diff --git a/README.md b/README.md index a84a1da..1aac3d1 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ Cast of characters: * `Builder`: - This project builds the trusted container image from source and optionally signs it using [cosign](https://github.com/sigstore/cosign). - Each collaborator may have access to inspect the code and build pipeline to confirm image code quality and image hash. - - Each collaborator may build an image from source to cross check the hash value. Images are built with `bazel` and will arrive at the same image hash no matter where it is built. + - Each collaborator may build an image from source to cross check the hash value. Images are built with `bazel` or `kaniko` and each will arrive at their own consistent same image hash. * `Operator` - This project runs the trusted execution environment (`TEE`) where the image the builder provides runs. @@ -53,13 +53,13 @@ At the end of this exercise, each collaborator will encrypt some data with their * [Test](#test) * [Appendix](#appendix) - [Audit Logging](#audit-logging) - - [Logging](#logging) - - [Bazel build overrides](#bazel-build-overrides) + - [Logging](#logging) + - [Inbound Traffic](#inbound-traffic) + - [Reproducible Builds](#reproducible-builds) - [VPC-SC](#vpc-sc) - [mTLS using acquired Keys](#mtls-using-acquired-keys) - [Attestation Token and JWT Bearer token](#attestation-token-and-jwt-bearer-token) - [Authenticating with other Cloud Providers](#authenticating-with-other-cloud-providers) - - [Inbound Traffic](#inbound-traffic) - [Outbound traffic via NAT](#outbound-traffic-via-nat) - [Running locally](#running-locally) - [Client-Side Encryption](#client-side-encryption) 
@@ -74,6 +74,7 @@ At the end of this exercise, each collaborator will encrypt some data with their - [Threshold Encryption and Signatures](#threshold-encryption-and-signatures) - [Check Cosign Signature and Attestation at Runtime](#check-cosign-signature-and-attestation-at-runtime) - [Software Bill of Materials](#software-bill-of-materials) + - [goreleaser](#goreleaser) --- 
@@ -132,17 +133,18 @@ It is critical that each collaborator trusts the code that is built does what it One option to do this is if each collaborator can view the code that will ultimately get deployed into the TEE. The code and container there adheres to specific constraints to _not_do the bad stuff cited above. What each code does to meet those standards is out of the scope for this article. What we will show here is how a given code will create the same container hash value (i.,e you know the code you trust is running in a given container) -The technique used in this example uses `bazel` to create reproducible container images. By that, I mean for the same code base, `bazel` will generate an image with _the same image hash value_ no matter where it's built. Using this capability, a collaborator can build a given image from a specific source repo commit, then inspect the resulting image hash value. The collaborators can then authorize that image hash access to their KMS key. +The technique used in this example uses `kaniko` (default) or `bazel` to create reproducible container images. By that, I mean for the same code base, these will generate an image with _the same image hash value_ no matter where it's built. Using this capability, a collaborator can clone the source, generate a build and then inspect the resulting image hash value. The collaborators can then authorize that image hash access to their KMS key. -You don't _have to_ use `bazel` to build an image (you can just use the `Dockerfile` provided in this example). If you don't use bazel, you'll get a different image hash though. +You don't _have to_ use `bazel` or `kaniko` to build an image (you can just use the `Dockerfile` provided in this example). However, if you don't use those, you'll get a different image hash though. 
-In this example using bazel, the code will always produce a hash of +In this example using `kaniko`, the code will always produce a hash of (see [reproducible Builds](#reproducible-builds)) -* `tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef` +* `tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76` For more info, see - [Building deterministic Docker images with Bazel](https://blog.bazel.build/2015/07/28/docker_build.html) +- [Deterministic container hashes and container signing using Cosign, Kaniko and Google Cloud Build](https://github.com/salrashid123/cosign_kaniko_cloud_build) - [Deterministic container hashes and container signing using Cosign, Bazel and Google Cloud Build](https://github.com/salrashid123/cosign_bazel_cloud_build) - [Deterministic builds with go + bazel + grpc + docker](https://github.com/salrashid123/go-grpc-bazel-docker) - [Deterministic builds with nodejs + bazel + docker](https://github.com/salrashid123/nodejs-bazel-docker) 
@@ -218,59 +220,11 @@ gsutil iam ch \ serviceAccount:cosign@$BUILDER_PROJECT_ID.iam.gserviceaccount.com:objectAdmin \ gs://$BUILDER_PROJECT_ID\_cloudbuild -# create a cloud source repo to hold the source code -gcloud source repos create app-repo +gcloud beta builds submit --config=cloudbuild_kaniko.yaml +# gcloud beta builds submit --config=cloudbuild_bazel.yaml -# allow cloud build access to the source -## you can allow collaborators to view the source here too as well as allow the collaborators to see the full build pipeline -gcloud projects add-iam-policy-binding $BUILDER_PROJECT_ID \ - --member=serviceAccount:cosign@$BUILDER_PROJECT_ID.iam.gserviceaccount.com \ - --role=roles/source.reader - -## clone the repo and commit the code -gcloud source repos clone app-repo -cd app-repo -cp -R ../app/* . - -git add -A -git commit -m "add" -git push - - -# optionally locally sign using [goreleaser](https://goreleaser.com/) to generate the software `sbom` and other artifacts -# use the same kms key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 -# or use a gpg key (default) -# software sbom and signatures will be in the dist/ folder -## the public key is https://keyserver.ubuntu.com/pks/lookup?search=5D8EA7261718FE5728BA937C97341836616BF511&fingerprint=on&op=index -## TODO: add to cloud build steps -## requires cosign and syft in PATH - -## for GPG -# export GPG_FINGERPRINT=5D8EA7261718FE5728BA937C97341836616BF511 # your gpg key will be different -# goreleaser release --snapshot --rm-dist -## for github; gcr does not support artifacts like this afaik -# git tag v1.0.0 -# git push origin --tags -# goreleaser release --rm-dist - - -# Create a manual trigger; you could have created trigger on push too -gcloud beta builds triggers create manual --region=global \ - --name=app-build-trigger --build-config=cloudbuild.yaml \ - --repo=https://source.developers.google.com/p/$BUILDER_PROJECT_ID/r/app-repo \ - 
--repo-type=CLOUD_SOURCE_REPOSITORIES --branch=main \ - --service-account=projects/$BUILDER_PROJECT_ID/serviceAccounts/cosign@$BUILDER_PROJECT_ID.iam.gserviceaccount.com - -# generate the cloud build -gcloud beta builds triggers run app-build-trigger --region=global --branch=main - -# or direct -# gcloud beta builds submit . - -# then optionally stream the build logs -gcloud builds list - -## note, if you want to modify the code, use bazel to regenerate the dependencies +## for local Bazel +## if you want to modify the code, use bazel to regenerate the dependencies # to acquire bazel go dependency references # bazel run :gazelle -- update-repos -from_file=go.mod -prune=true -to_macro=repositories.bzl%go_repositories @@ -286,6 +240,7 @@ gcloud builds list # gcr.io/cloud-builders/bazel@sha256:f00a985c3196cc58819b6f7e8e40353273bc20e8f24b54d9c92d5279bb5b3fad \ # --output_user_root=/tmp/build_output run --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 :server + ### then tag and push...Note: the artifacts here will not include items generated through cosign...its just the image alone # docker tag us-central1-docker.pkg.dev/builder-project/repo1/tee:server us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server # docker push us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server 
@@ -294,20 +249,13 @@ gcloud builds list # pull the image. you should see the exact same image hash docker pull us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server docker inspect us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server | jq -r '.[].RepoDigests[]' -docker inspect us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef - -docker pull docker.io/salrashid123/tee:server -docker inspect docker.io/salrashid123/tee:server +docker inspect us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 ``` The cloud build step should give this specific container hash ![images/build_hash.png](images/build_hash.png) -if needed the builder can demonstrate deriving from a specific git commit hash was associated with the build. - -![images/commit_hash.png](images/commit_hash.png) - The cloud build steps also used a kms key to sign the images using [cosign](https://github.com/sigstore/cosign). Using `cosign` is a completely optional step used to add verification signatures and claims to the image. See appendix for more information. @@ -317,7 +265,7 @@ Using `cosign` is a completely optional step used to add verification signatures Once the image is built and each collaborator is in agreement that the code contained in image -- `us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef` +- `us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76` isn't going to do anything malicious like exfiltrate their precious data, they can authorize that container to run in `Confidential Space` managed by an Operator. 
@@ -434,7 +382,7 @@ gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=glob ## we've already performed corse grain authorization on the workload pool and this step ## applies fine grain control to a specific image to decrypt data gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=global --project $COLLABORATOR_1_PROJECT_ID \ - --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef" \ + --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76" \ --role=roles/cloudkms.cryptoKeyDecrypter ``` 
@@ -447,7 +395,7 @@ In other words, the use of the KMS key is now bound to the operator's project wh Access is granted to an identity bound to the image: ```bash -principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef +principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 ``` We could have configured the entire workload provider to mandate that any access to any resource must include that specific image has. This demo, however, abstracts it to the resource (KMS key) binding. This was done to allow more operational flexibility: if the image builder creates a new image hash, each collaborator can more easily replace the IAM binding on specific resources instead of redefining the entire providers constraints. 
@@ -489,7 +437,7 @@ gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=glob --member="user:$COLLABORATOR_2_GCLOUD_USER" --role=roles/cloudkms.cryptoKeyEncrypter gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=global --project $COLLABORATOR_2_PROJECT_ID \ - --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_2_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef" \ + --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_2_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76" \ --role=roles/cloudkms.cryptoKeyDecrypter ``` @@ -546,7 +494,7 @@ gcloud compute instances create vm1 --confidential-compute \ --image-project=confidential-space-images \ --image-family=confidential-space --network=teenetwork --no-address \ --service-account=operator-svc-account@$OPERATOR_PROJECT_ID.iam.gserviceaccount.com \ - --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef~tee-restart-policy=Never~tee-container-log-redirect=true + --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76~tee-restart-policy=Never~tee-container-log-redirect=true ## B) Using mTLS with external IP 
@@ -559,7 +507,7 @@ gcloud compute instances create vm1 --confidential-compute \ --image-project=confidential-space-images \ --image-family=confidential-space --network=teenetwork \ --service-account=operator-svc-account@$OPERATOR_PROJECT_ID.iam.gserviceaccount.com \ - --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef~tee-restart-policy=Never~tee-container-log-redirect=true + --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76~tee-restart-policy=Never~tee-container-log-redirect=true export EXTERNAL_IP=`gcloud compute instances describe vm1 --zone=us-central1-a --format='get(networkInterfaces[0].accessConfigs.natIP)'` echo $EXTERNAL_IP @@ -585,6 +533,7 @@ We can now test this by submitting encrypted messages to the topic gcloud config configurations activate collaborator-1 export COLLABORATOR_1_PROJECT_ID=`gcloud config get-value core/project` export COLLABORATOR_1_PROJECT_NUMBER=`gcloud projects describe $COLLABORATOR_1_PROJECT_ID --format='value(projectNumber)'` + # gcloud auth application-default login ## For pubsub 
@@ -599,8 +548,13 @@ go run main.go \ cd http_client/ go run client.go \ --host $EXTERNAL_IP:8081 \ - --audience="//iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/providers/attestation-verifier" \ --kmsKey="projects/$COLLABORATOR_1_PROJECT_ID/locations/global/keyRings/kr1/cryptoKeys/key1" \ - --user=alice + --server_name=tee.collaborator1.com \ + --audience="//iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/providers/attestation-verifier" \ + --kmsKey="projects/$COLLABORATOR_1_PROJECT_ID/locations/global/keyRings/kr1/cryptoKeys/key1" \ + --user=alice \ + --ca_files=certs/root-ca-collaborator1.crt \ + --tls_crt=certs/client-collaborator1.crt \ + --tls_key=certs/client-collaborator1.key # submit some data as collaborator2 gcloud config configurations activate collaborator-2 @@ -621,8 +575,13 @@ go run main.go \ cd http_client/ go run client.go \ --host $EXTERNAL_IP:8081 \ - --audience="//iam.googleapis.com/projects/$COLLABORATOR_2_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/providers/attestation-verifier" \ --kmsKey="projects/$COLLABORATOR_2_PROJECT_ID/locations/global/keyRings/kr1/cryptoKeys/key1" \ - --user=alice + --server_name=tee.collaborator2.com \ + --audience="//iam.googleapis.com/projects/$COLLABORATOR_2_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/providers/attestation-verifier" \ + --kmsKey="projects/$COLLABORATOR_2_PROJECT_ID/locations/global/keyRings/kr1/cryptoKeys/key1" \ + --user=alice \ + --ca_files=certs/root-ca-collaborator2.crt \ + --tls_crt=certs/client-collaborator2.crt \ + --tls_key=certs/client-collaborator2.key ``` If you happened to see the pubsub messages, you'll see the message data is encrypted: 
@@ -695,7 +654,39 @@ Describes a go struct denoting the [startup metadata](https://cloud.google.com/c (basically the specifications/signals sent during startup of the container) -### Bazel build overrides +### Reproducible Builds + +Building an container image using `docker` is not deterministic and will produce different image hash values. + +If the all participants in this tutorial need assurance that a specific, attested code is infact running in the workload, they all need to confirm the the code results in a specific container image hash (alternatively, they need assurance from a 3rd party a specific image hash does what its intended to do only) + +In the most strict scenario, the builder of the image should devise some way to create consistent image hashes that each collaborator can independently verify. + +There are several ways to do this + +* `kaniko` + + This is the default mechanism shown in this repo. Images based of kaniko can be made reproducible via flag [link](https://github.com/salrashid123/cosign_kaniko_cloud_build) + +* `bazel` + + Bazel can build these types of images too but...see the sad state of bazel's [rules_docker](https://github.com/bazelbuild/rules_docker#status) and even then, using [rules_go](https://github.com/bazelbuild/rules_go/issues/3467) is challenging. 
+ +* `ko` + + Ko is designed for go applications and can also create reproducible images + +* `buildah` + + see [https://tensor5.dev/reproducible-container-images/](https://tensor5.dev/reproducible-container-images/) + + +Note, i've observed a build using bazel and kaniko produces the different hashes for the same code...not sure what the case is (implementation or have some small variation i didn't account for; likely the override stated below)...eitherway, i did see builds are self-consistent and reproducible using the same tool + +* Kaniko produces `tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76` +* Bazel produces `tee@sha256:0c4218b0bd841b7844389cd17b2d57d681a18761d91c70b791be5581cc5dab93` + +#### Bazel Overrides The bazel build configuration in this repo works as is (it better!)...however it required several workarounds due to the way bazel's `rules_go` works with generated google api protos. 
@@ -791,13 +782,21 @@ title: collaborator_1_perimeter Note, VPC-SC "ingressPolicy->ingressFrom->identity" does not support `principal://` or `principalSet://` get so we have to enable `ANY_IDENTITY`. Ideally, we could tune the identity to: ```bash -principalSet://iam.googleapis.com/projects/$COLLABORATOR1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef +principalSet://iam.googleapis.com/projects/$COLLABORATOR1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 ``` If the TEE attempts to access the STS or KMS endpoint for any collaborator who _has not_ authorized the project for ingress, they would see a VPC-SC error at the level where the API is invoked. In the following, the even the token grant fails ![images/vpc-sc.png](images/vpc-sc.png) +#### Inbound Traffic + +At the time of writing (3/29/23), Confidential Space does *not* allow inbound traffic to the container (it can only establish outbound sockets like subscribing to a pubsubtopic). + +This will change in the future so the code in this repo contains an unused snippet demonstrating mTLS listening socket. + +see section below + #### mTLS using acquired Keys The object that is decrypted within a TEE can easily be a keypair used to establish or receive an mTLS connection. 
@@ -806,17 +805,63 @@ For outbound, a collaborator may choose to send an mTLS keypair to the TEE which There are several ways to achieve this where a pregenerated collaborator provided TLS CA and key pair is surfaced through a collaborator's own `Secret Manager` or using `GCP Private CA` to sign a CSR. (i.,e, instead of making KMS API calls back to a collaborators KMS syste, each collaborator unseals their secret or issues their own x509 within the TEE) -You can find basic examples of seedign a generic key into secret manager or issuing a cert via private ca [here](https://gist.github.com/salrashid123/f06eacd80a25611a7c322d8e6f99942f) +You can find basic examples of seeding a generic key into secret manager or issuing a cert via private ca [here](https://gist.github.com/salrashid123/f06eacd80a25611a7c322d8e6f99942f) For inbound traffic, its the same but you can use one listener port that enforces different collaborators mtls CAs. In this mode, each collaborator seeds the TEE with its own CA for client certs and its own server certificates. A client will connect to the common listner port and perform mTLS using a client cert issued by a specific collaborators CA. The client can also validate the server certificate was issued by that CA. You can find an example of that at -* [go mTLS with multiple certificate issuers and OCSP verification](https://github.com/salrashid123/go_mtls_scratchpad#tls-config-without-client-ca) +* [go mTLS with multiple certificate issuers and OCSP verification](https://github.com/salrashid123/go_mtls_scratchpad#tls-config-without-client-ca). 
+ +The repo here contains a basic example of this techinque: if the server TLS certificates were materialized on startup (i.,e these keys were delivered to the TEE by each individual collaborator) + +```golang + // load the server certs issued by both ca1 and ca2, pretend these should use get loaded + // from each collaborators's secret manager or private ca using the attestation token (similar to the KMS decryption) + server1_cert, err := tls.LoadX509KeyPair(*collaborator1_tls_crt, *collaborator1_tls_key) + if err != nil { + panic(err) + } + + server2_cert, err := tls.LoadX509KeyPair(*collaborator2_tls_crt, *collaborator2_tls_key) + if err != nil { + panic(err) + } +``` + +Then the TEE will startup and enforce mTLS by specifing the exact client CA that should be honored based on the SNI and reject all other inbound traffic + +```golang + tlsConfig := &tls.Config{ + GetConfigForClient: func(ci *tls.ClientHelloInfo) (*tls.Config, error) { + if ci.ServerName == "tee.collaborator1.com" { + return &tls.Config{ + ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: client1_root_pool, + GetCertificate: func(ci *tls.ClientHelloInfo) (*tls.Certificate, error) { + return &server1_cert, nil + }, + }, nil + } + if ci.ServerName == "tee.collaborator2.com" { + return &tls.Config{ + ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: client2_root_pool, + GetCertificate: func(ci *tls.ClientHelloInfo) (*tls.Certificate, error) { + return &server2_cert, nil + }, + }, nil + } + return nil, fmt.Errorf("SNI not recognized %s", ci.ServerName) + }, + } +``` + +Essentially, the client *must* present a client certificate issued exclusively the CA and client certificates associated with their collaborator. Altarnatively, the mtls connection can be used to in a 'multi-party' capability which different collaborators each holds their keysiare which is used together to create the TLS connection. 
This idea is explored in the following repo: --[Multiparty Consent Based Networks (MCBN)](https://github.com/salrashid123/mcbn) +- [Multiparty Consent Based Networks (MCBN)](https://github.com/salrashid123/mcbn) Finally, you can also establish an mTLS connection where the private key resides in your KMS system. 
@@ -841,72 +886,54 @@ Instead, you can generate a JWT token using another KMS key you have access to t ```json { "aud": "https://sts.googleapis.com", - "exp": 1680991898, - "iat": 1680988298, - "iss": "https://confidentialcomputing.googleapis.com", - "nbf": 1680988298, - "sub": "https://www.googleapis.com/compute/v1/projects/vegas-codelab-5/zones/us-central1-a/instances/vm1", - "tee": { - "version": { - "major": 0, - "minor": 0 - }, - "platform": {}, - "container": { - "image_reference": "", - "image_digest": "", - "restart_policy": "", - "image_id": "", - "env_override": null, - "cmd_override": null, - "env": null, - "args": null - }, - "gce": {} - }, - "secboot": true, - "oemid": 11129, - "hwmodel": "GCP_AMD_SEV", - "swname": "CONFIDENTIAL_SPACE", - "swversion": [ - "1" - ], "dbgstat": "disabled-since-boot", + "exp": 1682310820, "google_service_accounts": [ "operator-svc-account@vegas-codelab-5.iam.gserviceaccount.com" ], + "hwmodel": "GCP_AMD_SEV", + "iat": 1682307220, + "iss": "https://confidentialcomputing.googleapis.com", + "nbf": 1682307220, + "oemid": 11129, + "secboot": true, + "sub": "https://www.googleapis.com/compute/v1/projects/vegas-codelab-5/zones/us-central1-a/instances/vm1", "submods": { + "confidential_space": { + "support_attributes": [ + "LATEST", + "STABLE", + "USABLE" + ] + }, "container": { - "image_reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef", - "image_digest": "sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef", - "restart_policy": "Never", - "image_id": "sha256:091f555f44a605fc3dd235f25fe496dcbb6ed44bc919582fa0da274faa13a1a8", - "env_override": null, + "args": [ + "/server" + ], "cmd_override": null, "env": { "HOSTNAME": "vm1", "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt" }, - "args": [ - "/server" - ] + "env_override": null, + 
"image_digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76", + "image_id": "sha256:aa02ff324c8a0d8c512d8babddb679b9972d336ac5477e4f745e81213bce37c7", + "image_reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76", + "restart_policy": "Never" }, "gce": { - "zone": "us-central1-a", + "instance_id": "1165979995028866800", + "instance_name": "vm1", "project_id": "vegas-codelab-5", "project_number": "75457521745", - "instance_name": "vm1", - "instance_id": "281434138997450489" - }, - "confidential_space": { - "support_attributes": [ - "LATEST", - "STABLE", - "USABLE" - ] + "zone": "us-central1-a" } - } + }, + "swname": "CONFIDENTIAL_SPACE", + "swversion": [ + "1" + ] } ``` @@ -933,12 +960,6 @@ You maybe tempted to setup GCP Workload Federation with other cloud providers fr However, you can't use the TEE attestation oidc token (for the reason described earlier)...nor can you use the VM's [instance identity document](https://cloud.google.com/compute/docs/instances/verifying-instance-identity) since any VM (Confidential Space or otherwise) in operator's project would surface that same google OIDC token specifications. -#### Inbound Traffic - -At the time of writing (3/29/23), Confidential Space does *not* allow inbound traffic to the container (it can only establish outbound sockets like subscribing to a pubsubtopic). - -This will change in the future so the code in this repo contains an unused snippet demonstrating mTLS listening socket. - #### Outbound traffic via NAT The operator can also create a [NAT gateway](https://cloud.google.com/nat/docs/overview) which will give a predictable egress address for non-google api outbound traffic. 
@@ -1252,7 +1273,7 @@ vault write auth/jwt/role/my-jwt-role -<TEE traffic first needs one TEE to discovery the address res There are many ways to establish service disovery of the TEE cluster/peers depending on the topoloy. The service discovery system by itself can be hosted entirely by the operator in this case if the peer TLS is mutually trusted by bootstrapping after attestation. In other words, even if the operator injects false TEE peer addresses, a client TEE cannot establish a TLS connection with the server since the server would not have bootstrapped mTLS credentials. Anyway, the various service discovery mechanisms -* [DNS Based Service Directory with TCP Internal Load Balancer](https://gist.github.com/salrashid123/93d899503d5799f10745a9fe7c89de87) + +* [DNS Based Service Directory with HTTP and TCP Internal Load Balancer](https://gist.github.com/salrashid123/93d899503d5799f10745a9fe7c89de87) With this, the GCP Service Directory is used to specify the address of an internal load balancer for a group of TEE backends 
@@ -1335,16 +1357,16 @@ To check the cosign signatures and attestations, install cosign and then: ## export BUILDER_PROJECT_ID=`gcloud config get-value core/project` ## export BUILDER_PROJECT_NUMBER=`gcloud projects describe $BUILDER_PROJECT_ID --format='value(projectNumber)'` ## gcloud auth application-default login -$ cosign tree us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef - -📦 Supply Chain Security Related artifacts for an image: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef -└── 💾 Attestations for an image tag: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef.att - └── 🍒 sha256:2a0120689d41f754883c1a0a8535939fb772f62326f5c3d7caeffab538803979 -└── 🔐 Signatures for an image tag: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef.sig - └── 🍒 sha256:e8c2f4693333251be3fcd5211d1257397e4e5fd5b1ffcff5c5123319ddb3ed0d -└── 📦 SBOMs for an image tag: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef.sbom - └── 🍒 sha256:fdef27b42f38dc1cbee98b0614a6b418a08cf03c168176c537683417a710dc51 - +$ cosign tree us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 + +📦 Supply Chain Security Related artifacts for an image: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 +└── 💾 Attestations for an image tag: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76.att + ├── 🍒 sha256:e7605917444a8da52c763129a67140e1bb009b6f90eb02c12b60d25055680b55 + └── 🍒 
sha256:fb911e29d41e1b8e560814a989463cce1e9667770fd0f4c759e730ebb0c88c80 +└── 🔐 Signatures for an image tag: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76.sig + └── 🍒 sha256:93e1f8142a982550ae0c2f1203bee48e4baa56cd1bdfe53afef75de7d6b4322b +└── 📦 SBOMs for an image tag: us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76.sbom + └── 🍒 sha256:93c867397e03c3b74097243a16e9512ccce82d3c5f542defb1a3a07c95ece72c ``` which will exist as additional artifacts in the registry @@ -1362,11 +1384,11 @@ gcloud kms keys versions get-public-key 1 \ # for that use --key gcpkms://projects/$BUILDER_PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 cosign verify --key /tmp/kms_pub.pem \ - us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef | jq '.' + us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 | jq '.' # the output for the verify will look like: -Verification for us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef -- +Verification for us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key 
@@ -1377,7 +1399,7 @@ The following checks were performed on each of these signatures: "docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee" }, "image": { - "docker-manifest-digest": "sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef" + "docker-manifest-digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76" }, "type": "cosign container image signature" }, 
@@ -1387,29 +1409,25 @@ The following checks were performed on each of these signatures: } ] - - # now verify the attestation that is cross checked with the rego in `policy.rego` (cosign_verify/policy.rego) # (all that this rego validates is if foo=bar is present in the predicate (which we did during the cloud build steps)) cosign verify-attestation --key /tmp/kms_pub.pem --policy cosign_verify/policy.rego \ - us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef | jq '.' + us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 | jq '.' -Verification for us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef -- +Verification for us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key { "payloadType": "application/vnd.in-toto+json", - "payload": "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", + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJjb3NpZ24uc2lnc3RvcmUuZGV2L2F0dGVzdGF0aW9uL3YxIiwic3ViamVjdCI6W3sibmFtZSI6InVzLWNlbnRyYWwxLWRvY2tlci5wa2cuZGV2L21pbmVyYWwtbWludXRpYS04MjAvcmVwbzEvdGVlIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjdkNjcwYTc5MWIzODA0NmZiZGEwMWUyMmI0NjZlY2QyMzVkMzY4YTNmYzVhZTVhYTZjMDUxNjljNDc1ZDBkNzYifX1dLCJwcmVkaWNhdGUiOnsiRGF0YSI6InsgXCJwcm9qZWN0aWRcIjogXCJtaW5lcmFsLW1pbnV0aWEtODIwXCIsIFwiYnVpbGRpZFwiOiBcImM5MTk0NmRjLTdkNjAtNDNkNi05MDhjLTRkOThhNDdhMWY1MlwiLCBcImZvb1wiOlwiYmFyXCIsIFwiY29tbWl0c2hhXCI6IFwiXCJ9IiwiVGltZXN0YW1wIjoiMjAyMy0wNC0yNFQwMzo0Njo1OFoifX0=", "signatures": [ { "keyid": "", - "sig": 
"MEYCIQCS28FJoOvXI7ismNJZwYNbOpTtlaOZx/29bRowI1ZxqQIhAOXmfsX+7lYnqXgGm/lx4PuwrDwJZf1JnTiu8yiqd6hz" + "sig": "MEYCIQCnKcVkjdrvVhwEZ4Qyfw7RzF3RBhfpuujUfgrAQLfILQIhAJuNCbmLkwdpcSrrthq3OdIogPIIIU9DsuihSgz3HfE4" } ] -} - ## if you decode the payload, you'll see the predicate and image attestations (build number, commit hash, timestamp and the prediecate KV pair we sent during build (foo=bar in consign_verify/policy.rego)) @@ -1421,17 +1439,13 @@ The following checks were performed on each of these signatures: { "name": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee", "digest": { - "sha256": "2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef" + "sha256": "7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76" } } ], "predicate": { - "Data": "{ - \"projectid\": \"mineral-minutia-820\", - \"buildid\": \"a8c144a4-2ad6-49bc-b77e-cec93a904c59\", - \"foo\":\"bar\", - \"commitsha\": \"cecabc978f9e82e867c8625438fa13369d0bf3c8\" }", - "Timestamp": "2023-04-08T21:00:30Z" + "Data": "{ \"projectid\": \"mineral-minutia-820\", \"buildid\": \"c91946dc-7d60-43d6-908c-4d98a47a1f52\", \"foo\":\"bar\", \"commitsha\": \"\"}", + "Timestamp": "2023-04-24T03:46:58Z" } } ``` 
@@ -1491,24 +1505,75 @@ This repo also demonstrates basic [Software Bill of materials](https://www.cisa. * application code * container image -The application code sbom is generated using [syft`]() and `goreleaser` and can be found in the `Releases` section of the repo. The sbom contains all the software used by go application. +The application code sbom is created as part of the build is _also_ generated using [syft](https://github.com/anchore/syft) and `goreleaser` and can be found in the `Releases` section of the repo. The sbom contains all the software used by go application. The container `sbom` is generated at build time and saved in the container registry. ->> unfortunately, the bazel toolchain does not surface the go libraries used by the application. see +>> unfortunately, the `bazel` toolchain does not surface the go libraries used by the application. see * [syft/1725](https://github.com/anchore/syft/issues/1725) +`kaniko` based builds, however, shows + +```bash +$ syft packages us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 + + ✔ Loaded image + ✔ Parsed image + ✔ Cataloged packages [34 packages] + +NAME VERSION TYPE +base-files 10.3+deb10u9 deb +cloud.google.com/go v0.107.0 go-module +cloud.google.com/go/compute/metadata v0.2.3 go-module +cloud.google.com/go/iam v0.8.0 go-module +cloud.google.com/go/kms v1.6.0 go-module +cloud.google.com/go/logging v1.6.1 go-module +cloud.google.com/go/longrunning v0.4.1 go-module +cloud.google.com/go/pubsub v1.27.1 go-module +github.com/golang-jwt/jwt v3.2.2+incompatible go-module +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e go-module +github.com/golang/protobuf v1.5.2 go-module +github.com/google/go-cmp v0.5.9 go-module +github.com/googleapis/enterprise-certificate-proxy v0.2.3 go-module +github.com/googleapis/gax-go/v2 v2.7.0 go-module +github.com/gorilla/mux v1.8.0 go-module +github.com/lestrrat/go-jwx v0.9.1 
go-module +github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8 go-module +github.com/pkg/errors v0.9.1 go-module +github.com/salrashid123/confidential_space/app (devel) go-module +go.opencensus.io v0.24.0 go-module +golang.org/x/net v0.6.0 go-module +golang.org/x/oauth2 v0.5.0 go-module +golang.org/x/sync v0.1.0 go-module +golang.org/x/sys v0.5.0 go-module +golang.org/x/text v0.7.0 go-module +google.golang.org/api v0.110.0 go-module +google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc go-module +google.golang.org/grpc v1.53.0 go-module +google.golang.org/protobuf v1.28.1 go-module +libc6 2.28-10 deb +libssl1.1 1.1.1d-0+deb10u6 deb +netbase 5.6 deb +openssl 1.1.1d-0+deb10u6 deb +tzdata 2021a-0+deb10u1 deb +``` + The sboms also include signatures verfiying its authenticity. The container image is signed by the same kms based cosing key -- Verify image sbom: +#### Download and Verify image sbom: ```bash -$ cosign verify --key /tmp/kms_pub.pem --attachment=sbom us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef | jq '.' +# download the imagebom +$ cosign download sbom --output-file latest.spdx.download \ + us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 + +$ cosign verify --key /tmp/kms_pub.pem --attachment=sbom \ + us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 | jq '.' 
-Verification for us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef.sbom -- +Verification for us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee:sha256-7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76.sbom -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key 
@@ -1519,43 +1584,61 @@ The following checks were performed on each of these signatures: "docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee" }, "image": { - "docker-manifest-digest": "sha256:9ff525d902be19f6693eab3b7fc799077f9eae76af42040c39840a6abb100b62" + "docker-manifest-digest": "sha256:298e7ad5c81959449118066fe124a9d533fc35f1dd33e3b7c999fb12947ef260" }, "type": "cosign container image signature" }, "optional": { - "commit_sha": "cecabc978f9e82e867c8625438fa13369d0bf3c8" + "commit_sha": "" } } ] - -# download the bom -cosign download sbom --output-file latest.spdx.download \ - us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef - - -wget https://github.com/salrashid123/confidential_space/releases/download/v1.0.0/kms_pub.pem . -cosign verify --key kms_pub.pem --attachment=sbom docker.io/salrashid123/tee@sha256:2a793fa4917428fe0c3fd2e6b807c5ddc81369071bbf5624427411d13b30c3ef - ``` -- Verify application sbom: +#### Download and Verify application sbom: -The application code can use the same cosign key or by default and in the git repo, using [my gpg key](https://keyserver.ubuntu.com/pks/lookup?search=5D8EA7261718FE5728BA937C97341836616BF511&fingerprint=on&op=index) +For the application, note we're asking for the `type=` field below ```bash -gpg --recv-keys 5D8EA7261718FE5728BA937C97341836616BF511 +cosign verify-attestation --key /tmp/kms_pub.pem --type="https://cyclonedx.org/bom/v1.4" \ + us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 | jq '.' 
-# get the .sbom and signature from the Release page on github -cd dist/ -$ gpg --verify confidential_space*.spdx.sbom.sig confidential_space*.spdx.sbom -gpg: Signature made Sun 09 Apr 2023 10:42:42 AM EDT -gpg: using RSA key CCAA9841EB015FA2FE711C912B8BE9E5D93A1D94 -gpg: Good signature from "Salmaan Rashid " [ultimate] +## note the payload: thats the full signed software sbom generated as part of cloud build + +Verification for us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 -- +The following checks were performed on each of these signatures: + - The cosign claims were validated + - The signatures were verified against the specified public key +{ + "payloadType": "application/vnd.in-toto+json", + "payload": "eyJfdHlwZSI....really_long", + "signatures": [ + { + "keyid": "", + "sig": "MEQCIGiwR6fS9UzMPXh6q9Ncj7xT9g76s/iNETYLwsT2PY+TAiAWm8kf7Rzd+V6q96zEbfglk1EABJGzQfva79L+iNYnbQ==" + } + ] +} ``` -also see: +### goreleaser -- [Deterministic container hashes and container signing using Cosign, Bazel and Google Cloud Build](https://github.com/salrashid123/cosign_bazel_cloud_build) +The "Releases" section of this git repo uses my public gpg key to sign the artifacts using [goreleaser](https://goreleaser.com/) +the public key is (5D8EA7261718FE5728BA937C97341836616BF511)[https://keyserver.ubuntu.com/pks/lookup?search=5D8EA7261718FE5728BA937C97341836616BF511&fingerprint=on&op=index] + +```bash +# export GPG_FINGERPRINT=5D8EA7261718FE5728BA937C97341836616BF511 # your gpg key will be different +# goreleaser release --snapshot --rm-dist +## for github; gcr does not support artifacts like this afaik +# git tag v1.0.0 +# git push origin --tags +# goreleaser release --rm-dist + +gpg --recv-keys 5D8EA7261718FE5728BA937C97341836616BF511 +$ gpg --verify confidential_space*.spdx.sbom.sig confidential_space*.spdx.sbom +gpg: Signature made Sun 09 Apr 2023 10:42:42 AM EDT +gpg: using RSA key 
CCAA9841EB015FA2FE711C912B8BE9E5D93A1D94 +gpg: Good signature from "Salmaan Rashid " [ultimate] +``` \ No newline at end of file diff --git a/.goreleaser.yml b/app/.goreleaser.yml similarity index 99% rename from .goreleaser.yml rename to app/.goreleaser.yml index 8c6e471..b4b8597 100644 --- a/.goreleaser.yml +++ b/app/.goreleaser.yml @@ -24,7 +24,6 @@ builds: - v1 targets: - linux_amd64_v1 - dir: ./app binary: confidential_space builder: go gobinary: go diff --git a/app/BUILD.bazel b/app/BUILD.bazel index 3070b68..8dca3fa 100644 --- a/app/BUILD.bazel +++ b/app/BUILD.bazel @@ -28,9 +28,15 @@ container_image( files = [ ":main", ":config.json", - "//certs:tls-ca-chain.pem", - "//certs:tee.crt", - "//certs:tee.key", + "//certs:root-ca-operator.crt", + "//certs:tee-operator.crt", + "//certs:tee-operator.key", + "//certs:root-ca-collaborator1.crt", + "//certs:tee-collaborator1.crt", + "//certs:tee-collaborator1.key", + "//certs:root-ca-collaborator2.crt", + "//certs:tee-collaborator2.crt", + "//certs:tee-collaborator2.key", ], ports = ["8081"], repository = "us-central1-docker.pkg.dev/builder-project/repo1/tee", @@ -42,7 +48,7 @@ go_library( "main.go", "claims.go", ], - importpath = "main", + importpath = "github.com/salrashid123/confidential_space/app", visibility = ["//visibility:private"], deps = [ "@org_golang_x_oauth2//google:go_default_library", diff --git a/app/Dockerfile b/app/Dockerfile index e952ab3..8a26b3b 100644 --- a/app/Dockerfile +++ b/app/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.19 as build +FROM golang@sha256:9f2dd04486e84eec72d945b077d568976981d9afed8b4e2aeb08f7ab739292b3 as build WORKDIR /go/src/app COPY . . 
@@ -17,9 +17,17 @@ LABEL "tee.launch_policy.log_redirect"="always" COPY --from=build /go/bin/server / COPY --from=build /go/src/app/config.json /config.json -COPY --from=build /go/src/app/certs/tls-ca-chain.pem /tls-ca-chain.pem -COPY --from=build /go/src/app/certs/tee.crt /tee.crt -COPY --from=build /go/src/app/certs/tee.key /tee.key +COPY --from=build /go/src/app/certs/root-ca-operator.crt /root-ca-operator.crt +COPY --from=build /go/src/app/certs/tee-operator.crt /tee-operator.crt +COPY --from=build /go/src/app/certs/tee-operator.key /tee-operator.key + +COPY --from=build /go/src/app/certs/root-ca-collaborator1.crt /root-ca-collaborator1.crt +COPY --from=build /go/src/app/certs/tee-collaborator1.crt /tee-collaborator1.crt +COPY --from=build /go/src/app/certs/tee-collaborator1.key /tee-collaborator1.key + +COPY --from=build /go/src/app/certs/root-ca-collaborator2.crt /root-ca-collaborator2.crt +COPY --from=build /go/src/app/certs/tee-collaborator2.crt /tee-collaborator2.crt +COPY --from=build /go/src/app/certs/tee-collaborator2.key /tee-collaborator2.key EXPOSE 8081 diff --git a/app/certs/BUILD.bazel b/app/certs/BUILD.bazel index a2578a3..a845d31 100644 --- a/app/certs/BUILD.bazel +++ b/app/certs/BUILD.bazel @@ -1,5 +1,11 @@ exports_files([ - "tls-ca-chain.pem", - "tee.crt", - "tee.key", - ]) \ No newline at end of file + "root-ca-operator.crt", + "tee-operator.crt", + "tee-operator.key", + "root-ca-collaborator1.crt", + "tee-collaborator1.crt", + "tee-collaborator1.key", + "root-ca-collaborator2.crt", + "tee-collaborator2.crt", + "tee-collaborator2.key", + ]) diff --git a/app/certs/root-ca-collaborator1.crt b/app/certs/root-ca-collaborator1.crt new file mode 100644 index 0000000..e6bcaf2 --- /dev/null +++ b/app/certs/root-ca-collaborator1.crt 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 1, OU=Enterprise, CN=Collaborator 1 Root CA + Validity + Not Before: Apr 17 12:02:50 2023 GMT + Not After : Apr 16 12:02:50 2033 GMT + Subject: C=US, O=Collaborator 1, OU=Enterprise, CN=Collaborator 1 Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b3:3b:c1:b5:97:bb:f4:97:03:dd:71:bc:b4:83: + f3:bb:a3:62:e3:f7:b8:ed:3f:e7:ab:28:06:f4:7e: + 55:3e:6a:27:7e:4b:bf:4d:df:c2:d8:87:18:23:36: + 75:3a:0c:31:4f:96:c6:03:a8:f1:78:c8:10:f1:89: + d6:2b:89:d9:4a:0b:ae:41:d9:62:d0:37:61:e2:ef: + db:34:ab:77:82:ae:81:e2:95:cf:cc:ca:ed:e1:0d: + ae:cb:c1:01:7d:a6:af:6c:6f:bf:35:fe:1b:e1:ea: + d3:56:fa:9f:24:7f:7b:42:2a:f8:16:98:31:51:1b: + 0e:d1:f6:62:ad:28:28:ab:ab:a4:1d:20:ba:6a:11: + 13:6b:7e:c5:7d:7a:e0:8c:b4:2f:b9:81:7c:73:bf: + 37:bd:60:6d:88:9b:42:79:a7:36:e9:58:5d:93:21: + 5f:b7:8e:44:85:8b:fa:d0:70:a2:81:45:87:b2:70: + 55:08:d2:d4:dc:8f:2c:89:91:ac:4f:6c:c7:45:28: + 25:3d:67:49:27:ef:36:fc:de:e2:f1:04:15:50:34: + cd:e4:39:f2:87:bb:72:9d:e0:66:e1:e3:7b:6f:e5: + 9a:1b:b5:2b:6b:5b:28:76:c9:7f:e8:f3:9d:a9:80: + 88:55:07:58:ad:b5:13:e6:09:75:44:68:02:75:7b: + 41:1d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 75:0D:12:CC:DB:33:ED:58:06:8C:AD:ED:0E:9E:2F:00:E9:6F:C1:65 + X509v3 Authority Key Identifier: + 75:0D:12:CC:DB:33:ED:58:06:8C:AD:ED:0E:9E:2F:00:E9:6F:C1:65 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Authority Information Access: + OCSP - URI:http://localhost:9999/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 94:dc:12:a7:97:bb:2b:88:30:77:97:22:66:7c:6c:a7:ee:87: + 57:e7:71:9c:4c:3c:5e:09:7c:20:a0:39:43:cc:74:22:b0:80: + 
50:f8:a2:d6:f9:8b:18:96:4b:e8:4e:97:5a:8e:e0:f7:37:b4: + 42:7e:5e:d4:bc:26:0e:b8:7e:80:b2:7d:00:5b:b4:df:75:fb: + d3:5e:cf:ab:25:95:90:75:a7:56:89:74:e5:93:b7:dd:6d:e4: + 39:6d:29:48:99:69:2a:22:40:39:57:ea:f0:c9:c1:ee:56:ab: + 0f:ac:96:a5:eb:db:b8:f6:04:45:78:da:ff:05:9d:d7:52:2a: + d6:60:6b:57:64:8c:ec:a0:76:3c:f2:95:7a:d9:bf:af:8b:2b: + fd:28:05:a1:23:75:e7:bd:a0:ff:fc:35:3a:11:89:bc:72:df: + 58:b6:7a:39:15:74:5b:d6:36:63:72:11:0b:db:e7:fe:4f:cb: + 38:84:fa:37:8b:4c:6b:2d:e9:71:54:fa:cc:1b:34:98:67:d3: + be:4a:92:f7:00:21:f3:db:39:4a:d2:eb:2c:d1:69:62:0c:13: + f3:79:94:f0:23:3f:bd:00:29:13:f7:57:f8:0f:47:b3:13:25: + 20:a7:70:55:8f:c0:1c:37:ea:66:21:ee:a4:f1:a5:e6:3c:1a: + 1e:dd:bc:97 +-----BEGIN CERTIFICATE----- +MIID6zCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDExEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAxIFJvb3QgQ0EwHhcNMjMwNDE3MTIwMjUwWhcN +MzMwNDE2MTIwMjUwWjBcMQswCQYDVQQGEwJVUzEXMBUGA1UECgwOQ29sbGFib3Jh +dG9yIDExEzARBgNVBAsMCkVudGVycHJpc2UxHzAdBgNVBAMMFkNvbGxhYm9yYXRv +ciAxIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzO8G1 +l7v0lwPdcby0g/O7o2Lj97jtP+erKAb0flU+aid+S79N38LYhxgjNnU6DDFPlsYD +qPF4yBDxidYridlKC65B2WLQN2Hi79s0q3eCroHilc/Myu3hDa7LwQF9pq9sb781 +/hvh6tNW+p8kf3tCKvgWmDFRGw7R9mKtKCirq6QdILpqERNrfsV9euCMtC+5gXxz +vze9YG2Im0J5pzbpWF2TIV+3jkSFi/rQcKKBRYeycFUI0tTcjyyJkaxPbMdFKCU9 +Z0kn7zb83uLxBBVQNM3kOfKHu3Kd4Gbh43tv5ZobtStrWyh2yX/o852pgIhVB1it +tRPmCXVEaAJ1e0EdAgMBAAGjgbcwgbQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFHUNEszbM+1YBoyt7Q6eLwDpb8FlMB8GA1UdIwQY +MBaAFHUNEszbM+1YBoyt7Q6eLwDpb8FlMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2Nh +bGhvc3Q6OTk5OS8wDQYJKoZIhvcNAQELBQADggEBAJTcEqeXuyuIMHeXImZ8bKfu +h1fncZxMPF4JfCCgOUPMdCKwgFD4otb5ixiWS+hOl1qO4Pc3tEJ+XtS8Jg64foCy +fQBbtN91+9Nez6sllZB1p1aJdOWTt91t5DltKUiZaSoiQDlX6vDJwe5Wqw+slqXr +27j2BEV42v8FnddSKtZga1dkjOygdjzylXrZv6+LK/0oBaEjdee9oP/8NToRibxy 
+31i2ejkVdFvWNmNyEQvb5/5PyziE+jeLTGst6XFU+swbNJhn075KkvcAIfPbOUrS +6yzRaWIME/N5lPAjP70AKRP3V/gPR7MTJSCncFWPwBw36mYh7qTxpeY8Gh7dvJc= +-----END CERTIFICATE----- diff --git a/app/certs/root-ca-collaborator2.crt b/app/certs/root-ca-collaborator2.crt new file mode 100644 index 0000000..cc1f5f7 --- /dev/null +++ b/app/certs/root-ca-collaborator2.crt 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 2, OU=Enterprise, CN=Collaborator 2 Root CA + Validity + Not Before: Apr 17 12:13:03 2023 GMT + Not After : Apr 16 12:13:03 2033 GMT + Subject: C=US, O=Collaborator 2, OU=Enterprise, CN=Collaborator 2 Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:a8:62:b9:73:8b:c7:2e:d0:fe:1e:52:90:83:94: + fe:70:61:5a:10:18:85:74:27:7c:38:eb:da:ae:31: + d6:2c:7f:7f:63:7f:af:49:a4:c6:8a:04:35:f4:c4: + c4:df:8d:6d:45:22:1c:eb:d2:18:97:a5:4f:9f:5f: + 3e:84:b6:93:ef:8a:b2:8d:1c:37:d3:30:37:68:66: + 51:81:b0:82:d1:be:ce:38:13:20:c5:dc:02:3c:8f: + 6a:f7:5b:5e:8c:16:a5:d9:30:91:21:e1:82:10:c1: + 5b:cf:57:c6:9e:90:30:5e:23:30:e2:18:89:ba:ef: + a6:09:3c:cc:eb:f2:78:1a:d0:f3:a7:ce:4e:08:6e: + f8:43:56:33:c8:c6:1d:40:f0:7a:76:a8:fc:18:1d: + 7b:09:eb:1a:8d:f5:56:6c:65:62:a8:f2:49:07:85: + f9:d9:42:df:a7:cf:f8:f1:ae:a7:ed:50:48:a5:9c: + fc:a0:ee:24:70:c2:f1:ae:f1:a9:af:c0:fa:51:f6: + 10:fe:f6:9b:a3:8a:5d:1a:4d:bb:7a:25:a1:0e:2b: + 0a:d8:ff:68:30:96:0d:5c:6e:39:1b:75:0b:ac:75: + 07:14:e6:7d:c2:6a:ce:d6:6a:c0:5d:62:fd:29:50: + 1a:e6:5a:14:80:80:37:46:7a:e4:f1:79:d1:14:d2: + f5:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B2:77:C7:6F:8E:7D:55:E8:82:B5:F1:AC:98:66:85:0D:DF:56:3F:31 + X509v3 Authority Key Identifier: + B2:77:C7:6F:8E:7D:55:E8:82:B5:F1:AC:98:66:85:0D:DF:56:3F:31 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Authority Information Access: + OCSP - URI:http://localhost:10000/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 9e:73:0b:20:a4:2c:7b:41:be:3a:8b:f2:0d:d8:4f:c2:07:b5: + a3:df:97:d2:a6:93:1a:94:a9:9e:a5:a2:24:bf:be:85:f1:9c: + 
22:3c:63:42:ee:76:21:85:ac:58:fb:88:aa:3f:dd:d8:51:63: + 9d:db:5e:76:07:dc:e3:fe:27:0b:ab:d5:0e:88:64:ec:e5:c7: + e0:d1:59:d5:de:21:31:79:09:d7:91:1e:34:c2:f9:1c:db:1f: + 4b:61:a6:12:e9:ba:12:7c:b4:0d:17:5d:16:83:6f:2a:53:e5: + 58:52:50:da:73:13:d3:cd:5f:26:59:5e:af:5c:9e:83:3f:87: + 40:44:ae:66:b2:99:fc:2e:28:de:3f:47:1c:8c:f4:ad:40:a7: + 4b:65:6b:d8:82:14:4d:17:e9:20:59:21:25:47:90:1b:e0:b6: + e6:3d:b4:e5:cc:be:9c:44:97:be:84:eb:f4:c2:cd:44:8c:2f: + e9:76:9e:bc:67:4a:65:0c:14:27:83:a0:20:e8:71:46:44:80: + 1e:1a:fb:f2:2a:37:fb:30:58:6f:a7:ff:f9:30:2a:e8:fc:b9: + c4:11:b7:82:02:8d:00:51:0f:75:27:6e:01:dd:9e:73:6b:2b: + 6d:3e:82:dd:46:a0:6c:70:8f:9a:a8:61:74:67:6b:5f:96:03: + ea:1e:12:12 +-----BEGIN CERTIFICATE----- +MIID7DCCAtSgAwIBAgIBATANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDIxEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAyIFJvb3QgQ0EwHhcNMjMwNDE3MTIxMzAzWhcN +MzMwNDE2MTIxMzAzWjBcMQswCQYDVQQGEwJVUzEXMBUGA1UECgwOQ29sbGFib3Jh +dG9yIDIxEzARBgNVBAsMCkVudGVycHJpc2UxHzAdBgNVBAMMFkNvbGxhYm9yYXRv +ciAyIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoYrlz +i8cu0P4eUpCDlP5wYVoQGIV0J3w469quMdYsf39jf69JpMaKBDX0xMTfjW1FIhzr +0hiXpU+fXz6EtpPvirKNHDfTMDdoZlGBsILRvs44EyDF3AI8j2r3W16MFqXZMJEh +4YIQwVvPV8aekDBeIzDiGIm676YJPMzr8nga0POnzk4IbvhDVjPIxh1A8Hp2qPwY +HXsJ6xqN9VZsZWKo8kkHhfnZQt+nz/jxrqftUEilnPyg7iRwwvGu8amvwPpR9hD+ +9pujil0aTbt6JaEOKwrY/2gwlg1cbjkbdQusdQcU5n3Cas7WasBdYv0pUBrmWhSA +gDdGeuTxedEU0vX/AgMBAAGjgbgwgbUwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFLJ3x2+OfVXogrXxrJhmhQ3fVj8xMB8GA1UdIwQY +MBaAFLJ3x2+OfVXogrXxrJhmhQ3fVj8xMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9sb2Nh +bGhvc3Q6MTAwMDAvMA0GCSqGSIb3DQEBCwUAA4IBAQCecwsgpCx7Qb46i/IN2E/C +B7Wj35fSppMalKmepaIkv76F8ZwiPGNC7nYhhaxY+4iqP93YUWOd2152B9zj/icL +q9UOiGTs5cfg0VnV3iExeQnXkR40wvkc2x9LYaYS6boSfLQNF10Wg28qU+VYUlDa +cxPTzV8mWV6vXJ6DP4dARK5mspn8LijeP0ccjPStQKdLZWvYghRNF+kgWSElR5Ab 
+4LbmPbTlzL6cRJe+hOv0ws1EjC/pdp68Z0plDBQng6Ag6HFGRIAeGvvyKjf7MFhv +p//5MCro/LnEEbeCAo0AUQ91J24B3Z5zayttPoLdRqBscI+aqGF0Z2tflgPqHhIS +-----END CERTIFICATE----- diff --git a/app/certs/root-ca-operator.crt b/app/certs/root-ca-operator.crt new file mode 100644 index 0000000..8077c91 --- /dev/null +++ b/app/certs/root-ca-operator.crt 
@@ -0,0 +1,83 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Operator, OU=Enterprise, CN=Enterprise Root CA + Validity + Not Before: Apr 15 18:27:20 2023 GMT + Not After : Apr 14 18:27:20 2033 GMT + Subject: C=US, O=Operator, OU=Enterprise, CN=Enterprise Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b8:8f:5a:f7:09:c2:23:81:ec:c4:38:25:5b:6b: + de:32:b7:b8:7d:4a:13:af:02:93:53:80:d9:7d:c8: + f4:60:e3:7f:c3:23:19:88:3d:dc:e2:56:88:73:80: + 29:e6:92:57:45:36:6c:a0:a1:5d:85:93:ef:ce:d4: + a8:d2:bd:6e:8d:79:a1:68:cb:ac:56:55:0d:d1:0e: + b5:e1:8e:8a:c7:e6:c7:8e:aa:09:ce:36:1a:a2:ce: + a6:4a:50:a6:c9:45:32:b8:b6:9f:72:14:1f:c1:87: + 3c:10:2e:db:17:e9:fa:2c:52:c3:44:43:aa:0d:4b: + 1a:75:d7:c4:6a:45:a4:44:a4:c9:e9:49:64:9e:f9: + 0e:af:79:b3:20:e7:5f:81:09:6a:eb:d0:5e:73:de: + d7:68:21:e6:0e:44:ef:b8:58:4e:12:20:b4:13:de: + c5:55:0d:ca:a6:78:e2:3f:0a:a1:9b:ec:2a:08:a4: + b2:08:22:71:55:f4:58:85:fa:de:40:13:fb:fd:99: + 2d:55:61:d9:c9:f5:8e:88:2c:5c:a8:6d:cc:03:b3: + 35:62:0a:e4:69:51:fb:19:63:2a:5b:a2:eb:f8:d1: + 97:b9:f5:f5:05:2d:29:ed:49:72:6c:b9:c5:34:96: + de:2b:e8:2a:6a:ed:44:4e:69:f2:2c:cc:54:d7:c6: + 62:b3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 58:88:29:FD:AA:3A:F0:9F:51:CA:FD:F1:6B:FC:D7:F0:8E:67:CF:80 + X509v3 Authority Key Identifier: + 58:88:29:FD:AA:3A:F0:9F:51:CA:FD:F1:6B:FC:D7:F0:8E:67:CF:80 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 40:44:4f:25:53:59:3c:24:d0:0f:67:f6:8d:a0:00:0b:f0:c3: + f5:12:f6:e8:4c:e7:43:ea:84:3c:f7:ea:ce:d4:2e:2c:62:8f: + ed:01:1f:84:7e:60:28:eb:94:3d:81:ca:1a:60:95:ac:3b:21: + 
c5:f4:a5:a9:44:50:8b:25:95:dc:bf:e7:32:74:18:f2:1a:4f: + 7e:46:82:3f:da:d4:ee:7f:ed:5a:54:52:a1:d4:3d:95:0e:33: + 64:ab:d5:fb:55:f3:6d:b7:43:51:4c:dc:a2:16:9f:de:31:8e: + f7:d1:7a:5b:9c:01:fa:5a:e6:b9:d5:07:a1:da:d3:a2:be:6c: + 73:d1:85:3e:b7:fb:c4:4b:76:f1:79:81:0a:9c:a3:90:21:56: + 86:d1:3b:0f:a0:85:fb:75:e7:ad:93:9f:76:6e:b1:0d:07:14: + 37:69:ca:0a:ad:52:88:9d:f7:2e:21:11:e0:bf:77:ca:43:ed: + f7:52:36:71:89:84:bd:c3:a2:56:bd:59:d0:f4:9d:e9:25:a5: + ee:83:b5:01:14:30:ec:25:34:8f:bd:f8:68:d1:1b:86:eb:c8: + 31:f9:78:7f:d6:a7:9c:96:5a:2a:cb:0a:df:73:ee:f3:5f:4d: + 4b:3b:fa:b5:af:c2:52:3c:20:85:d8:50:1c:71:a9:55:11:fc: + 49:78:9c:b0 +-----BEGIN CERTIFICATE----- +MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzER +MA8GA1UECgwIT3BlcmF0b3IxEzARBgNVBAsMCkVudGVycHJpc2UxGzAZBgNVBAMM +EkVudGVycHJpc2UgUm9vdCBDQTAeFw0yMzA0MTUxODI3MjBaFw0zMzA0MTQxODI3 +MjBaMFIxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhPcGVyYXRvcjETMBEGA1UECwwK +RW50ZXJwcmlzZTEbMBkGA1UEAwwSRW50ZXJwcmlzZSBSb290IENBMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuI9a9wnCI4HsxDglW2veMre4fUoTrwKT +U4DZfcj0YON/wyMZiD3c4laIc4Ap5pJXRTZsoKFdhZPvztSo0r1ujXmhaMusVlUN +0Q614Y6Kx+bHjqoJzjYaos6mSlCmyUUyuLafchQfwYc8EC7bF+n6LFLDREOqDUsa +ddfEakWkRKTJ6UlknvkOr3mzIOdfgQlq69Bec97XaCHmDkTvuFhOEiC0E97FVQ3K +pnjiPwqhm+wqCKSyCCJxVfRYhfreQBP7/ZktVWHZyfWOiCxcqG3MA7M1YgrkaVH7 +GWMqW6Lr+NGXufX1BS0p7UlybLnFNJbeK+gqau1ETmnyLMxU18ZiswIDAQABo4GD +MIGAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY +iCn9qjrwn1HK/fFr/NfwjmfPgDAfBgNVHSMEGDAWgBRYiCn9qjrwn1HK/fFr/Nfw +jmfPgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEL +BQADggEBAEBETyVTWTwk0A9n9o2gAAvww/US9uhM50PqhDz36s7ULixij+0BH4R+ +YCjrlD2Byhpglaw7IcX0palEUIslldy/5zJ0GPIaT35Ggj/a1O5/7VpUUqHUPZUO +M2Sr1ftV8223Q1FM3KIWn94xjvfRelucAfpa5rnVB6Ha06K+bHPRhT63+8RLdvF5 +gQqco5AhVobROw+ghft1562Tn3ZusQ0HFDdpygqtUoid9y4hEeC/d8pD7fdSNnGJ +hL3Dola9WdD0neklpe6DtQEUMOwlNI+9+GjRG4bryDH5eH/Wp5yWWirLCt9z7vNf +TUs7+rWvwlI8IIXYUBxxqVUR/El4nLA= +-----END CERTIFICATE----- 
diff --git a/app/certs/tee-collaborator1.crt b/app/certs/tee-collaborator1.crt new file mode 100644 index 0000000..09b4747 --- /dev/null +++ b/app/certs/tee-collaborator1.crt 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 1, OU=Enterprise, CN=Collaborator 1 Root CA + Validity + Not Before: Apr 17 12:06:56 2023 GMT + Not After : Apr 16 12:06:56 2033 GMT + Subject: C=US, O=Google, OU=Enterprise, CN=tee.collaborator1.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:a0:f0:62:7c:1f:94:be:e5:e4:65:1b:59:da:5a: + e4:10:00:cd:ef:46:58:29:62:fc:fd:70:86:da:86: + b4:b1:5a:8d:b6:a2:fe:6b:a6:de:bc:71:37:af:ac: + 4e:d4:72:5a:e6:f3:5c:74:ac:29:35:74:43:07:49: + a7:24:0a:15:f0:b2:15:d8:33:ce:c6:c6:5c:fe:81: + 99:95:ee:61:8c:80:cf:82:c4:ec:06:cd:74:a0:88: + 6f:a0:f3:1e:1c:40:81:cd:cc:91:de:a7:0a:36:2e: + d5:05:be:80:49:78:26:46:8a:1a:0f:4f:de:5a:32: + 44:80:aa:cf:67:f6:0e:21:ac:22:bd:2b:fc:5e:ad: + b6:d5:38:3f:47:77:90:39:61:91:1a:be:7b:02:f1: + 83:28:c1:53:49:90:2a:44:09:8e:cc:51:d7:2a:eb: + 4a:97:3f:b8:91:14:8e:50:88:67:96:71:26:69:a4: + 86:0f:f2:bb:fc:2d:b2:9e:bd:d5:a3:bf:49:0e:b2: + 31:f2:c3:1f:dd:3d:66:14:03:d9:11:44:d0:1d:90: + a1:d8:de:ee:0d:88:c7:05:8b:53:17:33:6c:b7:4f: + dc:74:03:c8:3b:aa:91:25:1d:47:54:4b:b6:31:f1: + 16:8c:9a:c4:cb:99:8e:40:e8:20:fd:3b:ba:ee:08: + 0d:ad + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: + AD:17:46:80:B0:D2:39:AA:B2:4B:3E:67:8B:88:34:96:E7:BC:45:FB + X509v3 Authority Key Identifier: + 75:0D:12:CC:DB:33:ED:58:06:8C:AD:ED:0E:9E:2F:00:E9:6F:C1:65 + X509v3 CRL Distribution Points: + Full Name: + URI:http://pki.esodemoapp2.com/ca/root-ca.crl + X509v3 Subject Alternative Name: + DNS:tee.collaborator1.com + Authority Information Access: + OCSP - URI:http://localhost:9999/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 
a8:8d:4e:2c:76:78:fb:13:7c:d4:cf:42:43:42:c4:3e:21:9f: + fa:17:a9:93:24:0f:41:77:16:b0:6e:45:a5:d6:dc:a4:31:7c: + 6e:1a:fe:13:46:63:04:81:24:cd:be:08:f9:93:a1:b3:17:12: + 61:de:a1:6d:8a:d6:6e:a1:4c:79:15:e6:68:9c:6d:b1:8f:06: + f4:d1:bb:c2:47:9b:08:35:1f:f0:3e:bf:66:c3:ae:85:de:d6: + c8:3b:bf:b0:e3:c9:8a:a8:23:e5:05:3a:e4:2d:c2:9d:dc:84: + 13:26:2f:94:61:ab:3b:be:66:7d:97:15:ab:74:f5:f0:dc:ad: + f7:0e:49:89:fa:cc:13:3f:b0:5d:ed:1f:31:67:9a:3f:4a:9b: + 58:0c:9e:24:c1:f5:1e:6d:a0:2d:57:92:90:d7:1e:16:1c:e5: + 58:d3:a5:0f:cd:ad:dc:e8:ea:8c:53:d2:2b:2e:ed:c8:17:1d: + a5:3d:d6:77:c4:71:4c:63:d8:07:b7:75:f7:30:59:b8:8f:6a: + fc:13:03:ec:66:07:a4:8a:33:ec:b7:cb:6f:81:b5:4d:bf:f7: + 9d:de:36:ec:0c:b4:a3:aa:e9:f6:e8:15:72:92:79:57:eb:90: + 6e:6d:24:ba:e2:b9:26:da:90:8b:0e:a1:df:64:f4:07:e2:17: + 94:c0:0b:1d +-----BEGIN CERTIFICATE----- +MIIEMjCCAxqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDExEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAxIFJvb3QgQ0EwHhcNMjMwNDE3MTIwNjU2WhcN +MzMwNDE2MTIwNjU2WjBTMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMw +EQYDVQQLDApFbnRlcnByaXNlMR4wHAYDVQQDDBV0ZWUuY29sbGFib3JhdG9yMS5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg8GJ8H5S+5eRlG1na +WuQQAM3vRlgpYvz9cIbahrSxWo22ov5rpt68cTevrE7Uclrm81x0rCk1dEMHSack +ChXwshXYM87Gxlz+gZmV7mGMgM+CxOwGzXSgiG+g8x4cQIHNzJHepwo2LtUFvoBJ +eCZGihoPT95aMkSAqs9n9g4hrCK9K/xerbbVOD9Hd5A5YZEavnsC8YMowVNJkCpE +CY7MUdcq60qXP7iRFI5QiGeWcSZppIYP8rv8LbKevdWjv0kOsjHywx/dPWYUA9kR +RNAdkKHY3u4NiMcFi1MXM2y3T9x0A8g7qpElHUdUS7Yx8RaMmsTLmY5A6CD9O7ru +CA2tAgMBAAGjggEGMIIBAjAOBgNVHQ8BAf8EBAMCB4AwCQYDVR0TBAIwADATBgNV +HSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUrRdGgLDSOaqySz5ni4g0lue8Rfsw +HwYDVR0jBBgwFoAUdQ0SzNsz7VgGjK3tDp4vAOlvwWUwOgYDVR0fBDMwMTAvoC2g +K4YpaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20vY2Evcm9vdC1jYS5jcmwwIAYD +VR0RBBkwF4IVdGVlLmNvbGxhYm9yYXRvcjEuY29tMDIGCCsGAQUFBwEBBCYwJDAi +BggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo5OTk5LzANBgkqhkiG9w0BAQsF 
+AAOCAQEAqI1OLHZ4+xN81M9CQ0LEPiGf+hepkyQPQXcWsG5FpdbcpDF8bhr+E0Zj +BIEkzb4I+ZOhsxcSYd6hbYrWbqFMeRXmaJxtsY8G9NG7wkebCDUf8D6/ZsOuhd7W +yDu/sOPJiqgj5QU65C3CndyEEyYvlGGrO75mfZcVq3T18Nyt9w5JifrMEz+wXe0f +MWeaP0qbWAyeJMH1Hm2gLVeSkNceFhzlWNOlD82t3OjqjFPSKy7tyBcdpT3Wd8Rx +TGPYB7d19zBZuI9q/BMD7GYHpIoz7LfLb4G1Tb/3nd427Ay0o6rp9ugVcpJ5V+uQ +bm0kuuK5JtqQiw6h32T0B+IXlMALHQ== +-----END CERTIFICATE----- diff --git a/app/certs/tee-collaborator1.key b/app/certs/tee-collaborator1.key new file mode 100644 index 0000000..d6c7c44 --- /dev/null +++ b/app/certs/tee-collaborator1.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCg8GJ8H5S+5eRl +G1naWuQQAM3vRlgpYvz9cIbahrSxWo22ov5rpt68cTevrE7Uclrm81x0rCk1dEMH +SackChXwshXYM87Gxlz+gZmV7mGMgM+CxOwGzXSgiG+g8x4cQIHNzJHepwo2LtUF +voBJeCZGihoPT95aMkSAqs9n9g4hrCK9K/xerbbVOD9Hd5A5YZEavnsC8YMowVNJ +kCpECY7MUdcq60qXP7iRFI5QiGeWcSZppIYP8rv8LbKevdWjv0kOsjHywx/dPWYU +A9kRRNAdkKHY3u4NiMcFi1MXM2y3T9x0A8g7qpElHUdUS7Yx8RaMmsTLmY5A6CD9 +O7ruCA2tAgMBAAECggEAAvfvBjKIvqc1+eTmQXjlWIxm4utpJuJGFCZJGtl9xQDG +rUvQiKLiIiMips/d/6LMtMyOs+w369JlQEqGT+MLvLyKt+Etex5lXCwKhOjPtolH +4djI6s+RVt3HjyS1knhgrIykyCU1J0iyCV3ntvM0HeUmCESiOwd9bChRq/NRdFGy +jVTuDFgIUBlP9iOkjH9j+iZSv0oDxd/BFTDEYA4PI9R07ACk/Vup/TYsl12cQMik +mfPSkH28yAl3fASMs4F7C8SxafqwEi67AqBuy/ZQPnWCnKs+2ULxP6E4GgBOobH/ +ADjmD8NbFOrrgtPmbEAWSnHpGzT2GIKLZUtbG6nKoQKBgQDPebgHdMfyZ4NRXFF/ +Tud/VhQ8wIzLvjK2lrMsDDq6CGIFkIKfzQfODEFaeNrrDv3/P4PrNdvWH/Bz8DKP +JfMVXv5zh8DPltXKisqifvgULPhajiA4Egqaj/ev045v3Izchn+zTuIt18pLQyGJ +rw6z90nru723CJziOZexcP9jmQKBgQDGlF2BPqE5Zd+UfdIdSOdcgeRA4f0uzhif +dqdymSwCoQVvIDWD13XfvpsG7XyM6A+6jQO2hz1sDyrOW0oH0BoYlXpQSUuxfSmJ +CSiV7BvAL18VaM8Zwb3At4N77F0PrtRVYbnQIWhZ2VPlHSE0+EE+LgDBpTR98VQa +H1XJbnFHNQKBgQC+jrwQ1RjEMoCxHIqZ1D3ZfZUuy2dFxpZLj5RW85CIxyRImhbv +cOAnRqhL0U64sFdntc2THi+gtksiIU4+ngtq6InqUJgt0grgcaN1pgpydW9RtNIw +zZlBptNGgZeEdFxIO5xUczJYCqd5gtnt3IQzlQAm7JNt5hI50c3aor9emQKBgBO5 +vSgPfphjBDiN3wdFrKXFyVSgnjO+CTgd4zhA+twv/ogxXN+B0ZWuK1wezxZ4Hsfb +JhlFidZoE0p4SvxHsa/reUDsZvZ0hmG0ZTGvSHpoujs4NApM8npoQElZC015gmIQ +2RJRnzn9mpXRtPC8EE8K5sxVisdP55jIsA7YR6xZAoGAAs+s8wkp/1jh+bJ4OuH3 +PiPJHWizRhr670pZvVZZ0WP/tABY8DBNIawGm9AxJ3MJgZ2DQkaiBSEg73xlfAYY +9FJKYbE1QuO43vL6SVBJhcrv1Q9rETyxXFbRRMoA3f0BhhQgSJSbA4y9fzB7JwS7 +rESRPMSW1pcPR41gnqGSzKs= +-----END PRIVATE KEY----- diff --git a/app/certs/tee-collaborator2.crt b/app/certs/tee-collaborator2.crt new file mode 100644 index 0000000..8308bd4 --- /dev/null +++ b/app/certs/tee-collaborator2.crt 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 2, OU=Enterprise, CN=Collaborator 2 Root CA + Validity + Not Before: Apr 17 12:14:06 2023 GMT + Not After : Apr 16 12:14:06 2033 GMT + Subject: C=US, O=Google, OU=Enterprise, CN=tee.collaborator2.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9d:77:9d:68:a2:0f:46:20:64:c0:38:fe:6d:6e: + 11:aa:77:4e:ef:23:2d:5d:6c:71:30:00:ab:cd:0a: + 12:f8:ed:b4:a6:dc:9a:4f:a0:ca:a9:dd:2e:b7:e7: + 5d:61:4b:9c:89:e2:a8:51:a4:45:c2:f8:a3:41:1a: + 28:9e:5b:6e:b1:9c:6e:a0:3d:60:1f:44:15:99:91: + 8c:32:98:5c:a7:ee:af:19:fa:25:10:a5:e1:b2:ae: + 66:1d:67:66:93:3d:26:83:6f:cc:78:68:71:8d:1c: + 0b:55:3b:99:cc:f3:c2:bd:9b:db:8d:93:1e:e7:4b: + 41:53:91:5f:62:68:d0:f1:a3:95:b4:29:3d:39:e4: + 67:28:09:83:d8:d3:08:99:90:a1:3f:d4:bb:04:a5: + b0:fc:63:db:c3:b4:f2:02:72:43:a0:d9:ab:ee:ae: + a7:c4:29:f7:46:bd:2a:40:3d:0a:8b:d8:6d:40:73: + 5a:8e:eb:73:da:22:6f:e1:d2:fe:b8:fa:db:a9:19: + 03:c5:86:8c:3a:ca:75:20:5c:b7:85:39:ac:2a:83: + 40:b8:f3:60:9b:b4:f9:3e:d4:f9:ef:41:93:68:bf: + d1:f2:6b:9a:be:a1:f5:f0:2f:c1:f7:02:b6:b6:45: + e3:33:95:28:ef:75:b9:81:3f:49:be:c6:51:2d:bd: + 2c:fb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: + 31:1B:E7:18:93:C0:31:45:CF:07:9A:89:7B:1D:1E:79:67:55:48:93 + X509v3 Authority Key Identifier: + B2:77:C7:6F:8E:7D:55:E8:82:B5:F1:AC:98:66:85:0D:DF:56:3F:31 + X509v3 CRL Distribution Points: + Full Name: + URI:http://pki.esodemoapp2.com/ca/root-ca.crl + X509v3 Subject Alternative Name: + DNS:tee.collaborator2.com + Authority Information Access: + OCSP - URI:http://localhost:10000/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 
37:33:97:f2:f0:97:a0:6b:5b:5d:9a:b4:f4:67:d4:4e:4c:1c: + 7d:61:7c:00:25:d3:4c:17:9f:03:0d:08:c0:8d:ad:30:62:56: + 10:f5:95:4c:e6:c5:76:57:0b:98:d5:b6:a3:b8:8f:e5:05:e3: + 20:36:f0:7f:df:5f:cb:5a:47:61:13:93:14:45:b4:2a:25:28: + 03:a4:87:dd:10:92:e3:49:4f:9a:72:3b:de:3b:77:fc:82:7f: + f1:1e:2c:99:8d:0c:1d:17:74:e5:10:5b:b9:51:83:87:85:46: + e9:b8:10:1f:06:6d:66:cb:ce:92:9f:8f:1f:c2:af:d3:7f:7e: + 22:12:44:93:e7:68:af:74:5b:e1:ef:4f:89:e7:68:70:31:0c: + 40:97:5d:b8:62:6b:aa:85:e8:43:2b:79:f7:9e:91:98:8a:9f: + ec:d8:d6:11:53:5a:8e:f9:14:93:1f:7b:84:1b:26:ed:e6:33: + 0d:3e:09:07:06:c2:55:d0:21:4e:d0:41:40:89:53:d1:a5:38: + 23:46:45:64:79:84:fb:a9:72:2e:b7:e9:77:e9:6e:61:21:c1: + 4d:7f:e5:d3:12:96:14:84:de:d7:33:4a:28:4e:25:7e:09:8f: + fd:44:59:b4:d3:1a:9d:fd:b5:4f:44:79:80:27:4c:f6:c1:c7: + df:b8:f1:ee +-----BEGIN CERTIFICATE----- +MIIEMzCCAxugAwIBAgIBAjANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDIxEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAyIFJvb3QgQ0EwHhcNMjMwNDE3MTIxNDA2WhcN +MzMwNDE2MTIxNDA2WjBTMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMw +EQYDVQQLDApFbnRlcnByaXNlMR4wHAYDVQQDDBV0ZWUuY29sbGFib3JhdG9yMi5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdd51oog9GIGTAOP5t +bhGqd07vIy1dbHEwAKvNChL47bSm3JpPoMqp3S63511hS5yJ4qhRpEXC+KNBGiie +W26xnG6gPWAfRBWZkYwymFyn7q8Z+iUQpeGyrmYdZ2aTPSaDb8x4aHGNHAtVO5nM +88K9m9uNkx7nS0FTkV9iaNDxo5W0KT055GcoCYPY0wiZkKE/1LsEpbD8Y9vDtPIC +ckOg2avurqfEKfdGvSpAPQqL2G1Ac1qO63PaIm/h0v64+tupGQPFhow6ynUgXLeF +Oawqg0C482CbtPk+1PnvQZNov9Hya5q+ofXwL8H3Ara2ReMzlSjvdbmBP0m+xlEt +vSz7AgMBAAGjggEHMIIBAzAOBgNVHQ8BAf8EBAMCB4AwCQYDVR0TBAIwADATBgNV +HSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUMRvnGJPAMUXPB5qJex0eeWdVSJMw +HwYDVR0jBBgwFoAUsnfHb459VeiCtfGsmGaFDd9WPzEwOgYDVR0fBDMwMTAvoC2g +K4YpaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20vY2Evcm9vdC1jYS5jcmwwIAYD +VR0RBBkwF4IVdGVlLmNvbGxhYm9yYXRvcjIuY29tMDMGCCsGAQUFBwEBBCcwJTAj +BggrBgEFBQcwAYYXaHR0cDovL2xvY2FsaG9zdDoxMDAwMC8wDQYJKoZIhvcNAQEL 
+BQADggEBADczl/Lwl6BrW12atPRn1E5MHH1hfAAl00wXnwMNCMCNrTBiVhD1lUzm +xXZXC5jVtqO4j+UF4yA28H/fX8taR2ETkxRFtColKAOkh90QkuNJT5pyO947d/yC +f/EeLJmNDB0XdOUQW7lRg4eFRum4EB8GbWbLzpKfjx/Cr9N/fiISRJPnaK90W+Hv +T4nnaHAxDECXXbhia6qF6EMrefeekZiKn+zY1hFTWo75FJMfe4QbJu3mMw0+CQcG +wlXQIU7QQUCJU9GlOCNGRWR5hPupci636XfpbmEhwU1/5dMSlhSE3tczSihOJX4J +j/1EWbTTGp39tU9EeYAnTPbBx9+48e4= +-----END CERTIFICATE----- diff --git a/app/certs/tee-collaborator2.key b/app/certs/tee-collaborator2.key new file mode 100644 index 0000000..18c45dd --- /dev/null +++ b/app/certs/tee-collaborator2.key 
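Review bot: in app/certs/tee-collaborator2.crt the Authority Information Access extension points OCSP at `http://localhost:10000/`, and the CRL distribution point is `http://pki.esodemoapp2.com/ca/root-ca.crl`, the same URL that tee-operator.crt carries even though that certificate has a different issuer (`Enterprise Root CA`, AKI `58:88:29:...`) than this one (`Collaborator 2 Root CA`, AKI `B2:77:C7:...`). A CRL is signed by its issuing CA, so one URL cannot be correct for both, and a verifier that honours AIA/CDP would either dial localhost or fetch a CRL it cannot validate. Unless revocation is actually checked in this setup, drop the AIA/CDP extensions from the demo certs; if it is, give each CA its own URLs. Two smaller points: the Subject is `O=Google` while the issuer is `O=Collaborator 2`, which blurs the collaborator/operator separation the README sets up; and the EKU is only `TLS Web Server Authentication`, so if a collaborator ever presents this certificate as a client cert in mTLS, a verifier that enforces EKU will reject it (add `clientAuth` if that use is intended).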
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCdd51oog9GIGTA +OP5tbhGqd07vIy1dbHEwAKvNChL47bSm3JpPoMqp3S63511hS5yJ4qhRpEXC+KNB +GiieW26xnG6gPWAfRBWZkYwymFyn7q8Z+iUQpeGyrmYdZ2aTPSaDb8x4aHGNHAtV +O5nM88K9m9uNkx7nS0FTkV9iaNDxo5W0KT055GcoCYPY0wiZkKE/1LsEpbD8Y9vD +tPICckOg2avurqfEKfdGvSpAPQqL2G1Ac1qO63PaIm/h0v64+tupGQPFhow6ynUg +XLeFOawqg0C482CbtPk+1PnvQZNov9Hya5q+ofXwL8H3Ara2ReMzlSjvdbmBP0m+ +xlEtvSz7AgMBAAECggEAOT3Dr0cGFWBuL4AoYQA7lMOVIpIfihADH0eHLFxmpC3I +10VnJN4W/eOk+X418EnrqCYIONFl+KeotOA89r/W/+KVRlO5TvRRg8codzXyrKsz +5NYNRj1+y5ThEvxFCe4XQ31PD1AsQvb4Wa32TU4pMwLmr1LVT5AIOcglK+FdXxEd +v6FDrlLT3mfoS1WX1Ye9HZeSodI7o7vGzWO1wS75V7myXdf4D/QMlwMWiapJPHN3 +k3rsIUZJ65wUcHv12+oAglWHH1oO94NCDPOzjJWgYtJMPsFNpbBcU0Apx3sTgy83 +yolzfvEx14SUzgKV+kvEPFAwkTQ77mX8s/GJP1fLOQKBgQDH7hDE/FqtLhUrxdMx +hFbgA64IHgqw2CE/FdGmQlp+22sdO863C4BkhMET7iNOVr3G3czLlaVNztGObdg4 +RsIbfyMTIZt6LymIhx0UKpF9oLc20GP+A+PeMslUb9KDB4eLkI4VfEdYQ0GeO1gf +Rt0LVwfvtg889rvSfBCVQCKoIwKBgQDJoPKVGNSjU8vWBDmqkquHVWgqIBoMG3n7 +9ELjVermU+949bLY1wHM4WtY+TgsZTG7POlpYLfiYTIM/nBckfoIw3kn9z5nwJbK +VA9LEH/BvnsumVpjb8idzKgiu16XReQcDAEvZZpo+JHqpUYF0lOOP0+Mx0tBZTXz +YoO7emYJSQKBgEIS6JHhgKo5T5/eyjRUM03niW1/WDMnyp0Jvfa/eR7xrw3DRUbz +UyRlR1Yp3ps2SZPem58wvqffURxMKyg2IlJqCxJ4ieSwj35igPa4NssZAVPpPRKn +AHjfue/g4OaS53X1eS+amg2OdLIxlKcJiWYFBkdvmMuiE2K1w9k/j/SXAoGARhAE +W2TedsamfP7I3wnKSuOVp5WyF2Tw1WlCWObBEjo2a4zNEeZcfMoT2D35lAux5UM8 +RF7UZvipQLSlbLVY8fSixA15BOp6O2JMUiQwkK1U9pNZQlZUmujDwBXlv6EMq+ZL +/yFKL5G4epXlqB425KYBSYTzFI1L2v/vkJTuoekCgYBuEK2cxgdQXWFLqzX2Lyha +M6Gpyc0yoFoxrq1c8uSvJoRZCY3iWsceo5+I5nzl4H6E5w2jIuDAfrSp3m7kseQc +552hT4LvudnAk6N2QizsAfJhXRpawlVjjZ+VF/1wDfm7lIQSiczbaAFieggBllbH +QWacduFld8xJeCXjUxpKew== +-----END PRIVATE KEY----- diff --git a/app/certs/tee-operator.crt b/app/certs/tee-operator.crt new file mode 100644 index 0000000..6775f7c --- /dev/null +++ b/app/certs/tee-operator.crt 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Operator, OU=Enterprise, CN=Enterprise Root CA + Validity + Not Before: Apr 15 19:02:45 2023 GMT + Not After : Apr 14 19:02:45 2033 GMT + Subject: C=US, O=Google, OU=Enterprise, CN=tee.operator.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:84:04:be:a2:7d:3d:42:e3:06:c4:45:c0:3f:bc: + c6:ca:f2:a8:ab:3e:b3:0a:15:de:cf:f9:c1:f6:f9: + 65:c1:bb:77:13:6f:b1:59:b0:84:e3:27:c4:cf:a4: + 8a:3a:68:09:e9:6a:7b:cd:73:02:dd:60:4d:e1:09: + b4:07:d7:31:3b:db:30:e8:be:23:68:20:db:86:3d: + 8a:37:84:28:cf:73:21:d6:4f:db:c5:24:d4:95:5d: + c3:ed:cf:6a:64:ac:18:e6:9e:c9:78:2d:20:6c:b7: + 46:57:85:ac:29:03:4c:b0:6f:01:d4:c5:64:2e:29: + 8e:76:d6:c2:06:4e:90:6f:eb:ce:ce:c9:37:5c:e8: + 0f:2b:55:22:1d:f4:5c:81:bd:ed:db:8f:65:a5:6e: + 41:0f:b3:d8:9f:5c:4f:3b:83:5a:80:40:6b:26:9a: + 91:01:ed:ac:84:e2:59:a5:4c:93:8c:39:e6:c7:e3: + e6:31:b1:46:12:05:eb:77:2a:bc:79:dc:49:e2:df: + ff:58:f8:00:7d:8c:ac:0e:bc:d3:28:aa:57:be:be: + 7b:69:e2:16:7d:a7:25:54:89:23:b6:8b:7a:e4:55: + 36:e4:72:e2:3b:bd:0f:c6:62:c5:24:5e:58:34:1f: + 6a:8c:d5:de:b6:71:fc:97:26:00:46:66:23:ed:f9: + ab:f5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Key Identifier: + 88:BC:1D:5A:E3:B2:1E:3C:3E:47:57:7C:E2:42:1A:6D:FA:7C:40:64 + X509v3 Authority Key Identifier: + 58:88:29:FD:AA:3A:F0:9F:51:CA:FD:F1:6B:FC:D7:F0:8E:67:CF:80 + Authority Information Access: + CA Issuers - URI:http://pki.esodemoapp2.com/ca/root-ca.cer + X509v3 CRL Distribution Points: + Full Name: + URI:http://pki.esodemoapp2.com/ca/root-ca.crl + X509v3 Subject Alternative Name: + DNS:tee.operator.com + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 
0b:c2:99:e1:00:c8:16:df:41:1a:6e:bc:65:78:4a:08:fb:6b: + 34:78:f4:be:af:b7:16:fd:37:62:69:41:24:85:0c:50:90:3a: + ce:f3:32:80:43:65:fe:36:03:d7:76:e7:03:ef:cb:ee:5a:35: + bf:5b:ce:b9:96:e8:43:f4:f0:0a:c8:a3:73:b8:45:eb:83:c1: + 48:d3:25:29:e6:e8:5a:1c:2a:e1:bb:b7:0a:f2:00:a8:f3:04: + d6:b7:61:1f:f2:09:3a:18:9d:d4:f9:03:f2:3c:b3:a5:fc:3c: + a1:74:5a:0f:94:cd:90:53:13:8d:a1:c1:f9:ea:fc:f9:cf:49: + 68:33:82:d6:77:0c:0d:69:0a:f1:07:57:bb:04:29:1e:f1:fc: + d2:7b:7d:06:c7:31:c4:af:b9:36:fe:08:33:0f:5c:ab:80:7a: + 57:c1:d5:e0:e0:6e:a7:aa:e6:50:aa:40:01:a2:25:7a:f2:44: + 82:61:3c:82:fd:28:e9:9c:2a:2e:dd:4c:a4:03:b3:09:91:df: + e0:b9:94:03:67:8e:b6:6c:27:d9:0f:ca:3a:a2:c8:8a:74:13: + 7f:14:7a:a6:f8:44:a8:38:af:ae:8d:f5:7e:c4:af:b1:3c:d6: + 47:34:a3:15:18:84:db:84:e3:aa:e8:d6:a3:28:3c:a9:ed:a5: + 14:1b:c1:aa +-----BEGIN CERTIFICATE----- +MIIEMTCCAxmgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzER +MA8GA1UECgwIT3BlcmF0b3IxEzARBgNVBAsMCkVudGVycHJpc2UxGzAZBgNVBAMM +EkVudGVycHJpc2UgUm9vdCBDQTAeFw0yMzA0MTUxOTAyNDVaFw0zMzA0MTQxOTAy +NDVaME4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZHb29nbGUxEzARBgNVBAsMCkVu +dGVycHJpc2UxGTAXBgNVBAMMEHRlZS5vcGVyYXRvci5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCEBL6ifT1C4wbERcA/vMbK8qirPrMKFd7P+cH2 ++WXBu3cTb7FZsITjJ8TPpIo6aAnpanvNcwLdYE3hCbQH1zE72zDoviNoINuGPYo3 +hCjPcyHWT9vFJNSVXcPtz2pkrBjmnsl4LSBst0ZXhawpA0ywbwHUxWQuKY521sIG +TpBv687OyTdc6A8rVSId9FyBve3bj2WlbkEPs9ifXE87g1qAQGsmmpEB7ayE4lml +TJOMOebH4+YxsUYSBet3Krx53Eni3/9Y+AB9jKwOvNMoqle+vntp4hZ9pyVUiSO2 +i3rkVTbkcuI7vQ/GYsUkXlg0H2qM1d62cfyXJgBGZiPt+av1AgMBAAGjggEUMIIB +EDAOBgNVHQ8BAf8EBAMCB4AwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD +ATAdBgNVHQ4EFgQUiLwdWuOyHjw+R1d84kIabfp8QGQwHwYDVR0jBBgwFoAUWIgp +/ao68J9Ryv3xa/zX8I5nz4AwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzAChilo +dHRwOi8vcGtpLmVzb2RlbW9hcHAyLmNvbS9jYS9yb290LWNhLmNlcjA6BgNVHR8E +MzAxMC+gLaArhilodHRwOi8vcGtpLmVzb2RlbW9hcHAyLmNvbS9jYS9yb290LWNh +LmNybDAbBgNVHREEFDASghB0ZWUub3BlcmF0b3IuY29tMA0GCSqGSIb3DQEBCwUA 
+A4IBAQALwpnhAMgW30EabrxleEoI+2s0ePS+r7cW/TdiaUEkhQxQkDrO8zKAQ2X+ +NgPXducD78vuWjW/W865luhD9PAKyKNzuEXrg8FI0yUp5uhaHCrhu7cK8gCo8wTW +t2Ef8gk6GJ3U+QPyPLOl/DyhdFoPlM2QUxONocH56vz5z0loM4LWdwwNaQrxB1e7 +BCke8fzSe30GxzHEr7k2/ggzD1yrgHpXwdXg4G6nquZQqkABoiV68kSCYTyC/Sjp +nCou3UykA7MJkd/guZQDZ462bCfZD8o6osiKdBN/FHqm+ESoOK+ujfV+xK+xPNZH +NKMVGITbhOOq6NajKDyp7aUUG8Gq +-----END CERTIFICATE----- diff --git a/app/certs/tee-operator.key b/app/certs/tee-operator.key new file mode 100644 index 0000000..6eaec37 --- /dev/null +++ b/app/certs/tee-operator.key 
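Review bot: app/certs/tee-operator.crt is a leaf certificate issued directly by `Enterprise Root CA` with a ten-year validity (Apr 15 2023 to Apr 14 2033), replacing the removed tee.crt, which was issued by `Enterprise Subordinate CA` and valid for a little over two years. Issuing leaf certs straight from the root for a decade is fine for a throwaway demo, but it drops the two things the previous chain modelled: a root that stays offline behind a subordinate, and a rotation window short enough to matter. Either keep the subordinate-CA layout or say in the README that the flat, long-lived chain is a simplification. As with tee-collaborator2.crt, the Subject reads `O=Google` while the issuer is `O=Operator`, and the AIA (`root-ca.cer`) and CDP (`root-ca.crl`) URLs on pki.esodemoapp2.com are shared with the other issuers, which can be right for at most one of them.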
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCEBL6ifT1C4wbE +RcA/vMbK8qirPrMKFd7P+cH2+WXBu3cTb7FZsITjJ8TPpIo6aAnpanvNcwLdYE3h +CbQH1zE72zDoviNoINuGPYo3hCjPcyHWT9vFJNSVXcPtz2pkrBjmnsl4LSBst0ZX +hawpA0ywbwHUxWQuKY521sIGTpBv687OyTdc6A8rVSId9FyBve3bj2WlbkEPs9if +XE87g1qAQGsmmpEB7ayE4lmlTJOMOebH4+YxsUYSBet3Krx53Eni3/9Y+AB9jKwO +vNMoqle+vntp4hZ9pyVUiSO2i3rkVTbkcuI7vQ/GYsUkXlg0H2qM1d62cfyXJgBG +ZiPt+av1AgMBAAECggEAFOSaVeVboV8EBmJijUO/M0Wpd2Z2F8HD0Ca+8WrhVYJp +UyhhSSg0M63qyhDIdntaHDhnrOlHegkAcj2iof4GsuoayK60tElE7K8HFYejHMek +AoKDbaUJRrU+6X8in5mT3EWjbVM49zOfHIFRcHEu/RooUEfH9b1KaFjO/ogG+Es/ +cCZWNRNdM+HotquXKknLUMCdYSnGuIZFbxc6Q60UhUvQ8ex4sTyl+jQ4dQfKOcVG +M2L6OeS7h3sG0TrYCrUMdmWyKj0qgWJU1K6nRzwD1G4dmk4bH7bjvlSyMueTs4V0 +Emyzb6JRJ6LmikE9rudr/Slixb/fyBf1/3XYb4jRqQKBgQC2wlaG6HTT1c/U7h28 +0hOuu/SOmnT7ggbrDLtqE2uL05xh+keze4ETcqB1alEKOpw+/NxFukdl5Yce7aC9 +omSHbdeaRtZS4lxfAybXOxdb3xXdX5NmT1HHqBEir9+obIUs2oET8VsZlCxzwn5p +YaBmg9rcOkD2XUZLuJaj3nduyQKBgQC47NEdjarqJcBTwbES0gSOmYgXJ6BM8c5f +rUgSpH14Kl70wtIZs67x9/8fH2Znrmv6AZxPnb2AbOcZfaHIWpwITCR2nyPpfAsh +TS4I9o636XV8pAY/PRZI6qB1MQHQKGSjMkNC42UoOO/QeXhqk42pSCoZZ9S/j6IV +VfCHJCfNzQKBgEQtOxoYnXxoxp8oNO+7bpxAgXqxI/KvDuWgWkm39Oa0iiICu7y4 +1e3rVPB4OMMYGjFlIsbgNsJMXZusCcq0Scw7rbJfupQw3USUaGjiIlSjZASxIsuH +y3ovuDS4ZzbtRMD2wjAuWU2xeOO2KnIleTDE/2AoWxOMuCyHL6rx0pwBAoGBALQc +e8RUEg7CPCOXuHbDNQsKwIEE6F1o+n83j8YQjd/3LMsp4WaFGrSzvbk7ZQtA2AwF +e5AT69lkuGWcdnFkxypRtwYOE/U6CsEhod+6/OBlszd1rlvzjHvygdwComhynypQ +LzC7t+/IHNMpLD5pfoVNMyvRdGYraEtti7qkXVxVAoGAXCGR+RHppevT1mDc09k5 +jVakyJK2McbgLgMTnBDRl+NudbPq8zo4SyRTlIeD7f/wY5UDQnFgm5YrgtkmOJA0 +3D8J7Xu3QHYqvNIhG2Iabkw/qzfs1XhLHHBtKXwJILDI7r/8y2Y7MUOwU0MkfuFV +MCf6tdw1pUkN6qNMN+JcR1U= +-----END PRIVATE KEY----- diff --git a/app/certs/tee.crt b/app/certs/tee.crt deleted file mode 100644 index 8b7fd7b..0000000 --- a/app/certs/tee.crt +++ /dev/null 
@@ -1,93 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 53 (0x35) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Subordinate CA - Validity - Not Before: Mar 26 20:52:30 2023 GMT - Not After : Jul 3 20:52:30 2025 GMT - Subject: C=US, O=Google, OU=Enterprise, CN=tee.operatordomain.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:b0:c8:9c:d1:19:3a:ed:9d:86:cb:82:06:49:70: - f2:d8:ea:5f:f5:3e:f0:b1:ee:8b:e1:b7:67:fd:f8: - 3f:1b:ba:41:12:8c:0a:eb:f2:27:6e:7d:cf:0a:5a: - 76:3c:dd:a7:67:f8:cb:9c:62:78:d2:43:97:db:50: - ab:0a:4a:a5:b7:d4:ee:4d:20:63:dd:a4:98:58:24: - 55:5a:a4:da:1c:f9:73:9f:39:d1:fb:e9:35:3f:cb: - 97:9a:d4:9d:9a:1f:f0:d5:d0:1c:cd:aa:c8:b2:2e: - d0:ee:e2:ae:cc:8b:de:c4:05:02:81:0e:6c:c6:40: - f8:ec:40:cf:27:60:44:76:b7:74:07:3d:fc:70:f8: - 58:ec:ce:49:3d:7d:12:ce:68:eb:aa:eb:b9:ac:95: - 3a:8c:92:3a:53:2a:3c:1b:ce:56:57:90:a8:cb:47: - 51:1a:a2:a9:a5:3a:4d:da:74:7d:e2:50:c2:d8:0e: - dd:ab:87:13:bd:3c:89:1e:e3:af:da:5c:74:cf:30: - 47:62:62:9a:be:92:10:00:e6:1f:9e:ae:ad:aa:d0: - df:8b:f0:14:29:28:32:43:7a:cb:6e:1d:05:65:b2: - b5:c4:26:85:77:98:c8:18:8d:9c:28:6b:0f:b3:e5: - 23:e0:85:51:2f:3d:80:15:45:48:bf:ce:0b:42:e3: - 3e:8b - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Digital Signature - X509v3 Basic Constraints: - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Server Authentication - X509v3 Subject Key Identifier: - 0F:FB:C6:13:F0:36:5F:76:1F:A7:FB:F0:0E:06:15:77:0E:C4:F4:73 - X509v3 Authority Key Identifier: - B7:BA:B0:02:A1:E7:BE:34:C6:C1:05:5C:66:78:E5:BB:53:5D:A1:54 - Authority Information Access: - CA Issuers - URI:http://pki.esodemoapp2.com/ca/tls-ca.cer - X509v3 CRL Distribution Points: - Full Name: - URI:http://pki.esodemoapp2.com/ca/tls-ca.crl - X509v3 Subject Alternative Name: - DNS:tee.operatordomain.com - Signature Algorithm: sha256WithRSAEncryption - Signature Value: - 
a6:aa:a5:a5:b8:5e:97:58:06:b1:49:8b:5b:b9:ca:ba:27:c5: - 75:d5:e2:fe:6a:3d:34:59:a0:77:57:90:02:97:b0:0a:e6:5b: - 88:6f:07:66:3e:ca:71:90:a4:c6:01:3b:53:52:9a:f8:1b:c7: - a1:c6:ec:fe:b3:57:9c:9c:c0:54:1a:17:69:15:42:06:cf:62: - 6e:d7:5c:39:93:cb:b6:e2:b1:15:df:13:2a:08:6c:f9:1a:4a: - 46:3a:32:4e:6c:99:49:c4:28:01:b9:23:ad:34:a5:24:f3:ec: - be:af:7c:3c:7e:20:f1:b0:ae:5c:43:3f:d8:d0:07:e7:25:43: - 5e:8d:33:bd:e3:e8:07:e4:05:e6:05:ea:2a:75:ba:1b:53:3f: - 29:97:b7:18:13:21:e8:c8:7c:b3:cb:2b:64:1b:6e:ef:79:fe: - 48:2d:4a:ef:0c:ce:a8:e7:27:9d:56:9d:47:38:e2:c5:f9:97: - 42:5d:97:a6:11:5f:41:a7:e8:1b:9a:5d:ce:b1:e1:0e:d5:57: - 4e:cd:b4:5b:86:09:9f:27:5c:fa:5d:f8:b5:e7:d8:8a:55:d8: - 04:33:8f:31:98:5c:79:33:fa:ec:79:b2:b0:89:b2:fc:74:c8: - 63:c8:68:ed:08:d1:ff:f8:18:0a:d6:58:15:c6:29:a0:ec:15: - 85:c8:0f:1f ------BEGIN CERTIFICATE----- -MIIEQDCCAyigAwIBAgIBNTANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEP -MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlF -bnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIzMDMyNjIwNTIzMFoXDTI1MDcw -MzIwNTIzMFowVDELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UE -CwwKRW50ZXJwcmlzZTEfMB0GA1UEAwwWdGVlLm9wZXJhdG9yZG9tYWluLmNvbTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDInNEZOu2dhsuCBklw8tjq -X/U+8LHui+G3Z/34Pxu6QRKMCuvyJ259zwpadjzdp2f4y5xieNJDl9tQqwpKpbfU -7k0gY92kmFgkVVqk2hz5c5850fvpNT/Ll5rUnZof8NXQHM2qyLIu0O7irsyL3sQF -AoEObMZA+OxAzydgRHa3dAc9/HD4WOzOST19Es5o66rruayVOoySOlMqPBvOVleQ -qMtHURqiqaU6Tdp0feJQwtgO3auHE708iR7jr9pcdM8wR2Jimr6SEADmH56urarQ -34vwFCkoMkN6y24dBWWytcQmhXeYyBiNnChrD7PlI+CFUS89gBVFSL/OC0LjPosC -AwEAAaOCARgwggEUMA4GA1UdDwEB/wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQM -MAoGCCsGAQUFBwMBMB0GA1UdDgQWBBQP+8YT8DZfdh+n+/AOBhV3DsT0czAfBgNV -HSMEGDAWgBS3urACoee+NMbBBVxmeOW7U12hVDBEBggrBgEFBQcBAQQ4MDYwNAYI -KwYBBQUHMAKGKGh0dHA6Ly9wa2kuZXNvZGVtb2FwcDIuY29tL2NhL3Rscy1jYS5j -ZXIwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20v -Y2EvdGxzLWNhLmNybDAhBgNVHREEGjAYghZ0ZWUub3BlcmF0b3Jkb21haW4uY29t 
-MA0GCSqGSIb3DQEBCwUAA4IBAQCmqqWluF6XWAaxSYtbucq6J8V11eL+aj00WaB3 -V5ACl7AK5luIbwdmPspxkKTGATtTUpr4G8ehxuz+s1ecnMBUGhdpFUIGz2Ju11w5 -k8u24rEV3xMqCGz5GkpGOjJObJlJxCgBuSOtNKUk8+y+r3w8fiDxsK5cQz/Y0Afn -JUNejTO94+gH5AXmBeoqdbobUz8pl7cYEyHoyHyzyytkG27vef5ILUrvDM6o5yed -Vp1HOOLF+ZdCXZemEV9Bp+gbml3OseEO1VdOzbRbhgmfJ1z6Xfi159iKVdgEM48x -mFx5M/rsebKwibL8dMhjyGjtCNH/+BgK1lgVximg7BWFyA8f ------END CERTIFICATE----- diff --git a/app/certs/tee.key b/app/certs/tee.key deleted file mode 100644 index 3f3c22a..0000000 --- a/app/certs/tee.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwyJzRGTrtnYbL -ggZJcPLY6l/1PvCx7ovht2f9+D8bukESjArr8idufc8KWnY83adn+MucYnjSQ5fb -UKsKSqW31O5NIGPdpJhYJFVapNoc+XOfOdH76TU/y5ea1J2aH/DV0BzNqsiyLtDu -4q7Mi97EBQKBDmzGQPjsQM8nYER2t3QHPfxw+Fjszkk9fRLOaOuq67mslTqMkjpT -KjwbzlZXkKjLR1EaoqmlOk3adH3iUMLYDt2rhxO9PIke46/aXHTPMEdiYpq+khAA -5h+erq2q0N+L8BQpKDJDestuHQVlsrXEJoV3mMgYjZwoaw+z5SPghVEvPYAVRUi/ -zgtC4z6LAgMBAAECggEAB9NJhcP9JMmFTvrZdmTGiy2Mw9leZDHwBTTOKKLVgE+1 -U7HZRep5Ll3pTUcF1tnk8ChGMwz01jHhxfaDK7h0L3gAeG+HnCcOC1DIanPDp+au -5Ix1rBX9om5LrrHcrBbf3UcSD1SQ/7osy3ZDUJCccsbZ/oZ58CiuHB8eTFrpjOus -851+2Tus5VcNMaearSxOGKYz4qsRrLpUXz05ln+f4xRtwYo6VnZocktR8p9H4qhz -lcHvieEnKGvhyxSkSicEe8o2s4S9Ovgog3aQGf8pS+94UC6Kh1t0JpPX8aFUAISV -GOvvumR8hZ5mWiia61ierhy0O8nSIpmL4G6u5AZ9KQKBgQD1VYCepeD29Q+tdQyM -COCKEKogIiKA8+Yd1cUmOD+T/zWCpWhUctqAoSlVNN/701M2fgf6mbASf+otaY/T -eOicbCs8l5SovRPJ3O9Fa8W53/sbGVjZqCyFopk99697RjVC0qDcsAl/fzZvITfT -Rj6p3AApmwGlgkLzNLse0YsPdwKBgQC4eCoLODRncAcZYdPzKBrBtLQYXGNXC02A -3Ol4Cs7hKzwZ4nP0vZnW4rrpHuW8v0Zq42EMNVd8pOsXlgzg/NNb47VQLT9c5ZLK -5SB0UHLxOYPxIWr0cijPqLxEWoSxOrTQFg1/+yoS2SYdLtN7ncjj2PsyTTEBoT6m -6EzIuqSWjQKBgQDnAvcU7F+US5fSnogNCILenuiDT4Er6f4Ck/uLjKWZZ1PszHIc -KvZC7v5rpFlQ2GHfyvcaa0NXeCl7T45F8/Ec8eIYsScjaL9McoS/2saZyyW5E7oN -YgViZIRlzGfp7WdTn+AnTn/zFUedhyr4/4kcCvQAOVxoi+sc9cdJMsj96wKBgQCN -tIFXrQ1UiFJrxSK0H5KuSsouDIqjSyN2Yj1W4baackPw/mxlDWEoGXPLsNh6bdUC -NzlNz4wtS+Lsc2/hRVZ3uCyIMroB+rkQ84JC16n0dGJO0YT/0tJW8x/swjw8iQRs -9QPZ1G81m2oT8Oy0gTjZDs2ojnOe9ObUAI87g2T74QKBgG5ifvIzH/5FV+U7A50N -SUGaRBv7E3s9ay1ye0N/cKe7hSrugvAwgrv6Y0IUYidb3ktvk8X6e9Q4MUgR6vHy -2Jg+wTcpLbRsQIpMYV2O6ofvLYF3qrL6Z3xKEg+KdikuJJ+NrfyAQwCn5taQvfYL -2Nh7hBK2U8/Fv66L7FgFW8Ie ------END PRIVATE KEY----- diff --git a/app/certs/tls-ca-chain.pem b/app/certs/tls-ca-chain.pem deleted file mode 100644 index fca78dc..0000000 --- a/app/certs/tls-ca-chain.pem +++ /dev/null 
@@ -1,171 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA - Validity - Not Before: Jan 9 22:05:43 2022 GMT - Not After : Jan 9 22:05:43 2032 GMT - Subject: C=US, O=Google, OU=Enterprise, CN=Enterprise Subordinate CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:cd:01:12:b9:8a:c9:e5:4b:d5:cc:d9:7a:2b:d1: - cb:db:02:23:2a:98:b5:66:65:0d:36:50:e8:9f:02: - 06:ff:c3:aa:a6:9b:fc:2e:5e:79:b8:ae:4b:b1:09: - cf:10:f8:e2:bb:a7:71:78:ee:cb:1f:f6:0c:64:32: - 19:31:84:a7:eb:6e:90:29:2e:9c:05:0e:bb:59:61: - e9:db:1b:db:e3:35:c8:a6:39:f0:2e:de:85:5f:ef: - a9:b3:cc:99:37:03:e7:4f:ac:a4:cd:45:1d:4e:0b: - c3:3c:7c:e2:b1:ca:af:f2:20:62:34:9b:f4:ce:c9: - 93:f6:cc:99:35:f5:f2:14:c3:10:54:fb:c8:94:4e: - e1:07:8e:71:8c:61:a7:27:9c:c7:49:6a:c8:5f:3d: - 22:93:82:61:ec:80:51:84:ce:0b:33:b9:22:ee:e5: - 4f:ab:ad:7d:e5:c0:7a:dc:bf:47:1f:04:73:7e:96: - 86:6e:eb:29:b4:4c:a6:45:b9:e3:4d:81:2b:bb:fc: - 48:1c:7e:f5:25:19:41:24:a2:3a:b3:97:f1:d6:26: - 80:cc:e1:f0:e3:e6:d0:3a:cb:df:73:79:6b:e6:7b: - 32:0c:e3:ee:92:f9:de:de:b2:d2:50:f9:20:49:82: - ed:94:4b:cf:7b:0a:77:e7:01:e2:5e:50:ec:12:03: - 2c:ef - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:0 - X509v3 Subject Key Identifier: - B7:BA:B0:02:A1:E7:BE:34:C6:C1:05:5C:66:78:E5:BB:53:5D:A1:54 - X509v3 Authority Key Identifier: - keyid:7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92 - - Authority Information Access: - CA Issuers - URI:http://pki.esodemoapp2.com/ca/root-ca.cer - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://pki.esodemoapp2.com/ca/root-ca.crl - - Signature Algorithm: sha256WithRSAEncryption - c2:ae:b0:30:75:e4:50:32:8b:ee:d3:4c:2c:f0:8d:eb:79:42: - 
0c:11:db:6c:17:02:d1:4a:1b:b4:82:05:61:18:73:07:d6:f1: - 83:a5:d4:49:a1:a4:a9:08:67:42:70:fb:f5:20:0d:01:90:be: - bd:eb:d7:5f:d4:60:d4:c5:03:96:6e:22:da:8f:24:39:4b:a7: - d5:16:06:7f:c8:86:e7:dd:2c:cc:c3:b0:ee:6e:28:36:8b:dc: - 49:a3:d9:5a:3e:98:e3:8c:cf:e0:17:a6:c1:4b:17:61:a0:b5: - 0a:2c:57:f4:7b:cd:85:0a:e0:0f:5e:c9:1e:89:6e:c1:73:55: - c1:de:e8:b8:c6:03:cd:57:3d:d3:1e:ef:0c:6b:dc:ff:7d:32: - 51:a2:1a:c2:f2:dd:42:fe:96:9b:ed:34:29:71:04:7a:5e:44: - 6b:5f:94:9b:fc:c3:3a:4e:71:5e:c3:bb:03:e5:cb:85:4f:ba: - 3f:0e:f6:d6:4f:8d:bf:50:fd:a7:b8:d8:b9:f7:54:c8:19:80: - c9:04:22:81:aa:77:74:00:7e:91:cf:e5:53:c9:e4:54:56:9e: - 23:db:51:31:b7:32:f4:24:a9:8d:d5:2f:9d:98:fe:56:e8:fd: - 44:57:ec:ed:12:59:4a:11:5d:cd:fd:ee:ab:eb:9e:70:94:31: - bf:d3:2e:c6 ------BEGIN CERTIFICATE----- -MIIEDTCCAvWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEP -MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMRswGQYDVQQDDBJF -bnRlcnByaXNlIFJvb3QgQ0EwHhcNMjIwMTA5MjIwNTQzWhcNMzIwMTA5MjIwNTQz -WjBXMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRl -cnByaXNlMSIwIAYDVQQDDBlFbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQESuYrJ5UvVzNl6K9HL2wIjKpi1 -ZmUNNlDonwIG/8Oqppv8Ll55uK5LsQnPEPjiu6dxeO7LH/YMZDIZMYSn626QKS6c -BQ67WWHp2xvb4zXIpjnwLt6FX++ps8yZNwPnT6ykzUUdTgvDPHziscqv8iBiNJv0 -zsmT9syZNfXyFMMQVPvIlE7hB45xjGGnJ5zHSWrIXz0ik4Jh7IBRhM4LM7ki7uVP -q6195cB63L9HHwRzfpaGbusptEymRbnjTYEru/xIHH71JRlBJKI6s5fx1iaAzOHw -4+bQOsvfc3lr5nsyDOPukvne3rLSUPkgSYLtlEvPewp35wHiXlDsEgMs7wIDAQAB -o4HqMIHnMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud -DgQWBBS3urACoee+NMbBBVxmeOW7U12hVDAfBgNVHSMEGDAWgBR8HFvoPrMzCZaS -Mth/RL/MjJOckjBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAKGKWh0dHA6Ly9w -a2kuZXNvZGVtb2FwcDIuY29tL2NhL3Jvb3QtY2EuY2VyMDoGA1UdHwQzMDEwL6At -oCuGKWh0dHA6Ly9wa2kuZXNvZGVtb2FwcDIuY29tL2NhL3Jvb3QtY2EuY3JsMA0G -CSqGSIb3DQEBCwUAA4IBAQDCrrAwdeRQMovu00ws8I3reUIMEdtsFwLRShu0ggVh -GHMH1vGDpdRJoaSpCGdCcPv1IA0BkL6969df1GDUxQOWbiLajyQ5S6fVFgZ/yIbn 
-3SzMw7Dubig2i9xJo9laPpjjjM/gF6bBSxdhoLUKLFf0e82FCuAPXskeiW7Bc1XB -3ui4xgPNVz3THu8Ma9z/fTJRohrC8t1C/pab7TQpcQR6XkRrX5Sb/MM6TnFew7sD -5cuFT7o/DvbWT42/UP2nuNi591TIGYDJBCKBqnd0AH6Rz+VTyeRUVp4j21ExtzL0 -JKmN1S+dmP5W6P1EV+ztEllKEV3N/e6r655wlDG/0y7G ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA - Validity - Not Before: Jan 9 22:05:07 2022 GMT - Not After : Jan 9 22:05:07 2032 GMT - Subject: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:de:ee:86:98:a4:6c:92:71:85:aa:76:16:13:85: - bb:d7:49:37:e5:11:03:49:73:a6:31:c6:d0:fb:27: - ca:70:ec:c2:d0:db:88:d7:3a:97:20:49:fd:7b:4a: - 76:72:d0:c9:16:31:07:14:86:3b:99:67:6f:88:70: - fc:a7:a4:60:81:af:35:68:88:14:75:d3:cf:66:8a: - 28:55:ac:63:98:56:91:2c:55:59:0e:ed:fe:37:2a: - 6f:79:11:08:ca:41:c4:78:d1:d6:83:c1:35:7c:a0: - f4:72:db:5f:16:4f:f7:04:30:26:4b:58:99:cd:52: - 7d:0a:91:e1:29:3d:11:3d:2f:11:1f:6b:0f:e7:95: - 63:ef:e0:4d:c7:d6:b9:15:3a:3c:6b:51:36:eb:df: - 55:e2:a2:e0:e2:24:a9:3e:30:3f:76:15:a8:1a:13: - e1:e3:b2:b5:ae:e6:59:62:a4:2b:64:74:df:82:e5: - a3:ac:c9:6f:c6:39:28:ec:93:57:be:17:c5:71:14: - 85:d8:ae:1c:f7:29:94:10:6d:ad:fe:fb:ea:33:5e: - 6e:e5:f3:8c:73:1c:50:5e:0f:57:55:c7:43:73:cc: - 2a:56:91:35:2b:c1:c8:6e:a6:8e:c9:4b:7b:75:68: - 87:17:3a:7a:ed:6d:54:f6:76:3c:ad:03:e0:e3:b5: - 78:fd - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - 7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92 - X509v3 Authority Key Identifier: - keyid:7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92 - - Signature Algorithm: sha256WithRSAEncryption - c4:50:d2:b2:ec:3b:c9:1b:16:42:f0:a1:c5:97:26:ce:11:e4: - 
d3:4e:b3:32:36:f5:9b:15:4f:3d:80:b8:07:20:89:26:43:e5: - b7:9b:b7:37:be:a5:7c:5a:92:2e:36:b1:73:a2:35:b7:2e:d1: - a3:55:8c:7d:99:19:43:08:8d:3a:88:78:7e:01:e3:ce:19:5d: - 7c:af:b2:4d:0b:93:08:f3:d4:b3:75:f5:d3:b5:18:9a:b0:cb: - 55:2f:b3:27:6c:38:b1:a1:75:b5:6d:c2:53:c5:91:9e:09:c7: - b3:81:fe:2c:a8:09:0a:ec:dd:ed:d6:10:78:64:ce:c9:bd:25: - ae:de:d8:86:68:d0:0f:ee:db:73:b6:c0:bc:7a:e4:a5:fa:30: - b3:6c:7a:3f:e3:87:20:5c:d0:8e:78:fa:ec:ec:85:81:03:a6: - 58:c4:c8:4d:ee:cc:03:22:68:ed:a4:bb:77:a9:56:c7:9c:33: - 6a:30:c7:50:75:eb:67:3b:40:52:01:d4:67:b5:19:cd:42:d0: - ea:f5:c3:fd:e7:a1:3a:6d:2b:22:6b:2f:61:85:9b:8e:50:8e: - 34:b9:4e:00:5d:d2:89:96:47:b3:d7:ac:eb:9a:fa:76:07:34: - 61:51:a0:2f:20:69:5e:f6:dd:06:2b:1e:c8:82:7f:ce:f0:ba: - 5c:12:ff:f2 ------BEGIN CERTIFICATE----- -MIIDfjCCAmagAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEP -MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMRswGQYDVQQDDBJF -bnRlcnByaXNlIFJvb3QgQ0EwHhcNMjIwMTA5MjIwNTA3WhcNMzIwMTA5MjIwNTA3 -WjBQMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRl -cnByaXNlMRswGQYDVQQDDBJFbnRlcnByaXNlIFJvb3QgQ0EwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDe7oaYpGyScYWqdhYThbvXSTflEQNJc6YxxtD7 -J8pw7MLQ24jXOpcgSf17SnZy0MkWMQcUhjuZZ2+IcPynpGCBrzVoiBR1089miihV -rGOYVpEsVVkO7f43Km95EQjKQcR40daDwTV8oPRy218WT/cEMCZLWJnNUn0KkeEp -PRE9LxEfaw/nlWPv4E3H1rkVOjxrUTbr31XiouDiJKk+MD92FagaE+HjsrWu5lli -pCtkdN+C5aOsyW/GOSjsk1e+F8VxFIXYrhz3KZQQba3+++ozXm7l84xzHFBeD1dV -x0NzzCpWkTUrwchupo7JS3t1aIcXOnrtbVT2djytA+DjtXj9AgMBAAGjYzBhMA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR8HFvoPrMz -CZaSMth/RL/MjJOckjAfBgNVHSMEGDAWgBR8HFvoPrMzCZaSMth/RL/MjJOckjAN -BgkqhkiG9w0BAQsFAAOCAQEAxFDSsuw7yRsWQvChxZcmzhHk006zMjb1mxVPPYC4 -ByCJJkPlt5u3N76lfFqSLjaxc6I1ty7Ro1WMfZkZQwiNOoh4fgHjzhldfK+yTQuT -CPPUs3X107UYmrDLVS+zJ2w4saF1tW3CU8WRngnHs4H+LKgJCuzd7dYQeGTOyb0l -rt7YhmjQD+7bc7bAvHrkpfows2x6P+OHIFzQjnj67OyFgQOmWMTITe7MAyJo7aS7 -d6lWx5wzajDHUHXrZztAUgHUZ7UZzULQ6vXD/eehOm0rImsvYYWbjlCONLlOAF3S 
-iZZHs9es65r6dgc0YVGgLyBpXvbdBiseyIJ/zvC6XBL/8g== ------END CERTIFICATE----- diff --git a/app/cloudbuild.yaml b/app/cloudbuild.yaml deleted file mode 100644 index b254846..0000000 --- a/app/cloudbuild.yaml +++ /dev/null 
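Review bot: deleting app/certs/tls-ca-chain.pem removes the only CA material under app/certs that this patch shows, while the new leaf certificates are now issued by at least two different roots (`Collaborator 2 Root CA` and the operator's `Enterprise Root CA`, per the visible certificate text; the collaborator 1 issuer is not shown here). Nothing in this diff adds those roots, so a peer verifying any of the new certs has nothing to chain to unless the roots are provided elsewhere. If they live outside app/certs, reference them in the README; if not, add them, preferably one trust bundle per relying party so that each collaborator trusts only the CA it expects rather than a single merged bundle.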
@@ -1,81 +0,0 @@ -steps: - - - name: gcr.io/cloud-builders/bazel@sha256:f00a985c3196cc58819b6f7e8e40353273bc20e8f24b54d9c92d5279bb5b3fad - id: build - args: ['run', '--platforms=@io_bazel_rules_go//go/toolchain:linux_amd64', ':server'] - - - name: gcr.io/cloud-builders/docker - id: tag - args: ['tag', 'us-central1-docker.pkg.dev/builder-project/repo1/tee:server', 'us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server'] - waitFor: ['build'] - - - name: 'gcr.io/cloud-builders/docker' - id: push - args: ['push', 'us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server'] - waitFor: ['tag'] - - - id: attestations - name: ubuntu - entrypoint: bash - args: - - -c - - | - - echo -n '{ "projectid": "$PROJECT_ID", "buildid": "$BUILD_ID", "foo":"bar", "commitsha": "$COMMIT_SHA" }' > /workspace/predicates.json - - - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d - id: sign_kms - args: - - sign - - --annotations=key1=value1 - - --key - - gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 - - us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server - waitFor: ['push'] - - - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d - id: attest_kms - args: - - attest - - --key - - gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 - - --predicate=/workspace/predicates.json - - -y - - us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server - waitFor: ['push','sign_kms'] - - - - name: docker.io/anchore/syft@sha256:0f36bf87fcc63ffdbc64cec6c74d855941351dfeeb38fcc5cef46a2aa8302ceb - id: generate_sbom - args: - - packages - - us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server - - -o=spdx - - --file=/workspace/latest.spdx - waitFor: ['push'] - - - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d - id: attach_sbom - 
args: - - attach - - sbom - - --sbom=/workspace/latest.spdx - - us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server - waitFor: ['generate_sbom'] - - - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d - id: sign_sbom - args: - - sign - - --annotations=commit_sha=$COMMIT_SHA - - --attachment=sbom - - --key - - gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 - - us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server - waitFor: ['attach_sbom'] - -serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/cosign@$PROJECT_ID.iam.gserviceaccount.com' -options: - logging: CLOUD_LOGGING_ONLY - machineType: 'N1_HIGHCPU_32' - diff --git a/app/cloudbuild_bazel.yaml b/app/cloudbuild_bazel.yaml new file mode 100644 index 0000000..de8ba4d --- /dev/null +++ b/app/cloudbuild_bazel.yaml 
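Review bot: the removed app/cloudbuild.yaml passed the mutable reference `us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server` to every `cosign sign`, `cosign attest` and `syft` step, so the signature and attestations were bound to whatever the `:server` tag pointed at when the step ran. The replacement cloudbuild_bazel.yaml reads a `tee@sha256:...` reference from `/workspace/name_hash.txt` instead, which is the right fix; it is worth calling out in the commit message and README, because collaborators who verify must now pass the digest reference (or pin the tag to it) to `cosign verify` for the signature to match what the TEE actually runs.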
@@ -0,0 +1,108 @@ +steps: + + - name: gcr.io/cloud-builders/bazel@sha256:f00a985c3196cc58819b6f7e8e40353273bc20e8f24b54d9c92d5279bb5b3fad + id: build + args: ['run', '--platforms=@io_bazel_rules_go//go/toolchain:linux_amd64', ':server'] + + - name: gcr.io/cloud-builders/docker@sha256:885aba69c8f1c69cd0a4d60b195df6fed32519c204cf3ebd6e63db50d6806a7d + id: tag + args: ['tag', 'us-central1-docker.pkg.dev/builder-project/repo1/tee:server', 'us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server'] + waitFor: ['build'] + + - name: gcr.io/cloud-builders/docker@sha256:885aba69c8f1c69cd0a4d60b195df6fed32519c204cf3ebd6e63db50d6806a7d + id: push + entrypoint: '/bin/bash' + args: + - '-c' + - | + /usr/bin/docker push us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server > /tmp/push_output.txt && tail -1 /tmp/push_output.txt | awk '{printf("us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee@") $3}' > /workspace/name_hash.txt + waitFor: ['tag'] + + - id: attestations + name: docker.io/library/ubuntu@sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21 + entrypoint: bash + args: + - -c + - | + echo -n '{ "projectid": "$PROJECT_ID", "buildid": "$BUILD_ID", "foo":"bar", "commitsha": "$COMMIT_SHA"}' > /workspace/predicates.json + waitFor: ['build'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: sign_kms + entrypoint: 'sh' + args: + - '-c' + - | + cosign sign --annotations=key1=value1 --key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 $(cat /workspace/name_hash.txt) + waitFor: ['push'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: attest_kms + entrypoint: 'sh' + args: + - '-c' + - | + cosign attest --key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 --predicate=/workspace/predicates.json -y $(cat 
/workspace/name_hash.txt) + waitFor: ['push','sign_kms'] + + # - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + # id: sign_oidc + # env: + # - REGISTRY=us-central1-docker.pkg.dev + # - TUF_ROOT=/tmp + # - COSIGN_EXPERIMENTAL=1 + # - GOOGLE_SERVICE_ACCOUNT_NAME=cosign@$PROJECT_ID.iam.gserviceaccount.com + # entrypoint: 'sh' + # args: + # - '-c' + # - | + # cosign sign --annotations=key1=value1 -f -y $(cat /workspace/name_hash.txt) + # waitFor: ['attestations'] + + # - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + # id: attest_oidc + # env: + # - REGISTRY=us-central1-docker.pkg.dev + # - TUF_ROOT=/tmp + # - COSIGN_EXPERIMENTAL=1 + # - GOOGLE_SERVICE_ACCOUNT_NAME=cosign@$PROJECT_ID.iam.gserviceaccount.com + # entrypoint: 'sh' + # args: + # - '-c' + # - | + # cosign attest -f --predicate=/workspace/predicates.json -y $(cat /workspace/name_hash.txt) + # waitFor: ['sign_oidc'] + + # note, syft@sha256:7a0f80ba92423d6771da80c4b7d3d051759ed2b3f66a85a9922d448ea6eff60b is the *debug* image because it provides a shell + - name: docker.io/anchore/syft@sha256:7a0f80ba92423d6771da80c4b7d3d051759ed2b3f66a85a9922d448ea6eff60b + id: generate_sbom + entrypoint: 'sh' + args: + - '-c' + - | + /syft packages $(/busybox/cat /workspace/name_hash.txt) -o=spdx --file=/workspace/latest.spdx + waitFor: ['push'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: attach_sbom + entrypoint: 'sh' + args: + - '-c' + - | + cosign attach sbom --sbom=/workspace/latest.spdx $(cat /workspace/name_hash.txt) + waitFor: ['generate_sbom'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: sign_sbom + entrypoint: 'sh' + args: + - '-c' + - | + cosign sign --annotations=commit_sha=$COMMIT_SHA --attachment=sbom --key 
gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 $(cat /workspace/name_hash.txt) + waitFor: ['attach_sbom'] + +serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/cosign@$PROJECT_ID.iam.gserviceaccount.com' +options: + logging: CLOUD_LOGGING_ONLY + machineType: 'N1_HIGHCPU_32' + diff --git a/app/cloudbuild_kaniko.yaml b/app/cloudbuild_kaniko.yaml new file mode 100644 index 0000000..763f5f4 --- /dev/null +++ b/app/cloudbuild_kaniko.yaml 
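Review bot: in app/cloudbuild_bazel.yaml, `attest_kms` reads `/workspace/predicates.json` but its `waitFor` is `['push','sign_kms']`, so nothing orders it after the `attestations` step that writes that file; once a step has an explicit `waitFor`, Cloud Build only waits on the ids listed there, so add `'attestations'` to that list. Separately, the `tag` step hardcodes the bazel-produced source name `us-central1-docker.pkg.dev/builder-project/repo1/tee:server`, which has to match whatever the `:server` rule loads into the local daemon; a comment pointing at that rule (or a substitution variable) would keep the two from drifting apart.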
@@ -0,0 +1,134 @@ +steps: + - name: gcr.io/kaniko-project/executor@sha256:034f15e6fe235490e64a4173d02d0a41f61382450c314fffed9b8ca96dff66b2 + id: build + args: + [ + "--dockerfile=Dockerfile", + "--context=dir:///workspace", + "--reproducible", + "--image-name-with-digest-file=/workspace/name_hash.txt", + "--destination=us-central1-docker.pkg.dev/$PROJECT_ID/repo1/tee:server", + ] + + - id: attestations + name: docker.io/library/ubuntu@sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21 + entrypoint: bash + args: + - -c + - | + echo -n '{ "projectid": "$PROJECT_ID", "buildid": "$BUILD_ID", "foo":"bar", "commitsha": "$COMMIT_SHA"}' > /workspace/predicates.json + waitFor: ['build'] + + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: sign_kms + entrypoint: 'sh' + args: + - '-c' + - | + cosign sign --annotations=key1=value1 --key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 $(cat /workspace/name_hash.txt) + waitFor: ['build'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: attest_kms + entrypoint: 'sh' + args: + - '-c' + - | + cosign attest --key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 --predicate=/workspace/predicates.json -y $(cat /workspace/name_hash.txt) + waitFor: ['build','sign_kms'] + + - name: docker.io/anchore/syft@sha256:7a0f80ba92423d6771da80c4b7d3d051759ed2b3f66a85a9922d448ea6eff60b + id: generate_packages_attestation + entrypoint: 'sh' + args: + - '-c' + - | + /syft packages -o cyclonedx-json --file=/workspace/packages.json $(/busybox/cat /workspace/name_hash.txt) + waitFor: ['build','sign_kms'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: attest_packages_kms + entrypoint: 'sh' + args: + - '-c' + - | + cosign 
attest --key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 --predicate=/workspace/packages.json --type="https://cyclonedx.org/bom/v1.4" -y $(cat /workspace/name_hash.txt) + waitFor: ['generate_packages_attestation'] + + # - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + # id: sign_oidc + # env: + # - REGISTRY=us-central1-docker.pkg.dev + # - TUF_ROOT=/tmp + # - COSIGN_EXPERIMENTAL=1 + # - GOOGLE_SERVICE_ACCOUNT_NAME=cosign@$PROJECT_ID.iam.gserviceaccount.com + # entrypoint: 'sh' + # args: + # - '-c' + # - | + # cosign sign --annotations=key1=value1 -f -y $(cat /workspace/name_hash.txt) + # waitFor: ['attestations'] + + # - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + # id: attest_oidc + # env: + # - REGISTRY=us-central1-docker.pkg.dev + # - TUF_ROOT=/tmp + # - COSIGN_EXPERIMENTAL=1 + # - GOOGLE_SERVICE_ACCOUNT_NAME=cosign@$PROJECT_ID.iam.gserviceaccount.com + # entrypoint: 'sh' + # args: + # - '-c' + # - | + # cosign attest -f --predicate=/workspace/predicates.json -y $(cat /workspace/name_hash.txt) + # waitFor: ['sign_oidc'] + + # - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + # id: attest_packages_oidc + # env: + # - REGISTRY=us-central1-docker.pkg.dev + # - TUF_ROOT=/tmp + # - COSIGN_EXPERIMENTAL=1 + # - GOOGLE_SERVICE_ACCOUNT_NAME=cosign@$PROJECT_ID.iam.gserviceaccount.com + # entrypoint: 'sh' + # args: + # - '-c' + # - | + # cosign attest -f --predicate=/workspace/packages.json --type="https://cyclonedx.org/bom/v1.4" -y $(cat /workspace/name_hash.txt) + # waitFor: ['generate_packages_attestation'] + + + # note, syft@sha256:7a0f80ba92423d6771da80c4b7d3d051759ed2b3f66a85a9922d448ea6eff60b is the *debug* image because it provides a shell + - name: 
docker.io/anchore/syft@sha256:7a0f80ba92423d6771da80c4b7d3d051759ed2b3f66a85a9922d448ea6eff60b + id: generate_sbom + entrypoint: 'sh' + args: + - '-c' + - | + /syft packages $(/busybox/cat /workspace/name_hash.txt) -o=spdx --file=/workspace/latest.spdx + waitFor: ['build'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: attach_sbom + entrypoint: 'sh' + args: + - '-c' + - | + cosign attach sbom --sbom=/workspace/latest.spdx $(cat /workspace/name_hash.txt) + waitFor: ['generate_sbom'] + + - name: gcr.io/projectsigstore/cosign@sha256:ac8e08a2141e093f4fd7d1d0b05448804eb3771b66574b13ad73e31b460af64d + id: sign_sbom + entrypoint: 'sh' + args: + - '-c' + - | + cosign sign --annotations=commit_sha=$COMMIT_SHA --attachment=sbom --key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/cosignkr/cryptoKeys/key1/cryptoKeyVersions/1 $(cat /workspace/name_hash.txt) + waitFor: ['attach_sbom'] + + +serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/cosign@$PROJECT_ID.iam.gserviceaccount.com' +options: + logging: CLOUD_LOGGING_ONLY + machineType: 'N1_HIGHCPU_32' diff --git a/app/config.json b/app/config.json index 5fdd33a..5c2c67c 100644 --- a/app/config.json +++ b/app/config.json @@ -1,6 +1,4 @@ { - "collaborator_1_audience": "//iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/providers/attestation-verifier", - "collaborator_1_kms": "projects/$COLLABORATOR_1_PROJECT_ID/locations/global/keyRings/kr1/cryptoKeys/key1", - "collaborator_2_audience": "//iam.googleapis.com/projects/$COLLABORATOR_2_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/providers/attestation-verifier", - "collaborator_2_kms": "projects/$COLLABORATOR_2_PROJECT_ID/locations/global/keyRings/kr1/cryptoKeys/key1" + "foo": "bar", + "bar": "bar" } \ No newline at end of file diff --git a/app/go.mod b/app/go.mod index 6197802..03620c9 100644 
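Review bot: app/cloudbuild_kaniko.yaml has the same missing edge as the bazel file: `attest_kms` waits on `['build','sign_kms']` but reads `/workspace/predicates.json`, which is written by `attestations`, so add `'attestations'` to its `waitFor`. The three commented-out `*_oidc` steps are duplicated verbatim between the two cloudbuild files; if keyless signing is meant to stay an option, one documented variant (or a README section) is easier to keep in sync than parallel dead blocks.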
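Review bot: in app/config.json the `collaborator_*_audience` and `collaborator_*_kms` entries are replaced by `"foo": "bar"` placeholders; confirm nothing still reads those keys (the handler comment says the KMS client is built from what arrives in the message) and state in the README that config.json now carries only placeholder values, otherwise a reader will assume the collaborator endpoints are still configured here. The file also lacks a trailing newline.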
--- a/app/go.mod +++ b/app/go.mod @@ -1,4 +1,4 @@ -module github.com/salrashid123/gcp-confidential-space/app +module github.com/salrashid123/confidential_space/app go 1.19 diff --git a/app/main.go b/app/main.go index 8baaeeb..a29c8b5 100644 --- a/app/main.go +++ b/app/main.go @@ -2,6 +2,7 @@ package main import ( "context" + "crypto/sha256" "crypto/tls" "crypto/x509" "encoding/base64" @@ -10,6 +11,7 @@ import ( "flag" "fmt" "io/ioutil" + "net" "net/http" "os" "runtime" 
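Review bot: the module path changes from `github.com/salrashid123/gcp-confidential-space/app` to `github.com/salrashid123/confidential_space/app`; any `importpath` in the bazel BUILD files and any README or Dockerfile reference to the old path needs the same rename, or the bazel and kaniko builds will disagree. Those files are not in this diff, so a confirming sentence in the PR description would help.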
@@ -38,9 +40,20 @@ var ( config = flag.String("config", "config.json", "Arbitrary config file") attestation_token_path = flag.String("attestation_token_path", "/run/container_launcher/attestation_verifier_claims_token", "Path to Attestation Token file") project_id = flag.String("project_id", "", "ProjectID for pubsub subscription and logging") - ca_files = flag.String("ca_files", "tls-ca-chain.pem", "RootCA Chain (PEM)") - tls_crt = flag.String("tls_crt", "tee.crt", "TLS Certificate (PEM)") - tls_key = flag.String("tls_key", "tee.key", "TLS KEY (PEM)") + + // for mtls certificates + default_ca = flag.String("default_ca", "root-ca-operator.crt", "Operator RootCA Chain (PEM)") + default_tls_crt = flag.String("default_tls_crt", "tee-operator.crt", "Operator TLS Certificate (PEM)") + default_tls_key = flag.String("default_tls_key", "tee-operator.key", "Operator TLS KEY (PEM)") + + // collaborator mtls certs and keys materialized within the TEE + collaborator1_ca = flag.String("collaborator1_ca", "root-ca-collaborator1.crt", "Collaborator 1 RootCA Chain (PEM)") + collaborator1_tls_crt = flag.String("collaborator1_tls_crt", "tee-collaborator1.crt", "Collaborator 1 TLS Certificate (PEM)") + collaborator1_tls_key = flag.String("collaborator1_tls_key", "tee-collaborator1.key", "Collaborator 1 TLS KEY (PEM)") + + collaborator2_ca = flag.String("collaborator2_ca", "root-ca-collaborator2.crt", "Collaborator 2 RootCA Chain (PEM)") + collaborator2_tls_crt = flag.String("collaborator2_tls_crt", "tee-collaborator2.crt", "Collaborator 2 TLS Certificate (PEM)") + collaborator2_tls_key = flag.String("collaborator2_tls_key", "tee-collaborator2.key", "Collaborator 2 TLS KEY (PEM)") // map to hold all the users currently found and the number of times // they've been sent 
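Review bot: the comment above the `collaborator1_*` / `collaborator2_*` flags says the certs and keys are "materialized within the TEE", but the defaults are static filenames (`tee-collaborator1.key` and friends) read from disk at startup, so in practice they are whatever was shipped in the image; say in the flag help text that these defaults are demo placeholders and that the intended flow fetches them per collaborator after attestation, as the later comment in `main()` describes, so nobody mistakes the defaults for the production path. Also, `ca_files`, `tls_crt` and `tls_key` are removed: check that no script or README invocation still passes them, since the `flag` package rejects unknown flags at startup.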
@@ -71,9 +84,58 @@ type event struct { PeerCertificates []*x509.Certificate } -// middleware to extract the mtls client certificate subject func eventsMiddleware(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ip, _, err := net.SplitHostPort(r.RemoteAddr) + if err != nil { + http.Error(w, "Userip is not host:port", http.StatusBadGateway) + return + } + userIP := net.ParseIP(ip) + if userIP == nil { + http.Error(w, "error parsing remote IP", http.StatusBadGateway) + return + } + logger.Printf("Request client IP: %s\n", ip) + + // cert verification was already done during tls.Config.GetConfigForClient earlier + // where we only allow client certs and cas from the collaborators specifically. + // this is just a recheck + if len(r.TLS.VerifiedChains) == 0 { + logger.Printf("Unverified client certificate from: %s\n", ip) + http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) + return + } + // for gcp healthchecks if we allow mtls bypass only for /healthz endpoint + // if r.URL.Path == "/healthz" { + // // https://cloud.google.com/load-balancing/docs/l7-internal#firewall_rules + // lbSubnetA := "35.191.0.0/16" + // lbSubnetB := "130.211.0.0/22" + // _, ipnetA, err := net.ParseCIDR(lbSubnetA) + // if err != nil { + // logger.Printf("Error checking remote IP Subnet: %s\n", ip) + // http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) + // return + // } + // _, ipnetB, err := net.ParseCIDR(lbSubnetB) + // if err != nil { + // logger.Printf("Error checking remote IP Subnet: %s\n", ip) + // http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) + // return + // } + // c1 := net.ParseIP(ip) + + // if !(ipnetA.Contains(c1) || ipnetB.Contains(c1)) { + // logger.Printf("Error Healthcheck request not from LB Subnet: %s\n", ip) + // http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) + // return + // } + // } else if 
len(r.TLS.VerifiedChains) == 0 { + // logger.Printf("Error: only /healthz endpoint is allowed without client certificates: %s\n", ip) + // http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) + // return + // } + event := &event{ PeerCertificates: r.TLS.PeerCertificates, } @@ -82,6 +144,10 @@ func eventsMiddleware(h http.Handler) http.Handler { }) } +func healthhandler(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, "ok") +} + func incrementCounter(ctx context.Context, audience, key string, data []byte) (string, int32, error) { // bootstrap Collaborator credentials; decrypt with KMS key // note, we're creating a new kmsclient on demand based on what is sent in the message alone. @@ -120,7 +186,12 @@ func incrementCounter(ctx context.Context, audience, key string, data []byte) (s func posthandler(w http.ResponseWriter, r *http.Request) { val := r.Context().Value(contextKey("event")).(event) - logger.Printf("PeerCertificates count %d\n", len(val.PeerCertificates)) + // note val.PeerCertificates[0] is the leaf + for _, c := range val.PeerCertificates { + h := sha256.New() + h.Write(c.Raw) + fmt.Printf("Client Certificate hash %s\n", base64.RawURLEncoding.EncodeToString(h.Sum(nil))) + } var post PostData err := json.NewDecoder(r.Body).Decode(&post) 
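Review bot: in `eventsMiddleware`, a `RemoteAddr` that fails `net.SplitHostPort` or `net.ParseIP` is answered with `http.StatusBadGateway` (502), which signals an upstream failure; a malformed peer address is a 400 (or a plain 500, since it should never happen on a TLS listener). The roughly thirty commented-out lines for a `/healthz` mTLS bypass are dead code in the security-critical path; move them to a README note or delete them, and if they are ever enabled record that `RemoteAddr` is the direct peer, so the load-balancer CIDR check only holds when nothing else proxies the connection. The removed doc comment (`// middleware to extract the mtls client certificate subject`) should be replaced, since the function now also enforces the verified-chain check.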
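Review bot: in `posthandler`, the client certificate hashes are written with `fmt.Printf` while every other message in the file goes through `logger.Printf`; use `logger.Printf` so the hashes land in the same log stream as the rest. Since the comment says `val.PeerCertificates[0]` is the leaf, print the chain index alongside each hash, otherwise the leaf and any intermediates are indistinguishable in the log.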
@@ -304,20 +375,101 @@ func main() { } }(ctx) - // // start http server on main + // start http server on main router := mux.NewRouter() router.Methods(http.MethodPost).Path("/").HandlerFunc(posthandler) - clientCaCert, err := ioutil.ReadFile(*ca_files) + router.Methods(http.MethodGet).Path("/healthz").HandlerFunc(healthhandler) + + // load default server certs + default_server_certs, err := tls.LoadX509KeyPair(*default_tls_crt, *default_tls_key) + if err != nil { + logger.Printf("Error loading default certificates %v\n", err) + runtime.Goexit() + } + + // load the CA client cert and server certificates + // load rootCA for CA_1 + client1_root, err := ioutil.ReadFile(*collaborator1_ca) + if err != nil { + logger.Printf("Error loading collaborator1 ca certificate %v\n", err) + runtime.Goexit() + } + + client1_root_pool := x509.NewCertPool() + client1_root_pool.AppendCertsFromPEM(client1_root) + + // load rootCA for CA_2 + client2_root, err := ioutil.ReadFile(*collaborator2_ca) + if err != nil { + logger.Printf("Error loading collaborator2 ca certificate %v\n", err) + runtime.Goexit() + } + + client2_root_pool := x509.NewCertPool() + client2_root_pool.AppendCertsFromPEM(client2_root) + + // load the server certs issued by both ca1 and ca2, pretend these should use get loaded + // from each collaborators's secret manager or private ca using the attestation token (similar to the KMS decryption) + server1_cert, err := tls.LoadX509KeyPair(*collaborator1_tls_crt, *collaborator1_tls_key) if err != nil { - logger.Printf("Error reading ca_file %v\n", err) + logger.Printf("Error loading collaborator1 server certificates %v\n", err) runtime.Goexit() } - clientCaCertPool := x509.NewCertPool() - clientCaCertPool.AppendCertsFromPEM(clientCaCert) + server2_cert, err := tls.LoadX509KeyPair(*collaborator2_tls_crt, *collaborator2_tls_key) + if err != nil { + logger.Printf("Error loading collaborator2 server certificates %v\n", err) + runtime.Goexit() + } + + // 
***************************************** + + // set TLS configs based on the SNI of the requestor. + // the following sets custom TLS enforcements where both client and server cert enforcement is controlled + // by each collaborator (i.,e a client for collaborator can set client and server certs for their own use) + // basically, if the certificates are materialized by each collaborator using workload federation, then each + // client that connects _to_ the TEE using mTLS must be authorized by each individual collaborator by issuing them client certificates + // the only SNI that does not require client certs is the /healthz healthcheck path which is checked within eventsMiddleware(). That capability is current commented out tlsConfig := &tls.Config{ - ClientCAs: clientCaCertPool, - ClientAuth: tls.RequireAndVerifyClientCert, + NextProtos: []string{"h2", "http/1.1"}, + Certificates: []tls.Certificate{default_server_certs}, // have to specify something here though its not used + MinVersion: tls.VersionTLS13, + GetConfigForClient: func(ci *tls.ClientHelloInfo) (*tls.Config, error) { + if ci.ServerName == "tee.collaborator1.com" { + return &tls.Config{ + NextProtos: []string{"h2", "http/1.1"}, + MinVersion: tls.VersionTLS13, + ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: client1_root_pool, + GetCertificate: func(ci *tls.ClientHelloInfo) (*tls.Certificate, error) { + return &server1_cert, nil + }, + }, nil + } + if ci.ServerName == "tee.collaborator2.com" { + return &tls.Config{ + NextProtos: []string{"h2", "http/1.1"}, + MinVersion: tls.VersionTLS13, + ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: client2_root_pool, + GetCertificate: func(ci *tls.ClientHelloInfo) (*tls.Certificate, error) { + return &server2_cert, nil + }, + }, nil + } + + // if you want to handle a bypass for healthchecks without mtls, verify the gcp loadbalancer ip here using + // ip = net.ParseIP(ci.Conn.RemoteAddr().String()) in ["35.191.0.0/16","130.211.0.0/22"] + + // 
return &tls.Config{ + // NextProtos: []string{"h2", "http/1.1"}, + // MinVersion: tls.VersionTLS13, + // GetCertificate: func(ci *tls.ClientHelloInfo) (*tls.Certificate, error) { + // return &default_server_certs, nil + // }, + // }, nil + return nil, fmt.Errorf("SNI not recognized %s", ci.ServerName) + }, } var server *http.Server @@ -329,7 +481,7 @@ func main() { http2.ConfigureServer(server, &http2.Server{}) logger.Println("Starting HTTP Server..") - err = server.ListenAndServeTLS(*tls_crt, *tls_key) + err = server.ListenAndServeTLS("", "") if err != nil { logger.Printf("Error Starting TLS Server %v\n", err) runtime.Goexit() diff --git a/http_client/certs/client-collaborator1.crt b/http_client/certs/client-collaborator1.crt new file mode 100644 index 0000000..8f655bf --- /dev/null +++ b/http_client/certs/client-collaborator1.crt 
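Review bot: the return values of `client1_root_pool.AppendCertsFromPEM` and `client2_root_pool.AppendCertsFromPEM` are ignored; if either PEM file is malformed the pool stays empty and every client for that SNI is rejected with no log line naming the cause, so check the bool and `runtime.Goexit()` with a message as the surrounding loads do. The SNI names `tee.collaborator1.com` / `tee.collaborator2.com` are hardcoded while every other per-collaborator input is a flag; promote them to flags next to the cert flags. The long comment above `tlsConfig` has typos (`i.,e`, `should use get loaded`, `is current commented out`) and should say plainly that, as written, `/healthz` is reachable only with a valid collaborator client cert, because `GetConfigForClient` returns an error for any other SNI.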
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 1, OU=Enterprise, CN=Collaborator 1 Root CA + Validity + Not Before: Apr 17 12:09:01 2023 GMT + Not After : Apr 16 12:09:01 2033 GMT + Subject: L=US, O=Google, OU=Enterprise, CN=client.collaborator1.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c5:a9:1d:81:57:2a:5f:3d:af:4c:7a:94:1a:27: + 53:14:25:8e:00:20:cb:59:b8:c8:67:12:d6:d9:7d: + b8:26:0d:83:d2:87:e0:ff:cd:e6:b1:02:7c:85:d9: + 57:b6:dc:6a:cc:09:0c:5e:30:54:e1:1c:f2:f2:47: + 45:ec:25:1d:e2:39:8a:7a:41:17:36:3a:28:a9:d2: + 71:fe:13:34:88:5f:11:40:7d:4e:8b:f4:ca:2e:a8: + 2b:5b:4b:02:40:87:32:a4:24:ba:67:80:34:6d:3d: + 0c:57:e5:41:9c:43:44:46:1f:23:37:f3:06:9f:78: + 4a:5c:92:8d:7d:7c:39:74:b9:1f:28:13:5e:e1:fd: + a1:a3:78:92:b5:8c:d1:60:97:ad:4d:c0:45:c1:57: + a4:d8:47:93:91:dd:4c:49:fd:47:c5:98:27:a8:c6: + ec:93:35:3c:b0:c7:71:58:2b:31:53:2e:b4:c3:32: + e9:86:56:3d:fb:aa:a2:a1:44:47:5d:42:81:8f:9a: + 97:99:d3:93:3f:59:94:3c:6c:c6:a0:85:69:9a:f7: + de:f6:99:18:9a:cb:f2:42:0d:9d:af:a3:76:4c:78: + 78:3e:cd:a4:cc:5c:6c:3e:c6:39:d4:05:58:eb:2b: + c0:f7:68:00:1d:87:11:00:f0:1c:15:7e:54:3c:ed: + 91:c3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Subject Key Identifier: + F0:51:96:B5:D1:D5:F6:BF:6A:99:20:88:DC:6F:D9:B9:FD:91:D8:60 + X509v3 Authority Key Identifier: + 75:0D:12:CC:DB:33:ED:58:06:8C:AD:ED:0E:9E:2F:00:E9:6F:C1:65 + X509v3 CRL Distribution Points: + Full Name: + URI:http://pki.esodemoapp2.com/ca/root-ca.crl + X509v3 Subject Alternative Name: + DNS:client.collaborator1.com + Authority Information Access: + OCSP - URI:http://localhost:9999/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 
a8:96:f9:0e:f4:9b:36:ab:56:4f:95:1f:79:2f:0f:a7:04:02: + d6:5c:d3:c5:fe:72:17:a8:cf:37:15:c5:98:8b:82:36:c3:67: + cd:11:6a:31:63:a7:e2:9d:bb:19:2b:19:00:df:fb:a6:ac:5a: + 4f:ec:00:4e:90:2a:64:e0:fc:f7:a2:7b:c4:db:99:a0:42:0a: + 1d:b2:0c:16:db:e6:de:21:20:98:2d:8e:dc:45:38:45:f0:04: + d7:b4:d4:52:95:64:ed:29:e4:71:a0:c9:1c:a1:39:a8:b4:a1: + 3f:7d:f7:53:b4:70:03:92:d6:76:f7:3f:db:ff:e3:77:06:bf: + 07:4e:6f:5f:0b:dc:fc:66:51:2a:0e:02:2c:43:df:8a:73:a3: + 3f:c3:78:9a:34:3b:c3:4c:77:26:2e:9a:d9:87:42:cf:df:98: + 29:c5:57:c3:d1:94:1c:10:4b:14:c1:01:5a:ce:51:cc:87:de: + f6:2a:c9:9a:01:3b:a9:90:d8:35:9c:c6:3e:b3:ed:72:f3:c5: + 3d:e1:f8:7b:2d:dc:d9:19:21:24:54:ef:9b:5c:aa:96:b7:68: + b4:83:fb:df:fb:66:83:fa:23:72:64:fe:bb:40:a5:f3:0d:21: + 5d:6c:eb:58:02:1a:d2:76:16:26:e3:91:bd:b5:c1:1b:68:2f: + 18:26:ff:31 +-----BEGIN CERTIFICATE----- +MIIEODCCAyCgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDExEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAxIFJvb3QgQ0EwHhcNMjMwNDE3MTIwOTAxWhcN +MzMwNDE2MTIwOTAxWjBWMQswCQYDVQQHDAJVUzEPMA0GA1UECgwGR29vZ2xlMRMw +EQYDVQQLDApFbnRlcnByaXNlMSEwHwYDVQQDDBhjbGllbnQuY29sbGFib3JhdG9y +MS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFqR2BVypfPa9M +epQaJ1MUJY4AIMtZuMhnEtbZfbgmDYPSh+D/zeaxAnyF2Ve23GrMCQxeMFThHPLy +R0XsJR3iOYp6QRc2Oiip0nH+EzSIXxFAfU6L9MouqCtbSwJAhzKkJLpngDRtPQxX +5UGcQ0RGHyM38wafeEpcko19fDl0uR8oE17h/aGjeJK1jNFgl61NwEXBV6TYR5OR +3UxJ/UfFmCeoxuyTNTywx3FYKzFTLrTDMumGVj37qqKhREddQoGPmpeZ05M/WZQ8 +bMaghWma9972mRiay/JCDZ2vo3ZMeHg+zaTMXGw+xjnUBVjrK8D3aAAdhxEA8BwV +flQ87ZHDAgMBAAGjggEJMIIBBTAOBgNVHQ8BAf8EBAMCB4AwCQYDVR0TBAIwADAT +BgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQU8FGWtdHV9r9qmSCI3G/Zuf2R +2GAwHwYDVR0jBBgwFoAUdQ0SzNsz7VgGjK3tDp4vAOlvwWUwOgYDVR0fBDMwMTAv +oC2gK4YpaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20vY2Evcm9vdC1jYS5jcmww +IwYDVR0RBBwwGoIYY2xpZW50LmNvbGxhYm9yYXRvcjEuY29tMDIGCCsGAQUFBwEB +BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo5OTk5LzANBgkqhkiG 
+9w0BAQsFAAOCAQEAqJb5DvSbNqtWT5UfeS8PpwQC1lzTxf5yF6jPNxXFmIuCNsNn +zRFqMWOn4p27GSsZAN/7pqxaT+wATpAqZOD896J7xNuZoEIKHbIMFtvm3iEgmC2O +3EU4RfAE17TUUpVk7SnkcaDJHKE5qLShP333U7RwA5LWdvc/2//jdwa/B05vXwvc +/GZRKg4CLEPfinOjP8N4mjQ7w0x3Ji6a2YdCz9+YKcVXw9GUHBBLFMEBWs5RzIfe +9irJmgE7qZDYNZzGPrPtcvPFPeH4ey3c2RkhJFTvm1yqlrdotIP73/tmg/ojcmT+ +u0Cl8w0hXWzrWAIa0nYWJuORvbXBG2gvGCb/MQ== +-----END CERTIFICATE----- diff --git a/http_client/certs/client-collaborator1.key b/http_client/certs/client-collaborator1.key new file mode 100644 index 0000000..8048639 --- /dev/null +++ b/http_client/certs/client-collaborator1.key 
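Review bot: the `Subject` of `client-collaborator1.crt` reads `L=US, O=Google, ...` where `client-collaborator2.crt` uses `C=US`; the locality attribute looks like a typo in the CSR config, harmless for a test fixture but worth regenerating so the two match. The AIA OCSP URI `http://localhost:9999/` and the `pki.esodemoapp2.com` CRL URL will not be reachable from the TEE, so if revocation checking is ever added these fixtures will fail it; a README line marking them as demo-only would help.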
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFqR2BVypfPa9M +epQaJ1MUJY4AIMtZuMhnEtbZfbgmDYPSh+D/zeaxAnyF2Ve23GrMCQxeMFThHPLy +R0XsJR3iOYp6QRc2Oiip0nH+EzSIXxFAfU6L9MouqCtbSwJAhzKkJLpngDRtPQxX +5UGcQ0RGHyM38wafeEpcko19fDl0uR8oE17h/aGjeJK1jNFgl61NwEXBV6TYR5OR +3UxJ/UfFmCeoxuyTNTywx3FYKzFTLrTDMumGVj37qqKhREddQoGPmpeZ05M/WZQ8 +bMaghWma9972mRiay/JCDZ2vo3ZMeHg+zaTMXGw+xjnUBVjrK8D3aAAdhxEA8BwV +flQ87ZHDAgMBAAECggEAAnmplaCQHPnQ4HeagJdXrX8Cf7lPz2a5r7zAwjl8tsR6 +XAasLr5KPyyfGMgBFrIJuyNgq19JXzmCSCSg8tUy9U3JXUDEBL+Gs29TH4Tn2ZtW +Xat6cjs71Ii+ywzHhIpZr0xWDAzDDoK/Geyt8Fu3sHWCw36ztjrtGqqrj4cHBMSo +RVrcZ66ICf7HazH7Op25uI2JoKSg+FP6xZHIDl7K6OXJkUaCnSoY9f+hf5Jb+8iG +CZFUotFhPx4wY9LU+z+PYebuEEyb9ApniJY2kvRsQup2GjcpnFEV1jORuGWcGxXv +ENdK5IgU2YBrWLJuVXlyhZH4r65NF6mFIE2SeP11jQKBgQDcmPwXJEMKM2Y4cntL +Fc4/dFTNXDtvYtbUn00S+hjN0XVzueGsM2MLFFt+bf6Mm0uf22HhRKA30PZLNUO6 +Tn9n7E/szw7C+V2Loo6Z5aqdJVzPbUZf+G+Y2oBX5fyeCSiGDjeYVsCjYfOwBnWc +kxGt5GeBTyEdsuX99cHaSAft/QKBgQDlYcn3MBIUwzHyVdi2/Cntpz5PIf8qBkDl +ZJ6Akllsux2pFvRCMP86eJVnuzYL5B3HvK/PiGub5LJPvpgVoFOLePWFcfCfiNgT +hXQBoZ7fQbGThU9oGcS0NgwApMW5kg/cHPKWYwaQUK62vzBGntppOTcgrlX87Hbc +FNm2M62qvwKBgQCrdDhS4Ds+3W4wp0IOvNb92LPknTAQxbiFr37fJgVLSuZH2Qx+ +o73yKZNnM6SpsjXX/FIaHRWN7FrRX4fRcRtzMWd5fgFSJzC+y8yb7rZpx1VYXu1Y +wCY0nncsWjO6vRGDB9/MBnlZQ1N817hnxqLyDdko1tC9XYOGnJFbz6piHQKBgEOy +nrbTeyKhkUYiS/mFZqJ7L4qPUA2JFvIcxiLQDpBmkRRsb95xM4KAQCgDOqo7wwZG +C+VGL+wsjOu4Jo6LaNzK8DtYK1oKOytXwasRlh/x9YTCXXMt174QDW7LMofYMdIW +wQndY/yHs2i/+HF/RJq1hi2hBkPFTjcZ+D8r9V9lAoGBALFKPDJkqUZWKsgkG9AW +u7tYVZHUtHxVL3FpJBharIoG5lv5z8AAWImBFRbdmT/aR2HxM4830M3PhZMsqx6X +dfPGaKbmsOfloM63sIajT1op5VeTpaxmhtAunHy255FquvQ4uDFNQlLLoHTZUg8o +BOEkhQVVuAdryzyuh8kqC00d +-----END PRIVATE KEY----- diff --git a/http_client/certs/client-collaborator2.crt b/http_client/certs/client-collaborator2.crt new file mode 100644 index 0000000..91cd990 --- /dev/null +++ b/http_client/certs/client-collaborator2.crt 
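Review bot: `client-collaborator1.key` (and `client-collaborator2.key` below) are unencrypted private keys committed to the repository; acceptable for throwaway demo fixtures, but mark them as such in the README and never reuse these CAs or keys outside the walkthrough, since anyone with the repository holds them. Checking in the openssl commands or CA config used to mint them would let readers generate their own instead of reusing the published ones.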
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 2, OU=Enterprise, CN=Collaborator 2 Root CA + Validity + Not Before: Apr 17 12:15:13 2023 GMT + Not After : Apr 16 12:15:13 2033 GMT + Subject: C=US, O=Google, OU=Enterprise, CN=client.collaborator2.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ba:b1:72:61:ab:d1:47:04:32:7e:d8:31:81:cc: + f0:78:9a:fa:0a:4c:8b:a5:c4:7a:f8:da:f0:34:cb: + b3:d6:87:91:9b:60:0c:00:17:a8:b8:75:58:c8:c2: + 5f:04:7c:38:ba:42:cf:8d:3c:ae:3e:1b:34:56:22: + 9e:a8:aa:be:e7:76:35:85:f9:61:6f:66:2d:0b:f1: + 7b:22:98:3e:f9:c9:76:75:ba:68:cc:3d:bb:56:3b: + 4e:33:ca:8c:e3:bb:ab:66:ad:a6:d0:6e:8e:aa:d2: + 53:d7:30:ed:cf:8e:33:db:d0:e2:66:4c:6f:8f:8f: + 87:a7:98:24:f2:82:55:07:2f:0a:ea:5b:57:26:94: + 3c:e4:dd:fa:7e:2b:5b:a7:b1:af:37:fc:aa:2b:dd: + 08:26:80:2b:b2:7f:91:1b:14:36:6b:7e:c4:06:81: + 97:54:d6:e8:df:2c:a7:e4:09:17:ef:f1:93:89:87: + 49:17:aa:a7:36:7d:96:06:3d:4d:2f:c4:60:f6:63: + d2:56:ad:53:aa:1c:38:99:6b:c0:59:94:b0:1a:e5: + 8b:51:43:ce:25:3f:de:25:aa:5b:3a:a2:36:ef:ce: + 45:14:a0:d0:cc:31:6f:61:2c:34:4b:5e:14:f7:34: + 51:61:63:6d:0a:00:bc:5f:85:51:f0:5e:a9:65:07: + fb:91 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Subject Key Identifier: + 1A:78:91:18:6B:3C:38:4C:28:16:40:2B:79:AC:B8:51:EF:F9:6D:DE + X509v3 Authority Key Identifier: + B2:77:C7:6F:8E:7D:55:E8:82:B5:F1:AC:98:66:85:0D:DF:56:3F:31 + X509v3 CRL Distribution Points: + Full Name: + URI:http://pki.esodemoapp2.com/ca/root-ca.crl + X509v3 Subject Alternative Name: + DNS:client.collaborator2.com + Authority Information Access: + OCSP - URI:http://localhost:10000/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 
47:8c:1d:bb:f0:0f:c8:3d:9b:57:62:e5:1b:70:3b:48:e9:91: + 2d:0d:b2:12:ea:93:43:ab:4f:6a:d3:1b:44:d3:f2:e1:89:5b: + 83:e3:63:e6:22:46:7b:0a:9d:b1:b2:4b:95:c2:1f:a2:5d:5d: + b3:3b:27:a5:8d:2e:60:2d:8f:65:ef:38:72:6c:c5:f0:e0:01: + a6:16:47:5c:25:92:c6:41:df:82:96:5e:a3:3e:7e:12:7e:f8: + 91:b5:b1:52:ae:72:05:20:3c:d3:7f:74:86:06:63:8f:af:88: + 5c:27:84:9e:ea:a6:ef:97:c4:b3:08:87:12:72:e7:50:04:43: + 7f:22:b2:81:7f:49:4e:15:5f:24:55:a0:50:03:63:e0:cf:3b: + 78:f2:ae:83:2f:c5:37:fe:6a:e2:29:47:cf:53:6e:1d:02:74: + d2:27:33:7c:e8:26:7f:27:55:b4:13:a0:36:53:e0:fe:87:22: + ed:41:28:98:f1:77:e5:cc:4b:31:dc:bb:16:40:d0:d5:4b:43: + b1:78:4d:b9:1a:55:9b:2e:e8:1e:9f:b2:4e:56:aa:1c:16:11: + 31:02:ec:75:28:eb:91:88:81:ad:b3:07:1d:ab:c0:ea:d8:ad: + 95:68:c4:fa:15:82:77:e2:3b:93:50:92:89:93:80:37:75:0d: + 76:f6:bd:16 +-----BEGIN CERTIFICATE----- +MIIEOTCCAyGgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDIxEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAyIFJvb3QgQ0EwHhcNMjMwNDE3MTIxNTEzWhcN +MzMwNDE2MTIxNTEzWjBWMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMw +EQYDVQQLDApFbnRlcnByaXNlMSEwHwYDVQQDDBhjbGllbnQuY29sbGFib3JhdG9y +Mi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6sXJhq9FHBDJ+ +2DGBzPB4mvoKTIulxHr42vA0y7PWh5GbYAwAF6i4dVjIwl8EfDi6Qs+NPK4+GzRW +Ip6oqr7ndjWF+WFvZi0L8XsimD75yXZ1umjMPbtWO04zyozju6tmrabQbo6q0lPX +MO3PjjPb0OJmTG+Pj4enmCTyglUHLwrqW1cmlDzk3fp+K1unsa83/Kor3QgmgCuy +f5EbFDZrfsQGgZdU1ujfLKfkCRfv8ZOJh0kXqqc2fZYGPU0vxGD2Y9JWrVOqHDiZ +a8BZlLAa5YtRQ84lP94lqls6ojbvzkUUoNDMMW9hLDRLXhT3NFFhY20KALxfhVHw +XqllB/uRAgMBAAGjggEKMIIBBjAOBgNVHQ8BAf8EBAMCB4AwCQYDVR0TBAIwADAT +BgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUGniRGGs8OEwoFkAreay4Ue/5 +bd4wHwYDVR0jBBgwFoAUsnfHb459VeiCtfGsmGaFDd9WPzEwOgYDVR0fBDMwMTAv +oC2gK4YpaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20vY2Evcm9vdC1jYS5jcmww +IwYDVR0RBBwwGoIYY2xpZW50LmNvbGxhYm9yYXRvcjIuY29tMDMGCCsGAQUFBwEB +BCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL2xvY2FsaG9zdDoxMDAwMC8wDQYJKoZI 
+hvcNAQELBQADggEBAEeMHbvwD8g9m1di5RtwO0jpkS0NshLqk0OrT2rTG0TT8uGJ +W4PjY+YiRnsKnbGyS5XCH6JdXbM7J6WNLmAtj2XvOHJsxfDgAaYWR1wlksZB34KW +XqM+fhJ++JG1sVKucgUgPNN/dIYGY4+viFwnhJ7qpu+XxLMIhxJy51AEQ38isoF/ +SU4VXyRVoFADY+DPO3jyroMvxTf+auIpR89Tbh0CdNInM3zoJn8nVbQToDZT4P6H +Iu1BKJjxd+XMSzHcuxZA0NVLQ7F4TbkaVZsu6B6fsk5WqhwWETEC7HUo65GIga2z +Bx2rwOrYrZVoxPoVgnfiO5NQkomTgDd1DXb2vRY= +-----END CERTIFICATE----- diff --git a/http_client/certs/client-collaborator2.key b/http_client/certs/client-collaborator2.key new file mode 100644 index 0000000..7465199 --- /dev/null +++ b/http_client/certs/client-collaborator2.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6sXJhq9FHBDJ+ +2DGBzPB4mvoKTIulxHr42vA0y7PWh5GbYAwAF6i4dVjIwl8EfDi6Qs+NPK4+GzRW +Ip6oqr7ndjWF+WFvZi0L8XsimD75yXZ1umjMPbtWO04zyozju6tmrabQbo6q0lPX +MO3PjjPb0OJmTG+Pj4enmCTyglUHLwrqW1cmlDzk3fp+K1unsa83/Kor3QgmgCuy +f5EbFDZrfsQGgZdU1ujfLKfkCRfv8ZOJh0kXqqc2fZYGPU0vxGD2Y9JWrVOqHDiZ +a8BZlLAa5YtRQ84lP94lqls6ojbvzkUUoNDMMW9hLDRLXhT3NFFhY20KALxfhVHw +XqllB/uRAgMBAAECggEABta5E5k6Vt9RTPaVDi3cXXOiXwoVp7xsO4VUHR/84gn4 +aExW9jInq92fE2gU2FaHUrHftdsUICnpk3HsVU3/ZR3OOT6UzlKMKgLGFaLldCuY +RXjfDcPBYvfUThcAbRdu4HmSGbKiEuF2YSStgm/RaB8FSxVn1Qa/Q7Ex4ckKzbLw +K5rLzmRRCEYHXcQUsz1WtkKdX1SKiu3WjNgSPJS6wcnXLAAwVz+5xeRRQVQ6839H +pPqHd70fUf/wKLONZICXDSYzAONCe/iiLjtrxQJd+vUYXo4eISG1dzduDHArnCJX +0nu0/2L8f/Z9F4TWX0zbulAgzi+LuBR4zpAv+x7+IQKBgQDxPBf51fyknZc/5vfM +CaiJJzwjQsclqN4m6aiLdq4yb9y9QEpe3TfbJRNN2uvp9RSyKJL/AtD/PAHGSG+1 +hv18rnR9kZBIMggm3jSmh1psiHblOx5oNnmF5VD7pggevP5PdPuTilMmKGGKF26y +KjBkooGC9+vzmMudWi1RwodJoQKBgQDGHr29LIk71CEhoudYsTTC6PLYWKteaWlR +MJxPbMBah5GwTy9F6PmeYTAtF8V2Jfj1DVwUJfgTEW3zrR5hFs6oOCcV5hG8Ksm4 +laKabNXcSXcO5M7qpem0R5W4m+qeolhsztlMvHfeEkAm62/Os7D6mMMY4jzIcWVq +OxzewanL8QKBgQDfiIfPAfKxtzXICQXlE64QKUMYiXBv/SKdfDapxLd2FSG+XCyN +6v8vGhPhONMSX/9ldyN/GeUAHWKnkcextfx95EodcRz5SSM0oQK4rQOlPm6tyzJJ +7vB8mhmIljlAAnDEv+m+tZaG7TQ0+bGhdmaRWeQYsBL8DsHedQk5kcA7AQKBgQCQ +nloEYCEg4hz5L6/ORzRrXp3+HOOi/DFbia9gLtNOgg1v9K1eS80CtpDzKZoDP362 +anUfZAPs71kieelmF77sfmjRjGq/v0AWlGvoa6/EqH/XCGCeWlP5PBPneTDPcVQ4 +wNlQMXcSTKI1hsDL0tFKa/5mCKcz7cqIu/O8CwQGEQKBgBYYebZBKk0b2bI0FOah +ti6VGK1JiJXMyESMRIRs1SKxPRcqTjgQ5SqeI/cx7HkOYJKvh0QwWE/lx8BaoJJ5 +VPo6S7tApc9mkCkPUHY/Le9dOguyx4HGaEKLhyrnwZYetOsLpaZKhxVHhmlw6Vwa +g8iRMl+UY9YKlKXSVdOYAI4x +-----END PRIVATE KEY----- diff --git a/http_client/certs/client.crt b/http_client/certs/client.crt deleted file mode 100644 index d79886e..0000000 --- a/http_client/certs/client.crt +++ /dev/null 
@@ -1,96 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 5 (0x5) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Subordinate CA - Validity - Not Before: Mar 7 13:04:16 2022 GMT - Not After : Jun 14 13:04:16 2024 GMT - Subject: C=US, O=Google, OU=Enterprise, CN=client - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:c5:df:b2:5c:53:63:45:9c:06:31:a8:2c:d7:54: - b0:81:6c:51:e0:04:f2:ae:c4:2c:67:fa:cc:1f:49: - 10:68:ee:d5:7f:c3:95:23:2c:b0:75:d0:38:8b:a3: - 91:c0:dc:d9:61:dd:ec:ab:db:ed:68:1a:0b:12:e9: - f1:06:9c:a6:71:06:de:7e:39:4f:91:33:8b:2f:60: - 36:f2:5e:06:06:ed:2f:70:b5:f6:c7:e9:50:d7:5b: - 20:2a:aa:ad:25:1e:a2:fa:52:75:43:40:cf:c9:a7: - 6e:9e:f7:97:58:97:16:d8:cd:08:2c:0d:02:2c:e1: - 2e:0e:a0:c6:a3:4d:d4:50:7d:2c:f9:b6:fe:f6:9a: - 1e:1f:f2:2d:22:cd:29:55:d0:7b:33:f9:99:29:c9: - 28:d6:bb:de:1f:3a:92:1f:0c:3a:4c:86:49:58:55: - 6f:3b:1f:92:83:4a:b4:82:bb:78:cc:98:d0:b7:ac: - a0:a9:72:0e:33:83:c2:e2:7d:5e:c6:ba:ea:ad:70: - 82:2c:18:8c:77:f2:5c:88:54:09:11:69:43:65:14: - 85:db:8a:2a:0d:98:74:27:db:94:10:ae:c2:4a:12: - 85:86:c5:2d:14:eb:ce:18:fa:a9:d3:06:d9:72:b5: - 6d:8d:d1:ed:c6:2c:44:ff:00:29:12:44:d0:6a:0a: - 10:11 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Digital Signature - X509v3 Basic Constraints: - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Client Authentication - X509v3 Subject Key Identifier: - 7D:8B:C1:2B:68:55:8D:5E:CF:C6:E4:90:25:F7:9E:7E:29:8D:66:74 - X509v3 Authority Key Identifier: - keyid:B7:BA:B0:02:A1:E7:BE:34:C6:C1:05:5C:66:78:E5:BB:53:5D:A1:54 - - Authority Information Access: - CA Issuers - URI:http://pki.esodemoapp2.com/ca/tls-ca.cer - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://pki.esodemoapp2.com/ca/tls-ca.crl - - X509v3 Subject Alternative Name: - - - Signature Algorithm: sha256WithRSAEncryption - 
bf:59:44:90:87:b5:68:a1:c7:44:23:8e:78:f6:b8:7a:1e:04: - d1:7c:41:73:b5:1b:ad:0a:04:0e:ba:9e:00:09:9f:e1:9a:4f: - 7c:54:69:d6:c2:e6:3c:80:2c:88:10:6d:2e:73:f8:9c:0b:28: - 25:17:9b:ac:c7:ab:96:7d:6f:03:85:57:7e:82:3f:49:c8:c9: - 2c:c2:4c:bd:bb:c1:cf:52:b4:8e:4d:87:48:e9:03:1c:7b:7e: - 85:71:30:7e:34:4b:d8:e5:2a:ae:d2:84:e2:68:00:d2:ad:ee: - 1c:ff:21:7b:f3:b3:6c:5b:ed:f9:ca:ea:92:dc:24:5d:8c:e2: - b4:be:41:ba:11:2b:95:05:55:5c:e6:d4:50:42:82:73:d6:7d: - dc:9b:5a:1d:f7:bc:3c:66:2e:53:b4:21:42:a7:f1:0c:9e:57: - 9f:7b:8d:27:9d:d4:3b:d9:99:89:1c:97:5e:c9:a1:fa:db:aa: - 95:49:5a:e5:a5:80:1e:4c:3e:22:bf:f5:b4:45:a3:e0:15:5a: - 65:34:50:8e:e2:60:3e:ac:ab:bb:ab:e1:ec:24:31:a3:eb:a2: - b6:4c:d2:7e:d3:69:40:d5:8e:06:30:36:ca:5b:7b:61:fa:93: - f6:38:c2:dd:84:94:74:39:11:84:82:d1:03:de:52:e7:91:7c: - d0:31:1a:c7 ------BEGIN CERTIFICATE----- -MIIEFjCCAv6gAwIBAgIBBTANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEP -MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlF -bnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIyMDMwNzEzMDQxNloXDTI0MDYx -NDEzMDQxNlowRDELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UE -CwwKRW50ZXJwcmlzZTEPMA0GA1UEAwwGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEAxd+yXFNjRZwGMags11SwgWxR4ATyrsQsZ/rMH0kQaO7V -f8OVIyywddA4i6ORwNzZYd3sq9vtaBoLEunxBpymcQbefjlPkTOLL2A28l4GBu0v -cLX2x+lQ11sgKqqtJR6i+lJ1Q0DPyadunveXWJcW2M0ILA0CLOEuDqDGo03UUH0s -+bb+9poeH/ItIs0pVdB7M/mZKcko1rveHzqSHww6TIZJWFVvOx+Sg0q0grt4zJjQ -t6ygqXIOM4PC4n1exrrqrXCCLBiMd/JciFQJEWlDZRSF24oqDZh0J9uUEK7CShKF -hsUtFOvOGPqp0wbZcrVtjdHtxixE/wApEkTQagoQEQIDAQABo4H/MIH8MA4GA1Ud -DwEB/wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1Ud -DgQWBBR9i8EraFWNXs/G5JAl955+KY1mdDAfBgNVHSMEGDAWgBS3urACoee+NMbB -BVxmeOW7U12hVDBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAKGKGh0dHA6Ly9w -a2kuZXNvZGVtb2FwcDIuY29tL2NhL3Rscy1jYS5jZXIwOQYDVR0fBDIwMDAuoCyg -KoYoaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20vY2EvdGxzLWNhLmNybDAJBgNV -HREEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQC/WUSQh7VoocdEI4549rh6HgTRfEFz 
-tRutCgQOup4ACZ/hmk98VGnWwuY8gCyIEG0uc/icCyglF5usx6uWfW8DhVd+gj9J -yMkswky9u8HPUrSOTYdI6QMce36FcTB+NEvY5Squ0oTiaADSre4c/yF787NsW+35 -yuqS3CRdjOK0vkG6ESuVBVVc5tRQQoJz1n3cm1od97w8Zi5TtCFCp/EMnlefe40n -ndQ72ZmJHJdeyaH626qVSVrlpYAeTD4iv/W0RaPgFVplNFCO4mA+rKu7q+HsJDGj -66K2TNJ+02lA1Y4GMDbKW3th+pP2OMLdhJR0ORGEgtED3lLnkXzQMRrH ------END CERTIFICATE----- diff --git a/http_client/certs/client.key b/http_client/certs/client.key deleted file mode 100644 index 0962cfc..0000000 --- a/http_client/certs/client.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDF37JcU2NFnAYx -qCzXVLCBbFHgBPKuxCxn+swfSRBo7tV/w5UjLLB10DiLo5HA3Nlh3eyr2+1oGgsS -6fEGnKZxBt5+OU+RM4svYDbyXgYG7S9wtfbH6VDXWyAqqq0lHqL6UnVDQM/Jp26e -95dYlxbYzQgsDQIs4S4OoMajTdRQfSz5tv72mh4f8i0izSlV0Hsz+ZkpySjWu94f -OpIfDDpMhklYVW87H5KDSrSCu3jMmNC3rKCpcg4zg8LifV7GuuqtcIIsGIx38lyI -VAkRaUNlFIXbiioNmHQn25QQrsJKEoWGxS0U684Y+qnTBtlytW2N0e3GLET/ACkS -RNBqChARAgMBAAECggEALMmvY3p0c+MW+9JnI+5FbWYJOj2keK5qprZ70XEGR9oX -dS3d6fJJlsEkq2bArPjQM3i6A0Rqfi+25fcR2T9H5Tl6zvNF8UXLcVPD3CQwFQ1G -uapWS3WiGLzFkSLEwiwnE6XqaOiYn7pILa85EJJSV4xBF0dygJoPhLwbegc50WW9 -1QzsZyiziSbtVF+BZ8BgVzm0AGxstNE+uBRZSMdNngPLIqSLWs23DLWkYS495Jzn -hbkV6KedQWpcGF28pIyhGYUPzDDOnTAqQiSmByVyQdH6DXGnL4lqODsqPBxq6Uku -gkVXZ7youhXVidTPVWgZBGHH0mMDz2oieXOwNClOgQKBgQDwlyeTtTMAiMEghzHj -i8LAhmm99+GPyrZ/K48FwwL43hh2nQxMX7YnF5wdcTBq02B8up5GmGK3R2+9W+/K -F5K6sdqLMUBaVqBMeuMiVnUkP/Gp7izueAmPsmTnfwXlhMRjNtn0XkXLlQjUH9yi -j0PseRC/1VBpa3vy5zMO/AlaOQKBgQDSjCNcaZgUsCw1c5bBQ2nHqaBeLabli8NR -DceexW+NV5/ikQtjaXVUdevNLKCBK7yWoHDmPN45ztmy/KrVFbbqDVu/zYP2774+ -Q19vAA/zh8bgxPOskRhn1IeCcDP51nUspEbdgWPnryXswwkymtU/ArB4dN2LqnhX -Glxz4FxEmQKBgQCo7XkcfV4SQfNYo5Sj8L4N8FLOz/3QuMTrBeqmYQb1Nvx2TE8W -UR3U1P8IrTER0NkuutnnN5gYmFAc5TC49VRRQg/xK+PDio+DI8XXll0p1rwYVOO3 -jREplFjFMqsxPMen4hunOYpIJ5zLVJPWkEFhCKB6EY0keBPPugZfvxfSAQKBgBAK -bzM+NED3Pxb/bG/i8+8rRDWIotuAL2xAcYHuJtaM43h+dnCnezHpHgLusHfG3kJX -jOJtpryevsU9LMK5OctRIzlUrgYlM8hIl7+8MHrsUEGVn774+vQGJCDS7ZLOPPUe -uutrTTI8jNYh8dRyKWb4jHtQ5AQdA7gXIQ4O/NiZAoGBAKXUtvnNh+ZAb4ppx/FT -r1UwTJHeUwQb4cwX1Wsjovmth9AAZUpKFzLd54lTXiePAmTjRklPsOcO37opMX7O -M7Bh6b0NGJY9XZDRjFsBYiJ0uYVY+C6MpOh4jC8cuHbQLoMeLAwJnPuNbCU/iK06 -4YkAcR677qlN0YUfj8PfPYLg ------END PRIVATE KEY----- diff --git a/http_client/certs/root-ca-collaborator1.crt b/http_client/certs/root-ca-collaborator1.crt new file mode 100644 index 0000000..e6bcaf2 --- /dev/null +++ b/http_client/certs/root-ca-collaborator1.crt 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 1, OU=Enterprise, CN=Collaborator 1 Root CA + Validity + Not Before: Apr 17 12:02:50 2023 GMT + Not After : Apr 16 12:02:50 2033 GMT + Subject: C=US, O=Collaborator 1, OU=Enterprise, CN=Collaborator 1 Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b3:3b:c1:b5:97:bb:f4:97:03:dd:71:bc:b4:83: + f3:bb:a3:62:e3:f7:b8:ed:3f:e7:ab:28:06:f4:7e: + 55:3e:6a:27:7e:4b:bf:4d:df:c2:d8:87:18:23:36: + 75:3a:0c:31:4f:96:c6:03:a8:f1:78:c8:10:f1:89: + d6:2b:89:d9:4a:0b:ae:41:d9:62:d0:37:61:e2:ef: + db:34:ab:77:82:ae:81:e2:95:cf:cc:ca:ed:e1:0d: + ae:cb:c1:01:7d:a6:af:6c:6f:bf:35:fe:1b:e1:ea: + d3:56:fa:9f:24:7f:7b:42:2a:f8:16:98:31:51:1b: + 0e:d1:f6:62:ad:28:28:ab:ab:a4:1d:20:ba:6a:11: + 13:6b:7e:c5:7d:7a:e0:8c:b4:2f:b9:81:7c:73:bf: + 37:bd:60:6d:88:9b:42:79:a7:36:e9:58:5d:93:21: + 5f:b7:8e:44:85:8b:fa:d0:70:a2:81:45:87:b2:70: + 55:08:d2:d4:dc:8f:2c:89:91:ac:4f:6c:c7:45:28: + 25:3d:67:49:27:ef:36:fc:de:e2:f1:04:15:50:34: + cd:e4:39:f2:87:bb:72:9d:e0:66:e1:e3:7b:6f:e5: + 9a:1b:b5:2b:6b:5b:28:76:c9:7f:e8:f3:9d:a9:80: + 88:55:07:58:ad:b5:13:e6:09:75:44:68:02:75:7b: + 41:1d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 75:0D:12:CC:DB:33:ED:58:06:8C:AD:ED:0E:9E:2F:00:E9:6F:C1:65 + X509v3 Authority Key Identifier: + 75:0D:12:CC:DB:33:ED:58:06:8C:AD:ED:0E:9E:2F:00:E9:6F:C1:65 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Authority Information Access: + OCSP - URI:http://localhost:9999/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 94:dc:12:a7:97:bb:2b:88:30:77:97:22:66:7c:6c:a7:ee:87: + 57:e7:71:9c:4c:3c:5e:09:7c:20:a0:39:43:cc:74:22:b0:80: + 
50:f8:a2:d6:f9:8b:18:96:4b:e8:4e:97:5a:8e:e0:f7:37:b4: + 42:7e:5e:d4:bc:26:0e:b8:7e:80:b2:7d:00:5b:b4:df:75:fb: + d3:5e:cf:ab:25:95:90:75:a7:56:89:74:e5:93:b7:dd:6d:e4: + 39:6d:29:48:99:69:2a:22:40:39:57:ea:f0:c9:c1:ee:56:ab: + 0f:ac:96:a5:eb:db:b8:f6:04:45:78:da:ff:05:9d:d7:52:2a: + d6:60:6b:57:64:8c:ec:a0:76:3c:f2:95:7a:d9:bf:af:8b:2b: + fd:28:05:a1:23:75:e7:bd:a0:ff:fc:35:3a:11:89:bc:72:df: + 58:b6:7a:39:15:74:5b:d6:36:63:72:11:0b:db:e7:fe:4f:cb: + 38:84:fa:37:8b:4c:6b:2d:e9:71:54:fa:cc:1b:34:98:67:d3: + be:4a:92:f7:00:21:f3:db:39:4a:d2:eb:2c:d1:69:62:0c:13: + f3:79:94:f0:23:3f:bd:00:29:13:f7:57:f8:0f:47:b3:13:25: + 20:a7:70:55:8f:c0:1c:37:ea:66:21:ee:a4:f1:a5:e6:3c:1a: + 1e:dd:bc:97 +-----BEGIN CERTIFICATE----- +MIID6zCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDExEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAxIFJvb3QgQ0EwHhcNMjMwNDE3MTIwMjUwWhcN +MzMwNDE2MTIwMjUwWjBcMQswCQYDVQQGEwJVUzEXMBUGA1UECgwOQ29sbGFib3Jh +dG9yIDExEzARBgNVBAsMCkVudGVycHJpc2UxHzAdBgNVBAMMFkNvbGxhYm9yYXRv +ciAxIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzO8G1 +l7v0lwPdcby0g/O7o2Lj97jtP+erKAb0flU+aid+S79N38LYhxgjNnU6DDFPlsYD +qPF4yBDxidYridlKC65B2WLQN2Hi79s0q3eCroHilc/Myu3hDa7LwQF9pq9sb781 +/hvh6tNW+p8kf3tCKvgWmDFRGw7R9mKtKCirq6QdILpqERNrfsV9euCMtC+5gXxz +vze9YG2Im0J5pzbpWF2TIV+3jkSFi/rQcKKBRYeycFUI0tTcjyyJkaxPbMdFKCU9 +Z0kn7zb83uLxBBVQNM3kOfKHu3Kd4Gbh43tv5ZobtStrWyh2yX/o852pgIhVB1it +tRPmCXVEaAJ1e0EdAgMBAAGjgbcwgbQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFHUNEszbM+1YBoyt7Q6eLwDpb8FlMB8GA1UdIwQY +MBaAFHUNEszbM+1YBoyt7Q6eLwDpb8FlMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2Nh +bGhvc3Q6OTk5OS8wDQYJKoZIhvcNAQELBQADggEBAJTcEqeXuyuIMHeXImZ8bKfu +h1fncZxMPF4JfCCgOUPMdCKwgFD4otb5ixiWS+hOl1qO4Pc3tEJ+XtS8Jg64foCy +fQBbtN91+9Nez6sllZB1p1aJdOWTt91t5DltKUiZaSoiQDlX6vDJwe5Wqw+slqXr +27j2BEV42v8FnddSKtZga1dkjOygdjzylXrZv6+LK/0oBaEjdee9oP/8NToRibxy 
+31i2ejkVdFvWNmNyEQvb5/5PyziE+jeLTGst6XFU+swbNJhn075KkvcAIfPbOUrS +6yzRaWIME/N5lPAjP70AKRP3V/gPR7MTJSCncFWPwBw36mYh7qTxpeY8Gh7dvJc= +-----END CERTIFICATE----- diff --git a/http_client/certs/root-ca-collaborator2.crt b/http_client/certs/root-ca-collaborator2.crt new file mode 100644 index 0000000..cc1f5f7 --- /dev/null +++ b/http_client/certs/root-ca-collaborator2.crt 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=Collaborator 2, OU=Enterprise, CN=Collaborator 2 Root CA + Validity + Not Before: Apr 17 12:13:03 2023 GMT + Not After : Apr 16 12:13:03 2033 GMT + Subject: C=US, O=Collaborator 2, OU=Enterprise, CN=Collaborator 2 Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:a8:62:b9:73:8b:c7:2e:d0:fe:1e:52:90:83:94: + fe:70:61:5a:10:18:85:74:27:7c:38:eb:da:ae:31: + d6:2c:7f:7f:63:7f:af:49:a4:c6:8a:04:35:f4:c4: + c4:df:8d:6d:45:22:1c:eb:d2:18:97:a5:4f:9f:5f: + 3e:84:b6:93:ef:8a:b2:8d:1c:37:d3:30:37:68:66: + 51:81:b0:82:d1:be:ce:38:13:20:c5:dc:02:3c:8f: + 6a:f7:5b:5e:8c:16:a5:d9:30:91:21:e1:82:10:c1: + 5b:cf:57:c6:9e:90:30:5e:23:30:e2:18:89:ba:ef: + a6:09:3c:cc:eb:f2:78:1a:d0:f3:a7:ce:4e:08:6e: + f8:43:56:33:c8:c6:1d:40:f0:7a:76:a8:fc:18:1d: + 7b:09:eb:1a:8d:f5:56:6c:65:62:a8:f2:49:07:85: + f9:d9:42:df:a7:cf:f8:f1:ae:a7:ed:50:48:a5:9c: + fc:a0:ee:24:70:c2:f1:ae:f1:a9:af:c0:fa:51:f6: + 10:fe:f6:9b:a3:8a:5d:1a:4d:bb:7a:25:a1:0e:2b: + 0a:d8:ff:68:30:96:0d:5c:6e:39:1b:75:0b:ac:75: + 07:14:e6:7d:c2:6a:ce:d6:6a:c0:5d:62:fd:29:50: + 1a:e6:5a:14:80:80:37:46:7a:e4:f1:79:d1:14:d2: + f5:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B2:77:C7:6F:8E:7D:55:E8:82:B5:F1:AC:98:66:85:0D:DF:56:3F:31 + X509v3 Authority Key Identifier: + B2:77:C7:6F:8E:7D:55:E8:82:B5:F1:AC:98:66:85:0D:DF:56:3F:31 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Authority Information Access: + OCSP - URI:http://localhost:10000/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 9e:73:0b:20:a4:2c:7b:41:be:3a:8b:f2:0d:d8:4f:c2:07:b5: + a3:df:97:d2:a6:93:1a:94:a9:9e:a5:a2:24:bf:be:85:f1:9c: + 
22:3c:63:42:ee:76:21:85:ac:58:fb:88:aa:3f:dd:d8:51:63: + 9d:db:5e:76:07:dc:e3:fe:27:0b:ab:d5:0e:88:64:ec:e5:c7: + e0:d1:59:d5:de:21:31:79:09:d7:91:1e:34:c2:f9:1c:db:1f: + 4b:61:a6:12:e9:ba:12:7c:b4:0d:17:5d:16:83:6f:2a:53:e5: + 58:52:50:da:73:13:d3:cd:5f:26:59:5e:af:5c:9e:83:3f:87: + 40:44:ae:66:b2:99:fc:2e:28:de:3f:47:1c:8c:f4:ad:40:a7: + 4b:65:6b:d8:82:14:4d:17:e9:20:59:21:25:47:90:1b:e0:b6: + e6:3d:b4:e5:cc:be:9c:44:97:be:84:eb:f4:c2:cd:44:8c:2f: + e9:76:9e:bc:67:4a:65:0c:14:27:83:a0:20:e8:71:46:44:80: + 1e:1a:fb:f2:2a:37:fb:30:58:6f:a7:ff:f9:30:2a:e8:fc:b9: + c4:11:b7:82:02:8d:00:51:0f:75:27:6e:01:dd:9e:73:6b:2b: + 6d:3e:82:dd:46:a0:6c:70:8f:9a:a8:61:74:67:6b:5f:96:03: + ea:1e:12:12 +-----BEGIN CERTIFICATE----- +MIID7DCCAtSgAwIBAgIBATANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEX +MBUGA1UECgwOQ29sbGFib3JhdG9yIDIxEzARBgNVBAsMCkVudGVycHJpc2UxHzAd +BgNVBAMMFkNvbGxhYm9yYXRvciAyIFJvb3QgQ0EwHhcNMjMwNDE3MTIxMzAzWhcN +MzMwNDE2MTIxMzAzWjBcMQswCQYDVQQGEwJVUzEXMBUGA1UECgwOQ29sbGFib3Jh +dG9yIDIxEzARBgNVBAsMCkVudGVycHJpc2UxHzAdBgNVBAMMFkNvbGxhYm9yYXRv +ciAyIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoYrlz +i8cu0P4eUpCDlP5wYVoQGIV0J3w469quMdYsf39jf69JpMaKBDX0xMTfjW1FIhzr +0hiXpU+fXz6EtpPvirKNHDfTMDdoZlGBsILRvs44EyDF3AI8j2r3W16MFqXZMJEh +4YIQwVvPV8aekDBeIzDiGIm676YJPMzr8nga0POnzk4IbvhDVjPIxh1A8Hp2qPwY +HXsJ6xqN9VZsZWKo8kkHhfnZQt+nz/jxrqftUEilnPyg7iRwwvGu8amvwPpR9hD+ +9pujil0aTbt6JaEOKwrY/2gwlg1cbjkbdQusdQcU5n3Cas7WasBdYv0pUBrmWhSA +gDdGeuTxedEU0vX/AgMBAAGjgbgwgbUwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFLJ3x2+OfVXogrXxrJhmhQ3fVj8xMB8GA1UdIwQY +MBaAFLJ3x2+OfVXogrXxrJhmhQ3fVj8xMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9sb2Nh +bGhvc3Q6MTAwMDAvMA0GCSqGSIb3DQEBCwUAA4IBAQCecwsgpCx7Qb46i/IN2E/C +B7Wj35fSppMalKmepaIkv76F8ZwiPGNC7nYhhaxY+4iqP93YUWOd2152B9zj/icL +q9UOiGTs5cfg0VnV3iExeQnXkR40wvkc2x9LYaYS6boSfLQNF10Wg28qU+VYUlDa +cxPTzV8mWV6vXJ6DP4dARK5mspn8LijeP0ccjPStQKdLZWvYghRNF+kgWSElR5Ab 
+4LbmPbTlzL6cRJe+hOv0ws1EjC/pdp68Z0plDBQng6Ag6HFGRIAeGvvyKjf7MFhv +p//5MCro/LnEEbeCAo0AUQ91J24B3Z5zayttPoLdRqBscI+aqGF0Z2tflgPqHhIS +-----END CERTIFICATE----- diff --git a/http_client/certs/tls-ca-chain.pem b/http_client/certs/tls-ca-chain.pem deleted file mode 100644 index fca78dc..0000000 --- a/http_client/certs/tls-ca-chain.pem +++ /dev/null 
@@ -1,171 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA - Validity - Not Before: Jan 9 22:05:43 2022 GMT - Not After : Jan 9 22:05:43 2032 GMT - Subject: C=US, O=Google, OU=Enterprise, CN=Enterprise Subordinate CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:cd:01:12:b9:8a:c9:e5:4b:d5:cc:d9:7a:2b:d1: - cb:db:02:23:2a:98:b5:66:65:0d:36:50:e8:9f:02: - 06:ff:c3:aa:a6:9b:fc:2e:5e:79:b8:ae:4b:b1:09: - cf:10:f8:e2:bb:a7:71:78:ee:cb:1f:f6:0c:64:32: - 19:31:84:a7:eb:6e:90:29:2e:9c:05:0e:bb:59:61: - e9:db:1b:db:e3:35:c8:a6:39:f0:2e:de:85:5f:ef: - a9:b3:cc:99:37:03:e7:4f:ac:a4:cd:45:1d:4e:0b: - c3:3c:7c:e2:b1:ca:af:f2:20:62:34:9b:f4:ce:c9: - 93:f6:cc:99:35:f5:f2:14:c3:10:54:fb:c8:94:4e: - e1:07:8e:71:8c:61:a7:27:9c:c7:49:6a:c8:5f:3d: - 22:93:82:61:ec:80:51:84:ce:0b:33:b9:22:ee:e5: - 4f:ab:ad:7d:e5:c0:7a:dc:bf:47:1f:04:73:7e:96: - 86:6e:eb:29:b4:4c:a6:45:b9:e3:4d:81:2b:bb:fc: - 48:1c:7e:f5:25:19:41:24:a2:3a:b3:97:f1:d6:26: - 80:cc:e1:f0:e3:e6:d0:3a:cb:df:73:79:6b:e6:7b: - 32:0c:e3:ee:92:f9:de:de:b2:d2:50:f9:20:49:82: - ed:94:4b:cf:7b:0a:77:e7:01:e2:5e:50:ec:12:03: - 2c:ef - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:0 - X509v3 Subject Key Identifier: - B7:BA:B0:02:A1:E7:BE:34:C6:C1:05:5C:66:78:E5:BB:53:5D:A1:54 - X509v3 Authority Key Identifier: - keyid:7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92 - - Authority Information Access: - CA Issuers - URI:http://pki.esodemoapp2.com/ca/root-ca.cer - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://pki.esodemoapp2.com/ca/root-ca.crl - - Signature Algorithm: sha256WithRSAEncryption - c2:ae:b0:30:75:e4:50:32:8b:ee:d3:4c:2c:f0:8d:eb:79:42: - 
0c:11:db:6c:17:02:d1:4a:1b:b4:82:05:61:18:73:07:d6:f1: - 83:a5:d4:49:a1:a4:a9:08:67:42:70:fb:f5:20:0d:01:90:be: - bd:eb:d7:5f:d4:60:d4:c5:03:96:6e:22:da:8f:24:39:4b:a7: - d5:16:06:7f:c8:86:e7:dd:2c:cc:c3:b0:ee:6e:28:36:8b:dc: - 49:a3:d9:5a:3e:98:e3:8c:cf:e0:17:a6:c1:4b:17:61:a0:b5: - 0a:2c:57:f4:7b:cd:85:0a:e0:0f:5e:c9:1e:89:6e:c1:73:55: - c1:de:e8:b8:c6:03:cd:57:3d:d3:1e:ef:0c:6b:dc:ff:7d:32: - 51:a2:1a:c2:f2:dd:42:fe:96:9b:ed:34:29:71:04:7a:5e:44: - 6b:5f:94:9b:fc:c3:3a:4e:71:5e:c3:bb:03:e5:cb:85:4f:ba: - 3f:0e:f6:d6:4f:8d:bf:50:fd:a7:b8:d8:b9:f7:54:c8:19:80: - c9:04:22:81:aa:77:74:00:7e:91:cf:e5:53:c9:e4:54:56:9e: - 23:db:51:31:b7:32:f4:24:a9:8d:d5:2f:9d:98:fe:56:e8:fd: - 44:57:ec:ed:12:59:4a:11:5d:cd:fd:ee:ab:eb:9e:70:94:31: - bf:d3:2e:c6 ------BEGIN CERTIFICATE----- -MIIEDTCCAvWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEP -MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMRswGQYDVQQDDBJF -bnRlcnByaXNlIFJvb3QgQ0EwHhcNMjIwMTA5MjIwNTQzWhcNMzIwMTA5MjIwNTQz -WjBXMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRl -cnByaXNlMSIwIAYDVQQDDBlFbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQESuYrJ5UvVzNl6K9HL2wIjKpi1 -ZmUNNlDonwIG/8Oqppv8Ll55uK5LsQnPEPjiu6dxeO7LH/YMZDIZMYSn626QKS6c -BQ67WWHp2xvb4zXIpjnwLt6FX++ps8yZNwPnT6ykzUUdTgvDPHziscqv8iBiNJv0 -zsmT9syZNfXyFMMQVPvIlE7hB45xjGGnJ5zHSWrIXz0ik4Jh7IBRhM4LM7ki7uVP -q6195cB63L9HHwRzfpaGbusptEymRbnjTYEru/xIHH71JRlBJKI6s5fx1iaAzOHw -4+bQOsvfc3lr5nsyDOPukvne3rLSUPkgSYLtlEvPewp35wHiXlDsEgMs7wIDAQAB -o4HqMIHnMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud -DgQWBBS3urACoee+NMbBBVxmeOW7U12hVDAfBgNVHSMEGDAWgBR8HFvoPrMzCZaS -Mth/RL/MjJOckjBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAKGKWh0dHA6Ly9w -a2kuZXNvZGVtb2FwcDIuY29tL2NhL3Jvb3QtY2EuY2VyMDoGA1UdHwQzMDEwL6At -oCuGKWh0dHA6Ly9wa2kuZXNvZGVtb2FwcDIuY29tL2NhL3Jvb3QtY2EuY3JsMA0G -CSqGSIb3DQEBCwUAA4IBAQDCrrAwdeRQMovu00ws8I3reUIMEdtsFwLRShu0ggVh -GHMH1vGDpdRJoaSpCGdCcPv1IA0BkL6969df1GDUxQOWbiLajyQ5S6fVFgZ/yIbn 
-3SzMw7Dubig2i9xJo9laPpjjjM/gF6bBSxdhoLUKLFf0e82FCuAPXskeiW7Bc1XB -3ui4xgPNVz3THu8Ma9z/fTJRohrC8t1C/pab7TQpcQR6XkRrX5Sb/MM6TnFew7sD -5cuFT7o/DvbWT42/UP2nuNi591TIGYDJBCKBqnd0AH6Rz+VTyeRUVp4j21ExtzL0 -JKmN1S+dmP5W6P1EV+ztEllKEV3N/e6r655wlDG/0y7G ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA - Validity - Not Before: Jan 9 22:05:07 2022 GMT - Not After : Jan 9 22:05:07 2032 GMT - Subject: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:de:ee:86:98:a4:6c:92:71:85:aa:76:16:13:85: - bb:d7:49:37:e5:11:03:49:73:a6:31:c6:d0:fb:27: - ca:70:ec:c2:d0:db:88:d7:3a:97:20:49:fd:7b:4a: - 76:72:d0:c9:16:31:07:14:86:3b:99:67:6f:88:70: - fc:a7:a4:60:81:af:35:68:88:14:75:d3:cf:66:8a: - 28:55:ac:63:98:56:91:2c:55:59:0e:ed:fe:37:2a: - 6f:79:11:08:ca:41:c4:78:d1:d6:83:c1:35:7c:a0: - f4:72:db:5f:16:4f:f7:04:30:26:4b:58:99:cd:52: - 7d:0a:91:e1:29:3d:11:3d:2f:11:1f:6b:0f:e7:95: - 63:ef:e0:4d:c7:d6:b9:15:3a:3c:6b:51:36:eb:df: - 55:e2:a2:e0:e2:24:a9:3e:30:3f:76:15:a8:1a:13: - e1:e3:b2:b5:ae:e6:59:62:a4:2b:64:74:df:82:e5: - a3:ac:c9:6f:c6:39:28:ec:93:57:be:17:c5:71:14: - 85:d8:ae:1c:f7:29:94:10:6d:ad:fe:fb:ea:33:5e: - 6e:e5:f3:8c:73:1c:50:5e:0f:57:55:c7:43:73:cc: - 2a:56:91:35:2b:c1:c8:6e:a6:8e:c9:4b:7b:75:68: - 87:17:3a:7a:ed:6d:54:f6:76:3c:ad:03:e0:e3:b5: - 78:fd - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - 7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92 - X509v3 Authority Key Identifier: - keyid:7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92 - - Signature Algorithm: sha256WithRSAEncryption - c4:50:d2:b2:ec:3b:c9:1b:16:42:f0:a1:c5:97:26:ce:11:e4: - 
d3:4e:b3:32:36:f5:9b:15:4f:3d:80:b8:07:20:89:26:43:e5: - b7:9b:b7:37:be:a5:7c:5a:92:2e:36:b1:73:a2:35:b7:2e:d1: - a3:55:8c:7d:99:19:43:08:8d:3a:88:78:7e:01:e3:ce:19:5d: - 7c:af:b2:4d:0b:93:08:f3:d4:b3:75:f5:d3:b5:18:9a:b0:cb: - 55:2f:b3:27:6c:38:b1:a1:75:b5:6d:c2:53:c5:91:9e:09:c7: - b3:81:fe:2c:a8:09:0a:ec:dd:ed:d6:10:78:64:ce:c9:bd:25: - ae:de:d8:86:68:d0:0f:ee:db:73:b6:c0:bc:7a:e4:a5:fa:30: - b3:6c:7a:3f:e3:87:20:5c:d0:8e:78:fa:ec:ec:85:81:03:a6: - 58:c4:c8:4d:ee:cc:03:22:68:ed:a4:bb:77:a9:56:c7:9c:33: - 6a:30:c7:50:75:eb:67:3b:40:52:01:d4:67:b5:19:cd:42:d0: - ea:f5:c3:fd:e7:a1:3a:6d:2b:22:6b:2f:61:85:9b:8e:50:8e: - 34:b9:4e:00:5d:d2:89:96:47:b3:d7:ac:eb:9a:fa:76:07:34: - 61:51:a0:2f:20:69:5e:f6:dd:06:2b:1e:c8:82:7f:ce:f0:ba: - 5c:12:ff:f2 ------BEGIN CERTIFICATE----- -MIIDfjCCAmagAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEP -MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMRswGQYDVQQDDBJF -bnRlcnByaXNlIFJvb3QgQ0EwHhcNMjIwMTA5MjIwNTA3WhcNMzIwMTA5MjIwNTA3 -WjBQMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRl -cnByaXNlMRswGQYDVQQDDBJFbnRlcnByaXNlIFJvb3QgQ0EwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDe7oaYpGyScYWqdhYThbvXSTflEQNJc6YxxtD7 -J8pw7MLQ24jXOpcgSf17SnZy0MkWMQcUhjuZZ2+IcPynpGCBrzVoiBR1089miihV -rGOYVpEsVVkO7f43Km95EQjKQcR40daDwTV8oPRy218WT/cEMCZLWJnNUn0KkeEp -PRE9LxEfaw/nlWPv4E3H1rkVOjxrUTbr31XiouDiJKk+MD92FagaE+HjsrWu5lli -pCtkdN+C5aOsyW/GOSjsk1e+F8VxFIXYrhz3KZQQba3+++ozXm7l84xzHFBeD1dV -x0NzzCpWkTUrwchupo7JS3t1aIcXOnrtbVT2djytA+DjtXj9AgMBAAGjYzBhMA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR8HFvoPrMz -CZaSMth/RL/MjJOckjAfBgNVHSMEGDAWgBR8HFvoPrMzCZaSMth/RL/MjJOckjAN -BgkqhkiG9w0BAQsFAAOCAQEAxFDSsuw7yRsWQvChxZcmzhHk006zMjb1mxVPPYC4 -ByCJJkPlt5u3N76lfFqSLjaxc6I1ty7Ro1WMfZkZQwiNOoh4fgHjzhldfK+yTQuT -CPPUs3X107UYmrDLVS+zJ2w4saF1tW3CU8WRngnHs4H+LKgJCuzd7dYQeGTOyb0l -rt7YhmjQD+7bc7bAvHrkpfows2x6P+OHIFzQjnj67OyFgQOmWMTITe7MAyJo7aS7 -d6lWx5wzajDHUHXrZztAUgHUZ7UZzULQ6vXD/eehOm0rImsvYYWbjlCONLlOAF3S 
-iZZHs9es65r6dgc0YVGgLyBpXvbdBiseyIJ/zvC6XBL/8g== ------END CERTIFICATE----- diff --git a/http_client/client.go b/http_client/client.go index 935a362..6e260f2 100644 --- a/http_client/client.go +++ b/http_client/client.go @@ -22,10 +22,10 @@ var ( audience = flag.String("audience", "//iam.googleapis.com/projects/248928956783/locations/global/workloadIdentityPools/trusted-workload-pool/providers/attestation-verifier", "Collaborator's audience value") user = flag.String("user", "alice", "user to submit data for") host = flag.String("host", "", "host ip:port to connect to") - server_name = flag.String("server_name", "tee.operatordomain.com", "SNI of the server") - ca_files = flag.String("ca_files", "certs/tls-ca-chain.pem", "RootCA Chain (PEM)") - tls_crt = flag.String("tls_crt", "certs/client.crt", "TLS Certificate (PEM)") - tls_key = flag.String("tls_key", "certs/client.key", "TLS KEY (PEM)") + server_name = flag.String("server_name", "tee.operator.com", "SNI of the server") + ca_files = flag.String("ca_files", "", "RootCA Chain (PEM)") + tls_crt = flag.String("tls_crt", "", "TLS Certificate (PEM)") + tls_key = flag.String("tls_key", "", "TLS KEY (PEM)") ) type PostData struct { @@ -86,7 +86,7 @@ func main() { panic(err) } - resp, err := client.Post(fmt.Sprintf("https://%v/", *host), "application/json", bytes.NewBuffer(body)) + resp, err := client.Post(fmt.Sprintf("https://%s/", *host), "application/json", bytes.NewBuffer(body)) if err != nil { panic(err) } diff --git a/images/artifacts.png b/images/artifacts.png index cdf8a85..c755b65 100644 Binary files a/images/artifacts.png and b/images/artifacts.png differ diff --git a/images/build_hash.png b/images/build_hash.png index 7f720f3..bc01f5b 100644 Binary files a/images/build_hash.png and b/images/build_hash.png differ diff --git a/images/cc_logs.png b/images/cc_logs.png index 15a9119..58f6dc1 100644 Binary files a/images/cc_logs.png and b/images/cc_logs.png differ 
diff --git a/images/cc_startup.png b/images/cc_startup.png index 1b8d230..be0a15f 100644 Binary files a/images/cc_startup.png and b/images/cc_startup.png differ diff --git a/images/cloud_logging.png b/images/cloud_logging.png index 11a37d7..b921459 100644 Binary files a/images/cloud_logging.png and b/images/cloud_logging.png differ diff --git a/images/commit_hash.png b/images/commit_hash.png deleted file mode 100644 index 4def566..0000000 Binary files a/images/commit_hash.png and /dev/null differ diff --git a/images/conf_space.png b/images/conf_space.png index 7009431..6dbc4dd 100644 Binary files a/images/conf_space.png and b/images/conf_space.png differ diff --git a/images/kms.png b/images/kms.png index 5710d2f..506bbc1 100644 Binary files a/images/kms.png and b/images/kms.png differ diff --git a/images/launch_spec.png b/images/launch_spec.png index 6edbf93..1e8f358 100644 Binary files a/images/launch_spec.png and b/images/launch_spec.png differ diff --git a/images/sts.png b/images/sts.png index 0c6b8e8..57d7203 100644 Binary files a/images/sts.png and b/images/sts.png differ
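Review bot: the first hunk in this section (`@@ -0,0 +1,28 @@` adding `+-----BEGIN PRIVATE KEY-----`) commits a new PEM private key to the repository, and the later deletion of `http_client/certs/client.key` shows the previous one stays recoverable from git history. Any key that has been pushed should be treated as public; if these are throwaway demo credentials, state that in the README and in `http_client/certs/`, and consider generating the client key and certificate at setup time (the README already documents the CA setup) instead of committing them, so that rotating a key does not require rewriting history.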
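Review bot: the two new root certificates (`http_client/certs/root-ca-collaborator1.crt` and `root-ca-collaborator2.crt`) set `Authority Information Access: OCSP - URI:http://localhost:9999/` and `http://localhost:10000/`, so any client that enforces OCSP will only succeed on a host running a responder on those ports; document that requirement or that revocation checking is not exercised in this demo. Both are also self-signed ten-year roots (`Not After : Apr 16 ... 2033 GMT`) with `CA:TRUE` and no `pathlen` constraint, whereas the deleted `tls-ca-chain.pem` subordinate carried `CA:TRUE, pathlen:0`; adding a path length constraint would prevent an end-entity issued under these roots from being usable as an intermediate. The `TLS Web Server Authentication, TLS Web Client Authentication` EKU on a root is unusual and worth a comment, since some validators propagate EKU restrictions down the chain.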
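Review bot: in the `http_client/client.go` hunk the defaults for `ca_files`, `tls_crt` and `tls_key` change from the now-deleted paths under `certs/` to empty strings, but the hunk does not show how `main()` treats an empty value. If an empty `ca_files` results in no explicit root pool, the client silently falls back to the system trust store rather than the collaborator root CAs added in this change, and empty `tls_crt`/`tls_key` will surface as a file-open error deep in the TLS setup. Either validate these flags at startup and fail with a clear message, or mark them as required in the usage strings and point at the new `root-ca-collaborator1.crt`/`root-ca-collaborator2.crt` files. The `server_name` default change to `tee.operator.com` should be reflected in the README where the SNI is described, and the `%v` to `%s` change in `client.Post` is fine since `*host` is a string.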