server

package
v0.0.0-...-ce7e112 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 3, 2024 License: Apache-2.0, BSD-2-Clause, BSD-3-Clause, + 2 more Imports: 28 Imported by: 0

Documentation

Overview

Package server contains the reference server implementation for the CC + EKM integration.

Constants

const (
	ServerStateUninitialized = iota
	ServerStateInitiated
	ServerStateHandshakeCompleted
	ServerStateAttestationNegotiated
	ServerStateAttestationAccepted
	ServerStateEnded
	ServerStateFailed
	ServerStateUnknown
)

Constants representing different ClientStates.

const (
	// KeyPath1 is the key path for key1 in the reference server, which has
	// no policy requirements.
	KeyPath1 = "key1"

	// KeyPath2 is the key path for key2 in the reference server, which requires
	// a minimum technology of SEV to wrap or unwrap keys.
	KeyPath2 = "key2"

	// TokenMetadataKey is the metadata key for the JWT.
	TokenMetadataKey = "authorization"
	// TokenPrefix is prepended to the JWT in the HTTP header/context map.
	TokenPrefix = "Bearer "
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Channel

type Channel struct {
	// contains filtered or unexported fields
}

Channel for connection internals

func NewChannel

func NewChannel(tlsVersion uint16) (ch *Channel, err error)

NewChannel sets up the TLS context and network shim.

type SecureSessionHTTPService

type SecureSessionHTTPService struct {
	// contains filtered or unexported fields
}

SecureSessionHTTPService is an HTTP-to-gRPC proxy for SecureSessionService, to be used for local testing only.

func NewSecureSessionHTTPService

func NewSecureSessionHTTPService(address, authToken string) (*SecureSessionHTTPService, error)

NewSecureSessionHTTPService creates and returns an instance of SecureSessionHTTPService. The caller should close it with SecureSessionHTTPService.Close() when finished.

func NewSecureSessionHTTPServiceWithFakeClients

func NewSecureSessionHTTPServiceWithFakeClients(address, authToken string, sessionClient ssgrpc.ConfidentialEkmSessionEstablishmentServiceClient, wrapClient cwgrpc.ConfidentialWrapUnwrapServiceClient) (*SecureSessionHTTPService, error)

NewSecureSessionHTTPServiceWithFakeClients creates and returns an instance of SecureSessionHTTPService with the provided fake clients. The caller should close it with SecureSessionHTTPService.Close() when finished.

func (*SecureSessionHTTPService) Handler

Handler acts as a HandlerFunc for HTTP servers.

type SecureSessionService

type SecureSessionService struct {

	// Necessary to embed these to maintain forward compatibility.
	pb.UnimplementedConfidentialEkmSessionEstablishmentServiceServer
	cwpb.UnimplementedConfidentialWrapUnwrapServiceServer
	// contains filtered or unexported fields
}

SecureSessionService implements the SecureSession interface.

func NewSecureSessionService

func NewSecureSessionService(tlsVersion uint16, audience string) (srv *SecureSessionService, err error)

NewSecureSessionService creates an instance of the secure session service.

func (*SecureSessionService) BeginSession

func (*SecureSessionService) ConfidentialUnwrap

ConfidentialUnwrap unwraps the given ciphertext with aad by splitting on the first instance of the requested key. The expected format of the wrapped text is (aad | key | plaintext). If the requested key is not present, or if the first part of the split does not match the aad, the unwrapping fails and returns an error. Otherwise, returns the determined plaintext.

func (*SecureSessionService) ConfidentialWrap

ConfidentialWrap wraps the aad and plaintext in the request by concatenating them as (aad | key | plaintext).
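The layout described for ConfidentialWrap and ConfidentialUnwrap, as an added Go example that is not this package's own code. It assumes that (aad | key | plaintext) means plain byte concatenation with no separator and that "key" is the key's bytes; wrapRef, unwrapRef, the error values and all sample values are hypothetical.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var (
	errKeyMissing  = errors.New("requested key not present in wrapped text")
	errAADMismatch = errors.New("bytes before the key do not match aad")
)

// wrapRef (hypothetical name) builds aad | key | plaintext by plain
// concatenation, as the doc comment describes; nothing is encrypted.
func wrapRef(key, aad, plaintext []byte) []byte {
	out := make([]byte, 0, len(aad)+len(key)+len(plaintext))
	out = append(out, aad...)
	out = append(out, key...)
	return append(out, plaintext...)
}

// unwrapRef (hypothetical name) splits on the FIRST occurrence of key and
// requires the part before it to equal aad; the remainder is the plaintext.
func unwrapRef(key, aad, wrapped []byte) ([]byte, error) {
	if len(key) == 0 {
		return nil, errKeyMissing
	}
	before, after, found := bytes.Cut(wrapped, key)
	if !found {
		return nil, errKeyMissing
	}
	if !bytes.Equal(before, aad) {
		return nil, errAADMismatch
	}
	return after, nil
}

func main() {
	key := []byte("KEYBYTES") // constructed sample values throughout
	w := wrapRef(key, []byte("ctx-A"), []byte("secret"))
	pt, err := unwrapRef(key, []byte("ctx-A"), w)
	fmt.Printf("%q %v\n", pt, err) // round trip
	_, err = unwrapRef(key, []byte("ctx-B"), w)
	fmt.Println(err) // aad is bound to the blob: a mismatch is rejected
	w = wrapRef(key, []byte("xKEYBYTESy"), []byte("secret"))
	_, err = unwrapRef(key, []byte("xKEYBYTESy"), w)
	fmt.Println(err) // edge case: aad containing the key bytes splits too early
}
```

Under these assumptions, a plaintext that contains the key bytes still round-trips because only the first occurrence is used for the split, while an aad that contains them can never be unwrapped.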

func (*SecureSessionService) EndSession

func (*SecureSessionService) Finalize

func (*SecureSessionService) Handshake

func (*SecureSessionService) NegotiateAttestation

func (*SecureSessionService) Wrap

func (s *SecureSessionService) Wrap(keyURI string, aad, plaintext []byte) []byte

Wrap takes in a keyPath, aad, and plaintext, and outputs the wrapped plaintext that the server returns. Invariant: object must have been created through NewSecureSessionService to set up keys. keyURI must be valid.

type SrvState

type SrvState int

SrvState is the state of the secure session establishment on the server side.
