ExternalVendorCode/go-attestation
1
0
Fork 0
mirror of https://github.com/google/go-attestation.git synced 2024-12-18 20:47:57 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Fix Intel EK certificate URL (#310)

Browse Source 
* Fix Intel EK certificate URL

To download the certificate for an Intel TPM, the base64 padding
in the URL needs to be replaced with `%3D`. If it's not replaced,
requesting the URL will result in HTTP 403 Forbidden.

* Use `url.QueryEscape` to escape base64 padding
This commit is contained in:
Herman Slatman 2023-06-02 18:17:59 +02:00 committed by GitHub
parent b474b712d4
commit 89884d0a74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
attest/tpm.go
View File

@ -24,6 +24,7 @@ import (
"encoding/binary" "encoding/binary"
"fmt" "fmt"
"io" "io"
"net/url"
"strings" "strings"
"github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2"
@ -219,7 +220,7 @@ func intelEKURL(ekPub *rsa.PublicKey) string {
pubHash.Write(ekPub.N.Bytes()) pubHash.Write(ekPub.N.Bytes())
pubHash.Write([]byte{0x1, 0x00, 0x01}) pubHash.Write([]byte{0x1, 0x00, 0x01})
return intelEKCertServiceURL + base64.URLEncoding.EncodeToString(pubHash.Sum(nil)) return intelEKCertServiceURL + url.QueryEscape(base64.URLEncoding.EncodeToString(pubHash.Sum(nil)))
} }
func readEKCertFromNVRAM20(tpm io.ReadWriter) (*x509.Certificate, error) { func readEKCertFromNVRAM20(tpm io.ReadWriter) (*x509.Certificate, error) {

25
attest/tpm_test.go
View File

@ -8,17 +8,22 @@ import (
"testing" "testing"
) )
// Generated using the following command: // Created by downloading the base64-url encoded PEM data from
// https://ekop.intel.com/ekcertservice/WVEG2rRwkQ7m3RpXlUphgo6Y2HLxl18h6ZZkkOAdnBE%3D,
// extracting its public key, and formatting it to PEM using
// //
// openssl genrsa 2048|openssl rsa -outform PEM -pubout // openssl x509 -in ekcert.pem -pubkey
//
// This is the public key from the EK cert that's used for testing tpm2-tools:
// https://github.com/tpm2-software/tpm2-tools/blob/master/test/integration/tests/getekcertificate.sh
var testRSAKey = mustParseRSAKey(`-----BEGIN PUBLIC KEY----- var testRSAKey = mustParseRSAKey(`-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8zyTXCjVALZzjS8wgNH MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwyDi8kSoYBqs8+AdJsZl
nAVdt4ZGM3N450xOnLplx/RbCVwXyu83SWh0B3Ka+92aocqcHzo+j6e6Urppre/I JJk1Vi3h2hl+nn8HbEaWE8+2U+mOwsOG/B0TPyyMbMM4tzLwsgi9g4qHej5bvD4d
+7VVKTdUAr8t5gxgSLGvo+ev+zv70GF4DmJthb8JNheHCmk3RnoSFs5TnDuSdvGb QIToNcfIkGocBbTS0w/b68HbrZUPprFlvUtqhkYDFGFkwMT1nUiQEe8fko3upukA
KcSzas0186LQyxvwfFjTxLweGrZKh/CTewD0/f5ozXmbTtJpl+qYrMi9GJamGlg6 YfPTdeVkYnMVHvYiJSCYvhpKsB3AoSInxgn9rOsRWvQI1Gk6b0mRl3RpWwwSvBih
N6EsWKh1xos8J/cEmS2vbyCGGADyBwRV8Zkto5EU1HJaEli10HVZf0D06vuKzzxM /3EgpzN7L7XxlR2Lt/CU1bVUwRyVI7MHKf5keH0KE7nmMEiNq039hmNKUnDscvzF
+6W7LzGqzAPeaWvHi07ezShqdr5q5y1KKhFJcy8HOpwN8iFfIw70y3FtMlrMprrU pE3GeajzKTjdgZfina6Dn1tMoPXeJ8lSLCPFThws5XhZUlEYvURwsYGA7veK5CZ7
twIDAQAB zQIDAQAB
-----END PUBLIC KEY-----`) -----END PUBLIC KEY-----`)
func mustParseRSAKey(data string) *rsa.PublicKey { func mustParseRSAKey(data string) *rsa.PublicKey {
@ -45,7 +50,7 @@ func parseRSAKey(data string) (*rsa.PublicKey, error) {
} }
func TestIntelEKURL(t *testing.T) { func TestIntelEKURL(t *testing.T) {
want := "https://ekop.intel.com/ekcertservice/7YtWV2nT3LpvSCfJt7ENIznN1R1jYkj_3S6mez3yyzg=" want := "https://ekop.intel.com/ekcertservice/WVEG2rRwkQ7m3RpXlUphgo6Y2HLxl18h6ZZkkOAdnBE%3D"
got := intelEKURL(testRSAKey) got := intelEKURL(testRSAKey)
if got != want { if got != want {
t.Fatalf("intelEKURL(), got=%q, want=%q", got, want) t.Fatalf("intelEKURL(), got=%q, want=%q", got, want)