trust

package
v0.11.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 19, 2024 License: Apache-2.0 Imports: 15 Imported by: 2

Documentation

Overview

Package trust defines core trust types and values for attestation verification.

Index

Constants

This section is empty.

Variables

View Source 
var (
	// DefaultRootCerts holds AMD's SEV API certificate format for ASK and ARK keys as published here
	// https://download.amd.com/developer/eula/sev/ask_ark_milan.cert
	DefaultRootCerts map[string]*AMDRootCerts
)

Functions

func ClearProductCertCache added in v0.5.0 

func ClearProductCertCache()

ClearProductCertCache clears the product certificate cache. This is useful for testing with multiple roots of trust.

func ParseCert added in v0.7.1 

func ParseCert(cert []byte) (*x509.Certificate, error)

ParseCert returns an X.509 Certificate type for a PEM[CERTIFICATE]- or DER-encoded cert.

Types

type AMDRootCerts 

type AMDRootCerts struct {
	// Product is the expected CPU product line, e.g., Milan, Turin, Genoa.
	//
	// Deprecated: Use ProductLine.
	Product string
	// Product is the expected CPU product line, e.g., Milan, Turin, Genoa.
	ProductLine string
	// ProductCerts contains the root key and signing key devoted to a given product line.
	ProductCerts *ProductCerts
	// AskSev is the AMD certificate representation of the AMD signing key that certifies
	// versioned chip endoresement keys. If present, the information must match AskX509.
	AskSev *abi.AskCert
	// ArkSev is the AMD certificate representation of the self-signed AMD root key that
	// certifies the AMD signing key. If present, the information must match ArkX509.
	ArkSev *abi.AskCert
	// Mu protects concurrent accesses to CRL.
	Mu sync.Mutex
	// CRL is the certificate revocation list for this AMD product. Populated once, only when a
	// revocation is checked.
	CRL *x509.RevocationList
}

AMDRootCerts encapsulates the certificates that represent root of trust in AMD.

func AMDRootCertsProduct added in v0.11.1 

func AMDRootCertsProduct(productLine string) *AMDRootCerts

AMDRootCertsProduct returns a new *AMDRootCerts for a given product line.

func (*AMDRootCerts) Decode added in v0.7.1 

func (r *AMDRootCerts) Decode(ask []byte, ark []byte) error

Decode populates the AMDRootCerts from DER-formatted certificates for both the ASK and the ARK.

func (*AMDRootCerts) FromKDSCert 

func (r *AMDRootCerts) FromKDSCert(path string) error

FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain

func (*AMDRootCerts) FromKDSCertBytes 

func (r *AMDRootCerts) FromKDSCertBytes(data []byte) error

FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain

func (*AMDRootCerts) GetProductLine added in v0.11.1 

func (r *AMDRootCerts) GetProductLine() string

GetProductLine returns the product line the certificate chain is associated with.

func (*AMDRootCerts) Unmarshal 

func (r *AMDRootCerts) Unmarshal(data []byte) error

Unmarshal populates ASK and ARK certificates from AMD SEV format certificates in data.

func (*AMDRootCerts) X509Options 

func (r *AMDRootCerts) X509Options(now time.Time, key abi.ReportSigner) *x509.VerifyOptions

X509Options returns the AS[V]K and ARK as the only intermediate and root certificates of an x509 verification options object, or nil if either key's x509 certificate is not present in r. Choice between ASK and ASVK is determined by key.

type AttestationRecreationErr added in v0.5.0 

type AttestationRecreationErr struct {
	Msg string
}

AttestationRecreationErr represents a problem with fetching or interpreting associated certificates for a given attestation report. This is typically due to network unreliability.

func (*AttestationRecreationErr) Error added in v0.5.0 

func (e *AttestationRecreationErr) Error() string

type HTTPSGetter 

type HTTPSGetter interface {
	Get(url string) ([]byte, error)
}

HTTPSGetter represents the ability to fetch data from the internet from an HTTP URL. Used particularly for fetching certificates.

func DefaultHTTPSGetter added in v0.4.1 

func DefaultHTTPSGetter() HTTPSGetter

DefaultHTTPSGetter returns the library's default getter implementation. It will retry slowly due to the AMD KDS's rate limiting.

type ProductCerts added in v0.5.0 

type ProductCerts struct {
	Ask  *x509.Certificate
	Asvk *x509.Certificate
	Ark  *x509.Certificate
}

ProductCerts contains the root key and signing key devoted to a given product line.

func GetProductChain added in v0.5.0 

func GetProductChain(productLine string, s abi.ReportSigner, getter HTTPSGetter) (*ProductCerts, error)

GetProductChain returns the ASK and ARK certificates of the given product line, either from getter or from a cache of the results from the last successful call.

func (*ProductCerts) Decode added in v0.7.1 

func (r *ProductCerts) Decode(ask []byte, ark []byte) error

Decode populates the ProductCerts from DER-formatted certificates for both the AS[V]K and the ARK.

func (*ProductCerts) FromKDSCert added in v0.5.0 

func (r *ProductCerts) FromKDSCert(path string) error

FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain

func (*ProductCerts) FromKDSCertBytes added in v0.5.0 

func (r *ProductCerts) FromKDSCertBytes(data []byte) error

FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded certificates in data. This is the format the Key Distribution Service (KDS) uses, e.g., https://kdsintf.amd.com/vcek/v1/Milan/cert_chain

func (*ProductCerts) X509Options added in v0.5.0 

func (r *ProductCerts) X509Options(now time.Time, key abi.ReportSigner) *x509.VerifyOptions

X509Options returns the AS[V]K and ARK as the only intermediate and root certificates of an x509 verification options object, or nil if either key's x509 certificate is not present in r. The choice between ASK and ASVK is determined bey key.

type RetryHTTPSGetter added in v0.4.1 

type RetryHTTPSGetter struct {
	// Timeout is how long to retry before failure.
	Timeout time.Duration
	// MaxRetryDelay is the maximum amount of time to wait between retries.
	MaxRetryDelay time.Duration
	// Getter is the non-retrying way of getting a URL.
	Getter HTTPSGetter
}

RetryHTTPSGetter is a meta-HTTPS getter that will retry on failure a given number of times.

func (*RetryHTTPSGetter) Get added in v0.4.1 

func (n *RetryHTTPSGetter) Get(url string) ([]byte, error)

Get fetches the body of the URL, retrying a given amount of times on failure.

type SimpleHTTPSGetter added in v0.4.1 

type SimpleHTTPSGetter struct{}

SimpleHTTPSGetter implements the HTTPSGetter interface with http.Get.

func (*SimpleHTTPSGetter) Get added in v0.4.1 

func (n *SimpleHTTPSGetter) Get(url string) ([]byte, error)

Get uses http.Get to return the HTTPS response body as a byte array.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.