Documentation ¶
Index ¶
- Variables
- type Attest
- type Attestor
- type InsecureAttestor
- type SecureAttestor
- func (s *SecureAttestor) AcceptCertificate(ctx context.Context, in *pb.AcceptCertificateResquest) (*pb.Null, error)
- func (s *SecureAttestor) ActivateCredential(ctx context.Context, in *pb.ActivateCredentialRequest) (*pb.ActivateCredentialResponse, error)
- func (s *SecureAttestor) Close(ctx context.Context, in *pb.Null) (*pb.Null, error)
- func (s *SecureAttestor) GetAK(ctx context.Context, in *pb.Null) (*pb.AKReply, error)
- func (s *SecureAttestor) GetEKCert(ctx context.Context, in *pb.Null) (*pb.EKCertReply, error)
- func (s *SecureAttestor) OnConnect()
- func (s *SecureAttestor) Quote(ctx context.Context, in *pb.QuoteRequest) (*pb.QuoteResponse, error)
- type Session
Constants ¶
This section is empty.
Variables ¶
var (
ErrInvalidCACertificate = errors.New("attestor: failed to add CA certificate to x509 certificate pool")
ErrConnectionFailed = errors.New("attestor: connection failed")
ErrUnknownVerifier = errors.New("attestor: unknown attestation verifier")
ErrInvalidClientCertPool = errors.New("attestor: invalid verifier certificate pool")
)
var (
ErrInternalServerError = errors.New("grpc-secure-server: internal server error")
)
Functions ¶
This section is empty.
Types ¶
type Attest ¶
type Attest struct {
Attestor
// contains filtered or unexported fields
}
func (*Attest) AddVerifierCABundle ¶
Adds a verifier / service provider's CA bundle to the trusted client certificate pool.
func (*Attest) RemoveVerifierCABundle ¶
Removes a verifier / service provider's CA bundle from the in-memory trusted client certificate pool.
type Attestor ¶
type InsecureAttestor ¶
type InsecureAttestor struct {
pb.InsecureAttestorServer
// contains filtered or unexported fields
}
Insecure, non-TLS-encrypted gRPC web service
func (*InsecureAttestor) GetCABundle ¶
func (s *InsecureAttestor) GetCABundle(ctx context.Context, in *pb.CABundleRequest) (*pb.CABundleReply, error)
Provides the Verifier with our CA certificate bundle over an insecure connection. This lets the Verifier add the bundle to its CertPool and verify the certificate used by our gRPC TLS service, effectively "upgrading" to a secure, mTLS-encrypted gRPC connection. The verifier must be explicitly listed in the "allowed-verifiers" configuration variable to be allowed to connect, retrieve the certificate bundle and perform remote attestation.
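An added example (not the package's own code) of the two checks the bundle exchange above relies on: the "allowed-verifiers" allow-list and the verifier CA certificate pool. The AddVerifierCABundle and SelfSignedCAPEM helpers and the sentinel error values are hypothetical stand-ins, and the self-signed CA is constructed so the code runs without a real verifier's bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-ins for the package's exported sentinel errors.
var ErrInvalidCACertificate = errors.New("attestor: failed to add CA certificate to x509 certificate pool")
var ErrUnknownVerifier = errors.New("attestor: unknown attestation verifier")

// AddVerifierCABundle (hypothetical) enforces the "allowed-verifiers" allow-list before parsing, then
// rejects bundles that add no CA cert to the pool (the pool later becomes tls.Config.ClientCAs for mTLS).
func AddVerifierCABundle(pool *x509.CertPool, allowed map[string]bool, verifier string, bundlePEM []byte) error {
	if !allowed[verifier] {
		return ErrUnknownVerifier
	}
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return ErrInvalidCACertificate
	}
	return nil
}

// SelfSignedCAPEM builds a constructed CA so the example runs without real verifier material.
func SelfSignedCAPEM(cn string) ([]byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the CSPRNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pool, allowed := x509.NewCertPool(), map[string]bool{"verifier.example": true}
	bundle, _ := SelfSignedCAPEM("verifier.example CA")
	fmt.Println(AddVerifierCABundle(pool, allowed, "verifier.example", bundle)) // <nil>
	fmt.Println(AddVerifierCABundle(pool, allowed, "rogue.example", bundle))    // rejected by allow-list
}
```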
func (*InsecureAttestor) SetAttestor ¶
func (a *InsecureAttestor) SetAttestor(attestor Attestor)
type SecureAttestor ¶
type SecureAttestor struct {
pb.TLSAttestorClient
pb.UnimplementedTLSAttestorServer
// contains filtered or unexported fields
}
Secure, TLS-encrypted gRPC web service
func NewSecureAttestor ¶
func NewSecureAttestor(attestor Attestor, app *app.App) *SecureAttestor
func (*SecureAttestor) AcceptCertificate ¶
func (s *SecureAttestor) AcceptCertificate(ctx context.Context, in *pb.AcceptCertificateResquest) (*pb.Null, error)
Accepts an issued Attestation Key (device) certificate from the Verifier
func (*SecureAttestor) ActivateCredential ¶
func (s *SecureAttestor) ActivateCredential(ctx context.Context, in *pb.ActivateCredentialRequest) (*pb.ActivateCredentialResponse, error)
Performs TPM2_ActivateCredential, loading the EK and AK into the TPM with an authorization policy that releases the AK to decrypt the credential challenge only to the salted HMAC session created during the call that created the Attestation Key. The authorization policy is also salted with a TPM-generated nonce to protect against replay attacks. If encryption is enabled, the bus between the TPM and the CPU is encrypted with AES-128.
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_makecredential.1.md
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_activatecredential.1.md
func (*SecureAttestor) Close ¶
Cleans up the session by removing the Verifier's CA bundle from memory
func (*SecureAttestor) GetAK ¶
Returns the Attestation Key (AK) from the TPM. The AK is generated from the EK.
func (*SecureAttestor) GetEKCert ¶
func (s *SecureAttestor) GetEKCert(ctx context.Context, in *pb.Null) (*pb.EKCertReply, error)
Returns the Attestor's TPM Endorsement Key (EK) x509 certificate in raw ASN.1 DER form
func (*SecureAttestor) OnConnect ¶
func (s *SecureAttestor) OnConnect()
Opens a new connection to the TPM if one is not already open
func (*SecureAttestor) Quote ¶
func (s *SecureAttestor) Quote(ctx context.Context, in *pb.QuoteRequest) (*pb.QuoteResponse, error)
Performs a TPM_Quote using the requested PCRs and nonce