handler

package
v0.0.0-...-4e66fdd
Published: Apr 30, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

README

This package defines the IEvidenceHandler, IEndorsementHandler and IStoreHandler pluggable interfaces and their associated RPC channels. These are used to add new attestation schemes to Veraison services. Additionally, the package defines a couple of wrappers around plugin.RegisterImplementation for registering implementations of these three interfaces.

Documentation

Overview

Copyright 2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0

Copyright 2022-2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2021-2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0

Index

Constants

const (
	EndorsementType_UNSPECIFIED      string = "unspecified"
	EndorsementType_REFERENCE_VALUE  string = "reference value"
	EndorsementType_VERIFICATION_KEY string = "trust anchor"
)

Variables

var EndorsementHandlerRPC = &plugin.RPCChannel[IEndorsementHandler]{
	GetClient: getEndorsementClient,
	GetServer: geEndorsementtServer,
}

var EvidenceHandlerRPC = &plugin.RPCChannel[IEvidenceHandler]{
	GetClient: getClient,
	GetServer: getServer,
}

var StoreHandlerRPC = &plugin.RPCChannel[IStoreHandler]{
	GetClient: getStoreClient,
	GetServer: getStoreServer,
}

Functions

func BadEvidence

func BadEvidence(args ...interface{}) error

BadEvidence creates a new BadEvidenceError instance using the provided args to construct the detail. If no args are specified, the generic detail "invalid" is used. If exactly one argument is specified, it is used as the detail. If more than one argument is specified, the behavior depends on the type of the first argument: when args[0] is a string, a new error is created using fmt.Errorf with args[0] as the format, and that error is used as the detail; otherwise, the entire args slice is used as the detail.

func CreateAttestationResult

func CreateAttestationResult(submodName string) *ear.AttestationResult

func ParseError

func ParseError(err error) error

func RegisterEndorsementHandler

func RegisterEndorsementHandler(i IEndorsementHandler)

func RegisterEvidenceHandler

func RegisterEvidenceHandler(i IEvidenceHandler)

func RegisterStoreHandler

func RegisterStoreHandler(i IStoreHandler)

Types

type AppraiseEvidenceArgs

type AppraiseEvidenceArgs struct {
	Evidence     []byte
	Endorsements []string
}

type BadEvidenceError

type BadEvidenceError struct {
	Detail interface{}
}

BadEvidenceError represents an error due to a problem with the received evidence. IEvidenceHandler implementations should return an instance of this (constructed using BadEvidence() above) if they could not process the provided evidence token.

func (BadEvidenceError) Error

func (o BadEvidenceError) Error() string

func (BadEvidenceError) Is

func (o BadEvidenceError) Is(other error) bool

func (BadEvidenceError) MarshalJSON

func (o BadEvidenceError) MarshalJSON() ([]byte, error)

func (BadEvidenceError) ToString

func (o BadEvidenceError) ToString() string

func (*BadEvidenceError) UnmarshalJSON

func (o *BadEvidenceError) UnmarshalJSON(data []byte) error

func (BadEvidenceError) Unwrap

func (o BadEvidenceError) Unwrap() error
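The argument rules documented for BadEvidence and the BadEvidenceError methods listed above, re-implemented as an added, self-contained example; this is not the handler package's own code, and the "bad evidence: " message prefix, the {"detail": ...} JSON shape and the ClassifyVerifierError helper are assumptions made here for illustration. The helper shows the caller-side point behind the type: a verifier service wants to tell a rejection caused by the submitted token apart from its own internal failures, so that the former maps to a client error and a per-tenant rejection count while the latter is treated as an outage.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// BadEvidenceError mirrors the documented type: a single Detail field.
type BadEvidenceError struct {
	Detail interface{}
}

// Error renders the detail; the "bad evidence: " prefix is an assumption of
// this example, not the package's wording.
func (o BadEvidenceError) Error() string {
	return fmt.Sprintf("bad evidence: %v", o.Detail)
}

// Is matches any BadEvidenceError regardless of Detail, so callers can write
// errors.Is(err, BadEvidenceError{}) to classify an error without inspecting it.
func (o BadEvidenceError) Is(other error) bool {
	_, ok := other.(BadEvidenceError)
	return ok
}

// Unwrap exposes the detail when it is itself an error (the fmt.Errorf case).
func (o BadEvidenceError) Unwrap() error {
	if e, ok := o.Detail.(error); ok {
		return e
	}
	return nil
}

// MarshalJSON flattens an error detail to its message; the {"detail": ...}
// shape is an assumption of this example.
func (o BadEvidenceError) MarshalJSON() ([]byte, error) {
	detail := o.Detail
	if e, ok := detail.(error); ok {
		detail = e.Error()
	}
	return json.Marshal(map[string]interface{}{"detail": detail})
}

// BadEvidence applies the four argument rules from the documentation:
// no args -> "invalid"; one arg -> used verbatim; several args with a string
// first -> fmt.Errorf(format, rest...); otherwise the whole args slice.
func BadEvidence(args ...interface{}) error {
	switch len(args) {
	case 0:
		return BadEvidenceError{Detail: "invalid"}
	case 1:
		return BadEvidenceError{Detail: args[0]}
	}
	if format, ok := args[0].(string); ok {
		return BadEvidenceError{Detail: fmt.Errorf(format, args[1:]...)}
	}
	return BadEvidenceError{Detail: args}
}

// ClassifyVerifierError is a hypothetical caller-side helper (not part of the
// package): evidence rejections are reported as "bad-evidence", anything else
// the handler returns is treated as an "internal" failure of the service.
// Wrapped errors are handled because errors.Is walks the Unwrap chain.
func ClassifyVerifierError(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, BadEvidenceError{}):
		return "bad-evidence"
	default:
		return "internal"
	}
}

func main() {
	// Constructed sample errors, as a handler or its caller might produce them.
	for _, err := range []error{
		nil,
		BadEvidence(),
		BadEvidence("signature does not verify against any of %d trust anchors", 2),
		fmt.Errorf("appraisal: %w", BadEvidence("nonce mismatch")), // wrapped by a caller
		errors.New("endorsement store unreachable"),                 // not evidence-related
	} {
		fmt.Printf("%-13s %v\n", ClassifyVerifierError(err), err)
	}
	out, _ := json.Marshal(BadEvidence("claim %q not allowed", "debug-enabled"))
	fmt.Println(string(out))
}
```

Because Is ignores Detail, a sentinel-free `errors.Is(err, BadEvidenceError{})` is enough to classify; the detail itself is only needed for the response body or the log line.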

type Endorsement

type Endorsement struct {
	Scheme string `json:"scheme"`
	Type   string `json:"type"`

	SubType    string          `json:"subType"`
	Attributes json.RawMessage `json:"attributes"`
}

type EndorsementHandlerParams

type EndorsementHandlerParams map[string]interface{}

EndorsementHandlerParams are passed to IEndorsementHandler.Init(). They are implementation-specific.

type EndorsementHandlerResponse

type EndorsementHandlerResponse struct {
	ReferenceValues []Endorsement
	TrustAnchors    []Endorsement
}

type EndorsementRPCClient

type EndorsementRPCClient struct {
	// contains filtered or unexported fields
}

func (EndorsementRPCClient) Close

func (c EndorsementRPCClient) Close() error

func (EndorsementRPCClient) Decode

func (EndorsementRPCClient) GetAttestationScheme

func (c EndorsementRPCClient) GetAttestationScheme() string

func (EndorsementRPCClient) GetName

func (c EndorsementRPCClient) GetName() string

func (EndorsementRPCClient) GetSupportedMediaTypes

func (c EndorsementRPCClient) GetSupportedMediaTypes() []string

func (EndorsementRPCClient) Init

type EndorsementRPCServer

type EndorsementRPCServer struct {
	Impl IEndorsementHandler
}

func (EndorsementRPCServer) Close

func (s EndorsementRPCServer) Close(unused0 interface{}, unused1 interface{}) error

func (EndorsementRPCServer) Decode

func (s EndorsementRPCServer) Decode(data []byte, resp *[]byte) error

func (*EndorsementRPCServer) GetAttestationScheme

func (s *EndorsementRPCServer) GetAttestationScheme(args interface{}, resp *string) error

func (*EndorsementRPCServer) GetName

func (s *EndorsementRPCServer) GetName(args interface{}, resp *string) error

func (*EndorsementRPCServer) GetSupportedMediaTypes

func (s *EndorsementRPCServer) GetSupportedMediaTypes(args interface{}, resp *[]string) error

func (*EndorsementRPCServer) Init

func (s *EndorsementRPCServer) Init(params EndorsementHandlerParams, unused interface{}) error

type ExtractClaimsArgs

type ExtractClaimsArgs struct {
	Token        []byte
	TrustAnchors []string
}

type GetRefValueIDsArgs

type GetRefValueIDsArgs struct {
	TenantID     string
	TrustAnchors []string
	Claims       []byte
}

type IDecoderManager

type IDecoderManager interface {
	Init(dir string, logger *zap.SugaredLogger) error
	Close() error
	Dispatch(mediaType string, data []byte) (*EndorsementHandlerResponse, error)
	IsSupportedMediaType(mediaType string) bool
	GetSupportedMediaTypes() []string
}

type IEndorsementHandler

type IEndorsementHandler interface {
	plugin.IPluggable

	// Init() initializes the handler.
	Init(params EndorsementHandlerParams) error

	// Close the decoder, finalizing any state it may contain.
	Close() error

	// Decode the endorsements from the provided []byte.
	Decode([]byte) (*EndorsementHandlerResponse, error)
}

IEndorsementHandler defines the interface to functionality for working with attestation scheme specific endorsement provisioning tokens (typically, CoRIMs).

type IEvidenceHandler

type IEvidenceHandler interface {
	plugin.IPluggable

	// ExtractClaims parses the attestation token and returns claims
	// extracted therefrom.
	ExtractClaims(
		token *proto.AttestationToken,
		trustAnchors []string,
	) (map[string]interface{}, error)

	// ValidateEvidenceIntegrity verifies the structural integrity and validity of the
	// token. The exact checks performed are scheme-specific, but they
	// would typically involve, at the least, verifying the token's
	// signature using the provided trust anchors and endorsements. If the
	// validation fails, an error detailing what went wrong is returned.
	// Note: key material required to validate the token would typically be
	//       provisioned as a Trust Anchor. However, depending on the
	//       requirements of the Scheme, it may be provisioned as an
	//       Endorsement instead, or in addition to the Trust Anchor. E.g.,
	//       if the validation is performed via an x.509 cert chain, the
	//       root cert may be provisioned as a Trust Anchor, while
	//       intermediate certs may be provisioned as Endorsements (at a
	//       different point in time, by a different actor).
	// TODO(setrofim): no distinction is currently made between validation
	// failing due to an internal error, and it failing due to bad input
	// (i.e. signature not matching).
	ValidateEvidenceIntegrity(
		token *proto.AttestationToken,
		trustAnchors []string,
		endorsementsStrings []string,
	) error

	// AppraiseEvidence evaluates the specified EvidenceContext against
	// the specified endorsements, and returns an AttestationResult.
	AppraiseEvidence(
		ec *proto.EvidenceContext,
		endorsements []string,
	) (*ear.AttestationResult, error)
}

IEvidenceHandler defines the interface to functionality for working with attestation scheme specific evidence tokens. This includes validating token integrity, extracting and appraising claims.

type IStoreHandler

type IStoreHandler interface {
	plugin.IPluggable

	// GetTrustAnchorIDs returns a slice of trust anchor identifiers used
	// to retrieve the trust anchors associated with this token. The trust
	// anchors may be necessary to validate the entire token and/or extract
	// its claims (if it is encrypted).
	GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)

	// GetRefValueIDs returns a slice of identifiers used to retrieve
	// reference values for an attestation scheme, using the claims
	// extracted from attestation token and the associated trust anchors.
	GetRefValueIDs(
		tenantID string,
		trustAnchors []string,
		claims map[string]interface{},
	) ([]string, error)

	// SynthKeysFromRefValue synthesizes lookup key(s) for the
	// provided reference value endorsement.
	SynthKeysFromRefValue(tenantID string, refVal *Endorsement) ([]string, error)

	// SynthKeysFromTrustAnchor synthesizes lookup key(s) for the provided
	// trust anchor.
	SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) ([]string, error)
}

IStoreHandler defines the interfaces for creating and obtaining keys to access objects in the Veraison storage layer. This includes obtaining Trust Anchor IDs from evidence and synthesizing Reference Value and Trust Anchor keys from endorsements.

type RPCClient

type RPCClient struct {
	// contains filtered or unexported fields
}

func (*RPCClient) AppraiseEvidence

func (s *RPCClient) AppraiseEvidence(ec *proto.EvidenceContext, endorsements []string) (*ear.AttestationResult, error)

func (*RPCClient) ExtractClaims

func (s *RPCClient) ExtractClaims(
	token *proto.AttestationToken,
	trustAnchors []string,
) (map[string]interface{}, error)

func (*RPCClient) ExtractEvidence

func (s *RPCClient) ExtractEvidence(
	token *proto.AttestationToken,
	trustAnchors []string,
) (map[string]interface{}, error)

func (*RPCClient) GetAttestationScheme

func (s *RPCClient) GetAttestationScheme() string

func (*RPCClient) GetName

func (s *RPCClient) GetName() string

func (*RPCClient) GetSupportedMediaTypes

func (s *RPCClient) GetSupportedMediaTypes() []string

func (*RPCClient) ValidateEvidenceIntegrity

func (s *RPCClient) ValidateEvidenceIntegrity(
	token *proto.AttestationToken,
	trustAnchors []string,
	endorsements []string,
) error

type RPCServer

type RPCServer struct {
	Impl IEvidenceHandler
}

func (*RPCServer) AppraiseEvidence

func (s *RPCServer) AppraiseEvidence(args AppraiseEvidenceArgs, resp *[]byte) error

func (*RPCServer) ExtractClaims

func (s *RPCServer) ExtractClaims(args ExtractClaimsArgs, resp *[]byte) error

func (*RPCServer) GetAttestationScheme

func (s *RPCServer) GetAttestationScheme(args interface{}, resp *string) error

func (*RPCServer) GetName

func (s *RPCServer) GetName(args interface{}, resp *string) error

func (*RPCServer) GetSupportedMediaTypes

func (s *RPCServer) GetSupportedMediaTypes(args interface{}, resp *[]string) error

func (*RPCServer) ValidateEvidenceIntegrity

func (s *RPCServer) ValidateEvidenceIntegrity(args ValidateEvidenceIntegrityArgs, resp *[]byte) error

type StoreRPCClient

type StoreRPCClient struct {
	// contains filtered or unexported fields
}

func (StoreRPCClient) Close

func (c StoreRPCClient) Close() error

func (StoreRPCClient) GetAttestationScheme

func (c StoreRPCClient) GetAttestationScheme() string

func (StoreRPCClient) GetName

func (c StoreRPCClient) GetName() string

func (*StoreRPCClient) GetRefValueIDs

func (s *StoreRPCClient) GetRefValueIDs(
	tenantID string,
	trustAnchors []string,
	claims map[string]interface{},
) ([]string, error)

func (StoreRPCClient) GetSupportedMediaTypes

func (c StoreRPCClient) GetSupportedMediaTypes() []string

func (*StoreRPCClient) GetTrustAnchorIDs

func (s *StoreRPCClient) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)

func (*StoreRPCClient) SynthKeysFromRefValue

func (s *StoreRPCClient) SynthKeysFromRefValue(tenantID string, refVal *Endorsement) ([]string, error)

func (*StoreRPCClient) SynthKeysFromTrustAnchor

func (s *StoreRPCClient) SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) ([]string, error)

type StoreRPCServer

type StoreRPCServer struct {
	Impl IStoreHandler
}

func (*StoreRPCServer) GetAttestationScheme

func (s *StoreRPCServer) GetAttestationScheme(args interface{}, resp *string) error

func (*StoreRPCServer) GetName

func (s *StoreRPCServer) GetName(args interface{}, resp *string) error

func (*StoreRPCServer) GetRefValueIDs

func (s *StoreRPCServer) GetRefValueIDs(args GetRefValueIDsArgs, resp *[]string) error

func (*StoreRPCServer) GetSupportedMediaTypes

func (s *StoreRPCServer) GetSupportedMediaTypes(args interface{}, resp *[]string) error

func (*StoreRPCServer) GetTrustAnchorIDs

func (s *StoreRPCServer) GetTrustAnchorIDs(data []byte, resp *[]string) error

func (*StoreRPCServer) SynthKeysFromRefValue

func (s *StoreRPCServer) SynthKeysFromRefValue(args SynthKeysArgs, resp *[]string) error

func (*StoreRPCServer) SynthKeysFromTrustAnchor

func (s *StoreRPCServer) SynthKeysFromTrustAnchor(args SynthKeysArgs, resp *[]string) error

type SynthKeysArgs

type SynthKeysArgs struct {
	TenantID        string
	EndorsementJSON []byte
}

type ValidateEvidenceIntegrityArgs

type ValidateEvidenceIntegrityArgs struct {
	Token        []byte
	TrustAnchors []string
	Endorsements []string
}
