core

package
v0.3.2

This package is not in the latest version of its module.
Published: May 4, 2021 License: MPL-2.0 Imports: 37 Imported by: 2

Documentation

Overview

Package core provides the core functionality of the Coordinator, including its state transitions, the APIs for marbles and clients, manifest handling and sealing.

Index

Constants

const SealedDataFname string = "sealed_data"

SealedDataFname is the name of the file in seal_dir that holds the sealed state

const SealedKeyFname string = "sealed_key"

SealedKeyFname is the name of the file in seal_dir that holds the encryption key, itself sealed with the seal key

Variables

var ErrEncryptionKey = errors.New("cannot unseal encryption key")

ErrEncryptionKey occurs if unsealing the encryption key failed.

Functions

This section is empty.

Types

type AESGCMSealer

type AESGCMSealer struct {
	// contains filtered or unexported fields
}

AESGCMSealer implements the Sealer interface using AES-GCM for confidentiality and authentication

func NewAESGCMSealer

func NewAESGCMSealer(sealDir string) *AESGCMSealer

NewAESGCMSealer creates and initializes a new AESGCMSealer object

func (*AESGCMSealer) Seal

func (s *AESGCMSealer) Seal(unencryptedData []byte, toBeEncrypted []byte) error

Seal encrypts toBeEncrypted and stores it, together with unencryptedData, on the file system

func (*AESGCMSealer) SetEncryptionKey added in v0.1.1

func (s *AESGCMSealer) SetEncryptionKey(encryptionKey []byte) error

SetEncryptionKey sets or restores an encryption key

func (*AESGCMSealer) Unseal

func (s *AESGCMSealer) Unseal() ([]byte, []byte, error)

Unseal reads and decrypts stored information from the fs

type ClientCore

type ClientCore interface {
	SetManifest(ctx context.Context, rawManifest []byte) (recoverySecretMap map[string][]byte, err error)
	GetCertQuote(ctx context.Context) (cert string, certQuote []byte, err error)
	GetManifestSignature(ctx context.Context) (manifestSignature []byte)
	GetStatus(ctx context.Context) (statusCode int, status string, err error)
	Recover(ctx context.Context, encryptionKey []byte) (int, error)
	VerifyAdmin(ctx context.Context, clientCerts []*x509.Certificate) bool
	UpdateManifest(ctx context.Context, rawUpdateManifest []byte) error
}

ClientCore provides the core functionality for the client. It can be used by e.g. an HTTP server

type Core

type Core struct {
	// contains filtered or unexported fields
}

Core implements the core logic of the Coordinator

func NewCore

func NewCore(dnsNames []string, qv quote.Validator, qi quote.Issuer, sealer Sealer, recovery recovery.Recovery, zapLogger *zap.Logger) (*Core, error)

NewCore creates and initializes a new Core object

func NewCoreWithMocks

func NewCoreWithMocks() *Core

NewCoreWithMocks creates a new core object with quote and seal mocks for testing.

func (*Core) Activate

func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (*rpc.ActivationResp, error)

Activate implements the MarbleAPI function to authenticate a marble (implements the MarbleServer interface)

Verifies the marble's integrity and subsequently provides the marble with a certificate for authentication and with the application-specific parameters defined in the Coordinator's manifest.

req needs to contain a MarbleType present in the Coordinator's manifest and a CSR with the Subject and DNSNames set with desired values.

Returns a signed certificate-key-pair and the application's parameters if the authentication was successful. Returns an error if the authentication failed.

func (*Core) GetCertQuote

func (c *Core) GetCertQuote(ctx context.Context) (string, []byte, error)

GetCertQuote gets the Coordinator's certificate and the corresponding quote (which contains the cert)

Returns a remote attestation quote over the Coordinator's own certificate, alongside that certificate, which lets a client verify the Coordinator's integrity and authenticity before using the ClientAPI.

func (*Core) GetManifestSignature

func (c *Core) GetManifestSignature(ctx context.Context) []byte

GetManifestSignature returns the hash of the active manifest

Returns the SHA-256 hash of the active manifest; despite the name, the value is a hash, not a signature.

func (*Core) GetStatus

func (c *Core) GetStatus(ctx context.Context) (statusCode int, status string, err error)

GetStatus returns status information about the state of the mesh.

func (*Core) GetTLSConfig

func (c *Core) GetTLSConfig() (*tls.Config, error)

GetTLSConfig gets the core's TLS configuration

func (*Core) GetTLSIntermediateCertificate added in v0.3.0

func (c *Core) GetTLSIntermediateCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetTLSIntermediateCertificate creates a TLS certificate for the Coordinator's x509 intermediate certificate based on the self-signed x509 root certificate

func (*Core) GetTLSRootCertificate added in v0.3.0

func (c *Core) GetTLSRootCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetTLSRootCertificate creates a TLS certificate for the Coordinator's self-signed x509 certificate

func (*Core) Recover added in v0.1.1

func (c *Core) Recover(ctx context.Context, secret []byte) (int, error)

Recover sets an encryption key (ideally decrypted from the recovery data) and tries to unseal and load a saved state again.

func (*Core) SetManifest

func (c *Core) SetManifest(ctx context.Context, rawManifest []byte) (map[string][]byte, error)

SetManifest sets the manifest, once and for all

rawManifest is the manifest of type Manifest in JSON format.

func (*Core) UpdateManifest added in v0.3.0

func (c *Core) UpdateManifest(ctx context.Context, rawUpdateManifest []byte) error

UpdateManifest updates certain package parameters, supplied as a JSON update manifest

func (*Core) VerifyAdmin added in v0.3.0

func (c *Core) VerifyAdmin(ctx context.Context, clientCerts []*x509.Certificate) bool

VerifyAdmin checks if a given client certificate matches the admin certificates specified in the manifest
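VerifyAdmin matches a client certificate against the admin certificates listed in the manifest. The following is an added example, not the project's own code, showing the check a practitioner would want at this point: the admin is pinned by the exact DER bytes of the certificate rather than by its subject name, so a second self-signed certificate carrying the same CN is rejected. The AdminVerifier type, the manifest modelled as a map from admin name to PEM certificate, the Demo function and the omission of the context argument are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// AdminVerifier holds the admin certificates parsed from a manifest. Example code, not the
// project's own; the manifest is modelled as a map from admin name to PEM certificate.
type AdminVerifier struct {
	admins []*x509.Certificate
}

// NewAdminVerifier parses every admin entry; a malformed entry is an error rather than
// being skipped, so a typo cannot silently leave the mesh without that admin.
func NewAdminVerifier(admins map[string]string) (*AdminVerifier, error) {
	v := &AdminVerifier{}
	for name, pemStr := range admins {
		block, _ := pem.Decode([]byte(pemStr))
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("admin %q: not a PEM certificate", name)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("admin %q: %w", name, err)
		}
		v.admins = append(v.admins, cert)
	}
	return v, nil
}

// VerifyAdmin reports whether the client's leaf certificate is byte-for-byte one of the
// admin certificates. Comparing the DER encoding pins the exact certificate and key, so a
// certificate with the same subject name but a different key is rejected.
func (v *AdminVerifier) VerifyAdmin(clientCerts []*x509.Certificate) bool {
	if len(clientCerts) == 0 {
		return false
	}
	for _, a := range v.admins {
		if bytes.Equal(a.Raw, clientCerts[0].Raw) {
			return true
		}
	}
	return false
}

// selfSigned creates a self-signed certificate (constructed test data for the demo).
func selfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo registers one admin and checks the genuine admin and an impostor that presents a
// different self-signed certificate with the same CN. Returns (genuineOK, impostorOK).
func Demo() (bool, bool, error) {
	admin, err := selfSigned("admin")
	if err != nil {
		return false, false, err
	}
	impostor, err := selfSigned("admin")
	if err != nil {
		return false, false, err
	}
	pemStr := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: admin.Raw}))
	v, err := NewAdminVerifier(map[string]string{"alice": pemStr})
	if err != nil {
		return false, false, err
	}
	return v.VerifyAdmin([]*x509.Certificate{admin}), v.VerifyAdmin([]*x509.Certificate{impostor}), nil
}

func main() {
	fmt.Println(Demo()) // true false <nil>
}
```

Matching on the subject instead of the certificate bytes would let anyone able to mint a certificate with the admin's CN pass the check; pinning the DER encoding ties admin rights to one specific key pair.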

type MockSealer

type MockSealer struct {
	// contains filtered or unexported fields
}

MockSealer is a mock sealer for testing

func (*MockSealer) Seal

func (s *MockSealer) Seal(unencryptedData []byte, toBeEncrypted []byte) error

Seal implements the Sealer interface

func (*MockSealer) SetEncryptionKey added in v0.1.1

func (s *MockSealer) SetEncryptionKey(key []byte) error

SetEncryptionKey implements the Sealer interface

func (*MockSealer) Unseal

func (s *MockSealer) Unseal() ([]byte, []byte, error)

Unseal implements the Sealer interface

type NoEnclaveSealer added in v0.1.1

type NoEnclaveSealer struct {
	// contains filtered or unexported fields
}

NoEnclaveSealer is a sealer for a -noenclave instance. It encrypts with a fixed key that is itself written to disk in plaintext, so the sealed state is not actually protected

func NewNoEnclaveSealer added in v0.1.1

func NewNoEnclaveSealer(sealDir string) *NoEnclaveSealer

NewNoEnclaveSealer creates and initializes a new NoEnclaveSealer object

func (*NoEnclaveSealer) Seal added in v0.1.1

func (s *NoEnclaveSealer) Seal(unencryptedData []byte, toBeEncrypted []byte) error

Seal encrypts the given data and writes it to disk together with the key that was used, which is stored in plaintext

func (*NoEnclaveSealer) SetEncryptionKey added in v0.1.1

func (s *NoEnclaveSealer) SetEncryptionKey(key []byte) error

SetEncryptionKey implements the Sealer interface

func (*NoEnclaveSealer) Unseal added in v0.1.1

func (s *NoEnclaveSealer) Unseal() ([]byte, []byte, error)

Unseal reads the plaintext state from disk

type Sealer

type Sealer interface {
	Seal(unencryptedData []byte, toBeEncrypted []byte) error
	Unseal() (unencryptedData []byte, decryptedData []byte, err error)
	SetEncryptionKey(key []byte) error
}

Sealer is an interface for the Core object to seal information to the filesystem for persistence
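The Sealer interface and the AESGCMSealer that implements it store state as an unencrypted part plus an encrypted part and hand both back from Unseal. The following is an added example, not the project's own code: an AES-GCM sealer with the same Seal, Unseal and SetEncryptionKey signatures, which binds the unencrypted part to the ciphertext as GCM additional data, so that editing either part on disk, truncating the file, or unsealing under the wrong key makes Unseal fail instead of returning altered data. The FileSealer type, the on-disk layout (4-byte little-endian length, plaintext part, nonce, ciphertext), the sealed_data file name and the demo key are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var ErrCorrupted = errors.New("sealed data is corrupted or was tampered with")

// FileSealer is an illustrative AES-GCM sealer in the shape of the Sealer interface. It is
// example code, not the project's own; the file layout below is an assumption.
type FileSealer struct {
	path string // sealDir/sealed_data, a file name assumed for the example
	key  []byte
}

// SetEncryptionKey sets or restores the AES key; aes.NewCipher rejects bad key sizes.
func (s *FileSealer) SetEncryptionKey(key []byte) error {
	if _, err := aes.NewCipher(key); err != nil {
		return err
	}
	s.key = append([]byte(nil), key...)
	return nil
}

// Seal writes [len(unencryptedData)][unencryptedData][nonce][ciphertext]. The plaintext part
// is GCM additional data: it is authenticated, so editing it on disk makes Unseal fail.
func (s *FileSealer) Seal(unencryptedData, toBeEncrypted []byte) error {
	aead, err := s.gcm()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh per Seal; nonce reuse breaks GCM
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	out := make([]byte, 4)
	binary.LittleEndian.PutUint32(out, uint32(len(unencryptedData)))
	out = append(out, unencryptedData...)
	out = append(out, nonce...)
	out = aead.Seal(out, nonce, toBeEncrypted, unencryptedData)
	return os.WriteFile(s.path, out, 0o600)
}

// Unseal reads the file back and returns (unencryptedData, decryptedData, err).
func (s *FileSealer) Unseal() ([]byte, []byte, error) {
	aead, err := s.gcm()
	if err != nil {
		return nil, nil, err
	}
	raw, err := os.ReadFile(s.path)
	if err != nil {
		return nil, nil, err
	}
	// The length prefix comes from disk and is untrusted: bounds-check before slicing.
	ns := aead.NonceSize()
	if len(raw) < 4 || uint64(len(raw)) < 4+uint64(binary.LittleEndian.Uint32(raw))+uint64(ns) {
		return nil, nil, ErrCorrupted
	}
	n := int(binary.LittleEndian.Uint32(raw))
	plain, nonce, ct := raw[4:4+n], raw[4+n:4+n+ns], raw[4+n+ns:]
	pt, err := aead.Open(nil, nonce, ct, plain)
	if err != nil {
		return nil, nil, ErrCorrupted
	}
	return plain, pt, nil
}

func (s *FileSealer) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key) // also fails on a nil (unset) key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	s := &FileSealer{path: filepath.Join(os.TempDir(), "sealed_data")}
	defer os.Remove(s.path)
	// Constructed demo key; a real Coordinator keeps this key sealed with the enclave seal key.
	if err := s.SetEncryptionKey(bytes.Repeat([]byte{0x42}, 32)); err != nil {
		panic(err)
	}
	if err := s.Seal([]byte("public part"), []byte("secret state")); err != nil {
		panic(err)
	}
	plain, secret, err := s.Unseal()
	fmt.Printf("%s | %s | %v\n", plain, secret, err) // public part | secret state | <nil>
}
```

The unencrypted part is deliberately not ignored by the cipher: passing it as additional data means a single authentication tag covers both halves of the file, which is what turns "readable on disk" into "readable but not silently modifiable".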
