github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/go/support_infrastructure/domain_service/test_server/test_server.go (about) 1 // Copyright (c) 2016, Google Inc. All rights reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // http://www.apache.org/licenses/LICENSE-2.0 7 // Unless required by applicable law or agreed to in writing, software 8 // distributed under the License is distributed on an "AS IS" BASIS, 9 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 10 // See the License for the specific language governing permissions and 11 // limitations under the License. 12 13 package main 14 15 import ( 16 "crypto/x509" 17 "flag" 18 "log" 19 20 "github.com/golang/protobuf/proto" 21 "github.com/jlmucb/cloudproxy/go/tao" 22 "github.com/jlmucb/cloudproxy/go/tao/auth" 23 24 "github.com/jlmucb/cloudproxy/go/support_infrastructure/domain_service" 25 ) 26 27 var hostName = &auth.Prin{ 28 Type: "program", 29 KeyHash: auth.Str("hostHash")} 30 31 var programName = &auth.Prin{ 32 Type: "program", 33 KeyHash: auth.Str("programHash")} 34 35 var network = flag.String("network", "tcp", "The network to use for connections") 36 var addr = flag.String("addr", "localhost:8124", "The address to listen on") 37 38 var domainPass = flag.String("password", "xxx", "The domain password") 39 var configPath = flag.String("config", "../server/tao.config", "The Tao domain config") 40 41 func main() { 42 domain, err := tao.LoadDomain(*configPath, []byte(*domainPass)) 43 if domain == nil { 44 log.Printf("domainserver: no domain path - %s, pass - %s, err - %s\n", 45 *configPath, *domainPass, err) 46 } else if err != nil { 47 log.Printf("domainserver: Couldn't load the config path %s: %s\n", 48 *configPath, err) 49 } 50 policyKey, policyCert := domain.Keys, domain.Keys.Cert 51 if policyCert == nil { 52 log.Fatalln("Policy cert not found") 53 } 54 hostKey, hostAtt := generateAttestation(policyKey, hostName) 55 programKey, programAtt := generateAttestation(hostKey, programName) 56 rawEnd1, err := proto.Marshal(hostAtt) 57 if err != nil { 58 log.Fatalln("Error serializing attestation.") 59 } 60 programAtt.SerializedEndorsements = [][]byte{rawEnd1} 61 cert, err := domain_service.RequestProgramCert(programAtt, programKey.VerifyingKey, 62 *network, *addr) 63 if err != nil { 64 log.Fatalln("Error:", err) 65 } 66 rootCerts := x509.NewCertPool() 67 rootCerts.AddCert(domain.Keys.Cert) 68 options := x509.VerifyOptions{Roots: rootCerts} 69 _, err = cert.Verify(options) 70 if err != nil { 71 log.Fatalln("Program cert fails verification check.", err) 72 } 73 ver, err := tao.VerifierFromX509(cert) 74 if err != nil { 75 log.Fatalln("Error getting verifier from Program cert", err) 76 } 77 if v := programKey.VerifyingKey; !v.KeyEqual(cert) { 78 log.Fatalf("Key in Program cert %v differs from expected value %v.", ver, v) 79 } 80 81 // Test Certificate Revocation. 82 serialNumber := cert.SerialNumber 83 says := auth.Says{ 84 Speaker: domain.Keys.SigningKey.ToPrincipal(), 85 Message: auth.Pred{ 86 Name: "revoke", 87 Arg: []auth.Term{auth.Bytes(serialNumber.Bytes())}}} 88 89 att, err := tao.GenerateAttestation(domain.Keys.SigningKey, nil, says) 90 if err != nil { 91 log.Fatalln("Error generating attestation for certificate revocation.") 92 } 93 err = domain_service.RequestRevokeCertificate(att, *network, *addr) 94 if err != nil { 95 log.Fatalln("Error revoking certificate: ", err) 96 } 97 crl, err := domain_service.RequestCrl(*network, *addr) 98 99 if err != nil { 100 log.Fatalln("Error getting CRL: ", err) 101 } 102 revokedCerts := crl.TBSCertList.RevokedCertificates 103 if len(revokedCerts) != 1 { 104 log.Fatalf("Revoked 1 cert and got back CRL with %v revoked certs", len(revokedCerts)) 105 } 106 if num := revokedCerts[0].SerialNumber.Int64(); num != serialNumber.Int64() { 107 log.Fatalf("Serial number %v doesnt match expected value %v", num, serialNumber) 108 } 109 log.Println("YAY!") 110 } 111 112 func generateEndorsementCertficate(policyKey *tao.Keys, policyCert *x509.Certificate) (*tao.Keys, 113 *x509.Certificate) { 114 k, err := tao.NewTemporaryKeys(tao.Signing) 115 if k == nil || err != nil { 116 log.Fatalln("Can't generate signing key") 117 } 118 us := "US" 119 google := "Google" 120 machineName := "Encoded Machine Information" 121 details := tao.X509Details{ 122 Country: &us, 123 Organization: &google, 124 CommonName: &machineName} 125 subject := tao.NewX509Name(&details) 126 pkInt := tao.PublicKeyAlgFromSignerAlg(*policyKey.SigningKey.Header.KeyType) 127 sigInt := tao.SignatureAlgFromSignerAlg(*policyKey.SigningKey.Header.KeyType) 128 cert, err := policyKey.SigningKey.CreateSignedX509( 129 policyCert, 0, k.SigningKey.GetVerifierFromSigner(), 130 pkInt, sigInt, subject) 131 if err != nil { 132 log.Fatalln(err) 133 } 134 return k, cert 135 } 136 137 func generateAttestation(signingKey *tao.Keys, delegator *auth.Prin) (*tao.Keys, *tao.Attestation) { 138 k, err := tao.NewTemporaryKeys(tao.Signing) 139 if k == nil || err != nil { 140 log.Fatalln("Can't generate signing key") 141 } 142 speaksFor := &auth.Speaksfor{ 143 Delegate: k.SigningKey.ToPrincipal(), 144 Delegator: delegator, 145 } 146 says := &auth.Says{ 147 Speaker: signingKey.SigningKey.ToPrincipal(), 148 Time: nil, 149 Expiration: nil, 150 Message: speaksFor, 151 } 152 att, err := tao.GenerateAttestation(signingKey.SigningKey, nil, *says) 153 if err != nil { 154 log.Fatalln(err) 155 } 156 return k, att 157 }