0.0.0-20240805214234-f870d6f1ff68
Repository: https://github.com/foxboron/go-tpm-keyfiles.git
Documentation: pkg.go.dev

# README

go-tpm-keyfile

Implements the ASN.1 Specification for TPM 2.0 Key Files.

https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html

Implementation Status

  • Loadable Keys
  • Importable Keys
  • Sealed data

Loadable Keys

With NewLoadableKey

package main

import (
	"fmt"
	"log"
	"os"

	keyfile "github.com/foxboron/go-tpm-keyfiles"

	"github.com/google/go-tpm/tpm2"
	"github.com/google/go-tpm/tpm2/transport/simulator"
)

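// main opens a TPM simulator, creates a 256-bit ECC loadable key and writes
// it to key.pem as a TPM 2.0 key file. Any failure is reported through
// log.Fatal after run's deferred cleanup has executed.
func main() {
	if err := run(); err != nil {
		log.Fatal(err)
	}
}

// run does the actual work in a function with a normal return so that the
// deferred simulator Close runs before the process exits (log.Fatal skips
// deferred calls). Every error is checked: the original example discarded
// them, which let a failed OpenSimulator reach tpm.Close on a nil transport,
// and os.Writefile (lowercase f) does not exist — the function is os.WriteFile.
func run() error {
	tpm, err := simulator.OpenSimulator()
	if err != nil {
		return fmt.Errorf("opening TPM simulator: %w", err)
	}
	defer tpm.Close()

	// The fourth argument is an empty auth value (presumably the owner auth;
	// check NewLoadableKey's signature), so this key is usable without a
	// password.
	k, err := keyfile.NewLoadableKey(tpm, tpm2.TPMAlgECC, 256, []byte{},
		keyfile.WithDescription("TPM Key"),
	)
	if err != nil {
		return fmt.Errorf("creating loadable key: %w", err)
	}

	// 0640: the private part is TPM-wrapped, but the file is still kept
	// unreadable by other users.
	if err := os.WriteFile("key.pem", k.Bytes(), 0640); err != nil {
		return fmt.Errorf("writing key.pem: %w", err)
	}
	return nil
}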

With NewTPMKey

package main

import (
	"fmt"
	"log"
	"os"

	keyfile "github.com/foxboron/go-tpm-keyfiles"

	"github.com/google/go-tpm/tpm2"
	"github.com/google/go-tpm/tpm2/transport/simulator"
)

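// main creates an ECC key directly with go-tpm and wraps the resulting
// public and private blobs into a TPM 2.0 key file at key.pem. Any failure
// is reported through log.Fatal after run's deferred cleanup has executed.
func main() {
	if err := run(); err != nil {
		log.Fatal(err)
	}
}

// run holds the TPM work in a function with a normal return so that the
// deferred handle flushes and the simulator Close execute before exit
// (log.Fatal does not run deferred calls).
//
// The original example did not compile: NameAlg and CurveID referenced the
// undefined identifiers sha and ecc, the CreateLoaded assignment was missing
// its error variable, the NewTPMKey argument list lacked a comma after the
// OID, and os.Writefile is spelled os.WriteFile. It also never flushed the
// transient objects it loaded into the TPM.
func run() error {
	tpm, err := simulator.OpenSimulator()
	if err != nil {
		return fmt.Errorf("opening TPM simulator: %w", err)
	}
	defer tpm.Close()

	// Primary storage key under the owner hierarchy built from the TCG ECC
	// SRK template. It is only needed as the parent of the key created below,
	// so its transient handle is flushed on return (best-effort; there is
	// nothing useful to do if the flush fails at exit).
	primary, err := tpm2.CreatePrimary{
		PrimaryHandle: tpm2.TPMRHOwner,
		InPublic:      tpm2.New2B(tpm2.ECCSRKTemplate),
	}.Execute(tpm)
	if err != nil {
		return fmt.Errorf("creating primary key: %w", err)
	}
	defer tpm2.FlushContext{FlushHandle: primary.ObjectHandle}.Execute(tpm)

	// P-256 signing key bound to this TPM (FixedTPM) and to this parent
	// (FixedParent). UserWithAuth means the object's own auth value gates its
	// use; no InSensitive is supplied to CreateLoaded below, so that auth
	// value is empty for this example key.
	eccTemplate := tpm2.TPMTPublic{
		Type:    tpm2.TPMAlgECC,
		NameAlg: tpm2.TPMAlgSHA256,
		ObjectAttributes: tpm2.TPMAObject{
			SignEncrypt:         true,
			FixedTPM:            true,
			FixedParent:         true,
			SensitiveDataOrigin: true,
			UserWithAuth:        true,
		},
		Parameters: tpm2.NewTPMUPublicParms(
			tpm2.TPMAlgECC,
			&tpm2.TPMSECCParms{
				CurveID: tpm2.TPMECCNistP256,
				Scheme: tpm2.TPMTECCScheme{
					Scheme: tpm2.TPMAlgNull,
				},
			},
		),
	}

	// The SRK template has no auth, so an empty password authorises the parent.
	eccKeyResponse, err := tpm2.CreateLoaded{
		ParentHandle: tpm2.AuthHandle{
			Handle: primary.ObjectHandle,
			Name:   primary.Name,
			Auth:   tpm2.PasswordAuth([]byte(nil)),
		},
		InPublic: tpm2.New2BTemplate(&eccTemplate),
	}.Execute(tpm)
	if err != nil {
		return fmt.Errorf("creating ECC key: %w", err)
	}
	// The key file only needs the returned blobs, not the loaded object.
	defer tpm2.FlushContext{FlushHandle: eccKeyResponse.ObjectHandle}.Execute(tpm)

	k := keyfile.NewTPMKey(
		keyfile.OIDOldLoadableKey,
		eccKeyResponse.OutPublic,
		eccKeyResponse.OutPrivate,
		keyfile.WithDescription("This is a TPM Key"),
	)

	// 0640: the private part is TPM-wrapped, but the file is still kept
	// unreadable by other users.
	if err := os.WriteFile("key.pem", k.Bytes(), 0640); err != nil {
		return fmt.Errorf("writing key.pem: %w", err)
	}
	return nil
}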

TPMSigner

go-tpm-keyfile implements the crypto.Signer interface for its keys, so signatures can be created and verified with the standard library abstractions.

The TPMKeySigner struct takes callbacks for the user auth, the owner auth and for obtaining the TPM, which makes it easier to integrate with flows that need user input.

package main

import (
	"crypto"
	"fmt"
	"log"
	"os"

	keyfile "github.com/foxboron/go-tpm-keyfiles"

	"github.com/google/go-tpm/tpm2"
	"github.com/google/go-tpm/tpm2/transport/simulator"
)

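// main creates a loadable ECC key, signs a SHA-256 digest through the
// crypto.Signer returned by TPMKey.Signer and verifies the signature with
// TPMKey.Verify. Any failure is reported through log.Fatal after run's
// deferred cleanup has executed.
func main() {
	if err := run(); err != nil {
		log.Fatal(err)
	}
}

// run keeps the TPM work in a function with a normal return so that the
// deferred simulator Close runs before exit (log.Fatal skips deferred calls).
//
// The original example called an unqualified NewLoadableKey (it lives in the
// keyfile package) and used io and log without importing them, so it did not
// compile; it also discarded every error, so a signing failure would have
// been reported as "invalid signature".
func run() error {
	tpm, err := simulator.OpenSimulator()
	if err != nil {
		return fmt.Errorf("opening TPM simulator: %w", err)
	}
	defer tpm.Close()

	// Empty auth value for the example key (presumably the owner auth; check
	// NewLoadableKey's signature).
	k, err := keyfile.NewLoadableKey(tpm, tpm2.TPMAlgECC, 256, []byte(""))
	if err != nil {
		return fmt.Errorf("creating loadable key: %w", err)
	}

	// Owner auth and user auth are both empty here; a real key would
	// typically carry at least a user auth.
	signer, err := k.Signer(tpm, []byte(""), []byte(""))
	if err != nil {
		return fmt.Errorf("creating signer: %w", err)
	}

	h := crypto.SHA256.New()
	h.Write([]byte("message")) // hash.Hash.Write never returns an error
	digest := h.Sum(nil)

	// The original example passed a nil io.Reader, so the TPM-backed signer
	// evidently does not read entropy from the caller.
	sig, err := signer.Sign(nil, digest, crypto.SHA256)
	if err != nil {
		return fmt.Errorf("signing digest: %w", err)
	}

	ok, err := k.Verify(crypto.SHA256, digest, sig)
	if err != nil {
		return fmt.Errorf("verifying signature: %w", err)
	}
	if !ok {
		return fmt.Errorf("invalid signature")
	}
	return nil
}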

# Packages

No description provided by the author
No description provided by the author

# Functions

ChangeAuth changes the object auth to a new value; note that this modifies the private blob inside the key in place.
TODO: Private until I'm confident of the API.
Creates a Storage Key, or returns the already-loaded storage key.
No description provided by the author
No description provided by the author
No description provided by the author
Helper to flush handles.
This looks at the passed parent defined in a TPMKey and gives back the appropriate handle to load our TPM key under.
Returns a loadable key.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
NewLoadableKey creates a new LoadableKey.
NewLoadableKeyWithResponse creates a new LoadableKey and returns the tpm2.CreateResponse.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author

# Variables

If a permanent handle (MSO 0x40) is specified then the implementation MUST run TPM2_CreatePrimary on the handle using the TCG specified Elliptic Curve template [TCG-Provision] (section 7.5.1 for the Storage and other seeds or 7.4.1 for the endorsement seed), which refers to the TCG EK Credential Profile [TCG-EK-Profile].
Errors.
id-importablekey OBJECT IDENTIFIER ::= {id-tpmkey 4}.
id-loadablekey OBJECT IDENTIFIER ::= {id-tpmkey 3}.
No description provided by the author
id-sealedkey OBJECT IDENTIFIER ::= {id-tpmkey 5}.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author

# Structs

No description provided by the author
No description provided by the author
TPMKeySigner implements the crypto.Signer interface for TPMKey. It allows passing callbacks for the TPM, the owner auth and the user auth.
No description provided by the author
This is a helper to deal with TPM Session encryption.

# Type aliases

No description provided by the author