This repository has been archived by the owner on Apr 5, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 17
/
marblerun.go
84 lines (70 loc) · 3 KB
/
marblerun.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
/* Copyright (c) Edgeless Systems GmbH
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA */
package db
import (
"crypto"
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"errors"
"os"
)
// EnvRootCertificate is the name of the environment variable holding the root certificate passed by Marblerun (created as a secret)
const EnvRootCertificate = "EDB_ROOT_CERT"
// EnvRootKey is the name of the environment variable holding the private key for root certificate passed by Marblerun (as a secret)
const EnvRootKey = "EDB_ROOT_KEY"
func setupCertificateFromMarblerun() ([]byte, crypto.PrivateKey, error) {
// Retrieve root certificate and private key over environment, which Marblerun should pass through
marbleSecretRootCert := os.Getenv(EnvRootCertificate)
marbleSecretPrivKey := os.Getenv(EnvRootKey)
// If some of them are empty or non-existant, abort. Secret definitions are required when running under Marblerun.
if marbleSecretRootCert == "" || marbleSecretPrivKey == "" {
return nil, nil, errors.New("edb did not retrieve secret definition for root certificate from marblerun")
}
// Decode root certificate PEM retrieved from env
block, _ := pem.Decode([]byte(marbleSecretRootCert))
if block == nil {
return nil, nil, errors.New("failed to parse root certificate PEM from marblerun secret")
}
cert := block.Bytes
// Check if we got a CA certificate
certParsed, err := x509.ParseCertificate(cert)
if err != nil {
return nil, nil, err
}
if !certParsed.IsCA {
return nil, nil, errors.New("root certificate passed from marblerun is not a CA")
}
// Decode private key PEM retrieved from env
block, _ = pem.Decode([]byte(marbleSecretPrivKey))
if block == nil {
return nil, nil, errors.New("failed to parse private key PEM from marblerun secret")
}
key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
return nil, nil, err
}
// Check if a reasonable key size was chosen in the secret definiton
// For ed25519, Go enforces this whenever we use these keys and panics otherwise (though Marblerun should never allow this anyway)
switch privKey := key.(type) {
case *rsa.PrivateKey:
if privKey.N.BitLen() < 2048 {
return nil, nil, errors.New("rsa key retrieved from marblerun is too short")
}
case *ecdsa.PrivateKey:
if privKey.Curve.Params().BitSize < 256 {
return nil, nil, errors.New("ecdsa key retrieved from marblerun is too short")
}
}
return cert, key, nil
}