WIP
smo4201 committed Feb 15, 2024
1 parent 93c7fe4 commit fe2e932
Showing 3 changed files with 101 additions and 89 deletions.
60 changes: 22 additions & 38 deletions attestedhttp/client.go
Expand Up @@ -18,9 +18,9 @@ package attestedhttp
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io"
"net"
"net/http"
"time"
Expand All @@ -30,7 +30,6 @@ import (
ar "github.com/Fraunhofer-AISEC/cmc/attestationreport"
atls "github.com/Fraunhofer-AISEC/cmc/attestedtls"
"github.com/Fraunhofer-AISEC/cmc/cmc"
"github.com/Fraunhofer-AISEC/cmc/internal"
)

var log = logrus.WithField("service", "ahttps")
Expand Down Expand Up @@ -77,6 +76,7 @@ type Client struct {
client *http.Client
}

// TODO find better solution
var (
timeout = 10 * time.Second
cmcConfig atls.CmcConfig
Expand All @@ -86,42 +86,6 @@ var (
// Wrapper for client.Get()
func (c *Client) Get(url string) (resp *http.Response, err error) {

// Add root CA
roots := x509.NewCertPool()
success := roots.AppendCertsFromPEM(c.Transport.Ca)
if !success {
log.Fatal("Could not add cert to root CAs")
}

// If certificates have not yet been fetched from CMC, fetch them and
// create the TLS configuration based on the given parameters
if tlsConfig == nil {
log.Debug("Creating aTLS configuration")
if c.Transport.MutualTls {
// Load own certificate
cert, err := atls.GetCert(
atls.WithCmcAddr(c.Transport.CmcAddr),
atls.WithCmcApi(c.Transport.CmcApi),
atls.WithCmcNetwork(c.Transport.CmcNetwork),
atls.WithCmc(c.Transport.Cmc))
if err != nil {
log.Fatalf("failed to get TLS Certificate: %v", err)
}
// Create TLS config with root CA and own certificate for authentication
tlsConfig = &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: roots,
}
} else {
// Create TLS config with root CA only
tlsConfig = &tls.Config{
RootCAs: roots,
Renegotiation: tls.RenegotiateNever,
}
}
internal.PrintTlsConfig(tlsConfig, c.Transport.Ca)
}

if c.client == nil {
log.Tracef("Initializing new HTTP client")
// Create http.Transport from wrapper
Expand All @@ -147,6 +111,7 @@ func (c *Client) Get(url string) (resp *http.Response, err error) {
}

// Store aTLS and CMC configuration
tlsConfig = c.Transport.TLSClientConfig
cmcConfig.Attest = atls.GetAttestMode(c.Transport.Attest)
cmcConfig.Ca = c.Transport.Ca
cmcConfig.Cmc = c.Transport.Cmc
Expand All @@ -161,6 +126,25 @@ func (c *Client) Get(url string) (resp *http.Response, err error) {
return c.client.Get(url)
}

func (c *Client) Do(req *http.Request) (*http.Response, error) {

return c.client.Do(req)
}

func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error) {

return c.client.Post(url, contentType, body)
}

func (c *Client) Head(url string) (resp *http.Response, err error) {

return c.client.Head(url)
}

func (c *Client) CloseIdleConnections() {
c.client.CloseIdleConnections()
}

func dialATlsContext(ctx context.Context, network, addr string) (net.Conn, error) {

if tlsConfig == nil {
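Review bot: The new Do, Post, Head and CloseIdleConnections wrappers call c.client directly, while only Get performs the `if c.client == nil` initialization visible above them, so a first request issued through any of the new methods dereferences a nil *http.Client and panics, and the package-level tlsConfig and cmcConfig that dialATlsContext reads stay unset. Move the `if c.client == nil { ... }` block out of Get into a private helper such as `func (c *Client) init() error` and call it at the top of each new method as `if err := c.init(); err != nil { return nil, err }` (CloseIdleConnections can simply return when c.client is nil); that block continues outside the hunk, so the extraction touches lines not shown here. The exported methods also lack doc comments; `// Do is a wrapper for client.Do()` in the style of the existing Get comment would suffice.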
53 changes: 3 additions & 50 deletions attestedhttp/server.go
Expand Up @@ -16,15 +16,13 @@
package attestedhttp

import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net/http"

ar "github.com/Fraunhofer-AISEC/cmc/attestationreport"
atls "github.com/Fraunhofer-AISEC/cmc/attestedtls"
"github.com/Fraunhofer-AISEC/cmc/cmc"
"github.com/Fraunhofer-AISEC/cmc/internal"
)

// Wrapper for http.Server
Expand All @@ -43,56 +41,11 @@ type Server struct {
}

func (s *Server) ListenAndServe() error {
// Add root CA
roots := x509.NewCertPool()
success := roots.AppendCertsFromPEM(s.Ca)
if !success {
log.Fatal("Could not add cert to root CAs")
}

// Load certificate
cert, err := atls.GetCert(
atls.WithCmcAddr(s.CmcAddr),
atls.WithCmcApi(s.CmcApi),
atls.WithCmcNetwork(s.CmcNetwork),
atls.WithCmc(s.Cmc))
if err != nil {
log.Fatalf("failed to get TLS Certificate: %v", err)
if s.Server.TLSConfig == nil {
return errors.New("failed to listen: no TLS config provided")
}

var clientAuth tls.ClientAuthType
if s.MutualTls {
// Mandate client authentication
clientAuth = tls.RequireAndVerifyClientCert
} else {
// Make client authentication optional
clientAuth = tls.VerifyClientCertIfGiven
}

// Overwrite specified TLS config to enforce aTLS as configured
if s.Server.TLSConfig != nil {
if s.Server.TLSConfig.Certificates != nil {
log.Warn("Overwriting TLS config: using aTLS certificates")
}
if s.Server.TLSConfig.ClientAuth != clientAuth {
log.Warnf("Overwriting TLS config: setting client auth to %v", clientAuth)
}
if s.Server.TLSConfig.ClientCAs != nil {
log.Warn("Overwriting TLS config: using aTLS CA")
}
if s.Server.TLSConfig.Renegotiation != tls.RenegotiateNever {
log.Warnf("Overwriting TLS config: setting renegotiation to %v", tls.RenegotiateNever)
}
} else {
s.Server.TLSConfig = &tls.Config{}
}
s.Server.TLSConfig.Certificates = []tls.Certificate{cert}
s.Server.TLSConfig.ClientAuth = clientAuth
s.Server.TLSConfig.ClientCAs = roots
s.Server.TLSConfig.Renegotiation = tls.RenegotiateNever

internal.PrintTlsConfig(s.Server.TLSConfig, s.Ca)

verificationResult := new(ar.VerificationResult)

// Listen: TLS connection
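Review bot: The new guard on s.Server.TLSConfig only checks for nil, while the removed lines derived ClientAuth from s.MutualTls and forced ClientCAs and RenegotiateNever; a caller-supplied config that leaves ClientAuth at its zero value now listens with MutualTls set but without client certificate verification. Validate the supplied config against the Server's own fields before listening, e.g. `if s.MutualTls && s.Server.TLSConfig.ClientAuth != tls.RequireAndVerifyClientCert { return errors.New("mutual TLS configured but TLS config does not require client certificates") }`; this needs crypto/tls, which the shrunken import block suggests the commit drops. Also drop the "failed to listen: " prefix from the new error string, since wrapping callers add that context. ListenAndServe continues outside the hunk.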
77 changes: 76 additions & 1 deletion testtool/http.go
Expand Up @@ -17,6 +17,8 @@ package main

// Install github packages with "go get [url]"
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"net/http"
Expand All @@ -27,6 +29,7 @@ import (
ahttp "github.com/Fraunhofer-AISEC/cmc/attestedhttp"
atls "github.com/Fraunhofer-AISEC/cmc/attestedtls"
"github.com/Fraunhofer-AISEC/cmc/cmc"
"github.com/Fraunhofer-AISEC/cmc/internal"
)

// HTTP header constants
Expand All @@ -47,11 +50,46 @@ const (
// Creates an attested HTTPS connection and performs the specified requests
func requestInternal(c *config, api atls.CmcApiSelect, cmc *cmc.Cmc) error {

// Add root CA
roots := x509.NewCertPool()
success := roots.AppendCertsFromPEM(c.ca)
if !success {
log.Fatal("Could not add cert to root CAs")
}

// Load certificate from CMC if mutual TLS is activated and
// create basic TLS configuration for aTLS
var tlsConfig *tls.Config
log.Debug("Creating aTLS configuration")
if c.Mtls {
cert, err := atls.GetCert(
atls.WithCmcAddr(c.CmcAddr),
atls.WithCmcApi(api),
atls.WithCmcNetwork(c.Network),
atls.WithCmc(cmc))
if err != nil {
log.Fatalf("failed to get TLS Certificate: %v", err)
}
// Create TLS config with root CA and own certificate for authentication
tlsConfig = &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: roots,
}
} else {
// Create TLS config with root CA only
tlsConfig = &tls.Config{
RootCAs: roots,
Renegotiation: tls.RenegotiateNever,
}
}
internal.PrintTlsConfig(tlsConfig, c.ca)

// Create an attested HTTP Transport structure. This is a wrapper around http.Transport,
// look for the descriptions of the parameters there. Additionally, the aTLS parameters
// must be configured
transport := &ahttp.Transport{
IdleConnTimeout: 60 * time.Second,
TLSClientConfig: tlsConfig,

Attest: c.Attest,
MutualTls: c.Mtls,
Expand Down Expand Up @@ -94,6 +132,42 @@ func requestInternal(c *config, api atls.CmcApiSelect, cmc *cmc.Cmc) error {

func serveInternal(c *config, api atls.CmcApiSelect, cmc *cmc.Cmc) {

// Add root CA
roots := x509.NewCertPool()
success := roots.AppendCertsFromPEM(s.Ca)
if !success {
log.Fatal("Could not add cert to root CAs")
}

// Load certificate from CMC
cert, err := atls.GetCert(
atls.WithCmcAddr(c.CmcAddr),
atls.WithCmcApi(api),
atls.WithCmcNetwork(c.Network),
atls.WithCmc(cmc))
if err != nil {
log.Fatalf("failed to get TLS Certificate: %v", err)
}

var clientAuth tls.ClientAuthType
if c.Mtls {
// Mandate client authentication
clientAuth = tls.RequireAndVerifyClientCert
} else {
// Make client authentication optional
clientAuth = tls.VerifyClientCertIfGiven
}

// Overwrite specified TLS config to enforce aTLS as configured
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: clientAuth,
ClientCAs: roots,
Renegotiation: tls.RenegotiateNever,
}

internal.PrintTlsConfig(s.Server.TLSConfig, s.Ca)

// Config allows to specify more than one address for dialing,
// always use first address for listening
addr := ""
Expand All @@ -106,7 +180,8 @@ func serveInternal(c *config, api atls.CmcApiSelect, cmc *cmc.Cmc) {
// specified
server := &ahttp.Server{
Server: &http.Server{
Addr: addr,
Addr: addr,
TLSConfig: tlsConfig,
},
Attest: c.Attest,
MutualTls: c.Mtls,
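Review bot: serveInternal references an undefined `s` at `roots.AppendCertsFromPEM(s.Ca)` and at `internal.PrintTlsConfig(s.Server.TLSConfig, s.Ca)`; the function's parameters are c, api and cmc, and the server value is only created further down as `server`, so this file does not compile as committed. The two lines should read `success := roots.AppendCertsFromPEM(c.ca)` and `internal.PrintTlsConfig(tlsConfig, c.ca)`, matching requestInternal above. In requestInternal, the mutual-TLS branch of the new tls.Config omits the `Renegotiation: tls.RenegotiateNever` that the non-mTLS branch sets; setting it in both branches keeps the two client configs consistent with the server-side config built in serveInternal. Both functions continue outside the hunks.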
