constellation/internal/attestation/attestation.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

/*
This package deals with the low level attestation and verification logic of Constellation nodes.

General tpm attestation code that is not subjective to a single platform should go into the vtpm package.
Since attestation capabilities can differ between platforms, the attestation code should go into a subpackage for that respective platform.

We commonly implement the following two interfaces for a platform:

	// Issuer issues an attestation document.
	type Issuer interface {
	    oid.Getter
	    Issue(userData []byte, nonce []byte) (quote []byte, err error)
	}

	// Validator is able to validate an attestation document.
	type Validator interface {
	    oid.Getter
	    Validate(attDoc []byte, nonce []byte) ([]byte, error)
	}

Attestation code for new platforms needs to implement these two interfaces.
*/
package attestation

import (
	"github.com/edgelesssys/constellation/v2/internal/crypto"
)

const (
	// clusterIDContext is the value to use for info when deriving the cluster ID.
	clusterIDContext = "clusterID"
	// MeasurementSecretContext is the value to use for info
	// when deriving the measurement secret from the master secret.
	MeasurementSecretContext = "measurementSecret"
)

// DeriveClusterID derives the cluster ID from a salt and secret value.
func DeriveClusterID(secret, salt []byte) ([]byte, error) {
	return crypto.DeriveKey(secret, salt, []byte(crypto.DEKPrefix+clusterIDContext), crypto.DerivedKeyLengthDefault)
}
add license headers sed -i '1i/\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w . 2022-09-05 07:06:08 +00:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

dev-docs: Go package docs (#958) * Remove unused package * Add Go package docs to most packages Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Fabian Kammel <fk@edgeless.systems> Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> Co-authored-by: Fabian Kammel <fk@edgeless.systems> 2023-01-19 14:57:50 +00:00			`/*`
			`This package deals with the low level attestation and verification logic of Constellation nodes.`

			`General tpm attestation code that is not subjective to a single platform should go into the vtpm package.`
			`Since attestation capabilities can differ between platforms, the attestation code should go into a subpackage for that respective platform.`

			`We commonly implement the following two interfaces for a platform:`

			`// Issuer issues an attestation document.`
			`type Issuer interface {`
			`oid.Getter`
			`Issue(userData []byte, nonce []byte) (quote []byte, err error)`
			`}`

			`// Validator is able to validate an attestation document.`
			`type Validator interface {`
			`oid.Getter`
			`Validate(attDoc []byte, nonce []byte) ([]byte, error)`
			`}`

			`Attestation code for new platforms needs to implement these two interfaces.`
			`*/`
AB#2200 Merge Owner and Cluster ID (#282) * Merge Owner and Cluster ID into single value * Remove aTLS from KMS, as it is no longer used for cluster external communication * Update verify command to use cluster-id instead of unique-id flag * Remove owner ID from init output Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-07-26 08:58:39 +00:00			`package attestation`

			`import (`
Upgrade go module to v2 2022-09-21 11:47:57 +00:00			`"github.com/edgelesssys/constellation/v2/internal/crypto"`
AB#2200 Merge Owner and Cluster ID (#282) * Merge Owner and Cluster ID into single value * Remove aTLS from KMS, as it is no longer used for cluster external communication * Update verify command to use cluster-id instead of unique-id flag * Remove owner ID from init output Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-07-26 08:58:39 +00:00			`)`

			`const (`
			`// clusterIDContext is the value to use for info when deriving the cluster ID.`
			`clusterIDContext = "clusterID"`
			`// MeasurementSecretContext is the value to use for info`
			`// when deriving the measurement secret from the master secret.`
			`MeasurementSecretContext = "measurementSecret"`
			`)`

			`// DeriveClusterID derives the cluster ID from a salt and secret value.`
Generate random salt for key derivation on init (#309) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-07-29 07:52:47 +00:00			`func DeriveClusterID(secret, salt []byte) ([]byte, error) {`
Refactor init/recovery to use kms URI So far the masterSecret was sent to the initial bootstrapper on init/recovery. With this commit this information is encoded in the kmsURI that is sent during init. For recover, the communication with the recoveryserver is changed. Before a streaming gRPC call was used to exchanges UUID for measurementSecret and state disk key. Now a standard gRPC is made that includes the same kmsURI & storageURI that are sent during init. 2023-01-16 10:19:03 +00:00			`return crypto.DeriveKey(secret, salt, []byte(crypto.DEKPrefix+clusterIDContext), crypto.DerivedKeyLengthDefault)`
AB#2200 Merge Owner and Cluster ID (#282) * Merge Owner and Cluster ID into single value * Remove aTLS from KMS, as it is no longer used for cluster external communication * Update verify command to use cluster-id instead of unique-id flag * Remove owner ID from init output Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-07-26 08:58:39 +00:00			`}`