Overview
Package eclient provides functionality for Go programs that interact with enclave programs.
Use this package for programs that don't run in an enclave themselves but interact with enclaved programs. Those non-enclaved programs are often called third parties or relying parties.
This package requires libcrypto. On Ubuntu install it with:
sudo apt install libssl-dev
This package requires the following environment variables to be set during build:
CGO_CFLAGS=-I/opt/ego/include CGO_LDFLAGS=-L/opt/ego/lib
Or if using the EGo snap:
CGO_CFLAGS=-I/snap/ego-dev/current/opt/ego/include CGO_LDFLAGS=-L/snap/ego-dev/current/opt/ego/lib
For development and testing purposes, you can set the build tag `ego_mock_eclient` instead of setting the environment variables. With that tag, VerifyRemoteReport always fails.
Constants
This section is empty.
Variables
This section is empty.
Functions
func CreateAttestationClientTLSConfig
func CreateAttestationClientTLSConfig(verifyReport func(attestation.Report) error, opts ...AttestOption) *tls.Config
CreateAttestationClientTLSConfig creates a tls.Config object that verifies a certificate with an embedded report.
The config accepts both EGo and Open Enclave certificates.
verifyReport is called after the certificate has been verified against the report data. The caller must verify either the UniqueID or the tuple (SignerID, ProductID, SecurityVersion, Debug) in the callback.
Example
	package main

	import (
		"bytes"
		"errors"
		"net/http"

		"github.com/edgelesssys/ego/attestation"
		"github.com/edgelesssys/ego/eclient"
	)

	func main() {
		// the uniqueID is derived from the binary of the enclaved program
		// and can be obtained using `ego uniqueid`
		var uniqueID []byte
		// verifyReport is called only after the certificate matched the report data
		verifyReport := func(report attestation.Report) error {
			if !bytes.Equal(report.UniqueID, uniqueID) {
				return errors.New("invalid UniqueID")
			}
			return nil
		}
		tlsConfig := eclient.CreateAttestationClientTLSConfig(verifyReport)
		client := http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
		// example.com must use a TLS certificate with an embedded report
		// EGo's enclave package provides functionality for such a server
		_, _ = client.Get("https://example.com")
	}
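The example pins the exact UniqueID; the documentation also allows the callback to pin the tuple (SignerID, ProductID, SecurityVersion, Debug), which keeps working across rebuilds by the same signer. The following is an added example, not code from the eclient package or its documentation, of a callback body that covers both modes. It assumes a constructed Report stand-in carrying only the field names listed above in place of attestation.Report, and treats SecurityVersion as a minimum acceptable value.

```go
package main

import (
	"bytes"
	"errors"
)

// Report is a constructed stand-in for attestation.Report with only the fields named in the docs.
type Report struct {
	UniqueID        []byte
	SignerID        []byte
	ProductID       []byte
	SecurityVersion uint
	Debug           bool
}

// Policy pins an enclave by exact UniqueID or by the (SignerID, ProductID, SecurityVersion, Debug) tuple.
type Policy struct {
	UniqueID           []byte // if non-empty, only this exact binary is accepted
	SignerID           []byte // otherwise the enclave signer is pinned
	ProductID          []byte
	MinSecurityVersion uint // assumption: reject builds older than this
	AllowDebug         bool // keep false in production
}

// Verify is the body of the verifyReport callback: nil means accept.
func (p Policy) Verify(r Report) error {
	if len(p.UniqueID) > 0 {
		if !bytes.Equal(r.UniqueID, p.UniqueID) {
			return errors.New("invalid UniqueID")
		}
		return nil
	}
	if len(p.SignerID) == 0 {
		return errors.New("policy pins neither UniqueID nor SignerID") // fail closed
	}
	if !bytes.Equal(r.SignerID, p.SignerID) {
		return errors.New("invalid SignerID")
	}
	if !bytes.Equal(r.ProductID, p.ProductID) {
		return errors.New("invalid ProductID")
	}
	if r.SecurityVersion < p.MinSecurityVersion {
		return errors.New("SecurityVersion below required minimum")
	}
	if r.Debug && !p.AllowDebug {
		return errors.New("debug enclave rejected")
	}
	return nil
}
```

In a real program the callback is `func(r attestation.Report) error` and copies the same fields into the check; pass it to CreateAttestationClientTLSConfig as in the example above.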
func VerifyRemoteReport
func VerifyRemoteReport(reportBytes []byte) (attestation.Report, error)
VerifyRemoteReport verifies the integrity of the remote report and its signature.
This function verifies that the report signature is valid. It verifies that the signing authority is rooted to a trusted authority such as the enclave platform manufacturer.
The caller must verify the returned report's content.
Types
type AttestOption (added in v1.4.0)
type AttestOption struct {
// contains filtered or unexported fields
}
AttestOption configures an attestation function.
func WithIgnoreTCBStatus (added in v1.4.0)
func WithIgnoreTCBStatus() AttestOption
WithIgnoreTCBStatus ignores an invalid TCB level.
Callers must verify the TCBStatus field in the report themselves.