Minor fixes and additions (#207)

* replace ReadPublic() by DecodePublic() when creating and loading keys: the current implementation calls ReadPublic() even if public data is already accessible * drop handle() from the ak interface: it is unnecessary * add Blobs() to attest.Key: to allow agnostic key marshaling
2025-02-21 01:11:21 +00:00 · 2021-04-01 19:29:45 -07:00 · 2021-04-01 19:29:45 -07:00 · 1bbba0bdfd
commit 1bbba0bdfd
parent 611c6598b2
5 changed files with 20 additions and 30 deletions
--- a/attest/application_key.go
+++ b/attest/application_key.go
@ -28,6 +28,7 @@ type key interface {
 	certificationParameters() CertificationParameters
 	sign(tpmBase, []byte) ([]byte, error)
 	decrypt(tpmBase, []byte) ([]byte, error)
+	blobs() ([]byte, []byte, error)
 }

 // Key represents a key which can be used for signing and decrypting
@ -101,3 +102,8 @@ func (k *Key) Marshal() ([]byte, error) {
 func (k *Key) CertificationParameters() CertificationParameters {
 	return k.key.certificationParameters()
 }
+
+// Blobs returns public and private blobs to be used by tpm2.Load().
+func (k *Key) Blobs() (pub, priv []byte, err error) {
+	return k.key.blobs()
+}
--- a/attest/attest.go
+++ b/attest/attest.go
@ -24,7 +24,6 @@ import (
 	"github.com/google/certificate-transparency-go/x509"
 	"github.com/google/go-tpm/tpm"
 	"github.com/google/go-tpm/tpm2"
-	"github.com/google/go-tpm/tpmutil"
 )

 // TPMVersion is used to configure a preference in
@ -104,7 +103,6 @@ type ak interface {
 	activateCredential(tpm tpmBase, in EncryptedCredential) ([]byte, error)
 	quote(t tpmBase, nonce []byte, alg HashAlg) (*Quote, error)
 	attestationParameters() AttestationParameters
-	handle() (tpmutil.Handle, error)
 }

 // AK represents a key which can be used for attestation.
--- a/attest/key_linux.go
+++ b/attest/key_linux.go
@ -19,7 +19,6 @@ package attest
 import (
 	"fmt"

-	"github.com/google/go-tpm/tpmutil"
 	"github.com/google/go-tspi/attestation"
 )

@ -92,7 +91,3 @@ func (k *trousersKey12) attestationParameters() AttestationParameters {
 		UseTCSDActivationFormat: true,
 	}
 }
-
-func (k *trousersKey12) handle() (tpmutil.Handle, error) {
-	return 0, fmt.Errorf("not implemented")
-}
--- a/attest/key_windows.go
+++ b/attest/key_windows.go
@ -20,7 +20,6 @@ import (
 	"fmt"

 	tpm1 "github.com/google/go-tpm/tpm"
-	"github.com/google/go-tpm/tpmutil"
 )

 // windowsKey12 represents a Windows-managed key on a TPM1.2 TPM.
@ -112,10 +111,6 @@ func (k *windowsKey12) attestationParameters() AttestationParameters {
 	}
 }

-func (k *windowsKey12) handle() (tpmutil.Handle, error) {
-	return 0, fmt.Errorf("not implemented")
-}
-
 // windowsKey20 represents a key bound to a TPM 2.0.
 type windowsKey20 struct {
 	hnd uintptr
@ -189,7 +184,3 @@ func (k *windowsKey20) attestationParameters() AttestationParameters {
 		CreateSignature:   k.createSignature,
 	}
 }
-
-func (k *windowsKey20) handle() (tpmutil.Handle, error) {
-	return 0, fmt.Errorf("not implemented")
-}
--- a/attest/wrapped_tpm20.go
+++ b/attest/wrapped_tpm20.go
@ -159,9 +159,9 @@ func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) {

 func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
 	// TODO(szp): TODO(jsonp): Abstract choice of hierarchy & parent.
-	certifierHandle, err := ak.ak.handle()
-	if err != nil {
-		return nil, fmt.Errorf("cannot get AK's handle: %v", err)
+	k, ok := ak.ak.(*wrappedKey20)
+	if !ok {
+		return nil, fmt.Errorf("expected *wrappedKey20, got: %T", k)
 	}

 	srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
@ -185,7 +185,7 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
 	}()

 	// Certify application key by AK
-	attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, certifierHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
+	attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, k.hnd, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
 	if err != nil {
 		return nil, fmt.Errorf("CertifyCreation failed: %v", err)
 	}
@ -195,13 +195,13 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
 		return nil, fmt.Errorf("failed to pack TPMT_SIGNATURE: %v", err)
 	}

-	tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, keyHandle)
+	tpmPub, err := tpm2.DecodePublic(pub)
 	if err != nil {
-		return nil, fmt.Errorf("read public blob: %v", err)
+		return nil, fmt.Errorf("decode public key: %v", err)
 	}
 	pubKey, err := tpmPub.Key()
 	if err != nil {
-		return nil, fmt.Errorf("decode public key: %v", err)
+		return nil, fmt.Errorf("access public key: %v", err)
 	}
 	return &Key{key: newWrappedKey20(keyHandle, blob, pub, creationData, attestation, signature), pub: pubKey, tpm: t}, nil
 }
@ -239,13 +239,13 @@ func (t *wrappedTPM20) loadKey(opaqueBlob []byte) (*Key, error) {
 	if err != nil {
 		return nil, fmt.Errorf("cannot load signing key: %v", err)
 	}
-	tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, hnd)
+	tpmPub, err := tpm2.DecodePublic(sKey.Public)
 	if err != nil {
-		return nil, fmt.Errorf("read public blob: %v", err)
+		return nil, fmt.Errorf("decode public blob: %v", err)
 	}
 	pub, err := tpmPub.Key()
 	if err != nil {
-		return nil, fmt.Errorf("decode public key: %v", err)
+		return nil, fmt.Errorf("access public key: %v", err)
 	}
 	return &Key{key: newWrappedKey20(hnd, sKey.Blob, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature), pub: pub, tpm: t}, nil
 }
@ -396,10 +396,6 @@ func (k *wrappedKey20) certificationParameters() CertificationParameters {
 	}
 }

-func (k *wrappedKey20) handle() (tpmutil.Handle, error) {
-	return k.hnd, nil
-}
-
 func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) {
 	t, ok := tb.(*wrappedTPM20)
 	if !ok {
@ -424,3 +420,7 @@ func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) {
 func (k *wrappedKey20) decrypt(tb tpmBase, ctxt []byte) ([]byte, error) {
 	return nil, fmt.Errorf("not implemented")
 }
+
+func (k *wrappedKey20) blobs() ([]byte, []byte, error) {
+	return k.public, k.blob, nil
+}