diff --git a/coordinator/core/marbleapi.go b/coordinator/core/marbleapi.go
index 1fb688d3..91ef45f7 100644
--- a/coordinator/core/marbleapi.go
+++ b/coordinator/core/marbleapi.go
@@ -41,8 +41,9 @@ import (
 )
 
 type reservedSecrets struct {
-	RootCA     manifest.Secret
-	MarbleCert manifest.Secret
+	RootCA          manifest.Secret
+	MarbleCert      manifest.Secret
+	CoordinatorRoot manifest.Secret
 }
 
 // Defines the "MarbleRun" prefix when mentioned in a manifest.
@@ -159,14 +160,6 @@ func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (res *rpc.A
 		return nil, status.Errorf(codes.Internal, "customizing marble parameters: %s", err)
 	}
 
-	// Add Coordinator root cert to env so that Marbles can use the Coordinator client API
-	coordinatorRootCert, err := getCoordinatorRootCertAsPEM(txdata)
-	if err != nil {
-		c.log.Error("Couldn't retrieve Coordinator root certificate", zap.Error(err))
-		return nil, status.Errorf(codes.Internal, "retrieving Coordinator root certificate: %s", err)
-	}
-	params.Env[globalconstants.MarbleEnvironmentCoordinatorRootCA] = coordinatorRootCert
-
 	// write response
 	resp := &rpc.ActivationResp{
 		Parameters: params,
@@ -371,10 +364,15 @@ func customizeParameters(params manifest.Parameters, specialSecrets reservedSecr
 	if err != nil {
 		return nil, fmt.Errorf("encoding marble private key: %w", err)
 	}
+	coordinatorRootPem, err := manifest.EncodeSecretDataToPem(specialSecrets.CoordinatorRoot.Cert)
+	if err != nil {
+		return nil, fmt.Errorf("encoding Coordinator root CA: %w", err)
+	}
 
 	customParams.Env[marble.MarbleEnvironmentRootCA] = []byte(rootCaPem)
 	customParams.Env[marble.MarbleEnvironmentCertificateChain] = []byte(marbleCertPem + rootCaPem)
 	customParams.Env[marble.MarbleEnvironmentPrivateKey] = []byte(encodedPrivKey)
+	customParams.Env[globalconstants.MarbleEnvironmentCoordinatorRootCA] = []byte(coordinatorRootPem)
 
 	return &customParams, nil
 }
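Review bot: `reservedSecrets` now carries two different roots and neither field says which CA it is — `RootCA` is built from the marble root certificate and is what `MarbleEnvironmentCertificateChain` is chained to, while `CoordinatorRoot` is loaded from `constants.SKCoordinatorRootCert` and exported to marbles as `MarbleEnvironmentCoordinatorRootCA`. Add field comments such as `// RootCA is the marble root CA that marble certificates chain to.` and `// CoordinatorRoot is the Coordinator's own root certificate, handed to marbles so they can verify the Coordinator client API.`, plus a one-line doc comment on the type itself. The enclosing `import (` block opens outside the hunk.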
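Review bot: The rationale that came with the old code, `// Add Coordinator root cert to env so that Marbles can use the Coordinator client API`, is lost in the move; put it back above the new `customParams.Env[globalconstants.MarbleEnvironmentCoordinatorRootCA]` line so a reader knows why a second root CA is exported next to `MarbleEnvironmentRootCA`. The new `EncodeSecretDataToPem` call also depends on every caller populating `specialSecrets.CoordinatorRoot`; a caller that still builds `reservedSecrets` without the new field would pass a zero-value certificate, and whether that yields an error or an empty PEM is not visible here. Assuming `manifest.Certificate` keeps `x509.Certificate`'s fields (the `manifest.Certificate(*marbleRootCert)` conversion suggests it does), a guard like `if len(specialSecrets.CoordinatorRoot.Cert.Raw) == 0 { return nil, errors.New("coordinator root certificate not set") }` before the encoding call would fail closed with a clear message (use `fmt.Errorf` if the `errors` import leaves with the deleted helper). customizeParameters's signature and the earlier encoding steps lie outside the hunk.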
@@ -424,10 +422,16 @@ func (c *Core) generateMarbleAuthSecrets(txdata storeGetter, req *rpc.Activation
 	if err != nil {
 		return reservedSecrets{}, err
 	}
+	coordinatorRootCert, err := txdata.GetCertificate(constants.SKCoordinatorRootCert)
+	if err != nil {
+		return reservedSecrets{}, err
+	}
+
 	// customize marble's parameters
 	authSecrets := reservedSecrets{
-		RootCA:     manifest.Secret{Cert: manifest.Certificate(*marbleRootCert)},
-		MarbleCert: manifest.Secret{Cert: manifest.Certificate(*marbleCert), Public: encodedPubKey, Private: encodedPrivKey},
+		RootCA:          manifest.Secret{Cert: manifest.Certificate(*marbleRootCert)},
+		MarbleCert:      manifest.Secret{Cert: manifest.Certificate(*marbleCert), Public: encodedPubKey, Private: encodedPrivKey},
+		CoordinatorRoot: manifest.Secret{Cert: manifest.Certificate(*coordinatorRootCert)},
 	}
 
 	return authSecrets, nil
@@ -508,18 +512,6 @@ func (c *Core) setTTLSConfig(txdata storeGetter, marble *manifest.Marble, specia
 	return nil
 }
 
-func getCoordinatorRootCertAsPEM(txdata storeGetter) ([]byte, error) {
-	rootCert, err := txdata.GetCertificate(constants.SKCoordinatorRootCert)
-	if err != nil {
-		return nil, fmt.Errorf("loading root certificate from store: %w", err)
-	}
-	pemCertRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw})
-	if len(pemCertRoot) <= 0 {
-		return nil, errors.New("pem.EncodeToMemory failed for root certificate")
-	}
-	return pemCertRoot, nil
-}
-
 type storeGetter interface {
 	GetActivations(name string) (uint, error)
 	GetCertificate(name string) (*x509.Certificate, error)
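Review bot: The failure of the new `txdata.GetCertificate(constants.SKCoordinatorRootCert)` lookup is returned bare, so the context the deleted helper used to add (`loading root certificate from store`) is gone and an activation failure will no longer say which certificate could not be loaded; prefer `return reservedSecrets{}, fmt.Errorf("loading Coordinator root certificate from store: %w", err)`. The preceding lookup in this hunk returns a bare error as well, so this follows the function's existing style, but the Coordinator root is the one store key this function did not read before and is the one a reader will want to find in the error text. The dereference in `manifest.Certificate(*coordinatorRootCert)` mirrors the existing fields and is only safe if `GetCertificate` never returns a nil certificate with a nil error, which is not visible here. generateMarbleAuthSecrets starts outside the hunk.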