ca

package
v0.0.1-alpha.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 4, 2024 License: Apache-2.0 Imports: 30 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidConfig                = errors.New("certificate-authority: invalid configuration")
	ErrCertFuture                   = errors.New("certificate-authority: certificate issued in the future")
	ErrCertExpired                  = errors.New("certificate-authority: certificate expired")
	ErrDistributionPointExists      = errors.New("certificate-authority: distribution point already exists")
	ErrInvalidSignature             = errors.New("certificate-authority: invalid signature")
	ErrInvalidSignatureAlgorithm    = errors.New("certificate-authority: invalid signature algorithm")
	ErrCRLAlreadyExists             = errors.New("certificate-authority: revocation list already exists")
	ErrNoIssuingCA                  = errors.New("certificate-authority: no issuing CAs found in certificate")
	ErrCertNotSupported             = errors.New("certificate-authority: certificate contains unsupported configuration")
	ErrInvalidPublicKey             = errors.New("certificate-authority: invalid public key")
	ErrInvalidCurve                 = errors.New("certificate-authority: invalid ECC Curve")
	ErrPrivateKeyPasswordRequired   = errors.New("certificate-authority: private key password required")
	ErrNotInitialized               = errors.New("certificate-authority: not initialized")
	ErrAlreadyInitialized           = errors.New("certificate-authority: already initialized")
	ErrInvalidIntermediateSelection = errors.New("certificate-authority: invalid intermediate certificate authority selection")
	ErrUnsupportedHashAlgorithm     = errors.New("certificate-authority: unsupported hashing algorithm")
	ErrUnsupportedRSAScheme         = errors.New("certificate-authority: unsupported RSA padding scheme")
	ErrInvalidAttestationBlobType   = errors.New("certificate-authority: invalid attestation blob type")
	ErrParentCertificatesNotFound   = errors.New("certificate-authority: parent CA certificates not found in certificate store")
	ErrUnknownCA                    = errors.New("certificate-authority: unknown certificate authority")
	ErrMissingIssuerURL             = errors.New("certificate-authority: missing Issuing CA URL in certificate")
	ErrInvalidIssuer                = errors.New("certificate-authority: invalid certificate issuer")

	WarnNoSigningPassword = errors.New("certificate-authority: signing with an insecure private key")
)
View Source 
var (
	ErrInvalidIssuingURL = errors.New("certificate-authority: invalid issuing URL")
	ErrUnsealFailure     = errors.New("certificate-authority: key unseal operation failed")

	ATTEST_BLOB_ROOT     string = "tpm"
	ATTEST_AK_NAME              = "ak"
	ATTEST_BLOB_QUOTE           = "quote"
	ATTEST_BLOB_EVENTLOG        = "eventlog"
	ATTEST_BLOB_PCRS            = "pcrs"
	ATTEST_EK_CERT_NAME         = "ek"
)

Functions

func DebugCipherSuites 

func DebugCipherSuites(logger *logging.Logger)

Debug prints the secure, supported TLD cipher suites

func DebugInsecureCipherSuites 

func DebugInsecureCipherSuites(logger *logging.Logger)

Debug prints the insecure, unsupported TLs cipher suites

func DecodeCSR 

func DecodeCSR(bytes []byte) (*x509.CertificateRequest, error)

Decodes CSR bytes to x509.CertificateRequest

func DecodePEM 

func DecodePEM(bytes []byte) (*x509.Certificate, error)

Decodes PEM bytes to *x509.Certificate

func EncodeCSR 

func EncodeCSR(csr []byte) ([]byte, error)

Encodes a Certificate Signing Request to PEM form

func EncodePEM 

func EncodePEM(derCert []byte) ([]byte, error)

Encodes a raw DER byte array as a PEM byte array

func HomeDirectory 

func HomeDirectory(platformDir, cn string) string

Parses the home directory for the provided CA parameters and platform root directory.

func NewCA 

func NewCA(params *CAParams) (CertificateAuthority, CertificateAuthority, error)

This function creates new Root and Intermediate x509 Certifiate Authorities according to the platform configuration file. First, an attempt is made to load them from a pre-existing initilization. If the CA hasn't been initialized, (missing CA public/private keys from the key store(s)), the Root and Intermediate CAs will be returned along with ErrNotInitalized.

ErrNotInitialized signals that Init needs to be called to initialize the CA key store(s). After initialization, subsequent invocations will load and return the CAs ready to use.

Types

type CA 

type CA struct {
	CertificateAuthority
	// contains filtered or unexported fields
}

func (*CA) Blob 

func (ca *CA) Blob(key []byte) ([]byte, error)

Returns the requested blob from the blob store

func (*CA) CABundle 

func (ca *CA) CABundle(
	storeType *keystore.StoreType,
	keyAlgorithm *x509.PublicKeyAlgorithm) ([]byte, error)

Returns the CA bundle for an Intermediate Certificate Authority

func (*CA) CABundleCertPool 

func (ca *CA) CABundleCertPool(
	storeType *keystore.StoreType,
	keyAlgorithm *x509.PublicKeyAlgorithm) (*(x509.CertPool), error)

Returns a x509.CertPool with the CA certificates bundled, If a key algorithm is not provided, the default CA key algorithm is used.

func (*CA) CAKeyAttributes 

func (ca *CA) CAKeyAttributes(
	storeType *keystore.StoreType,
	keyAlgorithm *x509.PublicKeyAlgorithm) (*keystore.KeyAttributes, error)

Returns the CA key attributes for the requested algorithm

func (*CA) CASigner 

func (ca *CA) CASigner(
	storeType *keystore.StoreType,
	algorithm *x509.PublicKeyAlgorithm) (crypto.Signer, error)

Returns a CA crypto.Signer for the provided algorithm. If an algorithm is not provided, the default CA key algorithm is used.

func (*CA) Certificate 

func (ca *CA) Certificate(keyAttrs *keystore.KeyAttributes) (*x509.Certificate, error)

Returns a validated x509 certificate from the certificate store

func (*CA) Checksum 

func (ca *CA) Checksum(key []byte) (bool, error)

Returns a blob checksum (hex)

func (*CA) CreateCSR 

func (ca *CA) CreateCSR(request CertificateRequest) ([]byte, error)

Creates a new Certificate Signing Request (CSR)

func (*CA) DefaultKeyAlgorithm 

func (ca *CA) DefaultKeyAlgorithm() x509.PublicKeyAlgorithm

Returns the CA's default key algorithm

func (*CA) DefaultValidityPeriod 

func (ca *CA) DefaultValidityPeriod() int

Returns the default number of days certificates issued by the CA are valid.

func (*CA) EndorsementKeyCertificate 

func (ca *CA) EndorsementKeyCertificate() ([]byte, error)

Returns the local TPM Endorsement Key x509 Certificate in PEM form

func (*CA) Hash 

func (ca *CA) Hash() crypto.Hash

Returns the CA's default hash function

func (*CA) Identity 

func (ca *CA) Identity() Identity

Returns the Certificate Authority identity configuration

func (*CA) ImportAttestation 

func (ca *CA) ImportAttestation(
	akAttrs *keystore.KeyAttributes,
	blobType string,
	data []byte,
	backend keystore.KeyBackend) error

Signs the requested blob type using the CA public key and saves the signature, digest and blob to the signed blob keystore.

func (*CA) ImportAttestationEventLog 

func (ca *CA) ImportAttestationEventLog(
	signerAttrs *keystore.KeyAttributes,
	data []byte,
	backend keystore.KeyBackend) error

Signs the requested event log using the CA public key and saves the signature, digest and event log to the signed blob keystore.

func (*CA) ImportAttestationKeyCertificate 

func (ca *CA) ImportAttestationKeyCertificate(
	attrs *keystore.KeyAttributes, akDER []byte) error

Imports a TPM Attestation Key x509 certificate to the TPM blob storage partition in DER form.

func (*CA) ImportAttestationPCRs 

func (ca *CA) ImportAttestationPCRs(
	signerAttrs *keystore.KeyAttributes,
	pcrs []byte,
	backend keystore.KeyBackend) error

Signs the requested PCR list using the CA public key and saves the signature, digest and PCR list to the signed blob keystore.

func (*CA) ImportAttestationQuote 

func (ca *CA) ImportAttestationQuote(
	signerAttrs *keystore.KeyAttributes,
	data []byte,
	backend keystore.KeyBackend) error

Signs the requested quote using the CA public key and saves the signature, digest and quote to the signed blob keystore.

func (*CA) ImportBlob 

func (ca *CA) ImportBlob(key, data []byte) error

Saves a new blob to the blob store

func (*CA) ImportCertificate 

func (ca *CA) ImportCertificate(certificate *x509.Certificate) error

Import a x509 certificate and save it to the certificate store

func (*CA) ImportCertificatePEM 

func (ca *CA) ImportCertificatePEM(attrs *keystore.KeyAttributes, pemBytes []byte) error

Import a PEM certificate to the certificate store. The certificate is parsed and verified prior to import to ensure it's valid.

func (*CA) ImportDistrbutionCRLs 

func (ca *CA) ImportDistrbutionCRLs(certificate *x509.Certificate) error

Download, verify and import all Distribution Point CRLs listed in the certificate The CRL(s) are added to the Certificate Authority 3rd party CRL store and used during certificate verifications.

func (*CA) ImportEndorsementKeyCertificate 

func (ca *CA) ImportEndorsementKeyCertificate(
	ekAttrs *keystore.KeyAttributes, ekCertBytes []byte) error

Imports a new TPM PEM encoded Endorsement Key into the certificate store

func (*CA) ImportIssuingCAs 

func (ca *CA) ImportIssuingCAs(cert *x509.Certificate) error

Download, verify and import all "CA Issuers" listed in the certificate and it's CRL into the Certificate Authority. The certificate(s) are added to the trusted certpool, but not installed to the operating system trust store.

func (*CA) ImportLocalAttestation 

func (ca *CA) ImportLocalAttestation(
	keyAttrs *keystore.KeyAttributes,
	quote tpm2.Quote,
	backend keystore.KeyBackend) error

func (*CA) Init 

func (ca *CA) Init(parentCA CertificateAuthority) error

The first time the Certificate Authority is run, it needs to be initialized. This process creates new Root and Intermediate CA(s) private / public key pairs and x509 signing certificate and saves them to the certificate store.

Subsequent calls to the CA can call Load(). The caller should check IsInitalized first to be certain the key and certificate store(s) are accessible and ready to service requests.

Certificates are saved to the certificate store in DER form. Other formats can be exported from the stores after they've been saved.

func (*CA) IsAutoImportingIssuerCAs 

func (ca *CA) IsAutoImportingIssuerCAs() bool

Returns true if auto-importing of CA certificates are enabled

func (*CA) IsInitialized 

func (ca *CA) IsInitialized() (bool, error)

Returns true if the Certificate Authority's configured keys are available to start servicing requests. A successful response indicates the Load() method is ready to be called. An unsuccessful response intidates Init() must be called to initialize the key and certificate store(s).

func (*CA) IsSigned 

func (ca *CA) IsSigned(key string) (bool, error)

Returns true if the specified blob key has a stored signature

func (*CA) IssueAKCertificate 

func (ca *CA) IssueAKCertificate(
	request CertificateRequest,
	pubKey crypto.PublicKey) (*x509.Certificate, error)

Creates a new private / public key pair for the purposes of an Attestation Key Certificate (AK Credential Profile), in DER form. This method returns the raw DER encoded []byte as returned from x509.CreateCertificate. https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf

func (*CA) IssueCertificate 

func (ca *CA) IssueCertificate(request CertificateRequest) ([]byte, error)

Generate a new private / public key pair and x509 certificate and import it to the certificate store in DER form. This method returns the raw DER encoded []byte as returned from x509.CreateCertificate.

func (*CA) IssueEKCertificate 

func (ca *CA) IssueEKCertificate(
	request CertificateRequest,
	ekPubKey crypto.PublicKey) (*x509.Certificate, error)

Creates a new private / public key pair for the purposes of a TPM Endorsement Certificate (EK Credential Profile), in DER form. This method returns the raw DER encoded []byte as returned from x509.CreateCertificate. https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf

func (*CA) Key 

func (ca *CA) Key(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

Returns the Certificate Authority's key chain

func (*CA) Load 

func (ca *CA) Load() error

Load CA key attributes. Any errors during Load are treated as Fatal.

func (*CA) OSTrustStore 

func (ca *CA) OSTrustStore() OSTrustStore

Returns the operating system's CA trusted certificates store provider

func (*CA) PEM 

func (ca *CA) PEM(attrs *keystore.KeyAttributes) ([]byte, error)

Returns a PEM certifcate from the cert store as []byte or ErrCertNotFound if the certificate does not exist.

func (*CA) ParseCABundle 

func (ca *CA) ParseCABundle(bundle []byte) ([]*x509.Certificate, error)

Parses a PEM encoded CA bundle with multiple certificates and returns and array of x509 certificates that can be used for verification or creating a CertPool.

func (*CA) PubKey 

func (ca *CA) PubKey(attrs *keystore.KeyAttributes) (crypto.PublicKey, error)

Loads and parses a PKIX, ASN.1 DER RSA public key from the certificate store

func (*CA) Public 

func (ca *CA) Public() crypto.PublicKey

Implements crypto.PrivateKey Implements crypto.Decrypter

func (*CA) Revoke 

func (ca *CA) Revoke(certificate *x509.Certificate) error

Revoke a certificate

func (*CA) Sign 

func (ca *CA) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

Implements crypto.Signer Signs a digest using the Certificate Authority public key. SignerOpts may be provided to override the signing key as well as perist blob storage.

func (*CA) SignCSR 

func (ca *CA) SignCSR(csrBytes []byte, request CertificateRequest) ([]byte, error)

Signs a Certificate Signing Request (CSR) and save it to the cert store in DER and PEM form. This method returns the raw DER encoded []byte array as returned from x509.CreateCertificate.

func (*CA) SignTCGCSRIDevID 

func (ca *CA) SignTCGCSRIDevID(
	cn string,
	tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
	request *CertificateRequest) ([]byte, error)

Signs a TCG-CSR-IDEVID Certificate Signing Request (CSR) and imports it to the certificate store in DER form. This method returns the raw DER encoded []byte array as returned from x509.CreateCertificate.

The TCG-CSR-IDEVID structure doesn't define a common name or any PKIX subject fields. If a nil CertificateRequest parameter is passed, the certificate generated from the TCG-CSR-IDEVID request uses the CA certificate PKIX subject configuration. The caller can use the StoreType parameter in the passed request parameter's key attributes to control which key store module the CA uses to sign the request. The CA must own a key in the requested key store, with a matching algorithm.

func (*CA) Signature 

func (ca *CA) Signature(key string) ([]byte, error)

Returns a stored signature from the signed blob store

func (*CA) SignedBlob 

func (ca *CA) SignedBlob(key []byte) ([]byte, error)

Returns signed data from the signed blob store

func (*CA) SignedDigest 

func (ca *CA) SignedDigest(key string, hash crypto.Hash) (bool, error)

Returns a blob's signed digest from blob storage

func (*CA) Signer 

func (ca *CA) Signer(attrs *keystore.KeyAttributes) (crypto.Signer, error)

Returns a crypto.Signer for an issued certificate

func (*CA) TLSBundle 

func (ca *CA) TLSBundle(attrs *keystore.KeyAttributes) ([][]byte, *x509.Certificate, error)

Creates a TLS "bundle" containing the requested leaf certificate, the Certificate Authority's certificate, and any cross-signed certificates in ASN.1 DER form, and returns the certificate bundle and leaf.

func (*CA) TLSBundlePEM 

func (ca *CA) TLSBundlePEM(attrs *keystore.KeyAttributes) ([]byte, error)

Creates a TLS "bundle" containing the requested leaf certificate, the Certificate Authority's certificate, and any cross-signed certificates in ASN.1 DER form, and returns the certificate bundle and leaf.

func (*CA) TLSCertificate 

func (ca *CA) TLSCertificate(attrs *keystore.KeyAttributes) (tls.Certificate, error)

Returns an x509 certificate KeyPair suited for tls.Config

func (*CA) TLSConfig 

func (ca *CA) TLSConfig(attrs *keystore.KeyAttributes) (*tls.Config, error)

Returns a tls.Config for the requested common name populated with the Certificate Authority, cross-signed intermediates if any, and the end entity leaf certificate.

func (*CA) TrustedIntermediateCertPool 

func (ca *CA) TrustedIntermediateCertPool(
	certificate *x509.Certificate) (*x509.CertPool, error)

Returns a cert pool initialized with the root certificate for the provided certificate.

func (*CA) TrustedRootCertPool 

func (ca *CA) TrustedRootCertPool(
	certificate *x509.Certificate) (*x509.CertPool, error)

Returns a cert pool initialized with the root certificate for the provided certificate.

func (*CA) Verify 

func (ca *CA) Verify(certificate *x509.Certificate) error

Verify a certificate using the CA's private trusted root and intermediate certificates.

func (*CA) VerifyAttestationEventLog 

func (ca *CA) VerifyAttestationEventLog(akAttrs *keystore.KeyAttributes, eventLog []byte) error

func (*CA) VerifyAttestationPCRs 

func (ca *CA) VerifyAttestationPCRs(akAttrs *keystore.KeyAttributes, pcrs []byte) error

func (*CA) VerifyAttestationQuote 

func (ca *CA) VerifyAttestationQuote(akAttrs *keystore.KeyAttributes, quote []byte) error

func (*CA) VerifyQuote 

func (ca *CA) VerifyQuote(akAttrs *keystore.KeyAttributes, quote tpm2.Quote, nonce []byte) error

Verifies a TPM 2.0 quote using a previously captured event log and PCR state that's been signed and stored in the CA signed blob store.

Rather than parsing and replaying the event log, a more simplistic approach is taken, which verifies the current event log and secure boot state blobs with the state stored in the CA signed blob store captured during device enrollment or local attestation. This may change in the future. The rationale for this is partly due to the event log not being a reliable source for integrity checking to begin with: https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md

func (*CA) VerifySignature 

func (ca *CA) VerifySignature(digest, signature []byte, opts *keystore.VerifyOpts) error

Verifies a RSA PKCS1v15, RSA-PSS, ECDSA or Ed25519 digest

func (*CA) VerifyTCGCSRIDevID 

func (ca *CA) VerifyTCGCSRIDevID(
	tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
	signatureAlgorithm x509.SignatureAlgorithm) ([]byte, []byte, []byte, error)

Verifies a TCG_CSR_IDEVID Certificate Signing Request (CSR) per TCG TPM 2.0 Keys for Identity and Attestation - Section 6.1.2 - Procedure. The CA issues a challenge to the device to validate that the TPM has the EK matching the certificate in step 2b and that the IAK whose public area is included in 2c is loaded in the device’s TPM. The challenge data blob is created using the following procedure: a. Calculate the cryptographic Name of the IAK, by hashing its public area with its associated hash algorithm, prepended with the Algorithm ID of the hashing algorithm. Refer to TPM 2.0 Library Specification [2], Part 1, Section 16 (“Names”). b. Using the sequence described in TPM 2.0 Library Specification, Part 3, section 12.6.3 (“TPM2_MakeCredential Detailed Actions”), create the encrypted “credential” structure to be sent to the device. When building this encrypted structure, objectName is the Name of the IAK calculated in step ‘a’ and Certificate (which is the payload field) holds a nonce (whose size matches the Name hash). Retain the nonce for use in later steps. c. The CA sends the encrypted “credential” blob to the enrolling TPM device.

type CAParams 

type CAParams struct {
	Backend      keystore.KeyBackend
	BlobStore    blobstore.BlobStorer
	CertStore    certstore.CertificateStorer
	Config       Config
	Debug        bool
	DebugSecrets bool
	Home         string
	Identity     Identity
	KeyChain     *platform.KeyChain
	Logger       *logging.Logger
	Random       io.Reader
	SelectedCA   int
	SignerStore  keystore.SignerStorer
	TPM          tpm2.TrustedPlatformModule
}

type CertificateAuthority 

type CertificateAuthority interface {
	// AttestLocal(signerAttrs *keystore.KeyAttributes) error
	// AttestationEventLog(cn string) ([]byte, error)
	// AttestationPCRs(cn string) (map[string][][]byte, error)
	// AttestationQuote(cn string) ([]byte, error)
	// AttestationSignature(cn, blobType string) ([]byte, error)
	CABundle(storeType *keystore.StoreType, keyAlgorithm *x509.PublicKeyAlgorithm) ([]byte, error)
	CABundleCertPool(*keystore.StoreType, *x509.PublicKeyAlgorithm) (*x509.CertPool, error)
	CAKeyAttributes(
		storeType *keystore.StoreType,
		algo *x509.PublicKeyAlgorithm) (*keystore.KeyAttributes, error)
	CASigner(storeType *keystore.StoreType, algorithm *x509.PublicKeyAlgorithm) (crypto.Signer, error)
	Certificate(keyAttrs *keystore.KeyAttributes) (*x509.Certificate, error)
	Checksum(key []byte) (bool, error)
	CreateCSR(request CertificateRequest) ([]byte, error)
	DefaultKeyAlgorithm() x509.PublicKeyAlgorithm
	DefaultValidityPeriod() int
	EndorsementKeyCertificate() ([]byte, error)
	Hash() crypto.Hash
	Identity() Identity
	Init(parentCA CertificateAuthority) error
	IsAutoImportingIssuerCAs() bool
	IsInitialized() (bool, error)
	ImportAttestation(attestatomAttrs *keystore.KeyAttributes, blobType string, data []byte, backend keystore.KeyBackend) error
	ImportAttestationKeyCertificate(attrs *keystore.KeyAttributes, akDER []byte) error
	ImportAttestationEventLog(attestatomAttrs *keystore.KeyAttributes, data []byte, backend keystore.KeyBackend) error
	ImportAttestationPCRs(attestatomAttrs *keystore.KeyAttributes, pcrs []byte, backend keystore.KeyBackend) error
	ImportAttestationQuote(attestatomAttrs *keystore.KeyAttributes, data []byte, backend keystore.KeyBackend) error
	ImportCertificate(certificate *x509.Certificate) error
	ImportDistrbutionCRLs(cert *x509.Certificate) error
	ImportEndorsementKeyCertificate(attrs *keystore.KeyAttributes, ekCertBytes []byte) error
	ImportLocalAttestation(keyAttrs *keystore.KeyAttributes, quote tpm2.Quote, backend keystore.KeyBackend) error
	ImportIssuingCAs(certificate *x509.Certificate) error
	IssueCertificate(request CertificateRequest) ([]byte, error)
	ImportCertificatePEM(attrs *keystore.KeyAttributes, pemBytes []byte) error
	IssueAKCertificate(request CertificateRequest, pubKey crypto.PublicKey) (*x509.Certificate, error)
	IssueEKCertificate(request CertificateRequest, ekPubKey crypto.PublicKey) (*x509.Certificate, error)
	Load() error
	Key(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
	ParseCABundle(bundle []byte) ([]*x509.Certificate, error)
	PEM(attrs *keystore.KeyAttributes) ([]byte, error)
	Public() crypto.PublicKey
	Revoke(certificate *x509.Certificate) error
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
	SignedBlob(key []byte) ([]byte, error)
	Signature(key string) ([]byte, error)
	IsSigned(key string) (bool, error)
	SignCSR(csrBytes []byte, request CertificateRequest) ([]byte, error)
	SignedDigest(key string, hash crypto.Hash) (bool, error)
	Signer(attrs *keystore.KeyAttributes) (crypto.Signer, error)
	SignTCGCSRIDevID(
		cn string,
		tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
		request *CertificateRequest) ([]byte, error)
	TLSCertificate(attrs *keystore.KeyAttributes) (tls.Certificate, error)
	TLSBundle(attrs *keystore.KeyAttributes) ([][]byte, *x509.Certificate, error)
	TLSBundlePEM(attrs *keystore.KeyAttributes) ([]byte, error)
	TLSConfig(attrs *keystore.KeyAttributes) (*tls.Config, error)
	TrustStore() OSTrustStore
	TrustedRootCertPool(certificate *x509.Certificate) (*x509.CertPool, error)
	TrustedIntermediateCertPool(certificate *x509.Certificate) (*x509.CertPool, error)
	Verify(certificate *x509.Certificate) error
	VerifyAttestationEventLog(signerAttrs *keystore.KeyAttributes, eventLog []byte) error
	VerifyAttestationPCRs(signerAttrs *keystore.KeyAttributes, pcrs []byte) error
	VerifyAttestationQuote(signerAttrs *keystore.KeyAttributes, quote []byte) error
	VerifySignature(digest []byte, signature []byte, opts *keystore.VerifyOpts) error
	VerifyTCGCSRIDevID(
		tcgCSRIDevID *tpm2.TCG_CSR_IDEVID,
		signatureAlgorithm x509.SignatureAlgorithm) ([]byte, []byte, []byte, error)
	VerifyQuote(keyAttrs *keystore.KeyAttributes, quote tpm2.Quote, nonce []byte) error
}

func NewIntermediateCA 

func NewIntermediateCA(params *CAParams) (CertificateAuthority, error)

Create a new x509 Intermediate Certificate Authority.

func NewParentCA 

func NewParentCA(params *CAParams) (CertificateAuthority, error)

Creates a new x509 Root or Parent x509 Certificate Authority

type CertificateRequest 

type CertificateRequest struct {
	SANS          *SubjectAlternativeNames `yaml:"sans" json:"sans" mapstructure:"sans"`
	Subject       Subject                  `yaml:"subject" json:"subject" mapstructure:"subject"`
	Valid         int                      `yaml:"valid" json:"valid" mapstructure:"valid"`
	KeyAttributes *keystore.KeyAttributes  `yaml:"-" json:"-" mapstructure:"-"`
}

type Config 

type Config struct {
	AutoImportIssuingCA   bool       `yaml:"auto-import-issuing-ca" json:"auto_import_issuing_ca" mapstructure:"auto-import-issuing-ca"`
	DefaultValidityPeriod int        `yaml:"default-validity" json:"default_validity" mapstructure:"default-validity"`
	DefaultIDevIDCN       string     `yaml:"default-idevid-cn" json:"default_idevid_cn" mapstructure:"default-idevid-cn"`
	Identity              []Identity `yaml:"identity" json:"identity" mapstructure:"identity"`
	IncludeLocalhostSANS  bool       `yaml:"sans-include-localhost" json:"sans_include_localhost" mapstructure:"sans-include-localhost"`
	PlatformCA            int        `yaml:"platform-ca" json:"platform_ca" mapstructure:"platform-ca"`
	RequireKeyPassword    bool       `yaml:"require-password" json:"require-password" mapstructure:"require-password"`
	SystemCertPool        bool       `yaml:"system-cert-pool" json:"system_cert_pool" mapstructure:"system-cert-pool"`
}

func DefaultConfigECDSA 

func DefaultConfigECDSA(rootIdentity, intermediateIdentity Identity) Config

Returns a default ECDSA config

func DefaultConfigEd25119 

func DefaultConfigEd25119(rootIdentity, intermediateIdentity Identity) Config

Returns a default Ed25519 config

func DefaultConfigRSA 

func DefaultConfigRSA(rootIdentity, intermediateIdentity Identity) Config

Returns a default RSA config

func MinimalConfigECDSA 

func MinimalConfigECDSA(rootIdentity, intermediateIdentity Identity) Config

Returns a minimal ECDSA config with ECDSA configured as the only signing algorithm

func MinimalConfigEd25119 

func MinimalConfigEd25119(rootIdentity, intermediateIdentity Identity) Config

Returns a minimal Ed25519 config with Ed25119 configured as the only signing algorithm

func MinimalConfigRSA 

func MinimalConfigRSA(rootIdentity, intermediateIdentity Identity) Config

Returns a minimal RSA config with RSA configured as the only signing algorithm

type DebianTrustStore 

type DebianTrustStore struct {
	OSTrustStore
	// contains filtered or unexported fields
}

func (*DebianTrustStore) Install 

func (store *DebianTrustStore) Install(cn string) error

func (*DebianTrustStore) Uninstall 

func (store *DebianTrustStore) Uninstall(cn string) error

func (*DebianTrustStore) UpdateCerts 

func (store *DebianTrustStore) UpdateCerts() error

type IDevIDCertificateRequest 

type IDevIDCertificateRequest struct {
	CertificateRequest
	PermanentID string `yaml:"permanent-id" json:"permanent_id" mapstructure:"permanent-id"`
	ProdModel   string `yaml:"prod-model" json:"prod_model" mapstructure:"prod-model"`
	ProdSerial  string `yaml:"prod-serial" json:"prod_serial" mapstructure:"prod-serial"`
}

type Identity 

type Identity struct {
	KeyChainConfig *platform.KeyChainConfig `yaml:"keystores" json:"keystores" mapstructure:"keystores"`
	Keys           []*keystore.KeyConfig    `yaml:"keys" json:"keys" mapstructure:"keys"`
	SANS           *SubjectAlternativeNames `yaml:"sans" json:"sans" mapstructure:"sans"`
	Subject        Subject                  `yaml:"subject" json:"subject" mapstructure:"subject"`
	Valid          int                      `yaml:"valid" json:"valid" mapstructure:"valid"`
}

type OSTrustStore 

type OSTrustStore interface {
	Install(cn string) error
	Uninstall(cn string) error
}

func NewDebianTrustStore 

func NewDebianTrustStore(logger *logging.Logger, certDir string) OSTrustStore

type Subject 

type Subject struct {
	CommonName         string `yaml:"cn" json:"cn" mapstructure:"cn"`
	Organization       string `yaml:"organization" json:"organization" mapstructure:"organization"`
	OrganizationalUnit string `yaml:"organizational-unit" json:"organizational_unit" mapstructure:"organizational-unit"`
	Country            string `yaml:"country" json:"country" mapstructure:"country"`
	Province           string `yaml:"province" json:"province" mapstructure:"province"`
	Locality           string `yaml:"locality" json:"locality" mapstructure:"locality"`
	Address            string `yaml:"address" json:"address" mapstructure:"address"`
	PostalCode         string `yaml:"postal-code" json:"postal_code" mapstructure:"postal-code"`
}

type SubjectAlternativeNames 

type SubjectAlternativeNames struct {
	DNS   []string `yaml:"dns" json:"dns" mapstructure:"dns"`
	IPs   []string `yaml:"ips" json:"ips" mapstructure:"ips"`
	Email []string `yaml:"email" json:"email" mapstructure:"email"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.