Merge pull request #1 from jeremyhahn/develop

Overhaul storage layers, add PKCS8/PKCS11 abstraction layer

Author: jeremyhahn

.vscode/launch.json

@@ -22,7 +22,7 @@
  "ca",
  "install-ca-certificates",
  "--debug",
- "--ca-password", "ca-intermediate-password",
+ "--ca-password", "ca-password",
  "--server-password", "server-password",
  ],
  }, 
@@ -62,7 +62,7 @@
  "args": [
  "tpm",
  "eventlog",
- "--ca-password", "ca-intermediate-password",
+ "--ca-password", "ca-password",
  ],
  },
  {
@@ -76,9 +76,8 @@
  "tpm",
  "import-ek",
  "--file", "ECcert.bin",
- "--root-password", "ca-root-password",
- "--intermediate-password", "ca-intermediate-password",
- "--ca-password", "ca-intermediate-password",
+ "--ca-parent-password", "ca-parent-password",
+ "--ca-password", "ca-password",
  ],
  },
  {
@@ -90,17 +89,30 @@
  "program": "${workspaceRoot}/pkg",
  "args": ["webservice",
  "--debug",
+ "--platform-dir", "trusted-data",
+ "--config-dir", "trusted-data/etc",
+ "--log-dir", "trusted-data/log",
+ "--ca-dir", "trusted-data/ca",
+ "--server-password", "server-password",
+ "--ca-password", "ca-password",
  ],
  }, 
  {
  "name": "trusted-platform webservice (clean)",
  "type": "go",
  "request": "launch",
  "mode": "debug",
- "preLaunchTask": "rm_trusted_data",
+ "preLaunchTask": "debug_config_clean",
  "program": "${workspaceRoot}/pkg",
  "args": ["webservice",
  "--debug",
+ "--platform-dir", "trusted-data",
+ "--config-dir", "trusted-data/etc",
+ "--log-dir", "trusted-data/log",
+ "--ca-dir", "trusted-data/ca",
+ "--ca-parent-password", "ca-parent-password",
+ "--ca-password", "ca-password",
+ "--server-password", "server-password",
  ],
  },
  {
@@ -123,31 +135,31 @@
  "program": "${workspaceRoot}/pkg",
  "args": ["verifier",
  "--debug",
+ "--platform-dir", "../attestation/verifier/trusted-data",
  "--config-dir", "../attestation/verifier/trusted-data/etc",
- "--platform-dir", "../attestation/attestor/trusted-data",
- "--log-dir", "../attestation/verifier/trusted-data/logs",
+ "--log-dir", "../attestation/verifier/trusted-data/log",
  "--ca-dir", "../attestation/verifier/trusted-data/ca",
- "--ca-password", "ca-intermediate-password",
+ "--ca-password", "ca-password",
  "--server-password", "server-password",
- "--attestor", "attestor.example.com",
+ "--attestor", "www.attestor.example.com",
  "--ak-password", "ak-password",
  ],
  }, {
  "name": "trusted-platform verifier",
  "type": "go",
  "request": "launch",
  "mode": "debug",
- "preLaunchTask": "debug_config",
+ // "preLaunchTask": "debug_config",
  "program": "${workspaceRoot}/pkg",
  "args": ["verifier",
  "--debug",
+ "--platform-dir", "../attestation/verifier/trusted-data",
  "--config-dir", "../attestation/verifier/trusted-data/etc",
- "--platform-dir", "../attestation/attestor/trusted-data",
- "--log-dir", "../attestation/verifier/trusted-data/logs",
+ "--log-dir", "../attestation/verifier/trusted-data/log",
  "--ca-dir", "../attestation/verifier/trusted-data/ca",
- "--ca-password", "ca-intermediate-password",
+ "--ca-password", "ca-password",
  "--server-password", "server-password",
- "--attestor", "attestor.example.com",
+ "--attestor", "www.attestor.example.com",
  "--ak-password", "ak-password",
  ],
  }, {
@@ -159,11 +171,11 @@
  "program": "${workspaceRoot}/pkg",
  "args": ["attestor",
  "--debug",
- "--config-dir", "../attestation/attestor/trusted-data/etc",
  "--platform-dir", "../attestation/attestor/trusted-data",
- "--log-dir", "../attestation/attestor/trusted-data/logs",
+ "--config-dir", "../attestation/attestor/trusted-data/etc",
+ "--log-dir", "../attestation/attestor/trusted-data/log",
  "--ca-dir", "../attestation/attestor/trusted-data/ca",
- "--ca-password", "ca-intermediate-password",
+ "--ca-password", "ca-password",
  "--server-password", "server-password",
  ],
  }, {
@@ -175,11 +187,11 @@
  "program": "${workspaceRoot}/pkg",
  "args": ["attestor",
  "--debug",
- "--config-dir", "../attestation/attestor/trusted-data/etc",
  "--platform-dir", "../attestation/attestor/trusted-data",
- "--log-dir", "../attestation/attestor/trusted-data/logs",
+ "--config-dir", "../attestation/attestor/trusted-data/etc",
+ "--log-dir", "../attestation/attestor/trusted-data/log",
  "--ca-dir", "../attestation/attestor/trusted-data/ca",
- "--ca-password", "ca-intermediate-password",
+ "--ca-password", "ca-password",
  "--server-password", "server-password",
  ],
  }

.vscode/tasks.json

@@ -3,22 +3,44 @@
  "tasks": [{
  "type": "shell",
  "label": "debug_config",
+ "dependsOn": [
+ "make_trusted_data",
+ ],
  "command": "cp",
  "args": [
  "configs/platform/config.debug.yaml",
- "pkg/config.yaml",
+ "pkg/trusted-data/etc/config.yaml",
  ]
  },
  {
  "type": "shell",
- "label": "rm_trusted_data",
+ "label": "debug_config_clean",
  "dependsOn": [
- "debug_config",
+ "rm_trusted_data",
+ "make_trusted_data",
  ],
+ "command": "cp",
+ "args": [
+ "configs/platform/config.debug.yaml",
+ "pkg/trusted-data/etc/config.yaml",
+ ]
+ },
+ {
+ "type": "shell",
+ "label": "make_trusted_data",
+ "command": "mkdir",
+ "args": [
+ "-p",
+ "pkg/trusted-data/etc",
+ ]
+ },
+ {
+ "type": "shell",
+ "label": "rm_trusted_data",
  "command": "rm",
  "args": [
  "-rf",
- "trusted-data",
+ "pkg/trusted-data",
  ]
  },
  {
@@ -45,9 +67,6 @@
  },
  {
  "type": "shell",
- "dependsOn": [
- "debug_config",
- ],
  "label": "attestor_init",
  "command": "make",
  "args": [
@@ -56,9 +75,9 @@
  },
  {
  "type": "shell",
- "dependsOn": [
- "debug_config",
- ],
+ // "dependsOn": [
+ //  "debug_config",
+ // ],
  "label": "verifier_init",
  "command": "make",
  "args": [

Makefile

@@ -68,8 +68,11 @@ ROOT_CA ?= root-ca
 INTERMEDIATE_CA ?= intermediate-ca
 DOMAIN ?= example.com
 
-VERIFIER_HOSTNAME ?= verifier
-ATTESTOR_HOSTNAME ?= attestor
+VERIFIER_HOSTNAME ?= www
+VERIFIER_DOMAIN ?= verifier.example.com
+
+ATTESTOR_HOSTNAME ?= www
+ATTESTOR_DOMAIN ?= attestor.example.com
 
 CONFIG_YAML ?= config.dev.yaml
 
@@ -138,12 +141,15 @@ deps:
 
 swagger:
 swag init \
---dir webservice,webservice/v1/router,webservice/v1/response,service,model,app,config \
+--dir pkg/webservice,pkg/webservice/v1/router,pkg/webservice/v1/response,pkg/app,pkg/config \
 --generalInfo webserver_v1.go \
 --parseDependency \
 --parseInternal \
 --parseDepth 1 \
---output public_html/swagger
+--output pkg/public_html/swagger
+
+swagger-ui:
+git clone --depth=1 https://github.com/swagger-api/swagger-ui.git public_html/swagger
 
 
 # x86_64
@@ -234,13 +240,18 @@ clean:
 /usr/local/bin/$(APPNAME) \
 $(PLATFORM_DIR) \
 $(ATTESTATION_DIR) \
-pkg/ca/certs \
-pkg/tpm2/certs \
+pkg/$(PLATFORM_DIR) \
+pkg/store/testdata \
+pkg/store/keystore/testdata \
+pkg/store/pkcs8/testdata \
+pkg/ca/testdata \
+pkg/tpm2/testdata \
 pkg/tpm2/$(EK_CERT_NAME) \
-pkg/$(EK_CERT_NAME)
+pkg/$(EK_CERT_NAME) \
+config.yaml
 
 
-test: test-ca test-tpm test-hash
+test: test-ca test-tpm test-crypto test-store
 
 test-ca:
 cd pkg/ca && go test -v
@@ -252,8 +263,14 @@ test-tpm:
 test-pkcs11:
 cd pkg/pkcs11 && go test -v
 
-test-hash:
-cd pkg/hash && go test -v
+test-crypto:
+cd pkg/crypto/aesgcm && go test -v
+cd pkg/crypto/argon2 && go test -v
+
+test-store:
+cd pkg/store && go test -v
+cd pkg/store/keystore && go test -v
+cd pkg/store/keystore/pkcs8 && go test -v
 
 proto:
 cd pkg/$(ATTESTATION_DIR) && $(PROTOC) \
@@ -268,15 +285,15 @@ uninstall: uninstall-ansible
 
 
 # Certificate Authority
-ca-verify-all: ca-root-verify ca-intermediate-verify ca-server-=verify
+ca-verify-all: ca-parent-verify ca-intermediate-verify ca-server-=verify
 
-ca-show-all: ca-root-show ca-intermediate-show ca-server-show
+ca-show-all: ca-parent-show ca-intermediate-show ca-server-show
 
-ca-root-verify:
+ca-parent-verify:
 cd $(CA_DIR) && \
 openssl verify -CAfile $(ROOT_CA)/$(ROOT_CA).crt $(ROOT_CA)/$(ROOT_CA).crt
 
-ca-root-show:
+ca-parent-show:
 cd $(CA_DIR) && \
 openssl x509 -in $(ROOT_CA)/$(ROOT_CA).crt -text -noout
 
@@ -312,8 +329,8 @@ ca-decrypt-intermediate-key:
 verifier-init:
 mkdir -p $(VERIFIER_DIR)/$(CONFIG_DIR)
 cp configs/platform/$(CONFIG_YAML) $(VERIFIER_CONF)
-sed -i 's/domain: $(DOMAIN)/domain: $(VERIFIER_HOSTNAME).$(DOMAIN)/' $(VERIFIER_CONF)
-sed -i 's/- $(DOMAIN)/- $(VERIFIER_HOSTNAME).$(DOMAIN)/' $(VERIFIER_CONF)
+sed -i 's/$(DOMAIN)/$(VERIFIER_DOMAIN)/' $(VERIFIER_CONF)
+sed -i 's/- $(VERIFIER_HOSTNAME).$(DOMAIN)/- $(VERIFIER_DOMAIN)/' $(VERIFIER_CONF)
 
 verifier-no-clean: build verifier-init
 cd $(VERIFIER_DIR) && \
@@ -335,7 +352,7 @@ verifier: verifier-clean verifier-init build
 --server-password server-password \
 --ek-cert $(ATTESTATION_ECCERT) \
 --ak-password ak-password \
---attestor $(ATTESTOR_HOSTNAME).$(DOMAIN)
+--attestor $(ATTESTOR_HOSTNAME).$(ATTESTOR_DOMAIN)
 
 verifier-clean: 
 rm -rf \
@@ -353,8 +370,9 @@ verifier-cert-chain:
 attestor-init:
 mkdir -p $(ATTESTOR_DIR)/$(CONFIG_DIR)
 cp configs/platform/$(CONFIG_YAML) $(ATTESTOR_CONF)
-sed -i 's/domain: $(DOMAIN)/domain: $(ATTESTOR_HOSTNAME).$(DOMAIN)/' $(ATTESTOR_CONF)
-sed -i 's/- $(DOMAIN)/- $(ATTESTOR_HOSTNAME).$(DOMAIN)/' $(ATTESTOR_CONF)
+sed -i 's/$(DOMAIN)/$(ATTESTOR_DOMAIN)/' $(ATTESTOR_CONF)
+sed -i 's/- __VERIFIER_CA__/- $(INTERMEDIATE_CA).$(VERIFIER_DOMAIN)/' $(ATTESTOR_CONF)
+cp $(EK_CERT_NAME) $(ATTESTOR_DIR)/$(EK_CERT_NAME)
 
 attestor-clean: 
 rm -rf \