tpm

package module
Published: Jan 23, 2024 License: Apache-2.0 Imports: 29 Imported by: 0

README

tpm-helpers

A fork of https://github.com/rancher-sandbox/go-tpm with additional capabilities for TPM

Documentation

Index

Constants

This section is empty.

Variables

var EmulatedHostSeed = func() Option {
	return func(c *config) error {
		c.seed = tokenize()
		return nil
	}
}

EmulatedHostSeed generates a seed based on the hostname

Functions

func AuthRequest

func AuthRequest(r *http.Request, conn *websocket.Conn) error

func Authenticate

func Authenticate(akBytes []byte, channel io.ReadWriter, opts ...Option) error

Authenticate will read from the passed channel, expecting a challenge from the attestation server, will compute a challenge response via the TPM using the passed Attestation Key (AK) and will send it back to the attestation server.

func CloseEmulatedDevice

func CloseEmulatedDevice()

func Connection

func Connection(url string, opts ...Option) (*websocket.Conn, error)

Connection returns a connection to the endpoint that is already authenticated. The server side needs to call AuthRequest on the HTTP request in order to authenticate the client and refuse unauthenticated connections.

func DecodeEK

func DecodeEK(pemBytes []byte) (*attest.EK, error)

DecodeEK decodes EK pem bytes to attest.EK

func DecodePubHash

func DecodePubHash(ek *attest.EK) (string, error)

DecodePubHash returns the public key hash (as a string) from an attestation EK

func DecryptBlob

func DecryptBlob(blob []byte, opts ...TPMOption) ([]byte, error)

DecryptBlob decrypts a blob using a key stored in the TPM

func EncryptBlob

func EncryptBlob(blob []byte, opts ...TPMOption) ([]byte, error)

func GenerateChallenge

func GenerateChallenge(ek *attest.EK, attestationData *AttestationData) ([]byte, []byte, error)

GenerateChallenge generates a challenge from attestation data and a public endorsed key

func Get

func Get(url string, opts ...Option) ([]byte, error)

Get retrieves a message from a remote ws server after successfully completing the TPM challenge

func GetAuthToken

func GetAuthToken(opts ...Option) (string, []byte, error)

GetAuthToken generates an authentication token from the host TPM. It will return the token as a string and the generated AK that should be saved by the caller for later Authentication.

func GetPubHash

func GetPubHash(opts ...Option) (string, error)

GetPubHash returns the EK's pub hash

func ReadBlob

func ReadBlob(opts ...TPMOption) ([]byte, error)

func ResolveToken

func ResolveToken(token string, opts ...Option) (bool, string, error)

ResolveToken is just syntax sugar around GetPubHash. If the token provided is already in EK form it returns it as-is, otherwise it retrieves the pub hash

func StoreBlob

func StoreBlob(blob []byte, opts ...TPMOption) error

func ValidateChallenge

func ValidateChallenge(secret, resp []byte) error

ValidateChallenge validates a challenge response against a secret

Types

type AttestationData

type AttestationData struct {
	EK []byte
	AK *attest.AttestationParameters
}

AttestationData is used to generate challenges from EKs

func GetAttestationData

func GetAttestationData(header string) (*attest.EK, *AttestationData, error)

GetAttestationData returns attestation data from a TPM bearer token

type Challenge

type Challenge struct {
	EC *attest.EncryptedCredential
}

Challenge represents the struct returned from the ws server, used to resolve the TPM challenge.

type ChallengeResponse

type ChallengeResponse struct {
	Secret []byte
}

ChallengeResponse represents the struct returned to the ws server as a challenge response.

type Option

type Option func(c *config) error

Option is a generic option for TPM configuration

var AppendCustomCAToSystemCA Option = func(c *config) error {
	c.systemfallback = true
	return nil
}

AppendCustomCAToSystemCA uses the system CA pool as a fallback, appending the custom CA to it.

var Emulated Option = func(c *config) error {
	c.emulated = true
	return nil
}

Emulated sets an emulated device in place of a real native TPM device. Note: the emulated device is embedded in the process and is not secure; it should only be used for testing.

func WithAdditionalHeader

func WithAdditionalHeader(k, v string) Option

WithAdditionalHeader adds a header key/value pair to the request

func WithCAs

func WithCAs(ca []byte) Option

WithCAs sets the root CAs for the request

func WithCommandChannel

func WithCommandChannel(cc attest.CommandChannelTPM20) Option

WithCommandChannel overrides the TPM command channel

func WithHeader

func WithHeader(header http.Header) Option

WithHeader sets a specific header for the request

func WithSeed

func WithSeed(s int64) Option

WithSeed sets a permanent seed. Used with TPM emulated device.

type TPMOption

type TPMOption func(t *TPMOptions) error

var EmulatedTPM TPMOption = func(t *TPMOptions) error {
	t.emulated = true
	return nil
}

func WithAttributes

func WithAttributes(s string) TPMOption

func WithDevice

func WithDevice(s string) TPMOption

func WithHash

func WithHash(c crypto.Hash) TPMOption

func WithIndex

func WithIndex(s string) TPMOption

func WithNVAttributes

func WithNVAttributes(s string) TPMOption

func WithPassword

func WithPassword(s string) TPMOption

type TPMOptions

type TPMOptions struct {
	// contains filtered or unexported fields
}

func DefaultTPMOption

func DefaultTPMOption(opts ...TPMOption) (*TPMOptions, error)

func (*TPMOptions) Apply

func (t *TPMOptions) Apply(opts ...TPMOption) error
