README
¶
This package implements a range of methods that are used across sub-packages.
token enables retrieving an authentication token if run within an Azure VM. The Azure VM needs to be assigned a managed identity that has proper permissions to the Azure resource that requires authentication.
Documentation
¶
Index ¶
- Constants
- Variables
- func AesUnwrapPadding(block cipher.Block, cipherText []byte) ([]byte, error)
- func ConcatenateCerts(thimCerts THIMCerts) []byte
- func GenerateJWKSet(privateWrappingKey *rsa.PrivateKey) ([]byte, error)
- func GenerateJWKSetFromPEM(privatePEMString string) ([]byte, error)
- func GetReferenceInfoFile(securityContextDir string, ReferenceInfoFilename string) (string, error)
- func GetUvmSecurityCtxDir() (string, error)
- func HTTPGetRequest(uri string, metadata bool) (*http.Response, error)
- func HTTPPRequest(httpType string, uri string, jsonData []byte, authorizationToken string) (*http.Response, error)
- func HTTPResponseBody(httpResponse *http.Response) ([]byte, error)
- func ParseTHIMTCBM(thimCerts THIMCerts) (uint64, error)
- func ParseX509Certificate(certstring string) (*x509.Certificate, error)
- func PrivateKeyFromPEM(privatePEMString string) (*rsa.PrivateKey, error)
- func RSAPrivateKeyFromJWK(jwKey *jwk.Key) (*rsa.PrivateKey, error)
- func RsaAESKeyUnwrap(alg string, ciphertext []byte, priv *rsa.PrivateKey) ([]byte, error)
- func ThimCertsAbsent(thim *THIMCerts) bool
- func ValidateJWSToken(token string, key interface{}, alg jwa.SignatureAlgorithm) ([]byte, error)
- func VerifyJWSToken(token string) error
- func VerifyX509CertChain(dnsName string, certChain []string, roots *x509.CertPool) error
- type AKV
- type ClaimStruct
- type HTTPError
- type Identity
- type ImportKeyResponse
- type ImportKeyResponseKey
- type KeyBlob
- type KeyDerivationBlob
- type MAA
- type OuterClaimStruct
- type ReleaseKeyEncryptedKey
- type ReleaseKeyReleasePolicy
- type ReleaseKeyResponseKey
- type ReleasePolicy
- type THIMCerts
- type TokenResponse
- type UvmInformation
Constants ¶
const ( AKVImportKeyRequestURITemplate = "https://%s/keys/%s?%s" AKVReleaseKeyRequestURITemplate = "https://%s/keys/%s/release?%s" // We use 2048-bit RSA cryptography RSASize = 2048 )
const ( SecurityContextDirTemplate = "security-context-*" PolicyFilename = "security-policy-base64" HostAMDCertFilename = "host-amd-cert-base64" ReferenceInfoFilename = "reference-info-base64" )
const (
AttestRequestURITemplate = "https://%s/attest/%s?%s"
)
const GenerateTestData = false
const (
TokenURITemplate = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"
)
Variables ¶
var AIV = []byte{0xA6, 0x59, 0x59, 0xA6}
AIV (alternate IV) as specified in RFC-5649
Functions ¶
func AesUnwrapPadding ¶
AESUnwrapPadding decrypts the provided cipher text with the given AES cipher (and corresponding key), using the AES Key Wrap algorithm (RFC-5649). The decrypted cipher text is verified using the alternative IV and will return an error if validation fails.
func ConcatenateCerts ¶
func GenerateJWKSet ¶
func GenerateJWKSet(privateWrappingKey *rsa.PrivateKey) ([]byte, error)
GenerateJWKSet generates a JWK set from an RSA private key
func GenerateJWKSetFromPEM ¶
GenerateJWKSetFromPEM generates a JWK set from an RSA private key in PEM format
func GetReferenceInfoFile ¶
func GetUvmSecurityCtxDir ¶
func HTTPPRequest ¶
func ParseTHIMTCBM ¶
func ParseX509Certificate ¶
func ParseX509Certificate(certstring string) (*x509.Certificate, error)
parseX509Certificate parses a x509 certificate from a string
func PrivateKeyFromPEM ¶
func PrivateKeyFromPEM(privatePEMString string) (*rsa.PrivateKey, error)
PrivateKeyFromPEM generates a private RSA key from PEM string
func RSAPrivateKeyFromJWK ¶
func RSAPrivateKeyFromJWK(jwKey *jwk.Key) (*rsa.PrivateKey, error)
func RsaAESKeyUnwrap ¶
rsaAESKeyUnwrap unwraps a key using the RSA_AES algorithm
func ThimCertsAbsent ¶
func ValidateJWSToken ¶
func ValidateJWSToken(token string, key interface{}, alg jwa.SignatureAlgorithm) ([]byte, error)
validateJWSToken validates a JWS token using the key and alg attributes
func VerifyJWSToken ¶
verifyJWSTokenconfirms that the JWS token is valid comprising three fields: header, payload, signature
Types ¶
type AKV ¶
type AKV struct {
Endpoint string `json:"endpoint"`
APIVersion string `json:"api_version,omitempty"`
BearerToken string `json:"bearer_token,omitempty"`
}
func (AKV) ImportPlaintextKey ¶
func (akv AKV) ImportPlaintextKey(key interface{}, releasePolicy ReleasePolicy, keyName string) (AKVResponse *ImportKeyResponse, err error)
ImportPlaintextKey imports a plaintext key to a HSM-backed keyvault. The key is associated with a release policy
func (AKV) ReleaseKey ¶
func (akv AKV) ReleaseKey(maaTokenBase64 string, kid string, privateWrappingKey *rsa.PrivateKey) (_ []byte, _ string, err error)
ReleaseKey releases a key from a key vault. It takes as attributes the MAA token, the identifier of the key to be released and the private key of the wrapping RSA key pair that has been used by the AKV to wrap the released secret. Recall that the MAA token contains the public key of the wrapping RSA key pair as a runtime claim. The AKV uses the key to wrap released secrets if the claims in the MAA token satisfy the release policy. ReleaseKey uses the private key to locally unwrap the released secrets. The private key is kept within the utility VM and hence is isolated with hardware-based guarantees.
type ClaimStruct ¶
SKR releasy policy struct
type ImportKeyResponse ¶
type ImportKeyResponse struct {
Attributes interface{} `json:"attributes"`
Key ImportKeyResponseKey `json:"key"`
}
type ImportKeyResponseKey ¶
type KeyDerivationBlob ¶
type KeyDerivationBlob struct {
Salt string `json:"salt,omitempty`
Label string `json:"label,omitemtpy`
}
KeyDerivationBlob contains information about the key that needs to be derived from a secret that has been released
Safe use of this is to ensure that the secret has enough entropy. Examples include RSA private keys.
type MAA ¶
type MAA struct {
Endpoint string `json:"endpoint"`
TEEType string `json:"tee_type,omitempty"`
APIVersion string `json:"api_version,omitempty"`
}
MAA contains information about the MAA service that acts as the author of the claims
func (MAA) Attest ¶
func (maa MAA) Attest(SNPReportHexBytes []byte, vcekCertChain []byte, policyBlobBytes []byte, keyBlobBytes []byte, encodedUvmReferenceInfo []byte) (MAAToken string, err error)
attest interracts with MAA to fetch an MAA token. A valid MAA attest request requires a cert chain that endorses the signing key of the attestation report, the hardware attestation report, and additional evidence, including the policy blob and the key blob, whose hash have been included in the HOST_DATA and REPORT_DATA fields of the attestation report, respectively.
MAA validates the signature of the attestation report using the public key of the leaf certificate of the cert chain, validates the cert chain, and finally validates the additional evidence against the HOST_DATA and REPORT_DATA fields of the validated attestation report. Upon successful attestation, MAA issues an MAA token which presents the policy blob as inittime claims and the key blob as runtime claims.
Note, the using the leaf cert will be changed to a DID based scheme similar to fragments.
type OuterClaimStruct ¶
type OuterClaimStruct struct {
Authority string `json:"authority"`
AllOf []ClaimStruct `json:"allOf"`
}
type ReleaseKeyEncryptedKey ¶
type ReleaseKeyReleasePolicy ¶
type ReleaseKeyResponseKey ¶
type ReleaseKeyResponseKey struct {
Attributes interface{} `json:"attributes"`
Key ReleaseKeyEncryptedKey `json:"key"`
ReleasePolicy ReleaseKeyReleasePolicy `json:"release_policy"`
}
type ReleasePolicy ¶
type ReleasePolicy struct {
Version string `json:"version"`
AnyOf []OuterClaimStruct `json:"anyOf"`
}
type THIMCerts ¶
type THIMCerts struct {
VcekCert string `json:"vcekCert"`
Tcbm string `json:"tcbm"`
CertificateChain string `json:"certificateChain"`
CacheControl string `json:"cacheControl"`
}
format of the json provided to the UVM by hcsshim. Comes from the THIM endpoint and is a base64 encoded json string
func ParseTHIMCertsFromByte ¶
type TokenResponse ¶
type UvmInformation ¶
type UvmInformation struct {
EncodedSecurityPolicy string // base64 customer security policy
InitialCerts THIMCerts // platform certificates for the actual physical host
EncodedUvmReferenceInfo string // base64 encoded endorsements for the particular UVM image
}
func GetUvmInformation ¶
func GetUvmInformation() (UvmInformation, error)
func GetUvmInformationFromEnv ¶
func GetUvmInformationFromEnv() (UvmInformation, error)
func GetUvmInformationFromFiles ¶
func GetUvmInformationFromFiles() (UvmInformation, error)
Source Files