Overview ¶
Package server contains the reference server implementation for the CC + EKM integration.
Index ¶
- Constants
- type Channel
- type SecureSessionHTTPService
- type SecureSessionService
- func (s *SecureSessionService) BeginSession(ctx context.Context, req *sspb.BeginSessionRequest) (*sspb.BeginSessionResponse, error)
- func (s *SecureSessionService) ConfidentialUnwrap(ctx context.Context, req *cwpb.ConfidentialUnwrapRequest) (*cwpb.ConfidentialUnwrapResponse, error)
- func (s *SecureSessionService) ConfidentialWrap(ctx context.Context, req *cwpb.ConfidentialWrapRequest) (*cwpb.ConfidentialWrapResponse, error)
- func (s *SecureSessionService) EndSession(ctx context.Context, req *sspb.EndSessionRequest) (*sspb.EndSessionResponse, error)
- func (s *SecureSessionService) Finalize(ctx context.Context, req *sspb.FinalizeRequest) (*sspb.FinalizeResponse, error)
- func (s *SecureSessionService) Handshake(ctx context.Context, req *sspb.HandshakeRequest) (*sspb.HandshakeResponse, error)
- func (s *SecureSessionService) NegotiateAttestation(ctx context.Context, req *sspb.NegotiateAttestationRequest) (*sspb.NegotiateAttestationResponse, error)
- func (s *SecureSessionService) Wrap(keyURI string, aad, plaintext []byte) []byte
- type SrvState
Constants ¶
const (
	ServerStateUninitialized = iota
	ServerStateInitiated
	ServerStateHandshakeCompleted
	ServerStateAttestationNegotiated
	ServerStateAttestationAccepted
	ServerStateEnded
	ServerStateFailed
	ServerStateUnknown
)
Constants representing the different server-side session states.
const (
	// KeyPath1 is the key path for key1 in the reference server, which has
	// no policy requirements.
	KeyPath1 = "key1"
	// KeyPath2 is the key path for key2 in the reference server, which requires
	// a minimum technology of SEV to wrap or unwrap keys.
	KeyPath2 = "key2"
	// TokenMetadataKey is the metadata key for the JWT.
	TokenMetadataKey = "authorization"
	// TokenPrefix is prepended to the JWT in the HTTP header/context map.
	TokenPrefix = "Bearer "
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Channel ¶
type Channel struct {
// contains filtered or unexported fields
}
Channel holds the connection internals.
func NewChannel ¶
NewChannel sets up the TLS context and the network shim.
type SecureSessionHTTPService ¶
type SecureSessionHTTPService struct {
// contains filtered or unexported fields
}
SecureSessionHTTPService is an HTTP-to-gRPC proxy for SecureSessionService, to be used for local testing only.
func NewSecureSessionHTTPService ¶
func NewSecureSessionHTTPService(address, authToken string) (*SecureSessionHTTPService, error)
NewSecureSessionHTTPService creates and returns an instance of SecureSessionHTTPService. The caller should call SecureSessionHTTPService.Close() when finished.
func NewSecureSessionHTTPServiceWithFakeClients ¶
func NewSecureSessionHTTPServiceWithFakeClients(address, authToken string, sessionClient ssgrpc.ConfidentialEkmSessionEstablishmentServiceClient, wrapClient cwgrpc.ConfidentialWrapUnwrapServiceClient) (*SecureSessionHTTPService, error)
NewSecureSessionHTTPServiceWithFakeClients creates and returns an instance of SecureSessionHTTPService that uses the provided fake clients. The caller should call SecureSessionHTTPService.Close() when finished.
func (*SecureSessionHTTPService) Handler ¶
func (s *SecureSessionHTTPService) Handler(w http.ResponseWriter, r *http.Request)
Handler acts as an http.HandlerFunc for HTTP servers.
type SecureSessionService ¶
type SecureSessionService struct {
	// Necessary to embed these to maintain forward compatibility.
	pb.UnimplementedConfidentialEkmSessionEstablishmentServiceServer
	cwpb.UnimplementedConfidentialWrapUnwrapServiceServer
	// contains filtered or unexported fields
}
SecureSessionService implements the SecureSession interface.
func NewSecureSessionService ¶
func NewSecureSessionService(tlsVersion uint16, audience string) (srv *SecureSessionService, err error)
NewSecureSessionService creates an instance of the secure session service.
func (*SecureSessionService) BeginSession ¶
func (s *SecureSessionService) BeginSession(ctx context.Context, req *sspb.BeginSessionRequest) (*sspb.BeginSessionResponse, error)
func (*SecureSessionService) ConfidentialUnwrap ¶
func (s *SecureSessionService) ConfidentialUnwrap(ctx context.Context, req *cwpb.ConfidentialUnwrapRequest) (*cwpb.ConfidentialUnwrapResponse, error)
ConfidentialUnwrap unwraps the given ciphertext with the aad by splitting it on the first occurrence of the requested key. The expected format of the wrapped text is (aad | key | plaintext). If the requested key is not present, or if the part before the split does not match the aad, unwrapping fails and an error is returned. Otherwise, the recovered plaintext is returned.
func (*SecureSessionService) ConfidentialWrap ¶
func (s *SecureSessionService) ConfidentialWrap(ctx context.Context, req *cwpb.ConfidentialWrapRequest) (*cwpb.ConfidentialWrapResponse, error)
ConfidentialWrap wraps the aad and plaintext in the request by concatenating them as (aad | key | plaintext); the wrapping is plain concatenation, not encryption, which is why this is a reference implementation.
func (*SecureSessionService) EndSession ¶
func (s *SecureSessionService) EndSession(ctx context.Context, req *sspb.EndSessionRequest) (*sspb.EndSessionResponse, error)
func (*SecureSessionService) Finalize ¶
func (s *SecureSessionService) Finalize(ctx context.Context, req *sspb.FinalizeRequest) (*sspb.FinalizeResponse, error)
func (*SecureSessionService) Handshake ¶
func (s *SecureSessionService) Handshake(ctx context.Context, req *sspb.HandshakeRequest) (*sspb.HandshakeResponse, error)
func (*SecureSessionService) NegotiateAttestation ¶
func (s *SecureSessionService) NegotiateAttestation(ctx context.Context, req *sspb.NegotiateAttestationRequest) (*sspb.NegotiateAttestationResponse, error)
func (*SecureSessionService) Wrap ¶
func (s *SecureSessionService) Wrap(keyURI string, aad, plaintext []byte) []byte
Wrap takes a keyURI, aad, and plaintext, and returns the wrapped plaintext that the server would return. Invariant: the receiver must have been created through NewSecureSessionService so that the keys are set up, and keyURI must be valid.