func doClient(domain *tao.Domain) { network := "tcp" keys, err := tao.NewTemporaryTaoDelegatedKeys(tao.Signing, nil, tao.Parent()) options.FailIf(err, "client: couldn't generate temporary Tao keys") g := domain.Guard if *ca != "" { na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey) options.FailIf(err, "client: couldn't get a truncated attestation from %s: %s\n", *ca) keys.Delegation = na // If we're using a CA, then use a custom guard that accepts only // programs that have talked to the CA. g, err = newTempCAGuard(domain.Keys.VerifyingKey) options.FailIf(err, "client: couldn't set up a new guard") } pingGood := 0 pingFail := 0 for i := 0; i < *pingCount || *pingCount < 0; i++ { // negative means forever if doRequest(g, domain, keys) { pingGood++ } else { pingFail++ } fmt.Printf("client: made %d connections, finished %d ok, %d bad pings\n", i+1, pingGood, pingFail) } }
// NewRouterContext generates new keys, loads a local domain configuration from // path and binds an anonymous listener socket to addr on network // network. A delegation is requested from the Tao t which is nominally // the parent of this hosted program. func NewRouterContext(path, network, addr string, batchSize int, timeout time.Duration, t tao.Tao) (hp *RouterContext, err error) { hp = new(RouterContext) hp.network = network hp.timeout = timeout // Generate keys and get attestation from parent. if hp.keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing|tao.Crypting, nil, t); err != nil { return nil, err } // Load domain from local configuration. if hp.domain, err = tao.LoadDomain(path, nil); err != nil { return nil, err } // Bind address to socket. if hp.proxyListener, err = tao.Listen(network, addr, hp.keys, nil, nil, nil); err != nil { return nil, err } // Instantiate the queues. hp.sendQueue = NewQueue(network, batchSize, timeout) hp.replyQueue = NewQueue(network, batchSize, timeout) hp.killQueue = make(chan bool) hp.killQueueErrorHandler = make(chan bool) go hp.sendQueue.DoQueue(hp.killQueue) go hp.replyQueue.DoQueue(hp.killQueue) go hp.sendQueue.DoQueueErrorHandler(hp.replyQueue, hp.killQueueErrorHandler) go hp.replyQueue.DoQueueErrorHandlerLog("reply queue", hp.killQueueErrorHandler) return hp, nil }
// NewRouterContext generates new keys, loads a local domain configuration from // path and binds an anonymous listener socket to addr on network // network. A delegation is requested from the Tao t which is nominally // the parent of this hosted program. func NewRouterContext(path, network, addr string, batchSize int, timeout time.Duration, x509Identity *pkix.Name, t tao.Tao) (hp *RouterContext, err error) { hp = new(RouterContext) hp.network = network hp.timeout = timeout // Generate keys and get attestation from parent. if hp.keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing|tao.Crypting, t); err != nil { return nil, err } // Create a certificate. if hp.keys.Cert, err = hp.keys.SigningKey.CreateSelfSignedX509(x509Identity); err != nil { return nil, err } // Load domain from local configuration. if hp.domain, err = tao.LoadDomain(path, nil); err != nil { return nil, err } // Encode TLS certificate. cert, err := tao.EncodeTLSCert(hp.keys) if err != nil { return nil, err } tlsConfig := &tls.Config{ RootCAs: x509.NewCertPool(), Certificates: []tls.Certificate{*cert}, InsecureSkipVerify: true, ClientAuth: tls.NoClientCert, } // Bind address to socket. if hp.proxyListener, err = tao.ListenAnonymous(network, addr, tlsConfig, hp.domain.Guard, hp.domain.Keys.VerifyingKey, hp.keys.Delegation); err != nil { return nil, err } // Instantiate the queues. hp.sendQueue = NewQueue(network, batchSize, timeout) hp.replyQueue = NewQueue(network, batchSize, timeout) hp.killQueue = make(chan bool) hp.killQueueErrorHandler = make(chan bool) go hp.sendQueue.DoQueue(hp.killQueue) go hp.replyQueue.DoQueue(hp.killQueue) go hp.sendQueue.DoQueueErrorHandler(hp.replyQueue, hp.killQueueErrorHandler) go hp.replyQueue.DoQueueErrorHandlerLog("reply queue", hp.killQueueErrorHandler) return hp, nil }
// Connect establishes a connection to a netlog server, if necessary. This will // be called automatically by Log() and Entries(). func (srv *Server) Connect() error { if srv.Conn != nil { return nil } keys, err := tao.NewTemporaryTaoDelegatedKeys(tao.Signing, nil, tao.Parent()) if err != nil { return err } conn, err := tao.Dial("tcp", srv.Addr, srv.Guard, srv.DomainKey, keys, nil) if err != nil { return err } srv.Conn = conn return nil }
// Connect opens a connection to the server, if not already connected. If keys // are provided, they will be used to connect. Otherwise, if running under a // Tao, new Tao-delegated keys will be created to authenticate to the rendezvous // server. func (s *Server) Connect(keys *tao.Keys) error { if s.conn != nil { return nil } var err error if keys == nil && tao.Parent() != nil { keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing, nil, tao.Parent()) if err != nil { return err } } addr := net.JoinHostPort(s.Host, s.Port) conn, err := tao.Dial("tcp", addr, nil /* guard */, nil /* verifier */, keys, nil) if err != nil { return err } s.conn = conn return nil }
func doClient(domain *tao.Domain) { network := "tcp" keys, err := tao.NewTemporaryTaoDelegatedKeys(tao.Signing, tao.Parent()) options.FailIf(err, "client: couldn't generate temporary Tao keys") // TODO(tmroeder): fix the name cert, err := keys.SigningKey.CreateSelfSignedX509(&pkix.Name{ Organization: []string{"Google Tao Demo"}}) options.FailIf(err, "client: couldn't create a self-signed X.509 cert") // TODO(kwalsh) keys should save cert on disk if keys are on disk keys.Cert = cert g := domain.Guard if *ca != "" { na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey) options.FailIf(err, "client: couldn't get a truncated attestation from %s: %s\n", *ca) keys.Delegation = na // If we're using a CA, then use a custom guard that accepts only // programs that have talked to the CA. g, err = newTempCAGuard(domain.Keys.VerifyingKey) options.FailIf(err, "client: couldn't set up a new guard") } pingGood := 0 pingFail := 0 for i := 0; i < *pingCount || *pingCount < 0; i++ { // negative means forever if doRequest(g, domain, keys) { pingGood++ } else { pingFail++ } fmt.Printf("client: made %d connections, finished %d ok, %d bad pings\n", i+1, pingGood, pingFail) } }
func doServer() { var sock net.Listener var err error var keys *tao.Keys network := "tcp" domain, err := tao.LoadDomain(configPath(), nil) options.FailIf(err, "error: couldn't load the tao domain from %s\n", configPath()) switch *demoAuth { case "tcp": sock, err = net.Listen(network, serverAddr) options.FailIf(err, "server: couldn't listen to the network") case "tls", "tao": // Generate a private/public key for this hosted program (hp) and // request attestation from the host of the statement "hp speaksFor // host". The resulting certificate, keys.Delegation, is a chain of // "says" statements extending to the policy key. The policy is // checked by the host before this program is executed. keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing, tao.Parent()) options.FailIf(err, "server: failed to generate delegated keys") // Create a certificate for the hp. keys.Cert, err = keys.SigningKey.CreateSelfSignedX509(&pkix.Name{ Organization: []string{"Google Tao Demo"}}) options.FailIf(err, "server: couldn't create certificate") g := domain.Guard if *ca != "" { // Replace keys.Delegation with a "says" statement directly from // the policy key. na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey) options.FailIf(err, "server: truncated attestation request failed") keys.Delegation = na g, err = newTempCAGuard(domain.Keys.VerifyingKey) options.FailIf(err, "server: couldn't set up a new guard") } tlsc, err := tao.EncodeTLSCert(keys) options.FailIf(err, "server: couldn't encode TLS certificate") conf := &tls.Config{ RootCAs: x509.NewCertPool(), Certificates: []tls.Certificate{*tlsc}, InsecureSkipVerify: true, ClientAuth: tls.RequireAnyClientCert, } if *demoAuth == "tao" { sock, err = tao.Listen(network, serverAddr, conf, g, domain.Keys.VerifyingKey, keys.Delegation) options.FailIf(err, "sever: couldn't create a taonet listener") } else { sock, err = tls.Listen(network, serverAddr, conf) options.FailIf(err, "server: couldn't create a tls listener") } } fmt.Printf("server: listening at %s using %s authentication.\n", serverAddr, *demoAuth) defer sock.Close() pings := make(chan bool, 5) connCount := 0 go func() { for connCount = 0; connCount < *pingCount || *pingCount < 0; connCount++ { // negative means forever conn, err := sock.Accept() options.FailIf(err, "server: can't accept connection") go doResponse(conn, pings) } }() pingGood := 0 pingFail := 0 for { select { case ok := <-pings: if ok { pingGood++ } else { pingFail++ } } } }