core

package
v0.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 16, 2020 License: MPL-2.0 Imports: 36 Imported by: 2

Documentation

Overview

Package core provides the core functionality for the Coordinator object including state transition, APIs for marbles and clients, handling of manifests and the sealing functionalities.

Index

Constants

View Source 
const CoordinatorName string = "Marblerun Coordinator"

CoordinatorName is the name of the Coordinator. It is used as CN of the root certificate.

View Source 
const SealedDataFname string = "sealed_data"

SealedDataFname contains the file name in which the state is sealed on disk in seal_dir

View Source 
const SealedKeyFname string = "sealed_key"

SealedKeyFname contains the file name in which the key is sealed with the seal key on disk in seal_dir

Variables

View Source 
var ErrEncryptionKey = errors.New("cannot unseal encryption key")

ErrEncryptionKey occurs if unsealing the encryption key failed.

Functions

This section is empty.

Types

type AESGCMSealer 

type AESGCMSealer struct {
	// contains filtered or unexported fields
}

AESGCMSealer implements the Sealer interface using AES-GCM for confidentiallity and authentication

func NewAESGCMSealer 

func NewAESGCMSealer(sealDir string) *AESGCMSealer

NewAESGCMSealer creates and initializes a new AESGCMSealer object

func (*AESGCMSealer) GenerateNewEncryptionKey added in v0.1.1 

func (s *AESGCMSealer) GenerateNewEncryptionKey() error

GenerateNewEncryptionKey generates a random 128 Bit (16 Byte) key to encrypt the state

func (*AESGCMSealer) Seal 

func (s *AESGCMSealer) Seal(data []byte) ([]byte, error)

Seal encrypts and stores information to the fs

func (*AESGCMSealer) SetEncryptionKey added in v0.1.1 

func (s *AESGCMSealer) SetEncryptionKey(encryptionKey []byte) error

SetEncryptionKey sets or restores an encryption key

func (*AESGCMSealer) Unseal 

func (s *AESGCMSealer) Unseal() ([]byte, error)

Unseal reads and decrypts stored information from the fs

type Certificate added in v0.1.1 

type Certificate x509.Certificate

Certificate is an x509.Certificate

func (Certificate) MarshalJSON added in v0.1.1 

func (c Certificate) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*Certificate) UnmarshalJSON added in v0.1.1 

func (c *Certificate) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Marshaler interface.

type ClientCore 

type ClientCore interface {
	SetManifest(ctx context.Context, rawManifest []byte) (recoveryDataBytes []byte, err error)
	GetCertQuote(ctx context.Context) (cert string, certQuote []byte, err error)
	GetManifestSignature(ctx context.Context) (manifestSignature []byte)
	GetStatus(ctx context.Context) (statusCode int, status string, err error)
	Recover(ctx context.Context, encryptionKey []byte) error
}

ClientCore provides the core functionality for the client. It can be used by e.g. a http server

type Core 

type Core struct {
	// contains filtered or unexported fields
}

Core implements the core logic of the Coordinator

func NewCore 

func NewCore(dnsNames []string, qv quote.Validator, qi quote.Issuer, sealer Sealer, zapLogger *zap.Logger) (*Core, error)

NewCore creates and initializes a new Core object

func NewCoreWithMocks 

func NewCoreWithMocks() *Core

NewCoreWithMocks creates a new core object with quote and seal mocks for testing.

func (*Core) Activate 

func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (*rpc.ActivationResp, error)

Activate implements the MarbleAPI function to authenticate a marble (implements the MarbleServer interface)

Verifies the marble's integritiy and subsequently provides the marble with a certificate for authentication and application-specific parameters as defined in the Coordinator's manifest.

req needs to contain a MarbleType present in the Coordinator's manifest and a CSR with the Subject and DNSNames set with desired values.

Returns a signed certificate-key-pair and the application's parameters if the authentication was successful. Returns an error if the authentication failed.

func (*Core) GetCertQuote 

func (c *Core) GetCertQuote(ctx context.Context) (string, []byte, error)

GetCertQuote gets the Coordinators certificate and corresponding quote (containing the cert)

Returns the a remote attestation quote of its own certificate alongside this certificate that allows to verify the Coordinator's integrity and authentication for use of the ClientAPI.

func (*Core) GetManifestSignature 

func (c *Core) GetManifestSignature(ctx context.Context) []byte

GetManifestSignature returns the hash of the manifest

Returns a SHA256 hash of the active manifest.

func (*Core) GetStatus 

func (c *Core) GetStatus(ctx context.Context) (statusCode int, status string, err error)

GetStatus returns status information about the state of the mesh.

func (*Core) GetTLSCertificate 

func (c *Core) GetTLSCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetTLSCertificate creates a TLS certificate for the Coordinators self-signed x509 certificate

func (*Core) GetTLSConfig 

func (c *Core) GetTLSConfig() (*tls.Config, error)

GetTLSConfig gets the core's TLS configuration

func (*Core) Recover added in v0.1.1 

func (c *Core) Recover(ctx context.Context, encryptionKey []byte) error

Recover sets an encryption key (ideally decrypted from the recovery data) and tries to unseal and load a saved state again.

func (*Core) SetManifest 

func (c *Core) SetManifest(ctx context.Context, rawManifest []byte) ([]byte, error)

SetManifest sets the manifest, once and for all

rawManifest is the manifest of type Manifest in JSON format.

type Manifest 

type Manifest struct {
	// Packages contains the allowed enclaves and their properties.
	Packages map[string]quote.PackageProperties
	// Infrastructures contains the allowed infrastructure providers and their properties.
	Infrastructures map[string]quote.InfrastructureProperties
	// Marbles contains the allowed services with their corresponding enclave and configuration parameters.
	Marbles map[string]Marble
	// Clients contains TLS certificates for authenticating clients that use the ClientAPI.
	Clients map[string][]byte
	// Secrets holds user-specified secrets, which should be generated and later on stored in a marble (if not shared) or in the core (if shared).
	Secrets map[string]Secret
	// Recovery holds a RSA public key to encrypt the state encryption key, which gets returned over the Client API when setting a manifest.
	RecoveryKey string
}

Manifest defines the rules of a mesh.

func (Manifest) Check 

func (m Manifest) Check(ctx context.Context) error

Check checks if the manifest is consistent.

type Marble 

type Marble struct {
	// Package references one of the allowed enclaves in the manifest.
	Package string
	// MaxActivations allows to limit the number of marbles of a kind.
	MaxActivations uint
	// Parameters contains lists for files, environment variables and commandline arguments that should be passed to the application.
	// Placeholder variables are supported for specific assets of the marble's activation process.
	Parameters *rpc.Parameters
}

Marble describes a service in the mesh that should be handled and verified by the Coordinator

type MockSealer 

type MockSealer struct {
	// contains filtered or unexported fields
}

MockSealer is a mockup sealer

func (*MockSealer) GenerateNewEncryptionKey added in v0.1.1 

func (s *MockSealer) GenerateNewEncryptionKey() error

GenerateNewEncryptionKey implements the Sealer interface

func (*MockSealer) Seal 

func (s *MockSealer) Seal(data []byte) ([]byte, error)

Seal implements the Sealer interface

func (*MockSealer) SetEncryptionKey added in v0.1.1 

func (s *MockSealer) SetEncryptionKey(key []byte) error

SetEncryptionKey implements the Sealer interface

func (*MockSealer) Unseal 

func (s *MockSealer) Unseal() ([]byte, error)

Unseal implements the Sealer interface

type NoEnclaveSealer added in v0.1.1 

type NoEnclaveSealer struct {
	// contains filtered or unexported fields
}

NoEnclaveSealer is a sealed for a -noenclave instance and does perform encryption with a fixed key

func NewNoEnclaveSealer added in v0.1.1 

func NewNoEnclaveSealer(sealDir string) *NoEnclaveSealer

NewNoEnclaveSealer creates and initializes a new NoEnclaveSealer object

func (*NoEnclaveSealer) GenerateNewEncryptionKey added in v0.1.1 

func (s *NoEnclaveSealer) GenerateNewEncryptionKey() error

GenerateNewEncryptionKey implements the Sealer interface

func (*NoEnclaveSealer) Seal added in v0.1.1 

func (s *NoEnclaveSealer) Seal(data []byte) ([]byte, error)

Seal writes the given data encrypted and the used key as plaintext to the disk

func (*NoEnclaveSealer) SetEncryptionKey added in v0.1.1 

func (s *NoEnclaveSealer) SetEncryptionKey(key []byte) error

SetEncryptionKey implements the Sealer interface

func (*NoEnclaveSealer) Unseal added in v0.1.1 

func (s *NoEnclaveSealer) Unseal() ([]byte, error)

Unseal reads the plaintext state from disk

type PrivateKey added in v0.1.1 

type PrivateKey []byte

PrivateKey is a wrapper for a binary private key, which we need for type differentiation in the PEM encoding function

type PublicKey added in v0.1.1 

type PublicKey []byte

PublicKey is a wrapper for a binary public key, which we need for type differentiation in the PEM encoding function

type Sealer 

type Sealer interface {
	Seal(data []byte) ([]byte, error)
	Unseal() ([]byte, error)
	GenerateNewEncryptionKey() error
	SetEncryptionKey(key []byte) error
}

Sealer is an interface for the Core object to seal information to the filesystem for persistence

type Secret added in v0.1.1 

type Secret struct {
	Type     string
	Size     uint
	Shared   bool
	Cert     Certificate
	ValidFor uint
	Private  PrivateKey
	Public   PublicKey
}

Secret defines a structure for storing certificates & encryption keys

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.