Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func VerifyIIDSignature
func VerifyIIDSignature(certStore *IIDCertStore, region string, document []byte, signatureB64 string) error
VerifyIIDSignature verifies the PKCS#7 signature of an instance identity document against the AWS public certificate for the given region (see GetCert). document is the raw bytes served by IMDS at /latest/dynamic/instance-identity/document, and signatureB64 is the base64 text served at /latest/dynamic/instance-identity/rsa2048: a PKCS#7 (CMS/S/MIME) signed message over that document, produced with RSA-2048 and SHA-256, with the document itself carried separately rather than embedded in the message. Pass the document bytes exactly as fetched; re-serialising the parsed JSON changes the bytes and the signature will not verify. A valid signature proves only that AWS issued this document for some instance in that region. It does not prove that the caller is that instance, and it does not prove freshness: the document can be read by anything with access to IMDS on the instance and replayed for as long as the instance lives. Callers should confirm that the document's region matches the region whose certificate was used and apply their own replay controls.
Types
type IIDCertStore
type IIDCertStore struct {
	// contains filtered or unexported fields
}
IIDCertStore provides parsed x509 certificates for IID verification.
func NewIIDCertStore
func NewIIDCertStore(l *zap.Logger, certsDir string) (*IIDCertStore, error)
NewIIDCertStore loads the IID verification certificates. If certsDir is non-empty and the directory exists, PEM files from it override the embedded defaults; this is how operators pick up new or rotated AWS regional certificates without rebuilding. Any certificate placed in certsDir becomes a trusted signer for its region, so the directory must be writable only by the operator.
func (*IIDCertStore) GetCert
func (s *IIDCertStore) GetCert(region string) (*x509.Certificate, error)
GetCert returns the certificate for the given AWS region.
type InstanceIdentityDocument
type InstanceIdentityDocument struct {
	AccountID        string    `json:"accountId"`
	Architecture     string    `json:"architecture"`
	AvailabilityZone string    `json:"availabilityZone"`
	ImageID          string    `json:"imageId"`
	InstanceID       string    `json:"instanceId"`
	InstanceType     string    `json:"instanceType"`
	PendingTime      time.Time `json:"pendingTime"`
	PrivateIP        string    `json:"privateIp"`
	Region           string    `json:"region"`
	Version          string    `json:"version"`
}
InstanceIdentityDocument represents the JSON document returned by the EC2 IMDS at /latest/dynamic/instance-identity/document.
func ParseAndValidateIID
func ParseAndValidateIID(document string) (*InstanceIdentityDocument, error)
ParseAndValidateIID parses a raw IID JSON document and validates that the required fields are present and well-formed. It does not check the signature; verify the same raw bytes with VerifyIIDSignature before trusting any field of the result.
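The field validation described above, plus the region-binding and age checks a verifier should apply once the signature has been accepted, as an added example written against the Go standard library only. This is not the package's own code: the IID type, ParseIID, CheckBinding and the sample document are assumptions constructed for illustration, and the sample is not captured from a real instance. Signature verification is deliberately out of scope; the example assumes VerifyIIDSignature (or an equivalent PKCS#7 check) has already accepted the same raw bytes. It goes a little beyond ParseAndValidateIID by also checking that the availability zone belongs to the stated region and by bounding the age of pendingTime, which is the instance launch time.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// IID mirrors the JSON served by EC2 IMDS at
// /latest/dynamic/instance-identity/document. Illustrative copy, not the
// package's own InstanceIdentityDocument type.
type IID struct {
	AccountID        string    `json:"accountId"`
	Architecture     string    `json:"architecture"`
	AvailabilityZone string    `json:"availabilityZone"`
	ImageID          string    `json:"imageId"`
	InstanceID       string    `json:"instanceId"`
	InstanceType     string    `json:"instanceType"`
	PendingTime      time.Time `json:"pendingTime"`
	PrivateIP        string    `json:"privateIp"`
	Region           string    `json:"region"`
	Version          string    `json:"version"`
}

// Shapes of the identifiers AWS issues: 12-digit account IDs, i-/ami-
// prefixed hex IDs (8 or 17 hex digits), and region names like eu-west-1.
var (
	reAccount  = regexp.MustCompile(`^[0-9]{12}$`)
	reInstance = regexp.MustCompile(`^i-[0-9a-f]{8}([0-9a-f]{9})?$`)
	reImage    = regexp.MustCompile(`^ami-[0-9a-f]{8}([0-9a-f]{9})?$`)
	reRegion   = regexp.MustCompile(`^[a-z]{2}(-[a-z]+)+-[0-9]+$`)
)

// ParseIID decodes raw document bytes and rejects documents whose required
// fields are absent or malformed. It does not verify the signature; the
// caller must have verified the signature over these exact bytes already.
func ParseIID(raw []byte) (*IID, error) {
	var d IID
	if err := json.Unmarshal(raw, &d); err != nil { // unknown fields are ignored
		return nil, fmt.Errorf("iid: invalid JSON: %w", err)
	}
	switch {
	case !reAccount.MatchString(d.AccountID):
		return nil, errors.New("iid: accountId must be 12 digits")
	case !reInstance.MatchString(d.InstanceID):
		return nil, errors.New("iid: malformed instanceId")
	case !reImage.MatchString(d.ImageID):
		return nil, errors.New("iid: malformed imageId")
	case !reRegion.MatchString(d.Region):
		return nil, errors.New("iid: malformed region")
	case d.Version == "":
		return nil, errors.New("iid: version missing")
	case d.PendingTime.IsZero():
		return nil, errors.New("iid: pendingTime missing")
	}
	// An AZ name extends its region name (us-east-1a; Local Zones add more
	// segments, e.g. us-west-2-lax-1a), so the two fields must agree.
	if !strings.HasPrefix(d.AvailabilityZone, d.Region) || len(d.AvailabilityZone) <= len(d.Region) {
		return nil, fmt.Errorf("iid: availabilityZone %q is not in region %q", d.AvailabilityZone, d.Region)
	}
	return &d, nil
}

// CheckBinding applies the checks that matter after the signature verified.
// certRegion is the region whose certificate accepted the signature; a
// document naming a different region means the verifier selected the
// certificate from something other than the document. pendingTime is the
// launch time, so an IID replays for the life of the instance; maxAge is
// the verifier's own bound on how old a launch it will accept, skew tolerates
// clock drift between IMDS and the verifier.
func CheckBinding(d *IID, certRegion string, now time.Time, maxAge, skew time.Duration) error {
	if d.Region != certRegion {
		return fmt.Errorf("iid: document region %q does not match certificate region %q", d.Region, certRegion)
	}
	if d.PendingTime.After(now.Add(skew)) {
		return errors.New("iid: pendingTime is in the future")
	}
	if maxAge > 0 && now.Sub(d.PendingTime) > maxAge {
		return fmt.Errorf("iid: instance launched %s ago, exceeds max age %s", now.Sub(d.PendingTime).Round(time.Second), maxAge)
	}
	return nil
}

// sampleIID is a constructed document for illustration, not captured from
// a real instance; the IDs and account number are placeholders.
const sampleIID = `{
  "accountId": "123456789012",
  "architecture": "x86_64",
  "availabilityZone": "us-east-1a",
  "imageId": "ami-0123456789abcdef0",
  "instanceId": "i-0123456789abcdef0",
  "instanceType": "t3.micro",
  "pendingTime": "2024-05-01T12:00:00Z",
  "privateIp": "10.0.1.23",
  "region": "us-east-1",
  "version": "2017-09-30"
}`

func main() {
	d, err := ParseIID([]byte(sampleIID))
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	// Fixed clock so the run is reproducible: 30 minutes after launch.
	now := time.Date(2024, 5, 1, 12, 30, 0, 0, time.UTC)
	if err := CheckBinding(d, "us-east-1", now, 24*time.Hour, time.Minute); err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Printf("accepted %s in %s (account %s)\n", d.InstanceID, d.AvailabilityZone, d.AccountID)
}
```

The age bound is a policy choice, not a property of the document: a fleet that registers nodes at boot can use a short maxAge, while a verifier that must accept long-lived instances has to rely on other replay controls (for example, a one-time registration per instanceId) instead.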