From e583127b1a40dc470b9990925834ac2b06432908 Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Mon, 3 Jun 2024 09:20:46 +0200 Subject: [PATCH] coordinator: don't share CA instance with gRPC servers --- .../authority/authority.go} | 82 +++++++++++++------ coordinator/main.go | 7 +- coordinator/meshapi.go | 71 ++++++++++------ coordinator/userapi.go | 26 +++--- coordinator/userapi_test.go | 52 ++++++------ initializer/main.go | 15 +--- internal/meshapi/meshapi.pb.go | 51 +++++------- internal/meshapi/meshapi.proto | 3 +- 8 files changed, 164 insertions(+), 143 deletions(-) rename coordinator/{mesh.go => internal/authority/authority.go} (59%) diff --git a/coordinator/mesh.go b/coordinator/internal/authority/authority.go similarity index 59% rename from coordinator/mesh.go rename to coordinator/internal/authority/authority.go index f51b57ced6..f9246dc47a 100644 --- a/coordinator/mesh.go +++ b/coordinator/internal/authority/authority.go @@ -1,7 +1,7 @@ // Copyright 2024 Edgeless Systems GmbH // SPDX-License-Identifier: AGPL-3.0-only -package main +package authority import ( "context" 
@@ -23,24 +23,38 @@ import (
  "github.com/google/go-sev-guest/validate"
 )
 
-type meshAuthority struct {
- ca *ca.CA
- certs map[string][]byte
- certsMux sync.RWMutex
- manifests appendableList[*manifest.Manifest]
- logger *slog.Logger
+// Bundle is a set of PEM-encoded certificates for Contrast workloads.
+type Bundle struct {
+ WorkloadCert []byte
+ MeshCA []byte
+ IntermediateCA []byte
+ RootCA []byte
 }
 
-func newMeshAuthority(ca *ca.CA, log *slog.Logger) *meshAuthority {
- return &meshAuthority{
- ca: ca,
- certs: make(map[string][]byte),
+// Authority manages the manifest state of Contrast.
+type Authority struct {
+ ca *ca.CA
+ bundles map[string]Bundle
+ bundlesMux sync.RWMutex
+ manifests appendableList[*manifest.Manifest]
+ logger *slog.Logger
+}
+
+// New creates a new Authority instance.
+func New(caInstance *ca.CA, log *slog.Logger) *Authority {
+ return &Authority{
+ ca: caInstance,
+ bundles: make(map[string]Bundle),
  manifests: new(appendable.Appendable[*manifest.Manifest]),
  logger: log.WithGroup("mesh-authority"),
  }
 }
 
-func (m *meshAuthority) SNPValidateOpts(report *sevsnp.Report) (*validate.Options, error) {
+// SNPValidateOpts returns SNP validation options from reference values.
+//
+// It also ensures that the policy hash in the report's HOSTDATA is allowed by the current
+// manifest.
+func (m *Authority) SNPValidateOpts(report *sevsnp.Report) (*validate.Options, error) {
  mnfst, err := m.manifests.Latest()
  if err != nil {
  return nil, fmt.Errorf("getting latest manifest: %w", err)
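Review bot: The four fields of `Bundle` carry no doc comments, and neither the type comment nor the `Authority` comment says that the three CA entries are captured at the time the peer is validated rather than read when a bundle is later requested, which is the property a reader of `GetCertBundle` needs to know. Suggest `// WorkloadCert is the PEM-encoded certificate issued for the attested peer key.` and `// MeshCA, IntermediateCA and RootCA are the CA certificates as they were when ValidateCallback stored this bundle.` on the fields. The `Authority` comment could likewise be widened to `// Authority manages the manifest state of Contrast, the CA it issues mesh certificates from, and the certificate bundles created for attested peers.`, since the struct holds all three.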
@@ -83,13 +97,16 @@ func (m *meshAuthority) SNPValidateOpts(report *sevsnp.Report) (*validate.Option
  }, nil
 }
 
-func (m *meshAuthority) ValidateCallback(_ context.Context, report *sevsnp.Report,
+// ValidateCallback creates a certificate bundle for the verified client.
+func (m *Authority) ValidateCallback(_ context.Context, report *sevsnp.Report,
  _ asn1.ObjectIdentifier, _, _, peerPubKeyBytes []byte,
 ) error {
  mnfst, err := m.manifests.Latest()
  if err != nil {
  return fmt.Errorf("getting latest manifest: %w", err)
  }
+ // TODO(burgerdev): The CA should be tied to the manifest.
+ caInstance := m.ca
 
  hostData := manifest.NewHexString(report.HostData)
  dnsNames, ok := mnfst.Policies[hostData]
@@ -106,7 +123,7 @@ func (m *meshAuthority) ValidateCallback(_ context.Context, report *sevsnp.Repor
  if err != nil {
  return fmt.Errorf("failed to construct extensions: %w", err)
  }
- cert, err := m.ca.NewAttestedMeshCert(dnsNames, extensions, peerPubKey)
+ cert, err := caInstance.NewAttestedMeshCert(dnsNames, extensions, peerPubKey)
  if err != nil {
  return fmt.Errorf("failed to issue new attested mesh cert: %w", err)
  }
@@ -115,30 +132,40 @@ func (m *meshAuthority) ValidateCallback(_ context.Context, report *sevsnp.Repor peerPublicKeyHashStr := hex.EncodeToString(peerPubKeyHash[:]) m.logger.Info("Validated peer", "peerPublicKeyHashStr", peerPublicKeyHashStr) - m.certsMux.Lock() - defer m.certsMux.Unlock() - m.certs[peerPublicKeyHashStr] = cert + m.bundlesMux.Lock() + defer m.bundlesMux.Unlock() + m.bundles[peerPublicKeyHashStr] = Bundle{ + WorkloadCert: cert, + MeshCA: caInstance.GetMeshCACert(), + IntermediateCA: caInstance.GetIntermCACert(), + RootCA: caInstance.GetRootCACert(), + } return nil } -func (m *meshAuthority) GetCert(peerPublicKeyHashStr string) ([]byte, error) { - m.certsMux.RLock() - defer m.certsMux.RUnlock() +// GetCertBundle retrieves the certificate bundle created for the peer identified by the given public key. +func (m *Authority) GetCertBundle(peerPublicKeyHashStr string) (Bundle, error) { + m.bundlesMux.RLock() + defer m.bundlesMux.RUnlock() + + bundle, ok := m.bundles[peerPublicKeyHashStr] - cert, ok := m.certs[peerPublicKeyHashStr] if !ok { - return nil, fmt.Errorf("cert for peer public key %s not found", peerPublicKeyHashStr) + return Bundle{}, fmt.Errorf("cert for peer public key %s not found", peerPublicKeyHashStr) } - return cert, nil + return bundle, nil } -func (m *meshAuthority) GetManifests() []*manifest.Manifest { - return m.manifests.All() +// GetManifestsAndLatestCA retrieves the manifest history and the currently active CA instance. +func (m *Authority) GetManifestsAndLatestCA() ([]*manifest.Manifest, *ca.CA) { + // TODO(burgerdev): The CA should be tied to the manifest. + return m.manifests.All(), m.ca } -func (m *meshAuthority) SetManifest(mnfst *manifest.Manifest) error { +// SetManifest updates the active manifest. +func (m *Authority) SetManifest(mnfst *manifest.Manifest) error { if err := m.ca.RotateIntermCerts(); err != nil { return fmt.Errorf("rotating intermediate certificates: %w", err) } 
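Review bot: The bundle stored at the end of ValidateCallback mixes values read at different times: `cert` was issued by `caInstance.NewAttestedMeshCert` in the preceding hunk, while `IntermediateCA` comes from a separate `caInstance.GetIntermCACert()` call here, and nothing orders either of them against `SetManifest`'s `m.ca.RotateIntermCerts()` in this same hunk (`bundlesMux` is only taken after the CA reads, and `caInstance` is just an alias of the shared `m.ca`). If a rotation lands between the issue and the snapshot, the stored `IntermediateCA` would presumably not be the issuer of `WorkloadCert`, and `NewMeshCert` would hand out a chain that does not verify; this assumes `RotateIntermCerts` replaces the intermediate, which its name suggests but `ca.CA` is not on this page. Issuing the certificate and reading the intermediate under one lock, or having the CA return the certificate together with its issuing intermediate in a single call, would close the window, and the TODO about tying the CA to the manifest points the same way. ValidateCallback starts in the earlier hunk and SetManifest's body continues past this one.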
@@ -146,7 +173,8 @@ func (m *meshAuthority) SetManifest(mnfst *manifest.Manifest) error {
  return nil
 }
 
-func (m *meshAuthority) LatestManifest() (*manifest.Manifest, error) {
+// LatestManifest retrieves the active manifest.
+func (m *Authority) LatestManifest() (*manifest.Manifest, error) {
  return m.manifests.Latest()
 }
diff --git a/coordinator/main.go b/coordinator/main.go
index 7711735493..d3b59c9063 100644
--- a/coordinator/main.go
+++ b/coordinator/main.go
@@ -10,6 +10,7 @@ import (
  "net/http"
  "os"
 
+ "github.com/edgelesssys/contrast/coordinator/internal/authority"
  "github.com/edgelesssys/contrast/internal/ca"
  "github.com/edgelesssys/contrast/internal/logger"
  "github.com/edgelesssys/contrast/internal/meshapi"
@@ -56,9 +57,9 @@ func run() (retErr error) { promRegistry := prometheus.NewRegistry() - meshAuth := newMeshAuthority(caInstance, logger) - userAPI := newUserAPIServer(meshAuth, caInstance, promRegistry, logger) - meshAPI := newMeshAPIServer(meshAuth, caInstance, promRegistry, logger) + meshAuth := authority.New(caInstance, logger) + userAPI := newUserAPIServer(meshAuth, promRegistry, logger) + meshAPI := newMeshAPIServer(meshAuth, meshAuth, promRegistry, logger) eg := errgroup.Group{}
diff --git a/coordinator/meshapi.go b/coordinator/meshapi.go
index 018e7cfa5e..695959b838 100644
--- a/coordinator/meshapi.go
+++ b/coordinator/meshapi.go
@@ -5,11 +5,15 @@ package main
 
 import (
  "context"
+ "crypto/sha256"
+ "crypto/x509"
+ "encoding/hex"
  "fmt"
  "log/slog"
  "net"
  "time"
 
+ "github.com/edgelesssys/contrast/coordinator/internal/authority"
  "github.com/edgelesssys/contrast/internal/atls"
  "github.com/edgelesssys/contrast/internal/attestation/snp"
  "github.com/edgelesssys/contrast/internal/grpc/atlscredentials"
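Review bot: In the `run()` hunk of main.go, `meshAuth` is passed twice to `newMeshAPIServer`, once as the concrete `*authority.Authority` and once as the `certBundleGetter` it also satisfies, and nothing at the call site says why the same value appears in both positions; presumably the second parameter exists so tests can substitute a stub, but that is not visible here. A one-line comment would spare the next reader the double-take, e.g. `// meshAuth also implements certBundleGetter; it is passed separately so the mesh API only depends on the narrow interface.`, or the constructor could accept the authority once and derive the getter itself if no test needs the seam.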
@@ -20,27 +24,26 @@ import ( "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" "google.golang.org/grpc" - "google.golang.org/grpc/codes" + "google.golang.org/grpc/credentials" "google.golang.org/grpc/keepalive" - "google.golang.org/grpc/status" + "google.golang.org/grpc/peer" "k8s.io/utils/clock" ) type meshAPIServer struct { - grpc *grpc.Server - certGet certGetter - caChainGetter certChainGetter - ticker clock.Ticker - logger *slog.Logger + grpc *grpc.Server + bundleGetter certBundleGetter + ticker clock.Ticker + logger *slog.Logger meshapi.UnimplementedMeshAPIServer } -type certGetter interface { - GetCert(peerPublicKeyHashStr string) ([]byte, error) +type certBundleGetter interface { + GetCertBundle(peerPublicKeyHashStr string) (authority.Bundle, error) } -func newMeshAPIServer(meshAuth *meshAuthority, caGetter certChainGetter, reg *prometheus.Registry, log *slog.Logger) *meshAPIServer { +func newMeshAPIServer(meshAuth *authority.Authority, bundleGetter certBundleGetter, reg *prometheus.Registry, log *slog.Logger) *meshAPIServer { ticker := clock.RealClock{}.NewTicker(24 * time.Hour) kdsGetter := snp.NewCachedHTTPSGetter(memstore.New[string, []byte](), ticker, logger.NewNamed(log, "kds-getter")) @@ -74,11 +77,10 @@ func newMeshAPIServer(meshAuth *meshAuthority, caGetter certChainGetter, reg *pr ), ) s := &meshAPIServer{ - grpc: grpcServer, - certGet: meshAuth, - caChainGetter: caGetter, - ticker: ticker, - logger: log.WithGroup("meshapi"), + grpc: grpcServer, + bundleGetter: bundleGetter, + ticker: ticker, + logger: log.WithGroup("meshapi"), } meshapi.RegisterMeshAPIServer(s.grpc, s) 
@@ -98,22 +100,41 @@ func (i *meshAPIServer) Serve(endpoint string) error {
  return i.grpc.Serve(lis)
 }
 
-func (i *meshAPIServer) NewMeshCert(_ context.Context, req *meshapi.NewMeshCertRequest,
-) (*meshapi.NewMeshCertResponse, error) {
+func (i *meshAPIServer) NewMeshCert(ctx context.Context, _ *meshapi.NewMeshCertRequest) (*meshapi.NewMeshCertResponse, error) {
  i.logger.Info("NewMeshCert called")
 
- cert, err := i.certGet.GetCert(req.PeerPublicKeyHash)
+ // Fetch the peer public key from gRPC's TLS context and look up the corresponding cetificate.
+
+ p, ok := peer.FromContext(ctx)
+ if !ok {
+ return nil, fmt.Errorf("failed to get peer from context")
+ }
+
+ tlsInfo, ok := p.AuthInfo.(credentials.TLSInfo)
+ if !ok {
+ return nil, fmt.Errorf("failed to get TLS info from peer")
+ }
+
+ if len(tlsInfo.State.PeerCertificates) == 0 {
+ return nil, fmt.Errorf("no peer certificates found")
+ }
+
+ peerCert := tlsInfo.State.PeerCertificates[0]
+ peerPubKeyBytes, err := x509.MarshalPKIXPublicKey(peerCert.PublicKey)
  if err != nil {
- return nil, status.Errorf(codes.Internal,
- "getting certificate with public key hash %q: %v", req.PeerPublicKeyHash, err)
+ return nil, fmt.Errorf("could not marshal public key: %w", err)
  }
+ peerPubKeyHash := sha256.Sum256(peerPubKeyBytes)
+ peerPublicKeyHashStr := hex.EncodeToString(peerPubKeyHash[:])
 
- meshCACert := i.caChainGetter.GetMeshCACert()
- intermCert := i.caChainGetter.GetIntermCACert()
+ bundle, err := i.bundleGetter.GetCertBundle(peerPublicKeyHashStr)
+ if err != nil {
+ return nil, fmt.Errorf("server did not create a bundle for ")
+ }
 
  return &meshapi.NewMeshCertResponse{
- MeshCACert: meshCACert,
- CertChain: append(cert, intermCert...),
- RootCACert: i.caChainGetter.GetRootCACert(),
+ MeshCACert: bundle.MeshCA,
+ CertChain: append(bundle.WorkloadCert, bundle.IntermediateCA...),
+ RootCACert: bundle.RootCA,
  }, nil
 }
diff --git a/coordinator/userapi.go b/coordinator/userapi.go
index e492fe5ece..d6d6bd4415 100644
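Review bot: The error returned after `GetCertBundle` is truncated and drops the cause: `fmt.Errorf("server did not create a bundle for ")` ends mid-sentence and does not wrap `err`, so the caller sees neither which peer key was looked up nor why the lookup failed; the line should read `return nil, fmt.Errorf("getting certificate bundle for peer public key hash %q: %w", peerPublicKeyHashStr, err)`. Related, every failure path in this function is now a plain error where the old code returned `status.Errorf(codes.Internal, …)`, and since the `codes`/`status` imports were removed in the import hunk, grpc-go will surface all of them to the initializer as `codes.Unknown`; re-adding the imports and using `codes.Unauthenticated` for the missing-peer-certificate cases and `codes.NotFound` for a missing bundle keeps the client-visible contract. The key identifier is derived here as `MarshalPKIXPublicKey` → `sha256.Sum256` → `hex.EncodeToString`, while the map key in `authority.ValidateCallback` is built separately (its `hex.EncodeToString(peerPubKeyHash[:])` is visible in the authority hunk, the hashing step is not), so a change on either side would make every lookup fail with the error above; an exported helper in `authority` that both call would keep the two derivations in step. Also "cetificate" in the new comment is a typo.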
--- a/coordinator/userapi.go +++ b/coordinator/userapi.go @@ -18,6 +18,7 @@ import ( "github.com/edgelesssys/contrast/internal/appendable" "github.com/edgelesssys/contrast/internal/attestation/snp" + "github.com/edgelesssys/contrast/internal/ca" "github.com/edgelesssys/contrast/internal/grpc/atlscredentials" "github.com/edgelesssys/contrast/internal/logger" "github.com/edgelesssys/contrast/internal/manifest" @@ -42,7 +43,6 @@ type userAPIServer struct { grpc *grpc.Server policyTextStore store[manifest.HexString, manifest.Policy] manifSetGetter manifestSetGetter - caChainGetter certChainGetter logger *slog.Logger mux sync.RWMutex metrics userAPIMetrics @@ -50,7 +50,7 @@ type userAPIServer struct { userapi.UnimplementedUserAPIServer } -func newUserAPIServer(mSGetter manifestSetGetter, caGetter certChainGetter, reg *prometheus.Registry, log *slog.Logger) *userAPIServer { +func newUserAPIServer(mSGetter manifestSetGetter, reg *prometheus.Registry, log *slog.Logger) *userAPIServer { issuer := snp.NewIssuer(logger.NewNamed(log, "snp-issuer")) credentials := atlscredentials.New(issuer, nil) @@ -84,7 +84,6 @@ func newUserAPIServer(mSGetter manifestSetGetter, caGetter certChainGetter, reg grpc: grpcServer, policyTextStore: memstore.New[manifest.HexString, manifest.Policy](), manifSetGetter: mSGetter, - caChainGetter: caGetter, logger: log.WithGroup("userapi"), metrics: userAPIMetrics{ manifestGeneration: manifestGeneration, 
@@ -141,11 +140,12 @@ func (s *userAPIServer) SetManifest(ctx context.Context, req *userapi.SetManifes
  return nil, status.Errorf(codes.Internal, "setting manifest: %v", err)
  }
 
- s.metrics.manifestGeneration.Set(float64(len(s.manifSetGetter.GetManifests())))
+ manifests, ca := s.manifSetGetter.GetManifestsAndLatestCA()
+ s.metrics.manifestGeneration.Set(float64(len(manifests)))
 
  resp := &userapi.SetManifestResponse{
- RootCA: s.caChainGetter.GetRootCACert(),
- MeshCA: s.caChainGetter.GetMeshCACert(),
+ RootCA: ca.GetRootCACert(),
+ MeshCA: ca.GetMeshCACert(),
  }
 
  s.logger.Info("SetManifest succeeded")
@@ -158,7 +158,7 @@ func (s *userAPIServer) GetManifests(_ context.Context, _ *userapi.GetManifestsR
  s.mux.RLock()
  defer s.mux.RUnlock()
 
- manifests := s.manifSetGetter.GetManifests()
+ manifests, ca := s.manifSetGetter.GetManifestsAndLatestCA()
  if len(manifests) == 0 {
  return nil, status.Errorf(codes.FailedPrecondition, "no manifests set")
  }
@@ -176,8 +176,8 @@ func (s *userAPIServer) GetManifests(_ context.Context, _ *userapi.GetManifestsR
  resp := &userapi.GetManifestsResponse{
  Manifests: manifestBytes,
  Policies: policySliceToBytesSlice(policies),
- RootCA: s.caChainGetter.GetRootCACert(),
- MeshCA: s.caChainGetter.GetMeshCACert(),
+ RootCA: ca.GetRootCACert(),
+ MeshCA: ca.GetMeshCACert(),
  }
 
  s.logger.Info("GetManifest succeeded")
@@ -252,15 +252,9 @@ func manifestSliceToBytesSlice(s []*manifest.Manifest) ([][]byte, error) {
  return manifests, nil
 }
 
-type certChainGetter interface {
- GetRootCACert() []byte
- GetMeshCACert() []byte
- GetIntermCACert() []byte
-}
-
 type manifestSetGetter interface {
  SetManifest(*manifest.Manifest) error
- GetManifests() []*manifest.Manifest
+ GetManifestsAndLatestCA() ([]*manifest.Manifest, *ca.CA)
  LatestManifest() (*manifest.Manifest, error)
 }
diff --git a/coordinator/userapi_test.go b/coordinator/userapi_test.go
index eef1c1d4cd..aea488504c 100644
--- a/coordinator/userapi_test.go
+++ b/coordinator/userapi_test.go
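Review bot: `manifests, ca := s.manifSetGetter.GetManifestsAndLatestCA()` in both the `SetManifest` and the `GetManifests` hunk names the local `ca`, which shadows the `internal/ca` package this file now imports; it compiles because the package is not referenced afterwards in either function, but it is the kind of shadowing that breaks the next edit and that linters flag, so `manifests, caInst := …` (and `caInst.GetRootCACert()` below it) is safer. The `manifestSetGetter` change in the last hunk also hands the user API the full `*ca.CA`, including whatever mutating methods it has (`RotateIntermCerts` is visible in the authority hunk), even though the commit's stated aim is to stop sharing the CA instance with the gRPC servers; the two call sites only need `GetRootCACert` and `GetMeshCACert`, so returning a narrow read-only interface like the `certChainGetter` this hunk deletes, or the two PEM blobs directly, would match the intent. The user API's `SetManifest` and `GetManifests` bodies both extend beyond their hunks.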
@@ -12,6 +12,7 @@ import ( "crypto/tls" "crypto/x509" "encoding/json" + "encoding/pem" "fmt" "log/slog" "strings" @@ -19,6 +20,7 @@ import ( "testing" "github.com/edgelesssys/contrast/internal/appendable" + "github.com/edgelesssys/contrast/internal/ca" "github.com/edgelesssys/contrast/internal/manifest" "github.com/edgelesssys/contrast/internal/memstore" "github.com/edgelesssys/contrast/internal/userapi" @@ -63,7 +65,6 @@ func TestManifestSet(t *testing.T) { testCases := map[string]struct { req *userapi.SetManifestRequest mSGetter *stubManifestSetGetter - caGetter *stubCertChainGetter workloadOwnerKey *ecdsa.PrivateKey wantErr bool }{ @@ -123,7 +124,6 @@ func TestManifestSet(t *testing.T) { }, }, mSGetter: &stubManifestSetGetter{}, - caGetter: &stubCertChainGetter{}, }, "valid manifest but error when setting it": { req: &userapi.SetManifestRequest{ @@ -139,7 +139,6 @@ func TestManifestSet(t *testing.T) { }, }, mSGetter: &stubManifestSetGetter{setManifestErr: assert.AnError}, - caGetter: &stubCertChainGetter{}, wantErr: true, }, "workload owner key match": { @@ -158,7 +157,6 @@ func TestManifestSet(t *testing.T) { mSGetter: &stubManifestSetGetter{ getManifestResp: []*manifest.Manifest{manifestWithTrustedKey}, }, - caGetter: &stubCertChainGetter{}, workloadOwnerKey: trustedKey, }, "workload owner key mismatch": { @@ -177,7 +175,6 @@ func TestManifestSet(t *testing.T) { mSGetter: &stubManifestSetGetter{ getManifestResp: []*manifest.Manifest{manifestWithTrustedKey}, }, - caGetter: &stubCertChainGetter{}, workloadOwnerKey: untrustedKey, wantErr: true, }, @@ -197,8 +194,7 @@ func TestManifestSet(t *testing.T) { mSGetter: &stubManifestSetGetter{ getManifestResp: []*manifest.Manifest{manifestWithTrustedKey}, }, - caGetter: &stubCertChainGetter{}, - wantErr: true, + wantErr: true, }, "manifest not updatable": { req: &userapi.SetManifestRequest{ 
@@ -216,7 +212,6 @@ func TestManifestSet(t *testing.T) { mSGetter: &stubManifestSetGetter{ getManifestResp: []*manifest.Manifest{manifestWithoutTrustedKey}, }, - caGetter: &stubCertChainGetter{}, workloadOwnerKey: trustedKey, wantErr: true, }, @@ -235,7 +230,6 @@ func TestManifestSet(t *testing.T) { coordinator := userAPIServer{ manifSetGetter: tc.mSGetter, - caChainGetter: tc.caGetter, policyTextStore: memstore.New[manifest.HexString, manifest.Policy](), logger: slog.Default(), metrics: userAPIMetrics{ @@ -251,8 +245,8 @@ func TestManifestSet(t *testing.T) { return } require.NoError(err) - assert.Equal([]byte("root"), resp.RootCA) - assert.Equal([]byte("mesh"), resp.MeshCA) + assert.Equal("system:coordinator:root", parsePEMCertificate(t, resp.RootCA).Subject.CommonName) + assert.Equal("system:coordinator:intermediate", parsePEMCertificate(t, resp.MeshCA).Subject.CommonName) assert.Equal(1, tc.mSGetter.setManifestCount) expected := fmt.Sprintf(manifestGenerationExpected, 1) @@ -264,13 +258,11 @@ func TestManifestSet(t *testing.T) { func TestGetManifests(t *testing.T) { testCases := map[string]struct { mSGetter *stubManifestSetGetter - caGetter *stubCertChainGetter policyStoreContent map[manifest.HexString]manifest.Policy wantErr bool }{ "no manifest set": { mSGetter: &stubManifestSetGetter{}, - caGetter: &stubCertChainGetter{}, wantErr: true, }, "no policy in store": { @@ -307,7 +299,6 @@ func TestGetManifests(t *testing.T) { coordinator := userAPIServer{ manifSetGetter: tc.mSGetter, - caChainGetter: tc.caGetter, policyTextStore: policyStore, logger: slog.Default(), } 
@@ -320,8 +311,8 @@ func TestGetManifests(t *testing.T) { return } require.NoError(err) - assert.Equal([]byte("root"), resp.RootCA) - assert.Equal([]byte("mesh"), resp.MeshCA) + assert.Equal("system:coordinator:root", parsePEMCertificate(t, resp.RootCA).Subject.CommonName) + assert.Equal("system:coordinator:intermediate", parsePEMCertificate(t, resp.MeshCA).Subject.CommonName) assert.Len(resp.Policies, len(tc.policyStoreContent)) }) } @@ -351,7 +342,6 @@ func TestUserAPIConcurrent(t *testing.T) { coordinator := userAPIServer{ manifSetGetter: &stubManifestSetGetter{}, - caChainGetter: &stubCertChainGetter{}, policyTextStore: memstore.New[manifest.HexString, manifest.Policy](), logger: slog.Default(), metrics: userAPIMetrics{ @@ -416,13 +406,17 @@ func (s *stubManifestSetGetter) SetManifest(*manifest.Manifest) error { return s.setManifestErr } -func (s *stubManifestSetGetter) GetManifests() []*manifest.Manifest { +func (s *stubManifestSetGetter) GetManifestsAndLatestCA() ([]*manifest.Manifest, *ca.CA) { + ca, err := ca.New() + if err != nil { + panic(err) + } s.mux.RLock() defer s.mux.RUnlock() if s.getManifestResp == nil { - return make([]*manifest.Manifest, s.setManifestCount) + return make([]*manifest.Manifest, s.setManifestCount), ca } - return s.getManifestResp + return s.getManifestResp, ca } func (s *stubManifestSetGetter) LatestManifest() (*manifest.Manifest, error) { @@ -434,12 +428,6 @@ func (s *stubManifestSetGetter) LatestManifest() (*manifest.Manifest, error) { return s.getManifestResp[len(s.getManifestResp)-1], nil } -type stubCertChainGetter struct{} - -func (s *stubCertChainGetter) GetRootCACert() []byte { return []byte("root") } -func (s *stubCertChainGetter) GetMeshCACert() []byte { return []byte("mesh") } -func (s *stubCertChainGetter) GetIntermCACert() []byte { return []byte("inter") } - func rpcContext(key *ecdsa.PrivateKey) context.Context { var peerCertificates []*x509.Certificate if key != nil { 
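Review bot: In the stub's `GetManifestsAndLatestCA`, `ca, err := ca.New()` compiles only because the new variable comes into scope after the statement, and it shadows the imported package for the rest of the function; `caInst, err := ca.New()` avoids the trap. Each call also mints a fresh CA, so two calls on the same stub return different root and mesh certificates, which is harmless for the CommonName assertions in this file but would make a future check comparing `RootCA` across a `SetManifest` and a `GetManifests` response fail for a non-obvious reason; creating the CA once when the stub is built would make it behave like the real authority. The stub's struct and constructor are outside this hunk.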
@@ -470,6 +458,18 @@ func manifestWithWorkloadOwnerKey(key *ecdsa.PrivateKey) (*manifest.Manifest, er return &m, nil } +func parsePEMCertificate(t *testing.T, pemCert []byte) *x509.Certificate { + t.Helper() + + block, _ := pem.Decode(pemCert) + require.NotNil(t, block, "no pem-encoded certificate found") + + // Parse the certificate + cert, err := x509.ParseCertificate(block.Bytes) + require.NoError(t, err) + return cert +} + func toPtr[T any](t T) *T { return &t } diff --git a/initializer/main.go b/initializer/main.go index dfcda070b2..a1d3c3be78 100644 --- a/initializer/main.go +++ b/initializer/main.go @@ -8,9 +8,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha256" "crypto/x509" - "encoding/hex" "encoding/pem" "errors" "fmt" @@ -57,14 +55,6 @@ func run() (retErr error) { return fmt.Errorf("generating key: %w", err) } - pubKey, err := x509.MarshalPKIXPublicKey(&privKey.PublicKey) - if err != nil { - return fmt.Errorf("marshaling public key: %w", err) - } - pubKeyHash := sha256.Sum256(pubKey) - pubKeyHashStr := hex.EncodeToString(pubKeyHash[:]) - log.Info("Deriving public key", "pubKeyHash", pubKeyHashStr) - requestCert := func() (*meshapi.NewMeshCertResponse, error) { issuer := snp.NewIssuer(logger.NewNamed(log, "snp-issuer")) dial := dialer.NewWithKey(issuer, atls.NoValidator, &net.Dialer{}, privKey) @@ -76,10 +66,7 @@ func run() (retErr error) { client := meshapi.NewMeshAPIClient(conn) - req := &meshapi.NewMeshCertRequest{ - PeerPublicKeyHash: pubKeyHashStr, - } - resp, err := client.NewMeshCert(ctx, req) + resp, err := client.NewMeshCert(ctx, &meshapi.NewMeshCertRequest{}) if err != nil { return nil, fmt.Errorf("calling NewMeshCert: %w", err) } diff --git a/internal/meshapi/meshapi.pb.go b/internal/meshapi/meshapi.pb.go index b7030e407c..4c4d82994b 100644 --- a/internal/meshapi/meshapi.pb.go +++ b/internal/meshapi/meshapi.pb.go 
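Review bot: `parsePEMCertificate` accepts any PEM block type, so a response that put a key or CSR where a certificate belongs would only fail inside `x509.ParseCertificate` with a less specific message; add `require.Equal(t, "CERTIFICATE", block.Type, "unexpected pem block type")` after the `NotNil` check. The `// Parse the certificate` comment restates the next line and can be dropped. The helper is complete within the hunk.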
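Review bot: Removing the `Deriving public key` log line in initializer/main.go takes away the only place the initializer printed its own key hash, while the coordinator still logs `peerPublicKeyHashStr` under `Validated peer` (authority hunk above) and keys its bundle map by the same value; without it, a `NewMeshCert` failure on the initializer side can no longer be matched to the coordinator's log entry. The derivation itself is no longer needed for the request, so the log line can be kept with the same `MarshalPKIXPublicKey`/`sha256.Sum256`/`hex.EncodeToString` sequence the hunk deletes, computed once before `requestCert` and used only for logging. `run()` continues outside both initializer hunks.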
@@ -24,8 +24,6 @@ type NewMeshCertRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - - PeerPublicKeyHash string `protobuf:"bytes,1,opt,name=PeerPublicKeyHash,proto3" json:"PeerPublicKeyHash,omitempty"` } func (x *NewMeshCertRequest) Reset() { @@ -60,13 +58,6 @@ func (*NewMeshCertRequest) Descriptor() ([]byte, []int) { return file_meshapi_proto_rawDescGZIP(), []int{0} } -func (x *NewMeshCertRequest) GetPeerPublicKeyHash() string { - if x != nil { - return x.PeerPublicKeyHash - } - return "" -} - type NewMeshCertResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -137,28 +128,26 @@ var File_meshapi_proto protoreflect.FileDescriptor var file_meshapi_proto_rawDesc = []byte{ 0x0a, 0x0d, 0x6d, 0x65, 0x73, 0x68, 0x61, 0x70, 0x69, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, - 0x07, 0x6d, 0x65, 0x73, 0x68, 0x61, 0x70, 0x69, 0x22, 0x42, 0x0a, 0x12, 0x4e, 0x65, 0x77, 0x4d, - 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2c, - 0x0a, 0x11, 0x50, 0x65, 0x65, 0x72, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x48, - 0x61, 0x73, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x50, 0x65, 0x65, 0x72, 0x50, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x22, 0x73, 0x0a, 0x13, - 0x4e, 0x65, 0x77, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x41, 0x43, 0x65, 0x72, - 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x41, 0x43, - 0x65, 0x72, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x43, 0x65, 0x72, 0x74, 0x43, 0x68, 0x61, 0x69, 0x6e, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x43, 0x65, 0x72, 0x74, 0x43, 0x68, 0x61, 0x69, - 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x43, 0x65, 0x72, 0x74, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x43, 0x65, 0x72, - 0x74, 0x32, 0x53, 0x0a, 0x07, 0x4d, 0x65, 0x73, 0x68, 0x41, 0x50, 0x49, 0x12, 0x48, 0x0a, 0x0b, - 0x4e, 0x65, 0x77, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x12, 0x1b, 0x2e, 0x6d, 0x65, - 0x73, 0x68, 0x61, 0x70, 0x69, 0x2e, 0x4e, 0x65, 0x77, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, - 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x61, - 0x70, 0x69, 0x2e, 0x4e, 0x65, 0x77, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x32, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 
0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, - 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x61, 0x73, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, - 0x61, 0x6c, 0x2f, 0x6d, 0x65, 0x73, 0x68, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x07, 0x6d, 0x65, 0x73, 0x68, 0x61, 0x70, 0x69, 0x22, 0x2d, 0x0a, 0x12, 0x4e, 0x65, 0x77, 0x4d, + 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4a, 0x04, + 0x08, 0x01, 0x10, 0x02, 0x52, 0x11, 0x50, 0x65, 0x65, 0x72, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x22, 0x73, 0x0a, 0x13, 0x4e, 0x65, 0x77, 0x4d, 0x65, + 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, + 0x0a, 0x0a, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x41, 0x43, 0x65, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0c, 0x52, 0x0a, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x41, 0x43, 0x65, 0x72, 0x74, 0x12, 0x1c, + 0x0a, 0x09, 0x43, 0x65, 0x72, 0x74, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x0c, 0x52, 0x09, 0x43, 0x65, 0x72, 0x74, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, + 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x43, 0x65, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, + 0x52, 0x0a, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x43, 0x65, 0x72, 0x74, 0x32, 0x53, 0x0a, 0x07, + 0x4d, 0x65, 0x73, 0x68, 0x41, 0x50, 0x49, 0x12, 0x48, 0x0a, 0x0b, 0x4e, 0x65, 0x77, 0x4d, 0x65, + 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x12, 0x1b, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x61, 0x70, 0x69, + 0x2e, 0x4e, 0x65, 0x77, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x61, 0x70, 0x69, 0x2e, 0x4e, 0x65, + 0x77, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x42, 0x32, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 
0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x74, + 0x72, 0x61, 0x73, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x6d, 0x65, + 0x73, 0x68, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/internal/meshapi/meshapi.proto b/internal/meshapi/meshapi.proto index e07f191463..f253fb77c8 100644 --- a/internal/meshapi/meshapi.proto +++ b/internal/meshapi/meshapi.proto @@ -9,7 +9,8 @@ service MeshAPI { } message NewMeshCertRequest { - string PeerPublicKeyHash = 1; + reserved 1; + reserved "PeerPublicKeyHash"; } message NewMeshCertResponse {