kms: Use intermediate cert to sign app certs

Author: kvinwang

cert-client/src/lib.rs

@@ -23,7 +23,7 @@ impl CertRequestClient {
         match self {
             CertRequestClient::Local { ca } => {
                 let cert = ca
-                    .sign_csr(csr, None)
+                    .sign_csr(csr, None, "app:custom")
                     .context("Failed to sign certificate")?;
                 Ok(vec![cert.pem(), ca.pem_cert.clone()])
             }

kms/src/main_service.rs

@@ -11,7 +11,7 @@ use kms_rpc::{
 use ra_rpc::{Attestation, CallContext, RpcCall};
 use ra_tls::{
     attestation::VerifiedAttestation,
-    cert::{CaCert, CertSigningRequest},
+    cert::{CaCert, CertRequest, CertSigningRequest},
     kdf,
 };
 use scale::Decode;
@@ -138,6 +138,26 @@ impl RpcHandler {
             tproxy_app_id: response.tproxy_app_id,
         })
     }
+
+    fn derive_app_ca(&self, app_id: &[u8]) -> Result<CaCert> {
+        let context_data = vec![app_id, b"app-ca"];
+        let app_key = kdf::derive_ecdsa_key_pair(&self.state.root_ca.key, &context_data)
+            .context("Failed to derive app disk key")?;
+        let req = CertRequest::builder()
+            .key(&app_key)
+            .org_name("Dstack")
+            .subject("Dstack App CA")
+            .ca_level(0)
+            .app_id(app_id)
+            .special_usage("app:ca")
+            .build();
+        let app_ca = self
+            .state
+            .root_ca
+            .sign(req)
+            .context("Failed to sign App CA")?;
+        Ok(CaCert::from_parts(app_key, app_ca))
+    }
 }
 
 impl KmsRpc for RpcHandler {
@@ -245,13 +265,16 @@ impl KmsRpc for RpcHandler {
         let app_info = self
             .ensure_app_attestation_allowed(&attestation, false, true)
             .await?;
-        let cert = self
-            .state
-            .root_ca
-            .sign_csr(&csr, Some(&app_info.boot_info.app_id))
+        let app_ca = self.derive_app_ca(&app_info.boot_info.app_id)?;
+        let cert = app_ca
+            .sign_csr(&csr, Some(&app_info.boot_info.app_id), "app:custom")
             .context("Failed to sign certificate")?;
         Ok(SignCertResponse {
-            certificate_chain: vec![cert.pem(), self.state.root_ca.pem_cert.clone()],
+            certificate_chain: vec![
+                cert.pem(),
+                app_ca.pem_cert.clone(),
+                self.state.root_ca.pem_cert.clone(),
+            ],
         })
     }
 }

kms/src/onboard_service.rs

@@ -126,7 +126,7 @@ impl Keys {
         let ca_cert = CertRequest::builder()
             .org_name("Dstack")
             .subject("Dstack KMS CA")
-            .ca_level(0)
+            .ca_level(1)
             .key(&ca_key)
             .build()
             .self_signed()?;

ra-tls/src/cert.rs

@@ -53,6 +53,15 @@ impl CaCert {
         })
     }
 
+    /// Instantiate a new CA certificate with a given private key and pem cert.
+    pub fn from_parts(key: KeyPair, cert: Certificate) -> Self {
+        Self {
+            pem_cert: cert.pem(),
+            cert,
+            key,
+        }
+    }
+
     /// Load a CA certificate and private key from files.
     pub fn load(cert_path: impl AsRef<Path>, key_path: impl AsRef<Path>) -> Result<Self> {
         let pem_key = fs::read_to_string(key_path).context("Failed to read key file")?;
@@ -66,7 +75,12 @@ impl CaCert {
     }
 
     /// Sign a remote certificate signing request.
-    pub fn sign_csr(&self, csr: &CertSigningRequest, app_id: Option<&[u8]>) -> Result<Certificate> {
+    pub fn sign_csr(
+        &self,
+        csr: &CertSigningRequest,
+        app_id: Option<&[u8]>,
+        usage: &str,
+    ) -> Result<Certificate> {
         let pki = rcgen::SubjectPublicKeyInfo::from_der(&csr.pubkey)
             .context("Failed to parse signature")?;
         let cfg = &csr.config;
@@ -80,6 +94,7 @@ impl CaCert {
             .maybe_quote(cfg.ext_quote.then_some(&csr.quote))
             .maybe_event_log(cfg.ext_quote.then_some(&csr.event_log))
             .maybe_app_id(app_id)
+            .special_usage(usage)
             .build();
         self.sign(req).context("Failed to sign certificate")
     }