openconfig · Chounoki · May 21, 2026
diff --git a/server/artifactmanager/BUILD.bazel b/server/artifactmanager/BUILD.bazel
@@ -0,0 +1,27 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "artifactmanager",
+    srcs = ["artifactmanager.go"],
+    importpath = "github.com/openconfig/bootz/server/artifactmanager",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//common/ownership_voucher",
+        "//server/proto:config",
+        "@openconfig_attestz//proto:tpm_enrollz_go",
+    ],
+)
diff --git a/server/artifactmanager/artifactmanager.go b/server/artifactmanager/artifactmanager.go
@@ -0,0 +1,154 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package artifactmanager is an artifact manager that manages artifacts like certificates and keys.
+// The implementation here is an in-memory implementation primarily used for testing and qualification.
+// For production usecase, you should replace this implementation with your own one.
+package artifactmanager
+
+import (
+	"context"
+	"crypto"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	ownershipvoucher "github.com/openconfig/bootz/common/ownership_voucher"
+
+	epb "github.com/openconfig/attestz/proto/tpm_enrollz"
+	cpb "github.com/openconfig/bootz/server/proto/config"
+)
+
+// InMemoryArtifactManager provides a simple in memory handler for artifacts.
+type InMemoryArtifactManager struct {
+	trustAnchorCert *x509.Certificate
+	trustAnchorKey  crypto.PrivateKey
+	ownerCert       *x509.Certificate
+	ownerKey        crypto.PrivateKey
+	vendorCAPool    *x509.CertPool
+	controlCards    map[string]*cpb.ControlCard
+}
+
+// BootzServerTrustAnchorKeyPair returns the Bootz server trust anchor. This is the keypair that will generate the server's TLS certificate.
+func (m *InMemoryArtifactManager) BootzServerTrustAnchorKeyPair() (*x509.Certificate, crypto.PrivateKey) {
+	return m.trustAnchorCert, m.trustAnchorKey
+}
+
+// OwnerCertificateKeyPair returns the owner certificate keypair for signing the bootstrap response.
+func (m *InMemoryArtifactManager) OwnerCertificateKeyPair() (*x509.Certificate, crypto.PrivateKey) {
+	return m.ownerCert, m.ownerKey
+}
+
+// OwnershipVoucher returns the ownership voucher for the given serial number and vendor.
+func (m *InMemoryArtifactManager) OwnershipVoucher(ctx context.Context, serial string, vendor string) ([]byte, error) {
+	// We don't use the "vendor" argument because it is empty when the request is a ReportStatusRequest.
+	// For simplicity, we assume the serial numbers are unique within our inventory.
+	// For production usecase, you should maintain a list containing only the chassis that are being bootstrappped and match to that list to prevent serial number collision.
+	if v, ok := m.controlCards[serial]; ok {
+		ov, err := base64.StdEncoding.DecodeString(v.GetOwnershipVoucher())
+		if err != nil {
+			return nil, fmt.Errorf("base64 decoding failed: %v", err)
+		}
+		unmarshaled, err := ownershipvoucher.Unmarshal(ov, m.vendorCAPool)
+		if err != nil {
+			return nil, fmt.Errorf("unmarshalling failed: %v", err)
+		}
+		if !strings.EqualFold(unmarshaled.OV.SerialNumber, serial) {
+			return nil, fmt.Errorf("serial number does not match, got %v, want %v", unmarshaled.OV.SerialNumber, serial)
+		}
+		return ov, nil
+	}
+	return nil, fmt.Errorf("not found for serial number: %v", serial)
+}
+
+// PublicKey retrieves the EK or PPK public key of the chassis for use in the BootstrapStream challenge.
+func (m *InMemoryArtifactManager) PublicKey(ctx context.Context, serial string, vendor string) (crypto.PublicKey, epb.Key, error) {
+	// We don't use the "vendor" argument because it is empty when the request is a ReportStatusRequest.
+	// For simplicity, we assume the serial numbers are unique within our inventory.
+	// For production usecase, you should maintain a list containing only the chassis that are being bootstrappped and match to that list to prevent serial number collision.
+	if v, ok := m.controlCards[serial]; ok {
+		pubBytes, err := base64.StdEncoding.DecodeString(v.GetPublicKey())
+		if err != nil {
+			return nil, epb.Key_KEY_UNSPECIFIED, fmt.Errorf("failed to decode public key: %v", err)
+		}
+		pub, err := x509.ParsePKIXPublicKey(pubBytes)
+		if err != nil {
+			return nil, epb.Key_KEY_UNSPECIFIED, fmt.Errorf("failed to parse public key: %v", err)
+		}
+		return pub, v.GetPublicKeyType(), nil
+	}
+	return nil, epb.Key_KEY_UNSPECIFIED, fmt.Errorf("public key not found for serial number: %v", serial)
+}
+
+// VendorCABundle returns the pool of certificates that the server should use to validate the provided IDevID certificates.
+func (m *InMemoryArtifactManager) VendorCABundle() *x509.CertPool {
+	return m.vendorCAPool
+}
+
+func parseCertKeyPair(pair *cpb.CertKeyPair) (*x509.Certificate, crypto.PrivateKey, error) {
+	if pair == nil {
+		return nil, nil, fmt.Errorf("certificate key pair is nil")
+	}
+	certBytes, err := base64.StdEncoding.DecodeString(pair.GetCert())
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to decode certificate: %v", err)
+	}
+	keyBytes, err := base64.StdEncoding.DecodeString(pair.GetKey())
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to decode private key: %v", err)
+	}
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse certificate: %v", err)
+	}
+	key, err := x509.ParsePKCS8PrivateKey(keyBytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse private key: %v", err)
+	}
+	return cert, key, nil
+}
+
+// New returns a new in-memory artifact manager.
+func New(config *cpb.Config) (*InMemoryArtifactManager, error) {
+	var err error
+	am := &InMemoryArtifactManager{}
+	am.trustAnchorCert, am.trustAnchorKey, err = parseCertKeyPair(config.GetTrustAnchor())
+	if err != nil {
+		return nil, fmt.Errorf("trust anchor error: %v", err)
+	}
+	am.ownerCert, am.ownerKey, err = parseCertKeyPair(config.GetOwnerCertificate())
+	if err != nil {
+		return nil, fmt.Errorf("owner certificate error: %v", err)
+	}
+	am.vendorCAPool = x509.NewCertPool()
+	for _, v := range config.GetVendorCaCerts() {
+		certBytes, err := base64.StdEncoding.DecodeString(v)
+		if err != nil {
+			return nil, fmt.Errorf("failed to decode vendor CA certificate: %v", err)
+		}
+		cert, err := x509.ParseCertificate(certBytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse vendor CA certificate: %v", err)
+		}
+		am.vendorCAPool.AddCert(cert)
+	}
+	am.controlCards = make(map[string]*cpb.ControlCard)
+	for _, c := range config.GetChassis() {
+		for _, cc := range c.GetControlCards() {
+			am.controlCards[cc.GetSerialNumber()] = cc
+		}
+	}
+	return am, nil
+}
diff --git a/server/proto/BUILD.bazel b/server/proto/BUILD.bazel
@@ -0,0 +1,53 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
+
+package(default_visibility = ["//visibility:public"])
+
+proto_library(
+    name = "config_proto",
+    srcs = ["config.proto"],
+    import_prefix = "github.com/openconfig/bootz",
+    deps = [
+        "//proto:bootz_proto",
+        "@openconfig_attestz//proto:tpm_enrollz_proto",
+        "@openconfig_gnsi//authz:authz_proto",
+        "@openconfig_gnsi//pathz:pathz_proto",
+    ],
+)
+
+##############################################################################
+# Go
+##############################################################################
+
+go_proto_library(
+    name = "config_go_proto",
+    importpath = "github.com/openconfig/bootz/server/proto/config",
+    proto = ":config_proto",
+    deps = [
+        "//proto:bootz",
+        "@openconfig_attestz//proto:tpm_enrollz_go",
+        "@openconfig_gnsi//authz",
+        "@openconfig_gnsi//pathz",
+    ],
+)
+
+go_library(
+    name = "config",
+    embed = [":config_go_proto"],
+    importpath = "github.com/openconfig/bootz/server/proto/config",
+)
diff --git a/server/proto/config.proto b/server/proto/config.proto
@@ -0,0 +1,87 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package config;
+
+import "github.com/openconfig/attestz/proto/tpm_enrollz.proto";
+import "github.com/openconfig/bootz/proto/bootz.proto";
+import "github.com/openconfig/gnsi/authz/authz.proto";
+import "github.com/openconfig/gnsi/pathz/pathz.proto";
+
+option go_package = "github.com/openconfig/bootz/server/proto/config";
+
+// A binding configuration for Bootz server.
+message Config {
+  // Bootz server address (IP:port).
+  string server_address = 1;
+  // Bootz server trust anchor cert key pair.
+  CertKeyPair trust_anchor = 2;
+  // Owner certificate key pair.
+  CertKeyPair owner_certificate = 3;
+  // Based64 encoding of ASN.1 DER vendor CA certificates.
+  repeated string vendor_ca_certs = 4;
+  // Chassis owned by the organization.
+  repeated Chassis chassis = 5;
+}
+
+message CertKeyPair {
+  // Base64 encoding of ASN.1 DER certificate.
+  string cert = 1;
+  // Base64 encoding of PKCS#8 DER private key.
+  string key = 2;
+}
+
+message Chassis {
+  // Chassis manufacturer.
+  string manufacturer = 1;
+  // For fixed form factor chassis, populate only 1 control card to represent
+  // the chassis itself. For modular form factor chassis, populate 2 control
+  // cards.
+  repeated ControlCard control_cards = 2;
+  // The intended hostname of the chassis.
+  string hostname = 3;
+  // Boot mode defines the boot mode that can be secure or insecure.
+  bootz.BootMode boot_mode = 4;
+  // Whether Streaming Bootz is supported or not.
+  bool streaming_supported = 5;
+  // Software image to be loaded on the chassis.
+  bootz.SoftwareImage intended_image = 6;
+  // Bootloader password.
+  string boot_password_hash = 7;
+  // Boot config to be loaded on the chassis.
+  bootz.BootConfig boot_config = 8;
+  // Credentials.
+  bootz.Credentials credentials = 9;
+  // Pathz.
+  gnsi.pathz.v1.UploadRequest pathz = 10;
+  // Authz.
+  gnsi.authz.v1.UploadRequest authz = 11;
+  // Certz profiles.
+  bootz.CertzProfiles certz_profiles = 12;
+}
+
+message ControlCard {
+  // Serial number of the control card.
+  string serial_number = 1;
+  // Base64 encoding of ownership voucher.
+  string ownership_voucher = 2;
+  // Base64 encoding of PKIX DER EK/PPK public key.
+  // This field is not populated for control cards having IDevID.
+  string public_key = 3;
+  // Public key type: EK or PPK.
+  // This field is not populated for control cards having IDevID.
+  openconfig.attestz.Key public_key_type = 4;
+}