mirror of
https://github.com/google/go-attestation.git
synced 2024-12-21 13:57:55 +00:00
Implement new credential activation scheme for windows (#33)
* Implement new credential activation scheme for windows
This commit is contained in:
parent
70c839779d
commit
5b7e00554a
@ -183,89 +183,42 @@ func (k *Key) Marshal() ([]byte, error) {
|
||||
return json.Marshal(k)
|
||||
}
|
||||
|
||||
func decodeTrousersCredential(secretKey, blob []byte) ([]byte, error) {
|
||||
var header struct {
|
||||
Credsize uint32
|
||||
AlgID uint32
|
||||
EncScheme uint16
|
||||
SigScheme uint16
|
||||
Parmsize uint32
|
||||
}
|
||||
func decryptCredential(secretKey, blob []byte) ([]byte, error) {
|
||||
var scheme uint32
|
||||
symbuf := bytes.NewReader(blob)
|
||||
if err := binary.Read(symbuf, binary.BigEndian, &header); err != nil {
|
||||
return nil, err
|
||||
if err := binary.Read(symbuf, binary.BigEndian, &scheme); err != nil {
|
||||
return nil, fmt.Errorf("reading scheme: %v", err)
|
||||
}
|
||||
// Unload the symmetric key parameters.
|
||||
parms := make([]byte, header.Parmsize)
|
||||
if err := binary.Read(symbuf, binary.BigEndian, parms); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Unpack the symmetrically encrypted secret.
|
||||
cred := make([]byte, header.Credsize)
|
||||
if err := binary.Read(symbuf, binary.BigEndian, cred); err != nil {
|
||||
return nil, err
|
||||
if scheme != 0x00000002 {
|
||||
return nil, fmt.Errorf("can only handle CBC schemes")
|
||||
}
|
||||
|
||||
// A TPM representation of a symmetric key, which is the
|
||||
// format of the blob returned from TPM_ActivateIdentity.
|
||||
var k struct {
|
||||
AlgID uint32
|
||||
EncScheme uint16
|
||||
Key []byte
|
||||
}
|
||||
in := bytes.NewReader(secretKey)
|
||||
if err := binary.Read(in, binary.BigEndian, &k.AlgID); err != nil {
|
||||
iv := make([]byte, 16)
|
||||
if err := binary.Read(symbuf, binary.BigEndian, &iv); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err := binary.Read(in, binary.BigEndian, &k.EncScheme); err != nil {
|
||||
return nil, err
|
||||
cipherText := make([]byte, len(blob)-20)
|
||||
if err := binary.Read(symbuf, binary.BigEndian, &cipherText); err != nil {
|
||||
return nil, fmt.Errorf("reading ciphertext: %v", err)
|
||||
}
|
||||
var size uint16
|
||||
if err := binary.Read(in, binary.BigEndian, &size); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
key := make([]byte, size)
|
||||
if err := binary.Read(in, binary.BigEndian, &key); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
k.Key = key
|
||||
|
||||
// Decrypt the credential.
|
||||
var (
|
||||
block cipher.Block
|
||||
iv []byte
|
||||
ciphertxt []byte
|
||||
secret []byte
|
||||
err error
|
||||
)
|
||||
switch id := k.AlgID; id {
|
||||
case 6: // algAES128
|
||||
block, err = aes.NewCipher(k.Key)
|
||||
block, err = aes.NewCipher(secretKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("aes.NewCipher failed: %v", err)
|
||||
}
|
||||
iv = cred[:aes.BlockSize]
|
||||
ciphertxt = cred[aes.BlockSize:]
|
||||
secret = ciphertxt
|
||||
default:
|
||||
return nil, fmt.Errorf("%v is not a supported session key algorithm", id)
|
||||
}
|
||||
switch es := k.EncScheme; es {
|
||||
case 4: // esSymCTR
|
||||
stream := cipher.NewCTR(block, iv)
|
||||
stream.XORKeyStream(secret, ciphertxt)
|
||||
case 5: // esSymOFB
|
||||
stream := cipher.NewOFB(block, iv)
|
||||
stream.XORKeyStream(secret, ciphertxt)
|
||||
case 0xff: // esSymCBCPKCS5 - tcsd specific
|
||||
secret = cipherText
|
||||
|
||||
mode := cipher.NewCBCDecrypter(block, iv)
|
||||
mode.CryptBlocks(secret, ciphertxt)
|
||||
mode.CryptBlocks(secret, cipherText)
|
||||
// Remove PKCS5 padding.
|
||||
padlen := int(secret[len(secret)-1])
|
||||
secret = secret[:len(secret)-padlen]
|
||||
default:
|
||||
return nil, fmt.Errorf("%v is not a supported encryption scheme", es)
|
||||
}
|
||||
return secret, nil
|
||||
}
|
||||
|
||||
@ -283,7 +236,7 @@ func (k *Key) ActivateCredential(tpm *TPM, in EncryptedCredential) ([]byte, erro
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return decodeTrousersCredential(secretKey, in.Secret)
|
||||
return decryptCredential(secretKey, in.Secret)
|
||||
case TPMVersion20:
|
||||
return tpm.pcp.ActivateCredential(k.hnd, append(in.Credential, in.Secret...))
|
||||
default:
|
||||
|
Loading…
Reference in New Issue
Block a user