From 1bbba0bdfd84dc1845819cbefd1c0702500d43ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Sza=C5=82achowski?= Date: Thu, 1 Apr 2021 19:29:45 -0700 Subject: [PATCH] Minor fixes and additions (#207) * replace ReadPublic() by DecodePublic() when creating and loading keys: the current implementation calls ReadPublic() even if public data is already accessible * drop handle() from the ak interface: it is unnecessary * add Blobs() to attest.Key: to allow agnostic key marshaling --- attest/application_key.go | 6 ++++++ attest/attest.go | 2 -- attest/key_linux.go | 5 ----- attest/key_windows.go | 9 --------- attest/wrapped_tpm20.go | 28 ++++++++++++++-------------- 5 files changed, 20 insertions(+), 30 deletions(-) diff --git a/attest/application_key.go b/attest/application_key.go index c39ccd94..8b6a8b4a 100644 --- a/attest/application_key.go +++ b/attest/application_key.go @@ -28,6 +28,7 @@ type key interface { certificationParameters() CertificationParameters sign(tpmBase, []byte) ([]byte, error) decrypt(tpmBase, []byte) ([]byte, error) + blobs() ([]byte, []byte, error) } // Key represents a key which can be used for signing and decrypting @@ -101,3 +102,8 @@ func (k *Key) Marshal() ([]byte, error) { func (k *Key) CertificationParameters() CertificationParameters { return k.key.certificationParameters() } + +// Blobs returns public and private blobs to be used by tpm2.Load(). +func (k *Key) Blobs() (pub, priv []byte, err error) { + return k.key.blobs() +} diff --git a/attest/attest.go b/attest/attest.go index c83bcad6..3e629d89 100644 --- a/attest/attest.go +++ b/attest/attest.go @@ -24,7 +24,6 @@ import ( "github.com/google/certificate-transparency-go/x509" "github.com/google/go-tpm/tpm" "github.com/google/go-tpm/tpm2" - "github.com/google/go-tpm/tpmutil" ) // TPMVersion is used to configure a preference in @@ -104,7 +103,6 @@ type ak interface { activateCredential(tpm tpmBase, in EncryptedCredential) ([]byte, error) quote(t tpmBase, nonce []byte, alg HashAlg) (*Quote, error) attestationParameters() AttestationParameters - handle() (tpmutil.Handle, error) } // AK represents a key which can be used for attestation. diff --git a/attest/key_linux.go b/attest/key_linux.go index 65de77fc..d61061f1 100644 --- a/attest/key_linux.go +++ b/attest/key_linux.go @@ -19,7 +19,6 @@ package attest import ( "fmt" - "github.com/google/go-tpm/tpmutil" "github.com/google/go-tspi/attestation" ) @@ -92,7 +91,3 @@ func (k *trousersKey12) attestationParameters() AttestationParameters { UseTCSDActivationFormat: true, } } - -func (k *trousersKey12) handle() (tpmutil.Handle, error) { - return 0, fmt.Errorf("not implemented") -} diff --git a/attest/key_windows.go b/attest/key_windows.go index 0349ada3..e1f47b8e 100644 --- a/attest/key_windows.go +++ b/attest/key_windows.go @@ -20,7 +20,6 @@ import ( "fmt" tpm1 "github.com/google/go-tpm/tpm" - "github.com/google/go-tpm/tpmutil" ) // windowsKey12 represents a Windows-managed key on a TPM1.2 TPM. @@ -112,10 +111,6 @@ func (k *windowsKey12) attestationParameters() AttestationParameters { } } -func (k *windowsKey12) handle() (tpmutil.Handle, error) { - return 0, fmt.Errorf("not implemented") -} - // windowsKey20 represents a key bound to a TPM 2.0. type windowsKey20 struct { hnd uintptr @@ -189,7 +184,3 @@ func (k *windowsKey20) attestationParameters() AttestationParameters { CreateSignature: k.createSignature, } } - -func (k *windowsKey20) handle() (tpmutil.Handle, error) { - return 0, fmt.Errorf("not implemented") -} diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index 459faab2..68f3cf61 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -159,9 +159,9 @@ func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) { func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) { // TODO(szp): TODO(jsonp): Abstract choice of hierarchy & parent. - certifierHandle, err := ak.ak.handle() - if err != nil { - return nil, fmt.Errorf("cannot get AK's handle: %v", err) + k, ok := ak.ak.(*wrappedKey20) + if !ok { + return nil, fmt.Errorf("expected *wrappedKey20, got: %T", k) } srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle) @@ -185,7 +185,7 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) { }() // Certify application key by AK - attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, certifierHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix) + attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, k.hnd, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix) if err != nil { return nil, fmt.Errorf("CertifyCreation failed: %v", err) } @@ -195,13 +195,13 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) { return nil, fmt.Errorf("failed to pack TPMT_SIGNATURE: %v", err) } - tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, keyHandle) + tpmPub, err := tpm2.DecodePublic(pub) if err != nil { - return nil, fmt.Errorf("read public blob: %v", err) + return nil, fmt.Errorf("decode public key: %v", err) } pubKey, err := tpmPub.Key() if err != nil { - return nil, fmt.Errorf("decode public key: %v", err) + return nil, fmt.Errorf("access public key: %v", err) } return &Key{key: newWrappedKey20(keyHandle, blob, pub, creationData, attestation, signature), pub: pubKey, tpm: t}, nil } @@ -239,13 +239,13 @@ func (t *wrappedTPM20) loadKey(opaqueBlob []byte) (*Key, error) { if err != nil { return nil, fmt.Errorf("cannot load signing key: %v", err) } - tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, hnd) + tpmPub, err := tpm2.DecodePublic(sKey.Public) if err != nil { - return nil, fmt.Errorf("read public blob: %v", err) + return nil, fmt.Errorf("decode public blob: %v", err) } pub, err := tpmPub.Key() if err != nil { - return nil, fmt.Errorf("decode public key: %v", err) + return nil, fmt.Errorf("access public key: %v", err) } return &Key{key: newWrappedKey20(hnd, sKey.Blob, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature), pub: pub, tpm: t}, nil } @@ -396,10 +396,6 @@ func (k *wrappedKey20) certificationParameters() CertificationParameters { } } -func (k *wrappedKey20) handle() (tpmutil.Handle, error) { - return k.hnd, nil -} - func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) { t, ok := tb.(*wrappedTPM20) if !ok { @@ -424,3 +420,7 @@ func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) { func (k *wrappedKey20) decrypt(tb tpmBase, ctxt []byte) ([]byte, error) { return nil, fmt.Errorf("not implemented") } + +func (k *wrappedKey20) blobs() ([]byte, []byte, error) { + return k.public, k.blob, nil +}