Documentation ¶
Index ¶
- Variables
- type App
- func (app *App) AttestLocal(serverAttrs *keystore.KeyAttributes) (tpm2.Quote, []byte, error)
- func (app *App) DropPrivileges()
- func (app *App) FQDN() string
- func (app *App) ImportEndorsementKeyCertificate() (*x509.Certificate, error)
- func (app *App) Init(initParams *AppInitParams) (*App, error)
- func (app *App) InitACMEClient(initialize bool) error
- func (app *App) InitCA(soPIN, userPIN keystore.Password, initParams *AppInitParams) (ca.CertificateAuthority, error)
- func (app *App) InitIntermediateCA(caParams *ca.CAParams, identity ca.Identity, parentCA ca.CertificateAuthority, ...) (ca.CertificateAuthority, error)
- func (app *App) InitLogFile(uid, gid int) afero.File
- func (app *App) InitPlatformKeyStore(soPIN, userPIN keystore.Password) error
- func (app *App) InitRootCA(params *ca.CAParams, soPIN, userPIN keystore.Password) (ca.CertificateAuthority, error)
- func (app *App) InitTPM(soPIN, userPIN keystore.Password, initParams *AppInitParams) error
- func (app *App) InitWebServer() error
- func (app *App) KeyringFromConfig(config *platform.KeyringConfig, fs afero.Fs, keyDir string, ...) (*platform.Keyring, error)
- func (app *App) LoadCA(soPIN, userPIN keystore.Password) error
- func (app *App) NewACMECrossSigner(crossSigner acme.CrossSign, initialize bool) (*acme.Client, error)
- func (app *App) NewCertificateStore(blobStore blob.BlobStorer) (certstore.CertificateStorer, error)
- func (app *App) OpenTPM(initialize bool) error
- func (app *App) ParsePINs(soPIN, userPIN []byte) (keystore.Password, keystore.Password, error)
- func (app *App) ProvisionPlatform(soPIN, userPIN keystore.Password, initParams *AppInitParams) (*keystore.KeyAttributes, error)
- func (app *App) ServiceRegistry() *service.Registry
- func (app *App) StartDNS()
- func (app *App) VerifyLocalQuote(akAttrs *keystore.KeyAttributes, quote tpm2.Quote, nonce []byte) error
- type AppInitParams
- type AppVersion
- type Environment
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrMissingEKWithoutEnabledCA is the package-level error for the case
	// where no EK certificate can be read from the TPM and none can be issued
	// because no certificate authority is enabled (see
	// ImportEndorsementKeyCertificate).
	ErrMissingEKWithoutEnabledCA = errors.New("trusted-platform: EK certificate not found and unable to generate because the certificate authority is not enabled")

	// ErrInvalidLocalAttestationSignature is the package-level error for a
	// local attestation quote whose signature does not verify (see
	// VerifyLocalQuote).
	ErrInvalidLocalAttestationSignature = errors.New("trusted-platform: local attestation signature verification failed")

	// Known deployment environments; ParseEnvironment maps a string onto one
	// of these.
	EnvDev     Environment = "dev"
	EnvPreProd Environment = "preprod"
	EnvProd    Environment = "prod"
	EnvTest    Environment = "test"

	// DefaultConfig is the baseline App configuration.
	//
	// NOTE(review): these are development defaults. DebugFlag and
	// DebugSecretsFlag are both true (DebugSecretsFlag presumably enables
	// logging of secret material — confirm), and the datastore backend is the
	// in-memory afero backend, so nothing written to it survives a restart.
	// A production deployment must override these values; do not rely on
	// DefaultConfig as-is outside of development and test.
	DefaultConfig = App{
		DebugFlag:        true,
		DebugSecretsFlag: true,
		CAConfig:         &ca.DefaultConfig,
		ConfigDir:        "/etc/trusted-platform",
		DatastoreConfig: &datastore.Config{
			Backend:          datastore.BackendAferoMemory.String(),
			ConsistencyLevel: datastore.ConsistencyLevelLocal.String(),
			ReadBufferSize:   50,
			RootDir:          "trusted-data/datastore",
			Serializer:       serializer.SERIALIZER_YAML.String(),
		},
		LogDir:           "trusted-data/log",
		Logger:           logging.DefaultLogger(),
		PlatformDir:      "trusted-data",
		Random:           rand.Reader, // entropy source; presumably crypto/rand — confirm the import
		TPMConfig:        tpm2.DefaultConfig,
		WebServiceConfig: &webservice.DefaultConfigECDSA,
	}
)
// Build-time identification of this binary. No defaults are assigned here;
// the values are presumably injected by the build (e.g. -ldflags "-X ...") —
// confirm in the build scripts. GetVersion copies most of these into an
// AppVersion; Image has no counterpart there.
var (
	Name, Repository, Package, Version, BuildDate, BuildUser, GitBranch, GitTag, GitHash, Image string
)
Functions ¶
This section is empty.
Types ¶
type App ¶
// App holds the platform configuration (the yaml/json/mapstructure-tagged
// fields, loaded from the platform configuration file) together with the
// runtime handles the platform creates during Init (TPM, CA, key stores,
// services), which are excluded from serialization with "-" tags.
//
// NOTE(review): the json tags are inconsistent — most multi-word fields use
// snake_case (config_dir, log_dir, runtime_user, platform_dir) but
// DebugSecretsFlag uses "debug-secrets". Any JSON consumer keying on this
// field must use the hyphenated form; confirm whether this is intentional
// before changing it, since renaming the tag is a breaking config change.
type App struct {
	ACMEConfig        *acme.Config      `yaml:"acme" json:"acme" mapstructure:"acme"`
	ACMEClient        *acme.Client      `yaml:"-" json:"-" mapstructure:"-"`
	// Argon2 parameters, presumably used for password/PIN hashing — confirm.
	Argon2            argon2.Argon2Config `yaml:"argon2" json:"argon2" mapstructure:"argon2"`
	AttestationConfig config.Attestation `yaml:"attestation" json:"attestation" mapstructure:"attestation"`
	BlobStore         blob.BlobStorer   `yaml:"-" json:"-" mapstructure:"-"`
	CA                ca.CertificateAuthority `yaml:"-" json:"-" mapstructure:"-"`
	CAConfig          *ca.Config        `yaml:"certificate-authority" json:"certificate_authority" mapstructure:"certificate-authority"`
	ConfigDir         string            `yaml:"config-dir" json:"config_dir" mapstructure:"config-dir"`
	DatastoreConfig   *datastore.Config `yaml:"datastore" json:"datastore" mapstructure:"datastore"`
	DebugFlag         bool              `yaml:"debug" json:"debug" mapstructure:"debug"`
	// DebugSecretsFlag presumably enables debug output of secret material;
	// it is true in DefaultConfig and should be false in production — confirm.
	DebugSecretsFlag  bool              `yaml:"debug-secrets" json:"debug-secrets" mapstructure:"debug-secrets"`
	DNSConfig         *dns.Config       `yaml:"dns" json:"dns" mapstructure:"dns"`
	DNSService        *dns.Service      `yaml:"-" json:"-" mapstructure:"-"`
	Domain            string            `yaml:"domain" json:"domain" mapstructure:"domain"`
	Environment       Environment       `yaml:"-" json:"-" mapstructure:"-"`
	FS                afero.Fs          `yaml:"-" json:"-" mapstructure:"-"`
	Hostname          string            `yaml:"hostname" json:"hostname" mapstructure:"hostname"`
	Hostmaster        string            `yaml:"hostmaster" json:"hostmaster" mapstructure:"hostmaster"`
	LogDir            string            `yaml:"log-dir" json:"log_dir" mapstructure:"log-dir"`
	Logger            *logging.Logger   `yaml:"-" json:"-" mapstructure:"-"`
	PlatformDir       string            `yaml:"platform-dir" json:"platform_dir" mapstructure:"platform-dir"`
	// PlatformKS is the TPM 2.0 backed key store set up by InitPlatformKeyStore.
	PlatformKS        tpm2ks.PlatformKeyStorer `yaml:"-" json:"-" mapstructure:"-"`
	PlatformCertStore certstore.CertificateStorer `yaml:"-" json:"-" mapstructure:"-"`
	PublicIPv4        net.IP            `yaml:"-" json:"-" mapstructure:"-"`
	PublicIPv6        net.IP            `yaml:"-" json:"-" mapstructure:"-"`
	PrivateIPv4       net.IP            `yaml:"-" json:"-" mapstructure:"-"`
	PrivateIPv6       net.IP            `yaml:"-" json:"-" mapstructure:"-"`
	// Random is the entropy source used for generated PINs and keys
	// (DefaultConfig sets it to rand.Reader).
	Random            io.Reader         `yaml:"-" json:"-" mapstructure:"-"`
	// RuntimeUser is presumably the unprivileged account DropPrivileges
	// switches to when the process was started as root — confirm.
	RuntimeUser       string            `yaml:"runtime-user" json:"runtime_user" mapstructure:"runtime-user"`
	SignerStore       keystore.SignerStorer `yaml:"-" json:"-" mapstructure:"-"`
	ShutdownChan      chan bool         `yaml:"-" json:"-" mapstructure:"-"`
	TPM               tpm2.TrustedPlatformModule `yaml:"-" json:"-" mapstructure:"-"`
	TPMConfig         tpm2.Config       `yaml:"tpm" json:"tpm" mapstructure:"tpm"`
	WebServiceConfig  *v1.Config        `yaml:"webservice" json:"webservice" mapstructure:"webservice"`
	ServerKeyAttributes *keystore.KeyAttributes `yaml:"-" json:"-" mapstructure:"-"`
	// contains filtered or unexported fields
}
func DefaultTestConfig ¶
func DefaultTestConfig() *App
func TestConfigWithFS ¶
func (*App) AttestLocal ¶
Performs a local TPM 2.0 attestation using the given server key attributes and returns the resulting quote together with a byte slice, presumably the nonce that was quoted (confirm against the implementation); the pair is what VerifyLocalQuote expects.
func (*App) DropPrivileges ¶
func (app *App) DropPrivileges()
If started as root, drops privileges after startup to the less-privileged application user (presumably the account named by RuntimeUser — confirm). Any work that genuinely requires root must therefore be completed before this is called.
func (*App) ImportEndorsementKeyCertificate ¶
func (app *App) ImportEndorsementKeyCertificate() (*x509.Certificate, error)
Import TPM Endorsement Certificate - EK Credential Profile. Attempts to import the EK certificate from the TPM into the CA. If an EK certificate is not found, and the ek-gen options are set in the platform configuration file, a new EK certificate will be generated and imported into the TPM or certificate store. If the ACME client is configured, the EK certificate is requested from the Enterprise CA, otherwise, the EK certificate is generated using the local CA. When no EK certificate is present and no certificate authority is enabled to issue one, the package-level ErrMissingEKWithoutEnabledCA is the expected failure (confirm in the call path).
func (*App) Init ¶
func (app *App) Init(initParams *AppInitParams) (*App, error)
Initialize and start the platform based on the provided initialization parameters.
func (*App) InitACMEClient ¶
Initializes a new ACME client using the account email provided in the platform configuration.
func (*App) InitCA ¶
func (app *App) InitCA(soPIN, userPIN keystore.Password, initParams *AppInitParams) (ca.CertificateAuthority, error)
Initializes all Certificate Authorities provided in the platform configuration file and returns the selected "Platform CA" as the default CA used for Platform operations.
func (*App) InitIntermediateCA ¶
func (app *App) InitIntermediateCA( caParams *ca.CAParams, identity ca.Identity, parentCA ca.CertificateAuthority, soPIN, userPIN keystore.Password) (ca.CertificateAuthority, error)
Initializes an Intermediate Certificate Authority
func (*App) InitLogFile ¶
Initialize the platform log file
func (*App) InitPlatformKeyStore ¶
Initializes the Platform key store and returns an error on failure (the signature returns only an error; the store itself is presumably made available on App.PlatformKS — confirm). This is a TPM 2.0 key store used as a generic key and password store by the platform. The key store will be created and initialized if it doesn't already exist.
func (*App) InitRootCA ¶
func (app *App) InitRootCA( params *ca.CAParams, soPIN, userPIN keystore.Password) (ca.CertificateAuthority, error)
Initializes a Root / Parent Certificate Authority
func (*App) InitTPM ¶
func (app *App) InitTPM(soPIN, userPIN keystore.Password, initParams *AppInitParams) error
Initializes the Trusted Platform Module and provisions the platform. If the Security Officer or User PIN is set to the default, a new random 32-byte cryptographic PIN is generated. The entropy source is the rand.Reader configured in App.Random (crypto/rand by default — confirm). HSM TRNG support may be added in the future.
func (*App) InitWebServer ¶
Starts the embedded web server. When the initialize parameter is true, the web server's TLS certificate configuration is used to generate a new pre-configured TLS cert for the web server. If the common name matches the common name of the IDevID key attributes, then the IDevID key is used to generate the TLS certificate, otherwise, a new key will be generated whose common name matches the common name configured in the web server's TLS certificate configuration. If an ACME client section has been provided in the platform configuration, the ACME directory specified in this block will be used to sign the generated CSR. If an ACME cross-sign configuration is also present in the certificate configuration, the ACME directory provided in the cross-signing configuration will be used to cross-sign the certificate.
func (*App) KeyringFromConfig ¶
func (app *App) KeyringFromConfig( config *platform.KeyringConfig, fs afero.Fs, keyDir string, soPIN keystore.Password, userPIN keystore.Password, backend keystore.KeyBackend) (*platform.Keyring, error)
Returns a new platform keychain given a "keystores" config, the key directory, Security Officer secret and User PIN. An optional key backend may be provided to override the default storage location.
func (*App) NewACMECrossSigner ¶
func (app *App) NewACMECrossSigner(crossSigner acme.CrossSign, initialize bool) (*acme.Client, error)
Initializes a new ACME cross-signer client using the account email provided in the platform configuration.
func (*App) NewCertificateStore ¶
func (app *App) NewCertificateStore( blobStore blob.BlobStorer) (certstore.CertificateStorer, error)
Creates a new x509 certificate store, with an optional blob store backend to override the default storage location.
func (*App) OpenTPM ¶
Opens a connection to the TPM. The connection is unauthenticated, unverified and un-attested: nothing about the device's identity or state has been established at this point, so callers must not treat the TPM as trusted on the basis of this call alone — that requires provisioning (ProvisionPlatform) and attestation (AttestLocal / VerifyLocalQuote). A TPM software simulator is used if enabled in the TPM section of the platform configuration file; a simulator provides no hardware root of trust and is for development and test only.
func (*App) ParsePINs ¶
Parses the Security Officer and User PINs and returns a key store password object for each. If a provided PIN is set to the default password, a new random 32-byte key (AES-256 sized) is generated and used as the password instead.
func (*App) ProvisionPlatform ¶
func (app *App) ProvisionPlatform( soPIN, userPIN keystore.Password, initParams *AppInitParams) (*keystore.KeyAttributes, error)
Provisions the TPM per the platform configuration file and TCG provisioning guidance. This operation is destructive: it assumes a new TPM whose hierarchy authorizations are empty, and it clears the TPM before proceeding, so any keys or authorizations already present are lost. It then sets the hierarchy authorizations and creates a persistent EK, Shared SRK, and, if configured, an IAK and IDevID in accordance with TCG and IEEE 802.1AR for secure device identification and authentication. https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
func (*App) ServiceRegistry ¶
Returns a singleton instance of the platform service registry
func (*App) VerifyLocalQuote ¶
func (app *App) VerifyLocalQuote( akAttrs *keystore.KeyAttributes, quote tpm2.Quote, nonce []byte) error
Verifies a local TPM 2.0 quote against the given attestation key attributes and the nonce that was quoted; a quote whose signature does not verify presumably yields the package-level ErrInvalidLocalAttestationSignature (confirm).
type AppInitParams ¶
type AppVersion ¶
// AppVersion is the JSON-serializable build identity returned by GetVersion.
// Its fields mirror the package-level build variables (Name, Repository,
// Package, Version, GitBranch, GitTag, GitHash, BuildDate, BuildUser); the
// Image variable is not included.
type AppVersion struct {
	Name       string `json:"name"`
	Repository string `json:"repository"`
	Package    string `json:"package"`
	Version    string `json:"version"`
	GitBranch  string `json:"gitBranch"`
	GitTag     string `json:"gitTag"`
	GitHash    string `json:"gitHash"`
	BuildDate  string `json:"buildDate"`
	BuildUser  string `json:"buildUser"`
}
func GetVersion ¶
func GetVersion() *AppVersion
type Environment ¶
// Environment names the deployment environment the platform is running in.
// The known values are EnvDev, EnvPreProd, EnvProd and EnvTest; use
// ParseEnvironment to convert a configured string into one of them.
type Environment string
func ParseEnvironment ¶
func ParseEnvironment(env string) Environment
func (Environment) String ¶
func (e Environment) String() string