attestor

package
v0.0.0-...-2745bd0
Published: Jul 18, 2024 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	ErrInvalidCACertificate  = errors.New("attestor: failed to add CA certificate to x509 certificate pool")
	ErrConnectionFailed      = errors.New("attestor: connection failed")
	ErrUnknownVerifier       = errors.New("attestor: unknown attestation verifier")
	ErrInvalidClientCertPool = errors.New("attestor: invalid verifier certificate pool")
)
var (
	ErrInternalServerError = errors.New("grpc-secure-server: internal server error")
)

Functions

This section is empty.

Types

type Attest

type Attest struct {
	Attestor
	// contains filtered or unexported fields
}

func (*Attest) AddVerifierCABundle

func (attestor *Attest) AddVerifierCABundle(verifier string, bundle []byte) error

Adds a verifier / service provider's CA bundle to the trusted client certificate pool.

func (*Attest) RemoveVerifierCABundle

func (attestor *Attest) RemoveVerifierCABundle(verifier string)

Removes a verifier / service provider's CA bundle from the in-memory trusted client certificate pool.

type Attestor

type Attestor interface {
	Run() error
	AddVerifierCABundle(verifier string, bundle []byte) error
	RemoveVerifierCABundle(verifier string)
}

func NewAttestor

func NewAttestor(app *app.App) (Attestor, error)

Creates a new Attestor (client role)

type InsecureAttestor

type InsecureAttestor struct {
	pb.InsecureAttestorServer
	// contains filtered or unexported fields
}

Insecure gRPC web service without TLS encryption

func (*InsecureAttestor) GetCABundle

func (s *InsecureAttestor) GetCABundle(
	ctx context.Context,
	in *pb.CABundleRequest) (*pb.CABundleReply, error)

Provide the Verifier our CA certificate bundle over an insecure connection. This allows the Verifier to add the bundle to their CertPool to verify the certificate used by our gRPC TLS service, effectively "upgrading" to a secure mTLS encrypted gRPC connection. The verifier must be explicitly set in the "allowed-verifiers" configuration variable to be allowed to connect and retrieve the certificate bundle (and perform remote attestation).
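The per-verifier trust handling that AddVerifierCABundle, RemoveVerifierCABundle and the "allowed-verifiers" gate describe, as an added illustration written for this page rather than the attestor package's own code: the VerifierPools type and its fields, the CA-minting helper and the verifier names are assumptions, while the two error values mirror the exported ones listed above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)
// Sentinel errors with the names and messages the attestor package exports.
var ErrInvalidCACertificate = errors.New("attestor: failed to add CA certificate to x509 certificate pool")
var ErrUnknownVerifier = errors.New("attestor: unknown attestation verifier")
// VerifierPools is a constructed stand-in for Attest's unexported state: one CA pool per allowed verifier.
type VerifierPools struct {
	allowed map[string]bool // names from the "allowed-verifiers" configuration variable
	pools   map[string]*x509.CertPool
}

// AddVerifierCABundle refuses unknown verifiers and PEM data that yields no certificate.
func (p *VerifierPools) AddVerifierCABundle(verifier string, bundle []byte) error {
	if !p.allowed[verifier] {
		return ErrUnknownVerifier
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return ErrInvalidCACertificate // corrupt or non-PEM data never becomes a trusted client CA
	}
	p.pools[verifier] = pool
	return nil
}

// RemoveVerifierCABundle drops the verifier's pool when the session closes.
func (p *VerifierPools) RemoveVerifierCABundle(verifier string) { delete(p.pools, verifier) }
// selfSignedCA mints a throwaway CA certificate as constructed input for the example.
func selfSignedCA() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example verifier CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	p := &VerifierPools{allowed: map[string]bool{"verifier.example": true}, pools: map[string]*x509.CertPool{}}
	fmt.Println(p.AddVerifierCABundle("verifier.example", selfSignedCA())) // <nil>
	fmt.Println(p.AddVerifierCABundle("rogue.example", selfSignedCA()))    // attestor: unknown attestation verifier
}
```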

func (*InsecureAttestor) SetAttestor

func (a *InsecureAttestor) SetAttestor(attestor Attestor)

type SecureAttestor

type SecureAttestor struct {
	pb.TLSAttestorClient
	pb.UnimplementedTLSAttestorServer
	// contains filtered or unexported fields
}

Secure TLS encrypted gRPC web service

func NewSecureAttestor

func NewSecureAttestor(attestor Attestor, app *app.App) *SecureAttestor

func (*SecureAttestor) AcceptCertificate

func (s *SecureAttestor) AcceptCertificate(
	ctx context.Context,
	in *pb.AcceptCertificateResquest) (*pb.Null, error)

Accepts an issued Attestation Key (device) certificate from the Verifier

func (*SecureAttestor) ActivateCredential

Performs TPM2_ActivateCredential, loading the EK and AK into the TPM with an authorization policy that releases the AK for decrypting the credential challenge only to the salted HMAC session that was created during the call that generated the Attestation Key. The authorization policy is also salted with a TPM-generated nonce to protect against replay attacks. If encryption is enabled, the bus between the TPM and the CPU is encrypted with AES-128.
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_makecredential.1.md
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_activatecredential.1.md

func (*SecureAttestor) Close

func (s *SecureAttestor) Close(ctx context.Context, in *pb.Null) (*pb.Null, error)

Cleans up the session by removing the Verifier's CA bundle from memory

func (*SecureAttestor) GetAK

func (s *SecureAttestor) GetAK(ctx context.Context, in *pb.Null) (*pb.AKReply, error)

Returns the Attestation Key (AK) from the TPM. The AK is generated from the EK.

func (*SecureAttestor) GetEKCert

func (s *SecureAttestor) GetEKCert(ctx context.Context, in *pb.Null) (*pb.EKCertReply, error)

Returns the Attestor TPM Endorsement Key x509 Certificate in raw ASN.1 DER form

func (*SecureAttestor) OnConnect

func (s *SecureAttestor) OnConnect()

Opens a new connection to the TPM if one is not already open

func (*SecureAttestor) Quote

Performs a TPM_Quote using the requested PCRs and nonce

type Session

type Session struct {
	// contains filtered or unexported fields
}
