCert.Raw
	err = ioutil.WriteFile("ClientCert", clientDERCert, os.ModePerm)

	nowTime := time.Now().UnixNano()
	expireTime := time.Now().AddDate(1, 0, 0).UnixNano()
	// Replace self signed cert in attest request
	newSpeaksFor := &auth.Speaksfor{
		Delegate:  auth.Bytes(clientDERCert),
		Delegator: sf.Delegator,
	}
	keyNegoSays := auth.Says{
		Speaker:    policyKey.SigningKey.ToPrincipal(),
		Time:       &nowTime,
		Expiration: &expireTime,
		Message:    newSpeaksFor,
	}

	delegator, ok := sf.Delegator.(auth.Prin)
	if !ok {
		return fmt.Errorf("keynegoserver: the delegator must be a principal")
	}
	found := false
	for _, sprin := range delegator.Ext {
		if !found && (sprin.Name == "Program") {
			found = true
		}
		if found {
			kprin.Ext = append(kprin.Ext, sprin)
		}
	}
	ra, err := tao.GenerateAttestation(policyKey.SigningKey, nil, keyNegoSays)
	if err != nil {
		return fmt.Errorf("Couldn't attest to the new says statement: %s", err)
	}

	if _, err := ms.WriteMessage(ra); err != nil {
		return fmt.Errorf("Couldn't return the attestation on the channel: %s", err)
	}

	return nil
}