secrets

Documentation

Overview

package secrets provides utilities to derive short-term and long-term secrets. These secrets are used during and after platform provisioning.

Index

• Constants
• func Reader(secret []byte, label string, context uint) io.Reader
• type Entropy
  • func NewEntropy() (*Entropy, error)
• type OneTimePassword
  • func NewOneTimePassword(secret string) (*OneTimePassword, error)
  • func (otp *OneTimePassword) BasicAuthPassword() (string, error)
  • func (otp OneTimePassword) TLSCertificate(ip net.IP) (*tls.Certificate, error)
  • func (otp *OneTimePassword) X509Certificate(ip net.IP) (*x509.Certificate, error)
• type UniqueDeviceSecret
  • func NewUniqueDeviceSecret(ext *Entropy) (*UniqueDeviceSecret, error)
  • func (uds *UniqueDeviceSecret) Authentication() (*Entropy, error)
  • func (uds *UniqueDeviceSecret) Identity() (*Entropy, error)
  • func (uds *UniqueDeviceSecret) SSH() (*ssh.HostKey, error)

Constants

const DummyServerName = "stprov"

const EntropyBytes = 32 // 256 bits

Functions

func Reader

func Reader(secret []byte, label string, context uint) io.Reader

Reader generates randomness using HKDF with SHA256 as the hash function

Types

type Entropy

type Entropy [EntropyBytes]byte

Entropy is a buffer storing 256 bits of entropy

func NewEntropy

func NewEntropy() (*Entropy, error)

NewEntropy generates entropy using crypto/rand

type OneTimePassword

type OneTimePassword Entropy

OneTimePassword is a one time password used to bootstrap mutually authenticated HTTPS. TLS 1.3 and a proper PSK mode should replace this in the future if the standard Go library adds such support.

func NewOneTimePassword

func NewOneTimePassword(secret string) (*OneTimePassword, error)

NewOneTimePassword derives a one-time password from a shared secret

func (*OneTimePassword) BasicAuthPassword

func (otp *OneTimePassword) BasicAuthPassword() (string, error)

BasicAuthPassword derives a basic auth password

func (OneTimePassword) TLSCertificate

func (otp OneTimePassword) TLSCertificate(ip net.IP) (*tls.Certificate, error)

TLSCertificate derives a TLS certificate struct containing a private key and the same public X.509 certificate that is derived by X509Certificate()

func (*OneTimePassword) X509Certificate

func (otp *OneTimePassword) X509Certificate(ip net.IP) (*x509.Certificate, error)

X509 derives an X509 certificate for a given IP address

type UniqueDeviceSecret

type UniqueDeviceSecret Entropy

UniqueDeviceSecret is secret used to derive other long-term secrets

func NewUniqueDeviceSecret

func NewUniqueDeviceSecret(ext *Entropy) (*UniqueDeviceSecret, error)

NewUniqueDeviceSecret generates a unique device secret by mixing entropy from an external and an internal source

func (*UniqueDeviceSecret) Authentication

func (uds *UniqueDeviceSecret) Authentication() (*Entropy, error)

Authentication derives a platform's authentication parameter, see https://github.com/system-transparency/system-transparency#authentication---json-string-or-null

func (*UniqueDeviceSecret) Identity

func (uds *UniqueDeviceSecret) Identity() (*Entropy, error)

Identity derives a platform's identity parameter, see https://github.com/system-transparency/system-transparency#identity---json-string-or-null

func (*UniqueDeviceSecret) SSH

func (uds *UniqueDeviceSecret) SSH() (*ssh.HostKey, error)

SSH derives a platform's Ed25519 host key (not a general ST parameter)