Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move key handling to tang itself #53

Merged
merged 3 commits into from
Dec 1, 2020
Merged

Move key handling to tang itself #53

merged 3 commits into from
Dec 1, 2020

Conversation

sergio-correia
Copy link
Collaborator

This effectively removes the cache directory -- usually /var/cache/tang
--, which had pre-computed files with signed advertisements and JWK with
keys for deriving new keys.

This computation was done by the tangd-update script, which has also
been removed in this commit.

We relied on systemd to run this script whenever the JWK dir -- usually
/var/db/tang, which is where the actual keys are located -- changed, to
keep the cache directory updated, but this is sometimes unreliable,
causing issues like the ones reported in #23 and #24.

As of now, tang performs these computations itself and does not depend
on external scripts to make sure it has reliable information regarding
its keys.

Tests added as well.

Resolves: #23
Resolves: #24

@sergio-correia sergio-correia mentioned this pull request Nov 28, 2020
Closed
@cbiedl
Copy link

cbiedl commented Nov 28, 2020

Not looking good on armhf, possibly still a race

1/3 adv       TIMEOUT        90.13s

--- command ---
22:10:54 SD_ACTIVATE='/usr/bin/systemd-socket-activate --inetd' PATH='/<<PKGBUILDDIR>>/src:/<<PKGBUILDDIR>>/obj-arm-linux-gnueabihf/src:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' /<<PKGBUILDDIR>>/tests/adv
--- stdout ---
{"payload": "eyJrZXlzIjogW3siYWxnIjogIkVTNTEyIiwgImNydiI6ICJQLTUyMSIsICJrZXlfb3BzIjogWyJ2ZXJpZnkiXSwgImt0eSI6ICJFQyIsICJ4IjogIkFVLWZZc19HZHd5Q2g0N0tDOEU5U0tkWERxMU9nYU9CcVNiQ1JPMlNYN1JvMnBxWVoyZ0llZzBiRU9COFowTzk3TlJjcjFpLS12dHljTE9TQTNQaFBtY3AiLCAieSI6ICJBQVdjRXVsRlkxTGNTZzZJUk9xQ25DMkZIWW9tTEVrd2hkU3BhTDlXZTJvUi1RY1l4a1RobFcxb01NX2loR1lVc3Z6cnhXeVdWd2Ewa191LWpSYmdNa2p3In0sIHsiYWxnIjogIkVDTVIiLCAiY3J2IjogIlAtNTIxIiwgImtleV9vcHMiOiBbImRlcml2ZUtleSJdLCAia3R5IjogIkVDIiwgIngiOiAiQUV1Mjd5dm9KUjNxN2xHaDY1VFBNZWxzMy1Rc3hxTmJRajA3SzQxMkJlVjlxRzFuODhYX1hhSV9wQTMxTU1Ua2prV2pSbW8yMnhOX3YwRi1jVjBvZjk3YSIsICJ5IjogIkFjMkNvRnQ2X19uR1pXam9GamFwdWYyOEdpY29HaTJWaDVOc3JsYjBkQ1BMOW12VlFOMVFjaWNueUNhd2hGUW9KcGxXUmtVYWstSkZpczdLaVlaRWVENnkifV19", "protected": "eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9", "signature": "AFmazBHspqbzUUIrSbRA5NiIB1ePk1K69bFcuCbMZ0QHfeGv7GlsWrd6Y78I464pPYuYGTL6StQ_ojTrvZcbR3hGAAf18u7KesoT0efZhbgYqd0UU3ZqmYyLZrbztjPT2Pfua2xDVPPF-L_rpYxoZXnu9FPyW69a4W1HmKcwaJxzGV_3"}
--- stderr ---
+ trap on_exit EXIT
+ trap exit ERR
++ mktemp -d
+ export TMP=/tmp/tmp.gwHry8iGOS
+ TMP=/tmp/tmp.gwHry8iGOS
+ mkdir -p /tmp/tmp.gwHry8iGOS/db
+ tangd-keygen /tmp/tmp.gwHry8iGOS/db sig exc
+ jose jwk gen -i '{"alg": "ES512"}' -o /tmp/tmp.gwHry8iGOS/db/.sig.jwk
+ jose jwk gen -i '{"alg": "ES512"}' -o /tmp/tmp.gwHry8iGOS/db/.oth.jwk
++ shuf -i 1024-65536 -n 1
+ export PORT=50243
+ PORT=50243
+ export PID=301670
+ PID=301670
+ sleep 0.5
+ /usr/bin/systemd-socket-activate --inetd -l 127.0.0.1:50243 -a tangd /tmp/tmp.gwHry8iGOS/db
Listening on 127.0.0.1:50243 as 3.
+ fetch /
+ curl -sfg http://127.0.0.1:50243/
Communication attempt on fd 3.
Connection from 127.0.0.1:57526 to 127.0.0.1:50243
Spawned tangd (tangd /tmp/tmp.gwHry8iGOS/db) as PID 301678.
Execing tangd (tangd /tmp/tmp.gwHry8iGOS/db)
<unknown> GET / => 404 (../src/http.c:128)
Child 301678 died with code 0
(...)

Will check further and report.

@cbiedl
Copy link

cbiedl commented Nov 28, 2020

Not looking good on armhf. Test suite fails

<unknown> GET / => 404 (../src/http.c:128)

Will check further, stay tuned.

@sergio-correia
Copy link
Collaborator Author

Not looking good on armhf. Test suite fails

<unknown> GET / => 404 (../src/http.c:128)

A couple of tests are expected to return 404. Try to increase the timeout in test/meson.build and see if it actually fails some test or manages to complete them.

@sergio-correia
Add functions for key manipulation
7555ba3 
We currently rely on the tangd-update script to read the keys and
generate signed advertisements as well as JWKs for key derivation.

Whenever there is a change in the directory containing the actual
keys, we run tangd-update through a systemd file watching mechanism,
so that we can have a cache directory with updated advertisements +
JWKs.

As reported in latchset#23 and latchset#24, this mechanism can be unreliable in
certain situations, and having up-to-date information on the keys that
are available is critical to tang, so the idea here is to remove this
dependency on external scripts (e.g. tangd-update) and move this
computation to tang itself.

In this commit we add the related functions for key manipulation so
that in a next step we can start using it in tang.
@sergio-correia
Add tests for key manipulation functions
eeb73dc 
In this commit we add tests for the key manipulation functions added in
src/keys.{c|h}.
@sergio-correia sergio-correia force-pushed the move-key-handling-to-tang branch from 39ae3ea to 5bed056 Compare November 29, 2020 04:28
@sergio-correia
Copy link
Collaborator Author

@cbiedl: could you try this updated version, please?

@sergio-correia
Move key handling to tang itself
c0f080e 
Use the key manipulation functions added in src/keys.{c|h} in tangd.

This effectively removes the need for a cache directory -- usually
/var/cache/tang --, which contained pre-computed files with signed
advertisements and JWK with keys for deriving new keys.

This computation was done by the tangd-update script, which has also
been removed in this commit.

We relied on systemd to run this script whenever the JWK dir -- usually
/var/db/tang, which is where the actual keys are located -- changed, to
keep the cache directory updated, but this is sometimes unreliable,
causing issues like the ones reported in latchset#23 and latchset#24.

As of now, tang performs these computations itself and does not depend
on external scripts to make sure it has reliable information regarding
its keys.

Additionally, tang also creates a new pair of keys if none exist.
@sergio-correia sergio-correia force-pushed the move-key-handling-to-tang branch from 5bed056 to c0f080e Compare November 29, 2020 13:55
@cbiedl
Copy link

cbiedl commented Nov 29, 2020

Looks fine here, build passes on armhf, requesting an advertisement works as expected.

One thing in the sources, though: units/tangd.socket is coverved by .gitignore, such a situation can lead to confusion and strange errors.

@sergio-correia
Copy link
Collaborator Author

Looks fine here, build passes on armhf, requesting an advertisement works as expected.

Thanks for testing.

One thing in the sources, though: units/tangd.socket is coverved by .gitignore, such a situation can lead to confusion and strange errors.

Good point. Looking into .gitignore, I see many entries related to autotools, that could be removed. I will remove .socket from there for now and clean it up more broadly in a follow-up PR.

@sergio-correia sergio-correia merged commit 7119454 into latchset:master Dec 1, 2020
@sergio-correia sergio-correia deleted the move-key-handling-to-tang branch December 1, 2020 14:26
@rugk
Copy link

rugk commented Feb 8, 2021

Just as a follow/heads-up:

I will remove .socket from there for now and clean it up more broadly in a follow-up PR.

Did you actually do this, @sergio-correia? I've checked your recent PRs and they all seem to be about something different.

@rugk rugk mentioned this pull request Feb 8, 2021
Closed
@sergio-correia
Copy link
Collaborator Author

Just as a follow/heads-up:

I will remove .socket from there for now and clean it up more broadly in a follow-up PR.

Did you actually do this, @sergio-correia?
[...]

Not yet. .gitignore still needs some clean up.

achanu pushed a commit to achanu/tang-container that referenced this pull request May 8, 2021
Fix removed /usr/libexec/tangd-update and /var/cache/tang since tang …
52fe98d 
…update (latchset/tang#53)
achanu added a commit to achanu/tang-container that referenced this pull request May 17, 2021
@achanu
Fix removed /usr/libexec/tangd-update and /var/cache/tang since tang …
25bdb28 
…update (latchset/tang#53)
achanu added a commit to achanu/tang-container that referenced this pull request May 17, 2021
@achanu
Fix removed /usr/libexec/tangd-update and /var/cache/tang since tang …
68ce37a 
…update (latchset/tang#53)
achanu added a commit to achanu/tang-container that referenced this pull request May 17, 2021
@achanu
Fix removed /usr/libexec/tangd-update and /var/cache/tang since tang …
d2a17d7 
…update (latchset/tang#53)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ZelenyMartin ZelenyMartin

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Removing /var/cache/tang breaks Tang Using file watching to update /var/cache/tang is unreliable
4 participants
@sergio-correia @cbiedl @rugk @ZelenyMartin