atls

package v0.8.1

Warning: This package is not in the latest version of its module.
Published: Jul 17, 2024 License: AGPL-3.0 Imports: 16 Imported by: 0

Documentation

Overview

aTLS provides config generation functions to bootstrap attested TLS connections.

Index

Constants

This section is empty.

Variables

var (
	// NoValidator skips validation of the server's attestation document.
	NoValidator Validator
	// NoIssuer skips embedding the client's attestation document.
	NoIssuer Issuer
)

Functions

func CreateAttestationClientTLSConfig

func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator, privKey *ecdsa.PrivateKey) (*tls.Config, error)

CreateAttestationClientTLSConfig creates a tls.Config object that verifies a certificate with an embedded attestation document.

ATTENTION: The tls.Config ensures freshness of the server's attestation only for the first connection it is used for. If freshness is required, you must create a new tls.Config for each connection or ensure freshness on the protocol level. If freshness is not required, you can reuse this tls.Config.

If no validators are set, the server's attestation document will not be verified. If issuer is nil, the client will be unable to perform mutual aTLS.

func CreateAttestationServerTLSConfig

func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator) (*tls.Config, error)

CreateAttestationServerTLSConfig creates a tls.Config object with a self-signed certificate and an embedded attestation document. Pass a list of validators to enable mutual aTLS. If issuer is nil, no attestation will be embedded.
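The mechanism behind these two config functions, as an added example that is not the package's own code: the server embeds an attestation document, bound to its certificate key and to the nonce the client chose, in an extension of a self-signed certificate, and the client's verification callback rejects a document whose nonce is not the one it chose for this handshake. That nonce check is exactly what goes stale when a single tls.Config is reused across connections. The document format (fakeDoc, after FakeAttestationDoc), the extension OID attOID and the helpers attestedCert and verifyAttested are constructed assumptions; the package's real wire format and OID are not on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
)

// fakeDoc mirrors the page's FakeAttestationDoc; attOID is a placeholder OID (assumption).
type fakeDoc struct{ UserData, Nonce []byte }
var attOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// attestedCert is the server side: a self-signed certificate whose extension carries
// a document over the certificate's own public key and the nonce the client supplied.
func attestedCert(nonce []byte) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	pubDER, _ := x509.MarshalPKIXPublicKey(pub)
	doc, _ := asn1.Marshal(fakeDoc{UserData: pubDER, Nonce: nonce})
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		ExtraExtensions: []pkix.Extension{{Id: attOID, Value: doc}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAttested is the client's VerifyPeerCertificate logic in the shape of Validator.Validate:
// find the document by OID, then reject it if its nonce is not the one this client chose
// (stale or replayed) or if it is not bound to the key of the certificate that carried it.
func verifyAttested(cert *x509.Certificate, nonce []byte) error {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(attOID) {
			var d fakeDoc
			if _, err := asn1.Unmarshal(ext.Value, &d); err != nil {
				return err
			}
			pubDER, _ := x509.MarshalPKIXPublicKey(cert.PublicKey)
			if !bytes.Equal(d.Nonce, nonce) || !bytes.Equal(d.UserData, pubDER) {
				return errors.New("attestation is stale, replayed, or not bound to the peer key")
			}
			return nil
		}
	}
	return errors.New("no attestation extension in certificate")
}
```

A real validator would additionally verify the hardware signature over the document; the nonce and key-binding checks shown here are the part that makes a per-connection nonce (and hence a fresh tls.Config) necessary.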

Types

type FakeAttestationDoc

type FakeAttestationDoc struct {
	UserData []byte
	Nonce    []byte
}

FakeAttestationDoc is a fake attestation document used for testing.

type FakeIssuer

type FakeIssuer struct {
	Getter
}

FakeIssuer fakes an issuer and can be used for tests.

func NewFakeIssuer

func NewFakeIssuer(oid Getter) *FakeIssuer

NewFakeIssuer creates a new FakeIssuer with the given OID.

func (FakeIssuer) Issue

func (FakeIssuer) Issue(_ context.Context, userData []byte, nonce []byte) ([]byte, error)

Issue marshals the user data and returns it.

type FakeValidator

type FakeValidator struct {
	Getter
	// contains filtered or unexported fields
}

FakeValidator fakes a validator and can be used for tests.

func NewFakeValidator

func NewFakeValidator(oid Getter) *FakeValidator

NewFakeValidator creates a new FakeValidator with the given OID.

func (FakeValidator) Validate

func (v FakeValidator) Validate(_ context.Context, attDoc []byte, nonce []byte, _ []byte) error

Validate unmarshals the attestation document and verifies the nonce.

type Getter

type Getter interface {
	OID() asn1.ObjectIdentifier
}

Getter returns an ASN.1 Object Identifier.

type Issuer

type Issuer interface {
	Getter
	Issue(ctx context.Context, userData []byte, nonce []byte) (quote []byte, err error)
}

Issuer issues an attestation document.

type Validator

type Validator interface {
	Getter
	Validate(ctx context.Context, attDoc []byte, nonce []byte, peerPublicKey []byte) error
}

Validator is able to validate an attestation document.

func NewFakeValidators

func NewFakeValidators(oid Getter) []Validator

NewFakeValidators returns a slice with a single FakeValidator.
