Documentation
Overview
Package core provides the core functionality of the Coordinator object, including state transitions, the APIs for marbles and clients, manifest handling and the sealing functionality.
Index
- Constants
- Variables
- type AESGCMSealer
- type ClientCore
- type Core
- func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (*rpc.ActivationResp, error)
- func (c *Core) GetCertQuote(ctx context.Context) (string, []byte, error)
- func (c *Core) GetManifestSignature(ctx context.Context) []byte
- func (c *Core) GetStatus(ctx context.Context) (statusCode int, status string, err error)
- func (c *Core) GetTLSConfig() (*tls.Config, error)
- func (c *Core) GetTLSIntermediateCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (c *Core) GetTLSRootCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (c *Core) Recover(ctx context.Context, secret []byte) (int, error)
- func (c *Core) SetManifest(ctx context.Context, rawManifest []byte) (map[string][]byte, error)
- func (c *Core) UpdateManifest(ctx context.Context, rawUpdateManifest []byte) error
- func (c *Core) VerifyAdmin(ctx context.Context, clientCerts []*x509.Certificate) bool
- type MockSealer
- type NoEnclaveSealer
- type Sealer
Constants
const SealedDataFname string = "sealed_data"
SealedDataFname is the name of the file in seal_dir in which the state is sealed on disk.
const SealedKeyFname string = "sealed_key"
SealedKeyFname is the name of the file in seal_dir in which the encryption key, sealed with the seal key, is stored on disk.
Variables
var ErrEncryptionKey = errors.New("cannot unseal encryption key")
ErrEncryptionKey occurs if unsealing the encryption key failed.
Functions
This section is empty.
Types
type AESGCMSealer
type AESGCMSealer struct {
// contains filtered or unexported fields
}
AESGCMSealer implements the Sealer interface using AES-GCM for confidentiality and authentication.
func NewAESGCMSealer
func NewAESGCMSealer(sealDir string) *AESGCMSealer
NewAESGCMSealer creates and initializes a new AESGCMSealer object
func (*AESGCMSealer) Seal
func (s *AESGCMSealer) Seal(unencryptedData []byte, toBeEncrypted []byte) error
Seal encrypts the data and stores it on the file system.
func (*AESGCMSealer) SetEncryptionKey added in v0.1.1
func (s *AESGCMSealer) SetEncryptionKey(encryptionKey []byte) error
SetEncryptionKey sets or restores an encryption key
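The following is an added example, not code from the core package itself, showing the two-layer envelope the SealedKeyFname/SealedDataFname constants and AESGCMSealer describe: the encryption key is wrapped under a seal key, and the state is encrypted under the encryption key, both with AES-GCM. The seal key is a constructed value here (in an enclave it would be derived from the hardware); binding unencryptedData as associated data is an assumption of this example, as are all function names, and writing the blobs to seal_dir is left out.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce||ciphertext; aad is authenticated but stays in the clear.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// gcmOpen reverses gcmSeal; any change to ciphertext or aad fails the tag check.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated blob")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Seal yields the sealed_key blob (encKey under sealKey, which stands in for the enclave seal key)
// and the sealed_data blob (toBeEncrypted under encKey, with unencrypted bound as AAD; assumed here).
func Seal(sealKey, encKey, unencrypted, toBeEncrypted []byte) (sealedKey, sealedData []byte, err error) {
	if sealedKey, err = gcmSeal(sealKey, encKey, nil); err == nil {
		sealedData, err = gcmSeal(encKey, toBeEncrypted, unencrypted)
	}
	return sealedKey, sealedData, err
}
// Unseal is the recovery path: unwrap the encryption key first, then open the state with it.
func Unseal(sealKey, sealedKey, sealedData, unencrypted []byte) ([]byte, error) {
	encKey, err := gcmOpen(sealKey, sealedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unseal encryption key")
	}
	return gcmOpen(encKey, sealedData, unencrypted)
}
```

A wrong seal key fails at the key-unwrapping step, which is the situation the package's ErrEncryptionKey variable reports; a modified unencrypted part fails the authentication tag of the data blob.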
type ClientCore
type ClientCore interface {
	SetManifest(ctx context.Context, rawManifest []byte) (recoverySecretMap map[string][]byte, err error)
	GetCertQuote(ctx context.Context) (cert string, certQuote []byte, err error)
	GetManifestSignature(ctx context.Context) (manifestSignature []byte)
	GetStatus(ctx context.Context) (statusCode int, status string, err error)
	Recover(ctx context.Context, encryptionKey []byte) (int, error)
	VerifyAdmin(ctx context.Context, clientCerts []*x509.Certificate) bool
	UpdateManifest(ctx context.Context, rawUpdateManifest []byte) error
}
ClientCore provides the core functionality for the client. It can be used by, e.g., an HTTP server.
type Core
type Core struct {
// contains filtered or unexported fields
}
Core implements the core logic of the Coordinator
func NewCore
func NewCore(dnsNames []string, qv quote.Validator, qi quote.Issuer, sealer Sealer, recovery recovery.Recovery, zapLogger *zap.Logger) (*Core, error)
NewCore creates and initializes a new Core object
func NewCoreWithMocks
func NewCoreWithMocks() *Core
NewCoreWithMocks creates a new core object with quote and seal mocks for testing.
func (*Core) Activate
func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (*rpc.ActivationResp, error)
Activate implements the MarbleAPI function to authenticate a marble (implements the MarbleServer interface).
It verifies the marble's integrity and subsequently provides the marble with a certificate for authentication and with application-specific parameters as defined in the Coordinator's manifest.
req needs to contain a MarbleType present in the Coordinator's manifest and a CSR with the Subject and DNSNames set with desired values.
Returns a signed certificate-key-pair and the application's parameters if the authentication was successful. Returns an error if the authentication failed.
func (*Core) GetCertQuote
func (c *Core) GetCertQuote(ctx context.Context) (string, []byte, error)
GetCertQuote gets the Coordinator's certificate and the corresponding quote (which contains the cert).
Returns a remote attestation quote over the Coordinator's own certificate alongside that certificate; together they allow a client to verify the Coordinator's integrity and authenticity before using the ClientAPI.
func (*Core) GetManifestSignature
func (c *Core) GetManifestSignature(ctx context.Context) []byte
GetManifestSignature returns the hash of the manifest.
Returns the SHA256 hash of the active manifest.
func (*Core) GetTLSConfig
func (c *Core) GetTLSConfig() (*tls.Config, error)
GetTLSConfig gets the core's TLS configuration.
func (*Core) GetTLSIntermediateCertificate added in v0.3.0
func (c *Core) GetTLSIntermediateCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetTLSIntermediateCertificate creates a TLS certificate from the Coordinator's x509 intermediate certificate, which is issued by the self-signed x509 root certificate.
func (*Core) GetTLSRootCertificate added in v0.3.0
func (c *Core) GetTLSRootCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetTLSRootCertificate creates a TLS certificate from the Coordinator's self-signed x509 root certificate.
func (*Core) Recover added in v0.1.1
func (c *Core) Recover(ctx context.Context, secret []byte) (int, error)
Recover sets an encryption key (ideally decrypted from the recovery data) and tries to unseal and load a previously saved state.
func (*Core) SetManifest
func (c *Core) SetManifest(ctx context.Context, rawManifest []byte) (map[string][]byte, error)
SetManifest sets the manifest, once and for all.
rawManifest is the manifest of type Manifest in JSON format.
func (*Core) UpdateManifest added in v0.3.0
func (c *Core) UpdateManifest(ctx context.Context, rawUpdateManifest []byte) error
UpdateManifest allows updating certain package parameters, supplied via a JSON manifest.
func (*Core) VerifyAdmin added in v0.3.0
func (c *Core) VerifyAdmin(ctx context.Context, clientCerts []*x509.Certificate) bool
VerifyAdmin checks whether a given client certificate matches one of the admin certificates specified in the manifest.
type MockSealer
type MockSealer struct {
// contains filtered or unexported fields
}
MockSealer is a mock sealer for testing.
func (*MockSealer) Seal
func (s *MockSealer) Seal(unencryptedData []byte, toBeEncrypted []byte) error
Seal implements the Sealer interface
func (*MockSealer) SetEncryptionKey added in v0.1.1
func (s *MockSealer) SetEncryptionKey(key []byte) error
SetEncryptionKey implements the Sealer interface
type NoEnclaveSealer added in v0.1.1
type NoEnclaveSealer struct {
// contains filtered or unexported fields
}
NoEnclaveSealer is a sealer for a -noenclave instance; it performs encryption with a fixed key.
func NewNoEnclaveSealer added in v0.1.1
func NewNoEnclaveSealer(sealDir string) *NoEnclaveSealer
NewNoEnclaveSealer creates and initializes a new NoEnclaveSealer object
func (*NoEnclaveSealer) Seal added in v0.1.1
func (s *NoEnclaveSealer) Seal(unencryptedData []byte, toBeEncrypted []byte) error
Seal writes the given data encrypted to disk, together with the key that was used, in plaintext.
func (*NoEnclaveSealer) SetEncryptionKey added in v0.1.1
func (s *NoEnclaveSealer) SetEncryptionKey(key []byte) error
SetEncryptionKey implements the Sealer interface