certlib

package
v0.0.0-...-444b889 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 14, 2023 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddFactFromSignedClaim 

func AddFactFromSignedClaim(signedClaim *certprotos.SignedClaimMessage,
	alreadyProved *certprotos.ProvedStatements) bool

func AddKeySeen 

func AddKeySeen(list *CertSeenList, k *certprotos.KeyMessage) bool

func Asn1ToX509 

func Asn1ToX509(in []byte) *x509.Certificate

func Attest 

func Attest(eType string, toSay []byte) []byte

func AuthenticatedDecrypt 

func AuthenticatedDecrypt(in []byte, key []byte) []byte

func AuthenticatedEncrypt 

func AuthenticatedEncrypt(in []byte, key []byte, iv []byte) []byte

func BytesToUint64 

func BytesToUint64(b []byte) uint64

func CheckTimeRange 

func CheckTimeRange(nb *string, na *string) bool

func CompareTimePoints 

func CompareTimePoints(t1 *certprotos.TimePoint, t2 *certprotos.TimePoint) int

if t1 is later than t2, return 1 if t1 the same as t2, return 0 if t1 is earlier than t2, return -1

func ConstructEnclaveKeySpeaksForMeasurement 

func ConstructEnclaveKeySpeaksForMeasurement(k *certprotos.KeyMessage, m []byte) *certprotos.VseClause

func ConstructGramineClaim 

func ConstructGramineClaim(enclaveKey *certprotos.KeyMessage,
	measurement []byte) *certprotos.VseClause

func ConstructGramineIsEnvironmentClaim 

func ConstructGramineIsEnvironmentClaim(measurement []byte, attestation []byte) *certprotos.VseClause

func ConstructGramineSpeaksForClaim 

func ConstructGramineSpeaksForClaim(enclaveKey *certprotos.KeyMessage,
	env *certprotos.EntityMessage) *certprotos.VseClause

func ConstructIsletSpeaksForMeasurementStatement 

func ConstructIsletSpeaksForMeasurementStatement(attestKey *certprotos.KeyMessage, enclaveKey *certprotos.KeyMessage,
	mEnt *certprotos.EntityMessage) *certprotos.VseClause

attestKey says enclaveKey speaksfor environment

func ConstructKeyForProtect 

func ConstructKeyForProtect(keyName string, keyType string) *certprotos.KeyMessage

func ConstructKeystoneSpeaksForMeasurementStatement 

func ConstructKeystoneSpeaksForMeasurementStatement(attestKey *certprotos.KeyMessage, enclaveKey *certprotos.KeyMessage,
	mEnt *certprotos.EntityMessage) *certprotos.VseClause

attestKey says enclaveKey speaksfor environment

func ConstructOESpeaksForStatement 

func ConstructOESpeaksForStatement(vcertKey *certprotos.KeyMessage, enclaveKey *certprotos.KeyMessage, measurement []byte) *certprotos.VseClause

func ConstructPlatformEvidencePackage 

func ConstructPlatformEvidencePackage(attestingEnclaveType string, evList *certprotos.EvidenceList, serializedAttestation []byte) *certprotos.EvidencePackage

func ConstructProofFromExtendedGramineEvidence 

func ConstructProofFromExtendedGramineEvidence(publicPolicyKey *certprotos.KeyMessage, purpose string,
	alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

Incoming evidence:

  1. Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] is-trusted
  2. Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says Key[rsa, platformKey, cdc8112d97fce6767143811f0ed5fb6c21aee424] is-trusted-for-attestation
  3. Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says Measurement[0001020304050607...] is-trusted
  4. Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says platform has-trusted-platform-property
  5. Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says Key[rsa, platformKey, cdc8112d97fce6767143811f0ed5fb6c21aee424] is-trusted-for-attestation
  6. environment(platform, measurement) is-environment
  7. enclaveKey speaks-for Measurement[00010203...]

Produced proof should be:

  1. Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] is-trusted AND Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says Measurement[0001020304050607...] is-trusted --> Measurement[0001020304050607...] is-trusted
  2. policy-key is-trusted AND policy-key says platform has-trusted-platform-property --> platform has-trusted-platform-property (r3)
  3. environment(platform, measurement) is-environment AND platform[amd-sev-snp, no-debug,...] has-trusted-platform-property --> environment(platform, measurement) environment-platform-is-trusted [3, ]
  4. environment(platform, measurement) is-environment AND measurement is-trusted --> environment(platform, measurement) environment-measurement-is-trusted
  5. environment(platform, measurement) environment-platform-is-trusted" AND environment(platform, measurement) environment-measurement-is-trusted" --> environment(platform, measurement) is-trusted
  6. environment is-trusted and enclaveKey speaks-for environment --> enclaveKey is-trusted-for-authentication

func ConstructProofFromGramineEvidence 

func ConstructProofFromGramineEvidence(publicPolicyKey *certprotos.KeyMessage, purpose string,
	alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

func ConstructProofFromInternalPlatformEvidence 

func ConstructProofFromInternalPlatformEvidence(publicPolicyKey *certprotos.KeyMessage, purpose string, alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

This is used for simulated enclave and the application enclave

func ConstructProofFromIsletEvidence 

func ConstructProofFromIsletEvidence(publicPolicyKey *certprotos.KeyMessage, purpose string,
	alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

func ConstructProofFromKeystoneEvidence 

func ConstructProofFromKeystoneEvidence(publicPolicyKey *certprotos.KeyMessage, purpose string,
	alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

func ConstructProofFromOeEvidence 

func ConstructProofFromOeEvidence(publicPolicyKey *certprotos.KeyMessage, purpose string, alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

func ConstructProofFromOeEvidenceWithEndorsement 

func ConstructProofFromOeEvidenceWithEndorsement(publicPolicyKey *certprotos.KeyMessage, purpose string, alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

func ConstructProofFromOeEvidenceWithoutEndorsement 

func ConstructProofFromOeEvidenceWithoutEndorsement(publicPolicyKey *certprotos.KeyMessage, purpose string, alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

func ConstructProofFromSevPlatformEvidence 

func ConstructProofFromSevPlatformEvidence(publicPolicyKey *certprotos.KeyMessage, purpose string, alreadyProved *certprotos.ProvedStatements) (*certprotos.VseClause, *certprotos.Proof)

func ConstructSevIsEnvironmentStatement 

func ConstructSevIsEnvironmentStatement(vcekKey *certprotos.KeyMessage, binSevAttest []byte) *certprotos.VseClause

vcek says environment is-environment

func ConstructSevSpeaksForEnvironmentStatement 

func ConstructSevSpeaksForEnvironmentStatement(vcekKey *certprotos.KeyMessage, enclaveKey *certprotos.KeyMessage,
	env *certprotos.EntityMessage) *certprotos.VseClause

vcekKey says enclaveKey speaksfor environment

func ConstructVseAttestClaim 

func ConstructVseAttestClaim(attestKey *certprotos.KeyMessage, enclaveKey *certprotos.KeyMessage,
	measurement []byte) *certprotos.VseClause

func ConstructVseAttestationFromCert 

func ConstructVseAttestationFromCert(subjKey *certprotos.KeyMessage, signerKey *certprotos.KeyMessage) *certprotos.VseClause

func DecapsulateData 

func DecapsulateData(ek *certprotos.KeyMessage, edm *certprotos.EncapsulatedDataMessage) []byte

func Decrypt 

func Decrypt(in []byte, key []byte) []byte

func Depad 

func Depad(in []byte) []byte

func Digest 

func Digest(in []byte) [32]byte

func Dominates 

func Dominates(root *PredicateDominance, parent string, descendant string) bool

func EncapsulateData 

func EncapsulateData(ek *certprotos.KeyMessage, alg string, data []byte, edm *certprotos.EncapsulatedDataMessage) bool

func Encrypt 

func Encrypt(in []byte, key []byte, iv []byte) []byte

func FakeRsaSha256Verify 

func FakeRsaSha256Verify(r *rsa.PublicKey, in []byte, sig []byte) bool

func FilterExtendedGraminePolicy 

func FilterExtendedGraminePolicy(policyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool) *certprotos.ProvedStatements

Filtered policy should be 

     Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] is-trusted
     Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says
             Key[rsa, platformKey, cdc8112d97fce6767143811f0ed5fb6c21aee424] is-trusted-for-attestation
     Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says
             Measurement[0001020304050607...] is-trusted
	Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says
         platform has-trusted-platform-property

Filter out irrelevant platforms and measurements

func FilterGraminePolicy 

func FilterGraminePolicy(policyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool) *certprotos.ProvedStatements

Filtered policy should be 

Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] is-trusted
Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says
        Key[rsa, platformKey, cdc8112d97fce6767143811f0ed5fb6c21aee424] is-trusted-for-attestation
Key[rsa, policyKey, d240a7e9489e8adc4eb5261166a0b080f4f5f4d0] says
        Measurement[0001020304050607...] is-trusted

func FilterInternalPolicy 

func FilterInternalPolicy(policyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool) *certprotos.ProvedStatements

Filtered Policy should be 

0: "policyKey is-trusted"
1: "policyKey says platformKey is-trusted-for-attestation"
2: "policyKey says measurement is-trusted"

func FilterIsletPolicy 

func FilterIsletPolicy(policyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool) *certprotos.ProvedStatements

func FilterKeystonePolicy 

func FilterKeystonePolicy(policyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool) *certprotos.ProvedStatements

func FilterOePolicy 

func FilterOePolicy(policyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool) *certprotos.ProvedStatements

Filtered OePolicy should be 

     00: "policyKey is-trusted"
     01: "Key[rsa, policyKey, f2663e9ca042fcd261ab051b3a4e3ac83d79afdd] says
		Key[rsa, VSE, cbfced04cfc0f1f55df8cbe437c3aba79af1657a] is-trusted-for-attestation"
     02: "policyKey says measurement is-trusted"

func FilterSevPolicy 

func FilterSevPolicy(policyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool) *certprotos.ProvedStatements

Filtered Policy should be 

	00 Key[rsa, policyKey, f91d6331b1fd99b3fa8641fd16dcd4c272a92b8a] is-trusted
	01 Key[rsa, policyKey, f91d6331b1fd99b3fa8641fd16dcd4c272a92b8a] says
	Key[rsa, ARKKey, c36d3343d69d9d8000d32d0979adff876e98ec79] is-trusted-for-attestation
	02 Key[rsa, policyKey, f91d6331b1fd99b3fa8641fd16dcd4c272a92b8a] says
     Measurement[010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708] is-trusted
	03 Key[rsa, policyKey, f91d6331b1fd99b3fa8641fd16dcd4c272a92b8a] says
	platform[amd-sev-snp, debug: no, migrate: no, api-major: >=0, api-minor: >=0, key-share: no,
		tcb-version: >=0] has-trusted-platform-property

func FindKeySeen 

func FindKeySeen(list *CertSeenList, name string) *certprotos.KeyMessage

func FindPolicyStoreEntry 

func FindPolicyStoreEntry(ps *certprotos.PolicyStoreMessage, tag string, valueType string) int

func FindProperty 

func FindProperty(propName string, p []*certprotos.Property) *certprotos.Property

func GeneralAuthenticatedDecrypt 

func GeneralAuthenticatedDecrypt(alg string, in []byte, key []byte) []byte

func GeneralAuthenticatedEncrypt 

func GeneralAuthenticatedEncrypt(alg string, in []byte, key []byte, iv []byte) []byte

Todo: implement the others

func GetEccKeysFromInternal 

func GetEccKeysFromInternal(k *certprotos.KeyMessage) (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)

func GetGramineMeasurementFromAttestation 

func GetGramineMeasurementFromAttestation(evBuf []byte) []byte

func GetInternalKeyFromEccPublicKey 

func GetInternalKeyFromEccPublicKey(name string, PK *ecdsa.PublicKey, km *certprotos.KeyMessage) bool

func GetInternalKeyFromRsaPrivateKey 

func GetInternalKeyFromRsaPrivateKey(name string, pK *rsa.PrivateKey, km *certprotos.KeyMessage) bool

func GetInternalKeyFromRsaPublicKey 

func GetInternalKeyFromRsaPublicKey(name string, PK *rsa.PublicKey, km *certprotos.KeyMessage) bool

func GetIsletMeasurementFromAttestation 

func GetIsletMeasurementFromAttestation(evBuf []byte) []byte

func GetIssuerKey 

func GetIssuerKey(cert *x509.Certificate) *certprotos.KeyMessage

func GetIssuerNameFromCert 

func GetIssuerNameFromCert(cert *x509.Certificate) string

func GetKeystoneMeasurementFromAttestation 

func GetKeystoneMeasurementFromAttestation(evBuf []byte) []byte

func GetMeasurement 

func GetMeasurement(eType string, id string) []byte

func GetMeasurementEntityFromSevAttest 

func GetMeasurementEntityFromSevAttest(binSevAttest []byte) *certprotos.EntityMessage

func GetMeasurementFromSevAttest 

func GetMeasurementFromSevAttest(binSevAttest []byte) []byte

func GetOeMeasurementFromAttestation 

func GetOeMeasurementFromAttestation(prevEvidence *certprotos.Evidence,
	curEvidence *certprotos.Evidence) []byte

func GetPlatformAttributesFromGramineAttest 

func GetPlatformAttributesFromGramineAttest(binGramineAttest []byte) (uint16, uint16, []byte, bool, bool)

The returned quantities are sort of described in the Intel Architecure manual in chapter 38 but not in detail. They are: 

qesvm: The quoting enclave security version number (16 bits).
pceSvn: The provisioning enclave security version number (16 bits).
cpuSvn: The cpu security version number (128 bits) which consists of
	"small integers describing the version numbers of compnents".
debug: Whether the enclave is debugable.
mode64bit: Running as x64 (rather than i32).

The last two come from the attributes field.

func GetPlatformFromGramineAttest 

func GetPlatformFromGramineAttest(binAttest []byte) *certprotos.Platform

func GetPlatformFromSevAttest 

func GetPlatformFromSevAttest(binSevAttest []byte) *certprotos.Platform

Policy byte: 

Bit 3: Guest can be activated on multiple sockets.
Bit 2: Debugging disallowed if 0
Bit 1: Migration disallowed if 0
Bit 0: SMT disallowed if 0

func GetRelevantMeasurementPolicy 

func GetRelevantMeasurementPolicy(pool *PolicyPool, evType string,
	evp *certprotos.EvidencePackage) *certprotos.VseClause

Returns the single policy statement naming the relevant measurement policy statement for a this evidence package

func GetRelevantPlatformFeaturePolicy 

func GetRelevantPlatformFeaturePolicy(pool *PolicyPool, evType string,
	evp *certprotos.EvidencePackage) *certprotos.VseClause

Returns the single policy statement naming the relevant trusted-platform policy statement for a this evidence package

func GetRelevantPlatformKeyPolicy 

func GetRelevantPlatformKeyPolicy(pool *PolicyPool, evType string,
	evp *certprotos.EvidencePackage) *certprotos.VseClause

Returns the single policy statement naming the relevant platform key policy statement for a this evidence package

func GetRsaKeysFromInternal 

func GetRsaKeysFromInternal(k *certprotos.KeyMessage, pK *rsa.PrivateKey, PK *rsa.PublicKey) bool

func GetSevMeasurementFromAttestation 

func GetSevMeasurementFromAttestation(evBuf []byte) []byte

func GetSubjectKey 

func GetSubjectKey(cert *x509.Certificate) *certprotos.KeyMessage

func GetSubjectNameFromCert 

func GetSubjectNameFromCert(cert *x509.Certificate) *string

func GetTcbVersionFromSevAttest 

func GetTcbVersionFromSevAttest(binSevAttest []byte) uint64

func GetUserDataHashFromSevAttest 

func GetUserDataHashFromSevAttest(binSevAttest []byte) []byte

Caution: This can change if attestation.h below changes 

struct attestation_report {
  uint32_t    version;                  // 0x000
  uint32_t    guest_svn;                // 0x004
  uint64_t    policy;                   // 0x008
  uint8_t     family_id[16];            // 0x010
  uint8_t     image_id[16];             // 0x020
  uint32_t    vmpl;                     // 0x030
  uint32_t    signature_algo;           // 0x034
  union tcb_version platform_version;   // 0x038
  uint64_t    platform_info;            // 0x040
  uint32_t    flags;                    // 0x048
  uint32_t    reserved0;                // 0x04C
  uint8_t     report_data[64];          // 0x050
  uint8_t     measurement[48];          // 0x090
  uint8_t     host_data[32];            // 0x0C0
  uint8_t     id_key_digest[48];        // 0x0E0
  uint8_t     author_key_digest[48];    // 0x110
  uint8_t     report_id[32];            // 0x140
  uint8_t     report_id_ma[32];         // 0x160
  union tcb_version reported_tcb;       // 0x180
  uint8_t     reserved1[24];            // 0x188
  uint8_t     chip_id[64];              // 0x1A0
  uint8_t     reserved2[192];           // 0x1E0
  struct signature  signature;          // 0x2A0
};

func GetVcekExtValue 

func GetVcekExtValue(ext pkix.Extension) (uint8, error)

func GetVseFromSignedClaim 

func GetVseFromSignedClaim(sc *certprotos.SignedClaimMessage) *certprotos.VseClause

func GetVseMeasurementFromAttestation 

func GetVseMeasurementFromAttestation(evBuf []byte) []byte

func InitAxiom 

func InitAxiom(pk certprotos.KeyMessage, ps *certprotos.ProvedStatements) bool

func InitCerifierRules 

func InitCerifierRules(cr *certprotos.CertifierRules) bool

func InitDominance 

func InitDominance(root *PredicateDominance) bool

func InitPolicy 

func InitPolicy(publicPolicyKey *certprotos.KeyMessage, signedPolicy *certprotos.SignedClaimSequence,
	alreadyProved *certprotos.ProvedStatements) bool

func InitPolicyPool 

func InitPolicyPool(pool *PolicyPool, original *certprotos.ProvedStatements) bool

func InitProvedStatements 

func InitProvedStatements(pk certprotos.KeyMessage, evidenceList []*certprotos.Evidence,
	ps *certprotos.ProvedStatements) bool

func InitSimulatedEnclave 

func InitSimulatedEnclave() bool

func Insert 

func Insert(r *PredicateDominance, parent string, descendant string) bool

func InsertOrUpdatePolicyStoreEntry 

func InsertOrUpdatePolicyStoreEntry(ps *certprotos.PolicyStoreMessage, tag string, valueType string, value []byte) bool

func InternalPublicFromPrivateKey 

func InternalPublicFromPrivateKey(privateKey *certprotos.KeyMessage) *certprotos.KeyMessage

func IsChild 

func IsChild(r *PredicateDominance, descendant string) bool

func KeyFromPemFormat 

func KeyFromPemFormat(pem string) *certprotos.KeyMessage

func LittleToBigEndian 

func LittleToBigEndian(in []byte) []byte

func MakeClaim 

func MakeClaim(serialized []byte, format string, desc string, nb string, na string) *certprotos.ClaimMessage

func MakeEnvironment 

func MakeEnvironment(pl *certprotos.Platform, measurement []byte) *certprotos.Environment

func MakeEnvironmentEntity 

func MakeEnvironmentEntity(e *certprotos.Environment) *certprotos.EntityMessage

func MakeIndirectVseClause 

func MakeIndirectVseClause(subject *certprotos.EntityMessage, verb *string, cl *certprotos.VseClause) *certprotos.VseClause

func MakeKeyEntity 

func MakeKeyEntity(k *certprotos.KeyMessage) *certprotos.EntityMessage

func MakeMeasurementEntity 

func MakeMeasurementEntity(m []byte) *certprotos.EntityMessage

func MakePlatform 

func MakePlatform(t string, k *certprotos.KeyMessage, props *certprotos.Properties) *certprotos.Platform

func MakePlatformEntity 

func MakePlatformEntity(pl *certprotos.Platform) *certprotos.EntityMessage

func MakeProperty 

func MakeProperty(name string, t string, sv *string, c *string, iv *uint64) *certprotos.Property

func MakeRsaKey 

func MakeRsaKey(n int) *rsa.PrivateKey

func MakeSignedClaim 

func MakeSignedClaim(s *certprotos.ClaimMessage, k *certprotos.KeyMessage) *certprotos.SignedClaimMessage

func MakeSimpleVseClause 

func MakeSimpleVseClause(subject *certprotos.EntityMessage, verb *string, object *certprotos.EntityMessage) *certprotos.VseClause

func MakeUnaryVseClause 

func MakeUnaryVseClause(subject *certprotos.EntityMessage, verb *string) *certprotos.VseClause

func MakeVseRsaKey 

func MakeVseRsaKey(n int) *certprotos.KeyMessage

func NewPolicyStore 

func NewPolicyStore(maxEnts int) *certprotos.PolicyStoreMessage

func NewPolicyStoreEntry 

func NewPolicyStoreEntry(tag string, valueType string, value []byte) *certprotos.PolicyStoreEntry

func Pad 

func Pad(in []byte) []byte

func PolicyStoreDeleteEntry 

func PolicyStoreDeleteEntry(ent int)

func PolicyStoreNumEntries 

func PolicyStoreNumEntries(ps *certprotos.PolicyStoreMessage) int

func PrintAttestationUserData 

func PrintAttestationUserData(sr *certprotos.AttestationUserData)

func PrintBytes 

func PrintBytes(b []byte)

func PrintClaim 

func PrintClaim(c *certprotos.ClaimMessage)

func PrintDominanceNode 

func PrintDominanceNode(ind int, node *PredicateDominance)

func PrintDominanceTree 

func PrintDominanceTree(ind int, tree *PredicateDominance)

func PrintEccKey 

func PrintEccKey(e *certprotos.EccMessage)

func PrintEntity 

func PrintEntity(e *certprotos.EntityMessage)

func PrintEntityDescriptor 

func PrintEntityDescriptor(e *certprotos.EntityMessage)

func PrintEnvironment 

func PrintEnvironment(e *certprotos.Environment)

func PrintEnvironmentDescriptor 

func PrintEnvironmentDescriptor(e *certprotos.Environment)

func PrintEvidence 

func PrintEvidence(ev *certprotos.Evidence)

func PrintEvidencePackage 

func PrintEvidencePackage(evp *certprotos.EvidencePackage, printAll bool)

func PrintKey 

func PrintKey(k *certprotos.KeyMessage)

func PrintKeyDescriptor 

func PrintKeyDescriptor(k *certprotos.KeyMessage)

func PrintKeyRequestMessage 

func PrintKeyRequestMessage(kr *certprotos.KeyRequestMessage)

func PrintKeyResponseMessage 

func PrintKeyResponseMessage(kr *certprotos.KeyResponseMessage)

func PrintPlatform 

func PrintPlatform(p *certprotos.Platform)

func PrintPlatformDescriptor 

func PrintPlatformDescriptor(p *certprotos.Platform)

func PrintPolicyStore 

func PrintPolicyStore(ps *certprotos.PolicyStoreMessage)

func PrintPolicyStoreEntry 

func PrintPolicyStoreEntry(e *certprotos.PolicyStoreEntry)

func PrintProof 

func PrintProof(pf *certprotos.Proof)

func PrintProofStep 

func PrintProofStep(prefix string, step *certprotos.ProofStep)

func PrintProperties 

func PrintProperties(p *certprotos.Properties)

func PrintProperty 

func PrintProperty(p *certprotos.Property)

func PrintPropertyDescriptor 

func PrintPropertyDescriptor(p *certprotos.Property)

func PrintProvedStatements 

func PrintProvedStatements(ps *certprotos.ProvedStatements)

func PrintRsaKey 

func PrintRsaKey(r *certprotos.RsaMessage)

func PrintSignedClaim 

func PrintSignedClaim(s *certprotos.SignedClaimMessage)

func PrintSignedReport 

func PrintSignedReport(sr *certprotos.SignedReport)

func PrintTimePoint 

func PrintTimePoint(tp *certprotos.TimePoint)

func PrintTrustReponse 

func PrintTrustReponse(res *certprotos.TrustResponseMessage)

func PrintTrustRequest 

func PrintTrustRequest(req *certprotos.TrustRequestMessage)

func PrintVseAttestationReportInfo 

func PrintVseAttestationReportInfo(info *certprotos.VseAttestationReportInfo)

func PrintVseClause 

func PrintVseClause(c *certprotos.VseClause)

func PrintX509Cert 

func PrintX509Cert(cert *x509.Certificate)

func ProduceAdmissionCert 

func ProduceAdmissionCert(remoteIP string, issuerKey *certprotos.KeyMessage, issuerCert *x509.Certificate,
	subjKey *certprotos.KeyMessage, subjName string, subjOrg string,
	serialNumber uint64, durationSeconds float64) *x509.Certificate

func ProducePlatformRule 

func ProducePlatformRule(issuerKey *certprotos.KeyMessage, issuerCert *x509.Certificate,
	subjKey *certprotos.KeyMessage, durationSeconds float64) []byte

func ProtectBlob 

func ProtectBlob(enclaveType string, k *certprotos.KeyMessage, buffer []byte) []byte

func RecoverPolicyStore 

func RecoverPolicyStore(enclaveType string, fileName string, ps *certprotos.PolicyStoreMessage) bool

func RsaPrivateDecrypt 

func RsaPrivateDecrypt(r *rsa.PrivateKey, in []byte) []byte

func RsaPublicEncrypt 

func RsaPublicEncrypt(r *rsa.PublicKey, in []byte) []byte

func RsaSha256Sign 

func RsaSha256Sign(r *rsa.PrivateKey, in []byte) []byte

func RsaSha256Verify 

func RsaSha256Verify(r *rsa.PublicKey, in []byte, sig []byte) bool

func SameEntity 

func SameEntity(e1 *certprotos.EntityMessage, e2 *certprotos.EntityMessage) bool

func SameEnvironment 

func SameEnvironment(p1 *certprotos.Environment, p2 *certprotos.Environment) bool

func SameKey 

func SameKey(k1 *certprotos.KeyMessage, k2 *certprotos.KeyMessage) bool

func SameMeasurement 

func SameMeasurement(m1 []byte, m2 []byte) bool

func SamePlatform 

func SamePlatform(p1 *certprotos.Platform, p2 *certprotos.Platform) bool

func SamePoint 

func SamePoint(p1 *certprotos.PointMessage, p2 *certprotos.PointMessage) bool

func SameProperties 

func SameProperties(p1 *certprotos.Properties, p2 *certprotos.Properties) bool

func SameProperty 

func SameProperty(p1 *certprotos.Property, p2 *certprotos.Property) bool

func SameVseClause 

func SameVseClause(c1 *certprotos.VseClause, c2 *certprotos.VseClause) bool

func SatisfyingProperties 

func SatisfyingProperties(p1 *certprotos.Properties, p2 *certprotos.Properties) bool

func SatisfyingProperty 

func SatisfyingProperty(p1 *certprotos.Property, p2 *certprotos.Property) bool

func SavePolicyStore 

func SavePolicyStore(enclaveType string, ps *certprotos.PolicyStoreMessage, fileName string) bool

func Seal 

func Seal(eType string, eId string, toSeal []byte) []byte

func SizedSocketRead 

func SizedSocketRead(conn net.Conn) []byte

func SizedSocketWrite 

func SizedSocketWrite(conn net.Conn, b []byte) bool

func Spaces 

func Spaces(i int)

func StatementAlreadyProved 

func StatementAlreadyProved(c1 *certprotos.VseClause, ps *certprotos.ProvedStatements) bool

func StringToTimePoint 

func StringToTimePoint(s string) *certprotos.TimePoint

func StripPemHeaderAndTrailer 

func StripPemHeaderAndTrailer(pem string) *string

func TEEAttest 

func TEEAttest(enclave_type string, what_to_say []byte) ([]byte, error)

func TEESeal 

func TEESeal(enclave_type string, enclave_id string, in []byte, outMax int) ([]byte, error)

func TEESimulatedInit 

func TEESimulatedInit(asn1_policy_cert string, attest_key_file string, measurement_file string, attest_key_signed_claim_file string) error

func TEEUnSeal 

func TEEUnSeal(enclave_type string, enclave_id string, in []byte, outMax int) ([]byte, error)

func TimePointNow 

func TimePointNow() *certprotos.TimePoint

func TimePointPlus 

func TimePointPlus(t *certprotos.TimePoint, d float64) *certprotos.TimePoint

func TimePointToString 

func TimePointToString(tp *certprotos.TimePoint) string

func UnprotectBlob 

func UnprotectBlob(enclaveType string, k *certprotos.KeyMessage, blob []byte) []byte

func Unseal 

func Unseal(eType string, eId string, toUnseal []byte) []byte

func ValidateExtendedGramineEvidence 

func ValidateExtendedGramineEvidence(pubPolicyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool, purpose string) (bool,
	*certprotos.VseClause, []byte)

returns success, toProve, measurement

func ValidateGramineEvidence 

func ValidateGramineEvidence(pubPolicyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool, purpose string) (bool,
	*certprotos.VseClause, []byte)

returns success, toProve, measurement

func ValidateInternalEvidence 

func ValidateInternalEvidence(pubPolicyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool, purpose string) (bool,
	*certprotos.VseClause, []byte)

returns success, toProve, measurement

func ValidateIsletEvidence 

func ValidateIsletEvidence(pubPolicyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool, purpose string) (bool,
	*certprotos.VseClause, []byte)

returns success, toProve, measurement

func ValidateKeystoneEvidence 

func ValidateKeystoneEvidence(pubPolicyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool, purpose string) (bool,
	*certprotos.VseClause, []byte)

returns success, toProve, measurement

func ValidateOeEvidence 

func ValidateOeEvidence(pubPolicyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool, purpose string) (bool,
	*certprotos.VseClause, []byte)

returns success, toProve, measurement

func ValidateSevEvidence 

func ValidateSevEvidence(pubPolicyKey *certprotos.KeyMessage, evp *certprotos.EvidencePackage,
	policyPool *PolicyPool, purpose string) (bool,
	*certprotos.VseClause, []byte)

returns success, toProve, measurement

func VerifyAdmissionCert 

func VerifyAdmissionCert(policyCert *x509.Certificate, cert *x509.Certificate) bool

func VerifyExternalProofStep 

func VerifyExternalProofStep(tree *PredicateDominance, step *certprotos.ProofStep) bool

func VerifyGramineAttestation 

func VerifyGramineAttestation(serializedEvidence []byte) (bool, []byte, []byte, error)

func VerifyInternalProofStep 

func VerifyInternalProofStep(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause,
	c *certprotos.VseClause, rule int) bool

func VerifyIsletAttestation 

func VerifyIsletAttestation(serialized []byte, k *certprotos.KeyMessage) []byte

Returns measurement serialized is the serialized islet_attestation_message

func VerifyKeystoneAttestation 

func VerifyKeystoneAttestation(serialized []byte, k *certprotos.KeyMessage) []byte

Returns measurement serialized is the serialized keystone_attestation_message

func VerifyProof 

func VerifyProof(policyKey *certprotos.KeyMessage, toProve *certprotos.VseClause,
	p *certprotos.Proof, ps *certprotos.ProvedStatements) bool

func VerifyReport 

func VerifyReport(etype string, pk *certprotos.KeyMessage, serialized []byte) bool

func VerifyRule1 

func VerifyRule1(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R1: If measurement is-trusted and key1 speaks-for measurement then key1 is-trusted-for-authentication. R1: If environment is-trusted and key1 speaks-for environment then key1 is-trusted-for-authentication.

func VerifyRule10 

func VerifyRule10(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R10: If environment[platform, measurement] environment-platform-is-trusted AND 

environment[platform, measurement] environment-measurement-is-trusted then
environment[platform, measurement] is-trusted

func VerifyRule11 

func VerifyRule11(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R11: if measurement is-trusted 

 and
	key speaks-for measurement then
 key is-trusted-for-key-provision

func VerifyRule2 

func VerifyRule2(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R2: If key2 speaks-for key1 and key3 speaks-for key2 then key3 speaks-for key1

func VerifyRule3 

func VerifyRule3(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R3: If key1 is-trusted and key1 says X, then X is true

func VerifyRule4 

func VerifyRule4(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R4: If key2 speaks-for key1 and key1 is-trusted then key2 is-trusted

func VerifyRule5 

func VerifyRule5(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R5: If key1 is-trustedXXX and key1 says key2 is-trustedYYY then key2 is-trustedYYY provided is-trustedXXX dominates is-trustedYYY

func VerifyRule6 

func VerifyRule6(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R6: if key1 is-trustedXXX 

 and
	key1 says key2 speaks-for measurement then
	key2 speaks-for measurement provided is-trustedXXX dominates is-trusted-for-attestation
 OR
	key1 says key2 speaks-for environment then key2 speaks-for environment provided is-trustedXXX dominates is-trusted-for-attestation
 OR
	key1 says env is-environment then is-trustedXXX dominates is-trusted-for-attestation

func VerifyRule7 

func VerifyRule7(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R7: If measurement is-trusted and key1 speaks-for measurement then key1 is-trusted-for-attestation OR 

If environment is-trusted and key1 speaks-for environment then key1 is-trusted-for-sttestation

func VerifyRule8 

func VerifyRule8(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R8: If environment[platform, measurement] is-environment AND platform-template 

has-trusted-platform-property then environment[platform, measurement]

func VerifyRule9 

func VerifyRule9(tree *PredicateDominance, c1 *certprotos.VseClause, c2 *certprotos.VseClause, c *certprotos.VseClause) bool

R9: If environment[platform, measurement] is-environment AND measurement is-trusted then 

environment[platform, measurement] environment-measurement is-trusted

func VerifySevAttestation 

func VerifySevAttestation(serialized []byte, k *certprotos.KeyMessage) []byte

Returns measurement serialized is the serialized sev_attestation_message

func VerifySignedAssertion 

func VerifySignedAssertion(scm certprotos.SignedClaimMessage, k *certprotos.KeyMessage, vseClause *certprotos.VseClause) bool

func VerifySignedClaim 

func VerifySignedClaim(c *certprotos.SignedClaimMessage, k *certprotos.KeyMessage) bool

func X509ToAsn1 

func X509ToAsn1(cert *x509.Certificate) []byte

Types

type CertKeysSeen 

type CertKeysSeen struct {
	// contains filtered or unexported fields
}

type CertSeenList 

type CertSeenList struct {
	// contains filtered or unexported fields
}

type PolicyPool 

type PolicyPool struct {
	Initialized bool
	// Contains all the policy statements
	AllPolicy *certprotos.ProvedStatements
	// Contains platform key policy statements
	PlatformKeyPolicy *certprotos.ProvedStatements
	// Contains trusted measurement statements
	MeasurementPolicy *certprotos.ProvedStatements
	// Contains platform features statements
	PlatformFeaturePolicy *certprotos.ProvedStatements
}

type PredicateDominance 

type PredicateDominance struct {
	Predicate  string
	FirstChild *PredicateDominance
	Next       *PredicateDominance
}

func FindNode 

func FindNode(node *PredicateDominance, pred string) *PredicateDominance

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.