Package ops (v0.0.0-...-5fa9814)

This package is not in the latest version of its module.

Published: May 1, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package ops defines operations for signing and interacting with certificate authorities given the interfaces defined in sign/types.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CertPool

func CertPool(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.CertPool, error)

CertPool returns the Signer's CABundle as an x509.CertPool.

func CertificateX509

func CertificateX509(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.Certificate, error)

CertificateX509 returns the Signer's certificate as an x509.Certificate.

func CreateCertificateFromTemplate

func CreateCertificateFromTemplate(ctx context.Context, req *CertRequest) (*x509.Certificate, error)

CreateCertificateFromTemplate returns a certificate for the given template, signed by the key that the request's Issuer certificate (the parent) describes. The issuer's private key is identified by IssuerKeyVersionName, which is passed to the given Signer instance.

func GoogleCertificate

func GoogleCertificate(ctx context.Context, req *GoogleCertRequest) (*x509.Certificate, error)

GoogleCertificate returns a signed Google-templated certificate with the given serial number for the subject. The certificate's serial number is also set to the subject's serial number, since certificates are not reissued.

func GoogleCertificateTemplate

func GoogleCertificateTemplate(tmpl *GoogleCertTemplate) (*x509.Certificate, error)

GoogleCertificateTemplate returns a Google Cloud Kirkland Engineering certificate template for use in the GCE TCB signing key chain.

func IssuerCertFromBundle

func IssuerCertFromBundle(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.Certificate, error)

IssuerCertFromBundle uses the provided certificate authority instance to parse out the given keyVersionName's issuer certificate.

func NextSigningKeySerial

func NextSigningKeySerial(ctx context.Context) (*big.Int, error)

NextSigningKeySerial returns the current signing key's certificate subject serial number plus one.

func RsaPublicKey

func RsaPublicKey(ctx context.Context, s styp.Signer, keyVersionName string) (*rsa.PublicKey, error)

RsaPublicKey returns s.PublicKey interpreted as an rsa.PublicKey.

func VerifyChain

func VerifyChain(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string, now time.Time) error

VerifyChain returns a nil error if the certificate for keyVersionName verifies against the CABundle at time now.

func VerifySignature

func VerifySignature(_ context.Context, signingKeyCert *x509.Certificate, message, signature []byte) error

VerifySignature returns whether the given signingKeyCert verifies a message's signature.

func VerifySignatureFromCA

func VerifySignatureFromCA(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string, now time.Time, message, signature []byte) error

VerifySignatureFromCA verifies a message's signature against keyVersionName's certificate, as rooted in the given certificate authority at time now.

Types

type CertRequest

type CertRequest struct {
	Issuer               *x509.Certificate
	Template             *x509.Certificate
	IssuerKeyVersionName string
	Signer               styp.Signer
	Random               io.Reader
}

CertRequest represents the required components to mint a certificate from a template, provided the context contains a keys.Context.

type GoogleCertRequest

type GoogleCertRequest struct {
	Template             *GoogleCertTemplate
	IssuerKeyVersionName string
	Signer               styp.Signer
	Random               io.Reader
}

GoogleCertRequest represents a request to sign a Google certificate template.

type GoogleCertTemplate

type GoogleCertTemplate struct {
	// Serial is both the subject serial number and the cert serial number, since we don't recertify
	// the same key and don't want to track cert serial numbers.
	Serial            *big.Int
	PublicKey         any
	Issuer            *x509.Certificate
	NotBefore         time.Time
	SubjectCommonName string
}

GoogleCertTemplate represents the configurable components of an x.509 certificate issued for the purposes of confidential computing TCB endorsement.
