Go-based network automation with YANG models, gRPC, Ansible, Terraform, and Kubernetes integration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
package shellstream
import (
	"context"
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
	"github.com/spiffe/go-spiffe/v2/workloadapi"
)
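// ValidateSAT validates a Substrate Attestation Token against the SPIRE/Vigil trust bundle.
//
// Phase 1: the token is treated as an X.509-SVID certificate chain (concatenated
// DER, or PEM CERTIFICATE blocks as a fallback) and is verified against the trust
// bundle for the leaf's trust domain, fetched from the local SPIFFE Workload API.
// Verification is delegated to x509svid.Verify, which builds the chain to a bundle
// root and checks the leaf's SPIFFE ID URI SAN. A merely parseable chain is not
// accepted on its own: without chain verification any self-issued certificate
// naming a known trust domain would pass.
//
// trustBundlePath is accepted for interface compatibility but is not consulted
// yet; the bundle always comes from the Workload API.
//
// Future: Full SAT validation with TPM attestation and capability semantics via Vigil.
//
// It returns a non-nil error when the token is empty, does not decode to a
// certificate chain, the Workload API cannot be reached, or the chain does not
// verify against the trust domain's bundle.
func ValidateSAT(token []byte, trustBundlePath string) error {
	if len(token) == 0 {
		return fmt.Errorf("empty SAT token")
	}

	certs, err := parseSATChain(token)
	if err != nil {
		return fmt.Errorf("decoding SAT certificate chain: %w", err)
	}

	// There is no ctx parameter on this function, so the Workload API
	// connection cannot be cancelled by the caller.
	ctx := context.Background()
	source, err := workloadapi.NewX509Source(ctx)
	if err != nil {
		return fmt.Errorf("failed to create X509Source: %w", err)
	}
	defer source.Close()

	// X509Source serves as the bundle source: Verify looks up the bundle for the
	// leaf's trust domain and rejects chains that do not root in it.
	// Phase 1 does not yet bind the returned SPIFFE ID to a capability.
	if _, _, err := x509svid.Verify(certs, source); err != nil {
		return fmt.Errorf("verifying SAT certificate chain: %w", err)
	}

	return nil
}

// parseSATChain decodes token as a concatenated DER certificate chain; if that
// fails it retries treating the input as PEM, accepting only CERTIFICATE blocks.
// It returns an error when neither form yields at least one certificate.
func parseSATChain(token []byte) ([]*x509.Certificate, error) {
	if certs, err := x509.ParseCertificates(token); err == nil && len(certs) > 0 {
		return certs, nil
	}

	var der []byte
	rest := token
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		der = append(der, block.Bytes...)
	}
	if len(der) == 0 {
		return nil, fmt.Errorf("input is neither DER nor PEM certificate data")
	}

	return x509.ParseCertificates(der)
}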