Adds an option to serve and verify regular TLS

Ruteri · Ruteri · commit 8f317660eefc · 2024-10-04T12:38:56.000+02:00
diff --git a/cmd/proxy-client/main.go b/cmd/proxy-client/main.go
@@ -1,14 +1,14 @@
 package main
 
 import (
+	"errors"
 	"log"
 	"net/http"
 	"os"
 
 	"github.com/flashbots/cvm-reverse-proxy/common"
 	"github.com/flashbots/cvm-reverse-proxy/internal/atls"
 	"github.com/flashbots/cvm-reverse-proxy/proxy"
-
 	"github.com/urfave/cli/v2" // imports as package "cli"
 )
 
@@ -28,6 +28,11 @@ var flags []cli.Flag = []cli.Flag{
 		Value: string(proxy.AttestationAzureTDX),
 		Usage: "type of attestation to expect and verify (" + proxy.AvailableAttestationTypes + ")",
 	},
+	&cli.BoolFlag{
+		Name:  "verify-tls",
+		Value: false,
+		Usage: "verify server's TLS certificate instead of server's attestation. Only valid for server-attestation-type=none.",
+	},
 	&cli.StringFlag{
 		Name:  "server-measurements",
 		Usage: "optional path to JSON measurements enforced on the server",
@@ -76,6 +81,11 @@ func runClient(cCtx *cli.Context) error {
 		Version: common.Version,
 	})
 
+	if cCtx.String("server-attestation-type") != "none" && cCtx.Bool("verify-tls") {
+		log.Error("invalid combination of --verify-tls and --server-attestation-type passed (only 'none' is allowed)")
+		return errors.New("invalid combination of --verify-tls and --server-attestation-type passed (only 'none' is allowed)")
+	}
+
 	clientAttestationType, err := proxy.ParseAttestationType(cCtx.String("client-attestation-type"))
 	if err != nil {
 		log.With("attestation-type", cCtx.String("client-attestation-type")).Error("invalid client-attestation-type passed, see --help")
@@ -106,6 +116,11 @@ func runClient(cCtx *cli.Context) error {
 		return err
 	}
 
+	if cCtx.Bool("verify-tls") {
+		tlsConfig.InsecureSkipVerify = false
+		tlsConfig.VerifyPeerCertificate = nil // TODO: make sure this is needed
+	}
+
 	proxyHandler := proxy.NewProxy(targetAddr, validators).WithTransport(&http.Transport{TLSClientConfig: tlsConfig})
 
 	log.With("listenAddr", listenAddr).Info("about to start proxy")
diff --git a/cmd/proxy-server/main.go b/cmd/proxy-server/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"log"
 	"net/http"
 	"os"
@@ -13,7 +14,6 @@ import (
 	"github.com/flashbots/cvm-reverse-proxy/common"
 	"github.com/flashbots/cvm-reverse-proxy/internal/atls"
 	"github.com/flashbots/cvm-reverse-proxy/proxy"
-
 	"github.com/urfave/cli/v2" // imports as package "cli"
 )
 
@@ -38,6 +38,14 @@ var flags []cli.Flag = []cli.Flag{
 		Value: string(proxy.AttestationNone),
 		Usage: "type of attestation to expect and verify (" + proxy.AvailableAttestationTypes + ")",
 	},
+	&cli.StringFlag{
+		Name:  "tls-certificate",
+		Usage: "Certificate to present (PEM)",
+	},
+	&cli.StringFlag{
+		Name:  "tls-private-key",
+		Usage: "Private key for the certificate (PEM)",
+	},
 	&cli.StringFlag{
 		Name:  "client-measurements",
 		Usage: "optional path to JSON measurements enforced on the client",
@@ -73,6 +81,10 @@ func runServer(cCtx *cli.Context) error {
 	clientMeasurements := cCtx.String("client-measurements")
 	logJSON := cCtx.Bool("log-json")
 	logDebug := cCtx.Bool("log-debug")
+	serverAttestationTypeFlag := cCtx.String("server-attestation-type")
+
+	certFile := cCtx.String("tls-certificate")
+	keyFile := cCtx.String("tls-private-key")
 
 	log := common.SetupLogger(&common.LoggingOpts{
 		Debug:   logDebug,
@@ -81,7 +93,18 @@ func runServer(cCtx *cli.Context) error {
 		Version: common.Version,
 	})
 
-	serverAttestationType, err := proxy.ParseAttestationType(cCtx.String("server-attestation-type"))
+	useRegularTLS := certFile != "" || keyFile != ""
+	if serverAttestationTypeFlag != "none" && useRegularTLS {
+		log.Error("invalid combination of --tls-certificate, --tls-private-key and --server-attestation-type flags passed (only 'none' is allowed)")
+		return errors.New("invalid combination of --tls-certificate, --tls-private-key and --server-attestation-type flags passed (only 'none' is allowed)")
+	}
+
+	if useRegularTLS && (certFile == "" || keyFile == "") {
+		log.Error("not all of --tls-certificate and --tls-private-key specified")
+		return errors.New("not all of --tls-certificate and --tls-private-key specified")
+	}
+
+	serverAttestationType, err := proxy.ParseAttestationType(serverAttestationTypeFlag)
 	if err != nil {
 		log.With("attestation-type", cCtx.String("server-attestation-type")).Error("invalid server-attestation-type passed, see --help")
 		return err
@@ -112,6 +135,29 @@ func runServer(cCtx *cli.Context) error {
 		panic(err)
 	}
 
+	if useRegularTLS {
+		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			log.Error("could not load tls key pair", "err", err)
+			return err
+		}
+
+		originalGetConfigForClient := confTLS.GetConfigForClient
+		confTLS.GetConfigForClient = func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
+			ogClientConfig, err := originalGetConfigForClient(clientHello)
+			if err != nil {
+				return ogClientConfig, err
+			}
+
+			// Note: we don't have to copy the certificate because it's always created per request
+			ogClientConfig.Certificates = []tls.Certificate{cert}
+			ogClientConfig.GetClientCertificate = nil
+			ogClientConfig.ServerName = ""
+			return ogClientConfig, nil
+		}
+
+	}
+
 	// Create an HTTP server
 	server := &http.Server{
 		Addr:      listenAddr,
