Documentation ¶
Overview ¶
Package core provides the core functionality for the Coordinator object including state transition, APIs for marbles and clients, handling of manifests and the sealing functionalities.
Index ¶
- Constants
- Variables
- type AESGCMSealer
- type Certificate
- type ClientCore
- type Core
- func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (*rpc.ActivationResp, error)
- func (c *Core) GetCertQuote(ctx context.Context) (string, []byte, error)
- func (c *Core) GetManifestSignature(ctx context.Context) []byte
- func (c *Core) GetStatus(ctx context.Context) (statusCode int, status string, err error)
- func (c *Core) GetTLSCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (c *Core) GetTLSConfig() (*tls.Config, error)
- func (c *Core) Recover(ctx context.Context, encryptionKey []byte) error
- func (c *Core) SetManifest(ctx context.Context, rawManifest []byte) ([]byte, error)
- type Manifest
- type Marble
- type MockSealer
- type NoEnclaveSealer
- type PrivateKey
- type PublicKey
- type Sealer
- type Secret
Constants ¶
const CoordinatorName string = "Marblerun Coordinator"
CoordinatorName is the name of the Coordinator. It is used as CN of the root certificate.
const SealedDataFname string = "sealed_data"
SealedDataFname contains the file name in which the state is sealed on disk in seal_dir
const SealedKeyFname string = "sealed_key"
SealedKeyFname contains the file name in which the key is sealed with the seal key on disk in seal_dir
Variables ¶
var ErrEncryptionKey = errors.New("cannot unseal encryption key")
ErrEncryptionKey occurs if unsealing the encryption key failed.
Functions ¶
This section is empty.
Types ¶
type AESGCMSealer ¶
type AESGCMSealer struct {
// contains filtered or unexported fields
}
AESGCMSealer implements the Sealer interface using AES-GCM for confidentiallity and authentication
func NewAESGCMSealer ¶
func NewAESGCMSealer(sealDir string) *AESGCMSealer
NewAESGCMSealer creates and initializes a new AESGCMSealer object
func (*AESGCMSealer) GenerateNewEncryptionKey ¶ added in v0.1.1
func (s *AESGCMSealer) GenerateNewEncryptionKey() error
GenerateNewEncryptionKey generates a random 128 Bit (16 Byte) key to encrypt the state
func (*AESGCMSealer) Seal ¶
func (s *AESGCMSealer) Seal(data []byte) ([]byte, error)
Seal encrypts and stores information to the fs
func (*AESGCMSealer) SetEncryptionKey ¶ added in v0.1.1
func (s *AESGCMSealer) SetEncryptionKey(encryptionKey []byte) error
SetEncryptionKey sets or restores an encryption key
func (*AESGCMSealer) Unseal ¶
func (s *AESGCMSealer) Unseal() ([]byte, error)
Unseal reads and decrypts stored information from the fs
type Certificate ¶ added in v0.1.1
type Certificate x509.Certificate
Certificate is an x509.Certificate
func (Certificate) MarshalJSON ¶ added in v0.1.1
func (c Certificate) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*Certificate) UnmarshalJSON ¶ added in v0.1.1
func (c *Certificate) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Marshaler interface.
type ClientCore ¶
type ClientCore interface { SetManifest(ctx context.Context, rawManifest []byte) (recoveryDataBytes []byte, err error) GetCertQuote(ctx context.Context) (cert string, certQuote []byte, err error) GetManifestSignature(ctx context.Context) (manifestSignature []byte) GetStatus(ctx context.Context) (statusCode int, status string, err error) Recover(ctx context.Context, encryptionKey []byte) error }
ClientCore provides the core functionality for the client. It can be used by e.g. a http server
type Core ¶
type Core struct {
// contains filtered or unexported fields
}
Core implements the core logic of the Coordinator
func NewCore ¶
func NewCore(dnsNames []string, qv quote.Validator, qi quote.Issuer, sealer Sealer, zapLogger *zap.Logger) (*Core, error)
NewCore creates and initializes a new Core object
func NewCoreWithMocks ¶
func NewCoreWithMocks() *Core
NewCoreWithMocks creates a new core object with quote and seal mocks for testing.
func (*Core) Activate ¶
func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (*rpc.ActivationResp, error)
Activate implements the MarbleAPI function to authenticate a marble (implements the MarbleServer interface)
Verifies the marble's integritiy and subsequently provides the marble with a certificate for authentication and application-specific parameters as defined in the Coordinator's manifest.
req needs to contain a MarbleType present in the Coordinator's manifest and a CSR with the Subject and DNSNames set with desired values.
Returns a signed certificate-key-pair and the application's parameters if the authentication was successful. Returns an error if the authentication failed.
func (*Core) GetCertQuote ¶
GetCertQuote gets the Coordinators certificate and corresponding quote (containing the cert)
Returns the a remote attestation quote of its own certificate alongside this certificate that allows to verify the Coordinator's integrity and authentication for use of the ClientAPI.
func (*Core) GetManifestSignature ¶
GetManifestSignature returns the hash of the manifest
Returns a SHA256 hash of the active manifest.
func (*Core) GetTLSCertificate ¶
func (c *Core) GetTLSCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetTLSCertificate creates a TLS certificate for the Coordinators self-signed x509 certificate
func (*Core) GetTLSConfig ¶
GetTLSConfig gets the core's TLS configuration
type Manifest ¶
type Manifest struct { // Packages contains the allowed enclaves and their properties. Packages map[string]quote.PackageProperties // Infrastructures contains the allowed infrastructure providers and their properties. Infrastructures map[string]quote.InfrastructureProperties // Marbles contains the allowed services with their corresponding enclave and configuration parameters. Marbles map[string]Marble // Clients contains TLS certificates for authenticating clients that use the ClientAPI. Clients map[string][]byte // Secrets holds user-specified secrets, which should be generated and later on stored in a marble (if not shared) or in the core (if shared). Secrets map[string]Secret // Recovery holds a RSA public key to encrypt the state encryption key, which gets returned over the Client API when setting a manifest. RecoveryKey string }
Manifest defines the rules of a mesh.
type Marble ¶
type Marble struct { // Package references one of the allowed enclaves in the manifest. Package string // MaxActivations allows to limit the number of marbles of a kind. MaxActivations uint // Parameters contains lists for files, environment variables and commandline arguments that should be passed to the application. // Placeholder variables are supported for specific assets of the marble's activation process. Parameters *rpc.Parameters }
Marble describes a service in the mesh that should be handled and verified by the Coordinator
type MockSealer ¶
type MockSealer struct {
// contains filtered or unexported fields
}
MockSealer is a mockup sealer
func (*MockSealer) GenerateNewEncryptionKey ¶ added in v0.1.1
func (s *MockSealer) GenerateNewEncryptionKey() error
GenerateNewEncryptionKey implements the Sealer interface
func (*MockSealer) Seal ¶
func (s *MockSealer) Seal(data []byte) ([]byte, error)
Seal implements the Sealer interface
func (*MockSealer) SetEncryptionKey ¶ added in v0.1.1
func (s *MockSealer) SetEncryptionKey(key []byte) error
SetEncryptionKey implements the Sealer interface
func (*MockSealer) Unseal ¶
func (s *MockSealer) Unseal() ([]byte, error)
Unseal implements the Sealer interface
type NoEnclaveSealer ¶ added in v0.1.1
type NoEnclaveSealer struct {
// contains filtered or unexported fields
}
NoEnclaveSealer is a sealed for a -noenclave instance and does perform encryption with a fixed key
func NewNoEnclaveSealer ¶ added in v0.1.1
func NewNoEnclaveSealer(sealDir string) *NoEnclaveSealer
NewNoEnclaveSealer creates and initializes a new NoEnclaveSealer object
func (*NoEnclaveSealer) GenerateNewEncryptionKey ¶ added in v0.1.1
func (s *NoEnclaveSealer) GenerateNewEncryptionKey() error
GenerateNewEncryptionKey implements the Sealer interface
func (*NoEnclaveSealer) Seal ¶ added in v0.1.1
func (s *NoEnclaveSealer) Seal(data []byte) ([]byte, error)
Seal writes the given data encrypted and the used key as plaintext to the disk
func (*NoEnclaveSealer) SetEncryptionKey ¶ added in v0.1.1
func (s *NoEnclaveSealer) SetEncryptionKey(key []byte) error
SetEncryptionKey implements the Sealer interface
func (*NoEnclaveSealer) Unseal ¶ added in v0.1.1
func (s *NoEnclaveSealer) Unseal() ([]byte, error)
Unseal reads the plaintext state from disk
type PrivateKey ¶ added in v0.1.1
type PrivateKey []byte
PrivateKey is a wrapper for a binary private key, which we need for type differentiation in the PEM encoding function
type PublicKey ¶ added in v0.1.1
type PublicKey []byte
PublicKey is a wrapper for a binary public key, which we need for type differentiation in the PEM encoding function
type Sealer ¶
type Sealer interface { Seal(data []byte) ([]byte, error) Unseal() ([]byte, error) GenerateNewEncryptionKey() error SetEncryptionKey(key []byte) error }
Sealer is an interface for the Core object to seal information to the filesystem for persistence
type Secret ¶ added in v0.1.1
type Secret struct { Type string Size uint Cert Certificate ValidFor uint Private PrivateKey Public PublicKey }
Secret defines a structure for storing certificates & encryption keys