util

package
v0.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 12, 2022 License: LGPL-3.0 Imports: 18 Imported by: 1

Documentation

Overview

Package util contains helper functions that are useful when using go-tpm2.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeCpHash 

func ComputeCpHash(alg tpm2.HashAlgorithmId, command tpm2.CommandCode, handles []tpm2.Name, params ...interface{}) (tpm2.Digest, error)

ComputeCpHash computes a command parameter digest from the specified command code, the supplied handles (identified by their names) and parameters using the specified digest algorithm.

The required parameters is defined in part 3 of the TPM 2.0 Library Specification for the specific command.

The result of this is useful for extended authorization commands that bind an authorization to a command and set of command parameters, such as TPMContext.PolicySigned, TPMContext.PolicySecret, TPMContext.PolicyTicket and TPMContext.PolicyCpHash.

func ComputePCRDigest 

func ComputePCRDigest(alg tpm2.HashAlgorithmId, pcrs tpm2.PCRSelectionList, values tpm2.PCRValues) (tpm2.Digest, error)

ComputePCRDigest computes a digest using the specified algorithm from the provided set of PCR values and the provided PCR selections. The digest is computed the same way as PCRComputeCurrentDigest as defined in the TPM reference implementation. It is most useful for computing an input to TPMContext.PolicyPCR or TrialAuthPolicy.PolicyPCR, and for validating quotes and creation data.

func ComputePCRDigestFromAllValues 

func ComputePCRDigestFromAllValues(alg tpm2.HashAlgorithmId, values tpm2.PCRValues) (tpm2.PCRSelectionList, tpm2.Digest, error)

ComputePCRDigestFromAllValues computes a digest using the specified algorithm from all of the provided set of PCR values. The digest is computed the same way as PCRComputeCurrentDigest as defined in the TPM reference implementation. It returns the PCR selection associated with the computed digest.

func ComputePolicyAuthorizeDigest 

func ComputePolicyAuthorizeDigest(alg tpm2.HashAlgorithmId, approvedPolicy tpm2.Digest, policyRef tpm2.Nonce) (tpm2.Digest, error)

ComputePolicyAuthorizeDigest computes a digest to sign from the supplied authorization policy digest and policy reference. The resulting digest can be signed to authorize the supplied policy with the TPM2_PolicyAuthorize assertion.

func ComputeQualifiedName 

func ComputeQualifiedName(name, parentQn tpm2.Name) (tpm2.Name, error)

ComputeQualifiedName can compute the qualified name of an object with the specified name that is protected by a parent with the specified qualified name.

func ComputeQualifiedNameFull 

func ComputeQualifiedNameFull(name tpm2.Name, hierarchy tpm2.Handle, ancestors ...tpm2.Name) (tpm2.Name, error)

ComputeQualifiedNameFull can compute the qualified name of an object with the specified name that is protected in the specified hierarchy by the chain of parent objects with the specified names. The ancestor names are ordered from the primary key towards the immediate parent.

func CreateDuplicationObjectFromSensitive 

func CreateDuplicationObjectFromSensitive(sensitive *tpm2.Sensitive, public, parentPublic *tpm2.Public, encryptionKeyIn tpm2.Data, symmetricAlg *tpm2.SymDefObject) (encryptionKeyOut tpm2.Data, duplicate tpm2.Private, outSymSeed tpm2.EncryptedSecret, err error)

CreateDuplicationObjectFromSensitive creates a duplication object that can be imported in to a TPM from the supplied sensitive area.

If symmetricAlg is supplied and the Algorithm field is not SymObjectAlgorithmNull, this function will apply an inner wrapper to the duplication object. If encryptionKeyIn is supplied, it will be used as the symmetric key for the inner wrapper. It must have a size appropriate for the selected symmetric algorithm. If encryptionKeyIn is not supplied, a symmetric key will be created and returned

If parentPublic is supplied, an outer wrapper will be applied to the duplication object. The parentPublic argument should correspond to the public area of the storage key to which the duplication object will be imported. When applying the outer wrapper, the seed used to derice the symmetric key and HMAC key will be encrypted using parentPublic and returned.

func CryptSecretDecrypt added in v0.0.3 

func CryptSecretDecrypt(priv crypto.PrivateKey, hashAlg tpm2.HashAlgorithmId, label []byte, secret tpm2.EncryptedSecret) ([]byte, error)

CryptSecretDecrypt recovers a secret value from the supplied secret structure using the private key. It can be used to recover secrets created by the TPM, such as those created by the TPM2_Duplicate command.

func DuplicateToSensitive 

func DuplicateToSensitive(duplicate tpm2.Private, name tpm2.Name, parentNameAlg tpm2.HashAlgorithmId, parentSymmetricAlg *tpm2.SymDefObject, seed []byte, symmetricAlg *tpm2.SymDefObject, innerSymKey tpm2.Data) (sensitive *tpm2.Sensitive, err error)

DuplicateToSensitive unwraps the supplied duplication blob. The supplied name is the name of the duplication object.

If a seed is supplied, it removes the outer wrapper using the specified parent name algorithm and parent symmetric algorithm - these correspond to properties of the new parent's public area.

If symmetricAlg is supplied, it removes the inner wrapper - first by decrypting it with the supplied innerSymKey, and then checking the inner integrity digest is valid and returning an error if it isn't.

func MakeCredential 

func MakeCredential(key *tpm2.Public, credential tpm2.Digest, objectName tpm2.Name) (credentialBlob tpm2.IDObjectRaw, secret tpm2.EncryptedSecret, err error)

MakeCredential performs the duties of a certificate authority in order to create an activation credential. It produces a seed and encrypts this with the supplied public key. The seed and supplied object name is then used to apply an outer wrapper to the credential.

The encrypted credential blob and encrypted seed are returned, and these can be passed to the TPM2_ActivateCredential on the TPM on which both the private part of key and the object associated with objectName are loaded.

func NewExternalECCPublicKey 

func NewExternalECCPublicKey(nameAlg tpm2.HashAlgorithmId, usage templates.KeyUsage, scheme *tpm2.ECCScheme, key *ecdsa.PublicKey) *tpm2.Public

NewExternalECCPublicKey creates a public area from the supplied elliptic public key with the specified name algorithm, key usage and scheme, for use with the TPM2_LoadExternal command. If nameAlg is HashAlgorithmNull, then HashAlgorithmSHA256 is used. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalECCPublicKeyWithDefaults 

func NewExternalECCPublicKeyWithDefaults(usage templates.KeyUsage, key *ecdsa.PublicKey) *tpm2.Public

NewExternalECCPublicKeyWithDefaults creates a public area from the supplied elliptic public key with the specified key usage, SHA256 as the name algorithm and the scheme unset, for use with the TPM2_LoadExternal command. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalHMACKey 

func NewExternalHMACKey(nameAlg, schemeAlg tpm2.HashAlgorithmId, authValue tpm2.Auth, key []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalHMACKey creates both the public and sensitive areas for the supplied HMAC key with the specified name algorithm, scheme algorithm and auth value. If nameAlg is HashAlgorithmNull, then HashAlgorithmSHA256 is used. If schemeAlg is HashAlgorithmNull, then nameAlg is used.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObjectFromSensitive for importing into a TPM.

The public area has the AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the AttrUserWithAuth attribute.

func NewExternalHMACKeyWithDefaults 

func NewExternalHMACKeyWithDefaults(authValue tpm2.Auth, key []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalHMACKeyWithDefaults creates both the public and sensitive areas for the supplied HMAC key with the specified auth value and with SHA256 as both the name and scheme algorithm.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObjectFromSensitive for importing into a TPM.

The public area has the AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the AttrUserWithAuth attribute.

func NewExternalRSAPublicKey 

func NewExternalRSAPublicKey(nameAlg tpm2.HashAlgorithmId, usage templates.KeyUsage, scheme *tpm2.RSAScheme, key *rsa.PublicKey) *tpm2.Public

NewExternalRSAPublicKey creates a public area from the supplied RSA public key with the specified name algorithm, key usage and scheme, for use with the TPM2_LoadExternal command. If nameAlg is HashAlgorithmNull, then HashAlgorithmSHA256 is used. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalRSAPublicKeyWithDefaults 

func NewExternalRSAPublicKeyWithDefaults(usage templates.KeyUsage, key *rsa.PublicKey) *tpm2.Public

NewExternalRSAPublicKeyWithDefaults creates a public area from the supplied RSA with the specified key usage, SHA256 as the name algorithm and the scheme unset, for use with the TPM2_LoadExternal command. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalSealedObject 

func NewExternalSealedObject(nameAlg tpm2.HashAlgorithmId, authValue tpm2.Auth, data []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalSealedObject creates both the public and sensitive areas for a sealed object containing the supplied data, with the specified name algorithm and authorization value. If nameAlgorithm is HashAlgorithmNull, then HashAlgorithmSHA256 is used.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObjectFromSensitive for importing into a TPM.

The public area has the AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the AttrUserWithAuth attribute.

func PolicyAuthorize 

func PolicyAuthorize(key crypto.PrivateKey, scheme *tpm2.SigScheme, approvedPolicy tpm2.Digest, policyRef tpm2.Nonce) (tpm2.Digest, *tpm2.Signature, error)

PolicyAuthorize authorizes an authorization policy digest with the supplied key and signature scheme. The resulting digest and signature can be verified by the TPM in order to produce a ticket that can then be supplied to a TPM2_PolicyAuthorize assertion.

The digest algorithm used for the signature must match the name algorithm in the public area associated with the supplied private key.

func PrivateToSensitive 

func PrivateToSensitive(private tpm2.Private, name tpm2.Name, hashAlg tpm2.HashAlgorithmId, symmetricAlg *tpm2.SymDefObject, seed []byte) (sensitive *tpm2.Sensitive, err error)

func ProduceOuterWrap 

func ProduceOuterWrap(hashAlg tpm2.HashAlgorithmId, symmetricAlg *tpm2.SymDefObject, name tpm2.Name, seed []byte, useIV bool, data []byte) ([]byte, error)

ProduceOuterWrap adds an outer wrapper to the supplied data. The supplied name is associated with the data.

It encrypts the data using the specified symmetric algorithm and a key derived from the supplied seed and name.

It then prepends an integrity HMAC of the encrypted data and the supplied name using the specified digest algorithm and a key derived from the supplied seed.

func SensitiveToDuplicate 

func SensitiveToDuplicate(sensitive *tpm2.Sensitive, name tpm2.Name, parent *tpm2.Public, seed []byte, symmetricAlg *tpm2.SymDefObject, innerSymKey tpm2.Data) (innerSymKeyOut tpm2.Data, duplicate tpm2.Private, err error)

SensitiveToDuplicate creates a duplication blob from the supplied sensitive structure. The supplied name is the name of the object associated with sensitive.

If symmetricAlg is defined, an inner wrapper will be applied, first by prepending an inner integrity digest computed with the object's name algorithm from the sensitive data and its name, and then encrypting the data with innerSymKey. If innerSymKey isn't supplied, a random key will be created and returned.

If a seed is supplied, an outer wrapper will be applied using the name algorithm and symmetric algorithm of parent.

func SensitiveToPrivate 

func SensitiveToPrivate(sensitive *tpm2.Sensitive, name tpm2.Name, hashAlg tpm2.HashAlgorithmId, symmetricAlg *tpm2.SymDefObject, seed []byte) (tpm2.Private, error)

func Sign 

func Sign(key crypto.PrivateKey, scheme *tpm2.SigScheme, digest []byte) (*tpm2.Signature, error)

Sign creates a signature of the supplied digest using the supplied private key and signature scheme. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures can be created. The returned signature can be verified on a TPM using the associated public key.

In order to create a HMAC, the supplied private key should be a byte slice containing the HMAC key.

func SignPolicyAuthorization 

func SignPolicyAuthorization(key crypto.PrivateKey, scheme *tpm2.SigScheme, nonceTPM tpm2.Nonce, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32) (*tpm2.Signature, error)

SignPolicyAuthorization creates a signed authorization using the supplied key and signature scheme. The signed authorization can be used in a TPM2_PolicySigned assertion. The authorizing party can apply contraints on how the session that includes this authorization can be used.

If nonceTPM is supplied, then the signed authorization can only be used for the session associated with the supplied nonce.

If expiration is non-zero, then the signed authorization is only valid for the specified number of seconds from when nonceTPM was generated.

If cpHash is supplied, then the signed authorization is only valid for use in a command with the associated set of command parameters.

func UnwrapDuplicationObjectToSensitive 

func UnwrapDuplicationObjectToSensitive(duplicate tpm2.Private, public *tpm2.Public, privKey crypto.PrivateKey, parentNameAlg tpm2.HashAlgorithmId, parentSymmetricAlg *tpm2.SymDefObject, encryptionKey tpm2.Data, inSymSeed tpm2.EncryptedSecret, symmetricAlg *tpm2.SymDefObject) (*tpm2.Sensitive, error)

UnwrapDuplicationObjectToSensitive unwraps the supplied duplication object and returns the corresponding sensitive area. If inSymSeed is supplied, then it is assumed that the object has an outer wrapper. In this case, privKey, parentNameAlg and parentSymmetricAlg must be supplied - privKey is the key with which inSymSeed is protected, parentNameAlg is the name algorithm for the parent key (and must not be HashAlgorithmNull), and parentSymmetricAlg defines the symmetric algorithm for the parent key (and the Algorithm field must not be SymObjectAlgorithmNull).

If symmetricAlg is supplied and the Algorithm field is not SymObjectAlgorithmNull, then it is assumed that the object has an inner wrapper. In this case, the symmetric key for the inner wrapper must be supplied using the encryptionKey argument.

func UnwrapOuter 

func UnwrapOuter(hashAlg tpm2.HashAlgorithmId, symmetricAlg *tpm2.SymDefObject, name tpm2.Name, seed []byte, useIV bool, data []byte) ([]byte, error)

UnwrapOuter removes an outer wrapper from the supplied sensitive data blob. The supplied name is associated with the data.

It checks the integrity HMAC is valid using the specified digest algorithm and a key derived from the supplied seed and returns an error if the check fails.

It then decrypts the data blob using the specified symmetric algorithm and a key derived from the supplied seed and name.

func VerifyAttestationSignature 

func VerifyAttestationSignature(key crypto.PublicKey, attest *tpm2.Attest, signature *tpm2.Signature) (ok bool, err error)

VerifyAttestationSignature verifies the signature for the supplied attestation structure as generated by one of the TPM's attestation commands. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures are supported.

In order to verify a HMAC signature, the supplied public key should be a byte slice containing the HMAC key.

func VerifySignature 

func VerifySignature(key crypto.PublicKey, digest []byte, signature *tpm2.Signature) (ok bool, err error)

VerifySignature verifies a signature created by a TPM using the supplied public key. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures are supported.

In order to verify a HMAC signature, the supplied public key should be a byte slice containing the HMAC key.

Types

type TrialAuthPolicy 

type TrialAuthPolicy struct {
	// contains filtered or unexported fields
}

TrialAuthPolicy provides a mechanism for computing authorization policy digests without having to execute a trial authorization policy session on the TPM. An advantage of this is that it is possible to compute digests for PolicySecret and PolicyNV assertions without knowledge of the authorization value of the authorizing entities used for those commands.

func ComputeAuthPolicy 

func ComputeAuthPolicy(alg tpm2.HashAlgorithmId) *TrialAuthPolicy

ComputeAuthPolicy creates a new context for computing an authorization policy digest. It will panic if the specified algorithm is not available. The caller should check this beforehand.

func (*TrialAuthPolicy) GetDigest 

func (p *TrialAuthPolicy) GetDigest() tpm2.Digest

GetDigest returns the current digest computed for the policy assertions executed so far.

func (*TrialAuthPolicy) PolicyAuthValue 

func (p *TrialAuthPolicy) PolicyAuthValue()

PolicyAuthValue computes a TPM2_PolicyAuthValue assertion.

func (*TrialAuthPolicy) PolicyAuthorize 

func (p *TrialAuthPolicy) PolicyAuthorize(policyRef tpm2.Nonce, keySign tpm2.Name)

PolicyAuthorize computes a TPM2_PolicyAuthorize assertion for the key with the specified name and the specified policyRef.

func (*TrialAuthPolicy) PolicyCommandCode 

func (p *TrialAuthPolicy) PolicyCommandCode(code tpm2.CommandCode)

PolicyCommandCode computes a TPM2_PolicyCommandCode assertion for the specified command code.

func (*TrialAuthPolicy) PolicyCounterTimer 

func (p *TrialAuthPolicy) PolicyCounterTimer(operandB tpm2.Operand, offset uint16, operation tpm2.ArithmeticOp)

PolicyCounterTimer computes a TPM2_PolicyCounterTimer assertion for the specified comparison operation.

func (*TrialAuthPolicy) PolicyCpHash 

func (p *TrialAuthPolicy) PolicyCpHash(cpHashA tpm2.Digest)

PolicyCpHash computes a TPM2_PolicyCpHash assertion for the command parameters associated with the specified hash.

func (*TrialAuthPolicy) PolicyDuplicationSelect 

func (p *TrialAuthPolicy) PolicyDuplicationSelect(objectName, newParentName tpm2.Name, includeObject bool)

PolicyDuplicationSelect computes a TPM2_PolicyDuplicationSelect assertion for the object and parent object with the specified names.

func (*TrialAuthPolicy) PolicyNV 

func (p *TrialAuthPolicy) PolicyNV(nvIndexName tpm2.Name, operandB tpm2.Operand, offset uint16, operation tpm2.ArithmeticOp)

PolicyNV computes a TPM2_PolicyNV assertion executed for an index for the specified name, with the specified comparison operation.

func (*TrialAuthPolicy) PolicyNameHash 

func (p *TrialAuthPolicy) PolicyNameHash(nameHash tpm2.Digest)

PolicyNameHash computes a TPM2_PolicyNameHash assertion with for the entities associated with the specified name digest.

func (*TrialAuthPolicy) PolicyNvWritten 

func (p *TrialAuthPolicy) PolicyNvWritten(writtenSet bool)

PolicyNvWritten computes a TPM2_PolicyNvWritten assertion

func (*TrialAuthPolicy) PolicyOR 

func (p *TrialAuthPolicy) PolicyOR(pHashList tpm2.DigestList)

PolicyOR computes a TPM2_PolicyOR assertion executed for the specified digests. It will panic if there are fewer than 2 or more than 8 digests, or if any digest has the wrong size.

func (*TrialAuthPolicy) PolicyPCR 

func (p *TrialAuthPolicy) PolicyPCR(pcrDigest tpm2.Digest, pcrs tpm2.PCRSelectionList)

PolicyPCR computes a TPM2_PolicyPCR assertion executed for the specified PCR selection and with PCR values associated with the specified PCR digest.

func (*TrialAuthPolicy) PolicyPassword 

func (p *TrialAuthPolicy) PolicyPassword()

PolicyPassword computes a TPM2_PolicyPassword assertion.

func (*TrialAuthPolicy) PolicySecret 

func (p *TrialAuthPolicy) PolicySecret(authName tpm2.Name, policyRef tpm2.Nonce)

PolicySecret computes a TPM2_PolicySecret assertion executed for an object with the specified name and the specified policyRef.

func (*TrialAuthPolicy) PolicySigned 

func (p *TrialAuthPolicy) PolicySigned(authName tpm2.Name, policyRef tpm2.Nonce)

PolicySigned computes a TPM2_PolicySigned assertion executed for a key with the specified name and the specified policyRef.

func (*TrialAuthPolicy) Reset 

func (p *TrialAuthPolicy) Reset()

Reset clears the current digest.

func (*TrialAuthPolicy) SetDigest 

func (p *TrialAuthPolicy) SetDigest(d tpm2.Digest)

SetDigests overwrites the current digest. It will panic if the supplied digest is not the correct size.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.