func RetrieveTrustedClusterInfo(s *kubeadmapi.NodeConfiguration) (*kubeadmapi.ClusterInfo, error) {
host, port := s.MasterAddresses[0], 9898
requestURL := fmt.Sprintf("http://%s:%d/cluster-info/v1/?token-id=%s", host, port, s.Secrets.TokenID)
req, err := http.NewRequest("GET", requestURL, nil)
if err != nil {
return nil, fmt.Errorf("<node/discovery> failed to consturct an HTTP request [%v]", err)
}
fmt.Printf("<node/discovery> created cluster info discovery client, requesting info from %q\n", requestURL)
var res *http.Response
wait.PollInfinite(discoveryRetryTimeout, func() (bool, error) {
res, err = http.DefaultClient.Do(req)
if err != nil {
fmt.Printf("<node/discovery> failed to request cluster info, will try again: [%s]\n", err)
return false, nil
}
return true, nil
})
buf := new(bytes.Buffer)
io.Copy(buf, res.Body)
res.Body.Close()
object, err := jose.ParseSigned(buf.String())
if err != nil {
return nil, fmt.Errorf("<node/discovery> failed to parse response as JWS object [%v]", err)
}
fmt.Println("<node/discovery> cluster info object received, verifying signature using given token")
output, err := object.Verify(s.Secrets.Token)
if err != nil {
return nil, fmt.Errorf("<node/discovery> failed to verify JWS signature of received cluster info object [%v]", err)
}
clusterInfo := kubeadmapi.ClusterInfo{}
if err := json.Unmarshal(output, &clusterInfo); err != nil {
return nil, fmt.Errorf("<node/discovery> failed to decode received cluster info object [%v]", err)
}
if len(clusterInfo.CertificateAuthorities) == 0 || len(clusterInfo.Endpoints) == 0 {
return nil, fmt.Errorf("<node/discovery> cluster info object is invalid - no endpoint(s) and/or root CA certificate(s) found")
}
// TODO(phase1+) print summary info about the CA certificate, along with the the checksum signature
// we also need an ability for the user to configure the client to validate received CA cert against a checksum
fmt.Printf("<node/discovery> cluster info signature and contents are valid, will use API endpoints %v\n", clusterInfo.Endpoints)
return &clusterInfo, nil
}
// Verify checks that a token's signature is valid, and that the
// protobuf is syntactically valid as a token.
func (v *Verifier) Verify(s string) (token *pb.Token, err error) {
jws, err := jose.ParseSigned(s)
if err != nil {
return
}
payload, err := jws.Verify(v.publicKey)
if err != nil {
return
}
token := &pb.Token{}
err := proto.Unmarshal(payload, token)
if err != nil {
token = nil
return
}
}
// verifyPOST reads and parses the request body, looks up the Registration
// corresponding to its JWK, verifies the JWS signature, checks that the
// resource field is present and correct in the JWS protected header, and
// returns the JWS payload bytes, the key used to verify, and the corresponding
// Registration (or error). If regCheck is false, verifyPOST will still try to
// look up a registration object, and will return it if found. However, if no
// registration object is found, verifyPOST will attempt to verify the JWS using
// the key in the JWS headers, and return the key plus a dummy registration if
// successful. If a caller passes regCheck = false, it should plan on validating
// the key itself. verifyPOST also appends its errors to requestEvent.Errors so
// code calling it does not need to if they immediately return a response to the
// user.
func (wfe *WebFrontEndImpl) verifyPOST(ctx context.Context, logEvent *requestEvent, request *http.Request, regCheck bool, resource core.AcmeResource) ([]byte, *jose.JsonWebKey, core.Registration, *probs.ProblemDetails) {
// TODO: We should return a pointer to a registration, which can be nil,
// rather the a registration value with a sentinel value.
// https://github.com/letsencrypt/boulder/issues/877
reg := core.Registration{ID: 0}
if _, ok := request.Header["Content-Length"]; !ok {
wfe.stats.Inc("WFE.HTTP.ClientErrors.LengthRequiredError", 1, 1.0)
logEvent.AddError("missing Content-Length header on POST")
return nil, nil, reg, probs.ContentLengthRequired()
}
// Read body
if request.Body == nil {
wfe.stats.Inc("WFE.Errors.NoPOSTBody", 1, 1.0)
logEvent.AddError("no body on POST")
return nil, nil, reg, probs.Malformed("No body on POST")
}
bodyBytes, err := ioutil.ReadAll(request.Body)
if err != nil {
wfe.stats.Inc("WFE.Errors.UnableToReadRequestBody", 1, 1.0)
logEvent.AddError("unable to read request body")
return nil, nil, reg, probs.ServerInternal("unable to read request body")
}
body := string(bodyBytes)
// Parse as JWS
parsedJws, err := jose.ParseSigned(body)
if err != nil {
wfe.stats.Inc("WFE.Errors.UnableToParseJWS", 1, 1.0)
logEvent.AddError("could not JSON parse body into JWS: %s", err)
return nil, nil, reg, probs.Malformed("Parse error reading JWS")
}
// Verify JWS
// NOTE: It might seem insecure for the WFE to be trusted to verify
// client requests, i.e., that the verification should be done at the
// RA. However the WFE is the RA's only view of the outside world
// *anyway*, so it could always lie about what key was used by faking
// the signature itself.
if len(parsedJws.Signatures) > 1 {
wfe.stats.Inc("WFE.Errors.TooManyJWSSignaturesInPOST", 1, 1.0)
logEvent.AddError("too many signatures in POST body: %d", len(parsedJws.Signatures))
return nil, nil, reg, probs.Malformed("Too many signatures in POST body")
}
if len(parsedJws.Signatures) == 0 {
wfe.stats.Inc("WFE.Errors.JWSNotSignedInPOST", 1, 1.0)
logEvent.AddError("no signatures in POST body")
return nil, nil, reg, probs.Malformed("POST JWS not signed")
}
submittedKey := parsedJws.Signatures[0].Header.JsonWebKey
if submittedKey == nil {
wfe.stats.Inc("WFE.Errors.NoJWKInJWSSignatureHeader", 1, 1.0)
logEvent.AddError("no JWK in JWS signature header in POST body")
return nil, nil, reg, probs.Malformed("No JWK in JWS header")
}
if !submittedKey.Valid() {
wfe.stats.Inc("WFE.Errors.InvalidJWK", 1, 1.0)
logEvent.AddError("invalid JWK in JWS signature header in POST body")
return nil, nil, reg, probs.Malformed("Invalid JWK in JWS header")
}
var key *jose.JsonWebKey
reg, err = wfe.SA.GetRegistrationByKey(ctx, *submittedKey)
// Special case: If no registration was found, but regCheck is false, use an
// empty registration and the submitted key. The caller is expected to do some
// validation on the returned key.
if _, ok := err.(core.NoSuchRegistrationError); ok && !regCheck {
// When looking up keys from the registrations DB, we can be confident they
// are "good". But when we are verifying against any submitted key, we want
// to check its quality before doing the verify.
if err = wfe.keyPolicy.GoodKey(submittedKey.Key); err != nil {
wfe.stats.Inc("WFE.Errors.JWKRejectedByGoodKey", 1, 1.0)
logEvent.AddError("JWK in request was rejected by GoodKey: %s", err)
return nil, nil, reg, probs.Malformed(err.Error())
}
key = submittedKey
} else if err != nil {
// For all other errors, or if regCheck is true, return error immediately.
wfe.stats.Inc("WFE.Errors.UnableToGetRegistrationByKey", 1, 1.0)
logEvent.AddError("unable to fetch registration by the given JWK: %s", err)
if _, ok := err.(core.NoSuchRegistrationError); ok {
return nil, nil, reg, probs.Unauthorized(unknownKey)
}
return nil, nil, reg, core.ProblemDetailsForError(err, "")
} else {
// If the lookup was successful, use that key.
key = ®.Key
logEvent.Requester = reg.ID
logEvent.Contacts = reg.Contact
}
if statName, err := checkAlgorithm(key, parsedJws); err != nil {
wfe.stats.Inc(statName, 1, 1.0)
return nil, nil, reg, probs.Malformed(err.Error())
}
payload, err := parsedJws.Verify(key)
if err != nil {
wfe.stats.Inc("WFE.Errors.JWSVerificationFailed", 1, 1.0)
n := len(body)
if n > 100 {
n = 100
}
logEvent.AddError("verification of JWS with the JWK failed: %v; body: %s", err, body[:n])
return nil, nil, reg, probs.Malformed("JWS verification error")
}
// Check that the request has a known anti-replay nonce
nonce := parsedJws.Signatures[0].Header.Nonce
logEvent.RequestNonce = nonce
if len(nonce) == 0 {
wfe.stats.Inc("WFE.Errors.JWSMissingNonce", 1, 1.0)
logEvent.AddError("JWS is missing an anti-replay nonce")
return nil, nil, reg, probs.BadNonce("JWS has no anti-replay nonce")
} else if !wfe.nonceService.Valid(nonce) {
wfe.stats.Inc("WFE.Errors.JWSInvalidNonce", 1, 1.0)
logEvent.AddError("JWS has an invalid anti-replay nonce: %s", nonce)
return nil, nil, reg, probs.BadNonce(fmt.Sprintf("JWS has invalid anti-replay nonce %v", nonce))
}
// Check that the "resource" field is present and has the correct value
var parsedRequest struct {
Resource string `json:"resource"`
}
err = json.Unmarshal([]byte(payload), &parsedRequest)
if err != nil {
wfe.stats.Inc("WFE.Errors.UnparsableJWSPayload", 1, 1.0)
logEvent.AddError("unable to JSON parse resource from JWS payload: %s", err)
return nil, nil, reg, probs.Malformed("Request payload did not parse as JSON")
}
if parsedRequest.Resource == "" {
wfe.stats.Inc("WFE.Errors.NoResourceInJWSPayload", 1, 1.0)
logEvent.AddError("JWS request payload does not specify a resource")
return nil, nil, reg, probs.Malformed("Request payload does not specify a resource")
} else if resource != core.AcmeResource(parsedRequest.Resource) {
wfe.stats.Inc("WFE.Errors.MismatchedResourceInJWSPayload", 1, 1.0)
logEvent.AddError("JWS request payload does not match resource")
return nil, nil, reg, probs.Malformed("JWS resource payload does not match the HTTP resource: %s != %s", parsedRequest.Resource, resource)
}
return []byte(payload), key, reg, nil
}