identity-vault: github.com/Lyoncore/identity-vault/service Index | Files

package service

import "github.com/Lyoncore/identity-vault/service"

Index

Package Files

database.go dbkeypairoperator.go handlers.go handlers_app.go handlers_keypairs.go keypairmanager.go keystore.go middleware.go modelmanager.go router.go settingsmanager.go tpm20command.go tpm20keypairoperator.go tpm2manager.go utils.go

Constants

const ModelType = "device"

ModelType is the default type of a model

Variables

var (
    FilesystemStore = KeypairStoreType{"filesystem"}
    DatabaseStore   = KeypairStoreType{"database"}
    TPM20Store      = KeypairStoreType{"tpm2.0"}
)

Understood keypair storage types

var (
    SettingParentContext = "parent"
    SettingKeyContext    = "key"
)

Understood settings codes

var (
    ModeSigning = "signing"
    ModeAdmin   = "admin"
)

Accepted service modes

var (
    ErrorInvalidKeystoreType = errors.New("Invalid keystore type specified")
)

Common error messages.

var ServiceMode string

ServiceMode is whether we are running the user or admin service

func AdminRouter Uses

func AdminRouter(env *Env) *mux.Router

AdminRouter returns the application route handler for administrating the application

func IndexHandler Uses

func IndexHandler(w http.ResponseWriter, r *http.Request)

IndexHandler is the front page of the web application

func KeypairCreateHandler Uses

func KeypairCreateHandler(w http.ResponseWriter, r *http.Request)

KeypairCreateHandler is the API method to create a new keypair that can be used for signing serial assertions. The keypairs are stored in the signing database and the authority-id/key-id is stored in the models database. Models can then be linked to one of the existing signing-keys.

func KeypairDisableHandler Uses

func KeypairDisableHandler(w http.ResponseWriter, r *http.Request)

KeypairDisableHandler disables an existing keypair, which will mean that any linked Models will not be able to be signed. The asserts module does not allow a keypair to be deleted, so the keypair will just be disabled in the local database.

func KeypairEnableHandler Uses

func KeypairEnableHandler(w http.ResponseWriter, r *http.Request)

KeypairEnableHandler enables an existing keypair, which will mean that any linked Models will be able to be signed. The asserts module does not allow a keypair to be deleted, so the keypair will just be enabled in the local database.

func KeypairListHandler Uses

func KeypairListHandler(w http.ResponseWriter, r *http.Request)

KeypairListHandler fetches the available keypairs for display from the database. Only viewable reference data is stored in the database, not the restricted private key.

func Logger Uses

func Logger(start time.Time, r *http.Request)

Logger Handle logging for the web service

func Middleware Uses

func Middleware(inner http.Handler, env *Env) http.Handler

Middleware to pre-process web service requests

func ModelCreateHandler Uses

func ModelCreateHandler(w http.ResponseWriter, r *http.Request)

ModelCreateHandler is the API method to create a new model.

func ModelDeleteHandler Uses

func ModelDeleteHandler(w http.ResponseWriter, r *http.Request)

ModelDeleteHandler is the API method to delete a model.

func ModelGetHandler Uses

func ModelGetHandler(w http.ResponseWriter, r *http.Request)

ModelGetHandler is the API method to get a model by ID.

func ModelUpdateHandler Uses

func ModelUpdateHandler(w http.ResponseWriter, r *http.Request)

ModelUpdateHandler is the API method to update a model.

func ModelsHandler Uses

func ModelsHandler(w http.ResponseWriter, r *http.Request)

ModelsHandler is the API method to list the models

func ParseArgs Uses

func ParseArgs()

ParseArgs checks the command line arguments

func ReadConfig Uses

func ReadConfig(config *ConfigSettings) error

ReadConfig parses the config file

func SignHandler Uses

func SignHandler(w http.ResponseWriter, r *http.Request)

SignHandler is the API method to sign assertions from the device

func SigningRouter Uses

func SigningRouter(env *Env) *mux.Router

SigningRouter returns the application route handler for the user methods

func TPM2InitializeKeystore Uses

func TPM2InitializeKeystore(env Env, command TPM20Command) error

TPM2InitializeKeystore initializes the TPM 2.0 module by taking ownership of the module and generating the key for sealing and unsealing signing keys. The context values provide the TPM 2.0 authentication and these are stored in the database. Main TPM 2.0 operations:

* takeownership
* createprimary

func VersionHandler Uses

func VersionHandler(w http.ResponseWriter, r *http.Request)

VersionHandler is the API method to return the version of the service

type BooleanResponse Uses

type BooleanResponse struct {
    Success      bool   `json:"success"`
    ErrorCode    string `json:"error_code"`
    ErrorSubcode string `json:"error_subcode"`
    ErrorMessage string `json:"message"`
}

BooleanResponse is the JSON response from an API method, indicating success or failure.

type ConfigSettings Uses

type ConfigSettings struct {
    Version        string `yaml:"version"`
    Title          string `yaml:"title"`
               string `yaml:"logo"`
    DocRoot        string `yaml:"docRoot"`
    Driver         string `yaml:"driver"`
    DataSource     string `yaml:"datasource"`
    KeyStoreType   string `yaml:"keystore"`
    KeyStorePath   string `yaml:"keystorePath"`
    KeyStoreSecret string `yaml:"keystoreSecret"`
    Mode           string `yaml:"mode"`
}

ConfigSettings defines the parsed config file settings.

type DB Uses

type DB struct {
    *sql.DB
}

DB local database interface with our custom methods.

func OpenSysDatabase Uses

func OpenSysDatabase(driver, dataSource string) *DB

OpenSysDatabase Return an open database connection

func (*DB) CreateKeypairTable Uses

func (db *DB) CreateKeypairTable() error

CreateKeypairTable creates the database table for a keypair.

func (*DB) CreateModel Uses

func (db *DB) CreateModel(model Model) (Model, string, error)

CreateModel updates the model.

func (*DB) CreateModelTable Uses

func (db *DB) CreateModelTable() error

CreateModelTable creates the database table for a model.

func (*DB) CreateSettingsTable Uses

func (db *DB) CreateSettingsTable() error

CreateSettingsTable creates the database table for a setting.

func (*DB) DeleteModel Uses

func (db *DB) DeleteModel(model Model) (string, error)

DeleteModel deletes a model record.

func (*DB) FindModel Uses

func (db *DB) FindModel(brandID, modelName string, revision int) (Model, error)

FindModel retrieves the model from the database.

func (*DB) GetKeypair Uses

func (db *DB) GetKeypair(keypairID int) (Keypair, error)

GetKeypair fetches a single keypair from the database by ID

func (*DB) GetModel Uses

func (db *DB) GetModel(modelID int) (Model, error)

GetModel retrieves the model from the database by ID.

func (*DB) GetSetting Uses

func (db *DB) GetSetting(code string) (Setting, error)

GetSetting fetches a single setting from the database by code

func (*DB) ListKeypairs Uses

func (db *DB) ListKeypairs() ([]Keypair, error)

ListKeypairs fetches the available keypairs from the database.

func (*DB) ListModels Uses

func (db *DB) ListModels() ([]Model, error)

ListModels fetches the full catalogue of models from the database.

func (*DB) PutKeypair Uses

func (db *DB) PutKeypair(keypair Keypair) (string, error)

PutKeypair stores a keypair in the database

func (*DB) PutSetting Uses

func (db *DB) PutSetting(setting Setting) error

PutSetting stores a setting into the database

func (*DB) UpdateKeypairActive Uses

func (db *DB) UpdateKeypairActive(keypairID int, active bool) error

UpdateKeypairActive sets the active state of a keypair

func (*DB) UpdateModel Uses

func (db *DB) UpdateModel(model Model) (string, error)

UpdateModel updates the model.

type DatabaseKeypairOperator Uses

type DatabaseKeypairOperator struct{}

DatabaseKeypairOperator is the storage container for signing-keys in the database

func (*DatabaseKeypairOperator) ImportKeypair Uses

func (dbStore *DatabaseKeypairOperator) ImportKeypair(authorityID, keyID, base64PrivateKey string) (string, error)

ImportKeypair adds a new signing-key to the database key store. The main operations:

* Use the auth/key-id as the key
* Use HMAC the auth-key
* Use AES symmetric encryption to encrypt the signing-key file
* Encrypt the auth-key and store in the database

func (*DatabaseKeypairOperator) UnsealKeypair Uses

func (dbStore *DatabaseKeypairOperator) UnsealKeypair(authorityID string, keyID string, base64SealedSigningKey string) error

UnsealKeypair unseals a database-stored signing-key and stores it in the memory store

* Decrypt the auth-key
* Decrypt the signing key
* Load into memory store

type Datastore Uses

type Datastore interface {
    ListModels() ([]Model, error)
    FindModel(brandID, modelName string, revision int) (Model, error)
    GetModel(modelID int) (Model, error)
    UpdateModel(model Model) (string, error)
    DeleteModel(model Model) (string, error)
    CreateModel(model Model) (Model, string, error)
    CreateModelTable() error

    ListKeypairs() ([]Keypair, error)
    GetKeypair(keypairID int) (Keypair, error)
    PutKeypair(keypair Keypair) (string, error)
    UpdateKeypairActive(keypairID int, active bool) error
    CreateKeypairTable() error
    CreateSettingsTable() error
    PutSetting(setting Setting) error
    GetSetting(code string) (Setting, error)
}

Datastore interface for the database logic

type DeviceAssertion Uses

type DeviceAssertion struct {
    Type         string `yaml:"type"`
    Brand        string `yaml:"brand-id"`
    Model        string `yaml:"model"`
    SerialNumber string `yaml:"serial"`
    Timestamp    string `yaml:"timestamp"`
    Revision     int    `yaml:"revision"`
    PublicKey    string `yaml:"device-key"`
}

DeviceAssertion defines the device identity.

type Env Uses

type Env struct {
    Config    ConfigSettings
    DB        Datastore
    KeypairDB *KeypairDatabase
}

Env Environment struct that holds the config and data store details.

var Environ *Env

Environ contains the parsed config file settings.

type Keypair Uses

type Keypair struct {
    ID          int
    AuthorityID string
    KeyID       string
    Active      bool
    SealedKey   string
}

Keypair holds the keypair reference details in the local database

type KeypairDatabase Uses

type KeypairDatabase struct {
    KeyStoreType KeypairStoreType
    *asserts.Database
    // contains filtered or unexported fields
}

KeypairDatabase holds the

func GetKeyStore Uses

func GetKeyStore(config ConfigSettings) (*KeypairDatabase, error)

GetKeyStore returns the keystore as defined in the config file

func (*KeypairDatabase) ImportSigningKey Uses

func (kdb *KeypairDatabase) ImportSigningKey(authorityID, base64PrivateKey string) (asserts.PrivateKey, string, error)

ImportSigningKey adds a new signing-key for an authority into the keypair store

func (*KeypairDatabase) SignAssertion Uses

func (kdb *KeypairDatabase) SignAssertion(assertType *asserts.AssertionType, headers map[string]string, body []byte, authorityID string, keyID string, sealedSigningKey string) (asserts.Assertion, error)

SignAssertion signs an assertion using the signing-key from the keypair store

type KeypairOperator Uses

type KeypairOperator interface {
    ImportKeypair(authorityID, keyID, base64PrivateKey string) (string, error)
    UnsealKeypair(authorityID string, keyID string, base64SealedSigningKey string) error
}

KeypairOperator interface used by some keypair stores to seal and unseal signing-keys for storage

type KeypairStore Uses

type KeypairStore interface {
    ImportSigningKey(string, string) (asserts.PrivateKey, string, error)
    SignAssertion(*asserts.AssertionType, map[string]string, []byte, string) (asserts.Assertion, error)
}

KeypairStore interface to wrap the signing-key store interactions for all store types

type KeypairStoreType Uses

type KeypairStoreType struct {
    Name string
}

KeypairStoreType defines the capabilities of a keypair storage method

type KeypairWithPrivateKey Uses

type KeypairWithPrivateKey struct {
    ID          int    `json:"id"`
    AuthorityID string `json:"authority-id"`
    PrivateKey  string `json:"private-key"`
}

KeypairWithPrivateKey is the JSON version of a keypair, including the base64 armored, signing-key

type KeypairsResponse Uses

type KeypairsResponse struct {
    Success      bool      `json:"success"`
    ErrorCode    string    `json:"error_code"`
    ErrorSubcode string    `json:"error_subcode"`
    ErrorMessage string    `json:"message"`
    Keypairs     []Keypair `json:"keypairs"`
}

KeypairsResponse is the JSON response from the API Keypairs method

type Model Uses

type Model struct {
    ID          int
    BrandID     string
    Name        string
    KeypairID   int
    Revision    int
    AuthorityID string // from the keypair
    KeyID       string // from the keypair
    KeyActive   bool   // from the keypair
    SealedKey   string // from the keypair
}

Model holds the model details in the local database

type ModelResponse Uses

type ModelResponse struct {
    Success      bool           `json:"success"`
    ErrorCode    string         `json:"error_code"`
    ErrorSubcode string         `json:"error_subcode"`
    ErrorMessage string         `json:"message"`
    Model        ModelSerialize `json:"model"`
}

ModelResponse is the JSON response from the API Get Model method

type ModelSerialize Uses

type ModelSerialize struct {
    ID          int    `json:"id"`
    BrandID     string `json:"brand-id"`
    Name        string `json:"model"`
    Type        string `json:"type"`
    KeypairID   int    `json:"keypair-id"`
    Revision    int    `json:"revision"`
    AuthorityID string `json:"authority-id"`
    KeyID       string `json:"key-id"`
    KeyActive   bool   `json:"key-active"`
}

ModelSerialize is the JSON version of a model, with the signing key ID

type ModelsResponse Uses

type ModelsResponse struct {
    Success      bool             `json:"success"`
    ErrorCode    string           `json:"error_code"`
    ErrorSubcode string           `json:"error_subcode"`
    ErrorMessage string           `json:"message"`
    Models       []ModelSerialize `json:"models"`
}

ModelsResponse is the JSON response from the API Models method

type Page Uses

type Page struct {
    Title string
      string
}

Page is the page details for the web application

type Setting Uses

type Setting struct {
    ID   int
    Code string
    Data string
}

Setting holds the keypair reference details in the local database

type SignResponse Uses

type SignResponse struct {
    Success      bool   `json:"success"`
    ErrorCode    string `json:"error_code"`
    ErrorSubcode string `json:"error_subcode"`
    ErrorMessage string `json:"message"`
    Signature    string `json:"identity"`
}

SignResponse is the JSON response from the API Sign method

type TPM20Command Uses

type TPM20Command interface {
    // contains filtered or unexported methods
}

TPM20Command is an interface for wrapping the TPM2.0 shell commands

type TPM20KeypairOperator Uses

type TPM20KeypairOperator struct {
    // contains filtered or unexported fields
}

TPM20KeypairOperator is the operator that handles interactions with the TPM2.0 device and signing-keys

func (*TPM20KeypairOperator) ImportKeypair Uses

func (tpmStore *TPM20KeypairOperator) ImportKeypair(authorityID, keyID, base64PrivateKey string) (string, error)

ImportKeypair adds a new signing-key to the TPM2.0 store. The main TPM2.0 operations:

* Use the auth/key-id as the key
* Create an KeyedHash key for context
* Use TPM to HMAC the auth-key (using KeyedHash context)
* Use AES symmetric encryption to encrypt the signing-key file (using Go)
* Encrypt the auth-key and store in the database (using Go)

func (*TPM20KeypairOperator) UnsealKeypair Uses

func (tpmStore *TPM20KeypairOperator) UnsealKeypair(authorityID string, keyID string, base64SealedSigningKey string) error

UnsealKeypair unseals a TPM-sealed signing-key and stores it in the memory store

* Decrypt the auth-key
* Decrypt the signing key
* Load into memory store

type VersionResponse Uses

type VersionResponse struct {
    Version string `json:"version"`
}

VersionResponse is the JSON response from the API Version method

Package service imports 28 packages (graph). Updated 2017-03-14. Refresh now. Tools for package owners.