Documentation
Index
- Variables
- func VerifyFromATCJSON(repo string, sigstoreTrustedRootJSON []byte) (string, error)
- func VerifyFromATCURLJSON(attestationBundleURL, repo string, sigstoreTrustedRootJSON []byte) (string, error)
- func VerifyFromBundleJSON(bundleJSON []byte, repo string, sigstoreTrustedRootJSON []byte) (string, error)
- func VerifyJSON(enclave, repo string, sigstoreTrustedRootJSON []byte) (string, error)
- type GroundTruth
- type Response
- type SecureClient
- func NewDefaultClient() (*SecureClient, error)
- func NewPinnedSecureClient(enclave string, codeMeasurement *attestation.Measurement, hardwareMeasurements []*attestation.HardwareMeasurement) *SecureClient
- func NewSecureClient(enclave, repo string) *SecureClient
- func (s *SecureClient) Enclave() string
- func (s *SecureClient) Get(url string, headers map[string]string) (*Response, error)
- func (s *SecureClient) GroundTruth() *GroundTruth
- func (s *SecureClient) GroundTruthJSON() (string, error)
- func (s *SecureClient) HTTPClient() (*http.Client, error)
- func (s *SecureClient) Post(url string, headers map[string]string, body []byte) (*Response, error)
- func (s *SecureClient) Repo() string
- func (s *SecureClient) Verify() (*GroundTruth, error)
- func (s *SecureClient) VerifyFromBundle(bundle *attestation.Bundle) (*GroundTruth, error)
- type TLSBoundRoundTripper
Constants
This section is empty.
Variables
Functions
func VerifyFromATCJSON (added in v0.10.20)
func VerifyFromATCJSON(repo string, sigstoreTrustedRootJSON []byte) (string, error)
VerifyFromATCJSON fetches an attestation bundle from the default ATC endpoint and verifies it. It returns the verification data as a JSON string.
func VerifyFromATCURLJSON (added in v0.10.20)
func VerifyFromATCURLJSON(attestationBundleURL, repo string, sigstoreTrustedRootJSON []byte) (string, error)
VerifyFromATCURLJSON fetches an attestation bundle from a custom URL and verifies it. If attestationBundleURL is empty, it defaults to https://atc.tinfoil.sh. It returns the verification data as a JSON string.
Types
type GroundTruth (added in v0.0.17)
type GroundTruth struct {
    EnclaveHost         string                          `json:"enclave_host,omitempty"`
    TLSPublicKey        string                          `json:"tls_public_key,omitempty"`
    HPKEPublicKey       string                          `json:"hpke_public_key,omitempty"`
    Digest              string                          `json:"digest"`
    CodeMeasurement     *attestation.Measurement        `json:"code_measurement"`
    EnclaveMeasurement  *attestation.Measurement        `json:"enclave_measurement"`
    HardwareMeasurement *attestation.HardwareMeasurement `json:"hardware_measurement,omitempty"`
    CodeFingerprint     string                          `json:"code_fingerprint"`
    EnclaveFingerprint  string                          `json:"enclave_fingerprint"`
}
GroundTruth represents the "known good" verified state of the enclave.
type SecureClient
type SecureClient struct {
    // contains filtered or unexported fields
}
func NewDefaultClient (added in v0.10.0)
func NewDefaultClient() (*SecureClient, error)
NewDefaultClient creates a new secure client with a fallback mechanism. It tries to fetch routers from the router service, attempts to verify each one, and falls back to inference.tinfoil.sh if all routers fail.
func NewPinnedSecureClient (added in v0.1.18)
func NewPinnedSecureClient(enclave string, codeMeasurement *attestation.Measurement, hardwareMeasurements []*attestation.HardwareMeasurement) *SecureClient
NewPinnedSecureClient creates a new secure client with a given enclave and fixed measurements.
func NewSecureClient
func NewSecureClient(enclave, repo string) *SecureClient
NewSecureClient creates a new secure client with a given repo and enclave.
func (*SecureClient) Enclave (added in v0.1.16)
func (s *SecureClient) Enclave() string
Enclave returns the enclave URL.
func (*SecureClient) GroundTruth (added in v0.0.17)
func (s *SecureClient) GroundTruth() *GroundTruth
GroundTruth returns the last verified enclave state.
func (*SecureClient) GroundTruthJSON (added in v0.1.17)
func (s *SecureClient) GroundTruthJSON() (string, error)
GroundTruthJSON returns the ground truth as a JSON string.
func (*SecureClient) HTTPClient
func (s *SecureClient) HTTPClient() (*http.Client, error)
HTTPClient returns an HTTP client that only accepts TLS connections to the verified enclave.
func (*SecureClient) Repo (added in v0.1.16)
func (s *SecureClient) Repo() string
Repo returns the repository URL.
func (*SecureClient) Verify
func (s *SecureClient) Verify() (*GroundTruth, error)
Verify fetches the latest verification information from GitHub and Sigstore and stores the ground truth results in the client.
func (*SecureClient) VerifyFromBundle (added in v0.10.20)
func (s *SecureClient) VerifyFromBundle(bundle *attestation.Bundle) (*GroundTruth, error)
VerifyFromBundle verifies using a pre-fetched attestation bundle from ATC (single-request verification).
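As an added example (not this package's code), the following shows what a caller can do with the result of Verify/GroundTruthJSON: decode the documented JSON, refuse it when code_fingerprint or enclave_fingerprint drift from values pinned out of band, and bind the verified tls_public_key into a tls.Config so a handshake only completes against the attested enclave's key, which is the property HTTPClient() is documented to give you. CheckGroundTruth, CheckLeafPin, PinnedClient, the sample JSON and the hex SPKI-SHA-256 encoding of tls_public_key are all assumptions of this example, not the library's documented format.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
)
// GroundTruth mirrors the documented JSON tags; only the fields this check uses are kept.
type GroundTruth struct {
	TLSPublicKey       string `json:"tls_public_key,omitempty"`
	CodeFingerprint    string `json:"code_fingerprint"`
	EnclaveFingerprint string `json:"enclave_fingerprint"`
}
// SampleGroundTruthJSON is a constructed stand-in for what GroundTruthJSON returns.
const SampleGroundTruthJSON = `{"tls_public_key":"00ff","digest":"sha256:x","code_fingerprint":"c1","enclave_fingerprint":"e1"}`
// CheckGroundTruth decodes GroundTruthJSON output and rejects any drift from the pinned fingerprints.
func CheckGroundTruth(gtJSON, pinnedCode, pinnedEnclave string) (*GroundTruth, error) {
	var gt GroundTruth
	if err := json.Unmarshal([]byte(gtJSON), &gt); err != nil {
		return nil, fmt.Errorf("ground truth: %w", err)
	}
	if gt.CodeFingerprint != pinnedCode || gt.EnclaveFingerprint != pinnedEnclave {
		return nil, fmt.Errorf("fingerprints %s/%s differ from pinned %s/%s", gt.CodeFingerprint, gt.EnclaveFingerprint, pinnedCode, pinnedEnclave)
	}
	return &gt, nil
}
// CheckLeafPin accepts a chain only if the leaf's SPKI SHA-256 (hex; an assumed encoding) equals want.
func CheckLeafPin(rawCerts [][]byte, want string) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no peer certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("tls key %s != verified %s", got, want)
	}
	return nil
}
// PinnedClient completes a handshake only when the leaf key matches the verified ground truth.
func PinnedClient(gt *GroundTruth) *http.Client {
	verify := func(raw [][]byte, _ [][]*x509.Certificate) error { return CheckLeafPin(raw, gt.TLSPublicKey) }
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{VerifyPeerCertificate: verify}}}
}
```

Normal chain validation against system roots still runs before VerifyPeerCertificate, so the pin is an additional constraint, not a replacement for it.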