(&self)
| 494 | } |
| 495 | |
| 496 | async fn get_or_generate_key_store(&self) -> Result<GatewayKeyStore> { |
| 497 | // Try to load existing cache |
| 498 | let cache = GatewayKeyStore::load(); |
| 499 | |
| 500 | // If cache is fully valid, return it |
| 501 | if let Some(ref cache) = cache { |
| 502 | if cache.is_cert_valid() { |
| 503 | info!("Using cached gateway key store"); |
| 504 | return Ok(cache.clone()); |
| 505 | } |
| 506 | } |
| 507 | |
| 508 | // Reuse WireGuard keys from cache if available, otherwise generate new ones |
| 509 | let (wg_sk, wg_pk) = if let Some(ref cache) = cache { |
| 510 | info!("Reusing cached WireGuard keys"); |
| 511 | (cache.wg_sk.clone(), cache.wg_pk.clone()) |
| 512 | } else { |
| 513 | info!("Generating new WireGuard keys"); |
| 514 | let sk = cmd!(wg genkey)?; |
| 515 | let pk = |
| 516 | cmd!(echo $sk | wg pubkey).or(Err(anyhow!("Failed to generate public key")))?; |
| 517 | (sk, pk) |
| 518 | }; |
| 519 | |
| 520 | // Request new client certificates |
| 521 | info!("Requesting new client certificates"); |
| 522 | let now = std::time::SystemTime::now() |
| 523 | .duration_since(std::time::UNIX_EPOCH) |
| 524 | .map(|d| d.as_secs()) |
| 525 | .unwrap_or(0); |
| 526 | let cert_not_after = now + CERT_VALIDITY_SECS; |
| 527 | let cert_client = CertRequestClient::create( |
| 528 | self.keys, |
| 529 | self.shared.sys_config.pccs_url.as_deref(), |
| 530 | self.shared.sys_config.vm_config.clone(), |
| 531 | ) |
| 532 | .await |
| 533 | .context("Failed to create cert client")?; |
| 534 | let key = |
| 535 | KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).context("Failed to generate key")?; |
| 536 | |
| 537 | // Request certificate without quote (for new gateways) |
| 538 | let config = CertConfigV2 { |
| 539 | org_name: None, |
| 540 | subject: "dstack-guest-agent".to_string(), |
| 541 | subject_alt_names: vec![], |
| 542 | usage_server_auth: false, |
| 543 | usage_client_auth: true, |
| 544 | ext_quote: false, |
| 545 | ext_app_info: true, |
| 546 | not_before: None, |
| 547 | not_after: Some(cert_not_after), |
| 548 | }; |
| 549 | let certs = sign_cert_request(&cert_client, &key, config) |
| 550 | .await |
| 551 | .context("Failed to request cert")?; |
| 552 | let client_cert = certs.join("\n"); |
| 553 | let client_key = key.serialize_pem(); |
no test coverage detected