harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 23:23:57 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #148 from matter-labs/cacert

Browse source 
fix: update the common `cacert` and include it in the unseal container
This commit is contained in:
Harald Hoyer 2024-07-03 11:42:45 +02:00 committed by GitHub
commit 8402eb6bd8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 38 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

6
bin/tee-vault-unseal/src/main.rs
View file

@ -61,6 +61,8 @@ pub struct UnsealServerConfig {
pub vault_auth_tee_sha: String, pub vault_auth_tee_sha: String,
/// version string of the vault_auth_tee plugin /// version string of the vault_auth_tee plugin
pub vault_auth_tee_version: String, pub vault_auth_tee_version: String,
/// the common cacert file for the vault cluster
pub ca_cert_file: PathBuf,
} }
/// Server state /// Server state
@ -101,6 +103,9 @@ struct Args {
vault_auth_tee_sha_file: Option<PathBuf>, vault_auth_tee_sha_file: Option<PathBuf>,
#[arg(long, env = "VAULT_AUTH_TEE_VERSION")] #[arg(long, env = "VAULT_AUTH_TEE_VERSION")]
vault_auth_tee_version: String, vault_auth_tee_version: String,
/// ca cert file
#[arg(long, env = "CA_CERT_FILE", default_value = "/opt/vault/cacert.pem")]
ca_cert_file: PathBuf,
#[clap(flatten)] #[clap(flatten)]
pub attestation: VaultAttestationArgs, pub attestation: VaultAttestationArgs,
} }
@ -156,6 +161,7 @@ async fn main() -> Result<()> {
allowed_tcb_levels: Some(args.allowed_tcb_levels), allowed_tcb_levels: Some(args.allowed_tcb_levels),
vault_auth_tee_sha: args.vault_auth_tee_sha, vault_auth_tee_sha: args.vault_auth_tee_sha,
vault_auth_tee_version: args.vault_auth_tee_version, vault_auth_tee_version: args.vault_auth_tee_version,
ca_cert_file: args.ca_cert_file,
}); });
let server_state = Arc::new(RwLock::new(server_state)); let server_state = Arc::new(RwLock::new(server_state));

2
bin/tee-vault-unseal/src/unseal.rs
View file

@ -130,7 +130,7 @@ pub async fn post_unseal(
info!("Vault is unsealed and hopefully configured!"); info!("Vault is unsealed and hopefully configured!");
info!("Initiating raft join"); info!("Initiating raft join");
// load TLS cert chain // load TLS cert chain
let mut cert_file = File::open("/opt/vault/tls/cacert.pem") let mut cert_file = File::open(&app.ca_cert_file)
.context("Failed to open TLS cert chain") .context("Failed to open TLS cert chain")
.status(StatusCode::INTERNAL_SERVER_ERROR)?; .status(StatusCode::INTERNAL_SERVER_ERROR)?;

14
packages/container-vault-start-config/cacert.conf Normal file
View file

@ -0,0 +1,14 @@
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
O = Test CA, Limited
CN = Test CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

32
packages/container-vault-start-config/cacert.pem
View file

@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIFSDCCAzCgAwIBAgIUDjUfoOY4o+E38mka8ViQOPpHBhgwDQYJKoZIhvcNAQEL MIIFSzCCAzOgAwIBAgIUI3GSJC4gh0ywYnHvGadGnt6N/6EwDQYJKoZIhvcNAQEL
BQAwLTEZMBcGA1UECgwQVGVzdCBDQSwgTGltaXRlZDEQMA4GA1UEAwwHVGVzdCBD BQAwLTEZMBcGA1UECgwQVGVzdCBDQSwgTGltaXRlZDEQMA4GA1UEAwwHVGVzdCBD
QTAeFw0yMzA2MDYwNzU4MTNaFw0yNDA2MDUwNzU4MTNaMC0xGTAXBgNVBAoMEFRl QTAeFw0yNDA3MDMwOTExNDVaFw0zNDA3MDEwOTExNDVaMC0xGTAXBgNVBAoMEFRl
c3QgQ0EsIExpbWl0ZWQxEDAOBgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEB c3QgQ0EsIExpbWl0ZWQxEDAOBgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQD4hjplzpqaXoWL/8bex/zBStuYmBuOGvIELS5aiHfw AQUAA4ICDwAwggIKAoICAQD4hjplzpqaXoWL/8bex/zBStuYmBuOGvIELS5aiHfw
XfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsARe/0cHn438rVbeFK6cJl/kXlwGMOy XfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsARe/0cHn438rVbeFK6cJl/kXlwGMOy
@ -14,18 +14,18 @@ dTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/Tdc+yg7NxOHPpJ6ZULK6d9n1glV5
PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8tpZqBmjhMWQddwAd5MZGWS0VBKBZb PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8tpZqBmjhMWQddwAd5MZGWS0VBKBZb
b5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAdMpw+wQcZQ+6twIpAQU3k6imJ4yGz b5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAdMpw+wQcZQ+6twIpAQU3k6imJ4yGz
ZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x49uAi5KpTBeeY/lLMnFLRa5sDUtLn ZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x49uAi5KpTBeeY/lLMnFLRa5sDUtLn
kwIDAQABo2AwXjAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j kwIDAQABo2MwYTAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j
BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zALBgNV BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAIGigs3CZO1DdnaxZwUghMm95NAX HQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAGkEXb0JkTTRY66Ro1JqHC1Q
D7vKYFAmoNtbVBv1NAfpv23XOhAzccEFGg20XEa1t2z0Nfct9NDXxZ2VCgU+9vws C1jPK9tdqAvIdCj0smgp7htKs4ib7WW6RAxwNuEU+1Ls3pizorU7y1pR/bLsqGae
d96EBkufgnKrc/hLxRnVsExQxy5FKYz/d5LePeYd1OFS0bw+DRpzEnFZm34vpToj UykXjbJuR7Rk8DXAJScr5JOmUqzwKJVq6CQp2co9ccuJxhsPwvWhFPj7jWUXwaKT
mku845LtHbeZEzaVdzaSu9m7YcoENGgGuOlsgvp/qB6MlxI0fHG5M2M5aLnIEyIv 4UzGPZnfgQ3JfBRNND8CCLfDhKgHFkEsIodCw1BmGgOW8NGuIwDeJuhslT8Cjvmg
QAMmX42eJ09jhaLr8dl2zLImyIYO0dMO0NNl5gU01cpJ5REHJ3e3oUDUJ5ZZCL51 VQ6Xxkv3TJvMOti5hdql2VnYZZDSZfBuJ2rOp1Z6L+yxiTVg0suAUsypTh9oIup3
/VYSd/btHYRCdH/w6FSUOGGwU38LhhbeD94103gkKS5bfIui77sY0F3jRIluVQci uSA2InYdHF40XB2nNYlsZZkdNowHiadGn5oG8JWe1ovSjnSaCyWt3LgWrteYciUH
PnKzRNsfl5uL8KICDJtT6uNwkhSG4ucYNAb21eo6idzyMe4qdJz1poPjmph19rnU TL5FFmwLa8CTQvvJD6O/GnV4o4BIpUxeouRiDHHoEDvKtrOdmvSxNeChJNrFBWUs
oAE/0+jqOyVErBZuRAL9wbQg1Prqx1WBsOIUyi5Y7qAUt+AuDt0uf4mdRnE1yDvw RFlZndkxI8rai3ntZrOgveb4HkGTsMkLu2fuOaD86Zt/1jigwkYSUTPZR54b0UGw
o0CIz3XLD1YoHXqJ/Nu1By1fI2zA0Y7osSX4SzfbD0EUXqjUyy80KrvKmJaV8lMd 2v4OySN/lLMh0/jgU8pA7LxmuKbiTVS4mooJn5fr10neHLK/M1wpvCBfaYS0Z+C5
1/jGHuApNQjZFwbY+RN0OTtDk7zPAETaGz/15BEmVDpq0OAVqe0XrXpQfaYwHzzq iD1XTNksNSoE3QByFWl03uYZG6hwTTRrd7cLs1Q8cww1DXjk43GsXteUuooniF4T
TsOvVYZSj2gsDbKzM8tmCkLoS+Yh5ubxaoIE2qCjvFNXZwFzqQtDgBKQhjuE54+K kqrQm/RPexGk9fHWfkMmM0PQeO0PpBU3Dnz0eZWVRMsFIU8vQzx4AS3nx1pafCHw
lweZ5hgUkLPf5EW0 VWUxQhezhtddld0pMJe+
-----END CERTIFICATE----- -----END CERTIFICATE-----

1
packages/container-vault-unseal-sgx-azure/default.nix
View file

@ -12,6 +12,7 @@ nixsgxLib.mkSGXContainer {
inherit tag isAzure; inherit tag isAzure;
packages = [ packages = [
teepot.container-vault-start-config
vat.vault-auth-tee.sha vat.vault-auth-tee.sha
teepot.teepot.tee_vault_unseal teepot.teepot.tee_vault_unseal
]; ];