ea

package
Published: Mar 27, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Constants

// Exporter labels for the two secrets an Exported Authenticator is built
// from (RFC 9261, Sections 4.1 and 4.2.2): the "handshake context" label
// yields the value the authenticator transcript is bound to, the "finished
// key" label yields the key for the authenticator's Finished MAC. Each role
// has its own pair so a client authenticator and a server authenticator on
// the same connection never share a secret. These strings are part of the
// wire contract: presumably ExportHandshakeContext and ExportFinishedKey
// hand them to the TLS keying-material exporter, and any change breaks
// interoperability with every conforming peer.
const (
	// Client-role labels.
	LabelClientAuthenticatorHandshakeContext = "EXPORTER-client authenticator handshake context"
	LabelClientAuthenticatorFinishedKey      = "EXPORTER-client authenticator finished key"

	// Server-role labels.
	LabelServerAuthenticatorHandshakeContext = "EXPORTER-server authenticator handshake context"
	LabelServerAuthenticatorFinishedKey      = "EXPORTER-server authenticator finished key"
)
// TLS 1.3 HandshakeType codepoints (RFC 8446, Section 4) for the messages an
// Exported Authenticator is assembled from. A non-empty authenticator is the
// sequence Certificate, CertificateVerify, Finished; CertificateRequest (13)
// and RFC 9261's client_certificate_request (17) are the two request forms
// an AuthenticatorRequest can carry. The values are what appears in the
// one-byte type field on the wire and must not be reassigned. Any other type
// is presumably rejected with ErrUnsupportedHandshakeType — confirm in the
// unmarshal functions.
const (
	HandshakeTypeCertificate              uint8 = 11
	HandshakeTypeCertificateRequest       uint8 = 13
	HandshakeTypeCertificateVerify        uint8 = 15
	HandshakeTypeClientCertificateRequest uint8 = 17
	HandshakeTypeFinished                 uint8 = 20
)
// IANA TLS ExtensionType codepoints (RFC 8446, Section 4.2) for the
// extensions this package knows how to build or decode in authenticator
// requests. Listed in codepoint order with their registry names. Extension
// types outside this list are presumably kept opaque in Extension.Data
// rather than interpreted — confirm in UnmarshalExtensions.
const (
	ServerNameExtensionType              uint16 = 0x0000 // server_name
	SignatureAlgorithmsExtensionType     uint16 = 0x000d // signature_algorithms
	CertificateAuthoritiesExtensionType  uint16 = 0x002f // certificate_authorities
	OIDFiltersExtensionType              uint16 = 0x0030 // oid_filters
	SignatureAlgorithmsCertExtensionType uint16 = 0x0032 // signature_algorithms_cert
)
// CMWAttestationExtensionType is the extension codepoint this package uses on
// a certificate entry to offer, or carry, attestation evidence wrapped in a
// RATS Conceptual Message Wrapper (presumably what both
// CMWAttestationOfferExtension and CMWAttestationDataExtension emit — confirm).
// 0xFF00 is not an IANA-assigned value: it sits in the range the TLS
// ExtensionType registry reserves for private use (65280-65535). Both peers
// must be configured with the same number, it can collide with any other
// private-use extension a deployment already relies on, and it should be
// expected to change if the attestation draft this follows is assigned a
// codepoint.
const CMWAttestationExtensionType uint16 = 0xFF00

Variables

// Sentinel errors returned by the parsing, export and validation entry
// points; compare with errors.Is. On the validation path every one of them
// means the authenticator must be rejected — there is no soft failure that a
// caller may proceed past.
var (
	// Wire-format problems found while decoding handshake messages,
	// extensions or authenticator requests.
	ErrTruncated                = errors.New("ea: truncated input")
	ErrInvalidLength            = errors.New("ea: invalid length")
	ErrBadRequest               = errors.New("ea: bad authenticator request")
	ErrUnsupportedHandshakeType = errors.New("ea: unsupported handshake type")

	// Connection and argument preconditions. This package derives its
	// secrets for TLS 1.3 connections only, using the hash of the negotiated
	// cipher suite; the zero Role is not a valid role.
	ErrNotTLS13           = errors.New("ea: not TLS 1.3")
	ErrUnknownCipherSuite = errors.New("ea: unknown cipher suite")
	ErrInvalidRole        = errors.New("ea: invalid authenticator role")

	// Cryptographic and binding failures while validating an authenticator
	// against the request and the connection. ErrContextReuse is the replay
	// check on certificate_request_context; Session.MarkContextUsed is the
	// only visible place contexts are recorded, so presumably only the
	// Session-based validators can raise it — confirm before relying on the
	// package-level Validate* functions for replay protection.
	// NOTE(review): confirm the Finished MAC comparison behind
	// ErrFinishedMismatch is constant-time (hmac.Equal).
	ErrUnsupportedSignatureScheme = errors.New("ea: unsupported signature scheme")
	ErrSignatureMismatch          = errors.New("ea: CertificateVerify signature mismatch")
	ErrFinishedMismatch           = errors.New("ea: Finished MAC mismatch")
	ErrContextMismatch            = errors.New("ea: certificate_request_context mismatch")
	ErrContextReuse               = errors.New("ea: certificate_request_context already used")
)

Functions

func AuthenticatorHashTLS13

func AuthenticatorHashTLS13(cipherSuite uint16) (crypto.Hash, error)

func CreateAuthenticator

func CreateAuthenticator(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, identity tls.Certificate, leafEntryExtensions []Extension) ([]byte, error)

func CreateAuthenticatorWithPolicy

func CreateAuthenticatorWithPolicy(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, policy *SpontaneousAuthenticatorPolicy, identity tls.Certificate, leafEntryExtensions []Extension) ([]byte, error)

func ExportFinishedKey

func ExportFinishedKey(st *tls.ConnectionState, role Role) ([]byte, crypto.Hash, error)

func ExportHandshakeContext

func ExportHandshakeContext(st *tls.ConnectionState, role Role) ([]byte, crypto.Hash, error)

func ExtractCMWAttestationFromExtensions

func ExtractCMWAttestationFromExtensions(exts []Extension) ([]byte, bool, error)

func MarshalExtensions

func MarshalExtensions(exts []Extension) ([]byte, error)

func MarshalHandshakeMessage

func MarshalHandshakeMessage(m HandshakeMessage) ([]byte, error)

func NewRandomContext

func NewRandomContext(n int) ([]byte, error)

func PolicyPermitsCertificateExtension

func PolicyPermitsCertificateExtension(policy *SpontaneousAuthenticatorPolicy, typ uint16) bool

func RequestPermitsCertificateExtension

func RequestPermitsCertificateExtension(req *AuthenticatorRequest, typ uint16) bool

func ValidateCMWAttestationPlacement

func ValidateCMWAttestationPlacement(entries []CertificateEntry) error

Types

type AuthenticatorRequest

// AuthenticatorRequest is a parsed authenticator request: a TLS 1.3
// CertificateRequest or the RFC 9261 client_certificate_request, sent over
// the application channel rather than inside the handshake.
type AuthenticatorRequest struct {
	// Type is the handshake type the request was carried in — presumably
	// HandshakeTypeCertificateRequest or HandshakeTypeClientCertificateRequest;
	// confirm what UnmarshalAuthenticatorRequest accepts.
	Type uint8
	// Context is the certificate_request_context. RFC 9261 requires it to be
	// unique within the connection: the responding authenticator is bound to
	// it (ErrContextMismatch) and a Session refuses to accept it twice
	// (ErrContextReuse). Generate it with NewRandomContext, never from a
	// counter or a fixed value.
	Context []byte
	// Extensions are the request's extensions, undecoded. The accessor
	// methods (SignatureSchemes, SignatureSchemesCert, CertificateAuthorities,
	// OIDFilters) interpret the ones this package understands.
	Extensions []Extension
}

func UnmarshalAuthenticatorRequest

func UnmarshalAuthenticatorRequest(handshakeBytes []byte) (AuthenticatorRequest, []byte, error)

func (AuthenticatorRequest) CertificateAuthorities

func (r AuthenticatorRequest) CertificateAuthorities() ([][]byte, bool)

func (AuthenticatorRequest) Marshal

func (r AuthenticatorRequest) Marshal() ([]byte, error)

func (AuthenticatorRequest) OIDFilters

func (r AuthenticatorRequest) OIDFilters() ([]OIDFilter, bool)

func (AuthenticatorRequest) SignatureSchemes

func (r AuthenticatorRequest) SignatureSchemes() ([]uint16, bool)

func (AuthenticatorRequest) SignatureSchemesCert

func (r AuthenticatorRequest) SignatureSchemesCert() ([]uint16, bool)

type CertificateEntry

// CertificateEntry is one entry of a TLS 1.3 Certificate message: a DER
// certificate and the extensions attached to that entry.
type CertificateEntry struct {
	// CertDER is the certificate exactly as transmitted, not parsed.
	CertDER []byte
	// Extensions are the entry's extensions. This is where a CMW attestation
	// travels: CreateAuthenticator attaches its leafEntryExtensions to the
	// end-entity entry, and ValidateCMWAttestationPlacement checks a received
	// entry list — presumably that attestation appears only on the leaf.
	// Confirm before accepting an attestation found on any other entry.
	Extensions []Extension
}

type CertificateMessage

// CertificateMessage is the parsed body of a TLS 1.3 Certificate message
// (RFC 8446, Section 4.4.2) as it appears inside an authenticator.
type CertificateMessage struct {
	// Context is the certificate_request_context the sender echoed from the
	// request, or chose itself for a spontaneous authenticator. Validation
	// must compare it with the request's Context; ErrContextMismatch is the
	// failure.
	Context []byte
	// Entries are the presented certificates with their per-entry
	// extensions; under the TLS 1.3 ordering rule the sender's own
	// certificate comes first. A message with no entries is presumably the
	// wire form of an empty authenticator (ValidationResult.Empty) — confirm.
	Entries []CertificateEntry
}

func UnmarshalCertificateMessage

func UnmarshalCertificateMessage(handshakeBytes []byte) (CertificateMessage, []byte, error)

func (CertificateMessage) Marshal

func (m CertificateMessage) Marshal() ([]byte, error)

type CertificateVerifyMessage

// CertificateVerifyMessage is the parsed body of a CertificateVerify
// handshake message (RFC 8446, Section 4.4.3).
type CertificateVerifyMessage struct {
	// Algorithm is the SignatureScheme codepoint the signature was produced
	// with. On validation it must be one the request (or the spontaneous
	// policy) allows — ErrUnsupportedSignatureScheme exists for that case;
	// the sender's choice alone must never decide what is accepted.
	Algorithm uint16
	// Signature is the raw signature; a failed check surfaces as
	// ErrSignatureMismatch.
	Signature []byte
}

func UnmarshalCertificateVerifyMessage

func UnmarshalCertificateVerifyMessage(handshakeBytes []byte) (CertificateVerifyMessage, []byte, error)

func (CertificateVerifyMessage) Marshal

func (m CertificateVerifyMessage) Marshal() ([]byte, error)

type Extension

// Extension is a TLS extension as it appears on the wire: a two-byte type
// and its opaque extension_data. Nothing is decoded here; the accessors on
// AuthenticatorRequest and the CMWAttestation helpers interpret Data for the
// types they know.
type Extension struct {
	Type uint16
	Data []byte
}

func CMWAttestationDataExtension

func CMWAttestationDataExtension(cmw []byte) (Extension, error)

func CMWAttestationOfferExtension

func CMWAttestationOfferExtension() Extension

func SignatureAlgorithmsCertExtension

func SignatureAlgorithmsCertExtension(schemes []uint16) (Extension, error)

func SignatureAlgorithmsExtension

func SignatureAlgorithmsExtension(schemes []uint16) (Extension, error)

func UnmarshalExtensions

func UnmarshalExtensions(b []byte) (exts []Extension, rest []byte, err error)

type FinishedMessage

// FinishedMessage is the parsed body of a Finished handshake message.
type FinishedMessage struct {
	// VerifyData is the MAC that binds the authenticator to this connection,
	// keyed with the role's exported Finished key (RFC 9261, Section 5.2.1);
	// a mismatch is reported as ErrFinishedMismatch. NOTE(review): confirm
	// the comparison is constant-time (hmac.Equal) — not visible here.
	VerifyData []byte
}

func UnmarshalFinishedMessage

func UnmarshalFinishedMessage(handshakeBytes []byte) (FinishedMessage, []byte, error)

func (FinishedMessage) Marshal

func (m FinishedMessage) Marshal() ([]byte, error)

type HandshakeMessage

// HandshakeMessage is one TLS handshake message split into its one-byte type
// and the body that follows the three-byte length. An authenticator is a
// concatenation of these (Certificate, CertificateVerify, Finished);
// UnmarshalHandshakeMessage returns the unconsumed remainder so a caller can
// walk the sequence.
type HandshakeMessage struct {
	Type uint8
	Body []byte
}

func UnmarshalHandshakeMessage

func UnmarshalHandshakeMessage(b []byte) (msg HandshakeMessage, rest []byte, err error)

type OIDFilter

// OIDFilter is one entry of an oid_filters extension (RFC 8446, Section
// 4.2.5): a certificate-extension OID and the encoded values a presented
// certificate must match for that extension.
type OIDFilter struct {
	OID asn1.ObjectIdentifier
	// Values is kept as raw bytes — presumably the DER
	// certificate_extension_values straight from the wire, not decoded.
	// Confirm before comparing it against a certificate's extension value.
	Values []byte
}

type Role

// Role identifies which side of the TLS connection is the sender of an
// authenticator, i.e. the party proving its identity. It selects the
// client- or server-specific exporter labels, so both the side creating an
// authenticator and the side validating it presumably pass the sender's
// role — confirm against the exporter calls. The zero value is deliberately
// not a role (the constants start at iota + 1) and is expected to be
// reported as ErrInvalidRole.
type Role uint8
const (
	RoleClient Role = iota + 1
	RoleServer
)

type Session

// Session holds the per-connection state the replay check needs: the
// certificate_request_context values already consumed, recorded with
// MarkContextUsed (and presumably by the Session's own Create*/Validate*
// methods — confirm). Use exactly one Session per TLS connection and reuse
// it for every authenticator exchanged on that connection; a fresh Session
// per call, or one shared across connections, defeats the ErrContextReuse
// protection. Whether the methods are safe for concurrent use is not
// visible here — assume not unless documented.
type Session struct {
	// contains filtered or unexported fields
}

func NewSession

func NewSession() *Session

func (*Session) CreateAuthenticator

func (s *Session) CreateAuthenticator(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, identity tls.Certificate, leafEntryExtensions []Extension) ([]byte, error)

func (*Session) CreateAuthenticatorWithPolicy

func (s *Session) CreateAuthenticatorWithPolicy(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, policy *SpontaneousAuthenticatorPolicy, identity tls.Certificate, leafEntryExtensions []Extension) ([]byte, error)

func (*Session) MarkContextUsed

func (s *Session) MarkContextUsed(ctx []byte) error

func (*Session) ValidateAuthenticator

func (s *Session) ValidateAuthenticator(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, authBytes []byte, verifyOpts *x509.VerifyOptions) (*ValidationResult, error)

func (*Session) ValidateAuthenticatorWithAttestation

func (s *Session) ValidateAuthenticatorWithAttestation(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, authBytes []byte, verifyOpts *x509.VerifyOptions, attPolicy eaattestation.VerificationPolicy) (*ValidationResult, error)

func (*Session) ValidateAuthenticatorWithPolicies

func (s *Session) ValidateAuthenticatorWithPolicies(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, policy *SpontaneousAuthenticatorPolicy, authBytes []byte, verifyOpts *x509.VerifyOptions, attPolicy eaattestation.VerificationPolicy) (*ValidationResult, error)

func (*Session) ValidateAuthenticatorWithPolicy

func (s *Session) ValidateAuthenticatorWithPolicy(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, policy *SpontaneousAuthenticatorPolicy, authBytes []byte, verifyOpts *x509.VerifyOptions) (*ValidationResult, error)

type SpontaneousAuthenticatorPolicy

// SpontaneousAuthenticatorPolicy constrains authenticators sent without a
// matching request (the spontaneous case of RFC 9261, where the sender
// chooses its own context) and therefore without request extensions to bound
// what the authenticator may contain. It is consulted by the *WithPolicy
// entry points.
type SpontaneousAuthenticatorPolicy struct {
	// AllowedSignatureSchemes lists the SignatureScheme codepoints accepted
	// in CertificateVerify.
	AllowedSignatureSchemes []uint16
	// AllowedCertificateExtensions lists the extension types permitted on
	// certificate entries; PolicyPermitsCertificateExtension is the check.
	// Whether a nil or empty list means "allow nothing" or "allow anything"
	// is not visible here — confirm before deploying, since that distinction
	// is the whole security property of the policy.
	AllowedCertificateExtensions []uint16
}

type ValidationResult

// ValidationResult is what a successful Validate* call returns. A non-nil
// result says the authenticator checked out against this connection and the
// request; it does not say the presented identity is the one the caller
// expected — compare Chain against your own expectations.
type ValidationResult struct {
	// Context is the certificate_request_context the authenticator is bound to.
	Context []byte
	// Chain is the presented certificates, parsed; presumably verified
	// against the *x509.VerifyOptions passed to the validator, end-entity
	// first — confirm, and confirm what a nil verifyOpts means before
	// passing one.
	Chain []*x509.Certificate
	// CMWAttestation is the raw CMW taken from the certificate-entry
	// extension, when present. Raw means unverified: base decisions on
	// Attestation, not on this.
	CMWAttestation []byte
	// Attestation is the verified attestation payload when a
	// VerificationPolicy was supplied; expect nil otherwise.
	Attestation *eaattestation.VerifiedPayload
	// Empty reports an empty authenticator (RFC 9261, Section 5.2.2): a
	// Finished-only message proving possession of the connection's exporter
	// key but asserting no identity. Check it before trusting Chain; an
	// empty authenticator is a valid refusal to authenticate, not a success.
	Empty bool
}

func ValidateAuthenticator

func ValidateAuthenticator(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, authBytes []byte, verifyOpts *x509.VerifyOptions) (*ValidationResult, error)

func ValidateAuthenticatorWithAttestation

func ValidateAuthenticatorWithAttestation(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, authBytes []byte, verifyOpts *x509.VerifyOptions, attPolicy eaattestation.VerificationPolicy) (*ValidationResult, error)

func ValidateAuthenticatorWithPolicies

func ValidateAuthenticatorWithPolicies(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, policy *SpontaneousAuthenticatorPolicy, authBytes []byte, verifyOpts *x509.VerifyOptions, attPolicy eaattestation.VerificationPolicy) (*ValidationResult, error)

func ValidateAuthenticatorWithPolicy

func ValidateAuthenticatorWithPolicy(st *tls.ConnectionState, role Role, req *AuthenticatorRequest, policy *SpontaneousAuthenticatorPolicy, authBytes []byte, verifyOpts *x509.VerifyOptions) (*ValidationResult, error)
