// EstablishCert contacts a CA to get a certificate signed by the policy key. It
// replaces the current delegation and cert on k with the new delegation and
// cert from the response.
func EstablishCert(network, addr string, k *tao.Keys, v *tao.Verifier) error {
na, err := tao.RequestAttestation(network, addr, k, v)
if err != nil {
return err
}
k.Delegation = na
pa, err := auth.UnmarshalForm(na.SerializedStatement)
if err != nil {
return err
}
// Parse the received statement.
var saysStatement *auth.Says
if ptr, ok := pa.(*auth.Says); ok {
saysStatement = ptr
} else if val, ok := pa.(auth.Says); ok {
saysStatement = &val
}
sf, ok := saysStatement.Message.(auth.Speaksfor)
if ok != true {
return errors.New("says doesn't have speaksfor message")
}
kprin, ok := sf.Delegate.(auth.Term)
if ok != true {
return errors.New("speaksfor message doesn't have Delegate")
}
newCert := auth.Bytes(kprin.(auth.Bytes))
cert, err := x509.ParseCertificate(newCert)
if err != nil {
return err
}
k.Cert["default"] = cert
return nil
}
func doServer() {
var sock net.Listener
var err error
var keys *tao.Keys
network := "tcp"
domain, err := tao.LoadDomain(configPath(), nil)
options.FailIf(err, "error: couldn't load the tao domain from %s\n", configPath())
switch *demoAuth {
case "tcp":
sock, err = net.Listen(network, serverAddr)
options.FailIf(err, "server: couldn't listen to the network")
case "tls", "tao":
// Generate a private/public key for this hosted program (hp) and
// request attestation from the host of the statement "hp speaksFor
// host". The resulting certificate, keys.Delegation, is a chain of
// "says" statements extending to the policy key. The policy is
// checked by the host before this program is executed.
keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing, tao.Parent())
options.FailIf(err, "server: failed to generate delegated keys")
// Create a certificate for the hp.
keys.Cert, err = keys.SigningKey.CreateSelfSignedX509(&pkix.Name{
Organization: []string{"Google Tao Demo"}})
options.FailIf(err, "server: couldn't create certificate")
g := domain.Guard
if *ca != "" {
// Replace keys.Delegation with a "says" statement directly from
// the policy key.
na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey)
options.FailIf(err, "server: truncated attestation request failed")
keys.Delegation = na
g, err = newTempCAGuard(domain.Keys.VerifyingKey)
options.FailIf(err, "server: couldn't set up a new guard")
}
tlsc, err := tao.EncodeTLSCert(keys)
options.FailIf(err, "server: couldn't encode TLS certificate")
conf := &tls.Config{
RootCAs: x509.NewCertPool(),
Certificates: []tls.Certificate{*tlsc},
InsecureSkipVerify: true,
ClientAuth: tls.RequireAnyClientCert,
}
if *demoAuth == "tao" {
sock, err = tao.Listen(network, serverAddr, conf, g, domain.Keys.VerifyingKey, keys.Delegation)
options.FailIf(err, "sever: couldn't create a taonet listener")
} else {
sock, err = tls.Listen(network, serverAddr, conf)
options.FailIf(err, "server: couldn't create a tls listener")
}
}
fmt.Printf("server: listening at %s using %s authentication.\n", serverAddr, *demoAuth)
defer sock.Close()
pings := make(chan bool, 5)
connCount := 0
go func() {
for connCount = 0; connCount < *pingCount || *pingCount < 0; connCount++ { // negative means forever
conn, err := sock.Accept()
options.FailIf(err, "server: can't accept connection")
go doResponse(conn, pings)
}
}()
pingGood := 0
pingFail := 0
for {
select {
case ok := <-pings:
if ok {
pingGood++
} else {
pingFail++
}
}
}
}