Affected by GO-2025-3455 and 3 other vulnerabilities

GO-2025-3455: Contrast's unauthenticated recovery allows Coordinator impersonation in github.com/edgelesssys/contrast

GO-2025-3718: Contrast workload secrets leak to logs on INFO level in github.com/edgelesssys/contrast

GO-2025-3807: Contrast vulnerability allows arbitrary host data Injection into container VOLUME mount points in github.com/edgelesssys/contrast

GO-2025-4078: Contrast has insecure LUKS2 persistent storage partitions may be opened and used in github.com/edgelesssys/contrast

atls

package

v1.1.0 Latest Latest Go to latest Published: Oct 9, 2024 License: AGPL-3.0 Imports: 23 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/edgelesssys/contrast

Links

Open Source Insights

Documentation ¶

Overview ¶

aTLS provides config generation functions to bootstrap attested TLS connections.

Index ¶

Variables
func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator, privKey *ecdsa.PrivateKey) (*tls.Config, error)
func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator, attestationFailures prometheus.Counter) (*tls.Config, error)
type FakeAttestationDoc
type FakeIssuer
- func NewFakeIssuer(oid Getter) *FakeIssuer
- func (FakeIssuer) Issue(_ context.Context, userData []byte, nonce []byte) ([]byte, error)
type FakeValidator
- func NewFakeValidator(oid Getter) *FakeValidator
- func (v FakeValidator) Validate(attDoc []byte, nonce []byte, _ []byte) error
type Getter
type Issuer
- func PlatformIssuer(log *slog.Logger) (Issuer, error)
type Validator
- func NewFakeValidators(oid Getter) []Validator

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// NoValidators skips validation of the server's attestation document.
	NoValidators = []Validator{}
	// NoIssuer skips embedding the client's attestation document.
	NoIssuer Issuer
	// NoMetrics skips collecting metrics for attestation failures.
	NoMetrics prometheus.Counter

	// ErrNoValidAttestationExtensions is returned when no valid attestation document certificate extensions are found.
	ErrNoValidAttestationExtensions = errors.New("no valid attestation document certificate extensions found")
	// ErrNoMatchingValidators is returned when no validator matches the attestation document.
	ErrNoMatchingValidators = errors.New("no matching validators found")
)

Functions ¶

func CreateAttestationClientTLSConfig ¶

func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator, privKey *ecdsa.PrivateKey) (*tls.Config, error)

CreateAttestationClientTLSConfig creates a tls.Config object that verifies a certificate with an embedded attestation document.

ATTENTION: The tls.Config ensures freshness of the server's attestation only for the first connection it is used for. If freshness is required, you must create a new tls.Config for each connection or ensure freshness on the protocol level. If freshness is not required, you can reuse this tls.Config.

If no validators are set, the server's attestation document will not be verified. If issuer is nil, the client will be unable to perform mutual aTLS.

func CreateAttestationServerTLSConfig ¶

func CreateAttestationServerTLSConfig(issuer Issuer, validators []Validator, attestationFailures prometheus.Counter) (*tls.Config, error)

CreateAttestationServerTLSConfig creates a tls.Config object with a self-signed certificate and an embedded attestation document. Pass a list of validators to enable mutual aTLS. If issuer is nil, no attestation will be embedded.

Types ¶

type FakeAttestationDoc ¶

type FakeAttestationDoc struct {
	UserData []byte
	Nonce    []byte
}

FakeAttestationDoc is a fake attestation document used for testing.

type FakeIssuer ¶

type FakeIssuer struct {
	Getter
}

FakeIssuer fakes an issuer and can be used for tests.

func NewFakeIssuer ¶

func NewFakeIssuer(oid Getter) *FakeIssuer

NewFakeIssuer creates a new FakeIssuer with the given OID.

func (FakeIssuer) Issue ¶

func (FakeIssuer) Issue(_ context.Context, userData []byte, nonce []byte) ([]byte, error)

Issue marshals the user data and returns it.

type FakeValidator ¶

type FakeValidator struct {
	Getter
	// contains filtered or unexported fields
}

FakeValidator fakes a validator and can be used for tests.

func NewFakeValidator ¶

func NewFakeValidator(oid Getter) *FakeValidator

NewFakeValidator creates a new FakeValidator with the given OID.

func (FakeValidator) Validate ¶

func (v FakeValidator) Validate(attDoc []byte, nonce []byte, _ []byte) error

Validate unmarshals the attestation document and verifies the nonce.

type Getter ¶

type Getter interface {
	OID() asn1.ObjectIdentifier
}

Getter returns an ASN.1 Object Identifier.

type Issuer ¶

type Issuer interface {
	Getter
	Issue(ctx context.Context, userData []byte, nonce []byte) (quote []byte, err error)
}

Issuer issues an attestation document.

func PlatformIssuer ¶ added in v0.9.0

func PlatformIssuer(log *slog.Logger) (Issuer, error)

PlatformIssuer creates an attestation issuer for the current platform.

type Validator ¶

type Validator interface {
	Getter
	Validate(attDoc []byte, nonce []byte, peerPublicKey []byte) error
}

Validator is able to validate an attestation document.

func NewFakeValidators ¶

func NewFakeValidators(oid Getter) []Validator

NewFakeValidators returns a slice with a single FakeValidator.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL