Documentation
Overview
Package verify includes logic and embedded AMD keys to check attestation report signatures.
Index
- func GetAttestationFromReport(report *spb.Report, getter trust.HTTPSGetter) (*spb.Attestation, error)
- func GetCrlAndCheckRoot(r *trust.AMDRootCerts, getter trust.HTTPSGetter) (*x509.RevocationList, error)
- func RawSnpReport(rawReport []byte, options *Options) error
- func SnpAttestation(attestation *spb.Attestation, options *Options) error
- func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
- func SnpReport(report *spb.Report, options *Options) error
- func SnpReportSignature(report []byte, vcek *x509.Certificate) error
- func ValidateArkSev(r *trust.AMDRootCerts) error
- func ValidateArkX509(r *trust.AMDRootCerts) error
- func ValidateAskSev(r *trust.AMDRootCerts) error
- func ValidateAskX509(r *trust.AMDRootCerts) error
- func ValidateVcekCertIssuer(r *trust.AMDRootCerts, issuer pkix.Name) error
- func ValidateVcekCertSubject(subject pkix.Name) error
- func ValidateVcekExtensions(exts *kds.VcekExtensions) error
- func ValidateX509(r *trust.AMDRootCerts) error
- func VcekDER(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certificate, *trust.AMDRootCerts, error)
- func VcekNotRevoked(r *trust.AMDRootCerts, getter trust.HTTPSGetter, cert *x509.Certificate) error
- type AttestationRecreationErr
- type CRLUnavailableErr
- type Options
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetAttestationFromReport added in v0.2.4
func GetAttestationFromReport(report *spb.Report, getter trust.HTTPSGetter) (*spb.Attestation, error)
GetAttestationFromReport uses AMD's Key Distribution Service (KDS) to download the certificate chain for the VCEK that supposedly signed the given report, and returns the Attestation representation of their combination. If getter is nil, uses Golang's http.Get.
func GetCrlAndCheckRoot added in v0.4.0
func GetCrlAndCheckRoot(r *trust.AMDRootCerts, getter trust.HTTPSGetter) (*x509.RevocationList, error)
GetCrlAndCheckRoot downloads the given cert's CRL from one of the distribution points and verifies that the CRL is valid and doesn't revoke an intermediate key.
func RawSnpReport added in v0.2.4
func RawSnpReport(rawReport []byte, options *Options) error
RawSnpReport verifies the raw bytes representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.
func SnpAttestation
func SnpAttestation(attestation *spb.Attestation, options *Options) error
SnpAttestation verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo, provided the certificate chain is valid.
func SnpProtoReportSignature
func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
SnpProtoReportSignature verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo.
func SnpReport added in v0.2.4
func SnpReport(report *spb.Report, options *Options) error
SnpReport verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.
func SnpReportSignature
func SnpReportSignature(report []byte, vcek *x509.Certificate) error
SnpReportSignature verifies the attestation report's signature based on the report's SignatureAlgo.
func ValidateArkSev added in v0.4.0
func ValidateArkSev(r *trust.AMDRootCerts) error
ValidateArkSev checks ARK certificate validity according to AMD SEV API Appendix B.3. This covers steps 5, 6, 9, and 11.
func ValidateArkX509 added in v0.4.0
func ValidateArkX509(r *trust.AMDRootCerts) error
ValidateArkX509 checks expected metadata about the ARK X.509 certificate. It does not verify the cryptographic signatures.
func ValidateAskSev added in v0.4.0
func ValidateAskSev(r *trust.AMDRootCerts) error
ValidateAskSev checks ASK SEV-format certificate validity according to AMD SEV API Appendix B.3. This covers steps 1, 2, and 5.
func ValidateAskX509 added in v0.4.0
func ValidateAskX509(r *trust.AMDRootCerts) error
ValidateAskX509 checks expected metadata about the ASK X.509 certificate. It does not verify the cryptographic signatures.
func ValidateVcekCertIssuer added in v0.4.0
func ValidateVcekCertIssuer(r *trust.AMDRootCerts, issuer pkix.Name) error
ValidateVcekCertIssuer checks KDS-specified values of the issuer metadata of the AMD certificate.
func ValidateVcekCertSubject
func ValidateVcekCertSubject(subject pkix.Name) error
ValidateVcekCertSubject checks KDS-specified values of the subject metadata of the AMD certificate.
func ValidateVcekExtensions
func ValidateVcekExtensions(exts *kds.VcekExtensions) error
ValidateVcekExtensions checks whether the certificate extensions match well-formedness expectations.
func ValidateX509 added in v0.4.0
func ValidateX509(r *trust.AMDRootCerts) error
ValidateX509 will validate the x509 certificates of the ASK and ARK.
func VcekDER
func VcekDER(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certificate, *trust.AMDRootCerts, error)
VcekDER checks that the VCEK certificate matches expected fields from the KDS specification and also that its certificate chain matches hardcoded trusted root certificates from AMD.
func VcekNotRevoked added in v0.4.0
func VcekNotRevoked(r *trust.AMDRootCerts, getter trust.HTTPSGetter, cert *x509.Certificate) error
VcekNotRevoked will consult the online CRL listed in the VCEK certificate for whether this cert has been revoked. Returns nil if not revoked, error on any problem.
Types
type AttestationRecreationErr added in v0.2.4
type AttestationRecreationErr struct {
// contains filtered or unexported fields
}
AttestationRecreationErr represents a problem with fetching or interpreting associated certificates for a given attestation report. This is typically due to network unreliability.
type CRLUnavailableErr
type CRLUnavailableErr struct {
// contains filtered or unexported fields
}
CRLUnavailableErr represents a problem with fetching the CRL from the network. This type is special to allow for easy "fail open" semantics for CRL unavailability. See Adam Langley's write-up on CRLs and network unreliability https://www.imperialviolet.org/2014/04/19/revchecking.html
type Options
type Options struct {
	// CheckRevocations set to true if the verifier should retrieve the CRL from the network and check
	// if the VCEK or ASK have been revoked according to the ARK.
	CheckRevocations bool
	// DisableCertFetching set to true if SnpAttestation should not connect to the AMD KDS to fill in
	// any missing certificates in an attestation's certificate chain. Uses Getter if false.
	DisableCertFetching bool
	// Getter takes a URL and returns the body of its contents. By default uses http.Get and returns
	// the body.
	Getter trust.HTTPSGetter
	// TrustedRoots specifies the ARK and ASK certificates to trust when checking the VCEK. If nil,
	// then verification will fall back on embedded AMD-published root certificates.
	// Maps the product name to an array of allowed roots.
	TrustedRoots map[string][]*trust.AMDRootCerts
}
Options represents verification options for an SEV-SNP attestation report.
func RootOfTrustToOptions added in v0.3.0
func RootOfTrustToOptions(rot *cpb.RootOfTrust) (*Options, error)
RootOfTrustToOptions translates the RootOfTrust message into the Options type needed for driving an attestation verification.