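// EstablishCert contacts a CA at network/addr to get a certificate signed by
// the policy key. On success it replaces the current delegation and the
// "default" cert on k with the delegation and cert from the response; on any
// error k is left untouched.
//
// The response is network input from the CA, so every type assertion on the
// parsed statement is checked: a malformed or unexpected reply yields an error
// instead of a nil dereference or an assertion panic.
//
// NOTE(review): nothing in this function checks who signed the "says"
// statement or that the returned certificate binds k's own public key; that
// is assumed to happen inside tao.RequestAttestation using v. Confirm against
// that implementation before trusting k.Cert["default"].
func EstablishCert(network, addr string, k *tao.Keys, v *tao.Verifier) error {
	na, err := tao.RequestAttestation(network, addr, k, v)
	if err != nil {
		return err
	}
	pa, err := auth.UnmarshalForm(na.SerializedStatement)
	if err != nil {
		return err
	}
	// The statement may be delivered as a pointer or as a value; accept both,
	// and reject anything else (the original code dereferenced a nil pointer
	// in that case).
	var saysStatement *auth.Says
	switch s := pa.(type) {
	case *auth.Says:
		saysStatement = s
	case auth.Says:
		saysStatement = &s
	default:
		return fmt.Errorf("attestation statement is %T, expected auth.Says", pa)
	}
	if saysStatement == nil {
		return errors.New("attestation statement is a nil says")
	}
	sf, ok := saysStatement.Message.(auth.Speaksfor)
	if !ok {
		return errors.New("says doesn't have speaksfor message")
	}
	kprin, ok := sf.Delegate.(auth.Term)
	if !ok {
		return errors.New("speaksfor message doesn't have Delegate")
	}
	// The delegate carries the DER-encoded certificate. This assertion was
	// unchecked before and would panic on any other term type.
	certBytes, ok := kprin.(auth.Bytes)
	if !ok {
		return fmt.Errorf("speaksfor delegate is %T, expected auth.Bytes", kprin)
	}
	cert, err := x509.ParseCertificate(certBytes)
	if err != nil {
		return err
	}
	// Commit both fields only once the whole response parsed cleanly, so a bad
	// reply cannot leave k holding a new delegation alongside the old cert.
	if k.Cert == nil {
		k.Cert = make(map[string]*x509.Certificate)
	}
	k.Delegation = na
	k.Cert["default"] = cert
	return nil
}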
// doServer runs the demo server until the process exits. It reads the
// package-level flags demoAuth, ca and pingCount and the address serverAddr,
// and selects one of three listener types: plain TCP ("tcp"), TLS with the
// hosted program's delegated key ("tls"), or a Tao-authenticated listener that
// also enforces the domain guard ("tao"). Each accepted connection is handed to
// doResponse, which reports success/failure on the pings channel.
func doServer() {
	var sock net.Listener
	var err error
	var keys *tao.Keys
	network := "tcp"
	domain, err := tao.LoadDomain(configPath(), nil)
	options.FailIf(err, "error: couldn't load the tao domain from %s\n", configPath())
	switch *demoAuth {
	case "tcp":
		// No authentication at all; anyone who can reach serverAddr is served.
		sock, err = net.Listen(network, serverAddr)
		options.FailIf(err, "server: couldn't listen to the network")
	case "tls", "tao":
		// Generate a private/public key for this hosted program (hp) and
		// request attestation from the host of the statement "hp speaksFor
		// host". The resulting certificate, keys.Delegation, is a chain of
		// "says" statements extending to the policy key. The policy is
		// checked by the host before this program is executed.
		keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing, tao.Parent())
		options.FailIf(err, "server: failed to generate delegated keys")
		// Create a certificate for the hp.
		keys.Cert, err = keys.SigningKey.CreateSelfSignedX509(&pkix.Name{
			Organization: []string{"Google Tao Demo"}})
		options.FailIf(err, "server: couldn't create certificate")
		g := domain.Guard
		if *ca != "" {
			// Replace keys.Delegation with a "says" statement directly from
			// the policy key.
			// Note: `na, err :=` declares a fresh err in this block; the
			// assignment to g below targets the outer g, so the new guard is
			// the one handed to tao.Listen.
			na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey)
			options.FailIf(err, "server: truncated attestation request failed")
			keys.Delegation = na
			g, err = newTempCAGuard(domain.Keys.VerifyingKey)
			options.FailIf(err, "server: couldn't set up a new guard")
		}
		tlsc, err := tao.EncodeTLSCert(keys)
		options.FailIf(err, "server: couldn't encode TLS certificate")
		// Security note: InsecureSkipVerify together with RequireAnyClientCert
		// means the TLS handshake demands a client certificate but performs no
		// chain validation on it, so RootCAs (an empty pool) is never
		// consulted. In "tls" mode nothing visible in this function checks the
		// client cert any further, i.e. the client is effectively
		// unauthenticated at the transport layer. In "tao" mode the guard g,
		// the policy verifying key and keys.Delegation are passed to
		// tao.Listen, which is presumably where the peer's delegation is
		// verified against policy -- confirm in tao.Listen before relying on
		// this.
		conf := &tls.Config{
			RootCAs:            x509.NewCertPool(),
			Certificates:       []tls.Certificate{*tlsc},
			InsecureSkipVerify: true,
			ClientAuth:         tls.RequireAnyClientCert,
		}
		if *demoAuth == "tao" {
			sock, err = tao.Listen(network, serverAddr, conf, g, domain.Keys.VerifyingKey, keys.Delegation)
			options.FailIf(err, "sever: couldn't create a taonet listener")
		} else {
			sock, err = tls.Listen(network, serverAddr, conf)
			options.FailIf(err, "server: couldn't create a tls listener")
		}
	}
	fmt.Printf("server: listening at %s using %s authentication.\n", serverAddr, *demoAuth)
	defer sock.Close()
	// Buffered so a few doResponse goroutines can report without blocking on
	// the tallying loop below.
	pings := make(chan bool, 5)
	connCount := 0
	// Accept loop: stops after *pingCount connections (negative means
	// forever). An Accept error is fatal via options.FailIf.
	go func() {
		for connCount = 0; connCount < *pingCount || *pingCount < 0; connCount++ { // negative means forever
			conn, err := sock.Accept()
			options.FailIf(err, "server: can't accept connection")
			go doResponse(conn, pings)
		}
	}()
	// Tally results forever; this loop never returns, so the deferred
	// sock.Close above only runs if the process is torn down some other way.
	pingGood := 0
	pingFail := 0
	for {
		select {
		case ok := <-pings:
			if ok {
				pingGood++
			} else {
				pingFail++
			}
		}
	}
}