MCPcopy Create free account
hub / github.com/Dstack-TEE/dstack / get_or_generate_key_store

Method get_or_generate_key_store

dstack-util/src/system_setup.rs:496–581  ·  view source on GitHub ↗
(&self)

Source from the content-addressed store, hash-verified

494 }
495
496 async fn get_or_generate_key_store(&self) -> Result<GatewayKeyStore> {
497 // Try to load existing cache
498 let cache = GatewayKeyStore::load();
499
500 // If cache is fully valid, return it
501 if let Some(ref cache) = cache {
502 if cache.is_cert_valid() {
503 info!("Using cached gateway key store");
504 return Ok(cache.clone());
505 }
506 }
507
508 // Reuse WireGuard keys from cache if available, otherwise generate new ones
509 let (wg_sk, wg_pk) = if let Some(ref cache) = cache {
510 info!("Reusing cached WireGuard keys");
511 (cache.wg_sk.clone(), cache.wg_pk.clone())
512 } else {
513 info!("Generating new WireGuard keys");
514 let sk = cmd!(wg genkey)?;
515 let pk =
516 cmd!(echo $sk | wg pubkey).or(Err(anyhow!("Failed to generate public key")))?;
517 (sk, pk)
518 };
519
520 // Request new client certificates
521 info!("Requesting new client certificates");
522 let now = std::time::SystemTime::now()
523 .duration_since(std::time::UNIX_EPOCH)
524 .map(|d| d.as_secs())
525 .unwrap_or(0);
526 let cert_not_after = now + CERT_VALIDITY_SECS;
527 let cert_client = CertRequestClient::create(
528 self.keys,
529 self.shared.sys_config.pccs_url.as_deref(),
530 self.shared.sys_config.vm_config.clone(),
531 )
532 .await
533 .context("Failed to create cert client")?;
534 let key =
535 KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).context("Failed to generate key")?;
536
537 // Request certificate without quote (for new gateways)
538 let config = CertConfigV2 {
539 org_name: None,
540 subject: "dstack-guest-agent".to_string(),
541 subject_alt_names: vec![],
542 usage_server_auth: false,
543 usage_client_auth: true,
544 ext_quote: false,
545 ext_app_info: true,
546 not_before: None,
547 not_after: Some(cert_not_after),
548 };
549 let certs = sign_cert_request(&cert_client, &key, config)
550 .await
551 .context("Failed to request cert")?;
552 let client_cert = certs.join("\n");
553 let client_key = key.serialize_pem();

Callers 1

setupMethod · 0.80

Calls 3

sign_cert_requestFunction · 0.85
is_cert_validMethod · 0.80
cloneMethod · 0.80

Tested by

no test coverage detected