sentry/client: Use separate TLS certificate

oasisprotocol · Apr 3, 2020 · 36e985d · 36e985d
1 parent 27bae53
commit 36e985d
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 14 deletions.
diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
@@ -203,7 +203,7 @@ steps:
   ###############
   - label: E2E tests
     parallelism: 7
-    timeout_in_minutes: 12
+    timeout_in_minutes: 9
     command:
       - .buildkite/scripts/download_e2e_test_artifacts.sh
       - .buildkite/scripts/test_e2e.sh

diff --git a/.changelog/2098.breaking.md b/.changelog/2098.breaking.md
@@ -0,0 +1,5 @@
+Sentry nodes no longer require TLS certificate file of the upstream node
+
+The `worker.sentry.grpc.upstream.cert` option has been removed.
+Instead, use `worker.sentry.grpc.upstream.id` to specify the
+upstream node's ID.
diff --git a/.changelog/2098.feature.md b/.changelog/2098.feature.md
@@ -3,4 +3,4 @@ node: Add automatic TLS certificate rotation support
 It is now possible to automatically rotate the node's TLS
 certificates every N epochs by passing the command-line flag
 `worker.registration.rotate_certs`.
-Do not use this if you use sentry nodes or IAS proxies.
+Do not use this option on sentry nodes or IAS proxies.
diff --git a/go/common/identity/identity.go b/go/common/identity/identity.go
@@ -30,6 +30,10 @@ const (
 
 	tlsKeyFilename  = "tls_identity.pem"
 	tlsCertFilename = "tls_identity_cert.pem"
+
+	// These are used for the sentry client connection to the sentry node and are never rotated.
+	tlsSentryClientKeyFilename  = "sentry_client_tls_identity.pem"
+	tlsSentryClientCertFilename = "sentry_client_tls_identity_cert.pem"
 )
 
 // ErrCertificateRotationForbidden is returned by RotateCertificates if
@@ -56,6 +60,8 @@ type Identity struct {
 	nextTLSCertificate *tls.Certificate
 	// DoNotRotateTLS flag is true if we mustn't rotate the TLS certificates.
 	DoNotRotateTLS bool
+	// TLSSentryClientCertificate is the client certificate used for connecting to the sentry node's control connection.
+	TLSSentryClientCertificate *tls.Certificate
 }
 
 // RotateCertificates rotates the identity's TLS certificates.
@@ -218,14 +224,31 @@ func doLoadOrGenerate(dataDir string, signerFactory signature.SignerFactory, sho
 		}
 	}
 
+	// Load or generate the sentry client certificate for this node.
+	tlsSentryClientCertPath, tlsSentryClientKeyPath := TLSSentryClientCertPaths(dataDir)
+	sentryClientCert, err := tlsCert.Load(tlsSentryClientCertPath, tlsSentryClientKeyPath)
+	if err != nil {
+		// Load failed, generate fresh sentry client cert.
+		sentryClientCert, err = tlsCert.Generate(CommonName)
+		if err != nil {
+			return nil, err
+		}
+		// And save it to disk.
+		err = tlsCert.Save(tlsSentryClientCertPath, tlsSentryClientKeyPath, sentryClientCert)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &Identity{
-		NodeSigner:         signers[0],
-		P2PSigner:          signers[1],
-		ConsensusSigner:    signers[2],
-		tlsSigner:          memory.NewFromRuntime(cert.PrivateKey.(ed25519.PrivateKey)),
-		tlsCertificate:     cert,
-		nextTLSCertificate: nextCert,
-		DoNotRotateTLS:     dnr,
+		NodeSigner:                 signers[0],
+		P2PSigner:                  signers[1],
+		ConsensusSigner:            signers[2],
+		tlsSigner:                  memory.NewFromRuntime(cert.PrivateKey.(ed25519.PrivateKey)),
+		tlsCertificate:             cert,
+		nextTLSCertificate:         nextCert,
+		DoNotRotateTLS:             dnr,
+		TLSSentryClientCertificate: sentryClientCert,
 	}, nil
 }
 
@@ -239,3 +262,14 @@ func TLSCertPaths(dataDir string) (string, string) {
 
 	return tlsCertPath, tlsKeyPath
 }
+
+// TLSSentryClientCertPaths returns the sentry client TLS private key and
+// certificate paths relative to the passed data directory.
+func TLSSentryClientCertPaths(dataDir string) (string, string) {
+	var (
+		tlsKeyPath  = filepath.Join(dataDir, tlsSentryClientKeyFilename)
+		tlsCertPath = filepath.Join(dataDir, tlsSentryClientCertFilename)
+	)
+
+	return tlsCertPath, tlsKeyPath
+}
diff --git a/go/sentry/client/client.go b/go/sentry/client/client.go
@@ -45,11 +45,9 @@ func (c *Client) createConnection() error {
 	certPool := x509.NewCertPool()
 	certPool.AddCert(c.sentryCert)
 	creds := credentials.NewTLS(&tls.Config{
-		RootCAs:    certPool,
-		ServerName: identity.CommonName,
-		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
-			return c.nodeIdentity.GetTLSCertificate(), nil
-		},
+		RootCAs:      certPool,
+		ServerName:   identity.CommonName,
+		Certificates: []tls.Certificate{*c.nodeIdentity.TLSSentryClientCertificate},
 	})
 	opts := grpc.WithTransportCredentials(creds)