
Constants

This section is empty.

Variables

var (
	// ErrMissingEKWithoutEnabledCA is returned when no EK certificate is found
	// and one cannot be generated because the certificate authority is not
	// enabled.
	ErrMissingEKWithoutEnabledCA        = errors.New("trusted-platform: EK certificate not found and unable to generate because the certificate authority is not enabled")
	// ErrInvalidLocalAttestationSignature is returned when the signature on a
	// local attestation fails verification.
	ErrInvalidLocalAttestationSignature = errors.New("trusted-platform: local attestation signature verification failed")

	// Recognized Environment values.
	// NOTE(review): these are package-level vars, not consts, so any importer can
	// reassign them at runtime; consider `const` unless a caller takes their address.
	ENV_DEV     Environment = "dev"
	ENV_PREPROD Environment = "preprod"
	ENV_PROD    Environment = "prod"

	// DefaultConfig is the baseline App configuration. Random is wired to
	// rand.Reader (crypto/rand, given the io.Reader field type), and the
	// CA and web service sections point at the package defaults of ca and
	// webservice respectively. LogDir and PlatformDir are relative paths;
	// how they are resolved is not visible here.
	DefaultConfig = App{
		CAConfig:    &ca.DefaultConfig,
		ConfigDir:   "/etc/trusted-platform",
		LogDir:      "trusted-data/log",
		Logger:      logging.DefaultLogger(),
		PlatformDir: "trusted-data",
		Random:      rand.Reader,
		TPMConfig:   tpm2.DefaultConfig,
		WebService:  &webservice.DefaultConfigECDSA,
	}
)
// Build and release metadata for this binary. The values are left empty
// here; presumably they are injected at link time (e.g. -ldflags "-X ...")
// by the build scripts — confirm against the build configuration.
// GetVersion reports the same field set via AppVersion.
var (
	Name,
	Repository,
	Package,
	Version,
	BuildDate,
	BuildUser,
	GitBranch,
	GitTag,
	GitHash,
	Image string
)

Functions

This section is empty.

Types

type App

// App holds the platform configuration and the runtime objects built from it.
// Fields tagged `yaml:"-" json:"-" mapstructure:"-"` are runtime-only: they are
// never read from or written to the configuration file or serialized, so
// handles such as the TPM, CA and key stores cannot leak through config output.
type App struct {
	// Argon2 parameters; presumably used for password hashing — confirm against keystore usage.
	Argon2              argon2.Argon2Config         `yaml:"argon2" json:"argon2" mapstructure:"argon2"`
	// Attestation section of the platform configuration.
	AttestationConfig   config.Attestation          `yaml:"attestation" json:"attestation" mapstructure:"attestation"`
	// Blob storage backend (runtime only).
	BlobStore           blob.BlobStorer             `yaml:"-" json:"-" mapstructure:"-"`
	// Platform CA selected by InitCA/LoadCA (runtime only).
	CA                  ca.CertificateAuthority     `yaml:"-" json:"-" mapstructure:"-"`
	// Certificate authority section; DefaultConfig points it at ca.DefaultConfig.
	CAConfig            *ca.Config                  `yaml:"certificate-authority" json:"certificate_authority" mapstructure:"certificate-authority"`
	// Directory holding the platform configuration; "/etc/trusted-platform" in DefaultConfig.
	ConfigDir           string                      `yaml:"config-dir" json:"config_dir" mapstructure:"config-dir"`
	// Enables debug output.
	DebugFlag           bool                        `yaml:"debug" json:"debug" mapstructure:"debug"`
	// NOTE(review): name suggests secret material is emitted in debug output when
	// set — confirm, and treat as development-only.
	DebugSecretsFlag    bool                        `yaml:"debug-secrets" json:"debug-secrets" mapstructure:"debug-secrets"`
	// Domain, Hostname and Hostmaster describe the platform's identity;
	// FQDN presumably derives the routable name from Domain and Hostname — confirm.
	Domain              string                      `yaml:"domain" json:"domain" mapstructure:"domain"`
	// Active environment (dev/preprod/prod); runtime only, see ParseEnvironment.
	Environment         Environment                 `yaml:"-" json:"-" mapstructure:"-"`
	// Filesystem abstraction used for platform files (runtime only).
	FS                  afero.Fs                    `yaml:"-" json:"-" mapstructure:"-"`
	Hostname            string                      `yaml:"hostname" json:"hostname" mapstructure:"hostname"`
	Hostmaster          string                      `yaml:"hostmaster" json:"hostmaster" mapstructure:"hostmaster"`
	// Address the web service listens on.
	ListenAddress       string                      `yaml:"listen" json:"listen" mapstructure:"listen"`
	// Log directory; "trusted-data/log" in DefaultConfig.
	LogDir              string                      `yaml:"log-dir" json:"log_dir" mapstructure:"log-dir"`
	// Platform logger (runtime only).
	Logger              *logging.Logger             `yaml:"-" json:"-" mapstructure:"-"`
	// Root of platform data; "trusted-data" in DefaultConfig.
	PlatformDir         string                      `yaml:"platform-dir" json:"platform_dir" mapstructure:"platform-dir"`
	// TPM 2.0 backed key store used as a generic key and password store (runtime only).
	PlatformKS          tpm2ks.PlatformKeyStorer    `yaml:"-" json:"-" mapstructure:"-"`
	// x509 certificate store (runtime only).
	PlatformCertStore   certstore.CertificateStorer `yaml:"-" json:"-" mapstructure:"-"`
	// Entropy source for key and PIN generation; rand.Reader in DefaultConfig (runtime only).
	Random              io.Reader                   `yaml:"-" json:"-" mapstructure:"-"`
	// Lesser-privileged user; presumably the account DropPrivileges switches to — confirm.
	RuntimeUser         string                      `yaml:"runtime-user" json:"runtime_user" mapstructure:"runtime-user"`
	// Signer store (runtime only).
	SignerStore         keystore.SignerStorer       `yaml:"-" json:"-" mapstructure:"-"`
	// Open TPM handle (runtime only); see OpenTPM.
	TPM                 tpm2.TrustedPlatformModule  `yaml:"-" json:"-" mapstructure:"-"`
	// TPM section of the platform configuration.
	TPMConfig           tpm2.Config                 `yaml:"tpm" json:"tpm" mapstructure:"tpm"`
	// Web service section; DefaultConfig points it at webservice.DefaultConfigECDSA.
	WebService          *config.WebService          `yaml:"webservice" json:"webservice" mapstructure:"webservice"`
	// Attributes of the server key (runtime only); presumably what AttestLocal
	// receives as serverAttrs — confirm.
	ServerKeyAttributes *keystore.KeyAttributes     `yaml:"-" json:"-" mapstructure:"-"`
}

func DefaultTestConfig

func DefaultTestConfig() *App

func NewApp

func NewApp() *App

func TestConfigWithFS

func TestConfigWithFS(fs afero.Fs) *App

func (*App) AttestLocal

func (app *App) AttestLocal(serverAttrs *keystore.KeyAttributes) (tpm2.Quote, []byte, error)

Performs a local TPM 2.0 attestation

func (*App) DropPrivileges

func (app *App) DropPrivileges()

If started as root, drop the privileges after startup to the lesser privileged app user.

func (*App) FQDN

func (app *App) FQDN() string

Returns the platform's publicly routable Fully Qualified Domain Name.

func (*App) ImportEndorsementKeyCertificate

func (app *App) ImportEndorsementKeyCertificate() (*x509.Certificate, error)

Import TPM Endorsement Certificate - EK Credential Profile. Attempts to import the EK certificate from the TPM into the CA. If an EK certificate is not found, and the ek-gen options are set in the platform configuration file, a new EK certificate will be generated and imported into the TPM or certificate store.

func (*App) Init

func (app *App) Init(initParams *AppInitParams) (*App, error)

Initialize the platform by loading the platform configuration file and initializing the platform logger.

func (*App) InitCA

func (app *App) InitCA(
	selectedCA int,
	soPIN, userPIN keystore.Password) (ca.CertificateAuthority, error)

Initializes all Certificate Authorities provided in the platform configuration file and returns the selected "Platform CA" as the default CA used for Platform operations.

func (*App) InitIntermediateCA

func (app *App) InitIntermediateCA(
	caParams *ca.CAParams,
	identity ca.Identity,
	parentCA ca.CertificateAuthority,
	soPIN, userPIN keystore.Password) (ca.CertificateAuthority, error)

Initializes an Intermediate Certificate Authority

func (*App) InitLogFile

func (app *App) InitLogFile(uid, gid int) afero.File

Initialize the platform log file

func (*App) InitPlatformKeyStore

func (app *App) InitPlatformKeyStore(soPIN, userPIN keystore.Password) error

Initializes the Platform key store. This is a TPM 2.0 key store used as a generic key and password store by the platform. The key store will be created and initialized if it doesn't already exist.

func (*App) InitRootCA

func (app *App) InitRootCA(
	params *ca.CAParams,
	soPIN, userPIN keystore.Password) (ca.CertificateAuthority, error)

Initializes a Root / Parent Certificate Authority

func (*App) InitTPM

func (app *App) InitTPM(selectedCA int, soPIN, userPIN []byte) error

Initializes the Trusted Platform Module and provisions the platform. If the Security Officer or User PIN is set to the default, a new random 32-byte cryptographic PIN will be generated. The random input source for entropy is the Golang runtime rand.Reader. Possibly in the future this will support an HSM TRNG.

func (*App) InitWebServices

func (app *App) InitWebServices() error

Check the CA for a TLS web server certificate. Create a new certificate if it doesn't exist.

func (*App) KeyringFromConfig

func (app *App) KeyringFromConfig(
	config *platform.KeyringConfig,
	fs afero.Fs,
	keyDir string,
	soPIN keystore.Password,
	userPIN keystore.Password,
	backend keystore.KeyBackend) (*platform.Keyring, error)

Returns a new platform keyring given a "keystores" config, the key directory, the security officer PIN and the user PIN. An optional key backend may be provided to override the default storage location.

func (*App) LoadCA

func (app *App) LoadCA(userPIN keystore.Password) error

Loads an initialized Certificate Authority

func (*App) NewCertificateStore

func (app *App) NewCertificateStore(
	blobStore blob.BlobStorer) (certstore.CertificateStorer, error)

Creates a new x509 certificate store, with an optional blob store backend to override the default storage location.

func (*App) OpenTPM

func (app *App) OpenTPM() error

Opens a connection to the TPM, using an unauthenticated, unverified and un-attested connection. A TPM software simulator is used if enabled in the TPM section of the platform configuration file.

func (*App) ParsePINs

func (app *App) ParsePINs(soPIN, userPIN []byte) (keystore.Password, keystore.Password, error)

Parses the Security Officer and User PINs and returns a key store password object for each. If a provided PIN is set to the default password, a new random AES-256 32-byte key is generated and used as the password instead.

func (*App) ProvisionPlatform

func (app *App) ProvisionPlatform(
	selectedCA int,
	soPIN, userPIN keystore.Password) (*keystore.KeyAttributes, error)

Provisions the TPM per the platform configuration file and TCG provisioning guidance. This operation assumes a new TPM whose hierarchy authorizations are empty. This function clears the TPM, sets the hierarchy authorizations, creates a persistent EK and shared SRK and, if configured, an IAK and IDevID in accordance with TCG and IEEE 802.1AR for secure device identification and authentication. https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf

func (*App) VerifyLocalQuote

func (app *App) VerifyLocalQuote(
	akAttrs *keystore.KeyAttributes,
	quote tpm2.Quote,
	nonce []byte) error

Verifies a local TPM 2.0 quote

type AppInitParams

// AppInitParams carries the command-line / startup inputs consumed by App.Init.
// The field-to-App mapping is not visible here; the notes below are inferred
// from field names and the documented method signatures.
type AppInitParams struct {
	// CADir, ConfigDir, PlatformDir and LogDir override the corresponding directories.
	CADir         string
	ConfigDir     string
	// Debug and DebugSecrets presumably map to App.DebugFlag / App.DebugSecretsFlag — confirm.
	Debug         bool
	DebugSecrets  bool
	// Env is the environment name; presumably parsed with ParseEnvironment — confirm.
	Env           string
	// EKCert: presumably a path to an EK certificate to import — confirm against ImportEndorsementKeyCertificate.
	EKCert        string
	// Initialize requests first-time platform initialization (presumed from the name).
	Initialize    bool
	// PlatformCA selects the Platform CA; presumably the selectedCA index passed to InitCA/InitTPM — confirm.
	PlatformCA    int
	PlatformDir   string
	ListenAddress string
	LogDir        string
	// Pin and SOPin are the User and Security Officer PINs as raw bytes; per
	// ParsePINs/InitTPM, a default value is replaced with a random 32-byte key.
	// These hold secret material in memory for the lifetime of the struct.
	Pin           []byte
	// RuntimeUser is the lesser-privileged user used after startup (see DropPrivileges).
	RuntimeUser   string
	SOPin         []byte
}

type AppVersion

// AppVersion is the JSON-serializable view of the build metadata returned by
// GetVersion. Its fields mirror the package-level build vars of the same names
// (Image is not included).
// NOTE(review): these tags use camelCase (gitBranch) while App's JSON tags use
// snake_case (config_dir); an inconsistency for API consumers to be aware of.
type AppVersion struct {
	Name       string `json:"name"`
	Repository string `json:"repository"`
	Package    string `json:"package"`
	Version    string `json:"version"`
	GitBranch  string `json:"gitBranch"`
	GitTag     string `json:"gitTag"`
	GitHash    string `json:"gitHash"`
	BuildDate  string `json:"buildDate"`
	BuildUser  string `json:"buildUser"`
}

func GetVersion

func GetVersion() *AppVersion

type Environment

// Environment names the deployment environment the platform runs in. The
// recognized values are ENV_DEV ("dev"), ENV_PREPROD ("preprod") and
// ENV_PROD ("prod"); ParseEnvironment converts a string to this type.
type Environment string

func ParseEnvironment

func ParseEnvironment(env string) Environment
