Move TLS parameters out of application config

Fixes #961

docs/programming-oak.md

@@ -237,8 +237,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {
@@ -531,7 +529,6 @@ to configure and run the Runtime.
         FRONTEND_ENTRYPOINT_NAME,
     );
 
-    let (runtime, entry_channel) =
-        oak_runtime::configure_and_run(configuration, oak_runtime::RuntimeConfiguration::default())
+    let (runtime, entry_channel) = oak_runtime::configure_and_run(
 ```
 <!-- prettier-ignore-end -->

examples/abitest/config/config.textproto

@@ -30,23 +30,19 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {
   name: "grpc-client"
   grpc_client_config {
     uri: "https://localhost:7878"
-    root_tls_certificate: "<bytes>"
     address: "localhost:7878"
   }
 }
 node_configs {
   name: "absent-grpc-client"
   grpc_client_config {
     uri: "https://test.invalid:9999"
-    root_tls_certificate: "<bytes>"
     address: "test.invalid:9999"
   }
 }

examples/abitest/tests/src/tests.rs

@@ -52,9 +52,12 @@ fn test_abi() {
         FRONTEND_ENTRYPOINT_NAME,
     );
 
-    let (runtime, entry_channel) =
-        oak_runtime::configure_and_run(configuration, oak_runtime::RuntimeConfiguration::default())
-            .expect("unable to configure runtime with test wasm");
+    let (runtime, entry_channel) = oak_runtime::configure_and_run(
+        configuration,
+        oak_runtime::RuntimeConfiguration::default(),
+        oak_runtime::GrpcConfiguration::default(),
+    )
+    .expect("unable to configure runtime with test wasm");
 
     // TODO(#540): reinstate storage, gRPC client and Roughtime tests when Rust
     // runtime supports them.

examples/aggregator/config/config.textproto

@@ -8,15 +8,12 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {
   name: "grpc-client"
   grpc_client_config {
     uri: "https://localhost:8888"
-    root_tls_certificate: "<bytes>"
     address: "127.0.0.1:8888"
   }
 }

examples/chat/config/config.textproto

@@ -8,8 +8,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

examples/hello_world/config/config.textproto

@@ -14,8 +14,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

examples/machine_learning/config/config.textproto

@@ -8,8 +8,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

examples/private_set_intersection/config/config.textproto

@@ -8,8 +8,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

examples/running_average/config/config.textproto

@@ -8,8 +8,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

examples/rustfmt/config/config.textproto

@@ -8,8 +8,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

examples/tensorflow/config/config.textproto

@@ -8,8 +8,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

examples/translator/config/config.textproto

@@ -8,8 +8,6 @@ node_configs {
   name: "grpc-server"
   grpc_server_config {
     address: "[::]:8080"
-    grpc_tls_private_key: "<bytes>"
-    grpc_tls_certificate: "<bytes>"
   }
 }
 node_configs {

oak/proto/application.proto

@@ -81,10 +81,6 @@ message GrpcServerConfiguration {
   // The endpoint address for the gRPC server to listen on.
   // `address` is represented as an "ip_address:tcp_port" string.
   string address = 1;
-  // Loaded private RSA key file used by a gRPC server pseudo-Node.
-  string grpc_tls_private_key = 2;
-  // Loaded PEM encoded X.509 TLS certificate file used by a gRPC server pseudo-Node.
-  string grpc_tls_certificate = 3;
 }
 
 // GrpcClientConfiguration describes the configuration of a gRPC client
@@ -94,12 +90,9 @@ message GrpcClientConfiguration {
   // The URI component of a gRPC server endpoint. Must contain the "Host" element.
   // https://docs.rs/tonic/0.2.1/tonic/transport/struct.Uri.html
   string uri = 1;
-  // Loaded PEM encoded X.509 TLS root certificate file used to authenticate an external gRPC
-  // service.
-  string root_tls_certificate = 2;
   // The endpoint address of the external gRPC service.
   // `address` is represented as an "ip_address:tcp_port" string.
-  string address = 3;
+  string address = 2;
 }
 
 // RoughtimeClientConfiguration describes the configuration of a Roughtime

oak/server/rust/oak_glue/src/lib.rs

@@ -19,7 +19,8 @@ use lazy_static::lazy_static;
 use log::{debug, error, info, warn};
 use oak_abi::OakStatus;
 use oak_runtime::{
-    proto::oak::application::ApplicationConfiguration, runtime::RuntimeProxy, NodeId,
+    proto::oak::application::ApplicationConfiguration, runtime::RuntimeProxy, GrpcConfiguration,
+    NodeId,
 };
 use prost::Message;
 use std::{convert::TryInto, io::Cursor, sync::RwLock};
@@ -115,14 +116,17 @@ pub unsafe extern "C" fn glue_start(
 
         // Configure the Rust Runtime, and run the gRPC server pseudo-Node as the implicit
         // initial Node.
-        let (grpc_proxy, grpc_handle) =
-            match oak_runtime::configure_and_run(app_config, runtime_config) {
-                Ok(p) => p,
-                Err(status) => {
-                    error!("Failed to start runtime: {:?}", status);
-                    return oak_abi::INVALID_HANDLE;
-                }
-            };
+        let (grpc_proxy, grpc_handle) = match oak_runtime::configure_and_run(
+            app_config,
+            runtime_config,
+            GrpcConfiguration::default(),
+        ) {
+            Ok(p) => p,
+            Err(status) => {
+                error!("Failed to start runtime: {:?}", status);
+                return oak_abi::INVALID_HANDLE;
+            }
+        };
         *node_id = grpc_proxy.node_id.0;
         info!(
             "runtime started, grpc_node_id={}, grpc_handle={}",

oak/server/rust/oak_loader/BUILD

@@ -31,9 +31,11 @@ rust_binary(
         "//cargo:anyhow",
         "//cargo:log",
         "//cargo:prost",
+        "//cargo:rustls",
         "//cargo:signal_hook",
         "//cargo:simple_logger",
         "//cargo:structopt",
+        "//cargo:tonic",
         "//oak/server/rust/oak_runtime",
     ],
 )

oak/server/rust/oak_loader/Cargo.toml

@@ -17,9 +17,13 @@ anyhow = "*"
 log = "*"
 oak_runtime = "=0.1.0"
 prost = "*"
+rustls = "*"
 signal-hook = "*"
 simple_logger = "*"
 structopt = "*"
+# Using an old version that is supported by `cargo-raze`:
+# https://github.com/google/cargo-raze/issues/41#issuecomment-592274128
+tonic = { version = "=0.1.1", features = ["tls"] }
 
 [dev-dependencies]
 maplit = "*"

oak/server/rust/oak_loader/src/main.rs

@@ -27,7 +27,10 @@
 use anyhow::anyhow;
 use core::str::FromStr;
 use log::{debug, info};
-use oak_runtime::{configure_and_run, proto::oak::application::ApplicationConfiguration};
+use oak_runtime::{
+    configure_and_run,
+    proto::oak::application::{ApplicationConfiguration, ConfigMap},
+};
 use prost::Message;
 use std::{
     collections::HashMap,
@@ -39,15 +42,11 @@ use std::{
     },
 };
 use structopt::StructOpt;
+use tonic::transport::{Certificate, Identity};
 
 #[cfg(test)]
 mod tests;
 
-use oak_runtime::proto::oak::application::{
-    node_configuration::ConfigType::{GrpcClientConfig, GrpcServerConfig},
-    ConfigMap,
-};
-
 #[derive(StructOpt, Clone, Debug)]
 #[structopt(about = "Oak Loader")]
 pub struct Opt {
@@ -133,6 +132,18 @@ pub fn parse_config_map(config_files: &[ConfigEntry]) -> anyhow::Result<ConfigMa
     })
 }
 
+/// Check the correctness of a PEM encoded TLS certificate.
+fn load_certificate(certificate: &str) -> anyhow::Result<Certificate> {
+    use rustls::internal::pemfile::certs;
+
+    let mut cursor = std::io::Cursor::new(certificate);
+    // `rustls` doesn't specify certificate parsing errors:
+    // https://docs.rs/rustls/0.17.0/rustls/internal/pemfile/fn.certs.html
+    certs(&mut cursor).map_err(|()| anyhow!("could not parse TLS certificate"))?;
+
+    Ok(Certificate::from_pem(certificate))
+}
+
 fn main() -> anyhow::Result<()> {
     if cfg!(feature = "oak_debug") {
         simple_logger::init_by_env();
@@ -150,45 +161,42 @@ fn main() -> anyhow::Result<()> {
 
     // Load application configuration.
     let app_config_data = read_file(&opt.application)?;
-    let mut app_config = ApplicationConfiguration::decode(app_config_data.as_ref())?;
-
-    // Assign a TLS identity to all gRPC server and client nodes in the application configuration.
-    let grpc_tls_private_key = read_to_string(&opt.grpc_tls_private_key)?;
-    let grpc_tls_certificate = read_to_string(&opt.grpc_tls_certificate)?;
-    let root_tls_certificate = read_to_string(&opt.root_tls_certificate)?;
-    for node in &mut app_config.node_configs {
-        if let Some(GrpcServerConfig(ref mut grpc_server_config)) = node.config_type {
-            grpc_server_config.grpc_tls_private_key = grpc_tls_private_key.clone();
-            grpc_server_config.grpc_tls_certificate = grpc_tls_certificate.clone();
-        } else if let Some(GrpcClientConfig(ref mut grpc_client_config)) = node.config_type {
-            grpc_client_config.root_tls_certificate = root_tls_certificate.clone();
-        }
-    }
+    let application_configuration = ApplicationConfiguration::decode(app_config_data.as_ref())?;
 
     // Create Runtime config.
-    #[cfg(feature = "oak_debug")]
-    let runtime_config = oak_runtime::RuntimeConfiguration {
-        metrics_port: if opt.no_metrics {
-            None
-        } else {
+    let runtime_configuration = oak_runtime::RuntimeConfiguration {
+        metrics_port: if cfg!(feature = "oak_debug") && !opt.no_metrics {
             Some(opt.metrics_port)
-        },
-        introspect_port: if opt.no_introspect {
-            None
         } else {
+            None
+        },
+        introspect_port: if cfg!(feature = "oak_debug") && !opt.no_introspect {
             Some(opt.introspect_port)
+        } else {
+            None
         },
     };
-    #[cfg(not(feature = "oak_debug"))]
-    let runtime_config = oak_runtime::RuntimeConfiguration {
-        metrics_port: None,
-        introspect_port: None,
+
+    // Create the overall gRPC configuration.
+    let grpc_tls_private_key = read_to_string(&opt.grpc_tls_private_key)?;
+    let grpc_tls_certificate = read_to_string(&opt.grpc_tls_certificate)?;
+    let root_tls_certificate = read_to_string(&opt.root_tls_certificate)?;
+    let grpc_configuration = oak_runtime::GrpcConfiguration {
+        grpc_server_tls_identity: Some(Identity::from_pem(
+            grpc_tls_certificate,
+            grpc_tls_private_key,
+        )),
+        grpc_client_root_tls_certificate: Some(load_certificate(&root_tls_certificate)?),
     };
 
     // Start the Runtime from the given config.
-    info!("starting Runtime, config {:?}", runtime_config);
-    let (runtime, initial_handle) = configure_and_run(app_config, runtime_config)
-        .map_err(|status| anyhow!("status {:?}", status))?;
+    info!("starting Runtime, config {:?}", runtime_configuration);
+    let (runtime, initial_handle) = configure_and_run(
+        application_configuration,
+        runtime_configuration,
+        grpc_configuration,
+    )
+    .map_err(|status| anyhow!("could not start runtime, status: {:?}", status))?;
     info!(
         "initial node {:?} with write handle {:?}",
         runtime.node_id, initial_handle