ExternalVendorCode/go-attestation
1
0
Fork 0
mirror of https://github.com/google/go-attestation.git synced 2025-01-30 23:53:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add quote example, add note to Activation.Generate() about use of subtle to prevent timing attacks (#84)

Browse Source
This commit is contained in:
Tom D 2019-08-27 16:15:48 -07:00 committed by GitHub
parent d2afca77f5
commit fefdb7d336
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
attest/activation.go
View File

@ -206,6 +206,11 @@ func (p *ActivationParameters) checkTPM20AIKParameters() error {
// Generate returns a credential activation challenge, which can be provided // Generate returns a credential activation challenge, which can be provided
// to the TPM to verify the AIK parameters given are authentic & the AIK // to the TPM to verify the AIK parameters given are authentic & the AIK
// is present on the same TPM as the EK. // is present on the same TPM as the EK.
//
// The caller is expected to verify the secret returned from the TPM as
// as result of calling ActivateCredential() matches the secret returned here.
// The caller should use subtle.ConstantTimeCompare to avoid potential
// timing attack vectors.
func (p *ActivationParameters) Generate() (secret []byte, ec *EncryptedCredential, err error) { func (p *ActivationParameters) Generate() (secret []byte, ec *EncryptedCredential, err error) {
if err := p.checkAIKParameters(); err != nil { if err := p.checkAIKParameters(); err != nil {
return nil, nil, err return nil, nil, err

35
attest/example_test.go
View File

@ -45,7 +45,7 @@ func ExampleAIK() {
} }
} }
func Example_credentialActivation() { func ExampleAIK_credentialActivation() {
tpm, err := attest.OpenTPM(nil) tpm, err := attest.OpenTPM(nil)
if err != nil { if err != nil {
log.Fatalf("Failed to open TPM: %v", err) log.Fatalf("Failed to open TPM: %v", err)
@ -91,10 +91,41 @@ func Example_credentialActivation() {
} }
} }
func ExampleAIK_quote() {
tpm, err := attest.OpenTPM(nil)
if err != nil {
log.Fatalf("Failed to open TPM: %v", err)
}
defer tpm.Close()
// Create a new AIK.
aik, err := tpm.MintAIK(nil)
if err != nil {
log.Fatalf("Failed to create AIK: %v", err)
}
defer aik.Close(tpm)
// The nonce would typically be provided by the server.
nonce := []byte{1, 2, 3, 4, 5, 6, 7, 8}
// Perform the quote & gather information necessary to verify it.
quote, err := aik.Quote(tpm, nonce, attest.HashSHA1)
if err != nil {
log.Fatalf("Failed to generate quote: %v", err)
}
pcrs, err := tpm.PCRs(attest.HashSHA1)
if err != nil {
log.Fatalf("Failed to collect PCR values: %v", err)
}
log.Printf("quote = %+v", quote)
log.Printf("PCRs = %+v", pcrs)
}
func TestExampleAIK(t *testing.T) { func TestExampleAIK(t *testing.T) {
if !*testExamples { if !*testExamples {
t.SkipNow() t.SkipNow()
} }
ExampleAIK() ExampleAIK()
Example_credentialActivation() ExampleAIK_credentialActivation()
ExampleAIK_quote()
} }