RFC: emit cert as Java KeyStore

see edgelesssys#307 not done
aep · Jul 21, 2022 · b1b5b97 · b1b5b97
1 parent d32aac4
commit b1b5b97
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 0 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1 +1,2 @@
 build/
+Dockerfile
diff --git a/coordinator/manifest/manifest.go b/coordinator/manifest/manifest.go
@@ -7,6 +7,7 @@
 package manifest
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"encoding/base64"
@@ -15,8 +16,10 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"github.com/pavlo-v-chernykh/keystore-go/v4"
 	"strings"
 	"text/template"
+	"time"
 
 	"github.com/edgelesssys/marblerun/coordinator/quote"
 	"github.com/edgelesssys/marblerun/coordinator/user"
@@ -477,12 +480,89 @@ func EncodeSecretDataToString(data interface{}) (string, error) {
 	}
 }
 
+// EncodeSecretDataToPem encodes triplets of alias+key+cert as java keystore. A nil value for cert or key is allowed.
+func EncodeSecretDataToJavaKeyStore(password string, data ...interface{}) (string, error) {
+	var ks = keystore.New()
+
+	if len(data)%3 != 0 {
+		return "", errors.New("can only encode triplet of alias+key+cert as JavaKeyStore. use nil to indicate lack of key or cert.")
+	}
+
+	for i := 0; i < len(data); i += 3 {
+
+		alias, ok := data[i].(string)
+		if !ok {
+			return "", errors.New("first value in triplet must be a string alias")
+		}
+
+		if data[i+1] == nil {
+
+			cert, ok := data[i+2].(Certificate)
+			if !ok {
+				return "", errors.New("third value in triplet must be a certificate")
+			}
+
+			err := ks.SetTrustedCertificateEntry(alias, keystore.TrustedCertificateEntry{
+				Certificate: keystore.Certificate{
+					Type:    "X509",
+					Content: cert.Raw,
+				},
+			})
+			if err != nil {
+				return "", err
+			}
+		} else {
+
+			priv, ok := data[i+1].(PrivateKey)
+			if !ok {
+				return "", errors.New("second value in triplet must be private key or nil")
+			}
+
+			privPKCS8, err := x509.MarshalPKCS8PrivateKey(priv)
+			if err != nil {
+				return "", err
+			}
+
+			var chain = []keystore.Certificate{}
+			if data[i+2] != nil {
+
+				cert, ok := data[i+2].(Certificate)
+				if !ok {
+					return "", errors.New("third value in triplet must be a certificate or nil")
+				}
+				chain = append(chain, keystore.Certificate{
+					Type:    "X509",
+					Content: cert.Raw,
+				})
+			}
+
+			pkeIn := keystore.PrivateKeyEntry{
+				CreationTime:     time.Now(),
+				PrivateKey:       privPKCS8,
+				CertificateChain: chain,
+			}
+
+			if err := ks.SetPrivateKeyEntry(alias, pkeIn, []byte(password)); err != nil {
+				return "", err
+			}
+		}
+	}
+
+	var f bytes.Buffer
+	err := ks.Store(&f, []byte(password))
+	if err != nil {
+		return "", err
+	}
+	return f.String(), nil
+}
+
 // ManifestTemplateFuncMap defines the functions which can be specified for secret injections into files in the in Go template format.
 var ManifestFileTemplateFuncMap = template.FuncMap{
 	"pem":    EncodeSecretDataToPem,
 	"hex":    EncodeSecretDataToHex,
 	"raw":    EncodeSecretDataToRaw,
 	"base64": EncodeSecretDataToBase64,
+	"jks":    EncodeSecretDataToJavaKeyStore,
 }
 
 // ManifestEnvTemplateFuncMap defines the functions which can be specified for secret injections into Env variables in the Go template format.

diff --git a/go.mod b/go.mod
@@ -109,6 +109,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect

diff --git a/go.sum b/go.sum
@@ -921,6 +921,8 @@ github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xA
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0 h1:y9azNmMzvkNBPyczpNRwaV4bm0U6e7Oyrj7gi2/SNFI=
+github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0/go.mod h1:lAVhWwbNaveeJmxrxuSTxMgKpF6DjnuVpn6T8WiBwYQ=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=