attestation

package
Version: v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 19, 2022 License: MPL-2.0 Imports: 3 Imported by: 3

Documentation

Overview

Package attestation provides attestation data structures.

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrEmptyReport is returned by VerifyRemoteReport if reportBytes is empty.
	ErrEmptyReport = errors.New("empty report")

	// ErrTCBLevelInvalid is returned if VerifyRemoteReport succeeded, but the TCB is not considered up-to-date. Check the report's TCBStatus.
	ErrTCBLevelInvalid = errors.New("OE_TCB_LEVEL_INVALID")
)

Functions

This section is empty.

Types

type Report

type Report struct {
	Data            []byte           // The report data that has been included in the report.
	SecurityVersion uint             // Security version of the enclave. For SGX enclaves, this is the ISVSVN value.
	Debug           bool             // If true, the report is for a debug enclave.
	UniqueID        []byte           // The unique ID for the enclave. For SGX enclaves, this is the MRENCLAVE value.
	SignerID        []byte           // The signer ID for the enclave. For SGX enclaves, this is the MRSIGNER value.
	ProductID       []byte           // The Product ID for the enclave. For SGX enclaves, this is the ISVPRODID value.
	TCBStatus       tcbstatus.Status // The status of the enclave's TCB level.
}

Report is a parsed enclave report.

func VerifyAzureAttestationToken added in v0.2.2

func VerifyAzureAttestationToken(token string, providerURL string) (Report, error)

VerifyAzureAttestationToken takes a Microsoft Azure Attestation token in JSON Web Token compact serialization format and verifies the token's public claims and signature. The attestation provider's keys are loaded from providerURL over TLS. The validation is based on the trust in this TLS channel. Note that the token's issuer (iss) has to be equal to the providerURL, and providerURL must use the HTTPS scheme.

The caller must verify the returned report's content.

This function relies on the root CA certificates of the host to verify the TLS connection. Thus, it is currently usable by non-enclaved clients only. A future version of EGo will allow to add root certificates to an enclave.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL