@salrashid123
salrashid123 / ekm.go
Created October 28, 2023 14:59
Extract EKM ([RFC 5705](https://datatracker.ietf.org/doc/html/rfc5705) exported keying material) for a TLS connection using golang
package main
/*
Sample that prints the EKM value for a TLS connection:
https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html
https://github.com/salrashid123/go_mtls_scratchpad/tree/main#exported-key-material
*/
import (
"context"
@salrashid123
salrashid123 / aws_federation_with_tags.md
Last active October 27, 2023 12:26
AWS Session Tags with OIDC Federation

AWS Session Tags with OIDC Federation

Snippet demonstrating how to set up AWS federation for an OIDC provider so that "custom claims" in the token are checked as session tags.

With this, you can define a trust relationship for an AWS role that requires a specific custom claim.

Normally, AWS OIDC federation only lets you condition on a very limited set of token fields, such as aud and sub.

What this allows for is a very limited custom claim validation... I'm saying very limited because you apparently have to use the precise claim name AWS looks for...

@salrashid123
salrashid123 / workload_federation_svc_account.go
Last active October 14, 2023 14:16
Access GCP and Workspace APIs using GCP Workload Identity Federation with Service Account Impersonation
package main
import (
"fmt"
"log"
"context"
"cloud.google.com/go/storage"
@salrashid123
salrashid123 / workload_federation_dwd.go
Last active October 13, 2023 16:49
Access GCP and Workspace APIs using GCP Workload Identity Federation with Domain-Wide Delegation
package main
import (
"fmt"
"log"
"context"
"cloud.google.com/go/storage"
@salrashid123
salrashid123 / bqjwt.go
Last active August 31, 2023 15:18
GCP JWTAccessTokens for BQ APIs
/*
see
https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
for TPM https://github.com/salrashid123/oauth2#usage-tpmtokensource
*/
package main
import (
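The gist is truncated above, so here is an added example (my code, not the gist's) of the self-signed JWT flow the linked Google doc describes, reduced to its essentials in Go: the service account signs a JWT whose iss and sub are its email and whose aud is the API root, and that JWT is itself the bearer token, with no exchange at the OAuth token endpoint. The RSA key is generated in-process as a stand-in for the service account's private key (the kid stands in for private_key_id); the email, kid and one-hour cap are assumptions for the demo, and the verifier is included only to show the checks the receiving side performs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"strings"
	"time"
)

// Header and claim set of a Google self-signed JWT access token: the service
// account signs it and presents it directly as the bearer token.
type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"` // private_key_id from the service account JSON
}
type jwtClaims struct {
	Iss string `json:"iss"` // service account email
	Sub string `json:"sub"` // same as iss
	Aud string `json:"aud"` // API root, e.g. https://bigquery.googleapis.com/
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildJWTAccessToken signs header.payload with RS256. Lifetime is capped at
// one hour, the maximum Google accepts for this token type.
func BuildJWTAccessToken(key *rsa.PrivateKey, kid, saEmail, audience string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > time.Hour {
		return "", errors.New("ttl must be between 0 and 1h")
	}
	hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT", Kid: kid}) // plain structs: Marshal cannot fail
	claims, _ := json.Marshal(jwtClaims{Iss: saEmail, Sub: saEmail, Aud: audience, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyJWTAccessToken mirrors the receiving API: pin the algorithm (never
// trust "alg" blindly), verify RS256 over header.payload, then audience and expiry.
func VerifyJWTAccessToken(pub *rsa.PublicKey, token, wantAud string, now time.Time) (*jwtClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr jwtHeader
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected header or algorithm")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c jwtClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Aud != wantAud || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("audience/expiry check failed (aud=%q exp=%d)", c.Aud, c.Exp)
	}
	return &c, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the SA key
	if err != nil {
		log.Fatal(err)
	}
	const aud = "https://bigquery.googleapis.com/"
	tok, err := BuildJWTAccessToken(key, "key-id-1", "sa@example.iam.gserviceaccount.com", aud, time.Now(), time.Hour)
	if err != nil {
		log.Fatal(err)
	}
	if _, err := VerifyJWTAccessToken(&key.PublicKey, tok, aud, time.Now()); err != nil {
		log.Fatal(err)
	}
	fmt.Println("Authorization: Bearer " + tok)
}
```

When the private key lives in a TPM, as with the TPM token source linked above, only the rsa.SignPKCS1v15 call changes: the SHA-256 digest goes to the TPM and the signature comes back, and the key never leaves the chip. The audience check is the part people skip: a token minted for one API root must not be accepted by another.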
@salrashid123
salrashid123 / sa_import.md
Last active April 1, 2024 15:02
Importing ServiceAccount Credentials to TPMs

Sample procedure to encrypt a GCP service account RSA key such that it is loadable only on specific TPMs.

This procedure saves the key reference to the TPM's non-volatile memory, so it persists across power cycles.

However, there are limited NV slots available (7 per TPM, I think).

Long term, the plan is to allow full persistence via go-tpm-tools ("Allow persistence client.Key()") and move away from NVRAM slots.

Also see

@salrashid123
salrashid123 / gcp-tpm.md
Last active August 29, 2023 00:40
Trusted Platform Module (TPM) based GCP Service Account Key
@salrashid123
salrashid123 / cog_bazel.md
Last active August 18, 2023 11:43
Deterministic builds with cog and bazel (https://github.com/replicate/cog/issues/1250)

Using bazel to build a deterministic cog image.

The following builds an image with the hash

sha256:3db6542dc746aeabaa39d902570430e1d50c416e7fc20b875c10578aa5e62875

(more or less: copying and pasting from the gist may add newlines or whitespace to the .py files and other sources, which changes the hash)

@salrashid123
salrashid123 / parseIssuer.go
Last active August 13, 2023 13:49
Parse certificate.Issuer from raw DER bytes in golang
/*
Parse the Certificate.Issuer struct from raw DER bytes
code uses parser from https://go.dev/src/crypto/x509/parser.go
https://lapo.it/asn1js/#MIIELTCCAxWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlFbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIzMDQwNzE0MDQwN1oXDTI1MDQwNjE0MDQwN1owRTELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UECwwKRW50ZXJwcmlzZTEQMA4GA1UEAwwHbWNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGzSU8QxpblEH9igyDzn24R1M3dNU9inBjxPmGFrbzI1HN2oGxVdYSDmTmRwPmuLVxvX3HiFSGuhG3GvjrMskydY6dqvcZmOB8IMcCuw74kXIOevGyBVr8EJN-Z8tLXvZHyZgDe-1bDRkw4IsmhJrgnrWWAoWucyTSKYq8U5ZQt_1f3_nMAtkmt2kI3mrF1E_ibasa_aWngsyjtAVC-y1p2hDznHU8rDLxdgNKIo3X85eDFAOi-wDPMxrO3_vtNP2i1OrKv-GLj_0d1HzGV_4R5sMzNCOVXJ7H7TbbxFceC6ajMwEddZdASB7E4Mc43T4yuQy0_opravLkQQFacuZcCAwEAAaOCARQwggEQMA4GA1UdDwEB_wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBRNAL-pKqCVY-RHtsRYG80GoULfLDAfBgNVHSMEGDAWgBSTvRe8TcBkyWIHOosz4S12KzT3wzBEBggrBgEFBQcBAQQ4MDYwNAYI
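An added example (my code, not the gist's) of the same extraction done with encoding/asn1 instead of the copied crypto/x509 parser: it declares only the TBSCertificate prefix through issuer, relying on encoding/asn1 accepting unparsed trailing SEQUENCE members, decodes the issuer RDNSequence into a pkix.Name, and cross-checks the raw bytes against x509.ParseCertificate's RawIssuer. The certificate is constructed in-process with the issuer name the asn1js link above decodes to (C=US, O=Google, OU=Enterprise, CN=Enterprise Subordinate CA); the key, serial and validity are throwaway values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// tbsPrefix covers TBSCertificate (RFC 5280 s4.1.1) up to and including
// issuer. encoding/asn1 permits unparsed trailing SEQUENCE members, so the
// remaining fields (validity, subject, SPKI, extensions) are simply skipped.
type tbsPrefix struct {
	Version      int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber *big.Int
	SigAlg       pkix.AlgorithmIdentifier
	Issuer       asn1.RawValue
}

// certPrefix is the outer Certificate SEQUENCE; the signatureAlgorithm and
// signatureValue that follow tbsCertificate are left unparsed.
type certPrefix struct {
	TBS tbsPrefix
}

// IssuerFromDER extracts the issuer Name from a DER certificate without
// x509.ParseCertificate, returning the decoded Name and the raw issuer bytes
// (the form to use for byte-for-byte comparison against a CRL or AKI issuer).
func IssuerFromDER(der []byte) (pkix.Name, []byte, error) {
	var c certPrefix
	rest, err := asn1.Unmarshal(der, &c)
	if err != nil {
		return pkix.Name{}, nil, err
	}
	if len(rest) != 0 {
		return pkix.Name{}, nil, fmt.Errorf("%d trailing bytes after certificate", len(rest))
	}
	if c.TBS.Issuer.Class != asn1.ClassUniversal || c.TBS.Issuer.Tag != asn1.TagSequence || !c.TBS.Issuer.IsCompound {
		return pkix.Name{}, nil, errors.New("issuer is not a SEQUENCE")
	}
	var rdn pkix.RDNSequence
	if rest, err := asn1.Unmarshal(c.TBS.Issuer.FullBytes, &rdn); err != nil || len(rest) != 0 {
		return pkix.Name{}, nil, fmt.Errorf("issuer RDNSequence: err=%v, %d trailing bytes", err, len(rest))
	}
	var name pkix.Name
	name.FillFromRDNSequence(&rdn)
	return name, c.TBS.Issuer.FullBytes, nil
}

// constructedCertDER makes a throwaway self-signed certificate whose subject,
// and therefore issuer, mirrors the CA name in the asn1js link above.
func constructedCertDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject: pkix.Name{Country: []string{"US"}, Organization: []string{"Google"},
			OrganizationalUnit: []string{"Enterprise"}, CommonName: "Enterprise Subordinate CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := constructedCertDER()
	if err != nil {
		log.Fatal(err)
	}
	issuer, raw, err := IssuerFromDER(der)
	if err != nil {
		log.Fatal(err)
	}
	// Cross-check against the standard parser's RawIssuer.
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("issuer: %s\nraw issuer matches x509.ParseCertificate: %v\n", issuer, bytes.Equal(raw, cert.RawIssuer))
}
```

Keep the raw bytes, not just the pkix.Name: chain building and CRL matching should compare issuer DER byte-for-byte, since string forms of a Name lose the attribute string types and ordering details that distinguish two encodings of the "same" name.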