tpm-helpers/get.go

package tpm

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"strings"
	"time"

	"github.com/google/go-attestation/attest"
	"github.com/gorilla/websocket"
	"github.com/pkg/errors"
)

// GetAuthToken generates an authentication token from the host TPM.
// It will return the token as a string and the generated AK that should
// be saved by the caller for later Authentication.
func GetAuthToken(opts ...Option) (string, []byte, error) {
	c := newConfig()
	c.apply(opts...)

	attestationData, akBytes, err := getAttestationData(c)
	if err != nil {
		return "", nil, err
	}

	token, err := getToken(attestationData)
	if err != nil {
		return "", nil, err
	}

	return token, akBytes, err
}

// Authenticate will read from the passed channel, expecting a challenge from the
// attestation server, will compute a challenge response via the TPM using the passed
// Attestation Key (AK) and will send it back to the attestation server.
func Authenticate(akBytes []byte, channel io.ReadWriter, opts ...Option) error {
	c := newConfig()
	c.apply(opts...)

	var challenge Challenge
	if err := json.NewDecoder(channel).Decode(&challenge); err != nil {
		return fmt.Errorf("unmarshalling Challenge: %w", err)
	}

	challengeResp, err := getChallengeResponse(c, challenge.EC, akBytes)
	if err != nil {
		return err
	}

	if err := json.NewEncoder(channel).Encode(challengeResp); err != nil {
		return fmt.Errorf("encoding ChallengeResponse: %w", err)
	}

	return nil
}

func AuthRequest(r *http.Request, conn *websocket.Conn) error {
	token := r.Header.Get("Authorization")
	ek, at, err := GetAttestationData(token)
	if err != nil {
		return err
	}
	secret, challenge, err := GenerateChallenge(ek, at)
	if err != nil {
		return err
	}

	resp, err := writeRead(conn, challenge)
	if err != nil {
		return err
	}

	if err := ValidateChallenge(secret, resp); err != nil {
		return fmt.Errorf("error validating challenge: %w (response: %s)", err, string(resp))
	}

	return nil
}

func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
	writer, err := conn.NextWriter(websocket.BinaryMessage)
	if err != nil {
		return nil, err
	}

	if _, err := writer.Write(input); err != nil {
		return nil, err
	}
	writer.Close()
	_, reader, err := conn.NextReader()
	if err != nil {
		return nil, err
	}

	return ioutil.ReadAll(reader)
}

// Get retrieves a message from a remote ws server after
// a successfully process of the TPM challenge
func Get(url string, opts ...Option) ([]byte, error) {
	conn, err := Connection(url, opts...)
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	_, msg, err := conn.NextReader()
	if err != nil {
		return nil, fmt.Errorf("reading payload from tpm get: %w", err)
	}

	return ioutil.ReadAll(msg)
}

// Connection returns a connection to the endpoint which suathenticated already.
// The server side needs to call AuthRequest on the http request in order to authenticate and refuse connections
func Connection(url string, opts ...Option) (*websocket.Conn, error) {
	c := newConfig()
	c.apply(opts...)

	header := c.header
	if c.header == nil {
		header = http.Header{}
	}

	dialer := websocket.DefaultDialer
	if len(c.cacerts) > 0 {
		pool := x509.NewCertPool()
		if c.systemfallback {
			systemPool, err := x509.SystemCertPool()
			if err != nil {
				return nil, err
			}
			pool = systemPool
		}

		pool.AppendCertsFromPEM(c.cacerts)
		dialer = &websocket.Dialer{
			Proxy:            http.ProxyFromEnvironment,
			HandshakeTimeout: 45 * time.Second,
			TLSClientConfig: &tls.Config{
				RootCAs: pool,
			},
		}
	}

	attestationData, aikBytes, err := getAttestationData(c)
	if err != nil {
		return nil, err
	}

	// hash, err := GetPubHash(opts...)
	// if err != nil {
	// 	return nil, err
	// }

	token, err := getToken(attestationData)
	if err != nil {
		return nil, err
	}

	header.Add("Authorization", token)
	for k, v := range c.headers {
		header.Add(k, v)
	}

	wsURL := strings.Replace(url, "http", "ws", 1)
	//logrus.Infof("Using TPMHash %s to dial %s", hash, wsURL)
	conn, resp, err := dialer.Dial(wsURL, header)
	if err != nil {
		if resp != nil {
			if resp.StatusCode == http.StatusUnauthorized {
				data, err := ioutil.ReadAll(resp.Body)
				if err == nil {
					return nil, errors.New(string(data))
				}
			} else {
				return nil, fmt.Errorf("%w (Status: %s)", err, resp.Status)
			}
		}
		return nil, err
	}

	_, msg, err := conn.NextReader()
	if err != nil {
		return nil, fmt.Errorf("reading challenge: %w", err)
	}

	var challenge Challenge
	if err := json.NewDecoder(msg).Decode(&challenge); err != nil {
		return nil, fmt.Errorf("unmarshaling Challenge: %w", err)
	}

	challengeResp, err := getChallengeResponse(c, challenge.EC, aikBytes)
	if err != nil {
		return nil, err
	}

	writer, err := conn.NextWriter(websocket.BinaryMessage)
	if err != nil {
		return nil, err
	}

	if err := json.NewEncoder(writer).Encode(challengeResp); err != nil {
		return nil, fmt.Errorf("encoding ChallengeResponse: %w", err)
	}

	writer.Close()

	return conn, nil
}

func getChallengeResponse(c *config, ec *attest.EncryptedCredential, aikBytes []byte) (*ChallengeResponse, error) {
	tpm, err := getTPM(c)
	if err != nil {
		return nil, fmt.Errorf("opening tpm: %w", err)
	}
	defer tpm.Close()

	aik, err := tpm.LoadAK(aikBytes)
	if err != nil {
		return nil, err
	}
	defer aik.Close(tpm)

	secret, err := aik.ActivateCredential(tpm, *ec)
	if err != nil {
		return nil, fmt.Errorf("failed to activate credential: %w", err)
	}
	return &ChallengeResponse{
		Secret: secret,
	}, nil
}
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`package tpm`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/json"`
			`"fmt"`
tpm: add single step functions to perform attestation Split generation of the token based on the AK and the EK and the client authentication. In particular, make the new funcions agnostic on the channel making use of a io.ReadWriter interface. This way, the library could be used for the TPM attestation related tasks, with no assumptions on the channel or the (extra) data not related to the TPM attestation exchanged between the client and the server. Signed-off-by: Francesco Giudici <francesco.giudici@suse.com> 2022-08-19 14:04:28 +00:00			`"io"`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`"io/ioutil"`
			`"net/http"`
			`"strings"`
			`"time"`

			`"github.com/google/go-attestation/attest"`
			`"github.com/gorilla/websocket"`
			`"github.com/pkg/errors"`
			`)`

tpm: add single step functions to perform attestation Split generation of the token based on the AK and the EK and the client authentication. In particular, make the new funcions agnostic on the channel making use of a io.ReadWriter interface. This way, the library could be used for the TPM attestation related tasks, with no assumptions on the channel or the (extra) data not related to the TPM attestation exchanged between the client and the server. Signed-off-by: Francesco Giudici <francesco.giudici@suse.com> 2022-08-19 14:04:28 +00:00			`// GetAuthToken generates an authentication token from the host TPM.`
			`// It will return the token as a string and the generated AK that should`
			`// be saved by the caller for later Authentication.`
			`func GetAuthToken(opts ...Option) (string, []byte, error) {`
Allow to pass additional headers on Get() 2022-10-07 21:27:48 +00:00			`c := newConfig()`
tpm: add single step functions to perform attestation Split generation of the token based on the AK and the EK and the client authentication. In particular, make the new funcions agnostic on the channel making use of a io.ReadWriter interface. This way, the library could be used for the TPM attestation related tasks, with no assumptions on the channel or the (extra) data not related to the TPM attestation exchanged between the client and the server. Signed-off-by: Francesco Giudici <francesco.giudici@suse.com> 2022-08-19 14:04:28 +00:00			`c.apply(opts...)`

			`attestationData, akBytes, err := getAttestationData(c)`
			`if err != nil {`
			`return "", nil, err`
			`}`

			`token, err := getToken(attestationData)`
			`if err != nil {`
			`return "", nil, err`
			`}`

			`return token, akBytes, err`
			`}`

			`// Authenticate will read from the passed channel, expecting a challenge from the`
			`// attestation server, will compute a challenge response via the TPM using the passed`
			`// Attestation Key (AK) and will send it back to the attestation server.`
			`func Authenticate(akBytes []byte, channel io.ReadWriter, opts ...Option) error {`
Allow to pass additional headers on Get() 2022-10-07 21:27:48 +00:00			`c := newConfig()`
tpm: add single step functions to perform attestation Split generation of the token based on the AK and the EK and the client authentication. In particular, make the new funcions agnostic on the channel making use of a io.ReadWriter interface. This way, the library could be used for the TPM attestation related tasks, with no assumptions on the channel or the (extra) data not related to the TPM attestation exchanged between the client and the server. Signed-off-by: Francesco Giudici <francesco.giudici@suse.com> 2022-08-19 14:04:28 +00:00			`c.apply(opts...)`

			`var challenge Challenge`
			`if err := json.NewDecoder(channel).Decode(&challenge); err != nil {`
			`return fmt.Errorf("unmarshalling Challenge: %w", err)`
			`}`

			`challengeResp, err := getChallengeResponse(c, challenge.EC, akBytes)`
			`if err != nil {`
			`return err`
			`}`

			`if err := json.NewEncoder(channel).Encode(challengeResp); err != nil {`
			`return fmt.Errorf("encoding ChallengeResponse: %w", err)`
			`}`

			`return nil`
			`}`

Refactor logic, split such as can be re-used for posting data too 2023-01-18 14:46:03 +00:00			`func AuthRequest(r http.Request, conn websocket.Conn) error {`
			`token := r.Header.Get("Authorization")`
			`ek, at, err := GetAttestationData(token)`
			`if err != nil {`
			`return err`
			`}`
			`secret, challenge, err := GenerateChallenge(ek, at)`
			`if err != nil {`
			`return err`
			`}`

			`resp, err := writeRead(conn, challenge)`
			`if err != nil {`
			`return err`
			`}`

			`if err := ValidateChallenge(secret, resp); err != nil {`
Enhance error return from AuthRequest Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 15:08:16 +00:00			`return fmt.Errorf("error validating challenge: %w (response: %s)", err, string(resp))`
Refactor logic, split such as can be re-used for posting data too 2023-01-18 14:46:03 +00:00			`}`

			`return nil`
			`}`

			`func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {`
			`writer, err := conn.NextWriter(websocket.BinaryMessage)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if _, err := writer.Write(input); err != nil {`
			`return nil, err`
			`}`
			`writer.Close()`
			`_, reader, err := conn.NextReader()`
			`if err != nil {`
			`return nil, err`
			`}`

			`return ioutil.ReadAll(reader)`
			`}`

Fixup tests, add testing pipelines and small refactors Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-17 09:10:04 +00:00			`// Get retrieves a message from a remote ws server after`
			`// a successfully process of the TPM challenge`
			`func Get(url string, opts ...Option) ([]byte, error) {`
Refactor logic, split such as can be re-used for posting data too 2023-01-18 14:46:03 +00:00			`conn, err := Connection(url, opts...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer conn.Close()`

			`_, msg, err := conn.NextReader()`
			`if err != nil {`
			`return nil, fmt.Errorf("reading payload from tpm get: %w", err)`
			`}`

			`return ioutil.ReadAll(msg)`
			`}`

			`// Connection returns a connection to the endpoint which suathenticated already.`
			`// The server side needs to call AuthRequest on the http request in order to authenticate and refuse connections`
			`func Connection(url string, opts ...Option) (*websocket.Conn, error) {`
Allow to pass additional headers on Get() 2022-10-07 21:27:48 +00:00			`c := newConfig()`
Fixup tests, add testing pipelines and small refactors Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-17 09:10:04 +00:00			`c.apply(opts...)`

			`header := c.header`
			`if c.header == nil {`
			`header = http.Header{}`
			`}`

Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`dialer := websocket.DefaultDialer`
Fixup tests, add testing pipelines and small refactors Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-17 09:10:04 +00:00			`if len(c.cacerts) > 0 {`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`pool := x509.NewCertPool()`
Allow to append to system CA Fixes #1 Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-05-12 09:59:24 +00:00			`if c.systemfallback {`
			`systemPool, err := x509.SystemCertPool()`
			`if err != nil {`
			`return nil, err`
			`}`
			`pool = systemPool`
			`}`

Fixup tests, add testing pipelines and small refactors Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-17 09:10:04 +00:00			`pool.AppendCertsFromPEM(c.cacerts)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`dialer = &websocket.Dialer{`
			`Proxy: http.ProxyFromEnvironment,`
			`HandshakeTimeout: 45 * time.Second,`
			`TLSClientConfig: &tls.Config{`
			`RootCAs: pool,`
			`},`
			`}`
			`}`

Add backends and simulated TPM device Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 11:52:30 +00:00			`attestationData, aikBytes, err := getAttestationData(c)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Do not invoke logging into Get() 2022-10-13 14:55:13 +00:00			`// hash, err := GetPubHash(opts...)`
			`// if err != nil {`
			`// return nil, err`
			`// }`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00
			`token, err := getToken(attestationData)`
			`if err != nil {`
			`return nil, err`
			`}`

			`header.Add("Authorization", token)`
Allow to pass additional headers on Get() 2022-10-07 21:27:48 +00:00			`for k, v := range c.headers {`
			`header.Add(k, v)`
			`}`

Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`wsURL := strings.Replace(url, "http", "ws", 1)`
Do not invoke logging into Get() 2022-10-13 14:55:13 +00:00			`//logrus.Infof("Using TPMHash %s to dial %s", hash, wsURL)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`conn, resp, err := dialer.Dial(wsURL, header)`
			`if err != nil {`
Include more info in the error msg on Dial() error Include the HTTP Status CODE: it could help in diagnosing the connection failure. Signed-off-by: Francesco Giudici <francesco.giudici@suse.com> 2022-08-10 07:40:14 +00:00			`if resp != nil {`
			`if resp.StatusCode == http.StatusUnauthorized {`
			`data, err := ioutil.ReadAll(resp.Body)`
			`if err == nil {`
			`return nil, errors.New(string(data))`
			`}`
			`} else {`
			`return nil, fmt.Errorf("%w (Status: %s)", err, resp.Status)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`}`
			`}`
			`return nil, err`
			`}`

			`_, msg, err := conn.NextReader()`
			`if err != nil {`
			`return nil, fmt.Errorf("reading challenge: %w", err)`
			`}`

			`var challenge Challenge`
			`if err := json.NewDecoder(msg).Decode(&challenge); err != nil {`
			`return nil, fmt.Errorf("unmarshaling Challenge: %w", err)`
			`}`

Import other required functions Also add a test for Get with the Challenges logic associated too Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-17 11:28:58 +00:00			`challengeResp, err := getChallengeResponse(c, challenge.EC, aikBytes)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`writer, err := conn.NextWriter(websocket.BinaryMessage)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := json.NewEncoder(writer).Encode(challengeResp); err != nil {`
			`return nil, fmt.Errorf("encoding ChallengeResponse: %w", err)`
			`}`

Refactor logic, split such as can be re-used for posting data too 2023-01-18 14:46:03 +00:00			`writer.Close()`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00
Refactor logic, split such as can be re-used for posting data too 2023-01-18 14:46:03 +00:00			`return conn, nil`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`}`

Import other required functions Also add a test for Get with the Challenges logic associated too Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-17 11:28:58 +00:00			`func getChallengeResponse(c config, ec attest.EncryptedCredential, aikBytes []byte) (*ChallengeResponse, error) {`
			`tpm, err := getTPM(c)`
Import from rancherd Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com> 2022-02-16 09:53:10 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("opening tpm: %w", err)`
			`}`
			`defer tpm.Close()`

			`aik, err := tpm.LoadAK(aikBytes)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer aik.Close(tpm)`

			`secret, err := aik.ActivateCredential(tpm, *ec)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to activate credential: %w", err)`
			`}`
			`return &ChallengeResponse{`
			`Secret: secret,`
			`}, nil`
			`}`