diff --git a/.dockerignore b/.dockerignore
index 567609b12..69ca821b4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,2 @@
 build/
+Dockerfile
diff --git a/coordinator/manifest/manifest.go b/coordinator/manifest/manifest.go
index 18644f9f6..56c646540 100644
--- a/coordinator/manifest/manifest.go
+++ b/coordinator/manifest/manifest.go
@@ -7,6 +7,7 @@ package manifest
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"encoding/base64"
@@ -15,8 +16,10 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"github.com/pavlo-v-chernykh/keystore-go/v4"
 	"strings"
 	"text/template"
+	"time"
 	"github.com/edgelesssys/marblerun/coordinator/quote"
 	"github.com/edgelesssys/marblerun/coordinator/user"
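Review bot: `"github.com/pavlo-v-chernykh/keystore-go/v4"` is inserted into the standard-library import group in the second manifest.go hunk, between `"fmt"` and `"strings"`; goimports keeps third-party modules in the blank-line-separated second group next to the marblerun imports, so the line belongs below that group to keep the file goimports-clean. The same module is added to go.mod in a later hunk with an `// indirect` marker although manifest.go now imports it directly; `go mod tidy` would drop that marker, so running it before merging keeps the require block consistent with the code. Since this new dependency will receive private key material, its provenance and the pinned version are worth a deliberate look at adoption time.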
@@ -477,12 +480,89 @@ func EncodeSecretDataToString(data interface{}) (string, error) {
 	}
 }
 
+// EncodeSecretDataToPem encodes triplets of alias+key+cert as java keystore. A nil value for cert or key is allowed.
+func EncodeSecretDataToJavaKeyStore(password string, data ...interface{}) (string, error) {
+	var ks = keystore.New()
+
+	if len(data)%3 != 0 {
+		return "", errors.New("can only encode triplet of alias+key+cert as JavaKeyStore. use nil to indicate lack of key or cert.")
+	}
+
+	for i := 0; i < len(data); i += 3 {
+
+		alias, ok := data[i].(string)
+		if !ok {
+			return "", errors.New("first value in triplet must be a string alias")
+		}
+
+		if data[i+1] == nil {
+
+			cert, ok := data[i+2].(Certificate)
+			if !ok {
+				return "", errors.New("third value in triplet must be a certificate")
+			}
+
+			err := ks.SetTrustedCertificateEntry(alias, keystore.TrustedCertificateEntry{
+				Certificate: keystore.Certificate{
+					Type:    "X509",
+					Content: cert.Raw,
+				},
+			})
+			if err != nil {
+				return "", err
+			}
+		} else {
+
+			priv, ok := data[i+1].(PrivateKey)
+			if !ok {
+				return "", errors.New("second value in triplet must be private key or nil")
+			}
+
+			privPKCS8, err := x509.MarshalPKCS8PrivateKey(priv)
+			if err != nil {
+				return "", err
+			}
+
+			var chain = []keystore.Certificate{}
+			if data[i+2] != nil {
+
+				cert, ok := data[i+2].(Certificate)
+				if !ok {
+					return "", errors.New("third value in triplet must be a certificate or nil")
+				}
+				chain = append(chain, keystore.Certificate{
+					Type:    "X509",
+					Content: cert.Raw,
+				})
+			}
+
+			pkeIn := keystore.PrivateKeyEntry{
+				CreationTime:     time.Now(),
+				PrivateKey:       privPKCS8,
+				CertificateChain: chain,
+			}
+
+			if err := ks.SetPrivateKeyEntry(alias, pkeIn, []byte(password)); err != nil {
+				return "", err
+			}
+		}
+	}
+
+	var f bytes.Buffer
+	err := ks.Store(&f, []byte(password))
+	if err != nil {
+		return "", err
+	}
+	return f.String(), nil
+}
+
 // ManifestTemplateFuncMap defines the functions which can be specified for secret injections into files in the in Go template format.
 var ManifestFileTemplateFuncMap = template.FuncMap{
 	"pem":    EncodeSecretDataToPem,
 	"hex":    EncodeSecretDataToHex,
 	"raw":    EncodeSecretDataToRaw,
 	"base64": EncodeSecretDataToBase64,
+	"jks":    EncodeSecretDataToJavaKeyStore,
 }
 
 // ManifestEnvTemplateFuncMap defines the functions which can be specified for secret injections into Env variables in the Go template format.
diff --git a/go.mod b/go.mod
index d24e2dd4f..92fbe0928 100644
--- a/go.mod
+++ b/go.mod
@@ -109,6 +109,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index fac2ed4ca..1ff4622a7 100644
--- a/go.sum
+++ b/go.sum
@@ -921,6 +921,8 @@ github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xA
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0 h1:y9azNmMzvkNBPyczpNRwaV4bm0U6e7Oyrj7gi2/SNFI=
+github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0/go.mod h1:lAVhWwbNaveeJmxrxuSTxMgKpF6DjnuVpn6T8WiBwYQ=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
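Review bot: `x509.MarshalPKCS8PrivateKey(priv)` in the `else` branch of `EncodeSecretDataToJavaKeyStore` only accepts rsa, ecdsa and ed25519 key values; if the manifest's `PrivateKey` type is the byte-slice wrapper that the sibling PEM helper appears to consume (its definition is outside this hunk), the call returns an unknown-key-type error for every private-key triplet, so either the bytes should be passed through as already-encoded PKCS#8 or parsed into a key value first — a unit test that injects a key would settle this. The doc comment names the wrong function; it should read `// EncodeSecretDataToJavaKeyStore encodes triplets of alias, private key and certificate as a Java keystore; pass nil for a missing key or certificate.` The same `password` both protects every private-key entry and seals the store, and since it arrives as a template argument it lives in the manifest in clear while JKS private-key protection is a legacy algorithm, so that limitation belongs in the doc comment so manifest authors do not treat the keystore password as an extra layer of secrecy. `CreationTime: time.Now()` makes the encoded output differ on every evaluation, which is harmless but worth a one-line comment if byte-stable output is ever compared. The error string on the `len(data)%3` check ends with a period and mixes sentence case; Go error strings are conventionally lowercase without trailing punctuation.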