server: Implement auto-init handshake to negotiate CA certs between n…

…odes This PR implements the init protocol phase of the cert-free setup described in cockroachdb#51991. A lot of the code is pulled out of Aaron's reference implementation of this protocol: https://github.com/aaron-crl/toy-secure-init-handshake/tree/n-way-join One part of cockroachdb#60632. Release note: None.
itsbilal · Feb 19, 2021 · 2ae7b43 · 2ae7b43
1 parent 410940c
commit 2ae7b43
Show file tree

Hide file tree

Showing 4 changed files with 538 additions and 13 deletions.
diff --git a/pkg/cli/connect.go b/pkg/cli/connect.go
@@ -10,7 +10,12 @@
 
 package cli
 
-import "github.com/spf13/cobra"
+import (
+ "context"
+
+ "github.com/cockroachdb/cockroach/pkg/server"
+ "github.com/spf13/cobra"
+)
 
 // connectCmd triggers a TLS initialization handshake and writes
 // certificates in the specified certs-dir for use with start.
@@ -28,7 +33,9 @@ secure inter-node connections.
 // runConnect connects to other nodes and negotiates an initialization bundle
 // for use with secure inter-node connections.
 func runConnect(cmd *cobra.Command, args []string) error {
- // TODO(bilal): Implement TLS init handshake.
- // https://github.com/cockroachdb/cockroach/issues/60632
- return nil
+ peers := []string(serverCfg.JoinList)
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ return server.InitHandshake(ctx, baseCfg, baseCfg.InitToken, peers, baseCfg.SSLCertsDir, startCtx.serverListenAddr, serverListenPort)
 }
diff --git a/pkg/security/auto_tls_init.go b/pkg/security/auto_tls_init.go
@@ -114,31 +114,31 @@ func CreateServiceCertAndKey(lifespan time.Duration, service, hostname string, c
  // Create random serial number for CA.
  serialNumber, err := createCertificateSerialNumber()
  if err != nil {
- return
+ return nil, nil, err
  }
 
  caCertBlock, _ := pem.Decode(caCertPEM)
  if caCertBlock == nil {
  err = errors.New("failed to parse valid PEM from CaCertificate blob")
- return
+ return nil, nil, err
  }
 
  caCert, err := x509.ParseCertificate(caCertBlock.Bytes)
  if err != nil {
  err = errors.New("failed to parse valid Certificate from PEM blob")
- return
+ return nil, nil, err
  }
 
  caKeyBlock, _ := pem.Decode(caKeyPEM)
  if caKeyBlock == nil {
  err = errors.New("failed to parse valid PEM from CaKey blob")
- return
+ return nil, nil, err
  }
 
- caKey, err := x509.ParsePKCS8PrivateKey(caKeyBlock.Bytes)
+ caKey, err := x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
  if err != nil {
  err = errors.New("failed to parse valid Certificate from PEM blob")
- return
+ return nil, nil, err
  }
 
  // Bulid service certificate template; template will be used for all
@@ -170,12 +170,12 @@ func CreateServiceCertAndKey(lifespan time.Duration, service, hostname string, c
 
  servicePrivKey, err := rsa.GenerateKey(rand.Reader, defaultKeySize)
  if err != nil {
- return
+ return nil, nil, err
  }
 
  serviceCertBytes, err := x509.CreateCertificate(rand.Reader, serviceCert, caCert, &servicePrivKey.PublicKey, caKey)
  if err != nil {
- return
+ return nil, nil, err
  }
 
  serviceCertBlock := new(bytes.Buffer)
@@ -190,5 +190,5 @@ func CreateServiceCertAndKey(lifespan time.Duration, service, hostname string, c
  Bytes: x509.MarshalPKCS1PrivateKey(servicePrivKey),
  })
 
- return
+ return serviceCertBlock.Bytes(), certPrivKeyPEM.Bytes(), nil
 }