Documentation
Overview
Package biz contains the infra-agnostic business logic of Enrollz Service hosted by the switch owner infra.
Index
- func EnrollControlCard(ctx context.Context, req *EnrollControlCardReq) error
- func RotateOwnerIakCert(ctx context.Context, req *RotateOwnerIakCertReq) error
- func VerifyAndParsePemCert(ctx context.Context, certPem string, certVerificationOpts x509.VerifyOptions) (*x509.Certificate, error)
- func VerifyAndSerializePubKey(ctx context.Context, cert *x509.Certificate) (string, error)
- type DefaultTpmCertVerifier
- type EnrollControlCardReq
- type EnrollzDeviceClient
- type EnrollzInfraDeps
- type IssueOwnerIDevIDCertReq
- type IssueOwnerIDevIDCertResp
- type IssueOwnerIakCertReq
- type IssueOwnerIakCertResp
- type RotateOwnerIakCertReq
- type SwitchOwnerCaClient
- type TpmCertVerifier
- type VerifyIakAndIDevIDCertsReq
- type VerifyIakAndIDevIDCertsResp
- type VerifyTpmCertReq
- type VerifyTpmCertResp
Constants
This section is empty.
Variables
This section is empty.
Functions
func EnrollControlCard added in v0.2.0
func EnrollControlCard(ctx context.Context, req *EnrollControlCardReq) error
EnrollControlCard is a "client"/switch-owner side implementation of Enrollz service. This client-side logic is part of the switch owner infra/service and is expected to communicate with a device/switch (hosting enrollz gRPC endpoints) to verify its TPM-based identity and provision it with the switch-owner-issued, TPM-based attestation and TLS certs: Owner IAK and Owner IDevID certs, respectively. The switch owner is expected to TPM-enroll one switch control card at a time, starting with the active card.
More specifically, this function targets initial install/enrollment of the device. This means that the switch is expected to rely on the IDevID cert for establishing a secure TLS connection. Consumers of this function should carefully choose CA trust anchors in `x509.VerifyOptions` to include switch vendor CA root and intermediate certs that signed both IAK and IDevID certs. By the end of the workflow a given control card will obtain its first set of Owner IAK and Owner IDevID certs (signed by the switch owner CA).
func RotateOwnerIakCert added in v0.2.0
func RotateOwnerIakCert(ctx context.Context, req *RotateOwnerIakCertReq) error
RotateOwnerIakCert is a "client"/switch-owner side implementation of Enrollz service. This client-side logic is part of the switch owner infra/service and is expected to communicate with a device/switch (hosting enrollz gRPC endpoints) to verify its TPM-based identity and provision it with the switch-owner-issued, TPM-based attestation Owner IAK cert. The switch owner is expected to TPM-enroll one switch control card at a time, starting with the active card.
More specifically, this function targets rotation of the Owner IAK cert in a post-install scenario. This means that the switch may NOT be using (o/)IDevID TLS certs anymore, and instead relies on a "real" prod mTLS cert that was issued to the switch after its first successful attestation. Thus, this function only assumes the presence of an IAK cert in the response from the device. Consumers of this function should carefully choose CA trust anchors in `x509.VerifyOptions` to include switch vendor CA root and intermediate certs that signed the IAK cert. By the end of the workflow a given control card will obtain a new (rotated) Owner IAK cert (signed by the switch owner CA).
func VerifyAndParsePemCert added in v0.2.0
func VerifyAndParsePemCert(ctx context.Context, certPem string, certVerificationOpts x509.VerifyOptions) (*x509.Certificate, error)
VerifyAndParsePemCert parses a PEM-encoded (IAK or IDevID) cert, verifies it against certVerificationOpts and returns the parsed x509 structure.
func VerifyAndSerializePubKey added in v0.2.0
func VerifyAndSerializePubKey(ctx context.Context, cert *x509.Certificate) (string, error)
VerifyAndSerializePubKey fetches the (IAK or IDevID) public key from an x509 cert, validates the key and returns it in PEM format.
Types
type DefaultTpmCertVerifier added in v0.2.0
type DefaultTpmCertVerifier struct{}
DefaultTpmCertVerifier is the default/reference implementation of TpmCertVerifier.
func (*DefaultTpmCertVerifier) VerifyIakAndIDevIDCerts added in v0.2.0
func (tcv *DefaultTpmCertVerifier) VerifyIakAndIDevIDCerts(ctx context.Context, req *VerifyIakAndIDevIDCertsReq) (*VerifyIakAndIDevIDCertsResp, error)
VerifyIakAndIDevIDCerts is the default/reference implementation of TpmCertVerifier.VerifyIakAndIDevIDCerts().
func (*DefaultTpmCertVerifier) VerifyTpmCert added in v0.2.0
func (tcv *DefaultTpmCertVerifier) VerifyTpmCert(ctx context.Context, req *VerifyTpmCertReq) (*VerifyTpmCertResp, error)
VerifyTpmCert is the default/reference implementation of TpmCertVerifier.VerifyTpmCert().
type EnrollControlCardReq added in v0.2.0
type EnrollControlCardReq struct {
	// Selection of a specific switch control card.
	ControlCardSelection *cpb.ControlCardSelection
	// Infra-specific wired dependencies.
	Deps EnrollzInfraDeps
	// Verification options for IAK and IDevID certs.
	CertVerificationOpts x509.VerifyOptions
	// SSL profile ID to which newly-issued Owner IDevID cert should be applied.
	SSLProfileID string
}
EnrollControlCardReq is the request to EnrollControlCard().
type EnrollzDeviceClient added in v0.2.0
type EnrollzDeviceClient interface {
	// Returns `TpmEnrollzServiceClient.GetIakCert()` response.
	//
	// During initial device install scenario, for an active control card IDevID cert *must* come from
	// the TLS handshake. Even though the device may optionally also specify active card's IDevID cert
	// in the response payload, as part of this EnrollzDeviceClient.GetIakCert() implementation it is
	// expected that the caller will overwrite/set this response payload `idevid_cert` field with the
	// IDevID cert from the TLS handshake.
	//
	// As specified in https://github.com/openconfig/attestz README, it is impossible to talk directly to the
	// standby control card (so all calls to standby card are relayed by the active card), and it is a
	// responsibility of the active control card to authenticate standby card using IDevID handshake.
	// Thus, for standby card the best we can do in this case is fetch its IDevID cert from the response
	// payload (as opposed to the TLS handshake, which is what we do for an active card enrollment), which
	// the active card is responsible to populate.
	GetIakCert(ctx context.Context, req *epb.GetIakCertRequest) (*epb.GetIakCertResponse, error)
	// Returns `TpmEnrollzServiceClient.RotateOIakCert()` response.
	RotateOIakCert(ctx context.Context, req *epb.RotateOIakCertRequest) (*epb.RotateOIakCertResponse, error)
}
EnrollzDeviceClient is a wrapper around gRPC `TpmEnrollzServiceClient` to allow customizable behavior.
During initial install the device is expected to use the IDevID cert to secure the TLS connection. Once the initial install (which includes TPM enrollment and attestation) is completed, the device is expected to obtain a set of "real" prod TLS credentials/certs and rely only on those instead of IDevID/oIDevID certs. This implies that the Enrollz client should carefully choose the right/expected TLS trust anchors based on the device state/scenario (e.g. initial install vs oIAK cert rotation).
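The source-selection rule in the GetIakCert() comment above (handshake cert for the active card, relayed payload for the standby card) as an added Go example. This is not code from the attestz project: the `cardRole` type, `idevidCertForCard` function and the helpers are assumptions for illustration, and the `tls.ConnectionState` and DER bytes are constructed fixtures rather than a real handshake. Chain verification is deliberately left to the later TpmCertVerifier step; this function only decides which cert is allowed to enter that step.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// cardRole tells whether the card being enrolled is the one terminating our TLS session.
type cardRole int

const (
	activeCard cardRole = iota
	standbyCard
)

// idevidCertForCard picks the IDevID cert the enrollz client hands to the cert verifier,
// following the EnrollzDeviceClient.GetIakCert() contract: for the active card the cert
// presented in the TLS handshake wins and whatever the payload carried in `idevid_cert` is
// overwritten; for the standby card (not reachable directly) the payload relayed by the
// active card is the only source. Chain verification happens afterwards, in TpmCertVerifier.
func idevidCertForCard(role cardRole, state *tls.ConnectionState, payloadIDevIDPem string) (string, error) {
	switch role {
	case activeCard:
		if state == nil || len(state.PeerCertificates) == 0 {
			return "", errors.New("active card: TLS handshake presented no peer certificate")
		}
		leaf := state.PeerCertificates[0] // the card's own cert; [1:] would be its chain
		return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw})), nil
	case standbyCard:
		block, _ := pem.Decode([]byte(payloadIDevIDPem))
		if block == nil || block.Type != "CERTIFICATE" {
			return "", errors.New("standby card: response payload carries no PEM certificate in idevid_cert")
		}
		return payloadIDevIDPem, nil
	}
	return "", fmt.Errorf("unknown card role %d", role)
}

// pemCert wraps DER bytes as a PEM CERTIFICATE block (used for the constructed fixtures below).
func pemCert(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// constructedState fakes the tls.ConnectionState a client sees after the handshake; the DER
// bytes are placeholders, a real session carries the card's vendor-issued IDevID cert here.
func constructedState(leafDER []byte) *tls.ConnectionState {
	return &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{Raw: leafDER}}}
}

func main() {
	handshakeDER := []byte("constructed-handshake-idevid-der")
	payload := pemCert([]byte("constructed-payload-idevid-der")) // must NOT win for the active card
	got, err := idevidCertForCard(activeCard, constructedState(handshakeDER), payload)
	fmt.Println(got == pemCert(handshakeDER), err)
}
```

The point a reviewer should check in any real implementation is the active-card branch: the payload argument is accepted but never consulted, so a device that fills `idevid_cert` with a different certificate than the one it authenticated with cannot influence which key gets enrolled.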
type EnrollzInfraDeps added in v0.2.0
type EnrollzInfraDeps interface {
	// Client to communicate with Switch Owner CA to issue oIAK and oIDevID certs.
	SwitchOwnerCaClient
	// Client to communicate with the switch's enrollz endpoints.
	EnrollzDeviceClient
	// Parser and verifier of IAK and IDevID certs.
	TpmCertVerifier
}
EnrollzInfraDeps is the infra-specific dependencies of this enrollz business logic lib. A service can create all these dependencies and wire them to the library on server start-up.
type IssueOwnerIDevIDCertReq added in v0.2.0
type IssueOwnerIDevIDCertReq struct {
	// Identity fields of a given switch control card.
	CardID *cpb.ControlCardVendorId
	// PEM-encoded IDevID public key.
	IDevIDPubPem string
}
IssueOwnerIDevIDCertReq is the request to SwitchOwnerCaClient.IssueOwnerIDevIDCert().
type IssueOwnerIDevIDCertResp added in v0.2.0
type IssueOwnerIDevIDCertResp struct {
	// PEM-encoded owner IDevID cert (signed by the switch owner CA).
	OwnerIDevIDCertPem string
}
IssueOwnerIDevIDCertResp is the response to SwitchOwnerCaClient.IssueOwnerIDevIDCert().
type IssueOwnerIakCertReq added in v0.2.0
type IssueOwnerIakCertReq struct {
	// Identity fields of a given switch control card.
	CardID *cpb.ControlCardVendorId
	// PEM-encoded IAK public key.
	IakPubPem string
}
IssueOwnerIakCertReq is the request to SwitchOwnerCaClient.IssueOwnerIakCert().
type IssueOwnerIakCertResp added in v0.2.0
type IssueOwnerIakCertResp struct {
	// PEM-encoded owner IAK cert (signed by the switch owner CA).
	OwnerIakCertPem string
}
IssueOwnerIakCertResp is the response to SwitchOwnerCaClient.IssueOwnerIakCert().
type RotateOwnerIakCertReq added in v0.2.0
type RotateOwnerIakCertReq struct {
	// Selection of a specific switch control card.
	ControlCardSelection *cpb.ControlCardSelection
	// Infra-specific wired dependencies.
	Deps EnrollzInfraDeps
	// Verification options for IAK cert.
	CertVerificationOpts x509.VerifyOptions
}
RotateOwnerIakCertReq is the request to RotateOwnerIakCert().
type SwitchOwnerCaClient added in v0.2.0
type SwitchOwnerCaClient interface {
	// For a given switch control card ID, issue an oIAK PEM cert based on IAK public key PEM.
	IssueOwnerIakCert(ctx context.Context, req *IssueOwnerIakCertReq) (*IssueOwnerIakCertResp, error)
	// For a given switch control card ID, issue an oIDevID PEM cert based on IDevID public key PEM.
	IssueOwnerIDevIDCert(ctx context.Context, req *IssueOwnerIDevIDCertReq) (*IssueOwnerIDevIDCertResp, error)
}
SwitchOwnerCaClient is the client to communicate with the Switch Owner CA to issue oIAK and oIDevID certs.
type TpmCertVerifier added in v0.2.0
type TpmCertVerifier interface {
	// Performs the following:
	// 1. Validate (signature and expiration) IDevID TLS cert.
	// 2. Validate (signature and expiration) IAK cert.
	// 3. Make sure IAK and IDevID cert subject serials match.
	// 4. Parse IAK pub from IAK cert and validate it (accepted crypto algo and key length).
	// 5. Parse IDevID pub from IDevID cert and validate it (accepted crypto algo and key length).
	VerifyIakAndIDevIDCerts(ctx context.Context, req *VerifyIakAndIDevIDCertsReq) (*VerifyIakAndIDevIDCertsResp, error)
	// Performs the following:
	// 1. Validate (signature and expiration) a TPM-based cert such as IAK or IDevID.
	// 2. Parse pub key from the cert and validate it (accepted crypto algo and key length).
	VerifyTpmCert(ctx context.Context, req *VerifyTpmCertReq) (*VerifyTpmCertResp, error)
}
TpmCertVerifier parses and verifies IAK and IDevID certs.
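The five-step VerifyIakAndIDevIDCerts procedure above, together with the VerifyAndParsePemCert and VerifyAndSerializePubKey contracts from the Functions section, as one added Go example. This is not the attestz package's code: `verifyAndParsePemCert`, `verifyAndSerializePubKey` and `verifyIakAndIDevIDCerts` are hypothetical re-implementations, the key policy (ECDSA on P-256/P-384) is an assumption since the accepted algorithms and lengths are not on the page, and `issue`/`buildVendorPKI` build a constructed vendor CA (root, intermediate, IAK and IDevID leaves) so the `x509.VerifyOptions` can be shown anchored on both the root and the intermediate, as the EnrollControlCard doc asks consumers to do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// verifyAndParsePemCert (hypothetical stand-in for the page's function): decode, parse, verify chain.
func verifyAndParsePemCert(certPem string, opts x509.VerifyOptions) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(certPem))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = cert.Verify(opts) // signature chain to opts.Roots, validity period, EKU
	}
	if err != nil {
		return nil, fmt.Errorf("cert rejected: %w", err)
	}
	return cert, nil
}
// verifyAndSerializePubKey: assumed key policy (ECDSA P-256/P-384; the real one is not on the page).
func verifyAndSerializePubKey(cert *x509.Certificate) (string, error) {
	k, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || (k.Curve.Params().Name != "P-256" && k.Curve.Params().Name != "P-384") {
		return "", fmt.Errorf("key policy: want ECDSA P-256/P-384, got %T", cert.PublicKey)
	}
	der, err := x509.MarshalPKIXPublicKey(k)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}
// verifyIakAndIDevIDCerts walks the five steps listed for TpmCertVerifier.VerifyIakAndIDevIDCerts.
func verifyIakAndIDevIDCerts(opts x509.VerifyOptions, iakPem, idevidPem string) (iakPub, idevidPub string, err error) {
	idevid, err := verifyAndParsePemCert(idevidPem, opts) // 1. IDevID signature and expiry
	if err != nil {
		return "", "", fmt.Errorf("IDevID: %w", err)
	}
	iak, err := verifyAndParsePemCert(iakPem, opts) // 2. IAK signature and expiry
	if err != nil {
		return "", "", fmt.Errorf("IAK: %w", err)
	}
	if iak.Subject.SerialNumber == "" || iak.Subject.SerialNumber != idevid.Subject.SerialNumber { // 3.
		return "", "", fmt.Errorf("subject serial mismatch: IAK %q, IDevID %q", iak.Subject.SerialNumber, idevid.Subject.SerialNumber)
	}
	if iakPub, err = verifyAndSerializePubKey(iak); err != nil { // 4. IAK key policy
		return "", "", fmt.Errorf("IAK key: %w", err)
	}
	if idevidPub, err = verifyAndSerializePubKey(idevid); err != nil { // 5. IDevID key policy
		return "", "", fmt.Errorf("IDevID key: %w", err)
	}
	return iakPub, idevidPub, nil
}
// issue (constructed fixture): mint a P-256 key for tmpl and have signer sign it; nil signer = self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, string, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER minted by CreateCertificate always parses
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), key
}
// buildVendorPKI (constructed fixture): root -> intermediate -> IAK/IDevID leaves; anchors on BOTH CAs.
func buildVendorPKI(iakSerial, idevidSerial string) (x509.VerifyOptions, string, string) {
	tmpl := func(cn, subjSerial string, n int64, ku x509.KeyUsage) *x509.Certificate {
		ca := ku&x509.KeyUsageCertSign != 0
		return &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: cn, SerialNumber: subjSerial},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: ca, KeyUsage: ku}
	}
	root, _, rootKey := issue(tmpl("vendor-root", "", 1, x509.KeyUsageCertSign), nil, nil)
	inter, _, interKey := issue(tmpl("vendor-intermediate", "", 2, x509.KeyUsageCertSign), root, rootKey)
	_, iakPem, _ := issue(tmpl("IAK", iakSerial, 3, x509.KeyUsageDigitalSignature), inter, interKey)
	_, idevidPem, _ := issue(tmpl("IDevID", idevidSerial, 4, x509.KeyUsageDigitalSignature), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}, iakPem, idevidPem
}

func main() {
	fmt.Println(verifyIakAndIDevIDCerts(buildVendorPKI("CARD-123", "CARD-123")))
}
```

Two design points worth noting: step 3 compares the subject `serialNumber` attribute (the control card identity), not the X.509 certificate serial, and an empty subject serial is rejected rather than trivially "matching"; and `KeyUsages` is set to `ExtKeyUsageAny` because IAK certs are attestation certs, not TLS server certs, which is what `x509.VerifyOptions` checks for by default when KeyUsages is left empty.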
type VerifyIakAndIDevIDCertsReq added in v0.2.0
type VerifyIakAndIDevIDCertsReq struct {
	// Identity fields of a given switch control card.
	ControlCardID *cpb.ControlCardVendorId
	// Verification options for IAK and IDevID certs.
	CertVerificationOpts x509.VerifyOptions
	// PEM-encoded IAK x509 attestation cert.
	IakCertPem string
	// PEM-encoded IDevID x509 TLS cert.
	IDevIDCertPem string
}
VerifyIakAndIDevIDCertsReq is the request to VerifyIakAndIDevIDCerts().
type VerifyIakAndIDevIDCertsResp added in v0.2.0
type VerifyIakAndIDevIDCertsResp struct {
	// PEM-encoded IAK public key.
	IakPubPem string
	// PEM-encoded IDevID public key.
	IDevIDPubPem string
}
VerifyIakAndIDevIDCertsResp is the response from VerifyIakAndIDevIDCerts().
type VerifyTpmCertReq added in v0.2.0
type VerifyTpmCertReq struct {
	// Identity fields of a given switch control card.
	ControlCardID *cpb.ControlCardVendorId
	// Verification options for a TPM-based cert such as IAK or IDevID.
	CertVerificationOpts x509.VerifyOptions
	// PEM-encoded x509 attestation IAK or TLS IDevID cert.
	CertPem string
}
VerifyTpmCertReq is the request to VerifyTpmCert().
type VerifyTpmCertResp added in v0.2.0
type VerifyTpmCertResp struct {
	// PEM-encoded public key from x509 attestation IAK or TLS IDevID cert.
	PubPem string
}
VerifyTpmCertResp is the response from VerifyTpmCert().