Documentation ¶
Overview ¶
Package verify provides the library functions to verify a TDX quote
Index ¶
Constants ¶
This section is empty.
Variables ¶
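// Sentinel errors returned by the verify package. Callers should compare
// against them with errors.Is rather than matching on the message text.
var (
	// ErrOptionsNil is returned when the options parameter is empty.
	ErrOptionsNil = errors.New("options parameter is empty")
	// ErrPCKCertChainNil is returned when the PCK certificate chain field is empty in the quote.
	ErrPCKCertChainNil = errors.New("PCK certificate chain is empty")
	// ErrPCKCertChainInvalid is returned when the PCK certificate chain does not
	// contain all three expected certificates (leaf, intermediate CA, root CA).
	ErrPCKCertChainInvalid = errors.New("incomplete PCK Certificate chain found, should contain 3 concatenated PEM-formatted 'CERTIFICATE'-type block (PCK Leaf Cert||Intermediate CA Cert||Root CA Cert)")
	// ErrRootCertNil is returned when the Root CA certificate is empty.
	ErrRootCertNil = errors.New("root certificate is empty")
	// ErrPCKCertNil is returned when the PCK leaf certificate is empty.
	ErrPCKCertNil = errors.New("PCK certificate is empty")
	// ErrIntermediateCertNil is returned when the Intermediate CA certificate is empty.
	ErrIntermediateCertNil = errors.New("intermediate certificate is empty")
	// ErrCertPubKeyType is returned when a certificate's public key is not an ECDSA key.
	ErrCertPubKeyType = errors.New("certificate public key is not of type ecdsa public key")
	// ErrPublicKeySize is returned when the public key bytes are of unexpected size.
	ErrPublicKeySize = errors.New("public key is of unexpected size")
	// ErrKeyMismatch is returned when the trusted public key differs from the
	// root CA certificate's public key.
	ErrKeyMismatch = errors.New("root certificate's public key does not match with trusted public key")
	// ErrHashVerificationFail is returned when the message digest cannot be
	// verified using the quote's signature and ECDSA attestation key.
	ErrHashVerificationFail = errors.New("unable to verify message digest using quote's signature and ecdsa attestation key")
	// ErrSHA56VerificationFail is returned when the QE Report Data does not match
	// the SHA-256 computed over the ECDSA attestation key concatenated with the
	// QE authenticated data. The identifier spells "SHA56"; it is part of the
	// exported API and is kept as is.
	ErrSHA56VerificationFail = errors.New("QE Report Data does not match with value of SHA 256 calculated over the concatenation of ECDSA Attestation Key and QE Authenticated Data")
	// ErrPckCertCANil is returned when the CA is missing in the PCK certificate.
	ErrPckCertCANil = errors.New("could not find CA from PCK certificate")
	// ErrEmptyRootCRLUrl is returned when the root certificate of the QE identity
	// issuer's chain has empty CRL distribution points.
	ErrEmptyRootCRLUrl = errors.New("empty url found in QeIdentity issuer's chain which is required to receive ROOT CA CRL")
	// ErrCollateralNil is returned when the collaterals are missing.
	ErrCollateralNil = errors.New("collateral received is an empty structure")
	// ErrMissingPckCrl is returned when the PCK CRL is missing.
	ErrMissingPckCrl = errors.New("missing PCK CRL in the collaterals obtained")
	// ErrMissingRootCaCrl is returned when the Root CA CRL is missing.
	ErrMissingRootCaCrl = errors.New("missing ROOT CA CRL in the collaterals obtained")
	// ErrMissingTcbInfoBody is returned when the TCB info body is missing.
	ErrMissingTcbInfoBody = errors.New("missing tcbInfo body in the collaterals obtained")
	// ErrMissingEnclaveIdentityBody is returned when the Enclave Identity body is missing.
	ErrMissingEnclaveIdentityBody = errors.New("missing enclaveIdentity body in the collaterals obtained")
	// ErrTcbInfoNil is returned when the tcbInfo response structure is missing.
	ErrTcbInfoNil = errors.New("tcbInfo is empty in collaterals")
	// ErrQeIdentityNil is returned when the QeIdentity response structure is missing.
	ErrQeIdentityNil = errors.New("QeIdentity is empty in collaterals")
	// ErrMissingPCKCrlSigningCert is returned when the signing certificate is
	// missing in the issuer chain of the PCK CRL.
	ErrMissingPCKCrlSigningCert = errors.New("missing signing certificate in the issuer chain of PCK CRL")
	// ErrMissingPCKCrlRootCert is returned when the root certificate is missing
	// in the issuer chain of the PCK CRL.
	ErrMissingPCKCrlRootCert = errors.New("missing root certificate in the issuer chain of PCK CRL")
	// ErrMissingTcbInfoSigningCert is returned when the signing certificate is
	// missing in the issuer chain of tcbInfo.
	ErrMissingTcbInfoSigningCert = errors.New("missing signing certificate in the issuer chain of tcbInfo")
	// ErrMissingTcbInfoRootCert is returned when the root certificate is missing
	// in the issuer chain of tcbInfo.
	ErrMissingTcbInfoRootCert = errors.New("missing root certificate in the issuer chain of tcbInfo")
	// ErrMissingQeIdentitySigningCert is returned when the signing certificate is
	// missing in the issuer chain of QeIdentity.
	ErrMissingQeIdentitySigningCert = errors.New("missing signing certificate in the issuer chain of QeIdentity")
	// ErrMissingQeIdentityRootCert is returned when the root certificate is
	// missing in the issuer chain of QeIdentity.
	ErrMissingQeIdentityRootCert = errors.New("missing root certificate in the issuer chain of QeIdentity")
	// ErrRootCaCrlExpired is returned when the Root CA CRL has expired.
	ErrRootCaCrlExpired = errors.New("root CA CRL has expired")
	// ErrPCKCrlExpired is returned when the PCK CRL has expired.
	ErrPCKCrlExpired = errors.New("PCK CRL has expired")
	// ErrTcbInfoExpired is returned when the tcbInfo response has expired.
	ErrTcbInfoExpired = errors.New("tcbInfo has expired")
	// ErrQeIdentityExpired is returned when the QeIdentity response has expired.
	ErrQeIdentityExpired = errors.New("QeIdentity has expired")
	// ErrPCKCrlSigningCertExpired is returned when the PCK CRL signing certificate has expired.
	ErrPCKCrlSigningCertExpired = errors.New("PCK CRL signing certificate has expired")
	// ErrPCKCrlRootCertExpired is returned when the PCK CRL root certificate has expired.
	ErrPCKCrlRootCertExpired = errors.New("PCK CRL root certificate has expired")
	// ErrTcbInfoSigningCertExpired is returned when the tcbInfo signing certificate has expired.
	ErrTcbInfoSigningCertExpired = errors.New("tcbInfo signing certificate has expired")
	// ErrTcbInfoRootCertExpired is returned when the tcbInfo root certificate has expired.
	ErrTcbInfoRootCertExpired = errors.New("tcbInfo root certificate has expired")
	// ErrQeIdentitySigningCertExpired is returned when the QeIdentity signing certificate has expired.
	ErrQeIdentitySigningCertExpired = errors.New("QeIdentity signing certificate has expired")
	// ErrQeIdentityRootCertExpired is returned when the QeIdentity root certificate has expired.
	ErrQeIdentityRootCertExpired = errors.New("QeIdentity root certificate has expired")
	// ErrCrlEmpty is returned when the certificate revocation list is empty.
	ErrCrlEmpty = errors.New("CRL is empty")
	// ErrTrustedCertEmpty is returned when no trusted certificate is provided for verification.
	ErrTrustedCertEmpty = errors.New("trusted certificate is empty")
	// ErrRevocationCheckFailed is returned when the CheckRevocations option is
	// true while GetCollateral is false: revocation cannot be checked without
	// the collaterals.
	ErrRevocationCheckFailed = errors.New("unable to check for certificate revocation as GetCollateral parameter in the options is set to false")
	// ErrTcbInfoTcbLevelsMissing is returned when the TCBLevels array in the TCB info has length 0.
	ErrTcbInfoTcbLevelsMissing = errors.New("tcbInfo contains empty TcbLevels")
	// ErrQeIdentityTcbLevelsMissing is returned when the TCBLevels array in the QE Identity has length 0.
	ErrQeIdentityTcbLevelsMissing = errors.New("QeIdentity contains empty TcbLevels")
	// ErrPckLeafCertExpired is returned when the PCK leaf certificate has expired.
	ErrPckLeafCertExpired = errors.New("PCK leaf certificate in PCK certificate chain has expired")
	// ErrRootCaCertExpired is returned when the Root CA certificate has expired.
	ErrRootCaCertExpired = errors.New("root CA certificate in PCK certificate chain has expired")
	// ErrIntermediateCaCertExpired is returned when the Intermediate CA certificate has expired.
	ErrIntermediateCaCertExpired = errors.New("intermediate CA certificate in PCK certificate chain has expired")
	// ErrTcbStatus is returned when the TCB status is out of date.
	ErrTcbStatus = errors.New("unable to find latest status of TCB, it is now OutOfDate")
	// ErrCertNil is returned when a certificate is not provided.
	ErrCertNil = errors.New("certificate is nil")
	// ErrParentCertNil is returned when a parent certificate is not provided.
	ErrParentCertNil = errors.New("parent certificate is nil")
)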
Functions ¶
func RawTdxQuote ¶ added in v0.2.1
RawTdxQuote verifies the raw byte representation of an attestation quote.
Types ¶
type CRLUnavailableErr ¶
// CRLUnavailableErr reports a problem with fetching the CRL from the network.
// It is a distinct error type so that this one failure can be recognised
// separately from other verification errors, which is what makes "fail open"
// handling of an unreachable CRL possible.
//
// NOTE(review): failing open means no revocation check took place; a caller
// that requires revocation checking should treat this error as a failure.
type CRLUnavailableErr struct {
// contains filtered or unexported fields
}
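CRLUnavailableErr represents a problem with fetching the CRL from the network. It is a distinct type to allow for easy "fail open" semantics when the CRL is unavailable. Failing open means the revocation check is skipped while the CRL is unreachable, so a caller that requires revocation checking should treat this error as a verification failure. See Adam Langley's write-up on CRLs and network unreliability: https://www.imperialviolet.org/2014/04/19/revchecking.html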
type Collateral ¶
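// Collateral contains information received from the Intel PCS API service.
//
// NOTE(review): the per-group comments below are read off the field names and
// the package's ErrMissing*/Err*Expired messages; confirm against the verifier.
type Collateral struct {
	// PCK CRL and the intermediate/root certificates of its issuer chain.
	PckCrlIssuerIntermediateCertificate *x509.Certificate
	PckCrlIssuerRootCertificate         *x509.Certificate
	PckCrl                              *x509.RevocationList

	// TCB info: issuer chain certificates, the parsed structure and the body.
	TcbInfoIssuerIntermediateCertificate *x509.Certificate
	TcbInfoIssuerRootCertificate         *x509.Certificate
	TdxTcbInfo                           pcs.TdxTcbInfo
	TcbInfoBody                          []byte

	// QE identity: issuer chain certificates, the parsed structure and the
	// enclave identity body.
	QeIdentityIssuerIntermediateCertificate *x509.Certificate
	QeIdentityIssuerRootCertificate         *x509.Certificate
	QeIdentity                              pcs.QeIdentity
	EnclaveIdentityBody                     []byte

	// Root CA CRL.
	RootCaCrl *x509.RevocationList
}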
Collateral contains information received from the Intel PCS API service.
type Options ¶
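// Options represents verification options for a TDX attestation quote.
type Options struct {
	// CheckRevocations set to true if the verifier should retrieve the CRL from the network and check
	// if the PCK certificate chain has been revoked.
	// It depends on GetCollateral: per ErrRevocationCheckFailed, setting
	// CheckRevocations to true while GetCollateral is false is an error.
	CheckRevocations bool
	// GetCollateral set to true if the verifier should retrieve the collaterals from the network using PCS.
	GetCollateral bool
	// Getter takes a URL and returns the body of its contents. By default uses http.Get and returns the header and body.
	Getter trust.HTTPSGetter
	// Now is the time at which to verify the validity of certificates and collaterals. If unset, uses time.Now().
	// NOTE(review): every expiry check is evaluated against this value, so a
	// caller that sets it should take it from a clock it trusts.
	Now time.Time
	// TrustedRoots specifies the root CertPool to trust when verifying PCK certificate chain.
	// If nil, embedded certificate will be used.
	TrustedRoots *x509.CertPool
	// contains filtered or unexported fields
}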
Options represents verification options for a TDX attestation quote.
func DefaultOptions ¶ added in v0.1.1
func DefaultOptions() *Options
DefaultOptions returns a useful default set of verification options.
func RootOfTrustToOptions ¶ added in v0.3.0
func RootOfTrustToOptions(rot *ccpb.RootOfTrust) (*Options, error)
RootOfTrustToOptions translates the RootOfTrust message into the Options type needed for driving an attestation verification.
type PCKCertificateChain ¶
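// PCKCertificateChain holds the three certificates of a PCK certificate chain.
//
// The field order here (leaf, root, intermediate) is not the order of the
// PEM blocks described by ErrPCKCertChainInvalid (leaf, intermediate, root),
// so populate the fields by name rather than by position.
type PCKCertificateChain struct {
	PCKCertificate          *x509.Certificate // PCK Leaf certificate
	RootCertificate         *x509.Certificate // Root CA certificate
	IntermediateCertificate *x509.Certificate // Intermediate CA certificate
}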
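PCKCertificateChain contains the certificates of a PCK certificate chain: the PCK leaf certificate, the Root CA certificate and the Intermediate CA certificate.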