securechannel

package
v0.0.0-...-b22384a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 14, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source
const (
	MACLength        = 8
	ChallengeLength  = 8
	CryptogramLength = 8
	KeyLength        = 16

	DerivationConstantEncKey  KeyDerivationConstant = 0x04
	DerivationConstantMACKey  KeyDerivationConstant = 0x06
	DerivationConstantRMACKey KeyDerivationConstant = 0x07

	DerivationConstantDeviceCryptogram KeyDerivationConstant = 0x00
	DerivationConstantHostCryptogram   KeyDerivationConstant = 0x01

	SecurityLevelUnauthenticated SecurityLevel = 0
	SecurityLevelAuthenticated   SecurityLevel = 1

	MessageTypeCommand  MessageType = 0
	MessageTypeResponse MessageType = 1

	MaxMessagesPerSession = 10000
)

Variables

View Source
var ErrAuthCryptogram = errors.New("authentication failed: device sent wrong cryptogram")

Functions

This section is empty.

Types

type KeyChain

type KeyChain struct {
	EncKey  []byte
	MACKey  []byte
	RMACKey []byte
}

KeyChain holds session keys

type KeyDerivationConstant

type KeyDerivationConstant byte

KeyDerivationConstant used to derive keys using KDF

type MessageType

type MessageType byte

MessageType indicates whether a message is a command or response

type SecureChannel

type SecureChannel struct {

	// ID is the ID of the session with the HSM
	ID uint8
	// Counter of commands performed on the session
	Counter uint32
	// SecurityLevel is the authentication state of the session
	SecurityLevel SecurityLevel

	// HostChallenge is the auth challenge of the host
	HostChallenge []byte
	// DeviceChallenge is the auth challenge of the device
	DeviceChallenge []byte

	// AuthKey to authenticate against the HSM; must match authKeySlot
	AuthKey authkey.AuthKey

	// MACChainValue is the last MAC to allow MAC chaining
	MACChainValue []byte
	// contains filtered or unexported fields
}

SecureChannel implements a communication channel with a YubiHSM2 as specified in the SCP03 standard

func NewSecureChannel

func NewSecureChannel(connector connector.Connector, authKeySlot uint16, password string) (*SecureChannel, error)

NewSecureChannel initiates a new secure channel to communicate with an HSM using the given authKey Call Authenticate next to establish a session.

func (*SecureChannel) Authenticate

func (s *SecureChannel) Authenticate() error

Authenticate establishes an authenticated session with the HSM

func (*SecureChannel) Close

func (s *SecureChannel) Close() error

func (*SecureChannel) SendCommand

SendCommand sends an unauthenticated command to the HSM and returns the parsed response

func (*SecureChannel) SendEncryptedCommand

func (s *SecureChannel) SendEncryptedCommand(c *commands.CommandMessage) (commands.Response, error)

SendEncryptedCommand sends an encrypted & authenticated command to the HSM and returns the decrypted and parsed response.

type SecurityLevel

type SecurityLevel byte

SecurityLevel indicates an auth state of a session/channel

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL