Documentation
¶
Index ¶
- func SignAttestationReport(mu *sync.Mutex, ar ArJws, priv crypto.PrivateKey, pub crypto.PublicKey, ...) (bool, []byte)
- type AppDescription
- type AppManifest
- type ArJws
- type ArPlain
- type CertParams
- type CompanyDescription
- type ConnectorDescription
- type ExternalInterface
- type HashChainElem
- type InternalConnection
- type JSONType
- type Measurement
- type MeasurementParams
- type Measurer
- type Name
- type OsManifest
- type RtmManifest
- type SwMeasurement
- type SwParams
- type SwVerification
- type TpmCerts
- type TpmMeasurement
- type TpmParams
- type TpmVerification
- type Validity
- type VerificationResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SignAttestationReport ¶
func SignAttestationReport(mu *sync.Mutex, ar ArJws, priv crypto.PrivateKey, pub crypto.PublicKey, certsPem [][]byte) (bool, []byte)
SignAttestationReport signs the attestation report with private key 'priv' and appends the pem encoded certificate chain 'certsPem' to the JWS structure. The certificates must be handed over in the order they should be appended (Signing Certificate -> Intermediate Certificates -> Root CA Certificate) Parameter 'mu' is an optional mutex, in case the private key requires exclusive access (e.g. because it is located in a hardware module)
Types ¶
type AppDescription ¶
type AppDescription struct { Type string `json:"type"` Name string `json:"name"` AppManifest string `json:"appManifest"` // Links to Type 'App Manifest'->'Name' External []ExternalInterface `json:"externalConnections"` }
AppDescription represents the JSON attestation report element of type 'App Description' signed by the operator
type AppManifest ¶
type AppManifest struct { Type string `json:"type"` Name string `json:"name"` DevCommonName string `json:"developerCommonName"` Version string `json:"version"` Oss []string `json:"oss"` // Links to Type 'OsManifest'->'Name' Description string `json:"description"` CertificationLevel int `json:"certificationLevel"` Validity Validity `json:"validity"` Verifications []SwVerification `json:"verifications"` }
AppManifest represents the JSON attestation report element of type 'App Manifest' signed by developer, evaluator, certifier
type ArJws ¶
type ArJws struct { Type string `json:"type"` TpmM TpmMeasurement `json:"tpmMeasurement,omitempty"` SWM []SwMeasurement `json:"swMeasurements,omitempty"` RtmManifest string `json:"rtmManifests"` OsManifest string `json:"osManifest"` AppManifests []string `json:"appManifests"` CompanyDescription string `json:"companyDescription"` ConnectorDescription string `json:"connectorDescription"` Nonce string `json:"nonce"` }
ArJws represents the attestation report in JWS format with its contents already in signed JWs format
func GenAttestationReport ¶
func GenAttestationReport(nonce []byte, metadata [][]byte, measurements []Measurement, measurementParams []MeasurementParams) ArJws
GenAttestationReport generates an attestation report with the provided nonce 'nonce' and manifests and descriptions 'metadata'. The manifests and descriptions must be raw JWS tokens in the JWS JSON full serialization format. Takes a list of 'measurements' and accompanying 'measurementParams', which must be arrays of the same length. The 'measurements' must implement the attestation report 'Measurer' interface providing a method for collecting the measurements from a hardware or software interface
type ArPlain ¶
type ArPlain struct { Type string `json:"type"` TpmM TpmMeasurement `json:"tpmMeasurement,omitempty"` SWM []SwMeasurement `json:"swMeasurements,omitempty"` RtmManifest RtmManifest `json:"rtmManifest"` OsManifest OsManifest `json:"osManifest"` AppManifests []AppManifest `json:"appManifests"` CompanyDescription CompanyDescription `json:"companyDescription"` ConnectorDescription ConnectorDescription `json:"connectorDescription"` Nonce string `json:"nonce"` }
ArPlain represents the attestation report with its plain elements
type CertParams ¶
type CertParams struct { Type string `json:"type"` Subject Name `json:"subject,omitempty"` SANs []string `json:"sans,omitempty"` }
CertParams contains params of an x.509 certificate. The tpm module cannot send an AK CSR to the server, as the AK is a restricted key which does not allow signing of non-TPM-based objects such as CSRs. Therefore, pass the certificate parameters encoded in this structure
type CompanyDescription ¶
type CompanyDescription struct { Type string `json:"type"` DN string `json:"dn"` CertificationLevel int `json:"certificationLevel"` Description string `json:"description"` Validity Validity `json:"validity"` }
CompanyDescription represents the JSON attestation report element of type 'Company Description' signed by company representative, evaluator, certifier
type ConnectorDescription ¶
type ConnectorDescription struct { Type string `json:"type"` Fqdn string `json:"fqdn"` Description string `json:"description"` Location string `json:"location"` RtmManifest string `json:"rtmManifest"` OsManifest string `json:"osManifest"` AppDescriptions []AppDescription `json:"appDescriptions"` Internal []InternalConnection `json:"internalConnections"` External []ExternalInterface `json:"externalEndpoints"` }
ConnectorDescription represents the JSON attestation report element of type 'Connector Description' signed by the operator
type ExternalInterface ¶
type ExternalInterface struct { Type string `json:"type"` AppEndpoint string `json:"appEndpoint"` // Links to Type 'App Manifest'->'Endpoint' Interface string `json:"interface"` // Links to Type 'App Description'->'Name' Port int `json:"port"` // Links to Type 'App Manifest'->'Endpoint' }
ExternalInterface represents the JSON attestation report element of type 'External Interfaces' signed by the operator
type HashChainElem ¶
type HashChainElem struct { Type string `json:"type"` Pcr int32 `json:"pcr"` Sha256 []string `json:"sha256"` }
HashChainElem represents the JSON attestation report element of type 'Hash Chain' embedded in 'TPM Measurement'
type InternalConnection ¶
type InternalConnection struct { Type string `json:"type"` NameAppA string `json:"nameAppA"` // Links to Type 'App Description'->'Name' EndpointAppA string `json:"endpointAppA"` // Links to Type 'App Manifest'->'Endpoint' NameAppB string `json:"nameAppB"` // Links to Type 'App Description'->'Name' EndpointAppB string `json:"endpointAppB"` // Links to Type 'App Manifest'->'Endpoint' }
InternalConnection represents the JSON attestation report element of type 'Internal Connection' signed by the operator
type JSONType ¶
type JSONType struct {
Type string `json:"type"`
}
JSONType is a helper struct for just extracting the JSON 'Type'
type Measurement ¶
type Measurement interface{}
Measurement is a generic interface for a Measurement, such as a TpmMeasurement
type MeasurementParams ¶
type MeasurementParams interface{}
MeasurementParams is a generic interface for measurement parameters
type Measurer ¶
type Measurer interface {
Measure(mp MeasurementParams) (Measurement, error)
}
Measurer is an interface implementing the Measure method for each type of measurement Each type of interface that is capable of providing measurements (such as the tpmw module) is expected to implement this method. The attestationreport module will call this method to retrieve the measurements of the platform during attestation report generation.
type Name ¶
type Name struct { CommonName string `json:"commonName,omitempty"` Country string `json:"country,omitempty"` Organization string `json:"organization,omitempty"` OrganizationalUnit string `json:"organizationalUnit,omitempty"` Locality string `json:"locality,omitempty"` Province string `json:"province,omitempty"` StreetAddress string `json:"streetAddress,omitempty"` PostalCode string `json:"postalCode,omitempty"` Names []interface{} `json:"names,omitempty"` }
Name is the PKIX Name for CertParams
type OsManifest ¶
type OsManifest struct { Type string `json:"type"` Name string `json:"name"` DevCommonName string `json:"developerCommonName"` Version string `json:"version"` Rtms []string `json:"rtms"` // Links to Type 'RTM Manifest'->'Name' Description string `json:"description"` CertificationLevel int `json:"certificationLevel"` Validity Validity `json:"validity"` Verifications []TpmVerification `json:"verifications"` }
OsManifest represents the JSON attestation report element of type 'OsManifest' signed by developer, evaluator, certifier
type RtmManifest ¶
type RtmManifest struct { Type string `json:"type"` Name string `json:"name"` DevCommonName string `json:"developerCommonName"` Version string `json:"version"` Description string `json:"description"` CertificationLevel int `json:"certificationLevel"` Validity Validity `json:"validity"` Verifications []TpmVerification `json:"verifications"` }
RtmManifest represents the JSON attestation report element of type 'RTM Manifest' signed by developer, evaluator, certifier
type SwMeasurement ¶
type SwMeasurement struct { Type string `json:"type"` Name string `json:"name"` Sha256 string `json:"sha256"` }
SwMeasurement represents the JSON attestation report element of type 'Software Measurement' signed by the device
type SwParams ¶
type SwParams struct{}
SwParams are parameters for retrieving SW measurements. Currently none required
type SwVerification ¶
type SwVerification struct { Type string `json:"type"` Name string `json:"name"` Sha256 string `json:"sha256"` }
SwVerification represents the JSON attestation report element of type 'Software Verification' signed by the device
type TpmCerts ¶
type TpmCerts struct { AkCert string `json:"akCert"` Intermediates []string `json:"akIntermediates"` CaCert string `json:"caCertificate"` }
TpmCerts is a helper struct for the AK certificate chain
type TpmMeasurement ¶
type TpmMeasurement struct { Type string `json:"type"` Message string `json:"message"` Signature string `json:"signature"` Certs TpmCerts `json:"certs"` HashChain []*HashChainElem `json:"hashChain"` }
TpmMeasurement represents the JSON attestation report element of type 'TPM Measurement' signed by the device
type TpmParams ¶
TpmParams are Parameters for retrieving TPM measurements: The nonce is embedded into the quote. Pcrs must be set to the PCRs that should be embedded into the quote. Certs represent the AK certificate chain including EK and CA. UseIma species if the kernel's Integrity Measurement Architecture (IMA) should be used and ImaPcr specifies the PCR used by the IMA (kernel config)
type TpmVerification ¶
type TpmVerification struct { Type string `json:"type"` Name string `json:"name"` Pcr int `json:"pcr"` Sha256 string `json:"sha256"` }
TpmVerification represents the JSON attestation report element of type 'TPM Verification' signed by the device
type VerificationResult ¶
type VerificationResult struct { Type string `json:"type"` Success bool `json:"raSuccessful"` CertLevel int `json:"certificationLevel"` Log []string `json:"log"` }
VerificationResult represents the following JSON attestation report element of type 'Verification Result'.
func VerifyAttestationReport ¶
func VerifyAttestationReport(arRaw string, nonce, caCertPem []byte) VerificationResult
VerifyAttestationReport verifies an attestation report in full serialized JWS format against the supplied nonce and CA certificate. Verifies the certificate chains of all attestation report elements as well as the measurements against the verifications and the compatibility of software artefacts.