mirror of
https://github.com/google/go-attestation.git
synced 2024-12-18 20:47:57 +00:00
330 lines
8.4 KiB
Go
330 lines
8.4 KiB
Go
// Copyright 2019 Google Inc.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
// use this file except in compliance with the License. You may obtain a copy of
|
|
// the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
// License for the specific language governing permissions and limitations under
|
|
// the License.
|
|
|
|
//go:build (!localtest || !tpm12) && cgo && !gofuzz
|
|
// +build !localtest !tpm12
|
|
// +build cgo
|
|
// +build !gofuzz
|
|
|
|
// NOTE: simulator requires cgo, hence the build tag.
|
|
|
|
package attest
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto"
|
|
"testing"
|
|
|
|
"github.com/google/go-tpm-tools/simulator"
|
|
)
|
|
|
|
func setupSimulatedTPM(t *testing.T) (*simulator.Simulator, *TPM) {
|
|
t.Helper()
|
|
tpm, err := simulator.Get()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
attestTPM, err := OpenTPM(&OpenConfig{CommandChannel: &fakeCmdChannel{tpm}})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return tpm, attestTPM
|
|
}
|
|
|
|
func TestSimTPM20EK(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
eks, err := tpm.EKs()
|
|
if err != nil {
|
|
t.Errorf("EKs() failed: %v", err)
|
|
}
|
|
if len(eks) == 0 || (eks[0].Public == nil) {
|
|
t.Errorf("EKs() = %v, want at least 1 EK with populated fields", eks)
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20Info(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
if _, err := tpm.Info(); err != nil {
|
|
t.Errorf("tpm.Info() failed: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20AKCreateAndLoad(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
ak, err := tpm.NewAK(nil)
|
|
if err != nil {
|
|
t.Fatalf("NewAK() failed: %v", err)
|
|
}
|
|
|
|
enc, err := ak.Marshal()
|
|
if err != nil {
|
|
ak.Close(tpm)
|
|
t.Fatalf("ak.Marshal() failed: %v", err)
|
|
}
|
|
if err := ak.Close(tpm); err != nil {
|
|
t.Fatalf("ak.Close() failed: %v", err)
|
|
}
|
|
|
|
loaded, err := tpm.LoadAK(enc)
|
|
if err != nil {
|
|
t.Fatalf("LoadKey() failed: %v", err)
|
|
}
|
|
defer loaded.Close(tpm)
|
|
|
|
k1, k2 := ak.ak.(*wrappedKey20), loaded.ak.(*wrappedKey20)
|
|
|
|
if !bytes.Equal(k1.public, k2.public) {
|
|
t.Error("Original & loaded AK public blobs did not match.")
|
|
t.Logf("Original = %v", k1.public)
|
|
t.Logf("Loaded = %v", k2.public)
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20ActivateCredential(t *testing.T) {
|
|
testActivateCredential(t, false)
|
|
}
|
|
|
|
func TestSimTPM20ActivateCredentialWithEK(t *testing.T) {
|
|
testActivateCredential(t, true)
|
|
}
|
|
|
|
func testActivateCredential(t *testing.T, useEK bool) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
EKs, err := tpm.EKs()
|
|
if err != nil {
|
|
t.Fatalf("EKs() failed: %v", err)
|
|
}
|
|
ek := chooseEK(t, EKs)
|
|
|
|
ak, err := tpm.NewAK(nil)
|
|
if err != nil {
|
|
t.Fatalf("NewAK() failed: %v", err)
|
|
}
|
|
defer ak.Close(tpm)
|
|
|
|
ap := ActivationParameters{
|
|
TPMVersion: TPMVersion20,
|
|
AK: ak.AttestationParameters(),
|
|
EK: ek.Public,
|
|
}
|
|
secret, challenge, err := ap.Generate()
|
|
if err != nil {
|
|
t.Fatalf("Generate() failed: %v", err)
|
|
}
|
|
|
|
var decryptedSecret []byte
|
|
if useEK {
|
|
decryptedSecret, err = ak.ActivateCredentialWithEK(tpm, *challenge, ek)
|
|
} else {
|
|
decryptedSecret, err = ak.ActivateCredential(tpm, *challenge)
|
|
}
|
|
if err != nil {
|
|
t.Errorf("ak.ActivateCredential() failed: %v", err)
|
|
}
|
|
if !bytes.Equal(secret, decryptedSecret) {
|
|
t.Error("secret does not match decrypted secret")
|
|
t.Logf("Secret = %v", secret)
|
|
t.Logf("Decrypted secret = %v", decryptedSecret)
|
|
}
|
|
}
|
|
|
|
func TestParseAKPublic20(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
ak, err := tpm.NewAK(nil)
|
|
if err != nil {
|
|
t.Fatalf("NewAK() failed: %v", err)
|
|
}
|
|
defer ak.Close(tpm)
|
|
params := ak.AttestationParameters()
|
|
if _, err := ParseAKPublic(TPMVersion20, params.Public); err != nil {
|
|
t.Errorf("parsing AK public blob: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20QuoteAndVerifyAll(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
ak, err := tpm.NewAK(nil)
|
|
if err != nil {
|
|
t.Fatalf("NewAK() failed: %v", err)
|
|
}
|
|
defer ak.Close(tpm)
|
|
|
|
nonce := []byte{1, 2, 3, 4, 5, 6, 7, 8}
|
|
quote256, err := ak.Quote(tpm, nonce, HashSHA256)
|
|
if err != nil {
|
|
t.Fatalf("ak.Quote(SHA256) failed: %v", err)
|
|
}
|
|
quote1, err := ak.Quote(tpm, nonce, HashSHA1)
|
|
if err != nil {
|
|
t.Fatalf("ak.Quote(SHA1) failed: %v", err)
|
|
}
|
|
|
|
// Providing both PCR banks to AKPublic.Verify() ensures we can handle
|
|
// the case where extra PCRs of a different digest algorithm are provided.
|
|
var pcrs []PCR
|
|
for _, alg := range []HashAlg{HashSHA256, HashSHA1} {
|
|
p, err := tpm.PCRs(alg)
|
|
if err != nil {
|
|
t.Fatalf("tpm.PCRs(%v) failed: %v", alg, err)
|
|
}
|
|
pcrs = append(pcrs, p...)
|
|
}
|
|
|
|
pub, err := ParseAKPublic(tpm.Version(), ak.AttestationParameters().Public)
|
|
if err != nil {
|
|
t.Fatalf("ParseAKPublic() failed: %v", err)
|
|
}
|
|
|
|
// Ensure VerifyAll fails if a quote is missing and hence not all PCR
|
|
// banks are covered.
|
|
if err := pub.VerifyAll([]Quote{*quote256}, pcrs, nonce); err == nil {
|
|
t.Error("VerifyAll().err returned nil, expected failure")
|
|
}
|
|
|
|
if err := pub.VerifyAll([]Quote{*quote256, *quote1}, pcrs, nonce); err != nil {
|
|
t.Errorf("quote verification failed: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20AttestPlatform(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
ak, err := tpm.NewAK(nil)
|
|
if err != nil {
|
|
t.Fatalf("NewAK() failed: %v", err)
|
|
}
|
|
defer ak.Close(tpm)
|
|
|
|
nonce := []byte{1, 2, 3, 4, 5, 6, 7, 8}
|
|
attestation, err := tpm.attestPlatform(ak, nonce, nil)
|
|
if err != nil {
|
|
t.Fatalf("AttestPlatform() failed: %v", err)
|
|
}
|
|
|
|
pub, err := ParseAKPublic(attestation.TPMVersion, attestation.Public)
|
|
if err != nil {
|
|
t.Fatalf("ParseAKPublic() failed: %v", err)
|
|
}
|
|
if err := pub.VerifyAll(attestation.Quotes, attestation.PCRs, nonce); err != nil {
|
|
t.Errorf("quote verification failed: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20PCRs(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
PCRs, err := tpm.PCRs(HashSHA256)
|
|
if err != nil {
|
|
t.Fatalf("PCRs() failed: %v", err)
|
|
}
|
|
if len(PCRs) != 24 {
|
|
t.Errorf("len(PCRs) = %d, want %d", len(PCRs), 24)
|
|
}
|
|
|
|
for i, pcr := range PCRs {
|
|
if len(pcr.Digest) != pcr.DigestAlg.Size() {
|
|
t.Errorf("PCR %d len(digest) = %d, expected match with digest algorithm size (%d)", pcr.Index, len(pcr.Digest), pcr.DigestAlg.Size())
|
|
}
|
|
if pcr.Index != i {
|
|
t.Errorf("PCR index %d does not match map index %d", pcr.Index, i)
|
|
}
|
|
if pcr.DigestAlg != crypto.SHA256 {
|
|
t.Errorf("pcr.DigestAlg = %v, expected crypto.SHA256", pcr.DigestAlg)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20PersistenceSRK(t *testing.T) {
|
|
testPersistenceSRK(t, defaultParentConfig)
|
|
}
|
|
|
|
func TestSimTPM20PersistenceECCSRK(t *testing.T) {
|
|
parentConfig := ParentKeyConfig{
|
|
Algorithm: ECDSA,
|
|
Handle: 0x81000002,
|
|
}
|
|
testPersistenceSRK(t, parentConfig)
|
|
}
|
|
|
|
func testPersistenceSRK(t *testing.T, parentConfig ParentKeyConfig) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
srkHnd, _, err := tpm.tpm.(*wrappedTPM20).getStorageRootKeyHandle(parentConfig)
|
|
if err != nil {
|
|
t.Fatalf("getStorageRootKeyHandle() failed: %v", err)
|
|
}
|
|
if srkHnd != parentConfig.Handle {
|
|
t.Fatalf("bad SRK-equivalent handle: got 0x%x, wanted 0x%x", srkHnd, parentConfig.Handle)
|
|
}
|
|
|
|
srkHnd, p, err := tpm.tpm.(*wrappedTPM20).getStorageRootKeyHandle(parentConfig)
|
|
if err != nil {
|
|
t.Fatalf("second getStorageRootKeyHandle() failed: %v", err)
|
|
}
|
|
if srkHnd != parentConfig.Handle {
|
|
t.Fatalf("bad SRK-equivalent handle: got 0x%x, wanted 0x%x", srkHnd, parentConfig.Handle)
|
|
}
|
|
if p {
|
|
t.Fatalf("generated a new key the second time; that shouldn't happen")
|
|
}
|
|
}
|
|
|
|
func TestSimTPM20PersistenceEK(t *testing.T) {
|
|
sim, tpm := setupSimulatedTPM(t)
|
|
defer sim.Close()
|
|
|
|
eks, err := tpm.EKs()
|
|
if err != nil {
|
|
t.Errorf("EKs() failed: %v", err)
|
|
}
|
|
if len(eks) == 0 || (eks[0].Public == nil) {
|
|
t.Errorf("EKs() = %v, want at least 1 EK with populated fields", eks)
|
|
}
|
|
|
|
ek := eks[0]
|
|
ekHnd, _, err := tpm.tpm.(*wrappedTPM20).getEndorsementKeyHandle(&ek)
|
|
if err != nil {
|
|
t.Fatalf("getStorageRootKeyHandle() failed: %v", err)
|
|
}
|
|
if ekHnd != ek.handle {
|
|
t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, ek.handle)
|
|
}
|
|
|
|
ekHnd, p, err := tpm.tpm.(*wrappedTPM20).getEndorsementKeyHandle(&ek)
|
|
if err != nil {
|
|
t.Fatalf("second getEndorsementKeyHandle() failed: %v", err)
|
|
}
|
|
if ekHnd != ek.handle {
|
|
t.Fatalf("bad EK-equivalent handle: got 0x%x, wanted 0x%x", ekHnd, ek.handle)
|
|
}
|
|
if p {
|
|
t.Fatalf("generated a new key the second time; that shouldn't happen")
|
|
}
|
|
}
|