mirror of
https://github.com/ultravioletrs/cocos.git
synced 2026-06-23 04:10:25 +00:00
Danko Miladinovic
67f939fc66
* manager, cli and agent vtpm support * rebase and changed atls for vtpm * deleted unused code * changed chekproto.yaml script so it find the manager proto file correctly * fixe manager proto version * fix agent tests * fix server agent test * fix attestation test * fix attestation test gofumpt * created dummy RWC for TPM * fix comment * add default PCR values * rebase main * fix rust ci and missing header * changed embedded attestation to VMPL 2 * fix unused impot * fix pkg test * address attestation type * fix agent attestation test * add prc15 check * fix comments * fix cli tests * add doc * add mock for LeveledQuoteProvider when SEV-SNP device is not found Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix manager reading attestation policy * refactor PCR value checks and update attestation policy values Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix tests for sev and grpc --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com> Co-authored-by: Sammy Oina <sammyoina@gmail.com>
84 lines
1.8 KiB
Go
84 lines
1.8 KiB
Go
// Copyright (c) Ultraviolet
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
//go:build cgo
|
|
|
|
package grpc
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"net"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/absmach/magistrala/pkg/errors"
|
|
"github.com/ultravioletrs/cocos/pkg/atls"
|
|
config "github.com/ultravioletrs/cocos/pkg/attestation"
|
|
"google.golang.org/grpc/credentials"
|
|
)
|
|
|
|
func setupATLS(cfg AgentClientConfig) (credentials.TransportCredentials, error) {
|
|
err := config.ReadAttestationPolicy(cfg.AttestationPolicy, &config.AttestationPolicy)
|
|
if err != nil {
|
|
return nil, errors.Wrap(fmt.Errorf("failed to read Attestation Policy"), err)
|
|
}
|
|
|
|
tlsConfig := &tls.Config{
|
|
InsecureSkipVerify: true,
|
|
VerifyPeerCertificate: verifyPeerCertificateATLS,
|
|
}
|
|
return credentials.NewTLS(tlsConfig), nil
|
|
}
|
|
|
|
func CustomDialer(ctx context.Context, addr string) (net.Conn, error) {
|
|
ip, port, err := net.SplitHostPort(addr)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("could not create a custom dialer")
|
|
}
|
|
|
|
p, err := strconv.Atoi(port)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("bad format of IP address: %v", err)
|
|
}
|
|
|
|
conn, err := atls.DialTLSClient(ip, p)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("could not create TLS connection")
|
|
}
|
|
|
|
return conn, nil
|
|
}
|
|
|
|
func verifyPeerCertificateATLS(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
|
cert, err := x509.ParseCertificate(rawCerts[0])
|
|
if err != nil {
|
|
return errors.Wrap(errCertificateParse, err)
|
|
}
|
|
|
|
err = checkIfCertificateSelfSigned(cert)
|
|
if err != nil {
|
|
return errors.Wrap(errAttVerification, err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func checkIfCertificateSelfSigned(cert *x509.Certificate) error {
|
|
certPool := x509.NewCertPool()
|
|
certPool.AddCert(cert)
|
|
|
|
opts := x509.VerifyOptions{
|
|
Roots: certPool,
|
|
CurrentTime: time.Now(),
|
|
}
|
|
|
|
if _, err := cert.Verify(opts); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|