// Returns key, cert and cert chain
func InitializeSealedProgramKey(filePath string, t tao.Tao, domain tao.Domain) (
*tao.Keys, []byte, [][]byte, error) {
k, derCert, err := CreateSigningKey(t)
if err != nil || derCert == nil {
log.Printf("InitializeSealedProgramKey: CreateSigningKey failed with error %s\n", err)
return nil, nil, nil, err
}
// Get program cert.
domain_response, err := RequestDomainServiceCert("tcp", *caAddr, k,
domain.Keys.VerifyingKey)
if err != nil || domain_response == nil {
log.Printf("InitializeSealedProgramKey: error from RequestDomainServiceCert\n")
return nil, nil, nil, err
}
programCert := domain_response.SignedCert
certChain := domain_response.CertChain
k.Cert, err = x509.ParseCertificate(programCert)
if err != nil {
log.Printf("InitializeSealedProgramKey: Can't parse certificate\n")
return nil, nil, nil, err
}
k.Cert.Raw = programCert
// Serialize and save key blob
programKeyBlob, err := tao.MarshalSignerDER(k.SigningKey)
if err != nil {
return nil, nil, nil, errors.New("InitializeSealedProgramKey: Can't produce signing key blob")
}
sealedProgramKey, err := t.Seal(programKeyBlob, tao.SealPolicyDefault)
if err != nil {
return nil, nil, nil, errors.New("InitializeSealedProgramKey: Can't seal signing key")
}
err = ioutil.WriteFile(path.Join(filePath, "sealedsigningKey"), sealedProgramKey, os.ModePerm)
if err != nil {
return nil, nil, nil, err
}
err = ioutil.WriteFile(path.Join(filePath, "signerCert"), programCert, os.ModePerm)
if err != nil {
return nil, nil, nil, err
}
/*
FIX
if certChain.size() > 0 {
// Save cert chain
FIX
err = ioutil.WriteFile(path.Join(filePath, "certChain"), certChain, os.ModePerm)
if err != nil {
return nil, nil, nil, err
}
}
*/
return k, programCert, certChain, nil
}
// Create a Program Public/Private key.
func CreateSigningKey(t tao.Tao) (*tao.Keys, []byte, error) {
self, err := t.GetTaoName()
k, err := tao.NewTemporaryKeys(tao.Signing)
if k == nil || err != nil {
return nil, nil, errors.New("Can't generate signing key")
}
publicString := strings.Replace(self.String(), "(", "", -1)
publicString = strings.Replace(publicString, ")", "", -1)
// publicString is now a canonicalized Tao Principal name
us := "US"
google := "Google"
details := tao.X509Details{
Country: &us,
Organization: &google,
CommonName: &publicString}
subjectname := tao.NewX509Name(&details)
derCert, err := k.SigningKey.CreateSelfSignedDER(subjectname)
if err != nil {
return nil, nil, errors.New("Can't self sign cert\n")
}
cert, err := x509.ParseCertificate(derCert)
if err != nil {
return nil, nil, err
}
// Construct statement: "ProgramKey (new key) speaksfor Principal Name"
// ToPrincipal retrieves key's Tao Principal Name.
k.Cert = cert
s := &auth.Speaksfor{
Delegate: k.SigningKey.ToPrincipal(),
Delegator: self}
if s == nil {
return nil, nil, errors.New("Can't produce speaksfor")
}
// Sign attestation statement
k.Delegation, err = t.Attest(&self, nil, nil, s)
if err != nil {
return nil, nil, err
}
_, _ = auth.UnmarshalForm(k.Delegation.SerializedStatement)
return k, derCert, nil
}