eat

package module
v0.0.0-...-ddaf59d Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 17, 2022 License: Apache-2.0 Imports: 13 Imported by: 18

README

Entity Attestation Token

The eat package provides a golang API for manipulating Entity Attestation Tokens defined in draft-ietf-rats-eat.

Documentation

Overview

Package eat provides an API for creating and interacting with Entity Attestation Tokens defined by draft-ietf-rats-eat.

Index

Examples

Constants

View Source 
const (
	// DebugNotDisabled is asserted if any debug facility, even manufacturer
	// hardware diagnostics, is currently enabled
	DebugNotDisabled = iota

	// DebugDisabled indicates all debug facilities are currently disabled. It
	// may be possible to enable them in the future, and it may also be possible
	// that they were enabled in the past after the target device/sub-system
	// booted/started, but they are currently disabled.
	DebugDisabled

	// DebugDisabledSinceBoot indicates all debug facilities are currently
	// disabled and have been so since the target device/sub-system
	// booted/started.
	DebugDisabledSinceBoot

	// DebugPermanentDisable indicates all non-manufacturer facilities are
	// permanently disabled such that no end user or developer cannot enable
	// them. Only the manufacturer indicated in the OEMID claim can enable them.
	// This also indicates that all debug facilities are currently disabled and
	// have been so since boot/start.
	DebugPermanentDisable

	// DebugFullPermanentDisable indicates that all debug capabilities for the
	// target device/sub-module are permanently disabled.
	DebugFullPermanentDisable
)
View Source 
const (
	MinNonceSize = 8
	MaxNonceSize = 64
)

nonce-type = bstr .size (8..64)

View Source 
const (
	// MaxASN1OIDLen is the maximum OID length accepted by the implementation
	MaxASN1OIDLen = 255
	// MinNumOIDArcs represents the minimum required arcs for a valid OID
	MinNumOIDArcs = 3
)
View Source 
const (
	// There is some expectation that implementer will protect the
	// attestation signing keys at this level.  Otherwise, the EAT
	// provides no meaningful security assurance.
	SecLevelUnrestricted = iota

	// Enties at this level should not be general-purpose operating
	// environments that host features such as app download systems, web
	// browsers, and complex productivity applications. It is akin to the
	// Secure Restricted level (see below) without the security orientation.
	// E.g. a Wi-Fi subsystem, an IoT camera, or a sensor device.
	SecLevelRestricted

	// Entities at this level must meet the criteria defined by FIDO
	// Allowed Restricted Operating Environments [1]. Examples include TEE's
	// and schemes using virtualization-based security. Like the FIDO
	// security goal, security at this level is aimed defending well
	// against large-scale network / remote attacks against the device.
	//
	// [1] https://fidoalliance.org/specs/fido-security-requirements-v1.0-fd-20170524/fido-authenticator-allowed-restricted-operating-environments-list_20170524.pdf
	SecLevelSecureRestricted

	// Entities at this level must include substantial defense against
	// physical or electrical attacks against the device itself. It is
	// assumed any potential attacker has captured the device and can
	// disassemble it. Examples include TPMs and Secure Elements.
	SecLevelHardware
)

security-level-type = &( 

unrestricted: 1,
restricted: 2,
secure-restricted: 3,
hardware: 4

)

View Source 
const (
	UEIDTypeInvalid = iota

	// This is a 128, 192 or 256 bit random number generated once and
	// stored in the device. This may be constructed by concatenating
	// enough identifiers to make up an equivalent number of random bits
	// and then feeding the concatenation through a cryptographic hash
	// function. It may also be a cryptographic quality random number
	// generated once at the beginning of the life of the device and
	// stored. It may not be smaller than 128 bits.
	UEIDTypeRAND

	// This makes use of the IEEE company identification registry. An EUI
	// is either an EUI-48, EUI-60 or EUI-64 and made up of an OUI, OUI-36
	// or a CID, different registered company identifiers, and some unique
	// per-device identifier. EUIs are often the same as or similar to MAC
	// addresses. This type includes MAC-48, an obsolete name for EUI-48.
	// (Note that while devices with multiple network interfaces may have
	// multiple MAC addresses, there is only one UEID for a device)
	UEIDTypeEUI

	// This is a 14-digit identifier consisting of an 8-digit Type
	// Allocation Code and a 6-digit serial number allocated by the
	// manufacturer, which SHALL be encoded as byte string of length 14
	// with each byte as the digit's value (not the ASCII encoding of the
	// digit; the digit 3 encodes as 0x03, not 0x33). The IMEI value
	// encoded SHALL NOT include Luhn checksum or SVN information.
	UEIDTypeIMEI
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Audience 

type Audience []StringOrURI

In the general case, the "aud" value is an array of case- sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value.

func (Audience) MarshalCBOR 

func (a Audience) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes Audience as a StringOrURI, in case there is only one, or an array of StringOrURI's if there are multiple.

func (Audience) MarshalJSON 

func (a Audience) MarshalJSON() ([]byte, error)

MarshalJSON encodes the receiver Audience as a JSON string

func (*Audience) UnmarshalCBOR 

func (a *Audience) UnmarshalCBOR(data []byte) error

UnmarshalCBOR decodes audience claim data. This may be a single StringOrURI, or an array of such.

func (*Audience) UnmarshalJSON 

func (a *Audience) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes a JSON string into the receiver Audience

type CWTClaims 

type CWTClaims struct {
	Issuer     *string      `cbor:"1,keyasint,omitempty" json:"iss,omitempty"`
	Subject    *string      `cbor:"2,keyasint,omitempty" json:"sub,omitempty"`
	Audience   *Audience    `cbor:"3,keyasint,omitempty" json:"aud,omitempty"`
	Expiration *NumericDate `cbor:"4,keyasint,omitempty" json:"exp,omitempty"`
	NotBefore  *NumericDate `cbor:"5,keyasint,omitempty" json:"nbf,omitempty"`
	IssuedAt   *NumericDate `cbor:"6,keyasint,omitempty" json:"iat,omitempty"`
	CwtID      *[]byte      `cbor:"7,keyasint,omitempty" json:"cti,omitempty"`
}

Defined by RFC8392

type Debug 

type Debug uint

Debug models the debug-disable type

func (Debug) Validate 

func (d Debug) Validate() error

Validate makes sure that the receiver is a valid Debug claim

type Eat 

type Eat struct {
	Nonce         *Nonce         `cbor:"10,keyasint,omitempty" json:"nonce,omitempty"`
	UEID          *UEID          `cbor:"11,keyasint,omitempty" json:"ueid,omitempty"`
	Origination   *StringOrURI   `cbor:"12,keyasint,omitempty" json:"origination,omitempty"`
	OemID         *[]byte        `cbor:"13,keyasint,omitempty" json:"oemid,omitempty"`
	SecurityLevel *SecurityLevel `cbor:"14,keyasint,omitempty" json:"security-level,omitempty"`
	SecureBoot    *bool          `cbor:"15,keyasint,omitempty" json:"secure-boot,omitempty"`
	Debug         *Debug         `cbor:"16,keyasint,omitempty" json:"debug-disable,omitempty"`
	Location      *Location      `cbor:"17,keyasint,omitempty" json:"location,omitempty"`
	Profile       *Profile       `cbor:"18,keyasint,omitempty" json:"eat-profile,omitempty"`
	Uptime        *uint          `cbor:"19,keyasint,omitempty" json:"uptime,omitempty"`
	Submods       *Submods       `cbor:"20,keyasint,omitempty" json:"submods,omitempty"`

	CWTClaims
}

Eat is the internal representation of a EAT token

func (*Eat) FromCBOR 

func (e *Eat) FromCBOR(data []byte) error

FromCBOR deserializes the supplied CBOR encoded EAT into the receiver Eat

func (*Eat) FromJSON 

func (e *Eat) FromJSON(data []byte) error

FromJSON deserializes the supplied JSON encoded EAT into the receiver Eat

Example 
t := Eat{}

data := []byte(`{"nonce":"AAAAAAAAAAA="}`)

if err := t.FromJSON(data); err != nil {
	panic(err)
}

if err := t.Nonce.Validate(); err != nil {
	panic(err)
}

fmt.Printf("nonces found: %d\n", t.Nonce.Len())
fmt.Printf("nonce: %x\n", t.Nonce.GetI(0))

Output:

nonces found: 1
nonce: 0000000000000000

func (Eat) ToCBOR 

func (e Eat) ToCBOR() ([]byte, error)

ToCBOR serializes the receiver Eat into CBOR encoded EAT

func (Eat) ToJSON 

func (e Eat) ToJSON() ([]byte, error)

ToJSON serializes the receiver Eat into CBOR encoded EAT

Example 
nonce := Nonce{}

if err := nonce.AddHex("0000000000000000"); err != nil {
	panic(err)
}

// if required by the use case, add more nonces

t := Eat{
	Nonce: &nonce,
}

j, err := t.ToJSON()
if err != nil {
	panic(err)
}

fmt.Println(string(j))

Output:

{"nonce":"AAAAAAAAAAA="}

type Location 

type Location struct {
	Latitude         Number       `cbor:"1,keyasint" json:"lat"`
	Longitude        Number       `cbor:"2,keyasint" json:"long"`
	Altitude         *Number      `cbor:"3,keyasint,omitempty" json:"alt,omitempty"`
	Accuracy         *Number      `cbor:"4,keyasint,omitempty" json:"accry,omitempty"`
	AltitudeAccuracy *Number      `cbor:"5,keyasint,omitempty" json:"alt-accry,omitempty"`
	Heading          *Number      `cbor:"6,keyasint,omitempty" json:"heading,omitempty"`
	Speed            *Number      `cbor:"7,keyasint,omitempty" json:"speed,omitempty"`
	Timestamp        *NumericDate `cbor:"8,keyasint,omitempty" json:"timestamp,omitempty"`
	Age              *uint        `cbor:"9,keyasint,omitempty" json:"age,omitempty"`
}

Location models the location claim

type Nonce 

type Nonce []nonce

A nonce-claim may be single Nonce or an array of two or more. 

nonce-claim = (
    nonce => nonce-type / [ 2* nonce-type ]
)

func (*Nonce) Add 

func (ns *Nonce) Add(v []byte) error

Add the supplied nonce, provided as a byte array, to the Nonce receiver.

func (*Nonce) AddHex 

func (ns *Nonce) AddHex(text string) error

AddHex provides the same functionality as Add except it takes the nonce value as a hex-encoded string.

func (Nonce) GetI 

func (ns Nonce) GetI(index int) []byte

GetI returns the nonce found at the supplied index (counting from 0) or nil if the index is out of bounds.

func (Nonce) Len 

func (ns Nonce) Len() int

Len returns the number of nonce values carried in the Nonce receiver.

func (Nonce) MarshalCBOR 

func (ns Nonce) MarshalCBOR() ([]byte, error)

MarshalCBOR provides a suitable CBOR encoding for the receiver Nonce. In case there is only one nonce, the encoded produces a single bstr. If there are multiple, the encoder produces an array of bstr, one for each nonce.

func (Nonce) MarshalJSON 

func (ns Nonce) MarshalJSON() ([]byte, error)

MarshalJSON encodes the receiver Nonce as either a JSON string containing the base64 encoding of the binary nonce (if the array comprises only one element) or as an array of base64-encoded JSON strings.

func (*Nonce) UnmarshalCBOR 

func (ns *Nonce) UnmarshalCBOR(data []byte) error

UnmarshalCBOR decodes a EAT nonce. This may be a single byte string between 8 and 64 bytes long, or an array of two or more such strings.

func (*Nonce) UnmarshalJSON 

func (ns *Nonce) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes a EAT nonce in JSON format.

func (Nonce) Validate 

func (ns Nonce) Validate() error

Validate checks that all nonce values (of which there must be at least one) stored in the Nonce receiver are valid according to the EAT syntax.

type Number 

type Number float64

Number models a CDDL number, i.e.: 

uint / nint / float16 / float32 / float64

func (Number) MarshalCBOR 

func (n Number) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes a Number using the smallest possible encoding. Note that choosing the smallest fitting float variant is decided by the encoding mode defined in cbor.go which is configured to use ShortestFloat == ShortestFloat16. What remains to be done here is intercepting the uint / nint cases and dispatch them to the default int marshaler.

type NumericDate 

type NumericDate time.Time

NumericDate models RFC7519 NumericDate, i.e., the number of seconds since UNIX epoch

func (NumericDate) MarshalCBOR 

func (nd NumericDate) MarshalCBOR() ([]byte, error)

MarshalCBOR unwraps the receiver NumericDate exposing its underlying Time and dispatches it to our custom encoding mode, which automatically adds the required tag (TimeTag == cbor.EncTagRequired)

func (NumericDate) MarshalJSON 

func (nd NumericDate) MarshalJSON() ([]byte, error)

MarshalJSON unwraps the receiver NumericDate exposing its underlying Time and converts it to UNIX time.

func (*NumericDate) UnmarshalCBOR 

func (nd *NumericDate) UnmarshalCBOR(data []byte) error

UnmarshalCBOR decodes the data into a Time and sets the receiver NumericDate to the decoded value.

func (*NumericDate) UnmarshalJSON 

func (nd *NumericDate) UnmarshalJSON(data []byte) error

UnmarshalJSON populates the receiver NumericDate by interpreting the supplied data as UTF-8-encoded Unix timestamp.

type Profile 

type Profile struct {
	// contains filtered or unexported fields
}

Profile is either an absolute URI (RFC3986) or an ASN.1 Object Identifier

func NewProfile 

func NewProfile(urlOrOID string) (*Profile, error)

NewProfile instantiates a Profile object from the given input string The string can either be an absolute URI or an ASN.1 Object Identifier in dotted-decimal notation. Relative Object Identifiers (e.g., .1.1.29) are not accepted.

func (Profile) Get 

func (s Profile) Get() (string, error)

Get returns the profile as string (URI or dotted-decimal OID)

func (Profile) IsOID 

func (s Profile) IsOID() bool

IsOID checks whether a stored profile is an OID

func (Profile) IsURI 

func (s Profile) IsURI() bool

IsURI checks whether a stored profile is a URI

func (Profile) MarshalCBOR 

func (s Profile) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes the Profile object as a CBOR text string (if it is a URL), or as CBOR byte string (if it is an ASN.1 OID)

func (Profile) MarshalJSON 

func (s Profile) MarshalJSON() ([]byte, error)

MarshalJSON encodes the receiver Profile into a JSON string

func (*Profile) Set 

func (s *Profile) Set(urlOrOID string) error

Set sets the internal value of the Profile object to the given urlOrOID string

func (*Profile) UnmarshalCBOR 

func (s *Profile) UnmarshalCBOR(data []byte) error

UnmarshalCBOR attempts to initialize the Profile from the presented CBOR data. The data must be a CBOR text string, representing a URL or a CBOR byte string representing an Object Identifier

func (*Profile) UnmarshalJSON 

func (s *Profile) UnmarshalJSON(data []byte) error

UnmarshalJSON attempts at decoding the supplied JSON data into the receiver Profile

type SecurityLevel 

type SecurityLevel uint

Security Level claim type

func (SecurityLevel) Validate 

func (s SecurityLevel) Validate() error

Validate SecLevel to make sure is with thin bounds allowed by the spec.

type StringOrURI 

type StringOrURI struct {
	// contains filtered or unexported fields
}

StringOrURI is either an arbitrary text string or a RFC3986 compliant URI. 

string-or-uri = tstr / uri

func (*StringOrURI) FromString 

func (s *StringOrURI) FromString(value string) error

FromString initializes the StringOrURI value from the specified string, overwriting any existing value. If the value contains a colon (":"), then an attempt will be made to parse it as a URI (see RFC7519, section 2), otherwise, the value is assumed to be a non-URI string.

func (*StringOrURI) FromURL 

func (s *StringOrURI) FromURL(value *url.URL)

FromURL initializes the StringOrURI value from the specified url.URL, overwriting any existing value.

func (StringOrURI) IsURI 

func (s StringOrURI) IsURI() bool

IsURI returns true iff the underlying value is a URI and not a string. NOTE: this only indicates whether the value was set as such -- it possible 

that the arbitrary string value happens to be a valid URI, however, if
it was not set as such, this will return false.

func (StringOrURI) MarshalCBOR 

func (s StringOrURI) MarshalCBOR() ([]byte, error)

MarshalCBOR will encode the StringOrURI value as a CBOR text string, wrapping it in Tag 32, if it's a URI. See RFC7049, Section 2.4.4.3.

func (StringOrURI) MarshalJSON 

func (s StringOrURI) MarshalJSON() ([]byte, error)

MarshalJSON encodes the receiver StringOrURI into a JSON string

func (StringOrURI) String 

func (s StringOrURI) String() string

String returns the string representation of the StringOrURI value.

func (StringOrURI) ToURL 

func (s StringOrURI) ToURL() (*url.URL, error)

ToURL will return the url.URL representation of the underlying value, if possible. This will attempt to parse the underlying string value as a URL if it isn't one already.

func (*StringOrURI) UnmarshalCBOR 

func (s *StringOrURI) UnmarshalCBOR(data []byte) error

UnmarshalCBOR attempts to initializes the StringOrURI from the presented CBOR data. The data must be a text string, possibly wrapped in a Tag with the value 32 (URI). See RFC7049, Section 2.4.4.3.

func (*StringOrURI) UnmarshalJSON 

func (s *StringOrURI) UnmarshalJSON(data []byte) error

UnmarshalJSON attempts at decoding the supplied JSON data into the receiver StringOrURI

type Submod 

type Submod struct {
	// contains filtered or unexported fields
}

Submod is the type of a submod: either a raw EAT (wrapped in a Sign1 CWT), or a map of EAT claims

func (Submod) MarshalCBOR 

func (s Submod) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes the submod value wrapped in the Submod receiver to CBOR

func (Submod) MarshalJSON 

func (s Submod) MarshalJSON() ([]byte, error)

MarshalJSON encodes the submod value wrapped in the Submod receiver to JSON

func (*Submod) UnmarshalCBOR 

func (s *Submod) UnmarshalCBOR(data []byte) error

UnmarshalCBOR attempts to decode the supplied CBOR data into the Submod receiver, peeking into the stream to choose between one of the two target formats (i.e., eat-token or eat-claims)

func (*Submod) UnmarshalJSON 

func (s *Submod) UnmarshalJSON(data []byte) error

UnmarshalJSON attempts to decode the supplied JSON data into the Submod receiver, peeking into the stream to choose between one of the two target formats (i.e., eat-token or eat-claims)

type Submods 

type Submods map[string]Submod

Submods models the submods type

func (*Submods) Add 

func (s *Submods) Add(name string, submod interface{}) error

Add inserts the named submod in the Submods container. The supplied name must be of type string or int64

func (Submods) Get 

func (s Submods) Get(name string) interface{}

Get retrieves a submod by name (either int64 or string)

type UEID 

type UEID []byte

ueid-type = bstr .size (7..33)

func (UEID) Validate 

func (u UEID) Validate() error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.