domain_service

package
v0.0.0-...-b5aa0b6
Published: Aug 30, 2017 License: Apache-2.0 Imports: 17 Imported by: 0

README

This is the full function version of the Domain service. It consists of two services.

The Program Key Domain Service receives attestations from CP programs and signs ProgramKeys. Before signing a Program key the service: (1) checks the program identity against the domain program database; (2) checks that the endorsement cert is valid and that neither the endorsement key nor its signer key has been revoked; (3) retrieves machine characteristics based on the endorsement cert; (4) checks that the security characteristics of the machine meet domain policy; (5) retrieves the validity period for the domain; (6) adds policy characteristics based on the machine and location to the Program cert.

The Revocation Service returns information about revoked certificates previously issued by the Program Key Domain Service.

Both services implement logs of all requests and responses.

Documentation

Overview

Package domain_service is a generated protocol buffer package.

It is generated from these files:

service.proto

It has these top-level messages:

DomainServiceRequest
DomainServiceResponse
TrustedEntities

Index

Constants

This section is empty.

Variables

var DomainServiceRequestRequestType_name = map[int32]string{
	1: "DOMAIN_CERT_REQUEST",
	2: "MANAGE_POLICY",
	3: "REVOKE_CERTIFICATE",
	4: "GET_CRL",
}
var DomainServiceRequestRequestType_value = map[string]int32{
	"DOMAIN_CERT_REQUEST": 1,
	"MANAGE_POLICY":       2,
	"REVOKE_CERTIFICATE":  3,
	"GET_CRL":             4,
}

Functions

func GenerateProgramCert

func GenerateProgramCert(domain *tao.Domain, serialNumber int, programPrin *auth.Prin,
	verifier *tao.Verifier, now, expiry time.Time) (*x509.Certificate, error)

This function generates a Program Certificate. In particular, it generates an attestation signed by the domain policy key, with a statement of the form 'policyKey says programCert speaksFor program', where programCert is an X509 cert signed by the policy key whose subject CommonName is the Tao name of the program and whose subject public key is the program key (verifier). The certificate's validity window is given by the now and expiry arguments.

func InitAcls

func InitAcls(domain *tao.Domain, trustedEntitiesPath string) error

This function reads in trusted entities from a file at trustedEntitiesPath. In particular, this file contains the text representation of a trusted_entities proto message, which contains the Tao names of trusted programs and hosts, information about trusted machines and trusted machine certificates. For each such trusted entity, this function adds ACL rules to the domain guard, and saves the changes before returning.

func RequestCrl

func RequestCrl(network, addr string) (*pkix.CertificateList, error)

This function sends a DomainServiceRequest of the type GET_CRL to the domain service, and deserializes the response into a pkix.CertificateList containing the revoked certificates.

func RequestProgramCert

func RequestProgramCert(hostAtt *tao.Attestation, verifier *tao.Verifier,
	network string, addr string) (*x509.Certificate, error)

This function packages a host attestation into a DomainServiceRequest of the type DOMAIN_CERT_REQUEST, sends it to the domain service, and parses the program certificate returned in the response (DerProgramCert) into an *x509.Certificate.

func RequestRevokeCertificate

func RequestRevokeCertificate(att *tao.Attestation, network, addr string) error

This function packages a certificate revocation request into a DomainServiceRequest of type REVOKE_CERTIFICATE and sends it to the domain service. It expects att to be an attestation signed by the domain policy key with a statement of the form 'policyKey says revoke certificateSerialNumber'.

func RevokeCertificate

func RevokeCertificate(serAtt []byte, revokedCerts []pkix.RevokedCertificate,
	domain *tao.Domain) ([]pkix.RevokedCertificate, error)

This function helps process a certificate revocation request. It expects serAtt to be a serialized attestation signed by the domain policy key with a statement of the form 'policyKey says revoke certificateSerialNumber'. It takes the current list of revoked certificates (revokedCerts), adds the named certificate to it if the revocation request is valid, and returns the updated list.
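The issue, revoke and check cycle that GenerateProgramCert, RevokeCertificate and RequestCrl describe, as an added stand-alone example that uses only Go's crypto/x509 rather than the tao package; this is not the project's own code. A self-signed ECDSA certificate stands in for the domain policy key and cert, the Tao program name and the serial numbers are constructed, and the revocation is applied directly as a CRL entry instead of going through the 'policyKey says revoke' attestation. The client-side point it adds is that a CRL fetched from the Revocation Service is only meaningful once its signature has been verified against the policy cert and its NextUpdate has been checked: a bad CRL must produce an error, never a "not revoked" answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueProgramCert follows the shape GenerateProgramCert documents: the policy key
// signs an X.509 cert whose subject CommonName is the program's Tao name, whose
// public key is programPub, and whose validity runs from now to expiry.
func issueProgramCert(policyCert *x509.Certificate, policyKey *ecdsa.PrivateKey, serial int64,
	taoName string, programPub *ecdsa.PublicKey, now, expiry time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: taoName},
		NotBefore: now, NotAfter: expiry, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, policyCert, programPub, policyKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildCRL signs the revoked list with the policy key and parses the result into
// the pkix.CertificateList type that RequestCrl returns to callers.
func buildCRL(policyCert *x509.Certificate, policyKey *ecdsa.PrivateKey,
	revoked []pkix.RevokedCertificate, now time.Time) (*pkix.CertificateList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, policyCert, policyKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCRL(der)
}

// isRevoked fails closed on a CRL that the policy cert did not sign or that is past
// its NextUpdate; only a trusted, fresh CRL is searched for cert's serial number.
func isRevoked(policyCert *x509.Certificate, crl *pkix.CertificateList, cert *x509.Certificate, now time.Time) (bool, error) {
	if err := policyCert.CheckCRLSignature(crl); err != nil || crl.HasExpired(now) {
		return false, fmt.Errorf("CRL rejected (signature error: %v, expired: %v)", err, crl.HasExpired(now))
	}
	for _, rc := range crl.TBSCertList.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// demoRevocation issues certs 42 and 43, revokes 42, checks both, then rejects a CRL with a corrupted signature.
func demoRevocation() (revoked42, revoked43 bool, tamperedErr error) {
	check := func(err error) {
		if err != nil {
			panic(err) // setup failure; not expected
		}
	}
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		return k
	}
	now := time.Now()
	// Self-signed stand-in for the domain policy cert; CRLSign and a SubjectKeyId are required to issue CRLs.
	policyTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example-domain-policy"}, SubjectKeyId: []byte{1, 2, 3, 4},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature}
	policyKey := newKey()
	der, err := x509.CreateCertificate(rand.Reader, policyTmpl, policyTmpl, &policyKey.PublicKey, policyKey)
	check(err)
	policyCert, err := x509.ParseCertificate(der)
	check(err)
	taoName := `Program("demo-app")` // constructed stand-in for a Tao program name
	expiry := now.Add(365 * 24 * time.Hour)
	c42, err := issueProgramCert(policyCert, policyKey, 42, taoName, &newKey().PublicKey, now, expiry)
	check(err)
	c43, err := issueProgramCert(policyCert, policyKey, 43, taoName, &newKey().PublicKey, now, expiry)
	check(err)
	crl, err := buildCRL(policyCert, policyKey, []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}, now)
	check(err)
	revoked42, err = isRevoked(policyCert, crl, c42, now)
	check(err)
	revoked43, err = isRevoked(policyCert, crl, c43, now)
	check(err)
	// Corrupt one signature byte: the check must error out, not report "not revoked".
	crl.SignatureValue.Bytes[0] ^= 0x01
	_, tamperedErr = isRevoked(policyCert, crl, c43, now)
	return
}

func main() {
	fmt.Println(demoRevocation())
}
```

Running it prints `true false CRL rejected (...)`: serial 42 is revoked, 43 is not, and the tampered CRL is refused. The deprecated pkix.CertificateList helpers (ParseCRL, CheckCRLSignature, HasExpired) are used deliberately because that is the type this package's RequestCrl hands back; newer code should prefer x509.ParseRevocationList and RevocationList.CheckSignatureFrom.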

func VerifyAttestation

func VerifyAttestation(serializedHostAttestation []byte, domain *tao.Domain) (*auth.Prin,
	*auth.Prin, *auth.Prin, error)

func VerifyHostAttestation

func VerifyHostAttestation(serializedHostAttestation []byte, domain *tao.Domain,
	rootCerts *x509.CertPool) (*auth.Prin, *auth.Prin, *auth.Prin, error)

This function makes the following checks:

(1) Checks that the attestation signature is valid and that the statement is of the form 'Speaker says Key speaks for Program'.

(2) Checks that 'Program' in the above statement is allowed to Execute in the domain policy. In particular, the policy should allow the predicate Authorized(ProgramTaoName, "Execute").

(3) Checks that 'Speaker' in the above statement is a key principal endorsed by the policy key, or by one of rootCerts, via an endorsement chain. Each endorsement in this chain endorses the key that signed the previous endorsement (starting with the 'Speaker' key). An endorsement endorses either a host key, in which case it is an attestation, or the root hardware key, in which case it is a certificate. This function also checks that each host or root hardware key encountered along this endorsement chain is allowed by domain policy. In particular, the policy should allow the predicates Authorized(HostTaoName, "Host") and Authorized(EncodedMachineInformation, "Root").

A valid endorsement chain must end either in an attestation signed by the policy key or in a certificate signed by one of the rootCerts.

If all of the above checks pass, the function returns the principals Speaker, Key, and Program.
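A simplified model of the three checks above, as an added example that is not part of the package: Tao attestations, principals and the domain guard are replaced with plain ECDSA keys, a signed digest over (label, Tao name, public key), and an in-memory Policy map, and the chain is required to end at the policy key (the rootCerts alternative is omitted). The names Program("demo-app") and Host("node-1") are constructed. What it shows is the chain walk itself: each link must be signed by the key the next link vouches for, every endorsed host must be authorized as a Host, and a chain that is internally consistent but never reaches the policy key is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Policy is a toy stand-in for the domain guard's Authorized(name, action) predicate.
type Policy map[string]map[string]bool

func (p Policy) Authorized(name, action string) bool { return p[name][action] }

// Attestation models "Speaker says Key speaks for Program", signed by Speaker.
type Attestation struct {
	Speaker, Key *ecdsa.PublicKey
	Program      string // Tao name of the program
	Sig          []byte
}

// Endorsement models one chain link: Signer vouches for the host key Subject.
type Endorsement struct {
	Signer, Subject *ecdsa.PublicKey
	Host            string // Tao name of the endorsed host
	Sig             []byte
}

// digest binds a statement label, a Tao name and a public key into the signed message.
func digest(label, name string, key *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(key) // cannot fail for a valid P-256 key
	sum := sha256.Sum256(append([]byte(label+"|"+name+"|"), der...))
	return sum[:]
}

func sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg)
	if err != nil {
		panic(err) // only on entropy failure
	}
	return sig
}

// VerifyChain applies the three checks documented for VerifyHostAttestation: (1) the
// attestation signature; (2) Authorized(Program, "Execute"); (3) a chain of endorsements
// from Speaker up to the policy key, each endorsed host being Authorized(Host, "Host").
func VerifyChain(a *Attestation, chain []*Endorsement, policyKey *ecdsa.PublicKey, pol Policy) error {
	if !ecdsa.VerifyASN1(a.Speaker, digest("speaksfor", a.Program, a.Key), a.Sig) {
		return errors.New("attestation signature invalid")
	}
	if !pol.Authorized(a.Program, "Execute") {
		return fmt.Errorf("program %s not authorized to Execute", a.Program)
	}
	cur := a.Speaker // the key the next endorsement must vouch for
	for i, e := range chain {
		if !cur.Equal(e.Subject) || !ecdsa.VerifyASN1(e.Signer, digest("endorse", e.Host, e.Subject), e.Sig) {
			return fmt.Errorf("endorsement %d does not validly endorse the previous key", i)
		}
		if !pol.Authorized(e.Host, "Host") {
			return fmt.Errorf("host %s not authorized as Host", e.Host)
		}
		cur = e.Signer
	}
	if !cur.Equal(policyKey) {
		return errors.New("endorsement chain does not end at the policy key")
	}
	return nil
}

// Demo builds a one-link chain (policy key endorses a host, host attests a program) and
// returns the verdict for it and for the same attestation endorsed by a rogue key.
func Demo() (valid, rogueEndorser error) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	policy, host, prog, rogue := newKey(), newKey(), newKey(), newKey()
	pol := Policy{`Program("demo-app")`: {"Execute": true}, `Host("node-1")`: {"Host": true}}
	att := &Attestation{Speaker: &host.PublicKey, Key: &prog.PublicKey, Program: `Program("demo-app")`}
	att.Sig = sign(host, digest("speaksfor", att.Program, att.Key))
	end := &Endorsement{Signer: &policy.PublicKey, Subject: &host.PublicKey, Host: `Host("node-1")`}
	end.Sig = sign(policy, digest("endorse", end.Host, end.Subject))
	valid = VerifyChain(att, []*Endorsement{end}, &policy.PublicKey, pol)
	// A well-formed endorsement of the host, but signed by a key the policy never endorsed.
	rEnd := &Endorsement{Signer: &rogue.PublicKey, Subject: &host.PublicKey, Host: `Host("node-1")`}
	rEnd.Sig = sign(rogue, digest("endorse", rEnd.Host, rEnd.Subject))
	rogueEndorser = VerifyChain(att, []*Endorsement{rEnd}, &policy.PublicKey, pol)
	return
}

func main() {
	fmt.Println(Demo())
}
```

The rogue case passes every per-link check (the signature verifies, the host name is authorized) and is rejected only by the final test that the chain terminates at the policy key; dropping that test is the classic mistake in hand-rolled chain validation, and it is why the documented rule that a valid chain must end at the policy key or a root cert is not optional.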

Types

type DomainServiceRequest

type DomainServiceRequest struct {
	Type *DomainServiceRequestRequestType `protobuf:"varint,1,opt,name=type,enum=domain_service.DomainServiceRequestRequestType" json:"type,omitempty"`
	// Fields for type: DOMAIN_CERT_REQUEST.
	SerializedHostAttestation []byte `protobuf:"bytes,2,opt,name=serialized_host_attestation" json:"serialized_host_attestation,omitempty"`
	// The program key, serialized in the format that
	// auth.NewKeyPrin() accepts.
	ProgramKey []byte `protobuf:"bytes,3,opt,name=program_key" json:"program_key,omitempty"`
	// Fields for type: REVOKE_CERTIFICATE.
	// This is an attestation signed by the policy key with the statement:
	// policyKey says revoke certificateSerialNumber
	SerializedPolicyAttestation []byte `protobuf:"bytes,4,opt,name=serialized_policy_attestation" json:"serialized_policy_attestation,omitempty"`
	XXX_unrecognized            []byte `json:"-"`
}

func (*DomainServiceRequest) Descriptor

func (*DomainServiceRequest) Descriptor() ([]byte, []int)

func (*DomainServiceRequest) GetProgramKey

func (m *DomainServiceRequest) GetProgramKey() []byte

func (*DomainServiceRequest) GetSerializedHostAttestation

func (m *DomainServiceRequest) GetSerializedHostAttestation() []byte

func (*DomainServiceRequest) GetSerializedPolicyAttestation

func (m *DomainServiceRequest) GetSerializedPolicyAttestation() []byte

func (*DomainServiceRequest) GetType

func (m *DomainServiceRequest) GetType() DomainServiceRequestRequestType

func (*DomainServiceRequest) ProtoMessage

func (*DomainServiceRequest) ProtoMessage()

func (*DomainServiceRequest) Reset

func (m *DomainServiceRequest) Reset()

func (*DomainServiceRequest) String

func (m *DomainServiceRequest) String() string

type DomainServiceRequestRequestType

type DomainServiceRequestRequestType int32

Request types handled by the service: DOMAIN_CERT_REQUEST carries a serialized host attestation and the program key (SerializedHostAttestation, ProgramKey) and is answered with a DER-encoded program certificate (DerProgramCert); REVOKE_CERTIFICATE carries an attestation signed by the policy key with the statement 'policyKey says revoke certificateS'erialNumber' (SerializedPolicyAttestation); GET_CRL carries no request fields and is answered with the current CRL (Crl). MANAGE_POLICY has no dedicated request or response fields in this package.

const (
	DomainServiceRequest_DOMAIN_CERT_REQUEST DomainServiceRequestRequestType = 1
	DomainServiceRequest_MANAGE_POLICY       DomainServiceRequestRequestType = 2
	DomainServiceRequest_REVOKE_CERTIFICATE  DomainServiceRequestRequestType = 3
	DomainServiceRequest_GET_CRL             DomainServiceRequestRequestType = 4
)

func (DomainServiceRequestRequestType) Enum

func (x DomainServiceRequestRequestType) Enum() *DomainServiceRequestRequestType

func (DomainServiceRequestRequestType) EnumDescriptor

func (DomainServiceRequestRequestType) EnumDescriptor() ([]byte, []int)

func (DomainServiceRequestRequestType) String

func (x DomainServiceRequestRequestType) String() string

func (*DomainServiceRequestRequestType) UnmarshalJSON

func (x *DomainServiceRequestRequestType) UnmarshalJSON(data []byte) error

type DomainServiceResponse

type DomainServiceResponse struct {
	ErrorMessage *string `protobuf:"bytes,1,opt,name=error_message" json:"error_message,omitempty"`
	// Fields for response to DOMAIN_CERT_REQUEST.
	DerProgramCert []byte `protobuf:"bytes,2,opt,name=der_program_cert" json:"der_program_cert,omitempty"`
	// Fields for response to GET_CRL.
	Crl              []byte `protobuf:"bytes,3,opt,name=crl" json:"crl,omitempty"`
	XXX_unrecognized []byte `json:"-"`
}

func (*DomainServiceResponse) Descriptor

func (*DomainServiceResponse) Descriptor() ([]byte, []int)

func (*DomainServiceResponse) GetCrl

func (m *DomainServiceResponse) GetCrl() []byte

func (*DomainServiceResponse) GetDerProgramCert

func (m *DomainServiceResponse) GetDerProgramCert() []byte

func (*DomainServiceResponse) GetErrorMessage

func (m *DomainServiceResponse) GetErrorMessage() string

func (*DomainServiceResponse) ProtoMessage

func (*DomainServiceResponse) ProtoMessage()

func (*DomainServiceResponse) Reset

func (m *DomainServiceResponse) Reset()

func (*DomainServiceResponse) String

func (m *DomainServiceResponse) String() string

type TrustedEntities

type TrustedEntities struct {
	TrustedProgramTaoNames []string `protobuf:"bytes,1,rep,name=trusted_program_tao_names" json:"trusted_program_tao_names,omitempty"`
	TrustedHostTaoNames    []string `protobuf:"bytes,2,rep,name=trusted_host_tao_names" json:"trusted_host_tao_names,omitempty"`
	TrustedMachineInfos    []string `protobuf:"bytes,3,rep,name=trusted_machine_infos" json:"trusted_machine_infos,omitempty"`
	TrustedRootCerts       [][]byte `protobuf:"bytes,4,rep,name=trusted_root_certs" json:"trusted_root_certs,omitempty"`
	XXX_unrecognized       []byte   `json:"-"`
}

func (*TrustedEntities) Descriptor

func (*TrustedEntities) Descriptor() ([]byte, []int)

func (*TrustedEntities) GetTrustedHostTaoNames

func (m *TrustedEntities) GetTrustedHostTaoNames() []string

func (*TrustedEntities) GetTrustedMachineInfos

func (m *TrustedEntities) GetTrustedMachineInfos() []string

func (*TrustedEntities) GetTrustedProgramTaoNames

func (m *TrustedEntities) GetTrustedProgramTaoNames() []string

func (*TrustedEntities) GetTrustedRootCerts

func (m *TrustedEntities) GetTrustedRootCerts() [][]byte

func (*TrustedEntities) ProtoMessage

func (*TrustedEntities) ProtoMessage()

func (*TrustedEntities) Reset

func (m *TrustedEntities) Reset()

func (*TrustedEntities) String

func (m *TrustedEntities) String() string
