
     1  /*
     2  Copyright 2022 Gravitational, Inc.
     3  Licensed under the Apache License, Version 2.0 (the "License");
     4  you may not use this file except in compliance with the License.
     5  You may obtain a copy of the License at
     6      http://www.apache.org/licenses/LICENSE-2.0
     7  Unless required by applicable law or agreed to in writing, software
     8  distributed under the License is distributed on an "AS IS" BASIS,
     9  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    10  See the License for the specific language governing permissions and
    11  limitations under the License.
    12  */
    13  
    14  package keys
    15  
    16  import (
    17  	"bytes"
    18  	"crypto"
    19  
    20  	"github.com/gogo/protobuf/jsonpb"
    21  	"github.com/gravitational/trace"
    22  
    23  	attestation "github.com/gravitational/teleport/api/gen/proto/go/attestation/v1"
    24  )
    25  
    26  // HardwareSigner is a crypto.Signer which can be attested as being backed by a hardware key.
    27  // This enables the ability to enforce hardware key private key policies.
// HardwareSigner is a crypto.Signer which can be attested as being backed by a hardware key.
// This enables the ability to enforce hardware key private key policies.
//
// PrivateKey exposes the same two methods (see GetAttestationStatement and
// GetPrivateKeyPolicy in this file) by delegating to its Signer when that Signer
// is a HardwareSigner, and otherwise reporting nil / PrivateKeyPolicyNone.
type HardwareSigner interface {
	crypto.Signer

	// GetAttestationStatement returns an AttestationStatement for this private key.
	// The statement is the evidence a verifier inspects to decide whether the
	// key is genuinely hardware-backed.
	GetAttestationStatement() *AttestationStatement

	// GetPrivateKeyPolicy returns the PrivateKeyPolicy supported by this private key.
	GetPrivateKeyPolicy() PrivateKeyPolicy
}
    37  
    38  // GetAttestationStatement returns this key's AttestationStatement. If the key is
    39  // not a hardware-backed key, this method returns nil.
// GetAttestationStatement returns this key's AttestationStatement. If the key is
// not a hardware-backed key, this method returns nil.
func (k *PrivateKey) GetAttestationStatement() *AttestationStatement {
	hw, isHardware := k.Signer.(HardwareSigner)
	if !isHardware {
		// A software-backed key has no attestation to offer. Returning nil is
		// deliberate: downstream attestation checks treat a missing statement
		// as a failure, so a non-hardware key cannot satisfy a hardware policy.
		return nil
	}
	return hw.GetAttestationStatement()
}
    47  
    48  // GetPrivateKeyPolicy returns this key's PrivateKeyPolicy.
// GetPrivateKeyPolicy returns this key's PrivateKeyPolicy.
//
// Hardware-backed signers report the policy they support; every other signer
// (including a nil Signer) yields PrivateKeyPolicyNone.
func (k *PrivateKey) GetPrivateKeyPolicy() PrivateKeyPolicy {
	switch s := k.Signer.(type) {
	case HardwareSigner:
		return s.GetPrivateKeyPolicy()
	default:
		return PrivateKeyPolicyNone
	}
}
    55  
// AttestationStatement is an attestation statement for a hardware private key
// that supports json marshaling through the standard encoding/json package.
//
// It is a defined type (not an alias) over the generated proto message, so the
// proto type's methods are not inherited. Use ToProto/AttestationStatementFromProto
// to convert between the two, and MarshalJSON/UnmarshalJSON below for the JSON form.
type AttestationStatement attestation.AttestationStatement
    59  
// ToProto converts this AttestationStatement to its protobuf form.
//
// Both types share the same underlying struct, so this is a plain pointer
// conversion with no copy; a nil receiver converts to a nil proto pointer.
func (ar *AttestationStatement) ToProto() *attestation.AttestationStatement {
	proto := (*attestation.AttestationStatement)(ar)
	return proto
}
    64  
// AttestationStatementFromProto converts an AttestationStatement from its protobuf form.
//
// This is the inverse of (*AttestationStatement).ToProto: a pointer conversion
// between two types with an identical underlying struct. A nil input yields nil.
func AttestationStatementFromProto(att *attestation.AttestationStatement) *AttestationStatement {
	wrapped := (*AttestationStatement)(att)
	return wrapped
}
    69  
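// MarshalJSON implements json.Marshaler using protobuf JSON (gogo jsonpb)
// encoding, so the output follows the proto message's JSON mapping rather than
// encoding/json's default struct encoding.
//
// On error no bytes are returned: the previous implementation handed back a
// possibly partially written buffer alongside the error, which a caller that
// only checked len() could mistake for valid output.
func (ar *AttestationStatement) MarshalJSON() ([]byte, error) {
	var buf bytes.Buffer
	if err := (&jsonpb.Marshaler{}).Marshal(&buf, ar.ToProto()); err != nil {
		return nil, trace.Wrap(err)
	}
	return buf.Bytes(), nil
}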
    76  
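// UnmarshalJSON implements json.Unmarshaler using protobuf JSON (gogo jsonpb)
// decoding into the underlying proto message.
//
// The package-level jsonpb.Unmarshal uses a default Unmarshaler, which does not
// set AllowUnknownFields, so unexpected fields in attestation input are rejected
// rather than silently dropped. The error is wrapped with trace to match
// MarshalJSON; trace.Wrap(nil) returns nil, so the success path is unchanged.
func (ar *AttestationStatement) UnmarshalJSON(buf []byte) error {
	return trace.Wrap(jsonpb.Unmarshal(bytes.NewReader(buf), ar.ToProto()))
}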
    81  
// AttestationData is verified attestation data for a public key.
//
// It is the plain-Go, encoding/json-friendly result of checking an
// AttestationStatement; it carries no proto dependency.
type AttestationData struct {
	// PublicKeyDER is the public key in PKIX, ASN.1 DER form.
	// encoding/json encodes a []byte as a base64 string under "public_key".
	PublicKeyDER []byte `json:"public_key"`
	// PrivateKeyPolicy specifies the private key policy supported by the associated private key.
	PrivateKeyPolicy PrivateKeyPolicy `json:"private_key_policy"`
	// SerialNumber is the serial number of the Attested hardware key.
	SerialNumber uint32 `json:"serial_number"`
}