Documentation ¶
Index ¶
- Constants
- Variables
- type TPMKMS
- func (k *TPMKMS) Close() (err error)
- func (k *TPMKMS) CreateAttestation(req *apiv1.CreateAttestationRequest) (*apiv1.CreateAttestationResponse, error)
- func (k *TPMKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
- func (k *TPMKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
- func (k *TPMKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
- func (k *TPMKMS) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
- func (k *TPMKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([]*x509.Certificate, error)
- func (k *TPMKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error
- func (k *TPMKMS) StoreCertificateChain(req *apiv1.StoreCertificateChainRequest) error
Constants ¶
const ( // DefaultRSASize is the number of bits of a new RSA key if no size has been // specified. Whereas we're generally defaulting to 3072 bits for new RSA keys, // 2048 is used as the default for the TPMKMS, because we've observed the TPMs // we're testing with to be supporting this as the maximum RSA key size. We might // increase the default in the (near) future, but we want to be more confident // about the supported size for a specific TPM (model) in that case. DefaultRSASize = 2048 )
const Scheme = string(apiv1.TPMKMS)
Scheme is the scheme used in TPM KMS URIs, the string "tpmkms".
Variables ¶
var ( ErrIdentityCertificateNotYetValid = errors.New("AK certificate not yet valid") ErrIdentityCertificateExpired = errors.New("AK certificate has expired") ErrIdentityCertificateIsExpiring = errors.New("AK certificate will expire soon") ErrIdentityCertificateInvalid = errors.New("AK certificate does not contain valid identity") )
Functions ¶
This section is empty.
Types ¶
type TPMKMS ¶
type TPMKMS struct {
// contains filtered or unexported fields
}
TPMKMS is a KMS implementation backed by a TPM.
func New ¶
New initializes a new KMS backed by a TPM.
A new TPMKMS can be initialized with a configuration by providing a URI in the options:
New(ctx, &apiv1.Options{ URI: tpmkms:device=/dev/tpmrm0;storage-directory=/path/to/tpmstorage/directory })
It's also possible to set the storage directory as follows:
New(ctx, &apiv1.Options{ URI: tpmkms:device=/dev/tpmrm0 StorageDirectory: /path/to/tpmstorage/directory })
The default storage location for serialized TPM objects when an instance of TPMKMS is created, is the relative path "tpm".
The system default TPM device will be used when not configured. A specific TPM device can be selected by setting the device:
tpmkms:device=/dev/tpmrm0
By default newly created TPM objects won't be persisted, so can't be readily used. The location for storage can be set using storage-directory:
tpmkms:storage-directory=/path/to/tpmstorage/directory
For attestation use cases that involve the Smallstep Attestation CA or a compatible one, several properties can be set. The following specify the Attestation CA base URL, the path to a bundle of root CAs to trust when setting up a TLS connection to the Attestation CA and disable TLS certificate validation, respectively.
tpmkms:attestation-ca-url=https://my.attestation.ca tpmkms:attestation-ca-root=/path/to/trusted/roots.pem tpmkms:attestation-ca-insecure=true
The system may not always have a PermanentIdentifier assigned, so when initializing the TPMKMS, it's possible to set this value:
tpmkms:permanent-identifier=<some-unique-identifier>
By default, an AK (identity) certificate will be renewed early if it's expiring soon. The default certificate lifetime is 60%, meaning that the renewal for the AK certificate will be kicked off when it's past 60% of its lifetime. It's possible to disable early renewal by setting disable-early-renewal to true:
tpmkms:disable-early-renewal=true
The default lifetime percentage can be changed by setting renewal-percentage:
tpmkms:renewal-percentage=70
Attestation support in the TPMKMS is considered EXPERIMENTAL. It is expected that there will be changes to the configuration that be provided and the attestation flow.
The TPMKMS implementation is backed by an instance of the TPM from the `tpm` package. If the TPMKMS operations aren't sufficient for your use case, use a tpm.TPM instance instead.
func (*TPMKMS) CreateAttestation ¶
func (k *TPMKMS) CreateAttestation(req *apiv1.CreateAttestationRequest) (*apiv1.CreateAttestationResponse, error)
CreateAttestation implements the apiv1.Attester interface for the TPMKMS. It can be used to request the required information to verify that an application key was created in and by a specific TPM.
It is expected that an application key has been attested at creation time by an attestation key (AK) before calling this method. An error will be returned otherwise.
The response will include an attestation key (AK) certificate (chain) issued to the AK that was used to certify creation of the (application) key, as well as the key certification parameters at the time of key creation. Together these can be used by a relying party to attest that the key was created by a specific TPM.
If no valid AK certificate is available when calling CreateAttestation, an enrolment with an instance of the Smallstep Attestation CA is performed. This will use the TPM Endorsement Key and the AK as inputs. The Attestation CA will return an AK certificate chain on success.
When CreateAttestation is called for an AK, the AK certificate chain will be returned. Currently no AK creation parameters are returned.
func (*TPMKMS) CreateKey ¶
func (k *TPMKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
CreateKey generates a new key in the TPM KMS and returns the public key.
The `name` in the apiv1.CreateKeyRequest can be used to specify some key properties. These are as follows:
- name=<name>: specify the name to identify the key with
- ak=true: if set to true, an Attestation Key (AK) will be created instead of an application key
- attest-by=<akName>: attest an application key at creation time with the AK identified by `akName`
- qualifying-data=<random>: hexadecimal coded binary data that can be used to guarantee freshness when attesting creation of a key
Some examples usages:
Create an application key, without attesting it:
tpmkms:name=my-key
Create an Attestation Key (AK):
tpmkms:name=my-ak;ak=true
Create an application key, attested by `my-ak` with "1234" as the Qualifying Data:
tpmkms:name=my-attested-key;attest-by=my-ak;qualifying-data=61626364
func (*TPMKMS) CreateSigner ¶
CreateSigner creates a signer using a key present in the TPM KMS.
func (*TPMKMS) GetPublicKey ¶
GetPublicKey returns the public key ....
func (*TPMKMS) LoadCertificate ¶
func (k *TPMKMS) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
LoadCertificate loads the certificate for the key identified by name from the TPMKMS.
func (*TPMKMS) LoadCertificateChain ¶
func (k *TPMKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([]*x509.Certificate, error)
LoadCertificateCertificate loads the certificate chain for the key identified by name from the TPMKMS.
func (*TPMKMS) StoreCertificate ¶
func (k *TPMKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error
StoreCertificate stores the certificate for the key identified by name to the TPMKMS.
func (*TPMKMS) StoreCertificateChain ¶
func (k *TPMKMS) StoreCertificateChain(req *apiv1.StoreCertificateChainRequest) error
StoreCertificateChain stores the certificate for the key identified by name to the TPMKMS.