Documentation
Overview
Package verifier contains clients for various attestation verifiers. It is meant for launcher use and testing; the API is not stable.
Types
type AttestClients
AttestClients contains clients for supported verifier services that can be used to get attestation tokens.
func (*AttestClients) HasThirdPartyClient
func (ac *AttestClients) HasThirdPartyClient() bool
HasThirdPartyClient returns true if AttestClients contains an initialized third-party verifier client.
type Challenge
type Challenge struct {
	// Used as audience for GCP credential tokens.
	Name string
	// Used to generate attestation.
	Nonce     []byte
	ConnID    string
	Val       []byte
	Iat       []byte
	Signature []byte
}
Challenge is the response for CreateChallenge. It is used in the get challenge part of a remote attestation protocol. The challenge will be verified as part of VerifyAttestation.
type Client
type Client interface {
	CreateChallenge(ctx context.Context) (*Challenge, error)
	VerifyAttestation(ctx context.Context, request VerifyAttestationRequest) (*VerifyAttestationResponse, error)
	VerifyConfidentialSpace(ctx context.Context, request VerifyAttestationRequest) (*VerifyAttestationResponse, error)
}
Client is a common interface to various attestation verifiers.
type ContainerSignature
type TDCCELAttestation
type TDCCELAttestation struct {
	CcelAcpiTable     []byte
	CcelData          []byte
	CanonicalEventLog []byte
	TdQuote           []byte
	// still needs following two for GCE info
	AkCert            []byte
	IntermediateCerts [][]byte
	NvidiaAttestation *csattestpb.NvidiaAttestationReport
}
type VerifyAttestationRequest
type VerifyAttestationRequest struct {
	Challenge      *Challenge
	GcpCredentials [][]byte
	// Attestation is for TPM attestation
	Attestation              *attestpb.Attestation
	ContainerImageSignatures []*ContainerSignature
	TokenOptions             *models.TokenOptions
	// TDCCELAttestation is for TDX CCEL RTMR attestation
	TDCCELAttestation *TDCCELAttestation
}
VerifyAttestationRequest is passed in on VerifyAttestation. It contains the Challenge from CreateChallenge, optional GcpCredentials linked to the attestation, the Attestation generated from the TPM, and optional container image signatures associated with the workload.
type VerifyAttestationResponse
VerifyAttestationResponse is the response from a successful VerifyAttestation call.
Directories

| Path | Synopsis |
|---|---|
| fake | Package fake is a fake implementation of the Client interface for testing. |
| models | Package models contains models needed in client and server. |
| oci | Package oci contains functionalities to interact with OCI image signatures. |
| cosign | Package cosign contains functionalities to interact with signatures generated by cosign. |
| rest | Package rest contains the code to use the REST-based Google API. |
| util | Package util provides helper functions to prepare materials for talking to attestation verifiers. |