Minor fixes and additions (#207)
* replace ReadPublic() by DecodePublic() when creating and loading keys: the current implementation calls ReadPublic() even if public data is already accessible
* drop handle() from the ak interface: it is unnecessary
* add Blobs() to attest.Key: to allow agnostic key marshaling
pszal authored Apr 2, 2021
1 parent 611c659 commit 1bbba0b
Showing 5 changed files with 20 additions and 30 deletions.
6 changes: 6 additions & 0 deletions attest/application_key.go
Expand Up @@ -28,6 +28,7 @@ type key interface {
certificationParameters() CertificationParameters
sign(tpmBase, []byte) ([]byte, error)
decrypt(tpmBase, []byte) ([]byte, error)
blobs() ([]byte, []byte, error)
}

// Key represents a key which can be used for signing and decrypting
Expand Down Expand Up @@ -101,3 +102,8 @@ func (k *Key) Marshal() ([]byte, error) {
func (k *Key) CertificationParameters() CertificationParameters {
return k.key.certificationParameters()
}

// Blobs returns public and private blobs to be used by tpm2.Load().
func (k *Key) Blobs() (pub, priv []byte, err error) {
return k.key.blobs()
}
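Review bot: `blobs()` on the `key` interface and `Blobs()` on `Key` hand out the TPM public area and the parent-wrapped private blob without saying which parent they belong to; tpm2.Load() of the private blob only succeeds under the parent it was created with, which in wrapped_tpm20.go is the SRK-equivalent primary obtained via `getPrimaryKeyHandle(commonSrkEquivalentHandle)`, so the doc comment should say so. Suggest extending it to `// Blobs returns the TPM2 public area and the private blob of the key, in that order, for use with tpm2.Load(). The private blob is wrapped by the parent under which the key was created; loading it under any other parent fails.` The unexported interface method would also benefit from a trailing comment fixing the order, e.g. `blobs() ([]byte, []byte, error) // public, private`. Any other type implementing `key` must now provide blobs() as well; only the wrappedKey20 implementation is visible in this commit.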
2 changes: 0 additions & 2 deletions attest/attest.go
Expand Up @@ -24,7 +24,6 @@ import (
"github.com/google/certificate-transparency-go/x509"
"github.com/google/go-tpm/tpm"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
)

// TPMVersion is used to configure a preference in
Expand Down Expand Up @@ -104,7 +103,6 @@ type ak interface {
activateCredential(tpm tpmBase, in EncryptedCredential) ([]byte, error)
quote(t tpmBase, nonce []byte, alg HashAlg) (*Quote, error)
attestationParameters() AttestationParameters
handle() (tpmutil.Handle, error)
}

// AK represents a key which can be used for attestation.
5 changes: 0 additions & 5 deletions attest/key_linux.go
Expand Up @@ -19,7 +19,6 @@ package attest
import (
"fmt"

"github.com/google/go-tpm/tpmutil"
"github.com/google/go-tspi/attestation"
)

Expand Down Expand Up @@ -92,7 +91,3 @@ func (k *trousersKey12) attestationParameters() AttestationParameters {
UseTCSDActivationFormat: true,
}
}

func (k *trousersKey12) handle() (tpmutil.Handle, error) {
return 0, fmt.Errorf("not implemented")
}
9 changes: 0 additions & 9 deletions attest/key_windows.go
Expand Up @@ -20,7 +20,6 @@ import (
"fmt"

tpm1 "github.com/google/go-tpm/tpm"
"github.com/google/go-tpm/tpmutil"
)

// windowsKey12 represents a Windows-managed key on a TPM1.2 TPM.
Expand Down Expand Up @@ -112,10 +111,6 @@ func (k *windowsKey12) attestationParameters() AttestationParameters {
}
}

func (k *windowsKey12) handle() (tpmutil.Handle, error) {
return 0, fmt.Errorf("not implemented")
}

// windowsKey20 represents a key bound to a TPM 2.0.
type windowsKey20 struct {
hnd uintptr
Expand Down Expand Up @@ -189,7 +184,3 @@ func (k *windowsKey20) attestationParameters() AttestationParameters {
CreateSignature: k.createSignature,
}
}

func (k *windowsKey20) handle() (tpmutil.Handle, error) {
return 0, fmt.Errorf("not implemented")
}
28 changes: 14 additions & 14 deletions attest/wrapped_tpm20.go
Expand Up @@ -159,9 +159,9 @@ func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) {

func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
// TODO(szp): TODO(jsonp): Abstract choice of hierarchy & parent.
certifierHandle, err := ak.ak.handle()
if err != nil {
return nil, fmt.Errorf("cannot get AK's handle: %v", err)
k, ok := ak.ak.(*wrappedKey20)
if !ok {
return nil, fmt.Errorf("expected *wrappedKey20, got: %T", k)
}

srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
Expand All @@ -185,7 +185,7 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
}()

// Certify application key by AK
attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, certifierHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, k.hnd, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
if err != nil {
return nil, fmt.Errorf("CertifyCreation failed: %v", err)
}
Expand All @@ -195,13 +195,13 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
return nil, fmt.Errorf("failed to pack TPMT_SIGNATURE: %v", err)
}

tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, keyHandle)
tpmPub, err := tpm2.DecodePublic(pub)
if err != nil {
return nil, fmt.Errorf("read public blob: %v", err)
return nil, fmt.Errorf("decode public key: %v", err)
}
pubKey, err := tpmPub.Key()
if err != nil {
return nil, fmt.Errorf("decode public key: %v", err)
return nil, fmt.Errorf("access public key: %v", err)
}
return &Key{key: newWrappedKey20(keyHandle, blob, pub, creationData, attestation, signature), pub: pubKey, tpm: t}, nil
}
Expand Down Expand Up @@ -239,13 +239,13 @@ func (t *wrappedTPM20) loadKey(opaqueBlob []byte) (*Key, error) {
if err != nil {
return nil, fmt.Errorf("cannot load signing key: %v", err)
}
tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, hnd)
tpmPub, err := tpm2.DecodePublic(sKey.Public)
if err != nil {
return nil, fmt.Errorf("read public blob: %v", err)
return nil, fmt.Errorf("decode public blob: %v", err)
}
pub, err := tpmPub.Key()
if err != nil {
return nil, fmt.Errorf("decode public key: %v", err)
return nil, fmt.Errorf("access public key: %v", err)
}
return &Key{key: newWrappedKey20(hnd, sKey.Blob, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature), pub: pub, tpm: t}, nil
}
Expand Down Expand Up @@ -396,10 +396,6 @@ func (k *wrappedKey20) certificationParameters() CertificationParameters {
}
}

func (k *wrappedKey20) handle() (tpmutil.Handle, error) {
return k.hnd, nil
}

func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) {
t, ok := tb.(*wrappedTPM20)
if !ok {
Expand All @@ -424,3 +420,7 @@ func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) {
func (k *wrappedKey20) decrypt(tb tpmBase, ctxt []byte) ([]byte, error) {
return nil, fmt.Errorf("not implemented")
}

func (k *wrappedKey20) blobs() ([]byte, []byte, error) {
return k.public, k.blob, nil
}
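Review bot: In the type assertion added to newKey, the error branch formats `%T` with `k`, which on the failure path is the zero `*wrappedKey20`, so the message always reports `*attest.wrappedKey20` instead of the type that was actually found; format the interface value instead: `return nil, fmt.Errorf("expected *wrappedKey20, got: %T", ak.ak)`. Further down, the new `blobs()` returns `k.public` and `k.blob` as-is, so a caller that modifies the slices it gets from `Key.Blobs()` alters the key's own state; either copy them (`append([]byte(nil), k.public...)`, and likewise for `k.blob`) or state in the `Blobs` doc comment that the returned slices must not be modified. In loadKey the public area is now decoded from the serialized blob (`sKey.Public`) rather than read back from the TPM; that is sound only because the preceding tpm2.Load (outside the visible hunk) has to have succeeded with the same public area, which deserves a one-line comment at the DecodePublic call, e.g. `// Safe to trust sKey.Public here: Load above already verified it against the private blob.`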
