@salrashid123
salrashid123 / ocsp_parse_cert.md
Last active August 1, 2023 04:13
Extract OCSP Request Parameters from certificate
@salrashid123
salrashid123 / bq_diff_privacy.md
Created July 20, 2023 13:03
BQ Differential Privacy using AEAD and GCP Confidential Space

Snippet which shows how a de-privileged operator can execute BQ Differential Privacy functions on encrypted data.

In the following, there are three parties:

  • 2 hospitals
  • 1 pharma company
@salrashid123
salrashid123 / getshieldedIdentity.md
Last active July 3, 2023 12:56
Using GCE APIs to retrieve EKPub

Snippet which uses GCE Compute API to retrieve the ekCert encryption and signing keys per

The idea is that a remote verifier would first use the GCE API to retrieve the ekPub key and use that as a trust anchor for remote attestation.

@salrashid123
salrashid123 / gce_eventlog.md
Last active October 20, 2023 10:16
TPM EventLog value for GCE Confidential VMs (SEV)

Snippet used to confirm if AMD-SEV is enabled or not on a GCE VM using TPM PCR0 values.

GCE Shielded VMs that have TPMs enabled assert that PCR0 surfaces the following encoded measurements:

0: Contains the value for PCR0, which contains information about firmware components and the memory encryption technology that is active. This PCR diverges from the TCG PCClient platform firmware profile in that it measures only the following events:
@salrashid123
salrashid123 / tpm_ca.md
Last active September 14, 2024 05:56
Issue CA-signed certificate for TPM public key using (-force_pubkey)
@salrashid123
salrashid123 / tpm_ek_rasp_pi.md
Last active June 14, 2023 01:59
Reading the EKCert from a Raspberry Pi

Read EKCert RSA from NV on a Raspberry Pi

From p. 13 of the TCG EK Credential Profile:

2.2.1.4 Low Range
The Low Range is at NV Indices 0x01c00002 - 0x01c0000c.
0x01c00002 RSA 2048 EK Certificate
0x01c00003 RSA 2048 EK Nonce
0x01c00004 RSA 2048 EK Template
@salrashid123
salrashid123 / kubernetes_tokenreviews.md
Last active July 7, 2023 17:22
Using Kubernetes TokenReviews Go API on a pod

Deploying the Attestor component of https://github.com/salrashid123/go_tpm_remote_attestation on GKE (you're free to reimplement both components using go-tpm-tools and go-attestation).

Note: GKE pods DO NOT have access to /dev/tpm0; it is only made available in privileged mode.

Attestor on GKE

gcloud container clusters create cluster-1 \

HTTPS CONNECT proxy for Envoy

To use, download all the files below, then run:

./envoy -c basic.yaml -l debug

cat /etc/hosts
127.0.0.1 squid.yourdomain.com

Demo to set up a sample GCP Secure Web Gateway

The first step is to make a copy of all the files in this repo and follow the steps below.

Edit the YAML files and replace YOUR_PROJECT_ID with your project ID:

  • gateway.yaml
  • policy.yaml