/*
Copyright 2022 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package keys

import (
	"bytes"
	"crypto"

	"github.com/gogo/protobuf/jsonpb"
	"github.com/gravitational/trace"

	attestation "github.com/gravitational/teleport/api/gen/proto/go/attestation/v1"
)

// HardwareSigner is a crypto.Signer which can be attested as being backed by a hardware key.
// This enables the ability to enforce hardware key private key policies.
type HardwareSigner interface {
	crypto.Signer

	// GetAttestationStatement returns an AttestationStatement for this private key.
	GetAttestationStatement() *AttestationStatement

	// GetPrivateKeyPolicy returns the PrivateKeyPolicy supported by this private key.
	GetPrivateKeyPolicy() PrivateKeyPolicy
}

// GetAttestationStatement returns this key's AttestationStatement.
//
// Only a signer implementing HardwareSigner can produce a statement. For any
// other signer nil is returned, which is the safe default: a key without a
// statement fails attestation checks instead of passing them.
func (k *PrivateKey) GetAttestationStatement() *AttestationStatement {
	switch signer := k.Signer.(type) {
	case HardwareSigner:
		return signer.GetAttestationStatement()
	default:
		// Not hardware-backed: present no statement and let attestation fail.
		return nil
	}
}

// GetPrivateKeyPolicy returns this key's PrivateKeyPolicy.
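// A key whose signer is not a HardwareSigner reports PrivateKeyPolicyNone;
// a non-None policy can only come from the hardware signer itself, so a
// software-only key is never credited with a hardware-backed policy.
func (k *PrivateKey) GetPrivateKeyPolicy() PrivateKeyPolicy {
	if hwSigner, ok := k.Signer.(HardwareSigner); ok {
		return hwSigner.GetPrivateKeyPolicy()
	}
	return PrivateKeyPolicyNone
}

// AttestationStatement is an attestation statement for a hardware private key
// that supports json marshaling through the standard json/encoding package.
type AttestationStatement attestation.AttestationStatement

// ToProto converts this AttestationStatement to its protobuf form.
//
// This is a pointer conversion, not a copy: the result aliases ar.
func (ar *AttestationStatement) ToProto() *attestation.AttestationStatement {
	return (*attestation.AttestationStatement)(ar)
}

// AttestationStatementFromProto converts an AttestationStatement from its protobuf form.
//
// This is a pointer conversion, not a copy: the result aliases att.
func AttestationStatementFromProto(att *attestation.AttestationStatement) *AttestationStatement {
	return (*AttestationStatement)(att)
}

// MarshalJSON implements custom protobuf json marshaling.
//
// On error the returned byte slice is nil rather than whatever partial output
// the marshaler wrote before failing; the error is wrapped with trace.Wrap.
func (ar *AttestationStatement) MarshalJSON() ([]byte, error) {
	var buf bytes.Buffer
	if err := (&jsonpb.Marshaler{}).Marshal(&buf, ar.ToProto()); err != nil {
		return nil, trace.Wrap(err)
	}
	return buf.Bytes(), nil
}

// UnmarshalJSON implements custom protobuf json unmarshaling.
//
// Errors are wrapped with trace.Wrap, matching MarshalJSON. jsonpb.Unmarshal
// applies the package's default Unmarshaler, so unknown-field handling for
// incoming statements follows that default rather than anything set here —
// NOTE(review): confirm that default is as strict as attestation input needs.
func (ar *AttestationStatement) UnmarshalJSON(buf []byte) error {
	return trace.Wrap(jsonpb.Unmarshal(bytes.NewReader(buf), ar.ToProto()))
}

// AttestationData is verified attestation data for a public key.
//
// The type itself performs no verification; it is presumably populated by an
// attestation check performed elsewhere, and a value should be trusted only
// when it came from that check.
type AttestationData struct {
	// PublicKeyDER is the public key in PKIX, ASN.1 DER form.
	PublicKeyDER []byte `json:"public_key"`
	// PrivateKeyPolicy specifies the private key policy supported by the associated private key.
	PrivateKeyPolicy PrivateKeyPolicy `json:"private_key_policy"`
	// SerialNumber is the serial number of the Attested hardware key.
	SerialNumber uint32 `json:"serial_number"`
}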