Constants ¶
const (
	// IdentityClassVerified is the EKVerifyResult.IdentityClass value for an EK
	// certificate that VerifyEKCert accepted as chaining to a trusted issuer.
	// This is the only class that should gate trust decisions.
	IdentityClassVerified = "verified"
	// IdentityClassCrowdCorroborated marks an EK that was not verified against a
	// trusted issuer but is presumably corroborated by other observed EKs
	// (shared issuer metadata) — confirm the exact criterion in VerifyEKCert.
	// It is weaker than "verified" and must not be treated as equivalent.
	IdentityClassCrowdCorroborated = "crowd_corroborated"
	// IdentityClassUnverified marks an EK whose certificate could not be tied to
	// any trusted issuer; its fingerprint is an identifier only, not evidence.
	IdentityClassUnverified = "unverified"
)
Variables ¶
This section is empty.
Functions ¶
func ComputeStructuralCompliance ¶ added in v0.1.5
func ComputeStructuralCompliance(cert *x509.Certificate) float32
ComputeStructuralCompliance scores an EK certificate against TCG EK Credential Profile structural expectations. Returns a score from 0.0 to 1.0 (5 checks, each worth 0.2). The score describes only the certificate's shape; it does not verify the signature or chain, so a high score is not evidence that the EK is genuine — use VerifyEKCert for that.
func ParseEKCertForCompliance ¶ added in v0.1.5
func ParseEKCertForCompliance(ekCertDER []byte) (*x509.Certificate, error)
ParseEKCertForCompliance parses a DER-encoded EK certificate for structural compliance scoring.
Types ¶
type EKVerifyResult ¶ added in v0.1.5
type EKVerifyResult struct {
	// IdentityClass is one of the IdentityClass* constants: "verified",
	// "crowd_corroborated" or "unverified". Only IdentityClassVerified should
	// be taken to mean the certificate chained to a trusted issuer; callers
	// must branch on this field rather than on the absence of an error.
	IdentityClass string
	// EKPubKey is the public key extracted from the EK certificate.
	EKPubKey crypto.PublicKey
	// IssuerFingerprint is the SHA-256 of the issuer's SubjectPublicKeyInfo,
	// or of the issuer DN as a fallback.
	// NOTE(review): the DN fallback is not a cryptographic identity — anyone can
	// mint a certificate carrying the same issuer DN — so equal fingerprints prove
	// a shared issuer only when the SPKI form was used. The result does not say
	// which form was used; confirm against the implementation before relying on it.
	IssuerFingerprint string
	// IssuerSubject is the issuer's distinguished name as a string.
	IssuerSubject string
	// IssuerPubKeyDER is the issuer's public key in DER form (presumably the same
	// PKIX SPKI bytes hashed for IssuerFingerprint — confirm).
	IssuerPubKeyDER []byte
	// IssuerIsCA and IssuerHasCertSign report whether the issuer certificate
	// asserts the basicConstraints CA flag and the keyCertSign key usage,
	// presumably read from the resolved issuer certificate; an issuer lacking
	// either should not be counted as a legitimate EK CA.
	IssuerIsCA        bool
	IssuerHasCertSign bool
}
EKVerifyResult contains the results of EK certificate verification.
type QuoteResult ¶ added in v0.1.4
type QuoteResult struct {
	// PCRValues contains the verified PCR register values.
	// nil if no PCR data was provided in the quote request.
	//
	// "Verified" means the quote's signed PCR digest matched the values the
	// caller passed to VerifyQuote; the map presumably echoes those caller
	// inputs rather than values read independently from the TPM — confirm.
	// When nil, no PCR check was performed and the result carries no
	// information about platform state.
	PCRValues map[int][]byte
}
QuoteResult contains the verified results of a TPM quote.
type TestVerifier ¶
type TestVerifier struct {
	// Each *Fn hook presumably backs the Verifier method of the same name;
	// what a method does when its hook is nil is not visible here.
	// Because every behaviour is caller-defined, a TestVerifier performs no
	// real cryptographic verification and must never be wired in outside tests.

	// VerifyEKCertFn backs VerifyEKCert.
	VerifyEKCertFn func(ekCertDER []byte) (*EKVerifyResult, error)
	// VerifyQuoteFn backs VerifyQuote.
	VerifyQuoteFn func(akPubKeyDER []byte, nonce []byte, quoteB64 string, pcrValues map[int][]byte) (*QuoteResult, error)
	// MakeCredentialFn backs MakeCredential.
	MakeCredentialFn func(ekPubKey crypto.PublicKey, akName []byte, secret []byte) ([]byte, error)
	// ParseAKPublicFn backs ParseAKPublic.
	ParseAKPublicFn func(akParams []byte) ([]byte, []byte, error)
	// ExtractEKPubKeyFn backs ExtractEKPublicKey.
	ExtractEKPubKeyFn func(ekCertDER []byte) (crypto.PublicKey, error)
	// EKFingerprintFn backs EKFingerprint.
	EKFingerprintFn func(ekCertDER []byte) string
	// EKPubFingerprintFn backs EKPubFingerprint.
	EKPubFingerprintFn func(ekPubDER []byte) string
	// ParseEKCertFn backs ParseEKCert.
	ParseEKCertFn func(ekCertDER []byte) (*x509.Certificate, error)
}
TestVerifier is a mock TPM verifier for testing. Its behaviour is whatever the caller-installed Fn hooks return, so it performs no real verification and must not be used as a production Verifier.
func (*TestVerifier) EKFingerprint ¶
func (t *TestVerifier) EKFingerprint(ekCertDER []byte) string
func (*TestVerifier) EKPubFingerprint ¶ added in v0.1.6
func (t *TestVerifier) EKPubFingerprint(ekPubDER []byte) string
func (*TestVerifier) ExtractEKPublicKey ¶
func (t *TestVerifier) ExtractEKPublicKey(ekCertDER []byte) (crypto.PublicKey, error)
func (*TestVerifier) MakeCredential ¶
func (*TestVerifier) ParseAKPublic ¶
func (t *TestVerifier) ParseAKPublic(akParams []byte) ([]byte, []byte, error)
func (*TestVerifier) ParseEKCert ¶
func (t *TestVerifier) ParseEKCert(ekCertDER []byte) (*x509.Certificate, error)
func (*TestVerifier) VerifyEKCert ¶
func (t *TestVerifier) VerifyEKCert(ekCertDER []byte) (*EKVerifyResult, error)
func (*TestVerifier) VerifyQuote ¶
func (t *TestVerifier) VerifyQuote(akPubKeyDER []byte, nonce []byte, quoteB64 string, pcrValues map[int][]byte) (*QuoteResult, error)
type Verifier ¶
type Verifier interface {
	// VerifyEKCert verifies an EK certificate and returns the verification result
	// including identity class and issuer metadata for census tracking.
	//
	// ekCertDER is untrusted prover input. A nil error does not by itself mean
	// the EK is trusted: callers must check EKVerifyResult.IdentityClass and
	// gate trust on IdentityClassVerified only (an unverifiable chain is
	// presumably reported as IdentityClassUnverified rather than as an error —
	// confirm against the implementation).
	VerifyEKCert(ekCertDER []byte) (*EKVerifyResult, error)
	// VerifyQuote verifies a TPM quote signed by the given AK public key.
	// nonce is the raw bytes that were passed to the TPM as qualifyingData.
	// When pcrValues is non-nil, the quote's PCR digest is verified against
	// the provided values. When nil, PCR validation is skipped.
	//
	// Security notes for callers:
	//   - nonce must be generated by the verifier, unpredictable, and used for
	//     exactly one challenge; otherwise a previously captured quote can be
	//     replayed. Nothing in this interface enforces freshness.
	//   - With pcrValues nil the result proves only that the holder of the AK
	//     private key signed a quote over nonce; it says nothing about PCR state.
	//   - pcrValues are prover-supplied claims that become meaningful only
	//     because the signed digest matches them and the AK is itself bound to
	//     a verified EK (typically via the MakeCredential challenge flow).
	VerifyQuote(akPubKeyDER []byte, nonce []byte, quoteB64 string, pcrValues map[int][]byte) (*QuoteResult, error)
	// MakeCredential creates an encrypted credential challenge for the TPM.
	//
	// The challenge is built against ekPubKey and akName, so presumably only a
	// TPM holding the matching EK private key and an AK with that exact name
	// can recover secret (TPM2_MakeCredential/ActivateCredential semantics —
	// confirm). secret should be freshly generated per challenge; the prover
	// proving knowledge of it is what binds the AK to the EK.
	MakeCredential(ekPubKey crypto.PublicKey, akName []byte, secret []byte) ([]byte, error)
	// ParseAKPublic parses AK parameters and returns the AK public key DER and AK name.
	//
	// akParams is untrusted prover input. The returned name commits to the AK's
	// public area, but whether the implementation also checks the AK attributes
	// a verifier should require (restricted, sign, fixedTPM, sensitiveDataOrigin)
	// is not visible here — NOTE(review): confirm, since an unrestricted key can
	// sign arbitrary "quotes".
	ParseAKPublic(akParams []byte) (akPubKeyDER []byte, akName []byte, err error)
	// ExtractEKPublicKey extracts the public key from an EK certificate.
	// It performs no verification; pair it with VerifyEKCert before trusting the key.
	ExtractEKPublicKey(ekCertDER []byte) (crypto.PublicKey, error)
	// EKFingerprint computes a SHA-256 fingerprint from an EK certificate.
	// The fingerprint is derived from the PKIX DER-encoded public key extracted
	// from the cert (not the cert DER itself), so it matches EKPubFingerprint
	// for the same underlying EK.
	//
	// A fingerprint is a stable identifier for an EK, not evidence that the EK
	// is genuine; it should be associated with the IdentityClass from VerifyEKCert.
	EKFingerprint(ekCertDER []byte) string
	// EKPubFingerprint computes a SHA-256 fingerprint from a PKIX DER-encoded
	// EK public key. Used when no EK certificate is available (e.g. vTPMs).
	// Produces the same fingerprint as EKFingerprint for the same EK.
	//
	// Without a certificate there is no issuer to verify against, so an EK
	// identified only this way can be tracked but not authenticated unless
	// its public key is trusted through some out-of-band channel.
	EKPubFingerprint(ekPubDER []byte) string
	// ParseEKCert parses a DER-encoded EK certificate.
	// Parsing alone validates neither signature nor chain.
	ParseEKCert(ekCertDER []byte) (*x509.Certificate, error)
}
Verifier defines the TPM verification interface.