add listening socket; update attestation change specs

salrashid123 · Mar 29, 2023 · a7f2797 · a7f2797
1 parent d6288fd
commit a7f2797
Show file tree

Hide file tree

Showing 27 changed files with 1,112 additions and 139 deletions.
diff --git a/README.md b/README.md
diff --git a/app/BUILD.bazel b/app/BUILD.bazel
@@ -27,7 +27,10 @@ container_image(
     },    
     files = [
         ":main",
-        ":config.json", 
+        ":config.json",
+        "//certs:tls-ca-chain.pem",
+        "//certs:tee.crt",
+        "//certs:tee.key",               
     ],
     ports = ["8081"],
     repository = "us-central1-docker.pkg.dev/builder-project/repo1/tee",
@@ -45,6 +48,8 @@ go_library(
         "@org_golang_x_oauth2//google:go_default_library",
         "@com_github_golang_jwt_jwt//:go_default_library",
         "@com_github_lestrrat_go_jwx//jwk:go_default_library",
+        "@com_github_gorilla_mux//:go_default_library",
+        "@org_golang_x_net//http2:go_default_library",
         "@org_golang_google_api//option:go_default_library",
         "@com_google_cloud_go_pubsub//:go_default_library",
         "@com_google_cloud_go_kms//apiv1:go_default_library",

diff --git a/app/Dockerfile b/app/Dockerfile
@@ -17,6 +17,10 @@ LABEL "tee.launch_policy.log_redirect"="always"
 COPY --from=build /go/bin/server /
 COPY --from=build /go/src/app/config.json /config.json
 
+COPY --from=build /go/src/app/tls-ca-chain.pem /tls-ca-chain.pem
+COPY --from=build /go/src/app/tee.crt /tee.crt
+COPY --from=build /go/src/app/ctee.key /tee.key
+
 EXPOSE 8081
 
 ENTRYPOINT ["/server"]

diff --git a/app/certs/BUILD.bazel b/app/certs/BUILD.bazel
@@ -0,0 +1,5 @@
+exports_files([
+    "tls-ca-chain.pem",
+    "tee.crt",
+    "tee.key",
+    ])
diff --git a/app/certs/tee.crt b/app/certs/tee.crt
@@ -0,0 +1,93 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 53 (0x35)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Subordinate CA
+        Validity
+            Not Before: Mar 26 20:52:30 2023 GMT
+            Not After : Jul  3 20:52:30 2025 GMT
+        Subject: C=US, O=Google, OU=Enterprise, CN=tee.operatordomain.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b0:c8:9c:d1:19:3a:ed:9d:86:cb:82:06:49:70:
+                    f2:d8:ea:5f:f5:3e:f0:b1:ee:8b:e1:b7:67:fd:f8:
+                    3f:1b:ba:41:12:8c:0a:eb:f2:27:6e:7d:cf:0a:5a:
+                    76:3c:dd:a7:67:f8:cb:9c:62:78:d2:43:97:db:50:
+                    ab:0a:4a:a5:b7:d4:ee:4d:20:63:dd:a4:98:58:24:
+                    55:5a:a4:da:1c:f9:73:9f:39:d1:fb:e9:35:3f:cb:
+                    97:9a:d4:9d:9a:1f:f0:d5:d0:1c:cd:aa:c8:b2:2e:
+                    d0:ee:e2:ae:cc:8b:de:c4:05:02:81:0e:6c:c6:40:
+                    f8:ec:40:cf:27:60:44:76:b7:74:07:3d:fc:70:f8:
+                    58:ec:ce:49:3d:7d:12:ce:68:eb:aa:eb:b9:ac:95:
+                    3a:8c:92:3a:53:2a:3c:1b:ce:56:57:90:a8:cb:47:
+                    51:1a:a2:a9:a5:3a:4d:da:74:7d:e2:50:c2:d8:0e:
+                    dd:ab:87:13:bd:3c:89:1e:e3:af:da:5c:74:cf:30:
+                    47:62:62:9a:be:92:10:00:e6:1f:9e:ae:ad:aa:d0:
+                    df:8b:f0:14:29:28:32:43:7a:cb:6e:1d:05:65:b2:
+                    b5:c4:26:85:77:98:c8:18:8d:9c:28:6b:0f:b3:e5:
+                    23:e0:85:51:2f:3d:80:15:45:48:bf:ce:0b:42:e3:
+                    3e:8b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                0F:FB:C6:13:F0:36:5F:76:1F:A7:FB:F0:0E:06:15:77:0E:C4:F4:73
+            X509v3 Authority Key Identifier: 
+                B7:BA:B0:02:A1:E7:BE:34:C6:C1:05:5C:66:78:E5:BB:53:5D:A1:54
+            Authority Information Access: 
+                CA Issuers - URI:http://pki.esodemoapp2.com/ca/tls-ca.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://pki.esodemoapp2.com/ca/tls-ca.crl
+            X509v3 Subject Alternative Name: 
+                DNS:tee.operatordomain.com
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a6:aa:a5:a5:b8:5e:97:58:06:b1:49:8b:5b:b9:ca:ba:27:c5:
+        75:d5:e2:fe:6a:3d:34:59:a0:77:57:90:02:97:b0:0a:e6:5b:
+        88:6f:07:66:3e:ca:71:90:a4:c6:01:3b:53:52:9a:f8:1b:c7:
+        a1:c6:ec:fe:b3:57:9c:9c:c0:54:1a:17:69:15:42:06:cf:62:
+        6e:d7:5c:39:93:cb:b6:e2:b1:15:df:13:2a:08:6c:f9:1a:4a:
+        46:3a:32:4e:6c:99:49:c4:28:01:b9:23:ad:34:a5:24:f3:ec:
+        be:af:7c:3c:7e:20:f1:b0:ae:5c:43:3f:d8:d0:07:e7:25:43:
+        5e:8d:33:bd:e3:e8:07:e4:05:e6:05:ea:2a:75:ba:1b:53:3f:
+        29:97:b7:18:13:21:e8:c8:7c:b3:cb:2b:64:1b:6e:ef:79:fe:
+        48:2d:4a:ef:0c:ce:a8:e7:27:9d:56:9d:47:38:e2:c5:f9:97:
+        42:5d:97:a6:11:5f:41:a7:e8:1b:9a:5d:ce:b1:e1:0e:d5:57:
+        4e:cd:b4:5b:86:09:9f:27:5c:fa:5d:f8:b5:e7:d8:8a:55:d8:
+        04:33:8f:31:98:5c:79:33:fa:ec:79:b2:b0:89:b2:fc:74:c8:
+        63:c8:68:ed:08:d1:ff:f8:18:0a:d6:58:15:c6:29:a0:ec:15:
+        85:c8:0f:1f
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIBNTANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEP
+MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlF
+bnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIzMDMyNjIwNTIzMFoXDTI1MDcw
+MzIwNTIzMFowVDELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UE
+CwwKRW50ZXJwcmlzZTEfMB0GA1UEAwwWdGVlLm9wZXJhdG9yZG9tYWluLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDInNEZOu2dhsuCBklw8tjq
+X/U+8LHui+G3Z/34Pxu6QRKMCuvyJ259zwpadjzdp2f4y5xieNJDl9tQqwpKpbfU
+7k0gY92kmFgkVVqk2hz5c5850fvpNT/Ll5rUnZof8NXQHM2qyLIu0O7irsyL3sQF
+AoEObMZA+OxAzydgRHa3dAc9/HD4WOzOST19Es5o66rruayVOoySOlMqPBvOVleQ
+qMtHURqiqaU6Tdp0feJQwtgO3auHE708iR7jr9pcdM8wR2Jimr6SEADmH56urarQ
+34vwFCkoMkN6y24dBWWytcQmhXeYyBiNnChrD7PlI+CFUS89gBVFSL/OC0LjPosC
+AwEAAaOCARgwggEUMA4GA1UdDwEB/wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMB0GA1UdDgQWBBQP+8YT8DZfdh+n+/AOBhV3DsT0czAfBgNV
+HSMEGDAWgBS3urACoee+NMbBBVxmeOW7U12hVDBEBggrBgEFBQcBAQQ4MDYwNAYI
+KwYBBQUHMAKGKGh0dHA6Ly9wa2kuZXNvZGVtb2FwcDIuY29tL2NhL3Rscy1jYS5j
+ZXIwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20v
+Y2EvdGxzLWNhLmNybDAhBgNVHREEGjAYghZ0ZWUub3BlcmF0b3Jkb21haW4uY29t
+MA0GCSqGSIb3DQEBCwUAA4IBAQCmqqWluF6XWAaxSYtbucq6J8V11eL+aj00WaB3
+V5ACl7AK5luIbwdmPspxkKTGATtTUpr4G8ehxuz+s1ecnMBUGhdpFUIGz2Ju11w5
+k8u24rEV3xMqCGz5GkpGOjJObJlJxCgBuSOtNKUk8+y+r3w8fiDxsK5cQz/Y0Afn
+JUNejTO94+gH5AXmBeoqdbobUz8pl7cYEyHoyHyzyytkG27vef5ILUrvDM6o5yed
+Vp1HOOLF+ZdCXZemEV9Bp+gbml3OseEO1VdOzbRbhgmfJ1z6Xfi159iKVdgEM48x
+mFx5M/rsebKwibL8dMhjyGjtCNH/+BgK1lgVximg7BWFyA8f
+-----END CERTIFICATE-----
diff --git a/app/certs/tee.key b/app/certs/tee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwyJzRGTrtnYbL
+ggZJcPLY6l/1PvCx7ovht2f9+D8bukESjArr8idufc8KWnY83adn+MucYnjSQ5fb
+UKsKSqW31O5NIGPdpJhYJFVapNoc+XOfOdH76TU/y5ea1J2aH/DV0BzNqsiyLtDu
+4q7Mi97EBQKBDmzGQPjsQM8nYER2t3QHPfxw+Fjszkk9fRLOaOuq67mslTqMkjpT
+KjwbzlZXkKjLR1EaoqmlOk3adH3iUMLYDt2rhxO9PIke46/aXHTPMEdiYpq+khAA
+5h+erq2q0N+L8BQpKDJDestuHQVlsrXEJoV3mMgYjZwoaw+z5SPghVEvPYAVRUi/
+zgtC4z6LAgMBAAECggEAB9NJhcP9JMmFTvrZdmTGiy2Mw9leZDHwBTTOKKLVgE+1
+U7HZRep5Ll3pTUcF1tnk8ChGMwz01jHhxfaDK7h0L3gAeG+HnCcOC1DIanPDp+au
+5Ix1rBX9om5LrrHcrBbf3UcSD1SQ/7osy3ZDUJCccsbZ/oZ58CiuHB8eTFrpjOus
+851+2Tus5VcNMaearSxOGKYz4qsRrLpUXz05ln+f4xRtwYo6VnZocktR8p9H4qhz
+lcHvieEnKGvhyxSkSicEe8o2s4S9Ovgog3aQGf8pS+94UC6Kh1t0JpPX8aFUAISV
+GOvvumR8hZ5mWiia61ierhy0O8nSIpmL4G6u5AZ9KQKBgQD1VYCepeD29Q+tdQyM
+COCKEKogIiKA8+Yd1cUmOD+T/zWCpWhUctqAoSlVNN/701M2fgf6mbASf+otaY/T
+eOicbCs8l5SovRPJ3O9Fa8W53/sbGVjZqCyFopk99697RjVC0qDcsAl/fzZvITfT
+Rj6p3AApmwGlgkLzNLse0YsPdwKBgQC4eCoLODRncAcZYdPzKBrBtLQYXGNXC02A
+3Ol4Cs7hKzwZ4nP0vZnW4rrpHuW8v0Zq42EMNVd8pOsXlgzg/NNb47VQLT9c5ZLK
+5SB0UHLxOYPxIWr0cijPqLxEWoSxOrTQFg1/+yoS2SYdLtN7ncjj2PsyTTEBoT6m
+6EzIuqSWjQKBgQDnAvcU7F+US5fSnogNCILenuiDT4Er6f4Ck/uLjKWZZ1PszHIc
+KvZC7v5rpFlQ2GHfyvcaa0NXeCl7T45F8/Ec8eIYsScjaL9McoS/2saZyyW5E7oN
+YgViZIRlzGfp7WdTn+AnTn/zFUedhyr4/4kcCvQAOVxoi+sc9cdJMsj96wKBgQCN
+tIFXrQ1UiFJrxSK0H5KuSsouDIqjSyN2Yj1W4baackPw/mxlDWEoGXPLsNh6bdUC
+NzlNz4wtS+Lsc2/hRVZ3uCyIMroB+rkQ84JC16n0dGJO0YT/0tJW8x/swjw8iQRs
+9QPZ1G81m2oT8Oy0gTjZDs2ojnOe9ObUAI87g2T74QKBgG5ifvIzH/5FV+U7A50N
+SUGaRBv7E3s9ay1ye0N/cKe7hSrugvAwgrv6Y0IUYidb3ktvk8X6e9Q4MUgR6vHy
+2Jg+wTcpLbRsQIpMYV2O6ofvLYF3qrL6Z3xKEg+KdikuJJ+NrfyAQwCn5taQvfYL
+2Nh7hBK2U8/Fv66L7FgFW8Ie
+-----END PRIVATE KEY-----
diff --git a/app/certs/tls-ca-chain.pem b/app/certs/tls-ca-chain.pem
@@ -0,0 +1,171 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA
+        Validity
+            Not Before: Jan  9 22:05:43 2022 GMT
+            Not After : Jan  9 22:05:43 2032 GMT
+        Subject: C=US, O=Google, OU=Enterprise, CN=Enterprise Subordinate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cd:01:12:b9:8a:c9:e5:4b:d5:cc:d9:7a:2b:d1:
+                    cb:db:02:23:2a:98:b5:66:65:0d:36:50:e8:9f:02:
+                    06:ff:c3:aa:a6:9b:fc:2e:5e:79:b8:ae:4b:b1:09:
+                    cf:10:f8:e2:bb:a7:71:78:ee:cb:1f:f6:0c:64:32:
+                    19:31:84:a7:eb:6e:90:29:2e:9c:05:0e:bb:59:61:
+                    e9:db:1b:db:e3:35:c8:a6:39:f0:2e:de:85:5f:ef:
+                    a9:b3:cc:99:37:03:e7:4f:ac:a4:cd:45:1d:4e:0b:
+                    c3:3c:7c:e2:b1:ca:af:f2:20:62:34:9b:f4:ce:c9:
+                    93:f6:cc:99:35:f5:f2:14:c3:10:54:fb:c8:94:4e:
+                    e1:07:8e:71:8c:61:a7:27:9c:c7:49:6a:c8:5f:3d:
+                    22:93:82:61:ec:80:51:84:ce:0b:33:b9:22:ee:e5:
+                    4f:ab:ad:7d:e5:c0:7a:dc:bf:47:1f:04:73:7e:96:
+                    86:6e:eb:29:b4:4c:a6:45:b9:e3:4d:81:2b:bb:fc:
+                    48:1c:7e:f5:25:19:41:24:a2:3a:b3:97:f1:d6:26:
+                    80:cc:e1:f0:e3:e6:d0:3a:cb:df:73:79:6b:e6:7b:
+                    32:0c:e3:ee:92:f9:de:de:b2:d2:50:f9:20:49:82:
+                    ed:94:4b:cf:7b:0a:77:e7:01:e2:5e:50:ec:12:03:
+                    2c:ef
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Subject Key Identifier: 
+                B7:BA:B0:02:A1:E7:BE:34:C6:C1:05:5C:66:78:E5:BB:53:5D:A1:54
+            X509v3 Authority Key Identifier: 
+                keyid:7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92
+
+            Authority Information Access: 
+                CA Issuers - URI:http://pki.esodemoapp2.com/ca/root-ca.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://pki.esodemoapp2.com/ca/root-ca.crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         c2:ae:b0:30:75:e4:50:32:8b:ee:d3:4c:2c:f0:8d:eb:79:42:
+         0c:11:db:6c:17:02:d1:4a:1b:b4:82:05:61:18:73:07:d6:f1:
+         83:a5:d4:49:a1:a4:a9:08:67:42:70:fb:f5:20:0d:01:90:be:
+         bd:eb:d7:5f:d4:60:d4:c5:03:96:6e:22:da:8f:24:39:4b:a7:
+         d5:16:06:7f:c8:86:e7:dd:2c:cc:c3:b0:ee:6e:28:36:8b:dc:
+         49:a3:d9:5a:3e:98:e3:8c:cf:e0:17:a6:c1:4b:17:61:a0:b5:
+         0a:2c:57:f4:7b:cd:85:0a:e0:0f:5e:c9:1e:89:6e:c1:73:55:
+         c1:de:e8:b8:c6:03:cd:57:3d:d3:1e:ef:0c:6b:dc:ff:7d:32:
+         51:a2:1a:c2:f2:dd:42:fe:96:9b:ed:34:29:71:04:7a:5e:44:
+         6b:5f:94:9b:fc:c3:3a:4e:71:5e:c3:bb:03:e5:cb:85:4f:ba:
+         3f:0e:f6:d6:4f:8d:bf:50:fd:a7:b8:d8:b9:f7:54:c8:19:80:
+         c9:04:22:81:aa:77:74:00:7e:91:cf:e5:53:c9:e4:54:56:9e:
+         23:db:51:31:b7:32:f4:24:a9:8d:d5:2f:9d:98:fe:56:e8:fd:
+         44:57:ec:ed:12:59:4a:11:5d:cd:fd:ee:ab:eb:9e:70:94:31:
+         bf:d3:2e:c6
+-----BEGIN CERTIFICATE-----
+MIIEDTCCAvWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEP
+MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMRswGQYDVQQDDBJF
+bnRlcnByaXNlIFJvb3QgQ0EwHhcNMjIwMTA5MjIwNTQzWhcNMzIwMTA5MjIwNTQz
+WjBXMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRl
+cnByaXNlMSIwIAYDVQQDDBlFbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQESuYrJ5UvVzNl6K9HL2wIjKpi1
+ZmUNNlDonwIG/8Oqppv8Ll55uK5LsQnPEPjiu6dxeO7LH/YMZDIZMYSn626QKS6c
+BQ67WWHp2xvb4zXIpjnwLt6FX++ps8yZNwPnT6ykzUUdTgvDPHziscqv8iBiNJv0
+zsmT9syZNfXyFMMQVPvIlE7hB45xjGGnJ5zHSWrIXz0ik4Jh7IBRhM4LM7ki7uVP
+q6195cB63L9HHwRzfpaGbusptEymRbnjTYEru/xIHH71JRlBJKI6s5fx1iaAzOHw
+4+bQOsvfc3lr5nsyDOPukvne3rLSUPkgSYLtlEvPewp35wHiXlDsEgMs7wIDAQAB
+o4HqMIHnMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
+DgQWBBS3urACoee+NMbBBVxmeOW7U12hVDAfBgNVHSMEGDAWgBR8HFvoPrMzCZaS
+Mth/RL/MjJOckjBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAKGKWh0dHA6Ly9w
+a2kuZXNvZGVtb2FwcDIuY29tL2NhL3Jvb3QtY2EuY2VyMDoGA1UdHwQzMDEwL6At
+oCuGKWh0dHA6Ly9wa2kuZXNvZGVtb2FwcDIuY29tL2NhL3Jvb3QtY2EuY3JsMA0G
+CSqGSIb3DQEBCwUAA4IBAQDCrrAwdeRQMovu00ws8I3reUIMEdtsFwLRShu0ggVh
+GHMH1vGDpdRJoaSpCGdCcPv1IA0BkL6969df1GDUxQOWbiLajyQ5S6fVFgZ/yIbn
+3SzMw7Dubig2i9xJo9laPpjjjM/gF6bBSxdhoLUKLFf0e82FCuAPXskeiW7Bc1XB
+3ui4xgPNVz3THu8Ma9z/fTJRohrC8t1C/pab7TQpcQR6XkRrX5Sb/MM6TnFew7sD
+5cuFT7o/DvbWT42/UP2nuNi591TIGYDJBCKBqnd0AH6Rz+VTyeRUVp4j21ExtzL0
+JKmN1S+dmP5W6P1EV+ztEllKEV3N/e6r655wlDG/0y7G
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA
+        Validity
+            Not Before: Jan  9 22:05:07 2022 GMT
+            Not After : Jan  9 22:05:07 2032 GMT
+        Subject: C=US, O=Google, OU=Enterprise, CN=Enterprise Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:de:ee:86:98:a4:6c:92:71:85:aa:76:16:13:85:
+                    bb:d7:49:37:e5:11:03:49:73:a6:31:c6:d0:fb:27:
+                    ca:70:ec:c2:d0:db:88:d7:3a:97:20:49:fd:7b:4a:
+                    76:72:d0:c9:16:31:07:14:86:3b:99:67:6f:88:70:
+                    fc:a7:a4:60:81:af:35:68:88:14:75:d3:cf:66:8a:
+                    28:55:ac:63:98:56:91:2c:55:59:0e:ed:fe:37:2a:
+                    6f:79:11:08:ca:41:c4:78:d1:d6:83:c1:35:7c:a0:
+                    f4:72:db:5f:16:4f:f7:04:30:26:4b:58:99:cd:52:
+                    7d:0a:91:e1:29:3d:11:3d:2f:11:1f:6b:0f:e7:95:
+                    63:ef:e0:4d:c7:d6:b9:15:3a:3c:6b:51:36:eb:df:
+                    55:e2:a2:e0:e2:24:a9:3e:30:3f:76:15:a8:1a:13:
+                    e1:e3:b2:b5:ae:e6:59:62:a4:2b:64:74:df:82:e5:
+                    a3:ac:c9:6f:c6:39:28:ec:93:57:be:17:c5:71:14:
+                    85:d8:ae:1c:f7:29:94:10:6d:ad:fe:fb:ea:33:5e:
+                    6e:e5:f3:8c:73:1c:50:5e:0f:57:55:c7:43:73:cc:
+                    2a:56:91:35:2b:c1:c8:6e:a6:8e:c9:4b:7b:75:68:
+                    87:17:3a:7a:ed:6d:54:f6:76:3c:ad:03:e0:e3:b5:
+                    78:fd
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92
+            X509v3 Authority Key Identifier: 
+                keyid:7C:1C:5B:E8:3E:B3:33:09:96:92:32:D8:7F:44:BF:CC:8C:93:9C:92
+
+    Signature Algorithm: sha256WithRSAEncryption
+         c4:50:d2:b2:ec:3b:c9:1b:16:42:f0:a1:c5:97:26:ce:11:e4:
+         d3:4e:b3:32:36:f5:9b:15:4f:3d:80:b8:07:20:89:26:43:e5:
+         b7:9b:b7:37:be:a5:7c:5a:92:2e:36:b1:73:a2:35:b7:2e:d1:
+         a3:55:8c:7d:99:19:43:08:8d:3a:88:78:7e:01:e3:ce:19:5d:
+         7c:af:b2:4d:0b:93:08:f3:d4:b3:75:f5:d3:b5:18:9a:b0:cb:
+         55:2f:b3:27:6c:38:b1:a1:75:b5:6d:c2:53:c5:91:9e:09:c7:
+         b3:81:fe:2c:a8:09:0a:ec:dd:ed:d6:10:78:64:ce:c9:bd:25:
+         ae:de:d8:86:68:d0:0f:ee:db:73:b6:c0:bc:7a:e4:a5:fa:30:
+         b3:6c:7a:3f:e3:87:20:5c:d0:8e:78:fa:ec:ec:85:81:03:a6:
+         58:c4:c8:4d:ee:cc:03:22:68:ed:a4:bb:77:a9:56:c7:9c:33:
+         6a:30:c7:50:75:eb:67:3b:40:52:01:d4:67:b5:19:cd:42:d0:
+         ea:f5:c3:fd:e7:a1:3a:6d:2b:22:6b:2f:61:85:9b:8e:50:8e:
+         34:b9:4e:00:5d:d2:89:96:47:b3:d7:ac:eb:9a:fa:76:07:34:
+         61:51:a0:2f:20:69:5e:f6:dd:06:2b:1e:c8:82:7f:ce:f0:ba:
+         5c:12:ff:f2
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIBATANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEP
+MA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMRswGQYDVQQDDBJF
+bnRlcnByaXNlIFJvb3QgQ0EwHhcNMjIwMTA5MjIwNTA3WhcNMzIwMTA5MjIwNTA3
+WjBQMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRl
+cnByaXNlMRswGQYDVQQDDBJFbnRlcnByaXNlIFJvb3QgQ0EwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDe7oaYpGyScYWqdhYThbvXSTflEQNJc6YxxtD7
+J8pw7MLQ24jXOpcgSf17SnZy0MkWMQcUhjuZZ2+IcPynpGCBrzVoiBR1089miihV
+rGOYVpEsVVkO7f43Km95EQjKQcR40daDwTV8oPRy218WT/cEMCZLWJnNUn0KkeEp
+PRE9LxEfaw/nlWPv4E3H1rkVOjxrUTbr31XiouDiJKk+MD92FagaE+HjsrWu5lli
+pCtkdN+C5aOsyW/GOSjsk1e+F8VxFIXYrhz3KZQQba3+++ozXm7l84xzHFBeD1dV
+x0NzzCpWkTUrwchupo7JS3t1aIcXOnrtbVT2djytA+DjtXj9AgMBAAGjYzBhMA4G
+A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR8HFvoPrMz
+CZaSMth/RL/MjJOckjAfBgNVHSMEGDAWgBR8HFvoPrMzCZaSMth/RL/MjJOckjAN
+BgkqhkiG9w0BAQsFAAOCAQEAxFDSsuw7yRsWQvChxZcmzhHk006zMjb1mxVPPYC4
+ByCJJkPlt5u3N76lfFqSLjaxc6I1ty7Ro1WMfZkZQwiNOoh4fgHjzhldfK+yTQuT
+CPPUs3X107UYmrDLVS+zJ2w4saF1tW3CU8WRngnHs4H+LKgJCuzd7dYQeGTOyb0l
+rt7YhmjQD+7bc7bAvHrkpfows2x6P+OHIFzQjnj67OyFgQOmWMTITe7MAyJo7aS7
+d6lWx5wzajDHUHXrZztAUgHUZ7UZzULQ6vXD/eehOm0rImsvYYWbjlCONLlOAF3S
+iZZHs9es65r6dgc0YVGgLyBpXvbdBiseyIJ/zvC6XBL/8g==
+-----END CERTIFICATE-----
diff --git a/app/claims.go b/app/claims.go
@@ -57,7 +57,7 @@ type Claims struct {
 	OEMID                 uint64       `json:"oemid"`
 	HardwareModel         string       `json:"hwmodel"`
 	SoftwareName          string       `json:"swname"`
-	SoftwareVersion       string       `json:"swversion"`
+	SoftwareVersion       []string     `json:"swversion"`
 	Dbgstat               string       `json:"dbgstat"`
 	GoogleServiceAccounts []string     `json:"google_service_accounts"`
 	Submods               SubmodClaims `json:"submods"`

diff --git a/app/go.mod b/app/go.mod
@@ -7,6 +7,7 @@ require (
 	cloud.google.com/go/logging v1.6.1
 	cloud.google.com/go/pubsub v1.27.1
 	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/gorilla/mux v1.8.0
 	github.com/lestrrat/go-jwx v0.9.1
 	golang.org/x/oauth2 v0.5.0
 	google.golang.org/api v0.110.0
@@ -28,7 +29,7 @@ require (
 	github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/net v0.6.0 // indirect
+	golang.org/x/net v0.6.0
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.5.0 // indirect
 	golang.org/x/text v0.7.0 // indirect

diff --git a/app/go.sum b/app/go.sum
@@ -59,6 +59,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9
 github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
 github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/lestrrat/go-jwx v0.9.1 h1:LbObMwh+lyWzIyVMd7iqsv1Az4EJDO0hURuSP1BFZcU=
 github.com/lestrrat/go-jwx v0.9.1/go.mod h1:wcNNJptrY9449mBu35x6pVnncAgclwoiqdxFoizCVnM=
 github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8 h1:ttJD8hTqvrPEUBoAG5hJKbDOJ84u7zmbnZsUL4V9430=