Documentation
¶
Overview ¶
Package ratls is the CLI's client-side RA-TLS verifier. It connects directly to an enclave (through the gateway's L4 splice), optionally challenges it with a fresh nonce (0xFFBB, requires the Privasys Go fork + -tags ratls), and verifies the attestation quote against the attestation server — so the CLI trusts the enclave's hardware attestation, not the control plane.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type OID ¶
type OID struct {
OID string `json:"oid"`
Label string `json:"label"`
ValueHex string `json:"value_hex"`
}
OID is a parsed certificate OID extension.
type Params ¶
type Params struct {
Host string // enclave gateway FQDN
Port int // usually 443
ServerName string // SNI (the workload hostname)
Challenge []byte // nil => deterministic mode
AttServerURL string // attestation server verify endpoint (quote verification)
AttServerTok string // optional bearer for the attestation server
ExpectMRENCLA string // optional MRENCLAVE pin (hex)
ExpectMRTD string // optional MRTD pin (hex)
}
Params configures a direct verification.
type Result ¶
type Result struct {
Host string `json:"host"`
TLSVersion string `json:"tls_version"`
CipherSuite string `json:"cipher_suite"`
Challenged bool `json:"challenged"`
NonceHex string `json:"nonce_hex,omitempty"`
QuoteType string `json:"quote_type"`
QuoteOID string `json:"quote_oid"`
ReportDataHex string `json:"report_data_hex,omitempty"`
PubKeySHA256 string `json:"pubkey_sha256"`
CustomOIDs []OID `json:"custom_oids,omitempty"`
QuoteStatus string `json:"quote_status,omitempty"`
TcbDate string `json:"tcb_date,omitempty"`
AdvisoryIDs []string `json:"advisory_ids,omitempty"`
Verified bool `json:"verified"`
VerifyError string `json:"verify_error,omitempty"`
CertPEM string `json:"-"`
QuoteRaw []byte `json:"-"`
}
Result is the outcome of a direct, client-side attestation.
Click to show internal directories.
Click to hide internal directories.