TLS tag for information flow #814
Comments
|
This should probably use subject alternative names (SAN), as the use of CN is considered deprecated. |
|
Related to #819 |
Covers SAN name only Ref project-oak#814
Covers SAN name only. Not used in code yet. Ref project-oak#814
Covers SAN name only. Not used in code yet. Ref #814
|
I am implementing this now, but I cannot find a way of getting the actual server name from an established gRPC channel. I am considering adding a oak/oak/proto/application.proto Lines 103 to 113 in 9679f79 and then pass that to @daviddrysdale @conradgrobler @ipetr0v does this sound reasonable? It would need we would have to pass both from existing application when creating a gRPC client node though. Alternatively, I don't think there is a way of uniquely determining the TLS domain name from just the URI, right? i.e. |
|
I think the trusted domain and the SAN entries in the certificates can be separated. If a user trusts a domain (e.g. Another (but probably future and separate) feature that might be useful would be to be able to specify a certificate fingerprint to trust, in which case the domain name is not important, only that it was verified using a specific certificate. |
|
So if the connection is to
This goes back to my original question: how do we get any details about an established TLS connection, for instance in order to check fingerprint or any other details of the cert used for the handshake? |
If we allow users to specify wildcards for trust (I am not sure we should), we should be quite strict and require explicit wildcards. E.g. if a user specifies
I suspect this would involve using lower level components from rustls for setting up the initial connection (perhaps by writing a custom TLS connector that stores the certificate information). The Channel is generic, and can represent a plain unencrypted connection or a TLS encrypted channel if TLS is enabled. |
For simple cases, is this needed? If we've asked To put it another way, could we get away with just extracting |
|
This is what I ended up doing in fact (PR coming soon), but it seems in the future we may want more flexibility, for instance if |
I'm not sure it would be safe to assume any correlation between the SAN domains covered in a UCC cert (example). |
Replace the certificate SAN name field in the label, with a field that represents the authority (host:port) of the remote endpoint instead. Make `run_event_loop` more type safe by passing in a `Reciever<T>` where `T` is the same type of the `Node<T>` that actually handles the messages. Create an explicit `GrpcServerInit` message to pass to a gRPC server pseudo-node, instead of manually passing handles to it in an unstructured way. Remove unused `address` field from `GrpcClientConfiguration` protobuf message. Split aggregator example in two nodes, so that the gRPC worker node may be assigned a different label in the future, to reflect the fact that it is handling non-public data. Add explicit scheme to gRPC client URL in aggregator example (not sure how / whether it worked previously, Tonic complains). Make aggregator client submit a meaningful number of samples in order to reach the aggregation threshold, instead of just one. Ref project-oak#814
Replace the certificate SAN name field in the label, with a field that represents the authority (host:port) of the remote endpoint instead. Make `run_event_loop` more type safe by passing in a `Reciever<T>` where `T` is the same type of the `Node<T>` that actually handles the messages. Create an explicit `GrpcServerInit` message to pass to a gRPC server pseudo-node, instead of manually passing handles to it in an unstructured way. Remove unused `address` field from `GrpcClientConfiguration` protobuf message. Split aggregator example in two nodes, so that the gRPC worker node may be assigned a different label in the future, to reflect the fact that it is handling non-public data. Add explicit scheme to gRPC client URL in aggregator example (not sure how / whether it worked previously, Tonic complains). Make aggregator client submit a meaningful number of samples in order to reach the aggregation threshold, instead of just one. Ref project-oak#814
Replace the certificate SAN name field in the label, with a field that represents the authority (host:port) of the remote endpoint instead. Make `run_event_loop` more type safe by passing in a `Reciever<T>` where `T` is the same type of the `Node<T>` that actually handles the messages. Create an explicit `GrpcServerInit` message to pass to a gRPC server pseudo-node, instead of manually passing handles to it in an unstructured way. Remove unused `address` field from `GrpcClientConfiguration` protobuf message. Split aggregator example in two nodes, so that the gRPC worker node may be assigned a different label in the future, to reflect the fact that it is handling non-public data. Add explicit scheme to gRPC client URL in aggregator example (not sure how / whether it worked previously, Tonic complains). Make aggregator client submit a meaningful number of samples in order to reach the aggregation threshold, instead of just one. Ref project-oak#814
Replace the certificate SAN name field in the label, with a field that represents the authority (host:port) of the remote endpoint instead. Make `run_event_loop` more type safe by passing in a `Reciever<T>` where `T` is the same type of the `Node<T>` that actually handles the messages. Create an explicit `GrpcServerInit` message to pass to a gRPC server pseudo-node, instead of manually passing handles to it in an unstructured way. Remove unused `address` field from `GrpcClientConfiguration` protobuf message. Split aggregator example in two nodes, so that the gRPC worker node may be assigned a different label in the future, to reflect the fact that it is handling non-public data. Add explicit scheme to gRPC client URL in aggregator example (not sure how / whether it worked previously, Tonic complains). Make aggregator client submit a meaningful number of samples in order to reach the aggregation threshold, instead of just one. Ref project-oak#814
Replace the certificate SAN name field in the label, with a field that represents the authority (host:port) of the remote endpoint instead. Make `run_event_loop` more type safe by passing in a `Reciever<T>` where `T` is the same type of the `Node<T>` that actually handles the messages. Create an explicit `GrpcServerInit` message to pass to a gRPC server pseudo-node, instead of manually passing handles to it in an unstructured way. Remove unused `address` field from `GrpcClientConfiguration` protobuf message. Split aggregator example in two nodes, so that the gRPC worker node may be assigned a different label in the future, to reflect the fact that it is handling non-public data. Add explicit scheme to gRPC client URL in aggregator example (not sure how / whether it worked previously, Tonic complains). Make aggregator client submit a meaningful number of samples in order to reach the aggregation threshold, instead of just one. Ref #814
Introduce a new type of tag to the information flow control system, which specifies the common name (CN) (and / or other fields) of a certificate that needs to be presented over TLS by a non-Oak destination server.
For instance, data labelled with a secrecy tag of "tls:spanner.google.com" may be sent to that destination via a gRPC client pseudo-node.
The enforcement of this label is managed by the gRPC client pseudo-node implementation. If and when other kinds of pseudo-nodes are implemented (e.g. HTTP client), those will also need to enforce such label. Effectively, the gRPC client pseudo-node must have the ability to declassify this label, based on the details of the entity on the other side of a TLS connection.
oak/oak/proto/policy.proto
Lines 37 to 42 in 006b921
The text was updated successfully, but these errors were encountered: