fixup! api: add SetMonotonicCounter

edgelesssys · Oct 9, 2024 · b9ed237 · b9ed237
1 parent 2b55743
commit b9ed237
Showing 1 changed file with 16 additions and 24 deletions.
diff --git a/coordinator/core/marbleapi.go b/coordinator/core/marbleapi.go
@@ -41,8 +41,9 @@ import (
 )
 
 type reservedSecrets struct {
-	RootCA     manifest.Secret
-	MarbleCert manifest.Secret
+	RootCA          manifest.Secret
+	MarbleCert      manifest.Secret
+	CoordinatorRoot manifest.Secret
 }
 
 // Defines the "MarbleRun" prefix when mentioned in a manifest.
@@ -159,14 +160,6 @@ func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (res *rpc.A
 		return nil, status.Errorf(codes.Internal, "customizing marble parameters: %s", err)
 	}
 
-	// Add Coordinator root cert to env so that Marbles can use the Coordinator client API
-	coordinatorRootCert, err := getCoordinatorRootCertAsPEM(txdata)
-	if err != nil {
-		c.log.Error("Couldn't retrieve Coordinator root certificate", zap.Error(err))
-		return nil, status.Errorf(codes.Internal, "retrieving Coordinator root certificate: %s", err)
-	}
-	params.Env[globalconstants.MarbleEnvironmentCoordinatorRootCA] = coordinatorRootCert
-
 	// write response
 	resp := &rpc.ActivationResp{
 		Parameters: params,
@@ -371,10 +364,15 @@ func customizeParameters(params manifest.Parameters, specialSecrets reservedSecr
 	if err != nil {
 		return nil, fmt.Errorf("encoding marble private key: %w", err)
 	}
+	coordinatorRootPem, err := manifest.EncodeSecretDataToPem(specialSecrets.CoordinatorRoot.Cert)
+	if err != nil {
+		return nil, fmt.Errorf("encoding Coordinator root CA: %w", err)
+	}
 
 	customParams.Env[marble.MarbleEnvironmentRootCA] = []byte(rootCaPem)
 	customParams.Env[marble.MarbleEnvironmentCertificateChain] = []byte(marbleCertPem + rootCaPem)
 	customParams.Env[marble.MarbleEnvironmentPrivateKey] = []byte(encodedPrivKey)
+	customParams.Env[globalconstants.MarbleEnvironmentCoordinatorRootCA] = []byte(coordinatorRootPem)
 
 	return &customParams, nil
 }
@@ -424,10 +422,16 @@ func (c *Core) generateMarbleAuthSecrets(txdata storeGetter, req *rpc.Activation
 	if err != nil {
 		return reservedSecrets{}, err
 	}
+	coordinatorRootCert, err := txdata.GetCertificate(constants.SKCoordinatorRootCert)
+	if err != nil {
+		return reservedSecrets{}, err
+	}
+
 	// customize marble's parameters
 	authSecrets := reservedSecrets{
-		RootCA:     manifest.Secret{Cert: manifest.Certificate(*marbleRootCert)},
-		MarbleCert: manifest.Secret{Cert: manifest.Certificate(*marbleCert), Public: encodedPubKey, Private: encodedPrivKey},
+		RootCA:          manifest.Secret{Cert: manifest.Certificate(*marbleRootCert)},
+		MarbleCert:      manifest.Secret{Cert: manifest.Certificate(*marbleCert), Public: encodedPubKey, Private: encodedPrivKey},
+		CoordinatorRoot: manifest.Secret{Cert: manifest.Certificate(*coordinatorRootCert)},
 	}
 
 	return authSecrets, nil
@@ -508,18 +512,6 @@ func (c *Core) setTTLSConfig(txdata storeGetter, marble *manifest.Marble, specia
 	return nil
 }
 
-func getCoordinatorRootCertAsPEM(txdata storeGetter) ([]byte, error) {
-	rootCert, err := txdata.GetCertificate(constants.SKCoordinatorRootCert)
-	if err != nil {
-		return nil, fmt.Errorf("loading root certificate from store: %w", err)
-	}
-	pemCertRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw})
-	if len(pemCertRoot) <= 0 {
-		return nil, errors.New("pem.EncodeToMemory failed for root certificate")
-	}
-	return pemCertRoot, nil
-}
-
 type storeGetter interface {
 	GetActivations(name string) (uint, error)
 	GetCertificate(name string) (*x509.Certificate, error)