verify

package
v0.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 16, 2024 License: Apache-2.0 Imports: 24 Imported by: 1

Documentation

Overview

Package verify provides the library functions to verify a TDX quote

Index

Constants

This section is empty.

Variables

View Source 
var (

	// ErrOptionsNil error returned when options parameter is empty
	ErrOptionsNil = errors.New("options parameter is empty")
	// ErrPCKCertChainNil error returned when PCK certificate chain field is empty in quote
	ErrPCKCertChainNil = errors.New("PCK certificate chain is empty")
	// ErrPCKCertChainInvalid error returned when PCK certificate chain has incomplete certificates
	ErrPCKCertChainInvalid = errors.New("incomplete PCK Certificate chain found, should contain 3 concatenated PEM-formatted 'CERTIFICATE'-type block (PCK Leaf Cert||Intermediate CA Cert||Root CA Cert)")
	// ErrRootCertNil error returned when Root CA certificate is empty
	ErrRootCertNil = errors.New("root certificate is empty")
	// ErrPCKCertNil error returned when PCK leaf certificate is empty
	ErrPCKCertNil = errors.New("PCK certificate is empty")
	// ErrIntermediateCertNil error returned when Intermediate CA certificate is empty
	ErrIntermediateCertNil = errors.New("intermediate certificate is empty")
	// ErrCertPubKeyType error returned when certificate public key is not of type ecdsa
	ErrCertPubKeyType = errors.New("certificate public key is not of type ecdsa public key")
	// ErrPublicKeySize error returned when public key bytes are of unexpected size
	ErrPublicKeySize = errors.New("public key is of unexpected size")
	// ErrKeyMismatch error returned when trusted public key is different from root CA certificate's public key
	ErrKeyMismatch = errors.New("root certificate's public key does not match with trusted public key")
	// ErrHashVerificationFail error returned when message digest verification failed using quote's
	ErrHashVerificationFail = errors.New("unable to verify message digest using quote's signature and ecdsa attestation key")
	// ErrSHA56VerificationFail error returned when sha256 verification fails
	ErrSHA56VerificationFail = errors.New("QE Report Data does not match with value of SHA 256 calculated over the concatenation of ECDSA Attestation Key and QE Authenticated Data")
	// ErrPckCertCANil error returned when CA is missing in PCK Certificate
	ErrPckCertCANil = errors.New("could not find CA from PCK certificate")
	// ErrEmptyRootCRLUrl error returned when QE identity issuer's chain root certificate has empty CRL distribution points
	ErrEmptyRootCRLUrl = errors.New("empty url found in QeIdentity issuer's chain which is required to receive ROOT CA CRL")
	// ErrCollateralNil error returned when collaterals are missing
	ErrCollateralNil = errors.New("collateral received is an empty structure")
	// ErrMissingPckCrl error returned when PCK CRL is missing
	ErrMissingPckCrl = errors.New("missing PCK CRL in the collaterals obtained")
	// ErrMissingRootCaCrl error returned when Root CA CRL CRL is missing
	ErrMissingRootCaCrl = errors.New("missing ROOT CA CRL in the collaterals obtained")
	// ErrMissingTcbInfoBody error returned when TCB info body is missing
	ErrMissingTcbInfoBody = errors.New("missing tcbInfo body in the collaterals obtained")
	// ErrMissingEnclaveIdentityBody error returned when Enclave Identity body is missing
	ErrMissingEnclaveIdentityBody = errors.New("missing enclaveIdentity body in the collaterals obtained")
	// ErrTcbInfoNil error returned when tcbInfo response structure is missing
	ErrTcbInfoNil = errors.New("tcbInfo is empty in collaterals")
	// ErrQeIdentityNil error returned when QeIdentity response structure is missing
	ErrQeIdentityNil = errors.New("QeIdentity is empty in collaterals")
	// ErrMissingPCKCrlSigningCert error returned when signing certificate is missing in issuer chain of PCK CRL
	ErrMissingPCKCrlSigningCert = errors.New("missing signing certificate in the issuer chain of PCK CRL")
	// ErrMissingPCKCrlRootCert error returned when root certificate is missing in issuer chain of PCK CRL
	ErrMissingPCKCrlRootCert = errors.New("missing root certificate in the issuer chain of PCK CRL")
	// ErrMissingTcbInfoSigningCert error returned when signing certificate is missing in issuer chain of tcbInfo
	ErrMissingTcbInfoSigningCert = errors.New("missing signing certificate in the issuer chain of tcbInfo")
	// ErrMissingTcbInfoRootCert error returned when root certificate is missing in issuer chain of tcbInfo
	ErrMissingTcbInfoRootCert = errors.New("missing root certificate in the issuer chain of tcbInfo")
	// ErrMissingQeIdentitySigningCert error returned when signing certificate is missing in issuer chain of QeIdentity
	ErrMissingQeIdentitySigningCert = errors.New("missing signing certificate in the issuer chain of QeIdentity")
	// ErrMissingQeIdentityRootCert error returned when root certificate is missing in issuer chain of QeIdentity
	ErrMissingQeIdentityRootCert = errors.New("missing root certificate in the issuer chain of QeIdentity")
	// ErrRootCaCrlExpired error returned when Root CA CRL is expired
	ErrRootCaCrlExpired = errors.New("root CA CRL has expired")
	// ErrPCKCrlExpired error returned when PCK CRL is expired
	ErrPCKCrlExpired = errors.New("PCK CRL has expired")
	// ErrTcbInfoExpired error returned when tcbInfo response is expired
	ErrTcbInfoExpired = errors.New("tcbInfo has expired")
	// ErrQeIdentityExpired error returned when QeIdentity response is expired
	ErrQeIdentityExpired = errors.New("QeIdentity has expired")
	// ErrPCKCrlSigningCertExpired error returned when PCK CRL signing certificate is expired
	ErrPCKCrlSigningCertExpired = errors.New("PCK CRL signing certificate has expired")
	// ErrPCKCrlRootCertExpired error returned when PCK CRL root certificate is expired
	ErrPCKCrlRootCertExpired = errors.New("PCK CRL root certificate has expired")
	// ErrTcbInfoSigningCertExpired error returned when tcbInfo signing certificate is expired
	ErrTcbInfoSigningCertExpired = errors.New("tcbInfo signing certificate has expired")
	// ErrTcbInfoRootCertExpired error returned when tcbInfo root certificate is expired
	ErrTcbInfoRootCertExpired = errors.New("tcbInfo root certificate has expired")
	// ErrQeIdentitySigningCertExpired error returned when QeIdentity signing certificate is expired
	ErrQeIdentitySigningCertExpired = errors.New("QeIdentity signing certificate has expired")
	// ErrQeIdentityRootCertExpired error returned when QeIdentity root certificate is expired
	ErrQeIdentityRootCertExpired = errors.New("QeIdentity root certificate has expired")
	// ErrCrlEmpty error returned when Certificate Revocation list is empty
	ErrCrlEmpty = errors.New("CRL is empty")
	// ErrTrustedCertEmpty error returned when no trusted certificate is provided for verification
	ErrTrustedCertEmpty = errors.New("trusted certificate is empty")
	// ErrRevocationCheckFailed error returned when CheckRevocations parameter is set to true and GetCollateral is set to false
	ErrRevocationCheckFailed = errors.New("unable to check for certificate revocation as GetCollateral parameter in the options is set to false")
	// ErrTcbInfoTcbLevelsMissing error returned when TCBLevels array in TCB info is of length 0
	ErrTcbInfoTcbLevelsMissing = errors.New("tcbInfo contains empty TcbLevels")
	// ErrQeIdentityTcbLevelsMissing error returned when TCBLevels array in QE Identity is of length 0
	ErrQeIdentityTcbLevelsMissing = errors.New("QeIdentity contains empty TcbLevels")
	// ErrPckLeafCertExpired error returned when PCK Leaf certificate has expired
	ErrPckLeafCertExpired = errors.New("PCK leaf certificate in PCK certificate chain has expired")
	// ErrRootCaCertExpired error returned when Root CA certificate has expired
	ErrRootCaCertExpired = errors.New("root CA certificate in PCK certificate chain has expired")
	// ErrIntermediateCaCertExpired error returned when Intermediate CA certificate has expired
	ErrIntermediateCaCertExpired = errors.New("intermediate CA certificate in PCK certificate chain has expired")
	// ErrTcbStatus error returned when TCB status is out of date
	ErrTcbStatus = errors.New("unable to find latest status of TCB, it is now OutOfDate")
	// ErrCertNil error returned when certificate is not provided
	ErrCertNil = errors.New("certificate is nil")
	// ErrParentCertNil error returned when parent certificate is not provided
	ErrParentCertNil = errors.New("parent certificate is nil")
)

Functions

func RawTdxQuote added in v0.2.1 

func RawTdxQuote(raw []byte, options *Options) error

RawTdxQuote verifies the raw bytes representation of an attestation quote

func TdxQuote added in v0.2.1 

func TdxQuote(quote any, options *Options) error

TdxQuote verifies the protobuf representation of an attestation quote's signature based on the quote's SignatureAlgo, provided the certificate chain is valid for formats - QuoteV4.

Types

type CRLUnavailableErr 

type CRLUnavailableErr struct {
	// contains filtered or unexported fields
}

CRLUnavailableErr represents a problem with fetching the CRL from the network. This type is special to allow for easy "fail open" semantics for CRL unavailability. See Adam Langley's write-up on CRLs and network unreliability https://www.imperialviolet.org/2014/04/19/revchecking.html

type Collateral 

type Collateral struct {
	PckCrlIssuerIntermediateCertificate     *x509.Certificate
	PckCrlIssuerRootCertificate             *x509.Certificate
	PckCrl                                  *x509.RevocationList
	TcbInfoIssuerIntermediateCertificate    *x509.Certificate
	TcbInfoIssuerRootCertificate            *x509.Certificate
	TdxTcbInfo                              pcs.TdxTcbInfo
	TcbInfoBody                             []byte
	QeIdentityIssuerIntermediateCertificate *x509.Certificate
	QeIdentityIssuerRootCertificate         *x509.Certificate
	QeIdentity                              pcs.QeIdentity
	EnclaveIdentityBody                     []byte
	RootCaCrl                               *x509.RevocationList
}

Collateral contains information received from Intel PCS API service

type Options 

type Options struct {
	// CheckRevocations set to true if the verifier should retrieve the CRL from the network and check
	// if the PCK certificate chain have been revoked.
	CheckRevocations bool
	// GetCollateral set to true if the verifier should retrieve the collaterals from the network using PCS.
	GetCollateral bool
	// Getter takes a URL and returns the body of its contents. By default uses http.Get and returns the header and body
	Getter trust.HTTPSGetter
	// Now is the time at which to verify the validity of certificates and collaterals. If unset, uses time.Now().
	Now time.Time
	// TrustedRoots specifies the root CertPool to trust when verifying PCK certificate chain.
	// If nil, embedded certificate will be used
	TrustedRoots *x509.CertPool
	// contains filtered or unexported fields
}

Options represents verification options for a TDX attestation quote.

func DefaultOptions added in v0.1.1 

func DefaultOptions() *Options

DefaultOptions returns a useful default verification option setting

func RootOfTrustToOptions added in v0.3.0 

func RootOfTrustToOptions(rot *ccpb.RootOfTrust) (*Options, error)

RootOfTrustToOptions translates the RootOfTrust message into the Options type needed for driving an attestation verification.

type PCKCertificateChain 

type PCKCertificateChain struct {
	PCKCertificate          *x509.Certificate // PCK Leaf certificate
	RootCertificate         *x509.Certificate // Root CA certificate
	IntermediateCertificate *x509.Certificate // Intermediate CA certificate
}

PCKCertificateChain contains certificate chains

Source Files

View all Source files

Directories

Path Synopsis
Package trust defines core trust types and values for attestation verification.
 Package trust defines core trust types and values for attestation verification.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.