Documentation ¶
Index ¶
- Constants
- Variables
- func AddDomainAdmin(authToken string, urlStart string, de common.DomainEntry, cert []byte, ...) error
- func AddDomainAdminReq(authToken string, urlStart string, de common.DomainEntry, cert []byte, ...) (string, error)
- func AddDomainControlPoints(authToken string, urlStart string, de common.DomainEntry, cpsToSet []byte, ...) error
- func AddDomainControlPointsReq(authToken string, urlStart string, de common.DomainEntry, cpsToSet []byte, ...) (string, error)
- func BuildAdminDomainIndex(domainIndex int) []byte
- func ClearCurrentWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) error
- func ClearCurrentWKReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) (string, error)
- func ClearPendingWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) error
- func ClearPendingWKReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) (string, error)
- func CommitPendingWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) error
- func CommitPendingWKReq(authToken string, urlStart string, de common.DomainEntry, vp []byte, ...) (string, error)
- func Create2048RSASignerInfoFields(dataToSign []byte, sigkey string, sigkeySki string, sigkeyToken string) ([][]byte, error)
- func CreateAdminCertP521EC(ecKey ecdsa.PrivateKey, adminName string) ([]byte, error)
- func CreateAdminCertUsingSigningService(ssURL string, sigkey string, sigkeyToken string, adminName string) ([]byte, error)
- func CreateP521ECSignerInfoFields(dataToSign []byte, sigkey string, sigkeySki string, sigkeyToken string) ([][]byte, error)
- func CreateQueryHTPRequest(cryptoModuleIndex int, domainIndex int, adminBlock AdminBlk) string
- func CreateRandomWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) (error, []byte)
- func CreateRandomWKReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) (string, error)
- func CreateRecipientInfoP521EC(publicKey []byte, ukm []byte, ski []byte, encryptedKeyPart []byte) ([]byte, error)
- func CreateSignedHTPRequest(authToken string, urlStart string, de common.DomainEntry, adminBlock AdminBlk, ...) (string, error)
- func CreateSignerInfo(dataToSign []byte, sigkeys []string, sigkeySkis []string, ...) ([]byte, error)
- func ExportPendingWK(authToken string, urlStart string, de common.DomainEntry, pfile []byte, ...) ([]byte, error)
- func ExportPendingWKReq(authToken string, urlStart string, de common.DomainEntry, pfile []byte, ...) (string, error)
- func ExportWK(authToken string, urlStart string, de common.DomainEntry, pfile []byte, ...) ([]byte, error)
- func ExportWKParameterFile(kphcert []byte) []byte
- func ExportWKReq(authToken string, urlStart string, de common.DomainEntry, pfile []byte, ...) (string, error)
- func FinalizeWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) error
- func FinalizeWKReq(authToken string, urlStart string, de common.DomainEntry, vp []byte, ...) (string, error)
- func Generate2048RSAImporterKey(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) (rsa.PublicKey, []byte, error)
- func Generate2048RSAImporterKeyResponse(htpResponse string, de common.DomainEntry) (rsa.PublicKey, []byte, error)
- func GenerateImporterKeyRequest(authToken string, urlStart string, de common.DomainEntry, ...) (string, error)
- func GenerateP521ECImporterKey(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) (ecdsa.PublicKey, []byte, error)
- func GenerateP521ECImporterKeyResponse(htpResponse string, de common.DomainEntry) (ecdsa.PublicKey, []byte, error)
- func GetEP11ErrorMsg(returnCode string, reasonCode string) string
- func GetErrorMsg(errorType string, returnCode string, reasonCode string) string
- func GetRspPayload(theRsp string) ([]byte, error)
- func ImportWK(authToken string, urlStart string, de common.DomainEntry, ...) error
- func IncrementTransactionCounter(original []byte) []byte
- func KPHCert(pubKey ecdsa.PublicKey) []byte
- func NewCPRB(domainIndex int, payloadParm []byte) []byte
- func NewXPNUMRequest(cryptoModuleIndex int, domainIndex int, sequence []byte) string
- func QueryDeviceCertificate(authToken string, urlStart string, de common.DomainEntry, ...) ([]byte, error)
- func QueryDeviceCertificateReq(cryptoModuleIndex int, domainIndex int, certificateIndex uint32) string
- func QueryDomainAdminName(authToken string, urlStart string, de common.DomainEntry, ski []byte) (string, error)
- func QueryDomainAdminRsp(theRsp string, de common.DomainEntry) (AdminRspBlk, Certificate)
- func QueryDomainAdmins(authToken string, urlStart string, de common.DomainEntry) ([][]byte, error)
- func QueryDomainAdminsReq(cryptoModuleIndex int, domainIndex int, aSKI []byte) string
- func QueryDomainAttributes(authToken string, urlStart string, de common.DomainEntry) (DomainAttributes, AdminRspBlk, error)
- func QueryDomainAttributesReq(cryptoModuleIndex int, domainIndex int) string
- func QueryDomainControlPoints(authToken string, urlStart string, de common.DomainEntry) ([]byte, error)
- func QueryDomainControlPointsReq(cryptoModuleIndex int, domainIndex int) string
- func QueryDomainInfoRequest(cryptoModuleIndex int, domainIndex int) string
- func QueryModuleInfoRequest(cryptoModuleIndex int, domainIndex int) string
- func QueryNumberDeviceCertificates(authToken string, urlStart string, de common.DomainEntry) (uint32, error)
- func QueryNumberDeviceCertificatesReq(cryptoModuleIndex int, domainIndex int) string
- func RemoveDomainAdminReq(authToken string, urlStart string, de common.DomainEntry, ski []byte, ...) (string, error)
- func RemoveDomainAdministrator(authToken string, urlStart string, de common.DomainEntry, ski string, ...) error
- func SetDomainAttributes(authToken string, urlStart string, de common.DomainEntry, ...) error
- func SetDomainAttributesReq(authToken string, urlStart string, de common.DomainEntry, ...) (string, error)
- func VerifyCertificate(authToken string, urlStart string, de common.DomainEntry, certIndex uint32, ...) error
- func VerifyOA2Certificate(authToken string, urlStart string, de common.DomainEntry, certIndex uint32, ...) error
- func ZeroizeDomain(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) error
- func ZeroizeDomainReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, ...) (string, error)
- type AdminBlk
- type AdminReq
- type AdminRsp
- type AdminRspBlk
- type AdminRspError
- type AlgID
- type AlgIDRSA2048
- type CPRB
- type CertBody
- type CertBodyRSA2048
- type CertVersion
- type Certificate
- type CertificateRSA2048
- type DomainAttributes
- type DomainInfoRspInfo
- type ECSignature
- type Extensions
- type ModAndExp
- type ModuleInfoRspInfo
- type Name
- type Name2
- type Names
- type OA2CertificateX
- type OACertificateX
- type PublicKey
- type PublicKeyECP521
- type PublicKeyRSA2048
- type RecipientInfo2048
- type RspInfo
- type Seq1
- type Seq2
- type SignerInfo
- type TimeRange
- type VerbError
- type VerbErrorStruct
- type XCPReq
- type XCPRsp
Constants ¶
const CEX6P_PUBLIC_KEY_LENGTH = 133
* Length of the public key in the OA certificate for a CEX6P crypto module
const ECC_BRAINPOOL = 0x01
const ECC_PRIME = 0x00
const OA_ECC = 2
const OA_NEW_CERT = 1
const OA_RSA = 0
const XCP_ADMINT_MODE = 4
* Domain operational mode
const XCP_ADMINT_PERMITS = 3
* Domain permissions
const XCP_ADMINT_REVOKE_THR = 2
* Domain revocation signature threshold
const XCP_ADMINT_SIGN_THR = 1
* Domain signature threshold
const XCP_ADMINT_STD = 5
* Domain security standards compliance
const XCP_IMPRKEY_EC_P521 = 3 //@T390301CLH
Request to generate P521 EC importer key
const XCP_IMPRKEY_RSA_2048 = 0 //@T390301CLH
Request to generate 2048-bit RSA importer key
Variables ¶
var A0_TAG byte = 0xA0
var A1_TAG byte = 0xA1
var ASN1_NULL = []byte{
0x05, 0x00,
}
* ASN.1 representation of NULL
var CK_IBM_XCPQ_DOMAIN = []byte{0x00, 0x00, 0x00, 0x03}
* get_xcp_info subtype to retrieve domain information
var CK_IBM_XCPQ_MODULE = []byte{0x00, 0x00, 0x00, 0x01}
* get_xcp_info subtype to retrieve module information
var CMK_STATUS_VALID int = 1
var FNID_ADMIN = []byte{0x00, 0x01, 0x00, 0x29}
* Function ID for m_admin
var FNID_GET_XCP_INFO = []byte{0x00, 0x01, 0x00, 0x26}
* Function ID for get_xcp_info
var MK_STATUS_EMPTY int = 0
var NMK_STATUS_FULL_COMMITTED int = 3
var NMK_STATUS_FULL_UNCOMMITTED int = 2
var OID_aes256_wrap = []byte{
0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2D,
}
* Object identifier for aes256-wrap ( 2 16 840 1 101 3 4 1 45 )
var OID_ecPublicKey = []byte{
0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
}
* Object identifier for ecPublicKey ( 1 2 840 10045 2 1 )
var OID_ecdsaWithSHA512 = []byte{
0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x04,
}
* Object identifier for signature algorithm: ecdsaWithSHA512
var OID_rsaEncryption = []byte{
0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
}
* Object identifier for signature algorithm: rsaEncryption
var OID_sha256 = []byte{
0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
}
* Object identifier for digest algorithm: SHA-256
var OID_sha512 = []byte{
0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
}
#B@T372621CLH * Object identifier for digest algorithm: SHA-512
var OID_stdDH_sha256kdf = []byte{
0x06, 0x06, 0x2B, 0x81, 0x04, 0x01, 0x0B, 0x01,
}
* Object identifier for stdDH-sha156kdf ( 1 3 132 1 11 1 )
var RSAEncryption = []uint{1, 2, 840, 113549, 1, 1, 1} // 1.2.840.113549.1.1.1
var SHA256WithRSAEncryption = []uint{1, 2, 840, 113549, 1, 1, 11} // 1.2.840.113549.1.1.11
var VERSION_3 = []byte{
0x02, 0x01, 0x03,
}
* ASN.1 representation of the integer 3 (to designate version = 3)
var XCP_ADMQ_ADMIN = []byte{0x00, 0x01, 0x00, 0x01}
* Query administrative SKI/certificate
var XCP_ADMQ_ATTRS = []byte{0x00, 0x01, 0x00, 0x09}
* Query card attributes
var XCP_ADMQ_AUDIT_STATE = []byte{0x00, 0x01, 0x00, 0x10}
* Query cloning state
var XCP_ADMQ_CTRLPOINTS = []byte{0x00, 0x01, 0x00, 0x05}
* Query card control points or profile
var XCP_ADMQ_DEVICE_CERT = []byte{0x00, 0x01, 0x00, 0x03}
* Query module CA (OA) certificate
var XCP_ADMQ_DOMADMIN = []byte{0x00, 0x01, 0x00, 0x02}
* Query domain administrative SKI/certificate
var XCP_ADMQ_DOM_ATTRS = []byte{0x00, 0x01, 0x00, 0x0A}
* Query domain attributes
var XCP_ADMQ_DOM_CTRLPOINTS = []byte{0x00, 0x01, 0x00, 0x06}
* Query domain control points or profile
var XCP_ADMQ_FCV = []byte{0x00, 0x01, 0x00, 0x0B}
* Query Function Control Vector
var XCP_ADMQ_IMPORTER_CERT = []byte{0x00, 0x01, 0x00, 0x0F}
* Query current WK importer
var XCP_ADMQ_INTERNAL_STATE = []byte{0x00, 0x01, 0x00, 0x0E}
* Query cloning state
var XCP_ADMQ_NEXT_WK = []byte{0x00, 0x01, 0x00, 0x08}
* Query pending wrapping key
var XCP_ADMQ_RKLIST = []byte{0x00, 0x01, 0x00, 0x0D}
* Query retained keys
var XCP_ADMQ_WK = []byte{0x00, 0x01, 0x00, 0x07}
* Query current wrapping key
var XCP_ADMQ_WK_ORIGINS = []byte{0x00, 0x01, 0x00, 0x0C}
* Query information on original WK
var XCP_ADM_ADMIN_LOGIN = []byte{0x00, 0x00, 0x00, 0x01}
* Add administrator certificate
var XCP_ADM_ADMIN_LOGOUT = []byte{0x00, 0x00, 0x00, 0x03}
* Revoke administrator certificate
var XCP_ADM_ADMIN_REPLACE = []byte{0x00, 0x00, 0x00, 0x05}
* Transition administrator certificate
var XCP_ADM_CLEAR_NEXT_WK = []byte{0x00, 0x00, 0x00, 0x1C}
* Erase pending WK
var XCP_ADM_CLEAR_WK = []byte{0x00, 0x00, 0x00, 0x1B}
* Erase current WK
var XCP_ADM_COMMIT_STATE = []byte{0x00, 0x00, 0x00, 0x20}
* Commit imported state
var XCP_ADM_COMMIT_WK = []byte{0x00, 0x00, 0x00, 0x0D}
* Activate pending WK
var XCP_ADM_CONTROLPOINT_ADD = []byte{0x00, 0x00, 0x00, 0x17}
* Enable control points -- not currently used
var XCP_ADM_CONTROLPOINT_DEL = []byte{0x00, 0x00, 0x00, 0x18}
* Disable control points -- not currently used
var XCP_ADM_CONTROLPOINT_SET = []byte{0x00, 0x00, 0x00, 0x16}
* Fix control points -- not currently used
var XCP_ADM_DOMAINS_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x24}
* Multi-domain zeroize
var XCP_ADM_DOM_ADMIN_LOGIN = []byte{0x00, 0x00, 0x00, 0x02}
* Add domain administrator certificate
var XCP_ADM_DOM_ADMIN_LOGOUT = []byte{0x00, 0x00, 0x00, 0x04}
* Revoke domain administrator certificate
var XCP_ADM_DOM_ADMIN_REPLACE = []byte{0x00, 0x00, 0x00, 0x06}
* Transition domain administrator certificate
var XCP_ADM_DOM_CONTROLPOINT_ADD = []byte{0x00, 0x00, 0x00, 0x12}
* Enable domain control points
var XCP_ADM_DOM_CONTROLPOINT_DEL = []byte{0x00, 0x00, 0x00, 0x13}
* Disable domain control points
var XCP_ADM_DOM_CONTROLPOINT_SET = []byte{0x00, 0x00, 0x00, 0x11}
* Fix domain control points
var XCP_ADM_DOM_SET_ATTR = []byte{0x00, 0x00, 0x00, 0x08}
* Set domain attribute/s
var XCP_ADM_DOM_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x10}
* Release CSPs from domain/s
var XCP_ADM_EXPORT_NEXT_WK = []byte{0x00, 0x00, 0x00, 0x26} //@T390301CLH
* wrap+output next WK or parts
var XCP_ADM_EXPORT_STATE = []byte{0x00, 0x00, 0x00, 0x1E}
* Export state
var XCP_ADM_EXPORT_WK = []byte{0x00, 0x00, 0x00, 0x0B}
* Wrap+output WK or parts
var XCP_ADM_FINALIZE_WK = []byte{0x00, 0x00, 0x00, 0x0E}
* Remove previous WK's
var XCP_ADM_GEN_IMPORTER = []byte{0x00, 0x00, 0x00, 0x09}
* Generate new importer (PK) key
var XCP_ADM_GEN_MODULE_IMPORTER = []byte{0x00, 0x00, 0x00, 0x22}
* Generate module imported key
var XCP_ADM_GEN_WK = []byte{0x00, 0x00, 0x00, 0x0A}
* Create random domain WK
var XCP_ADM_IMPORT_STATE = []byte{0x00, 0x00, 0x00, 0x1F}
* Import state (part)
var XCP_ADM_IMPORT_WK = []byte{0x00, 0x00, 0x00, 0x0C}
* Set (set of) WK (parts) to pending
var XCP_ADM_REENCRYPT = []byte{0x00, 0x00, 0x00, 0x19}
* Transform blobs to next WK -- not used by TKE
var XCP_ADM_REMOVE_STATE = []byte{0x00, 0x00, 0x00, 0x21}
* Remove cloning state
var XCP_ADM_RK_REMOVE = []byte{0x00, 0x00, 0x00, 0x1A}
* Remove (semi-) retained key -- not used by TKE
var XCP_ADM_SET_ATTR = []byte{0x00, 0x00, 0x00, 0x07}
* Set card attribute/s
var XCP_ADM_SET_CLOCK = []byte{0x00, 0x00, 0x00, 0x14}
* Set module-internal UTC time
var XCP_ADM_SET_FCV = []byte{0x00, 0x00, 0x00, 0x15}
* Set function-control vector
var XCP_ADM_SET_TRUSTED = []byte{0x00, 0x00, 0x00, 0x23}
* Set trusted attribute on blob/SPKI
var XCP_ADM_SYSTEM_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x1D}
* Card zeroize, preserving system key, if it is present (i.e. retaining
- the Support Element administrator)
var XCP_ADM_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x0F}
* Release CSPs from entire module
var XCP_DOMAIN_0 = []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
* OCTET STRING representing domain 0 with all zero "instance identifier"
Functions ¶
func AddDomainAdmin ¶
func AddDomainAdmin(authToken string, urlStart string, de common.DomainEntry, cert []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Adds a domain administrator Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain where an administrator is to be added []byte -- certificate containing the public key for the administrator []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func AddDomainAdminReq ¶
func AddDomainAdminReq(authToken string, urlStart string, de common.DomainEntry, cert []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for adding a domain administrator Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose current wrapping key register is to be exported []byte -- certificate containing the public key for the administrator to be added []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: string -- the HTPRequest string with the signed CPRB for the command error -- reports any errors
----------------------------------------------------------------------------
func AddDomainControlPoints ¶
func AddDomainControlPoints(authToken string, urlStart string, de common.DomainEntry, cpsToSet []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Adds domain control points Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose attributes are to be set []byte -- bit mask of control points to be enabled. 16 bytes are expected. []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func AddDomainControlPointsReq ¶
func AddDomainControlPointsReq(authToken string, urlStart string, de common.DomainEntry, cpsToSet []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for adding domain control points
----------------------------------------------------------------------------
func BuildAdminDomainIndex ¶
----------------------------------------------------------------------------
Initializes the administrative domain field of an xcpAdminBlk. The first four bytes contains the domain index. The last four bytes contains the domain instance identifier. For unsigned commands and module-level commands, the domain instance identifier can be all zeros. For signed commands to a domain, the domain instance identifier is filled in later using data returned by the Query Domain Attributes command.
----------------------------------------------------------------------------
func ClearCurrentWK ¶
func ClearCurrentWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Clears the current wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose current wrapping key register is to be cleared []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func ClearCurrentWKReq ¶
func ClearCurrentWKReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for clearing the current wrapping key register
----------------------------------------------------------------------------
func ClearPendingWK ¶
func ClearPendingWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Clears the pending wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose pending wrapping key register is to be cleared []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func ClearPendingWKReq ¶
func ClearPendingWKReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for clearing the pending wrapping key register
----------------------------------------------------------------------------
func CommitPendingWK ¶
func CommitPendingWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Commits the pending wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose pending wrapping key register is to be committed []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func CommitPendingWKReq ¶
func CommitPendingWKReq(authToken string, urlStart string, de common.DomainEntry, vp []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for committing the pending wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose pending wrapping key register is to be committed []byte -- the verification pattern of the pending wrapping key register to be committed []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: string -- the HTPRequest string with the signed CPRB for the command error -- reports any errors
----------------------------------------------------------------------------
func Create2048RSASignerInfoFields ¶
func Create2048RSASignerInfoFields(dataToSign []byte, sigkey string, sigkeySki string, sigkeyToken string) ([][]byte, error)
----------------------------------------------------------------------------
Creates a set of ASN.1 OCTET STRINGS to be made into an ASN.1 sequence that forms the SignerInfo for data signed by a 2048-bit RSA signature key. Inputs: []byte dataToSign -- the data to be signed string sigkey -- identifies the signature key to use string sigkeySki -- Subject Key Identifier for the signature key string sigkeyToken -- authentication token for the signature key Outputs: [][]byte -- a set of ASN.1 OCTET STRINGS that will form SignerInfo containing an RSA signature error -- reports any error encountered
----------------------------------------------------------------------------
func CreateAdminCertP521EC ¶
func CreateAdminCertP521EC(ecKey ecdsa.PrivateKey, adminName string) ([]byte, error)
----------------------------------------------------------------------------
Creates an administrator certificate containing a P521 EC public key. Inputs: ecdsa.PrivateKey ecKey -- the EC private key string adminName -- the administrator name Outputs: []byte -- the administrator certificate error -- reports any error
----------------------------------------------------------------------------
func CreateAdminCertUsingSigningService ¶
func CreateAdminCertUsingSigningService(ssURL string, sigkey string, sigkeyToken string, adminName string) ([]byte, error)
----------------------------------------------------------------------------
Creates an administrator certificate containing a P521 EC public key using a signing service. Inputs: string -- base URL for the signing service string -- identifies the signature key to be used string -- authentication token for the signature key string -- administrator name to be placed in the certificate Outputs: []byte -- an administrator certificate containing the EC public key error -- reports any errors
----------------------------------------------------------------------------
func CreateP521ECSignerInfoFields ¶
func CreateP521ECSignerInfoFields(dataToSign []byte, sigkey string, sigkeySki string, sigkeyToken string) ([][]byte, error)
----------------------------------------------------------------------------
Creates a set of ASN.1 OCTET STRINGS to be made into an ASN.1 sequence that forms the SignerInfo for data signed by a P521 EC signature key. Inputs: []byte dataToSign -- the data to be signed string sigkey -- identifies the signature key to use string sigkeySki -- Subject Key Identifier for the signature key string sigkeyToken -- authentication token for the signature key Outputs: [][]byte -- a set of ASN.1 OCTET STRINGS that will form SignerInfo containing an EC signature error -- reports any error encountered
----------------------------------------------------------------------------
func CreateQueryHTPRequest ¶
----------------------------------------------------------------------------
Creates the HTPRequest string for an unsigned query. For unsigned queries, the administrative domain, the module identifier, and the transaction counter in the xcpAdminReq do not need to be filled in.
----------------------------------------------------------------------------
func CreateRandomWK ¶
func CreateRandomWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (error, []byte)
----------------------------------------------------------------------------
Loads a random value in one of the wrapping key registers. If the current wrapping key register is empty, it is loaded with a random value. If the current wrapping key register is not empty but the pending wrapping key register is empty, the pending wrapping key register is loaded with a random value. If both the current wrapping key register and pending wrapping key register are not empty, an error is returned. Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain where a random value is to be loaded in one of the wrapping key registers []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation []byte -- the verification pattern of the generated master key value
----------------------------------------------------------------------------
func CreateRandomWKReq ¶
func CreateRandomWKReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for loading a random value in one of the wrapping key registers Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain where a random value is to be loaded in one of the wrapping key registers []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: string -- the HTPRequest string with the signed CPRB for the command error -- reports any errors
----------------------------------------------------------------------------
func CreateRecipientInfoP521EC ¶
func CreateRecipientInfoP521EC(publicKey []byte, ukm []byte, ski []byte, encryptedKeyPart []byte) ([]byte, error)
----------------------------------------------------------------------------
Creates the RecipientInfo needed to import a master key part when a P521 EC importer key is used. Inputs: []byte publicKey -- the P521 EC public key (133 bytes) []byte ukm -- user key material, (40 random bytes) []byte ski -- subject key identifier for the P521 EC public key (32 bytes) []byte encryptedKeyPart -- the encrypted key part (40 bytes) Outputs: []byte -- ASN.1 sequence for the RecipientInfo error -- reports any error encountered
----------------------------------------------------------------------------
func CreateSignedHTPRequest ¶
func CreateSignedHTPRequest(authToken string, urlStart string, de common.DomainEntry, adminBlock AdminBlk, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest string for a signed command. For a signed command, the administrative domain, the module identifier, and the transaction counter are determined by issuing a Query Domain Attributes command. The number of signature keys provided indicates the number of signatures that need to be collected for the command.
----------------------------------------------------------------------------
func CreateSignerInfo ¶
func CreateSignerInfo(dataToSign []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) ([]byte, error)
----------------------------------------------------------------------------
Signs the input data using a set of signature keys. A set of concatenated ASN.1 sequences, one for each signature key, is returned. Inputs: []byte dataToSign -- the data to be signed []string sigkeys -- identifies the signature keys to be used []string sigkeySkis -- the Subject Key Identifiers for the signature keys []string sigkeyTokens -- authentication tokens for the signature keys Outputs: []byte -- a set of concatenated ASN.1 structures, one for each signature error -- reports any error encountered
----------------------------------------------------------------------------
func ExportPendingWK ¶
func ExportPendingWK(authToken string, urlStart string, de common.DomainEntry, pfile []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) ([]byte, error)
----------------------------------------------------------------------------
Exports the pending wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose pending wrapping key register is to be exported []byte -- parameter file with format described in section 5.3 ("Serialized module state") of the EP11 wire formats document. Contains inputs to the Export WK command, such as the M policy and KPH certificates to use. []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: []byte -- raw encrypted key parts error -- reports any errors for the operation
----------------------------------------------------------------------------
func ExportPendingWKReq ¶
func ExportPendingWKReq(authToken string, urlStart string, de common.DomainEntry, pfile []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for exporting the pending wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose pending wrapping key register is to be exported []byte -- parameter file with format described in section 5.3 ("Serialized module state") of the EP11 wire formats document. Contains inputs to the Export WK command, such as the M policy and KPH certificates to use. []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: string -- the HTPRequest string with the signed CPRB for the command error -- reports any errors
----------------------------------------------------------------------------
func ExportWK ¶
func ExportWK(authToken string, urlStart string, de common.DomainEntry, pfile []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) ([]byte, error)
----------------------------------------------------------------------------
Exports the current wrapping key register using a single key part A more complicated form of this could be written to support multiple key parts, but for our purposes it isn't necessary. The more complicated version would need to have an array of KPH certificates as input, and specify the M policy (number of key parts needed to reconstruct the key). The output would be a concatenated set of RecipientInfo structures. Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose current wrapping key register is to be exported []byte -- parameter file with format described in section 5.3 ("Serialized module state") of the EP11 wire formats document. Contains inputs to the Export WK command, such as the M policy and KPH certificates to use. []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: []byte -- single RecipientInfo structure containing the encrypted key part error -- reports any errors for the operation
----------------------------------------------------------------------------
func ExportWKParameterFile ¶
----------------------------------------------------------------------------
Construct a parameter file for the Export WK request. Parameter files are described in section 5.3 "Serialized module state" in the EP11 wire formats document. A parameter file is an ASN.1 sequence of octet strings, where the data in each octet string is a two-byte type, followed by a four-byte index, followed by variable length data. The data may be omitted (have zero length). Input: []byte -- KPH certificate to use to encrypt key parts. Can use the same certificate for multiple key parts. Output: []byte -- the parameter file
----------------------------------------------------------------------------
func ExportWKReq ¶
func ExportWKReq(authToken string, urlStart string, de common.DomainEntry, pfile []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for exporting the current wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose current wrapping key register is to be exported []byte -- parameter file with format described in section 5.3 ("Serialized module state") of the EP11 wire formats document. Contains inputs to the Export WK command, such as the M policy and KPH certificates to use. []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: string -- the HTPRequest string with the signed CPRB for the command error -- reports any errors
----------------------------------------------------------------------------
func FinalizeWK ¶
func FinalizeWK(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Finalizes the pending wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose pending wrapping key register is to be finalized []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func FinalizeWKReq ¶
func FinalizeWKReq(authToken string, urlStart string, de common.DomainEntry, vp []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for finalizing the pending wrapping key register Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose pending wrapping key register is to be finalized []byte -- the verification pattern of the pending wrapping key register to be finalized []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: string -- the HTPRequest string with the signed CPRB for the command error -- reports any errors
----------------------------------------------------------------------------
func Generate2048RSAImporterKey ¶
func Generate2048RSAImporterKey(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (rsa.PublicKey, []byte, error)
----------------------------------------------------------------------------
Generates a 2048-bit RSA importer key. Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose attributes are to be set []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: rsa.PublicKey -- the public part of the generated 2048-bit RSA key []byte -- the Subject Key Identifier of the RSA public key error -- reports any errors for the operation
----------------------------------------------------------------------------
func Generate2048RSAImporterKeyResponse ¶
func Generate2048RSAImporterKeyResponse(htpResponse string, de common.DomainEntry) (rsa.PublicKey, []byte, error)
----------------------------------------------------------------------------
Parse a generate importer key response for an RSA 2048 importer key. Returns the RSA public importer key and its SKI, and any error
----------------------------------------------------------------------------
func GenerateImporterKeyRequest ¶
func GenerateImporterKeyRequest(authToken string, urlStart string, de common.DomainEntry, importerKeyType uint32, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for generating a domain importer key
----------------------------------------------------------------------------
func GenerateP521ECImporterKey ¶
func GenerateP521ECImporterKey(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (ecdsa.PublicKey, []byte, error)
----------------------------------------------------------------------------
Generates a P521 EC importer key. Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose attributes are to be set []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: ecdsa.PublicKey -- the public part of the generated P521 EC key []byte -- the Subject Key Identifier of the EC public key error -- reports any errors for the operation
----------------------------------------------------------------------------
func GenerateP521ECImporterKeyResponse ¶
func GenerateP521ECImporterKeyResponse(htpResponse string, de common.DomainEntry) (ecdsa.PublicKey, []byte, error)
----------------------------------------------------------------------------
Parse the response from a generate importer key request when a P521 EC key was requested. Returns the EC public importer key, its SKI, and any error
----------------------------------------------------------------------------
func GetEP11ErrorMsg ¶
----------------------------------------------------------------------------
Returns message text for an error reported by an EP11 crypto module. On TKE, the message type for these errors is "3". The EP11 crypto module does not always supply a reason code. When both a return code and a reason code are supplied, look for the specific pair first. If not found, look for just the return code. If no message is found, returns an empty string.
----------------------------------------------------------------------------
func GetRspPayload ¶
Remove the front part of the HTPResponse (including the CPRB) and just return the payload
func ImportWK ¶
func ImportWK(authToken string, urlStart string, de common.DomainEntry, recipientInfo [][]byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Loads the new wrapping key register. Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose new wrapping key register is to be loaded. [][]byte -- array of recipient info, one entry per key part []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Only one signature is needed for this command. Output: error -- reports any errors for the operation
----------------------------------------------------------------------------
func IncrementTransactionCounter ¶
----------------------------------------------------------------------------
Increments the transaction counter
----------------------------------------------------------------------------
func KPHCert ¶
----------------------------------------------------------------------------
Construct and return a KPH certificate containing the given P521 EC public key using the proprietary TKE format.
----------------------------------------------------------------------------
func NewCPRB ¶
----------------------------------------------------------------------------
Create a CPRB to send to a host system
----------------------------------------------------------------------------
func NewXPNUMRequest ¶
----------------------------------------------------------------------------
Create a HTPRequest specifying the XPNUM rule
----------------------------------------------------------------------------
func QueryDeviceCertificate ¶
func QueryDeviceCertificate(authToken string, urlStart string, de common.DomainEntry, certificateIndex uint32) ([]byte, error)
----------------------------------------------------------------------------
Reads an OA certificate Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the crypto module and domain to be queried certificateIndex -- index into the certificate chain 0 = currently active epoch key, 1 = its parent, etc. Outputs: []byte -- the returned OA certificate error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryDeviceCertificateReq ¶
func QueryDeviceCertificateReq(cryptoModuleIndex int, domainIndex int, certificateIndex uint32) string
----------------------------------------------------------------------------
Creates the HTPRequest to return a specific OA certificate Inputs: cryptoModuleIndex -- identifies the crypto module to be queried domainIndex -- the domain assigned to the user. We know this is a control domain, and it will get past the domain check when the cloud processes the POST /hsms request. certificateIndex -- index into the certificate chain 0 = currently active epoch key, 1 = its parent, etc. Output: string -- hexadecimal string representing the HTPRequest
----------------------------------------------------------------------------
func QueryDomainAdminName ¶
func QueryDomainAdminName(authToken string, urlStart string, de common.DomainEntry, ski []byte) (string, error)
----------------------------------------------------------------------------
Retrieves the name of a domain administrator. Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain to be queried []byte -- Subject Key Identifier of the domain administrator of interest Outputs: string -- name of the domain administrator error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryDomainAdminRsp ¶
func QueryDomainAdminRsp(theRsp string, de common.DomainEntry) (AdminRspBlk, Certificate)
Process the response to a query domain administrator request. This function will return the admin response block plus a certificate containing information about the domain administrator.
func QueryDomainAdmins ¶
----------------------------------------------------------------------------
Queries the domain administrators. Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain to be queried Outputs: [][]byte -- array of Subject Key Identifiers (SKIs), one for each administrator installed in the domain error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryDomainAdminsReq ¶
* Create a query domain administrators request. The aSKI parameter may contain the SKI for an administrator or be nil.
func QueryDomainAttributes ¶
func QueryDomainAttributes(authToken string, urlStart string, de common.DomainEntry) (DomainAttributes, AdminRspBlk, error)
----------------------------------------------------------------------------
Queries the domain attributes Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain to be queried Outputs: DomainAttributes -- structure with the domain attributes AdminRspBlk -- the xcpAdminRspBlk from the query. The Query Domain Attributes command is issued before each signed command to determine the administrative domain, module ID, and transaction counter fields that should be used for the signed command. error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryDomainAttributesReq ¶
----------------------------------------------------------------------------
Creates the HTPRequest for querying domain attributes
----------------------------------------------------------------------------
func QueryDomainControlPoints ¶
func QueryDomainControlPoints(authToken string, urlStart string, de common.DomainEntry) ([]byte, error)
----------------------------------------------------------------------------
Queries the domain control points Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain to be queried Outputs: []byte -- the domain control points (16 bytes long) error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryDomainControlPointsReq ¶
----------------------------------------------------------------------------
Creates the HTPRequest for querying domain control points
----------------------------------------------------------------------------
func QueryDomainInfoRequest ¶
func QueryModuleInfoRequest ¶
----------------------------------------------------------------------------
Creates the HTPRequest for get_xcp_info with a request for module information Inputs: cryptoModuleIndex -- identifies the crypto module to be queried domainIndex -- the domain assigned to the user. We know this is a control domain, and it will get past the domain check when the cloud processes the POST /hsms request. Output: string -- hexadecimal string representing the HTPRequest
----------------------------------------------------------------------------
func QueryNumberDeviceCertificates ¶
func QueryNumberDeviceCertificates(authToken string, urlStart string, de common.DomainEntry) (uint32, error)
----------------------------------------------------------------------------
Returns the number of OA certificates in the OA certificate chain Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the crypto module and domain to be queried Outputs: uint32 -- the number of certificates in the OA certificate chain error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryNumberDeviceCertificatesReq ¶
----------------------------------------------------------------------------
Creates the HTPRequest to return the number of OA certificates in the OA certificate chain Inputs: cryptoModuleIndex -- identifies the crypto module to be queried domainIndex -- the domain assigned to the user. We know this is a control domain, and it will get past the domain check when the cloud processes the POST /hsms request. Output: string -- hexadecimal string representing the HTPRequest
----------------------------------------------------------------------------
func RemoveDomainAdminReq ¶
func RemoveDomainAdminReq(authToken string, urlStart string, de common.DomainEntry, ski []byte, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for removing a domain administrator
----------------------------------------------------------------------------
func RemoveDomainAdministrator ¶
func RemoveDomainAdministrator(authToken string, urlStart string, de common.DomainEntry, ski string, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Removes an administrator Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain with the administrator to be removed string -- the Subject Key Identifier of the administator to be removed []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func SetDomainAttributes ¶
func SetDomainAttributes(authToken string, urlStart string, de common.DomainEntry, newAttributes DomainAttributes, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Sets the domain attributes Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain whose attributes are to be set DomainAttributes -- new set of attributes to be loaded in the domain []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func SetDomainAttributesReq ¶
func SetDomainAttributesReq(authToken string, urlStart string, de common.DomainEntry, newAttributes DomainAttributes, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for setting the domain attributes
----------------------------------------------------------------------------
func VerifyCertificate ¶
func VerifyCertificate(authToken string, urlStart string, de common.DomainEntry, certIndex uint32, aCertificate OACertificateX) error
----------------------------------------------------------------------------
Verifies an OA certificate returned by a CEX5P. Adapted from a method of the same name in com.ibm.tke.model.xcp.XCPCryptoModuleClass Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies a domain assigned to the user. The OA certificate chain for the crypto module containing that domain is to be verified. certIndex -- index of the OA certificate to start with. 0 = currently active epoch key, 1 = its parent, etc. This method calls itself recursively to read and verify the entire OA certificate chain. aCertificate -- the OA certificate to be verified Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func VerifyOA2Certificate ¶
func VerifyOA2Certificate(authToken string, urlStart string, de common.DomainEntry, certIndex uint32, aCertificate OA2CertificateX) error
----------------------------------------------------------------------------
Verifies an OA certificate returned by a CEX6P or CEX7P. Adapted from a method of the same name in com.ibm.tke.model.xcp.XCPCryptoModuleClass Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies a domain assigned to the user. The OA certificate chain for the crypto module containing that domain is to be verified. certIndex -- index of the OA certificate to start with. 0 = currently active epoch key, 1 = its parent, etc. This method calls itself recursively to read and verify the entire OA certificate chain. aCertificate -- the OA certificate to be verified Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func ZeroizeDomain ¶
func ZeroizeDomain(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error
----------------------------------------------------------------------------
Zeroizes the domain Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain to be zeroized []string -- identifies the signature keys to use to sign the command []string -- the Subject Key Identifiers for the signature keys []string -- authentication tokens for the signature keys Outputs: error -- reports any errors for the operation
----------------------------------------------------------------------------
func ZeroizeDomainReq ¶
func ZeroizeDomainReq(authToken string, urlStart string, de common.DomainEntry, sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)
----------------------------------------------------------------------------
Creates the HTPRequest for zeroizing a domain
----------------------------------------------------------------------------
Types ¶
type AdminBlk ¶
type AdminBlk struct { CmdID []byte DomainID []byte ModuleID []byte TransactionCounter []byte CmdInput []byte }
* Represents an EP11 xcpAdminBlk
func BigImportWKRequest ¶
func BigImportWKRequest(domainID []byte, moduleID []byte, transactionCounter []byte, keyPartRequests []byte) AdminBlk
----------------------------------------------------------------------------
Build an import wrapping key request containing all of the inport wrapping requests for each individual key part
----------------------------------------------------------------------------
func ImportWKRequest ¶
func ImportWKRequest(domainID []byte, moduleID []byte, transactionCounter []byte, recipientInfo []byte) AdminBlk
----------------------------------------------------------------------------
Build an import wrapping key request for a single key part
----------------------------------------------------------------------------
type AdminRsp ¶
type AdminRsp struct { CmdID []byte DomainID []byte ReturnCode []byte AdminRspBlk []byte SignerInfo []byte }
* Represents an EP11 xcpAdminRsp (normal case)
type AdminRspBlk ¶
type AdminRspBlk struct { CmdID []byte DomainID []byte ModuleID []byte TransactionCounter []byte ReturnCode []byte CmdOutput []byte }
* Represents an EP11 xcpAdminRspBlk
func ImportWKResponse ¶
func ImportWKResponse(htpResponse string, de common.DomainEntry) (AdminRspBlk, error)
----------------------------------------------------------------------------
Parse an import wrapping key response
----------------------------------------------------------------------------
func QueryDomainAdminsListRsp ¶
func QueryDomainAdminsListRsp(theRsp string, de common.DomainEntry) (AdminRspBlk, [][]byte, error)
* Process the response to a query domain administrators list request. This function will return the admin response block plus an array containing a SKI value for each domain administrator.
func (*AdminRspBlk) GetSerialNumber ¶
func (resp *AdminRspBlk) GetSerialNumber() string
----------------------------------------------------------------------------
Extracts the crypto module serial number from the moduleIdentifier field of an xcpAdminRspBlk.
----------------------------------------------------------------------------
type AdminRspError ¶
* Represents an EP11 xcpAdminRsp (error case)
type AlgIDRSA2048 ¶
type CPRB ¶
type CPRB struct {
// contains filtered or unexported fields
}
* Implements the first 32 bytes of an EP11 CPRB
type CertBody ¶
type CertBody struct { TheVersion CertVersion `asn1:"tag:0"` SerialNumber int Algorithm AlgID TheIssuer Names Validity TimeRange TheSubject Names ThePublicKey PublicKey TheExtensions Extensions `asn1:"tag:3"` }
type CertBodyRSA2048 ¶
type CertBodyRSA2048 struct { TheVersion CertVersion `asn1:"tag:0"` SerialNumber int Algorithm AlgID TheIssuer Names Validity TimeRange TheSubject Names ThePublicKey PublicKeyRSA2048 TheExtensions Extensions `asn1:"tag:3"` }
type CertVersion ¶
type CertVersion struct {
Version int
}
type Certificate ¶
type Certificate struct { TheBody CertBody Algorithm AlgID Signature []byte `asn1:"universal,tag:3"` }
func (Certificate) GetAdminName ¶
func (cert Certificate) GetAdminName() []byte
Get the administrator name out of the certificate
func (Certificate) GetPublicKey ¶
func (cert Certificate) GetPublicKey() []byte
func (Certificate) GetSKI ¶
func (cert Certificate) GetSKI() []byte
func (Certificate) IsTKECertificate ¶
func (cert Certificate) IsTKECertificate() bool
Returns true if the certificate is one associated with TKE operations
type CertificateRSA2048 ¶
type CertificateRSA2048 struct { TheBody CertBodyRSA2048 Algorithm AlgID Signature []byte `asn1:"universal,tag:3"` }
func (*CertificateRSA2048) Initialize ¶
func (cert *CertificateRSA2048) Initialize()
----------------------------------------------------------------------------
Initialize an administrator certificate that will contain a 2048-bit RSA public key. Operates on CertificateRSA2048 (both input and output).
----------------------------------------------------------------------------
func (*CertificateRSA2048) SetAdminName ¶
func (cert *CertificateRSA2048) SetAdminName(newName []byte)
----------------------------------------------------------------------------
Sets the administrator name in an administrator certificate containing a 2048-bit RSA public key. Operates on CertificateRSA2048 (both input and output). Inputs: []byte newName -- the administrator name to be set in the certificate. Can be up to 30 bytes long.
----------------------------------------------------------------------------
func (*CertificateRSA2048) SetPublicKey ¶
func (cert *CertificateRSA2048) SetPublicKey(publicKey []byte)
----------------------------------------------------------------------------
Sets the 2048-bit RSA public key and associated subject key identifier in an administrator certificate. Operates on CertificateRSA2048 (both input and output). Inputs: []byte publicKey -- the RSA public key to be set in the certificate. Actually, just the modulus. The public exponent is assumed to be 65537. Must be 257 bytes long.
----------------------------------------------------------------------------
func (*CertificateRSA2048) SetSignature ¶
func (cert *CertificateRSA2048) SetSignature(rsaKey *rsa.PrivateKey)
----------------------------------------------------------------------------
Sets the signature field in an administrator certificate containing a 2048-bit RSA public key. Operates on CertificateRSA2048 (both input and output). Inputs: rsa.PrivateKey rsaKey -- the RSA private key to use to create the signature.
----------------------------------------------------------------------------
type DomainAttributes ¶
type DomainInfoRspInfo ¶
type DomainInfoRspInfo struct { CurrentMKVP []byte NewMKVP []byte CurrentMKStatus int NewMKStatus int }
func QueryDomainInfo ¶
func QueryDomainInfo(authToken string, urlStart string, de common.DomainEntry) (DomainInfoRspInfo, error)
----------------------------------------------------------------------------
Queries the domain master key register status and verification pattern Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the domain to be queried Outputs: DomainInfoRspInfo -- contains the status and verification patterns of the new and current master key registers error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryDomainInfoRsp ¶
func QueryDomainInfoRsp(theRsp string) (DomainInfoRspInfo, error)
Process the response from get_xcp_info to retrieve domain information.
type ECSignature ¶
* Used to create an ASN.1 sequence representing an EC signature
type Extensions ¶
type Extensions struct {
TheSeq1 Seq1
}
type ModuleInfoRspInfo ¶
type ModuleInfoRspInfo struct { APIOrdinalNumber []byte FirmwareIdentifier []byte APIVersionMajor byte APIVersionMinor byte CSPVersionMajor byte CSPVersionMinor byte FirmwareConfiguration []byte XCPConfiguration []byte SerialNumber []byte // other fields omitted...see section 5.1.1 in XCP wire formats document // for full list SerialNumberString string }
* Output fields from get_xcp_info to retrieve module information
func QueryModuleInfo ¶
func QueryModuleInfo(authToken string, urlStart string, de common.DomainEntry) (ModuleInfoRspInfo, error)
----------------------------------------------------------------------------
Issues get_xcp_info to retrieve module information Inputs: authToken -- the authority token to use for the request urlStart -- the base URL to use for the request DomainEntry -- identifies the crypto module and domain to be queried Outputs: ModuleInfoRspInfo -- returned data from the query error -- reports any errors for the operation
----------------------------------------------------------------------------
func QueryModuleInfoRsp ¶
func QueryModuleInfoRsp(htpResponseString string) (ModuleInfoRspInfo, error)
----------------------------------------------------------------------------
Processes the HTP response from get_xcp_data to retrieve module information. Input: htpResponseString -- HTPResponse string from POST /hsms ModuleInfoRspInfo -- structure containing output fields from the query error -- reports any errors for the operation
----------------------------------------------------------------------------
type OA2CertificateX ¶
type OA2CertificateX struct { Header []byte Info []byte MetaData []byte AuxData []byte Spki []byte SignerInfo []byte HdrMagic byte HdrSpare []byte HdrSectionCount byte HdrByteCount uint32 HdrSectionLengths0 uint32 HdrSectionLengths1 uint32 HdrSectionLengths2 uint32 HdrSectionLengths3 uint32 HdrSectionLengths4 uint32 HdrPadBytes []byte InfoAlgID uint32 InfoPadBytes []byte MetaDataDer1 []byte MetaDataObjVersion uint32 MetaDataDer2 []byte MetaDataRootCA byte MetaDataTrustBits byte MetaDataIssuingSeg byte MetaDataSubjectSeg byte MetaDataDer3 []byte MetaDataAdapterType []byte MetaDataDer4 []byte MetaDataAdapterID []byte MetaDataDer5 []byte MetaDataSourceConfig []byte MetaDataDer6 []byte MetaDataCreationBoot uint32 MetaDataDer7 []byte MetaDataKeyType uint32 MetaDataDer8 []byte MetaDataSubjectSKI []byte MetaDataDer9 []byte MetaDataSignerSKI []byte MetaDataDer10 []byte MetaDataSigningTime []byte MetaDataDer11 []byte MetaDataOAInfo []byte MetaDataPadBytes []byte AuxDataDer1 []byte AuxDataVersion byte AuxDataDer2 []byte AuxDataSegHash []byte AuxDataDer3 []byte AuxDataOwner2 []byte AuxDataDer4 []byte AuxDataOwner3 []byte AuxDataPadBytes []byte SpkiDer1 []byte SpkiOID1 []byte SpkiDer2 []byte SpkiOID2 []byte SpkiDer3 []byte SpkiCompressed byte SpkiXCoordinate []byte SpkiYCoordinate []byte SpkiPadBytes []byte SpkiPublicKey []byte Body []byte // everything except the SignerInfo SignerInfoDer1 []byte SignerInfoVersion byte SignerInfoDer2 []byte SignerInfoSKI []byte SignerInfoDer3 []byte SignerInfoDigestAlgID []byte SignerInfoDer4 []byte SignerInfoSigAlgID []byte SignerInfoDer5 []byte SignerInfoR []byte SignerInfoDer6 []byte SignerInfoS []byte SignerInfoPadByte byte }
func (*OA2CertificateX) Init ¶
func (cert *OA2CertificateX) Init(data []byte) error
----------------------------------------------------------------------------
Initializes an OA2CertificateX structure using data read from a crypto module
----------------------------------------------------------------------------
type OACertificateX ¶
type OACertificateX struct { Header []byte Body []byte PublicKey []byte DescriptorA []byte DescriptorB []byte Signature []byte HeaderIdName byte HeaderIdVersion byte HeaderTData uint32 HeaderVDataOffset uint32 HeaderVDataLen uint32 HeaderVSigOffset uint32 HeaderVSigLen uint32 HeaderTSig uint32 HeaderCkoName []byte HeaderCkoType uint32 HeaderCkoStatus uint32 HeaderParentName []byte BodyIdName byte BodyIdVersion byte BodyTPublic uint32 BodyVPublicOffset uint32 BodyVPublicLen uint32 BodyVDescAOffset uint32 BodyVDescALen uint32 BodyVDescBOffset uint32 BodyVDescBLen uint32 BodyDeviceNameIdName byte BodyDeviceNameIdVersion byte BodyDeviceNameAdapterId []byte BodyCkoName []byte BodyCkoNameNameType uint16 BodyCkoNameIndex uint16 BodyCkoType uint32 BodyParentName []byte BodyParentNameNameType uint16 BodyParentNameIndex uint16 // fields set when the certificate contains an RSA public key PublicKeyType uint32 PublicKeyTokenLength uint32 PublicKeyNBitLength uint32 PublicKeyNLength uint32 PublicKeyELength uint32 PublicKeyNOffset uint32 PublicKeyEOffset uint32 PublicKeyTokenData []byte PublicKeyN []byte PublicKeyE []byte // fields set when the certificate contains an EC public key ECCCurveType uint32 ECCCurveSize uint16 ECCPublicKeyQLen uint16 ECCPublicKeyQ []byte ECCPublicKeyX []byte ECCPublicKeyY []byte // fields set when the certificate contains an EC signature ECCSignatureR []byte ECCSignatureS []byte }
func (*OACertificateX) Init ¶
func (cert *OACertificateX) Init(data []byte) error
----------------------------------------------------------------------------
Initializes an OACertificateX structure using data read from a crypto module
----------------------------------------------------------------------------
type PublicKeyECP521 ¶
#B@T372621CLH
type PublicKeyRSA2048 ¶
type PublicKeyRSA2048 struct { Algorithm AlgIDRSA2048 ThePublicKey []byte `asn1:"universal,tag:3"` }
type RecipientInfo2048 ¶
type RecipientInfo2048 struct { Version int SKI []byte `asn1:"tag:0"` AlgID AlgIDRSA2048 EncryptedKey []byte }
func (*RecipientInfo2048) Initialize ¶
func (info *RecipientInfo2048) Initialize(ski []byte, encrKey []byte)
----------------------------------------------------------------------------
Initializes an RSA 2048 recipient info structure, including the encrypting key's SKI and the encrypted key part.
----------------------------------------------------------------------------
type RspInfo ¶
type RspInfo struct { ErrorType string ReturnCode string ReasonCode string ProgramID string ErrorLocation string ErrorText string }
* Contains error information from the second section of an HTPResponse
func ParseResponse ¶
rsp error type rsp return code rsp reason code ----------------------------------------------------------------------------
Extracts the error information and EP11 response CPRB from an HTPResponse. Only valid for HTPResponses containing an EP11 response CPRB. The HTPResponse string contains three fields, separated by ";". 1. A length field (ignored here) 2. Error information 3. The EP11 response CPRB Inputs: theRsp string -- HTPResponse string from POST /hsms Outputs: RspInfo -- structure containing error information from the HTPResponse string -- the EP11 response CPRB error -- identifies any errors found parsing the HTPResponse
----------------------------------------------------------------------------
type SignerInfo ¶
type SignerInfo struct { Version int SubjectKeyID []byte // 32-byte SKI, without ASN.1 tags or lengths DigestAlgorithmID []byte SignatureAlgorithmID []byte Signature []byte // signature, ECC signatures are represented as an ASN.1 sequence of two INTEGERs SignatureR []byte SignatureS []byte }
* Represents EP11 SignerInfo in xcpAdminRsp with EC OA signature
func DecodeSignerInfo ¶
func DecodeSignerInfo(signerInfoBytes []byte) (SignerInfo, error)
----------------------------------------------------------------------------
Isolates the individual fields of the SignerInfo returned in an xcpAdminRsp. SignerInfo is an ASN.1 sequence but the sequence elements are not all octet strings. asn1.Decode returns with an error when given SignerInfo to process. This function can be called instead of asn1.Decode. Inputs: signerInfoBytes -- the ASN.1 SignerInfo sequence to process Outputs: SignerInfo -- structure with entries for each of the SignerInfo fields error -- identifies any errors found parsing the input sequence
----------------------------------------------------------------------------
type VerbErrorStruct ¶
type VerbErrorStruct struct {
// contains filtered or unexported fields
}
func (*VerbErrorStruct) Error ¶
func (ves *VerbErrorStruct) Error() string
func (*VerbErrorStruct) ReasonCode ¶
func (ves *VerbErrorStruct) ReasonCode() int
func (*VerbErrorStruct) ReturnCode ¶
func (ves *VerbErrorStruct) ReturnCode() int
Source Files ¶
- addDomainAdmin.go
- addDomainControlPoints.go
- adminCertECP521.go
- adminCertRSA2048.go
- clearCurrentWK.go
- clearPendingWK.go
- commitPendingWK.go
- createRandomWK.go
- ep11cprb.go
- exportWK.go
- finalizeWK.go
- generateImporterKey.go
- importWK.go
- oa2CertificateX.go
- oaCertificateX.go
- queryDeviceCertificate.go
- queryDomainAdmins.go
- queryDomainAttributes.go
- queryDomainControlPoints.go
- queryDomainInfo.go
- queryModuleInfo.go
- recipientInfo.go
- removeDomainAdminstrator.go
- setDomainAttributes.go
- signerInfo.go
- tkeHTPErrors.go
- verbError.go
- verifyCertificate.go
- verifyOA2Certificate.go
- zeroizeDomain.go