diff --git a/ta/acme.go b/ta/acme.go
index bad7282..71c3edb 100644
--- a/ta/acme.go
+++ b/ta/acme.go
@@ -2,18 +2,19 @@ package ta
 import (
 "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
+ "crypto/rsa"
 "crypto/rand"
 "log"
- "github.com/go-acme/lego/v4/certcrypto"
 "github.com/go-acme/lego/v4/certificate"
 "github.com/go-acme/lego/v4/challenge/tlsalpn01"
 "github.com/go-acme/lego/v4/lego"
 "github.com/go-acme/lego/v4/registration"
 )
+//var acmeURL = lego.LEDirectoryProduction
+var acmeURL = lego.LEDirectoryStaging
+
 type MyUser struct {
 Email string
 Registration *registration.Resource
@@ -32,7 +33,7 @@ func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
 func IssueCertificate(key crypto.PrivateKey, domain, email string) *certificate.Resource {
 // Create a user. New accounts need an email and private key to start.
- privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 if err != nil {
 log.Fatal(err)
 }
@@ -45,8 +46,8 @@ func IssueCertificate(key crypto.PrivateKey, domain, email string) *certificate.
 config := lego.NewConfig(&myUser)
 // This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.
- config.CADirURL = lego.LEDirectoryStaging
- config.Certificate.KeyType = certcrypto.RSA2048
+ config.CADirURL = acmeURL
+ // config.Certificate.KeyType = certcrypto.RSA2048
 // A client facilitates communication with the CA server.
 client, err := lego.NewClient(config)
diff --git a/ta/example/enclave.json b/ta/example/enclave.json
index 2c5de6d..af447df 100644
--- a/ta/example/enclave.json
+++ b/ta/example/enclave.json
@@ -2,7 +2,7 @@
 "exe": "example",
 "key": "private.pem",
 "debug": true,
- "heapSize": 512,
+ "heapSize": 2048,
 "executableHeap": false,
 "productID": 1,
 "securityVersion": 1,
@@ -40,4 +40,4 @@
 "target": "/etc/ssl/certs/ca-certificates.crt"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/ta/example/main.go b/ta/example/main.go
index 6914ce2..4c315d0 100644 
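Review bot: The staging/production choice on the added `acmeURL` lines is a comment toggle, so nothing in the binary or its output records which CA a given build talks to, and a certificate from `lego.LEDirectoryStaging` chains to an untrusted test root that real clients will reject. Consider selecting the directory from the TA config or an environment variable and logging it at startup, e.g. `log.Printf("ACME directory: %s", acmeURL)`, rather than editing comments between deployments. A doc comment such as `// acmeURL selects the ACME directory; staging issues certificates that browsers do not trust.` would also make the intent visible to the next reader.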
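Review bot: The added line swaps the ACME account key from P-256 to RSA-2048 without saying why; both are accepted by Let's Encrypt, so a one-line comment such as `// RSA account key: <reason>` would stop the next reader from reverting it. As far as this hunk shows, `privateKey` is generated fresh on every call and never persisted, so each process start registers a new ACME account — with its own rate-limit budget and a different key holding the right to revoke the certificate; if this runs inside an enclave as the example config suggests, sealing the account key and reusing it is the usual fix, but the rest of IssueCertificate is outside the hunk. Note also that the failure path on the context lines below is `log.Fatal`, while the new caller in tls.go propagates errors; aligning them would keep an ACME outage from terminating the whole process.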
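Review bot: The context comment `// This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.` no longer describes the new line under it, which now takes whatever `acmeURL` holds (Let's Encrypt staging as committed); replace it with `// CA directory; see acmeURL for the staging/production switch.` The commented-out `KeyType` line is dead code — if I recall lego correctly, `lego.NewConfig` already defaults `Certificate.KeyType` to RSA2048, so either delete the line or turn it into a comment stating that the default is relied on. Whether the key type matters at all depends on whether `key` is passed into the ObtainRequest further down in IssueCertificate, which is outside this hunk.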
--- a/ta/example/main.go
+++ b/ta/example/main.go
@@ -31,6 +31,8 @@ func main() {
 fmt.Fprintf(w, "", config.TTP+REDIRECT_PATH)
 }
+
+ fmt.Fprintln(w, "Hello from TA running on TEE :)")
 }
 tlsConfig, err := ta.TLSConfig()
@@ -47,3 +49,4 @@ func main() {
 http.HandleFunc("/", handler)
 server.ListenAndServeTLS("", "")
 }
+
diff --git a/ta/tls.go b/ta/tls.go
index fe78e03..8555b78 100644
--- a/ta/tls.go
+++ b/ta/tls.go
@@ -1,20 +1,50 @@
 package ta
 import (
+ "crypto/rsa"
 "crypto/tls"
+ "encoding/pem"
+ "fmt"
 )
 const CERT_DIER_CACHE = "./tmp/ra-webs.cache"
+func parsePemCertiifcate(raw []byte, privateKey *rsa.PrivateKey) (*tls.Certificate, error) {
+ certs := make([][]byte, 0)
+
+ for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
+ if block.Type != "CERTIFICATE" {
+ return nil, fmt.Errorf("unexpected block type %s", block.Type)
+ }
+
+ certs = append(certs, block.Bytes)
+ }
+
+ return &tls.Certificate{
+ Certificate: certs,
+ PrivateKey: privateKey,
+ }, nil
+}
+
 func (ap *TA) TLSConfig() (*tls.Config, error) {
- cert := IssueCertificate(ap.privateKey, ap.config.Domain, ap.config.Email)
+ res, err := ap.Register()
+ if err != nil {
+ return nil, err
+ }
+ fmt.Print(res)
+
+ resouce := IssueCertificate(ap.privateKey, ap.config.Domain, ap.config.Email)
+
+ cert, err := parsePemCertiifcate(resouce.Certificate, ap.privateKey)
+
+ if err != nil {
+ return nil, err
+ }
 return &tls.Config{
- GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- return &tls.Certificate{
- Certificate: [][]byte{cert.Certificate},
- PrivateKey: ap.privateKey,
- }, nil
+ Certificates: []tls.Certificate{
+ *cert,
 },
 }, nil
 }
+
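Review bot: The added `fmt.Fprintln(w, "Hello from TA running on TEE :)")` runs unconditionally after the block that ends with `}` on the line above it, so whatever that branch already wrote (its opening is outside the hunk) gets this line appended; if the branch sends a redirect it should end with `return`. The string also reads like evidence of TEE execution but is a fixed body that any server can send — a client learns nothing about the enclave from it without remote attestation, so either keep it clearly cosmetic or serve an attestation report alongside. While here, the context line `fmt.Fprintf(w, "", config.TTP+REDIRECT_PATH)` has an empty format string and will emit `%!(EXTRA string=...)` to the client, which looks like a pre-existing bug rather than an intended redirect. The handler this sits in starts before the hunk.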
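Review bot: `parsePemCertiifcate` pairs the ACME chain with `ap.privateKey` without checking that the leaf was issued for that key, and `resouce.PrivateKey` is discarded; unless IssueCertificate (outside the hunk) puts `key` into its ObtainRequest, lego will have generated its own key and every handshake will fail with a signature error instead of failing here at startup. It also returns a `tls.Certificate` with an empty chain when the PEM contains no blocks, and the name carries a typo. The rewrite below parses the leaf, compares public keys and fails early (it needs `crypto/x509` and `errors` imported). Separately, `fmt.Print(res)` dumps the whole registration resource to stdout, which in an enclave is host-visible; log only what you need, e.g. `log.Printf("ACME account: %s", res.URI)` if that field is what you want, or drop the print.
```go
func parsePemCertiifcate(raw []byte, privateKey *rsa.PrivateKey) (*tls.Certificate, error) {
	var certs [][]byte
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected block type %s", block.Type)
		}
		certs = append(certs, block.Bytes)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks in ACME response")
	}
	// The first block is the leaf; refuse a chain issued for some other key so
	// a mismatch surfaces here instead of as a handshake failure on first use.
	leaf, err := x509.ParseCertificate(certs[0])
	if err != nil {
		return nil, fmt.Errorf("parsing leaf certificate: %w", err)
	}
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&privateKey.PublicKey) {
		return nil, errors.New("certificate public key does not match the private key")
	}
	return &tls.Certificate{Certificate: certs, PrivateKey: privateKey, Leaf: leaf}, nil
}
```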