package main
import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"sync"
	"unsafe"
)
// enclaveKeys holds key material for nitriding itself (the HTTPS certificate)
// and for the enclave application (whatever the application wants to "store"
// in nitriding). These keys are meant to be managed by a leader enclave and --
// if horizontal scaling is required -- synced to worker enclaves. The struct
// implements getters and setters that allow for thread-safe setting and getting
// of members.
//
// The embedded sync.Mutex guards all three fields; every accessor in this file
// takes it before touching them. Because the mutex is embedded, Lock and Unlock
// are promoted onto enclaveKeys itself. A sync.Mutex must not be copied after
// first use, so values of this type are passed around as *enclaveKeys.
//
// All three fields carry JSON tags, so the encoded form of an enclaveKeys
// contains the certificate's key as well as the certificate. NOTE(review): the
// channel that carries the encoded form between leader and worker enclaves
// must therefore be both confidential and authenticated -- confirm at the
// call sites that encode this struct.
type enclaveKeys struct {
	sync.Mutex
	// NitridingKey is the key for nitriding's HTTPS certificate (NitridingCert).
	NitridingKey []byte `json:"nitriding_key"`
	// NitridingCert is nitriding's own HTTPS certificate.
	NitridingCert []byte `json:"nitriding_cert"`
	// AppKeys is opaque key material handed to nitriding by the enclave
	// application; nitriding only stores and syncs it.
	AppKeys []byte `json:"app_keys"`
}
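// equal reports whether e1 and e2 hold byte-identical key material. Both
// mutexes are held for the comparison so the answer reflects one consistent
// snapshot of the two values.
//
// Two hazards of the naive "lock e1, then lock e2" sequence are avoided here:
// sync.Mutex is not reentrant, so comparing a value with itself would deadlock
// (it is short-circuited instead), and two goroutines running a.equal(b) and
// b.equal(a) concurrently would take the locks in opposite orders. The locks
// are therefore always acquired in ascending address order; converting the
// pointers to uintptr is only used for that comparison.
func (e1 *enclaveKeys) equal(e2 *enclaveKeys) bool {
	if e1 == e2 {
		return true
	}
	first, second := e1, e2
	if uintptr(unsafe.Pointer(first)) > uintptr(unsafe.Pointer(second)) {
		first, second = second, first
	}
	first.Lock()
	defer first.Unlock()
	second.Lock()
	defer second.Unlock()
	return bytes.Equal(e1.NitridingCert, e2.NitridingCert) &&
		bytes.Equal(e1.NitridingKey, e2.NitridingKey) &&
		bytes.Equal(e1.AppKeys, e2.AppKeys)
}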
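// setAppKeys replaces the application's key material. The bytes are copied
// before being stored, so the caller's slice does not alias the key material
// guarded by the mutex and cannot change it afterwards. A nil argument stays
// nil and an empty argument stays empty, which keeps the JSON encoding of the
// field (null vs. "") unchanged.
func (e *enclaveKeys) setAppKeys(appKeys []byte) {
	// appKeys[:0:0] preserves the nil/non-nil distinction while its zero
	// capacity forces append to allocate a fresh backing array.
	fresh := append(appKeys[:0:0], appKeys...)
	e.Lock()
	defer e.Unlock()
	e.AppKeys = fresh
}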
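// setNitridingKeys replaces nitriding's own key and certificate in a single
// critical section. Both slices are copied before being stored, so the
// caller's buffers do not alias the key material guarded by the mutex. A nil
// argument stays nil and an empty argument stays empty, which keeps the JSON
// encoding of the fields (null vs. "") unchanged.
func (e *enclaveKeys) setNitridingKeys(key, cert []byte) {
	// x[:0:0] preserves the nil/non-nil distinction while its zero capacity
	// forces append to allocate a fresh backing array.
	freshKey := append(key[:0:0], key...)
	freshCert := append(cert[:0:0], cert...)
	e.Lock()
	defer e.Unlock()
	e.NitridingKey = freshKey
	e.NitridingCert = freshCert
}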
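// set overwrites all of e's key material with that of newKeys inside one
// critical section, so a concurrent reader never observes the new application
// keys combined with the old nitriding keys (or vice versa). The bytes are
// copied, so e and newKeys share no backing arrays afterwards.
//
// newKeys is read without taking its mutex, as before. NOTE(review): this
// assumes callers pass a value that is not being modified concurrently (for
// example one that was just decoded) -- confirm at the call sites.
func (e *enclaveKeys) set(newKeys *enclaveKeys) {
	// Copy outside the critical section; x[:0:0] keeps nil as nil and forces a
	// fresh allocation for non-empty input.
	key := append(newKeys.NitridingKey[:0:0], newKeys.NitridingKey...)
	cert := append(newKeys.NitridingCert[:0:0], newKeys.NitridingCert...)
	app := append(newKeys.AppKeys[:0:0], newKeys.AppKeys...)
	e.Lock()
	defer e.Unlock()
	e.NitridingKey = key
	e.NitridingCert = cert
	e.AppKeys = app
}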
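// copy returns a deep copy of e's key material taken under e's lock. The
// returned value has its own zero-value mutex and its own backing arrays, so
// later changes made through either value are not visible through the other.
// (A shallow copy would let an append on one value write into spare capacity
// shared with the other.) nil fields stay nil and empty fields stay empty.
func (e *enclaveKeys) copy() *enclaveKeys {
	e.Lock()
	defer e.Unlock()
	// x[:0:0] preserves nil-ness while forcing append to allocate afresh.
	return &enclaveKeys{
		NitridingKey:  append(e.NitridingKey[:0:0], e.NitridingKey...),
		NitridingCert: append(e.NitridingCert[:0:0], e.NitridingCert...),
		AppKeys:       append(e.AppKeys[:0:0], e.AppKeys...),
	}
}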
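// getAppKeys returns a copy of the application's key material. Handing out a
// copy rather than the stored slice means a caller cannot modify the key
// material behind the mutex's back. nil is returned as nil and an empty slice
// as an empty slice.
func (e *enclaveKeys) getAppKeys() []byte {
	e.Lock()
	defer e.Unlock()
	// x[:0:0] preserves nil-ness while forcing append to allocate afresh.
	return append(e.AppKeys[:0:0], e.AppKeys...)
}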
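// hashAndB64 returns the Base64-encoded SHA-256 hash over our key material,
// computed over the byte sequence NitridingCert || NitridingKey || AppKeys. The
// resulting string is not confidential as it's impractical to reverse the key
// material.
//
// The three slices are streamed into the digest instead of being joined with
// append: appending to e.NitridingCert writes the key bytes into whatever
// spare capacity the certificate's backing array has, and that array may be
// shared with other slices (the argument originally passed to
// setNitridingKeys, or a value returned by copy). The output is unchanged,
// because SHA-256 over a concatenation equals SHA-256 over the pieces written
// in order.
//
// NOTE(review): the input has no length framing, so two key sets that differ
// only in where the cert/key/app boundaries fall produce the same hash. This
// rewrite deliberately keeps that encoding so existing hashes stay comparable.
func (e *enclaveKeys) hashAndB64() string {
	e.Lock()
	defer e.Unlock()
	h := sha256.New()
	// hash.Hash.Write is documented never to return an error.
	h.Write(e.NitridingCert)
	h.Write(e.NitridingKey)
	h.Write(e.AppKeys)
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}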