Constants ¶
// TLS_DEADLINE is the deadline the verifier applies to its TLS exchange
// with the Attestor: one minute. Which operation it bounds (dial, handshake
// or the whole attestation session) is decided by the code that uses it,
// which is not shown here — confirm there before tuning it.
const TLS_DEADLINE time.Duration = 60 * time.Second
Variables ¶
// Sentinel errors reported by the verifier. Callers should match them with
// errors.Is so that wrapped values (fmt.Errorf with %w) still compare equal.

// ErrInvalidCACertificate reports that the CA certificate could not be added
// to the x509 certificate pool.
var ErrInvalidCACertificate = errors.New("verifier: failed to add CA certificate to x509 certificate pool")

// ErrConnectionFailed reports that the connection to the Attestor failed.
var ErrConnectionFailed = errors.New("verifier: connection failed")

// ErrImportEKCert reports that the Attestor's Endorsement Key (EK)
// certificate could not be imported.
var ErrImportEKCert = errors.New("verifier: failed to import Endorsement Key (EK) certificate")

// ErrCertKeyMismatch reports that the certificate's public key modulus does
// not match the attestation public key presented by the Attestor.
var ErrCertKeyMismatch = errors.New("verifier: certificate and attestation public key modulus mismatch")

// ErrInvalidPublicKey reports that a presented public key could not be used.
var ErrInvalidPublicKey = errors.New("verifier: invalid public key")

// ErrInvalidCredential reports that the Attestor failed the credential
// challenge, i.e. it could not prove possession of the activated credential.
var ErrInvalidCredential = errors.New("verifier: attestor failed credential challenge")

// ErrUnexpectedEventLogState reports that the Attestor's event log did not
// match the expected state.
var ErrUnexpectedEventLogState = errors.New("verifier: unexpected event log state")

// ErrUnexpectedPCRState reports that the Attestor's PCR values did not match
// the expected state.
var ErrUnexpectedPCRState = errors.New("verifier: unexpected PCR state")
Functions ¶
This section is empty.
Types ¶
type AttestationKey ¶
type Verification ¶
// Verification is the concrete Verifier type of this package. It embeds the
// Verifier interface, so any interface method it does not define itself
// (VerifyQuote is declared on Verifier but is not documented on this type)
// is promoted from the embedded value.
// NOTE(review): if the embedded Verifier is nil, calling a promoted method
// panics at call time — confirm how the constructor (not shown here)
// populates it.
type Verification struct {
Verifier
// contains filtered or unexported fields
}
func (*Verification) AKProfile ¶
func (verifier *Verification) AKProfile( ekCert *x509.Certificate) (*keystore.KeyAttributes, tpm2.AKProfile, error)
Gets the EK public key, AK public key, AK name and signature algorithm, and creates key attributes for the AK.
func (*Verification) ActivateCredential ¶
func (verifier *Verification) ActivateCredential( makeCredentialResponse makeCredentialResponse) error
Enables the association of a credential with an object in a way that ensures that the TPM has validated the parameters of the credentialed object. In an attestation scheme, this assures the registrar that the attestation key belongs to the TPM with a qualified parent key in that TPM. https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_activatecredential.1.md
func (*Verification) Attest ¶
func (verifier *Verification) Attest() error
Provisions a new device key using the steps outlined in Key Provisioning: https://tpm2-software.github.io/tpm2-tss/getting-started/2019/12/18/Remote-Attestation.html
func (*Verification) Close ¶
func (verifier *Verification) Close() error
Removes the Verifier's CA bundle from memory.
func (*Verification) EKCert ¶
func (verifier *Verification) EKCert() (*x509.Certificate, error)
Gets the Attestor's Endorsement Key (EK) certificate and imports it into the CA.
func (*Verification) IssueCertificate ¶
func (verifier *Verification) IssueCertificate( akAttrs *keystore.KeyAttributes, akPubBytes []byte) error
Generates and sends a new x509 platform certificate to the Attestor.
func (*Verification) MakeCredential ¶
func (verifier *Verification) MakeCredential( akName libtpm2.TPM2BName) (makeCredentialResponse, error)
Calls TPM2_MakeCredential to generate the encrypted secret and privacy data that are sent to the Attestor for activation. https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_makecredential.1.md
func (*Verification) Quote ¶
func (verifier *Verification) Quote( akAttrs *keystore.KeyAttributes, akPub []byte) (tpm2.Quote, []byte, error)
Requests a TPM PCR quote from the Attestor that includes current TPM PCR values, EventLog, and Secure Boot state. If Open Enrollment is enabled, the state is signed and saved to the CA's signed blob storage, an Attestation Certificate is created, imported to the certificate store, and provided to the Attestor.
type Verifier ¶
// Verifier is the CA-side half of the remote attestation exchange with an
// Attestor. Its methods are listed in the order the protocol uses them.
//
// MakeCredential and ActivateCredential exchange the unexported
// makeCredentialResponse type, so Verifier can only be implemented inside
// this package.
//
// NOTE(review): Quote's documentation says that under Open Enrollment the
// quoted state is signed and an Attestation Certificate is issued; the call
// order is not visible here, so confirm that VerifyQuote (or an equivalent
// check) runs before any certificate is issued.
type Verifier interface {
	// Attest runs the full provisioning flow against the Attestor.
	Attest() error

	// EKCert fetches the Attestor's Endorsement Key (EK) certificate and
	// imports it into the CA.
	EKCert() (*x509.Certificate, error)

	// AKProfile derives the EK public key, AK public key, AK name and
	// signature algorithm from ekCert and builds key attributes for the AK.
	AKProfile(ekCert *x509.Certificate) (*keystore.KeyAttributes, tpm2.AKProfile, error)

	// MakeCredential runs TPM2_MakeCredential for akName, producing the
	// encrypted secret and privacy data sent to the Attestor for activation.
	MakeCredential(akName libtpm2.TPM2BName) (makeCredentialResponse, error)

	// ActivateCredential checks the Attestor's answer to the credential
	// challenge, binding the attestation key to the TPM that owns the EK.
	ActivateCredential(makeCredentialResponse makeCredentialResponse) error

	// IssueCertificate generates a platform x509 certificate for the AK and
	// sends it to the Attestor.
	IssueCertificate(keyAttrs *keystore.KeyAttributes, akPubBytes []byte) error

	// Quote requests a PCR quote (PCR values, event log and Secure Boot
	// state) from the Attestor. The second result is presumably the nonce
	// bound into the quote — confirm against the implementation.
	Quote(akAttrs *keystore.KeyAttributes, akPubBytes []byte) (tpm2.Quote, []byte, error)

	// VerifyQuote validates quote against akAttrs, akProfile and nonce.
	// Its body is not shown on this page; the expected inputs are those
	// returned by AKProfile and Quote.
	VerifyQuote(akAttrs *keystore.KeyAttributes, akProfile tpm2.AKProfile, quote tpm2.Quote, nonce []byte) error

	// Close releases the Verifier's CA bundle from memory.
	Close() error
}