veyron/runtimes/google/rt: Fix up some loose ends on principal initialization.

(1) If VEYRON_CREDENTIALS is specified but does not exist, create the directory.
(2) Be more descriptive about errors in loading VEYRON_CREDENTIALS
(3) When initializing a default blessing, also mark it as the one to be
    shared with all principals. Without this, applications would not be able
    to act as IPC clients (using the new security model) without an explicit
    call to Runtime.Principal().BlessingStore().Set(). This change just flips
    the default, so that a newly minted Principal is ready to be used both
    as a client and server, and if it does not want to share credentials
    with all servers it connects to, the application can call
    Runtime.Principal().BlessingStore().Set(nil, security.AllPrincipals)

Change-Id: Ic2d10e66ea66b3d6b475aeaaf854a794da19ce28
diff --git a/runtimes/google/ipc/stream/vc/vc.go b/runtimes/google/ipc/stream/vc/vc.go
index e239b5a..55a45ea 100644
--- a/runtimes/google/ipc/stream/vc/vc.go
+++ b/runtimes/google/ipc/stream/vc/vc.go
@@ -712,6 +712,7 @@
 		l = append(l, "Handshake not completed yet")
 	} else {
 		l = append(l, "Encryption: "+vc.crypter.String())
+		l = append(l, fmt.Sprintf("LocalPrincipal:%v LocalBlessings:%v RemoteBlessings:%v", vc.localPrincipal.PublicKey(), vc.localBlessings, vc.remoteBlessings))
 		l = append(l, fmt.Sprintf("LocalID:%q RemoteID:%q", anonymousIfNilPublicID(vc.localID), anonymousIfNilPublicID(vc.remoteID)))
 	}
 	for fid, f := range vc.flowMap {
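Review bot: The added line calls `vc.localPrincipal.PublicKey()` with no nil check, while the very next line guards `vc.localID`/`vc.remoteID` with `anonymousIfNilPublicID`, which suggests these fields may be unset while both security models coexist; if `localPrincipal` can be nil after the handshake, this `String()` method panics in what is otherwise a diagnostic path. Guard it, e.g. `if vc.localPrincipal != nil { l = append(l, fmt.Sprintf("LocalPrincipal:%v ...", vc.localPrincipal.PublicKey(), vc.localBlessings, vc.remoteBlessings)) }`, or mirror the existing helper with an "anonymous" placeholder. The `%v` of both blessing values may also be verbose; if `String()` output ends up in logs, a short form (names only) would be easier to read. The enclosing method starts and ends outside this hunk.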
diff --git a/runtimes/google/rt/security.go b/runtimes/google/rt/security.go
index 5e6ea1b..8d3110e 100644
--- a/runtimes/google/rt/security.go
+++ b/runtimes/google/rt/security.go
@@ -20,7 +20,9 @@
 )
 
 const (
-	privateKeyFile          = "privatekey.pem"
+	privateKeyFile = "privatekey.pem"
+	// Environment variable pointing to a directory where information about a principal
+	// (private key, blessing store, blessing roots etc.) is stored.
 	VeyronCredentialsEnvVar = "VEYRON_CREDENTIALS"
 )
 
@@ -56,7 +58,6 @@
 func (rt *vrt) initPrincipal() error {
 	// TODO(ataly, ashankar): Check if agent environment variables are
 	// specified and if so initialize principal from agent.
-
 	if dir := os.Getenv(VeyronCredentialsEnvVar); len(dir) > 0 {
 		// TODO(ataly, ashankar): If multiple runtimes are getting
 		// initialized at the same time from the same VEYRON_CREDENTIALS
@@ -77,6 +78,9 @@
 	if err := rt.principal.BlessingStore().SetDefault(blessing); err != nil {
 		return err
 	}
+	if _, err := rt.principal.BlessingStore().Set(blessing, security.AllPrincipals); err != nil {
+		return err
+	}
 	if err := rt.principal.AddToRoots(blessing); err != nil {
 		return err
 	}
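Review bot: The new `Set(blessing, security.AllPrincipals)` call carries no comment, so a reader of security.go sees a freshly minted default blessing being handed to every peer with no indication that this is intentional; the rationale exists only in the commit message. Add a comment above it such as `// Also share the default blessing with all peers so a new principal can act as an IPC client without further setup; applications that do not want to present it to every server they connect to can call BlessingStore().Set(nil, security.AllPrincipals).` It is worth stating in that comment that this is a disclosure decision: whatever the default blessing contains is sent to every server the process talks to. Note also that a failure of this `Set` leaves the store with a default already set but no sharing rule, which may be fine but is not obviously so. `initPrincipal` continues outside this hunk.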
@@ -84,9 +88,16 @@
 }
 
 func (rt *vrt) initPrincipalFromCredentials(dir string) error {
+	if finfo, err := os.Stat(dir); err == nil {
+		if !finfo.IsDir() {
+			return fmt.Errorf("%q is not a directory", dir)
+		}
+	} else if err := os.MkdirAll(dir, 0700); err != nil {
+		return fmt.Errorf("failed to create %q: %v", dir, err)
+	}
 	key, err := initKey(dir)
 	if err != nil {
-		return fmt.Errorf("could not initialize ECDSA private key from credentials directory %v: %v", dir, err)
+		return fmt.Errorf("could not initialize private key from credentials directory %v: %v", dir, err)
 	}
 
 	signer := security.NewInMemoryECDSASigner(key)
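Review bot: In the added directory check, any `os.Stat` error other than "does not exist" (for example a permission error on a parent) is silently discarded and the code falls through to `os.MkdirAll`, so the user gets a misleading "failed to create" message rather than the real cause. Distinguish the not-exist case with `os.IsNotExist(err)` and return the stat error otherwise. The existing-directory branch also performs no mode check; since the private key is written into this directory, it may be worth at least logging when it is group- or world-accessible, though that is a policy question beyond this change.
```go
finfo, err := os.Stat(dir)
switch {
case err == nil && !finfo.IsDir():
	return fmt.Errorf("%q is not a directory", dir)
case os.IsNotExist(err):
	if err := os.MkdirAll(dir, 0700); err != nil {
		return fmt.Errorf("failed to create %q: %v", dir, err)
	}
case err != nil:
	return fmt.Errorf("failed to stat %q: %v", dir, err)
}
// … unchanged: initKey and signer setup …
```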
@@ -227,25 +238,25 @@
 		defer f.Close()
 		v, err := vsecurity.LoadPEMKey(f, nil)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to load PEM data from %q: %v", keyPath, v)
 		}
 		key, ok := v.(*ecdsa.PrivateKey)
 		if !ok {
-			return nil, fmt.Errorf("could not read ECDSA private key from data of type %T", v)
+			return nil, fmt.Errorf("%q contains a %T, not an ECDSA private key", keyPath, v)
 		}
 		return key, nil
 	} else if !os.IsNotExist(err) {
-		return nil, err
+		return nil, fmt.Errorf("failed to read %q: %v", keyPath, err)
 	}
 
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to generate a private key: %v", err)
 	}
 
 	f, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE, 0600)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to open %q for writing: %v", keyPath, err)
 	}
 	defer f.Close()
 	return key, vsecurity.SavePEMKey(f, key, nil)
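Review bot: The new error message for `LoadPEMKey` formats `v` instead of `err`, so the actual load failure is dropped and the message will read "failed to load PEM data from ...: <nil>"; it should be `return nil, fmt.Errorf("failed to load PEM data from %q: %v", keyPath, err)`. Separately, the key file is opened with `os.O_WRONLY|os.O_CREATE` after the earlier not-exist check, so a second runtime initializing from the same `VEYRON_CREDENTIALS` in that window can have its freshly written key silently overwritten; adding `os.O_EXCL` would turn that race into an error, which seems preferable for private-key material even before the multi-runtime TODO is addressed. The enclosing function `initKey` starts outside this hunk.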