// First return is terminate flag.
func handleRequest(conn net.Conn, policyKey *tao.Keys, guard tao.Guard) error {
// Expect an attestation from the client.
ms := util.NewMessageStream(conn)
var a tao.Attestation
if err := ms.ReadMessage(&a); err != nil {
return err
}
peerCert := conn.(*tls.Conn).ConnectionState().PeerCertificates[0]
p, err := tao.ValidatePeerAttestation(&a, peerCert)
if err != nil {
return err
}
// TODO(kwalsh) most of this duplicates the work of tao.Conn
if !guard.IsAuthorized(p, "Execute", nil) {
return fmt.Errorf("peer is not authorized to execute, hence not authorized to connect either")
}
// Sign cert and put it in attestation statement
// a consists of serialized statement, sig and SignerInfo
// a is a says speaksfor, Delegate of speaksfor is cert and should be DER encoded
// Get underlying says
f, err := auth.UnmarshalForm(a.SerializedStatement)
if err != nil {
return err
}
var saysStatement *auth.Says
if ptr, ok := f.(*auth.Says); ok {
saysStatement = ptr
} else if val, ok := f.(auth.Says); ok {
saysStatement = &val
}
sf, ok := saysStatement.Message.(auth.Speaksfor)
if ok != true {
return fmt.Errorf("keynegoserver: says doesn't have a speaksfor message\n")
}
kprin, ok := sf.Delegate.(auth.Prin)
if ok != true {
return fmt.Errorf("keynegoserver: speaksfor Delegate is not auth.Prin\n")
}
subjectPrin, ok := sf.Delegator.(auth.Prin)
if ok != true {
return fmt.Errorf("keynegoserver: can't get subject principal\n")
}
subjectName := subjectPrin.String()
details := &tao.X509Details{
Country: proto.String("US"),
Organization: proto.String("Google"),
OrganizationalUnit: proto.String(subjectName),
CommonName: proto.String("localhost"),
}
subjectname := tao.NewX509Name(details)
SerialNumber = SerialNumber + 1
verifier, err := tao.FromPrincipal(kprin)
if err != nil {
return errors.New("can't get principal from kprin")
}
template := policyKey.SigningKey.X509Template(subjectname)
template.IsCA = false
clientCert, err := policyKey.CreateSignedX509(verifier, template, "default")
if err != nil {
return fmt.Errorf("keynegoserver: can't create client certificate: %s\n", err)
}
clientDERCert := clientCert.Raw
err = ioutil.WriteFile("ClientCert", clientDERCert, os.ModePerm)
nowTime := time.Now().UnixNano()
expireTime := time.Now().AddDate(1, 0, 0).UnixNano()
// Replace self signed cert in attest request
newSpeaksFor := &auth.Speaksfor{
Delegate: auth.Bytes(clientDERCert),
Delegator: sf.Delegator,
}
keyNegoSays := auth.Says{
Speaker: policyKey.SigningKey.ToPrincipal(),
Time: &nowTime,
Expiration: &expireTime,
Message: newSpeaksFor,
}
delegator, ok := sf.Delegator.(auth.Prin)
if !ok {
return fmt.Errorf("keynegoserver: the delegator must be a principal")
}
found := false
for _, sprin := range delegator.Ext {
if !found && (sprin.Name == "Program") {
found = true
}
if found {
kprin.Ext = append(kprin.Ext, sprin)
}
}
ra, err := tao.GenerateAttestation(policyKey.SigningKey, nil, keyNegoSays)
if err != nil {
return fmt.Errorf("Couldn't attest to the new says statement: %s", err)
}
if _, err := ms.WriteMessage(ra); err != nil {
return fmt.Errorf("Couldn't return the attestation on the channel: %s", err)
}
return nil
}
