authority

package
v1.0.0 Latest
Warning

This package is not in the latest version of its module.

Published: Sep 4, 2024 License: AGPL-3.0 Imports: 28 Imported by: 0

Documentation


Constants

This section is empty.

Variables

var (
	// ErrAlreadyRecovered is returned if seedEngine initialization was requested but a seed is already set.
	ErrAlreadyRecovered = errors.New("coordinator is already recovered")
	// ErrNeedsRecovery is returned if state exists, but no secrets are available, e.g. after restart.
	ErrNeedsRecovery = errors.New("coordinator is in recovery mode")
)

var ErrNoManifest = errors.New("no manifest configured")

ErrNoManifest is returned when a manifest is needed but not present.

Functions

This section is empty.

Types

type Authority

type Authority struct {
	userapi.UnimplementedUserAPIServer
	// contains filtered or unexported fields
}

Authority manages the manifest state of Contrast.

func New

func New(hist *history.History, reg *prometheus.Registry, log *slog.Logger) *Authority

New creates a new Authority instance.

func (*Authority) GetCertBundle

func (m *Authority) GetCertBundle(peerPublicKeyHashStr string) (Bundle, error)

GetCertBundle retrieves the certificate bundle created for the peer identified by the given public key.

func (*Authority) GetManifests added in v0.8.0

GetManifests retrieves the current CA certificates, the manifest history and all policies.

func (*Authority) Recover added in v0.8.0

Recover recovers the Coordinator from a seed and salt.

func (*Authority) SNPValidateOpts

func (m *Authority) SNPValidateOpts(report *sevsnp.Report) (*validate.Options, error)

SNPValidateOpts returns SNP validation options from reference values.

It also ensures that the policy hash in the report's HOSTDATA is allowed by the current manifest.
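
The HOSTDATA check described above, as an added sketch that is not the Contrast project's code and uses only the standard library. The `policySet` layout, the helpers `hashPolicy` and `checkHostData`, the error `ErrPolicyNotAllowed`, and SHA-256 as the policy hash are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrPolicyNotAllowed is a hypothetical error for this sketch, not one exported by the package.
var ErrPolicyNotAllowed = errors.New("policy hash in HOSTDATA is not allowed by the manifest")

// policySet stands in for the manifest's allowed policies:
// hex-encoded SHA-256 of the policy -> workload name (assumed layout).
type policySet map[string]string

// hashPolicy returns the hex-encoded SHA-256 of a policy document.
func hashPolicy(policy []byte) string {
	sum := sha256.Sum256(policy)
	return hex.EncodeToString(sum[:])
}

// checkHostData maps the HOSTDATA field of an attestation report to a workload,
// and fails closed if the field is malformed or unknown to the manifest.
func checkHostData(hostData []byte, allowed policySet) (string, error) {
	if len(hostData) != sha256.Size { // HOSTDATA is a 32-byte field
		return "", fmt.Errorf("HOSTDATA is %d bytes, want %d", len(hostData), sha256.Size)
	}
	if len(allowed) == 0 { // no manifest set yet: nothing can be allowed
		return "", errors.New("no manifest configured")
	}
	name, ok := allowed[hex.EncodeToString(hostData)]
	if !ok {
		return "", fmt.Errorf("%w: %x", ErrPolicyNotAllowed, hostData)
	}
	return name, nil
}

func main() {
	// Constructed sample data: two policy documents, only one is in the manifest.
	good, rogue := []byte("policy: allow image A"), []byte("policy: allow anything")
	manifest := policySet{hashPolicy(good): "web-frontend"}
	for _, p := range [][]byte{good, rogue} {
		sum := sha256.Sum256(p) // value the host would place in HOSTDATA at launch
		name, err := checkHostData(sum[:], manifest)
		fmt.Printf("workload=%q err=%v\n", name, err)
	}
}
```

Because HOSTDATA is covered by the hardware-signed report, a match ties the attested guest to one specific policy in the manifest; any other value is rejected before a certificate bundle would be issued.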

func (*Authority) SetManifest

SetManifest registers a new manifest at the Coordinator.

func (*Authority) ValidateCallback

func (m *Authority) ValidateCallback(_ context.Context, report *sevsnp.Report,
	_ asn1.ObjectIdentifier, _, _, peerPubKeyBytes []byte,
) error

ValidateCallback creates a certificate bundle for the verified client.

type Bundle

type Bundle struct {
	WorkloadCert   []byte
	MeshCA         []byte
	IntermediateCA []byte
	RootCA         []byte
}

Bundle is a set of PEM-encoded certificates for Contrast workloads.
