verify

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 10, 2024 License: Apache-2.0 Imports: 15 Imported by: 7

Documentation

Overview

Package verify includes logic and embedded AMD keys to check attestation report signatures.

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrMissingVlek is returned when attempting to verify a VLEK-signed report that doesn't also
	// have its VLEK certificate attached.
	ErrMissingVlek = errors.New("report signed with VLEK, but VLEK certificate is missing")
)

Functions

func GetAttestationFromReport added in v0.2.4

func GetAttestationFromReport(report *spb.Report, options *Options) (*spb.Attestation, error)

GetAttestationFromReport uses AMD's Key Distribution Service (KDS) to download the certificate chain for the VCEK that supposedly signed the given report, and returns the Attestation representation of their combination. If getter is nil, uses Golang's http.Get.

func GetCrlAndCheckRoot added in v0.4.0

func GetCrlAndCheckRoot(r *trust.AMDRootCerts, opts *Options) (*x509.RevocationList, error)

GetCrlAndCheckRoot downloads the given cert's CRL from one of the distribution points and verifies that the CRL is valid and doesn't revoke an intermediate key.

func RawSnpReport added in v0.2.4

func RawSnpReport(rawReport []byte, options *Options) error

RawSnpReport verifies the raw bytes representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.

func SnpAttestation

func SnpAttestation(attestation *spb.Attestation, options *Options) error

SnpAttestation verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo, provided the certificate chain is valid.

func SnpProtoReportSignature

func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error

SnpProtoReportSignature verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo.

func SnpReport added in v0.2.4

func SnpReport(report *spb.Report, options *Options) error

SnpReport verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.

func SnpReportSignature

func SnpReportSignature(report []byte, vcek *x509.Certificate) error

SnpReportSignature verifies the attestation report's signature based on the report's SignatureAlgo.

func VcekNotRevoked added in v0.4.0

func VcekNotRevoked(r *trust.AMDRootCerts, _ *x509.Certificate, options *Options) error

VcekNotRevoked will consult the online CRL listed in the VCEK certificate for whether this cert has been revoked. Returns nil if not revoked, error on any problem.

Types

type CRLUnavailableErr

type CRLUnavailableErr struct {
	// contains filtered or unexported fields
}

CRLUnavailableErr represents a problem with fetching the CRL from the network. This type is special to allow for easy "fail open" semantics for CRL unavailability. See Adam Langley's write-up on CRLs and network unreliability https://www.imperialviolet.org/2014/04/19/revchecking.html

type Options

type Options struct {
	// CheckRevocations set to true if the verifier should retrieve the CRL from the network and check
	// if the VCEK or ASK have been revoked according to the ARK.
	CheckRevocations bool
	// DisableCertFetching set to true if SnpAttestation should not connect to the AMD KDS to fill in
	// any missing certificates in an attestation's certificate chain. Uses Getter if false.
	DisableCertFetching bool
	// Getter takes a URL and returns the body of its contents. By default uses http.Get and returns
	// the body.
	Getter trust.HTTPSGetter
	// Now is the time at which to verify the validity of certificates. If unset, uses time.Now().
	Now time.Time
	// TrustedRoots specifies the ARK and ASK certificates to trust when checking the VCEK. If nil,
	// then verification will fall back on embedded AMD-published root certificates.
	// Maps the product name to an array of allowed roots.
	TrustedRoots map[string][]*trust.AMDRootCerts
	// Product is a forced value for the attestation product name when verifying or retrieving
	// VCEK certificates. An attestation should carry the product of the reporting
	// machine. Only used for v2 attestation reports.
	Product *spb.SevProduct
}

Options represents verification options for an SEV-SNP attestation report.

func DefaultOptions added in v0.6.0

func DefaultOptions() *Options

DefaultOptions returns a useful default verification option setting

func RootOfTrustToOptions added in v0.3.0

func RootOfTrustToOptions(rot *cpb.RootOfTrust) (*Options, error)

RootOfTrustToOptions translates the RootOfTrust message into the Options type needed for driving an attestation verification.

Directories

Path Synopsis
Package trust defines core trust types and values for attestation verification.
Package trust defines core trust types and values for attestation verification.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL