ratls

package
v0.13.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 15, 2026 License: AGPL-3.0 Imports: 9 Imported by: 0

Documentation

Overview

Package ratls is the CLI's client-side RA-TLS verifier. It connects directly to an enclave (through the gateway's L4 splice), optionally challenges it with a fresh nonce (0xFFBB, requires the Privasys Go fork + -tags ratls), and verifies the attestation quote against the attestation server — so the CLI trusts the enclave's hardware attestation, not the control plane.

Functions

func Call added in v0.9.0

func Call(ctx context.Context, p CallParams, out io.Writer) (int, error)

Call verifies the enclave (RA-TLS challenge + report-data binding, plus a remote quote verification when AttServerURL and AttServerTok are set) and, only if verification passes, sends the request directly to the app; the control plane is never in the data path. Container responses (including chunked/SSE) stream to out; the response status is returned.

func NewNonce

func NewNonce() []byte

NewNonce returns a 32-byte random challenge nonce.

Types

type CallParams added in v0.9.0

type CallParams struct {
	Host         string // enclave gateway FQDN
	ServerName   string // SNI + Host header (the workload hostname)
	AppName      string // wasm app name (connect_call.app)
	AppType      string // "container" or "wasm"
	Function     string
	Path         string // container endpoint path (default "/"+Function)
	Body         []byte // raw JSON request body (may be nil)
	AppToken     string // user JWT presented as app_auth / Bearer
	Challenge    []byte // verify-before-send nonce
	AttServerURL string // set (with AttServerTok) to verify the quote remotely
	AttServerTok string
}

CallParams configures a direct app call.

type OID

type OID struct {
	OID      string `json:"oid"`
	Label    string `json:"label"`
	ValueHex string `json:"value_hex"`
}

OID is a parsed certificate OID extension.

type Params

type Params struct {
	Host          string // enclave gateway FQDN
	Port          int    // usually 443
	ServerName    string // SNI (the workload hostname)
	Challenge     []byte // nil => deterministic mode
	AttServerURL  string // attestation server verify endpoint (quote verification)
	AttServerTok  string // optional bearer for the attestation server
	ExpectMRENCLA string // optional MRENCLAVE pin (hex)
	ExpectMRTD    string // optional MRTD pin (hex)
}

Params configures a direct verification.

type Result

type Result struct {
	Host          string   `json:"host"`
	TLSVersion    string   `json:"tls_version"`
	CipherSuite   string   `json:"cipher_suite"`
	Challenged    bool     `json:"challenged"`
	NonceHex      string   `json:"nonce_hex,omitempty"`
	QuoteType     string   `json:"quote_type"`
	QuoteOID      string   `json:"quote_oid"`
	ReportDataHex string   `json:"report_data_hex,omitempty"`
	PubKeySHA256  string   `json:"pubkey_sha256"`
	CustomOIDs    []OID    `json:"custom_oids,omitempty"`
	QuoteStatus   string   `json:"quote_status,omitempty"`
	TcbDate       string   `json:"tcb_date,omitempty"`
	AdvisoryIDs   []string `json:"advisory_ids,omitempty"`
	Verified      bool     `json:"verified"`
	VerifyError   string   `json:"verify_error,omitempty"`
	CertPEM       string   `json:"-"`
	QuoteRaw      []byte   `json:"-"`
}

Result is the outcome of a direct, client-side attestation.

func Verify

func Verify(ctx context.Context, p Params) (*Result, error)

Verify connects to the enclave, (optionally) challenges it, and verifies its RA-TLS certificate. The returned Result is populated even when verification fails (VerifyError set, Verified false) so callers can show what was seen.
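Because Verify fills in Result even when verification fails, a caller has to gate on Verified explicitly before trusting any other field. The following is an added example, not code from this package: Gate and okStatus are hypothetical names, the local Result type copies only the fields the gate reads, and the "OK" status and sample values are constructed.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
)

// Result mirrors only the ratls.Result fields this gate reads.
type Result struct {
	Challenged  bool
	NonceHex    string
	QuoteStatus string
	AdvisoryIDs []string
	Verified    bool
	VerifyError string
}

// Gate (hypothetical helper) fails closed on the outcome of Verify. okStatus
// is the caller's allow-list of QuoteStatus values (assumed, not from the page).
func Gate(res *Result, err error, nonce []byte, okStatus map[string]bool) error {
	switch {
	case err != nil:
		return fmt.Errorf("verify call failed: %w", err)
	case res == nil:
		return errors.New("no result returned")
	case !res.Verified || res.VerifyError != "":
		return fmt.Errorf("attestation not verified: %q", res.VerifyError)
	}
	if nonce != nil { // a challenge was sent, so the result must reflect it
		got, decErr := hex.DecodeString(res.NonceHex)
		if decErr != nil || !res.Challenged || !bytes.Equal(got, nonce) {
			return errors.New("challenge nonce not reflected in result")
		}
	}
	if !okStatus[res.QuoteStatus] {
		return fmt.Errorf("quote status %q not allowed", res.QuoteStatus)
	}
	if len(res.AdvisoryIDs) > 0 { // strict policy choice: any advisory rejects
		return fmt.Errorf("open advisories: %v", res.AdvisoryIDs)
	}
	return nil
}

func main() {
	r := &Result{QuoteStatus: "OK", VerifyError: "constructed failure"} // populated, not verified
	fmt.Println(Gate(r, nil, nil, map[string]bool{"OK": true}))
}
```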
