ca

package
v0.0.6-alpha.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 3, 2024 License: Apache-2.0 Imports: 34 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidConfig                = errors.New("certificate-authority: invalid configuration")
	ErrCertFuture                   = errors.New("certificate-authority: certificate issued in the future")
	ErrCertExpired                  = errors.New("certificate-authority: certificate expired")
	ErrDistributionPointExists      = errors.New("certificate-authority: distribution point already exists")
	ErrEncodingPEM                  = errors.New("certificate-authority: error encoding to PEM")
	ErrInvalidSignature             = errors.New("certificate-authority: invalid signature")
	ErrInvalidSignatureAlgorithm    = errors.New("certificate-authority: invalid signature algorithm")
	ErrCRLAlreadyExists             = errors.New("certificate-authority: revocation list already exists")
	ErrNoIssuingCA                  = errors.New("certificate-authority: no issuing CAs found in certificate")
	ErrCertNotSupported             = errors.New("certificate-authority: certificate contains unsupported configuration")
	ErrInvalidPublicKey             = errors.New("certificate-authority: invalid public key")
	ErrInvalidCurve                 = errors.New("certificate-authority: invalid ECC Curve")
	ErrPrivateKeyPasswordRequired   = errors.New("certificate-authority: private key password required")
	ErrNotInitialized               = errors.New("certificate-authority: not initialized")
	ErrAlreadyInitialized           = errors.New("certificate-authority: already initialized")
	ErrInvalidIntermediateSelection = errors.New("certificate-authority: invalid intermediate certificate authority selection")
	ErrUnsupportedHashAlgorithm     = errors.New("certificate-authority: unsupported hashing algorithm")
	ErrUnsupportedRSAScheme         = errors.New("certificate-authority: unsupported RSA padding scheme")
	ErrInvalidAttestationBlobType   = errors.New("certificate-authority: invalid attestation blob type")
	ErrParentCertificatesNotFound   = errors.New("certificate-authority: parent CA certificates not found in certificate store")
	ErrUnknownCA                    = errors.New("certificate-authority: unknown certificate authority")
	ErrMissingIssuerURL             = errors.New("certificate-authority: missing Issuing CA URL in certificate")
	ErrInvalidIssuer                = errors.New("certificate-authority: invalid certificate issuer")

	WarnNoSigningPassword = errors.New("certificate-authority: signing with an insecure private key")
)
View Source 
var (

	// Default PKCS #8, PKCS #11, and TPM 2.0 key stores
	DefaultPKCS11Config = Config{
		AutoImportIssuingCA:   true,
		RequireKeyPassword:    true,
		PlatformCA:            1,
		DefaultValidityPeriod: 10,
		IncludeLocalhostSANS:  true,
		SystemCertPool:        false,
		Identity: []Identity{

			{
				Valid: 1,
				Subject: Subject{
					CommonName:   "root-ca",
					Organization: "Example Corporation",
					Country:      "US",
					Locality:     "Miami",
					Address:      "123 acme street",
					PostalCode:   "12345"},
				SANS: &SubjectAlternativeNames{
					DNS: []string{
						"root-ca",
						"root-ca.localhost",
						"root-ca.localhost.localdomain",
					},
					IPs: []string{
						"127.0.0.1",
					},
					Email: []string{
						"root@localhost",
						"root@test.com",
					},
				},
				KeyringConfig: pkcs11Keyring,
				Keys:          append(keys, pkcs11Keys...),
			},

			{
				Valid: 1,
				Subject: Subject{
					CommonName:   "intermediate-ca",
					Organization: "Example Corporation",
					Country:      "US",
					Locality:     "Miami",
					Address:      "123 acme street",
					PostalCode:   "12345"},
				SANS: &SubjectAlternativeNames{
					DNS: []string{
						"intermediate-ca",
						"intermediate-ca.localhost",
						"intermediate-ca.localhost.localdomain",
					},
					IPs: []string{
						"127.0.0.1",
					},
					Email: []string{
						"root@localhost",
						"root@test.com",
					},
				},
				KeyringConfig: pkcs11Keyring,
				Keys:          append(keys, pkcs11Keys...),
			}},
	}

	// Default PKCS #8 and TPM 2.0 key store configuration
	DefaultConfig = Config{
		AutoImportIssuingCA:   true,
		RequireKeyPassword:    true,
		PlatformCA:            1,
		DefaultValidityPeriod: 10,
		IncludeLocalhostSANS:  true,
		SystemCertPool:        false,
		Identity: []Identity{

			{
				Valid: 1,
				Subject: Subject{
					CommonName:   "root-ca",
					Organization: "Example Corporation",
					Country:      "US",
					Locality:     "Miami",
					Address:      "123 acme street",
					PostalCode:   "12345"},
				SANS: &SubjectAlternativeNames{
					DNS: []string{
						"root-ca",
						"root-ca.localhost",
						"root-ca.localhost.localdomain",
					},
					IPs: []string{
						"127.0.0.1",
					},
					Email: []string{
						"root@localhost",
						"root@test.com",
					},
				},
				KeyringConfig: keyring,
				Keys:          keys,
			},

			{
				Valid: 1,
				Subject: Subject{
					CommonName:   "intermediate-ca",
					Organization: "Example Corporation",
					Country:      "US",
					Locality:     "Miami",
					Address:      "123 acme street",
					PostalCode:   "12345"},
				SANS: &SubjectAlternativeNames{
					DNS: []string{
						"intermediate-ca",
						"intermediate-ca.localhost",
						"intermediate-ca.localhost.localdomain",
					},
					IPs: []string{
						"127.0.0.1",
					},
					Email: []string{
						"root@localhost",
						"root@test.com",
					},
				},
				KeyringConfig: keyring,
				Keys:          keys,
			}},
	}
)
View Source 
var (
	ErrInvalidIssuingURL = errors.New("certificate-authority: invalid issuing URL")
	ErrUnsealFailure     = errors.New("certificate-authority: key unseal operation failed")

	InfoUsingDefaultCAKey = errors.New("certificate-authority: no matching key algorithm, using default CA key")

	ATTEST_BLOB_ROOT     string = "tpm2"
	ATTEST_BLOB_QUOTE           = "quote"
	ATTEST_BLOB_EVENTLOG        = "eventlog"
	ATTEST_BLOB_PCRS            = "pcrs"
)

Functions

func DebugCipherSuites 

func DebugCipherSuites(logger *logging.Logger)

Debug prints the secure, supported TLD cipher suites

func DebugInsecureCipherSuites 

func DebugInsecureCipherSuites(logger *logging.Logger)

Debug prints the insecure, unsupported TLs cipher suites

func DecodeCSR 

func DecodeCSR(csrPEM []byte) (*x509.CertificateRequest, error)

Decodes CSR bytes to x509.CertificateRequest

func DecodePEM 

func DecodePEM(bytes []byte) (*x509.Certificate, error)

Decodes PEM bytes to *x509.Certificate

func EncodeCSR 

func EncodeCSR(csr []byte) ([]byte, error)

Encodes a Certificate Signing Request to PEM form

func EncodePEM 

func EncodePEM(derCert []byte) ([]byte, error)

Encodes a raw DER byte array as a PEM byte array

func HomeDirectory 

func HomeDirectory(fs afero.Fs, platformDir, cn string) string

Parses the home directory for the provided CA parameters and platform root directory.

func NewCA 

func NewCA(params *CAParams) (CertificateAuthority, CertificateAuthority, error)

This function creates new Root and Intermediate x509 Certifiate Authorities according to the platform configuration file. First, an attempt is made to load them from a pre-existing initilization. If the CA hasn't been initialized, (missing CA public/private keys from the key store(s)), the Root and Intermediate CAs will be returned along with ErrNotInitalized.

ErrNotInitialized signals that Init needs to be called to initialize the CA key store(s). After initialization, subsequent invocations will load and return the CAs ready to use.

Types

type CA 

type CA struct {
	CertificateAuthority
	// contains filtered or unexported fields
}

func (*CA) Blob 

func (ca *CA) Blob(key []byte) ([]byte, error)

Returns the requested blob from the blob store

func (*CA) CABundle 

func (ca *CA) CABundle(
	storeType *keystore.StoreType,
	keyAlgorithm *x509.PublicKeyAlgorithm) ([]byte, error)

Returns the CA bundle for an Intermediate Certificate Authority

func (*CA) CABundleCertPool 

func (ca *CA) CABundleCertPool(
	storeType *keystore.StoreType,
	keyAlgorithm *x509.PublicKeyAlgorithm) (*(x509.CertPool), error)

Returns a x509.CertPool with the CA certificates bundled, If a key algorithm is not provided, the default CA key algorithm is used.

func (*CA) CAKeyAttributes 

func (ca *CA) CAKeyAttributes(
	storeType keystore.StoreType,
	keyAlgorithm x509.PublicKeyAlgorithm) (*keystore.KeyAttributes, error)

Returns the CA key attributes for the requested algorithm

func (*CA) CASigner 

func (ca *CA) CASigner(
	storeType *keystore.StoreType,
	algorithm *x509.PublicKeyAlgorithm) (crypto.Signer, error)

Returns a CA crypto.Signer for the provided algorithm. If an algorithm is not provided, the default CA key algorithm is used.

func (*CA) Certificate 

func (ca *CA) Certificate(keyAttrs *keystore.KeyAttributes) (*x509.Certificate, error)

Returns a validated x509 certificate from the certificate store

func (*CA) CertificateStore 

func (ca *CA) CertificateStore() certstore.CertificateStorer

Returns the CA's x509 certificate store

func (*CA) Checksum 

func (ca *CA) Checksum(key []byte) (bool, error)

Returns a blob checksum (hex)

func (*CA) CreateCSR 

func (ca *CA) CreateCSR(request CertificateRequest) ([]byte, error)

Creates a new Certificate Signing Request (CSR) and return it in ASN.1 DER form.

func (*CA) CrossSignedPEM 

func (ca *CA) CrossSignedPEM(attrs *keystore.KeyAttributes) ([]byte, error)

Returns a PEM certificate signed / issued by an external CA in conjunction with the local CA.

func (*CA) DefaultKeyAlgorithm 

func (ca *CA) DefaultKeyAlgorithm() x509.PublicKeyAlgorithm

Returns the CA's default key algorithm

func (*CA) DefaultSignatureAlgorithm 

func (ca *CA) DefaultSignatureAlgorithm() x509.SignatureAlgorithm

Returns the CA's default signature algorithm

func (*CA) DefaultValidityPeriod 

func (ca *CA) DefaultValidityPeriod() int

Returns the default number of days certificates issued by the CA are valid.

func (*CA) EndorsementKeyCertificate 

func (ca *CA) EndorsementKeyCertificate() ([]byte, error)

Returns the local TPM Endorsement Key x509 Certificate in PEM form

func (*CA) Exists 

func (ca *CA) Exists(cn string, algorithm x509.PublicKeyAlgorithm) bool

Returns true if the provided common name can be located in the certificate store.

func (*CA) Hash 

func (ca *CA) Hash() crypto.Hash

Returns the CA's default hash function

func (*CA) Identity 

func (ca *CA) Identity() Identity

Returns the Certificate Authority identity configuration

func (*CA) ImportAttestation 

func (ca *CA) ImportAttestation(
	akAttrs *keystore.KeyAttributes,
	blobType string,
	data []byte,
	backend keystore.KeyBackend) error

Signs the requested blob type using the CA public key and saves the signature, digest and blob to the signed blob keystore.

func (*CA) ImportAttestationEventLog 

func (ca *CA) ImportAttestationEventLog(
	signerAttrs *keystore.KeyAttributes,
	data []byte,
	backend keystore.KeyBackend) error

Signs the requested event log using the CA public key and saves the signature, digest and event log to the signed blob keystore.

func (*CA) ImportAttestationKeyCertificate 

func (ca *CA) ImportAttestationKeyCertificate(
	attrs *keystore.KeyAttributes, akDER []byte) error

Imports a TPM Attestation Key x509 certificate to the TPM blob storage partition in DER form.

func (*CA) ImportAttestationPCRs 

func (ca *CA) ImportAttestationPCRs(
	signerAttrs *keystore.KeyAttributes,
	pcrs []byte,
	backend keystore.KeyBackend) error

Signs the requested PCR list using the CA public key and saves the signature, digest and PCR list to the signed blob keystore.

func (*CA) ImportAttestationQuote 

func (ca *CA) ImportAttestationQuote(
	signerAttrs *keystore.KeyAttributes,
	data []byte,
	backend keystore.KeyBackend) error

Signs the requested quote using the CA public key and saves the signature, digest and quote to the signed blob keystore.

func (*CA) ImportBlob 

func (ca *CA) ImportBlob(key, data []byte) error

Saves a new blob to the blob store

func (*CA) ImportCertificate 

func (ca *CA) ImportCertificate(certificate *x509.Certificate) error

Import a x509 certificate to the certificate store

func (*CA) ImportCertificatePEM 

func (ca *CA) ImportCertificatePEM(attrs *keystore.KeyAttributes, pemBytes []byte) error

Import a PEM certificate to the certificate store. The certificate is parsed and verified prior to import to ensure it's valid.

func (*CA) ImportDistrbutionCRLs 

func (ca *CA) ImportDistrbutionCRLs(certificate *x509.Certificate) error

Download, verify and import all Distribution Point CRLs listed in the certificate The CRL(s) are added to the Certificate Authority 3rd party CRL store and used during certificate verifications.

func (*CA) ImportEndorsementKeyCertificate 

func (ca *CA) ImportEndorsementKeyCertificate(
	ekAttrs *keystore.KeyAttributes, ekCertBytes []byte) error

Imports a new TPM PEM encoded Endorsement Key into the certificate store

func (*CA) ImportIssuingCAs 

func (ca *CA) ImportIssuingCAs(cert *x509.Certificate) error

Download, verify and import all "CA Issuers" listed in the certificate and it's CRL into the Certificate Authority. The certificate(s) are added to the trusted certpool, but not installed to the operating system trust store.

func (*CA) ImportLocalAttestation 

func (ca *CA) ImportLocalAttestation(
	keyAttrs *keystore.KeyAttributes,
	quote tpm2.Quote,
	backend keystore.KeyBackend) error

func (*CA) ImportXSignedCertificate 

func (ca *CA) ImportXSignedCertificate(issuerCN string, certificate *x509.Certificate) error

Import a cross-signed certificae to the certificate store

func (*CA) Init 

func (ca *CA) Init(parentCA CertificateAuthority) error

The first time the Certificate Authority is run, it needs to be initialized. This process creates new Root and Intermediate CA(s) private / public key pairs and x509 signing certificate and saves them to the certificate store.

Subsequent calls to the CA can call Load(). The caller should check IsInitalized first to be certain the key and certificate store(s) are accessible and ready to service requests.

Certificates are saved to the certificate store in DER form. Other formats can be exported from the stores after they've been saved.

func (*CA) IsAutoImportingIssuerCAs 

func (ca *CA) IsAutoImportingIssuerCAs() bool

Returns true if auto-importing of CA certificates are enabled

func (*CA) IsInitialized 

func (ca *CA) IsInitialized() (bool, error)

Returns true if the Certificate Authority's configured keys are available to start servicing requests. A successful response indicates the Load() method is ready to be called. An unsuccessful response intidates Init() must be called to initialize the key and certificate store(s).

func (*CA) IsSigned 

func (ca *CA) IsSigned(key string) (bool, error)

Returns true if the specified blob key has a stored signature

func (*CA) IssueAKCertificate 

func (ca *CA) IssueAKCertificate(
	request CertificateRequest,
	pubKey crypto.PublicKey) (*x509.Certificate, error)

Creates a new private / public key pair for the purposes of an Attestation Key Certificate (AK Credential Profile), in DER form. This method returns the raw DER encoded []byte as returned from x509.CreateCertificate. https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf

func (*CA) IssueCertificate 

func (ca *CA) IssueCertificate(request CertificateRequest) ([]byte, error)

Generate a new private / public key pair and x509 certificate and import it to the certificate store in DER form. This method returns the raw DER encoded []byte as returned from x509.CreateCertificate.

func (*CA) IssueEKCertificate 

func (ca *CA) IssueEKCertificate(
	request CertificateRequest,
	ekPubKey crypto.PublicKey) (*x509.Certificate, error)

Creates a new private / public key pair for the purposes of a TPM Endorsement Certificate (EK Credential Profile), in DER form. This method returns the raw DER encoded []byte as returned from x509.CreateCertificate. https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf

func (*CA) Issued 

func (ca *CA) Issued(cn string) bool

Returns true if the provided common name has an issued certificate

func (*CA) Key 

func (ca *CA) Key(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

Returns the Certificate Authority's key chain

func (*CA) Keyring 

func (ca *CA) Keyring() *platform.Keyring

Returns the Certificate Authority identity configuration

func (*CA) Load 

func (ca *CA) Load() error

Load CA key attributes.

func (*CA) OSTrustStore 

func (ca *CA) OSTrustStore() OSTrustStore

Returns the operating system's CA trusted certificates store provider

func (*CA) PEM 

func (ca *CA) PEM(attrs *keystore.KeyAttributes) ([]byte, error)

Returns a PEM certifcate from the cert store as []byte or ErrCertNotFound if the certificate does not exist.

func (*CA) ParseBundle 

func (ca *CA) ParseBundle(bundle []byte) ([]*x509.Certificate, error)

Parses a PEM encoded CA bundle with multiple certificates and returns and array of x509 certificates that can be used for verification or creating a CertPool.

func (*CA) PubKey 

func (ca *CA) PubKey(attrs *keystore.KeyAttributes) (crypto.PublicKey, error)

Loads and parses a PKIX, ASN.1 DER RSA public key from the certificate store

func (*CA) Public 

func (ca *CA) Public() crypto.PublicKey

Returns the CA's default public key Implements crypto.PrivateKey Implements crypto.Decrypter

func (*CA) QuantumSafeTLSConfig 

func (ca *CA) QuantumSafeTLSConfig(attrs *keystore.KeyAttributes) (*tls.Config, error)

Returns a tls.Config for the requested common name populated with the Certificate Authority, cross-signed intermediates if any, and the end entity leaf certificate, defaulting to a hybrid, quantum-safe X25519 / Kyber768 key exchange.

func (*CA) Revoke 

func (ca *CA) Revoke(certificate *x509.Certificate, deleteKeys bool) error

Revoke a certificate

func (*CA) RootCertificate 

func (ca *CA) RootCertificate(cert *x509.Certificate) (*x509.Certificate, error)

Returns a cert pool initialized with the root certificate for the provided certificate.

func (*CA) Sign 

func (ca *CA) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

Implements crypto.Signer Signs a digest using the Certificate Authority public key. SignerOpts may be provided to override the signing key as well as perist blob storage.

func (*CA) SignCSR 

func (ca *CA) SignCSR(csrPEM []byte, request *CertificateRequest) (*x509.Certificate, error)

Signs a Certificate Signing Request (CSR) and save it to the cert store in DER and PEM form. This method returns the raw DER encoded []byte array as returned from x509.CreateCertificate.

func (*CA) SignTCGCSRIDevID 

func (ca *CA) SignTCGCSRIDevID(
	tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
	request *CertificateRequest) (iakDER []byte, idevidDER []byte, err error)

Signs a TCG-CSR-IDEVID Certificate Signing Request (CSR) and imports it to the certificate store in DER form. This method returns the raw DER encoded []byte array as returned from x509.CreateCertificate.

The TCG-CSR-IDEVID structure doesn't define a common name or any PKIX subject fields. If a nil CertificateRequest parameter is passed, the certificate generated from the TCG-CSR-IDEVID request uses the CA certificate PKIX subject configuration. The caller can use the StoreType parameter in the passed request parameter's key attributes to control which key store module the CA uses to sign the request. The CA must own a key in the requested key store, with a matching algorithm.

func (*CA) SignTCGCSRIDevIDBytes 

func (ca *CA) SignTCGCSRIDevIDBytes(
	tcgCSRIDevIDBytes []byte,
	request *CertificateRequest) (iakDER []byte, idevidDER []byte, err error)

func (*CA) Signature 

func (ca *CA) Signature(key string) ([]byte, error)

Returns a stored signature from the signed blob store

func (*CA) SignedBlob 

func (ca *CA) SignedBlob(key []byte) ([]byte, error)

Returns signed data from the signed blob store

func (*CA) SignedDigest 

func (ca *CA) SignedDigest(key string, hash crypto.Hash) (bool, error)

Returns a blob's signed digest from blob storage

func (*CA) Signer 

func (ca *CA) Signer(attrs *keystore.KeyAttributes) (crypto.Signer, error)

Returns a crypto.Signer for an issued certificate

func (*CA) TLSBundle 

func (ca *CA) TLSBundle(attrs *keystore.KeyAttributes) ([][]byte, *x509.Certificate, error)

Creates a TLS "bundle" containing the requested leaf certificate, the Certificate Authority's certificate, and any cross-signed certificates in ASN.1 DER form, and returns the certificate bundle and leaf.

func (*CA) TLSBundleWithCrossSigner 

func (ca *CA) TLSBundleWithCrossSigner(
	attrs *keystore.KeyAttributes, issuerCN string) ([][]byte, *x509.Certificate, error)

Creates a TLS "bundle" containing the requested leaf certificate, the Certificate Authority's certificate, and any cross-signed certificates in ASN.1 DER form, and returns the certificate bundle and leaf.

func (*CA) TLSCertificate 

func (ca *CA) TLSCertificate(attrs *keystore.KeyAttributes) (tls.Certificate, error)

Returns an x509 certificate KeyPair suited for tls.Config

func (*CA) TLSConfig 

func (ca *CA) TLSConfig(attrs *keystore.KeyAttributes) (*tls.Config, error)

Returns a tls.Config for the requested common name populated with the Certificate Authority, cross-signed intermediates if any, and the end entity leaf certificate.

func (*CA) TLSConfigWithXSigner 

func (ca *CA) TLSConfigWithXSigner(
	attrs *keystore.KeyAttributes, issuerCN string) (*tls.Config, error)

Returns a tls.Config for the requested common name populated with the Certificate Authority, cross-signed intermediates if any, and the end entity leaf certificate.

func (*CA) TrustedIntermediateCertPool 

func (ca *CA) TrustedIntermediateCertPool(
	certificate *x509.Certificate, xsignerCN *string) (*x509.CertPool, error)

Returns a cert pool initialized with the intermediate certificate for the provided leaf certificate. An optional cross-signing CA may be provided to include it's intermediate certificates in the returned CertPool.

func (*CA) TrustedRootCertPool 

func (ca *CA) TrustedRootCertPool(
	certificate *x509.Certificate, xsignerCN *string) (*x509.CertPool, error)

Returns a cert pool initialized with the root certificate for the provided certificate. An optional cross signing CA may be provided to include that CA's root certificate in the returned CertPool.

func (*CA) Verify 

func (ca *CA) Verify(certificate *x509.Certificate, xsignerCN *string) error

Verifies a certificate by checking the CA revocation list and loading it's issuer certificates from the private trusted root and intermediate certificate store if they exist. Issuer certificates will be automatically downloaded and installed to the appropriate certificate store partition if auto-import is enabled in the platform configuration file. An optional cross signer common name may be provided to include that external CA's root and intermediate certificates in the CertPool used to validate the provided certificate.

func (*CA) VerifyAttestationEventLog 

func (ca *CA) VerifyAttestationEventLog(akAttrs *keystore.KeyAttributes, eventLog []byte) error

func (*CA) VerifyAttestationPCRs 

func (ca *CA) VerifyAttestationPCRs(akAttrs *keystore.KeyAttributes, pcrs []byte) error

func (*CA) VerifyAttestationQuote 

func (ca *CA) VerifyAttestationQuote(akAttrs *keystore.KeyAttributes, quote []byte) error

func (*CA) VerifyQuote 

func (ca *CA) VerifyQuote(akAttrs *keystore.KeyAttributes, quote tpm2.Quote, nonce []byte) error

Verifies a TPM 2.0 quote using a previously captured event log and PCR state that's been signed and stored in the CA signed blob store.

Rather than parsing and replaying the event log, a more simplistic approach is taken, which verifies the current event log and secure boot state blobs with the state stored in the CA signed blob store captured during device enrollment or local attestation. This may change in the future. The rationale for this is partly due to the event log not being a reliable source for integrity checking to begin with: https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md

func (*CA) VerifySignature 

func (ca *CA) VerifySignature(digest, signature []byte, opts *keystore.VerifyOpts) error

Verifies a RSA PKCS1v15, RSA-PSS, ECDSA or Ed25519 digest

func (*CA) VerifyTCG_CSR_IDevID 

func (ca *CA) VerifyTCG_CSR_IDevID(
	tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
	signatureAlgorithm x509.SignatureAlgorithm) ([]byte, []byte, []byte, error)

Verifies a TCG_CSR_IDEVID Certificate Signing Request (CSR) per TCG TPM 2.0 Keys for Identity and Attestation - Section 6 - Identity Provisioning, using one of the supported strategies. The CA issues a challenge to the device to validate that the TPM has the EK matching the certificate in step 2b and that the IAK whose public area is included in 2c is loaded in the device�s TPM. The challenge data blob is created using the following procedure: a. Calculate the cryptographic Name of the IAK, by hashing its public area with its associated hash algorithm, prepended with the Algorithm ID of the hashing algorithm. Refer to TPM 2.0 Library Specification [2], Part 1, Section 16 (�Names�). b. Using the sequence described in TPM 2.0 Library Specification, Part 3, section 12.6.3 (�TPM2_MakeCredential Detailed Actions�), create the encrypted �credential� structure to be sent to the device. When building this encrypted structure, objectName is the Name of the IAK calculated in step �a� and Certificate (which is the payload field) holds a nonce (whose size matches the Name hash). Retain the nonce for use in later steps. c. The CA sends the encrypted �credential� blob to the enrolling TPM device.

func (*CA) VerifyTCG_CSR_IDevIDBytes 

func (ca *CA) VerifyTCG_CSR_IDevIDBytes(
	tcgCSRIDevIDBytes []byte,
	signatureAlgorithm x509.SignatureAlgorithm) ([]byte, []byte, []byte, error)

func (*CA) XSignedCertificate 

func (ca *CA) XSignedCertificate(issuerCN string, keyAttrs *keystore.KeyAttributes) (*x509.Certificate, error)

Returns a cross-signed certificate from the certificate store

func (*CA) XSignedIntermediateCertificates 

func (ca *CA) XSignedIntermediateCertificates(
	issuerCN string, cert *x509.Certificate) ([]*x509.Certificate, error)

Retrieves all intermediate CA certificates for the provided cross signing issuer's common name and leaf certificate.

func (*CA) XSignedRootCertificate 

func (ca *CA) XSignedRootCertificate(issuerCN string, cert *x509.Certificate) (*x509.Certificate, error)

Retrieves the root certificate for a cross signing CA

type CAParams 

type CAParams struct {
	Backend      keystore.KeyBackend
	BlobStore    blobstore.BlobStorer
	CertStore    certstore.CertificateStorer
	Config       Config
	Debug        bool
	DebugSecrets bool
	Fs           afero.Fs
	Home         string
	Identity     Identity
	Keyring      *platform.Keyring
	Logger       *logging.Logger
	Random       io.Reader
	SelectedCA   int
	SignerStore  keystore.SignerStorer
	TPM          tpm2.TrustedPlatformModule
}

type CertificateAuthority 

type CertificateAuthority interface {
	// AttestLocal(signerAttrs *keystore.KeyAttributes) error
	// AttestationEventLog(cn string) ([]byte, error)
	// AttestationPCRs(cn string) (map[string][][]byte, error)
	// AttestationQuote(cn string) ([]byte, error)
	// AttestationSignature(cn, blobType string) ([]byte, error)
	CABundle(storeType *keystore.StoreType, keyAlgorithm *x509.PublicKeyAlgorithm) ([]byte, error)
	CABundleCertPool(*keystore.StoreType, *x509.PublicKeyAlgorithm) (*x509.CertPool, error)
	CAKeyAttributes(
		storeType keystore.StoreType,
		keyAlgorithm x509.PublicKeyAlgorithm) (*keystore.KeyAttributes, error)
	CASigner(storeType *keystore.StoreType, algorithm *x509.PublicKeyAlgorithm) (crypto.Signer, error)
	Certificate(keyAttrs *keystore.KeyAttributes) (*x509.Certificate, error)
	CertificateStore() certstore.CertificateStorer
	Checksum(key []byte) (bool, error)
	CreateCSR(request CertificateRequest) ([]byte, error)
	CrossSignedPEM(attrs *keystore.KeyAttributes) ([]byte, error)
	DefaultKeyAlgorithm() x509.PublicKeyAlgorithm
	DefaultSignatureAlgorithm() x509.SignatureAlgorithm
	DefaultValidityPeriod() int
	EndorsementKeyCertificate() ([]byte, error)
	Exists(cn string, algorithm x509.PublicKeyAlgorithm) bool
	Hash() crypto.Hash
	Identity() Identity
	Init(parentCA CertificateAuthority) error
	IsAutoImportingIssuerCAs() bool
	IsInitialized() (bool, error)
	ImportAttestation(attestatomAttrs *keystore.KeyAttributes, blobType string, data []byte, backend keystore.KeyBackend) error
	ImportAttestationKeyCertificate(attrs *keystore.KeyAttributes, akDER []byte) error
	ImportAttestationEventLog(attestatomAttrs *keystore.KeyAttributes, data []byte, backend keystore.KeyBackend) error
	ImportAttestationPCRs(attestatomAttrs *keystore.KeyAttributes, pcrs []byte, backend keystore.KeyBackend) error
	ImportAttestationQuote(attestatomAttrs *keystore.KeyAttributes, data []byte, backend keystore.KeyBackend) error
	ImportCertificate(certificate *x509.Certificate) error
	ImportXSignedCertificate(issuerCN string, certificate *x509.Certificate) error
	ImportDistrbutionCRLs(cert *x509.Certificate) error
	ImportEndorsementKeyCertificate(attrs *keystore.KeyAttributes, ekCertBytes []byte) error
	ImportLocalAttestation(keyAttrs *keystore.KeyAttributes, quote tpm2.Quote, backend keystore.KeyBackend) error
	ImportIssuingCAs(certificate *x509.Certificate) error
	IssueCertificate(request CertificateRequest) ([]byte, error)
	Issued(cn string) bool
	ImportCertificatePEM(attrs *keystore.KeyAttributes, pemBytes []byte) error
	IssueAKCertificate(request CertificateRequest, pubKey crypto.PublicKey) (*x509.Certificate, error)
	IssueEKCertificate(request CertificateRequest, ekPubKey crypto.PublicKey) (*x509.Certificate, error)
	Load() error
	Key(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
	Keyring() *platform.Keyring
	ParseBundle(bundle []byte) ([]*x509.Certificate, error)
	PEM(attrs *keystore.KeyAttributes) ([]byte, error)
	Public() crypto.PublicKey
	Revoke(certificate *x509.Certificate, deleteKeys bool) error
	RootCertificate(child *x509.Certificate) (*x509.Certificate, error)
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	SignedBlob(key []byte) ([]byte, error)
	Signature(key string) ([]byte, error)
	IsSigned(key string) (bool, error)
	SignCSR(csrPEM []byte, request *CertificateRequest) (*x509.Certificate, error)
	SignedDigest(key string, hash crypto.Hash) (bool, error)
	Signer(attrs *keystore.KeyAttributes) (crypto.Signer, error)

	SignTCGCSRIDevID(
		tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
		request *CertificateRequest) (iakDER []byte, idevidDER []byte, err error)
	SignTCGCSRIDevIDBytes(
		tcgCSRIDevIDBytes []byte,
		request *CertificateRequest) (iakDER []byte, idevidDER []byte, err error)

	TLSCertificate(attrs *keystore.KeyAttributes) (tls.Certificate, error)
	TLSBundle(attrs *keystore.KeyAttributes) ([][]byte, *x509.Certificate, error)
	TLSConfig(attrs *keystore.KeyAttributes) (*tls.Config, error)
	TLSConfigWithXSigner(attrs *keystore.KeyAttributes, issuerCN string) (*tls.Config, error)
	OSTrustStore() OSTrustStore
	TrustedRootCertPool(certificate *x509.Certificate, xsignerCN *string) (*x509.CertPool, error)
	TrustedIntermediateCertPool(certificate *x509.Certificate, xsignerCN *string) (*x509.CertPool, error)
	Verify(certificate *x509.Certificate, xsignerCN *string) error
	VerifyAttestationEventLog(signerAttrs *keystore.KeyAttributes, eventLog []byte) error
	VerifyAttestationPCRs(signerAttrs *keystore.KeyAttributes, pcrs []byte) error
	VerifyAttestationQuote(signerAttrs *keystore.KeyAttributes, quote []byte) error
	VerifySignature(digest []byte, signature []byte, opts *keystore.VerifyOpts) error
	VerifyTCG_CSR_IDevID(
		tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
		signatureAlgorithm x509.SignatureAlgorithm) ([]byte, []byte, []byte, error)
	VerifyTCG_CSR_IDevIDBytes(
		tcgCSRIDevIDBytes []byte,
		signatureAlgorithm x509.SignatureAlgorithm) ([]byte, []byte, []byte, error)
	VerifyQuote(keyAttrs *keystore.KeyAttributes, quote tpm2.Quote, nonce []byte) error
	XSignedIntermediateCertificates(issuerCN string, cert *x509.Certificate) ([]*x509.Certificate, error)
}

func NewIntermediateCA 

func NewIntermediateCA(params *CAParams) (CertificateAuthority, error)

Create a new x509 Intermediate Certificate Authority.

func NewParentCA 

func NewParentCA(params *CAParams) (CertificateAuthority, error)

Creates a new x509 Root or Parent x509 Certificate Authority

type CertificateRequest 

type CertificateRequest struct {
	PermanentID   string                   `yaml:"permanent-id" json:"permanent_id" mapstructure:"permanent-id"`
	ProdModel     string                   `yaml:"prod-model" json:"prod_model" mapstructure:"prod-model"`
	ProdSerial    string                   `yaml:"prod-serial" json:"prod_serial" mapstructure:"prod-serial"`
	SANS          *SubjectAlternativeNames `yaml:"sans" json:"sans" mapstructure:"sans"`
	Subject       Subject                  `yaml:"subject" json:"subject" mapstructure:"subject"`
	Valid         int                      `yaml:"valid" json:"valid" mapstructure:"valid"`
	KeyAttributes *keystore.KeyAttributes  `yaml:"-" json:"-" mapstructure:"-"`
}

type Config 

type Config struct {
	AutoImportIssuingCA   bool       `yaml:"auto-import-issuing-ca" json:"auto_import_issuing_ca" mapstructure:"auto-import-issuing-ca"`
	DefaultValidityPeriod int        `yaml:"default-validity" json:"default_validity" mapstructure:"default-validity"`
	Identity              []Identity `yaml:"identity" json:"identity" mapstructure:"identity"`
	IncludeLocalhostSANS  bool       `yaml:"sans-include-localhost" json:"sans_include_localhost" mapstructure:"sans-include-localhost"`
	PlatformCA            int        `yaml:"platform-ca" json:"platform_ca" mapstructure:"platform-ca"`
	RequireKeyPassword    bool       `yaml:"require-password" json:"require-password" mapstructure:"require-password"`
	SystemCertPool        bool       `yaml:"system-cert-pool" json:"system_cert_pool" mapstructure:"system-cert-pool"`
	QuantumSafe           bool       `yaml:"quantum-safe" json:"quantum_safe" mapstructure:"quantum-safe"`
}

type DebianTrustStore 

type DebianTrustStore struct {
	OSTrustStore
	// contains filtered or unexported fields
}

func (*DebianTrustStore) Install 

func (store *DebianTrustStore) Install(cn string) error

func (*DebianTrustStore) Uninstall 

func (store *DebianTrustStore) Uninstall(cn string) error

func (*DebianTrustStore) UpdateCerts 

func (store *DebianTrustStore) UpdateCerts() error

type Identity 

type Identity struct {
	KeyringConfig *platform.KeyringConfig  `yaml:"keystores" json:"keystores" mapstructure:"keystores"`
	Keys          []*keystore.KeyConfig    `yaml:"keys" json:"keys" mapstructure:"keys"`
	SANS          *SubjectAlternativeNames `yaml:"sans" json:"sans" mapstructure:"sans"`
	Subject       Subject                  `yaml:"subject" json:"subject" mapstructure:"subject"`
	Valid         int                      `yaml:"valid" json:"valid" mapstructure:"valid"`
}

type OSTrustStore 

type OSTrustStore interface {
	Install(cn string) error
	Uninstall(cn string) error
}

func NewDebianTrustStore 

func NewDebianTrustStore(logger *logging.Logger, fs afero.Fs, certDir string) OSTrustStore

type Subject 

type Subject struct {
	CommonName         string `yaml:"cn" json:"cn" mapstructure:"cn"`
	Organization       string `yaml:"organization" json:"organization" mapstructure:"organization"`
	OrganizationalUnit string `yaml:"organizational-unit" json:"organizational_unit" mapstructure:"organizational-unit"`
	Country            string `yaml:"country" json:"country" mapstructure:"country"`
	Province           string `yaml:"province" json:"province" mapstructure:"province"`
	Locality           string `yaml:"locality" json:"locality" mapstructure:"locality"`
	Address            string `yaml:"address" json:"address" mapstructure:"address"`
	PostalCode         string `yaml:"postal-code" json:"postal_code" mapstructure:"postal-code"`
}

type SubjectAlternativeNames 

type SubjectAlternativeNames struct {
	DNS   []string `yaml:"dns" json:"dns" mapstructure:"dns"`
	IPs   []string `yaml:"ips" json:"ips" mapstructure:"ips"`
	Email []string `yaml:"email" json:"email" mapstructure:"email"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.