Documentation ¶
Overview ¶
Package objectutil contains utilities for creating and working with objects.
Index ¶
- Constants
- func ComputeQualifiedName(object Named, rootQn tpm2.Name, ancestors ...Named) (tpm2.Name, error)
- func ComputeQualifiedNameInHierarchy(object Named, hierarchy tpm2.Handle, ancestors ...Named) (tpm2.Name, error)
- func CreateImportable(rand io.Reader, sensitive *tpm2.Sensitive, public, parentPublic *tpm2.Public, ...) (innerSymmetricKeyOut tpm2.Data, duplicate tpm2.Private, ...)
- func MakeCredential(rand io.Reader, key *tpm2.Public, credential tpm2.Digest, objectName tpm2.Name) (credentialBlob tpm2.IDObject, secret tpm2.EncryptedSecret, err error)
- func NewDerivationParentTemplate(options ...PublicTemplateOption) *tpm2.Public
- func NewECCAttestationKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
- func NewECCKeyTemplate(usage Usage, options ...PublicTemplateOption) *tpm2.Public
- func NewECCPublicKey(key *ecdsa.PublicKey, options ...PublicTemplateOption) (*tpm2.Public, error)
- func NewECCStorageKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
- func NewHMACKey(rand io.Reader, key []byte, authValue tpm2.Auth, ...) (*tpm2.Public, *tpm2.Sensitive, error)
- func NewHMACKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
- func NewRSAAttestationKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
- func NewRSAKeyTemplate(usage Usage, options ...PublicTemplateOption) *tpm2.Public
- func NewRSAPublicKey(key *rsa.PublicKey, options ...PublicTemplateOption) (*tpm2.Public, error)
- func NewRSAStorageKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
- func NewSealedObject(rand io.Reader, data []byte, authValue tpm2.Auth, ...) (*tpm2.Public, *tpm2.Sensitive, error)
- func NewSealedObjectTemplate(options ...PublicTemplateOption) *tpm2.Public
- func NewSymmetricKey(rand io.Reader, usage Usage, key []byte, authValue tpm2.Auth, ...) (*tpm2.Public, *tpm2.Sensitive, error)
- func NewSymmetricKeyTemplate(usage Usage, options ...PublicTemplateOption) *tpm2.Public
- func NewSymmetricStorageKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
- func UnwrapDuplicated(duplicate tpm2.Private, public *tpm2.Public, privKey crypto.PrivateKey, ...) (*tpm2.Sensitive, error)
- type AuthMode
- type DuplicationMode
- type Named
- type ProtectionGroupMode
- type PublicTemplateOption
- func WithAdminAuthMode(mode AuthMode) PublicTemplateOption
- func WithAuthPolicy(policy tpm2.Digest) PublicTemplateOption
- func WithDerivationScheme(hashAlg tpm2.HashAlgorithmId, kdf tpm2.KDFAlgorithmId) PublicTemplateOption
- func WithDictionaryAttackProtection() PublicTemplateOption
- func WithDuplicationMode(mode DuplicationMode) PublicTemplateOption
- func WithECCCurve(curve tpm2.ECCCurve) PublicTemplateOption
- func WithECCScheme(scheme tpm2.ECCSchemeId, hashAlg tpm2.HashAlgorithmId) PublicTemplateOption
- func WithECCUnique(unique *tpm2.ECCPoint) PublicTemplateOption
- func WithExternalSensitiveData() PublicTemplateOption
- func WithHMACDigest(alg tpm2.HashAlgorithmId) PublicTemplateOption
- func WithInternalSensitiveData() PublicTemplateOption
- func WithKeyedHashUnique(unique tpm2.Digest) PublicTemplateOption
- func WithNameAlg(alg tpm2.HashAlgorithmId) PublicTemplateOption
- func WithProtectionGroupMode(mode ProtectionGroupMode) PublicTemplateOption
- func WithProtectionGroupModeFromParent(parent *tpm2.Public) PublicTemplateOption
- func WithRSAKeyBits(keyBits uint16) PublicTemplateOption
- func WithRSAParams(keyBits uint16, exponent uint32) PublicTemplateOption
- func WithRSAScheme(scheme tpm2.RSASchemeId, hashAlg tpm2.HashAlgorithmId) PublicTemplateOption
- func WithRSAUnique(unique tpm2.PublicKeyRSA) PublicTemplateOption
- func WithSymmetricScheme(alg tpm2.SymObjectAlgorithmId, keyBits uint16, mode tpm2.SymModeId) PublicTemplateOption
- func WithSymmetricUnique(unique tpm2.Digest) PublicTemplateOption
- func WithUserAuthMode(mode AuthMode) PublicTemplateOption
- func WithoutDictionaryAttackProtection() PublicTemplateOption
- type Usage
Constants ¶
const (
	// UsageSign indicates that a key can be used for signing.
	UsageSign Usage = 1 << iota
	// UsageDecrypt indicates that a key can be used for decryption.
	UsageDecrypt
	// UsageEncrypt indicates that a key can be used for encryption.
	UsageEncrypt = UsageSign
	// UsageKeyAgreement indicates that a key can be used for key agreement.
	UsageKeyAgreement = UsageDecrypt
)
Variables ¶
This section is empty.
Functions ¶
func ComputeQualifiedName ¶
func ComputeQualifiedName(object Named, rootQn tpm2.Name, ancestors ...Named) (tpm2.Name, error)
ComputeQualifiedName computes the qualified name of an object from the specified qualified name of a root object and a list of ancestor objects. The ancestor objects are ordered starting with the immediate child of the object associated with the root qualified name.
func ComputeQualifiedNameInHierarchy ¶
func ComputeQualifiedNameInHierarchy(object Named, hierarchy tpm2.Handle, ancestors ...Named) (tpm2.Name, error)
ComputeQualifiedNameInHierarchy computes the qualified name of an object protected in the specified hierarchy from a list of ancestor objects. The ancestor objects are ordered starting from the primary object.
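The chain that both functions above walk, written out with only the Go standard library as an added example (this is not objectutil's code). It follows the rule from Part 1 of the TPM 2.0 library specification: an object's Name is its nameAlg identifier followed by the nameAlg digest of its marshalled public area, the qualified name is QN = nameAlg || H(QN_parent || Name), and the parent QN of a primary object is the Name of its hierarchy handle, which is the 4-byte handle value. The example assumes SHA-256 for every name algorithm, and the "public areas" it hashes are constructed strings standing in for real TPMT_PUBLIC bytes:

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Constants from the TPM 2.0 library specification.
const (
	algSHA256      uint16 = 0x000b     // TPM_ALG_SHA256
	handleOwner    uint32 = 0x40000001 // TPM_RH_OWNER
	handlePlatform uint32 = 0x4000000c // TPM_RH_PLATFORM
)

// nameOf computes an object's Name: the nameAlg identifier followed by the
// nameAlg digest of the marshalled TPMT_PUBLIC (SHA-256 throughout here).
func nameOf(marshalledPublic []byte) []byte {
	d := sha256.Sum256(marshalledPublic)
	return append(binary.BigEndian.AppendUint16(nil, algSHA256), d[:]...)
}

// handleName is the Name of a permanent handle such as a hierarchy: the
// 4-byte handle value itself.
func handleName(h uint32) []byte {
	return binary.BigEndian.AppendUint32(nil, h)
}

// qualifiedName walks the chain down from rootQN: for each object,
// QN = nameAlg || H_nameAlg(QN_parent || Name). names[0] is the immediate
// child of the root and the last entry is the object of interest.
func qualifiedName(rootQN []byte, names ...[]byte) ([]byte, error) {
	qn := rootQN
	for i, name := range names {
		if len(name) != 2+sha256.Size || binary.BigEndian.Uint16(name) != algSHA256 {
			return nil, fmt.Errorf("names[%d]: only SHA-256 names are handled here", i)
		}
		h := sha256.New()
		h.Write(qn)
		h.Write(name)
		qn = append(binary.BigEndian.AppendUint16(nil, algSHA256), h.Sum(nil)...)
	}
	return qn, nil
}

// qualifiedNameInHierarchy starts the chain at the hierarchy handle's Name,
// which is the parent QN of a primary object.
func qualifiedNameInHierarchy(hierarchy uint32, names ...[]byte) ([]byte, error) {
	return qualifiedName(handleName(hierarchy), names...)
}

func main() {
	// Constructed stand-ins for marshalled public areas; a real caller would
	// hash the TPMT_PUBLIC bytes returned by TPM2_ReadPublic.
	primary := nameOf([]byte("primary storage key public area"))
	child := nameOf([]byte("child storage key public area"))
	leaf := nameOf([]byte("sealed object public area"))

	qn, err := qualifiedNameInHierarchy(handleOwner, primary, child, leaf)
	fmt.Println("leaf QN under child:", hex.EncodeToString(qn), err)

	// A duplicate of the leaf loaded under another parent keeps its Name but
	// gets a different QN: the QN, not the Name, records lineage.
	other := nameOf([]byte("another storage key public area"))
	qn2, _ := qualifiedNameInHierarchy(handleOwner, primary, other, leaf)
	fmt.Println("same leaf under other:", hex.EncodeToString(qn2))
}
```

The second print is the point worth remembering when consuming attestation data: a Name only commits to the object's own public area, so a key duplicated to a new parent keeps its Name, while its qualified name changes with every ancestor and with the hierarchy it was created in.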
func CreateImportable ¶
func CreateImportable(rand io.Reader, sensitive *tpm2.Sensitive, public, parentPublic *tpm2.Public, innerSymmetricKey tpm2.Data, innerSymmetricAlg *tpm2.SymDefObject) (innerSymmetricKeyOut tpm2.Data, duplicate tpm2.Private, outerSecret tpm2.EncryptedSecret, err error)
CreateImportable creates a duplication object that can be imported into a TPM with the tpm2.TPMContext.Import command from the supplied sensitive area.
If parentPublic is supplied, an outer duplication wrapper will be applied to the duplication object. The parentPublic argument should correspond to the public area of the storage key to which the duplication object will be imported. A secret structure will be returned as tpm2.EncryptedSecret which can be used by the private part of parentPublic in order to recover the seed used to generate the outer wrapper.
If innerSymmetricAlg is supplied and the Algorithm field is not tpm2.SymObjectAlgorithmNull, this function will apply an inner duplication wrapper to the duplication object. If innerSymmetricKey is supplied, it will be used as the symmetric key for the inner wrapper. It must have a size appropriate for the selected symmetric algorithm. If innerSymmetricKey is not supplied, a symmetric key will be created and returned as tpm2.Data.
func MakeCredential ¶
func MakeCredential(rand io.Reader, key *tpm2.Public, credential tpm2.Digest, objectName tpm2.Name) (credentialBlob tpm2.IDObject, secret tpm2.EncryptedSecret, err error)
MakeCredential performs the duties of a certificate authority in order to create an activation credential. It establishes a seed which is used to protect the activation credential (see section 24 - "Credential Protection" of Part 1 of the Trusted Platform Module Library specification).
The encrypted and integrity protected credential blob and a secret are returned, and these can be supplied to the TPM2_ActivateCredential command on the TPM on which both the private part of key and the object associated with objectName are loaded in order to recover the activation credential.
func NewDerivationParentTemplate ¶
func NewDerivationParentTemplate(options ...PublicTemplateOption) *tpm2.Public
NewDerivationParentTemplate returns a template for a derivation parent. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Sensitive data generated by the TPM - customize with WithInternalSensitiveData and WithExternalSensitiveData.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- SHA-256 and SP800-108 KDF for the derivation scheme - customize with WithDerivationScheme.
func NewECCAttestationKeyTemplate ¶
func NewECCAttestationKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
NewECCAttestationKeyTemplate returns a template for an ECC attestation key. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- NIST P-256 for the curve - customize with WithECCCurve.
- ECDSA and SHA-256 for the ECC scheme - customize with WithECCScheme.
func NewECCKeyTemplate ¶
func NewECCKeyTemplate(usage Usage, options ...PublicTemplateOption) *tpm2.Public
NewECCKeyTemplate returns a template for an ECC key with the specified usage. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- NIST P-256 for the curve - customize with WithECCCurve.
- No ECC scheme - customize with WithECCScheme.
func NewECCPublicKey ¶
func NewECCPublicKey(key *ecdsa.PublicKey, options ...PublicTemplateOption) (*tpm2.Public, error)
NewECCPublicKey returns a public area for the supplied elliptic key which can be used to verify signatures. The public area can be customized with additional options.
Without any options, the public area will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- No ECC scheme - customize with WithECCScheme.
The returned public area can be loaded into a TPM with tpm2.TPMContext.LoadExternal.
func NewECCStorageKeyTemplate ¶
func NewECCStorageKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
NewECCStorageKeyTemplate returns a template for an ECC storage key. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- AES-128-CFB for the symmetric scheme - customize with WithSymmetricScheme.
- NIST P-256 for the curve - customize with WithECCCurve.
func NewHMACKey ¶
func NewHMACKey(rand io.Reader, key []byte, authValue tpm2.Auth, options ...PublicTemplateOption) (*tpm2.Public, *tpm2.Sensitive, error)
NewHMACKey returns a public and sensitive area for the supplied HMAC key with the specified auth value. The supplied io.Reader is used to generate the seed parameter for the sensitive area. The public area can be customized with additional options.
Without any options, the public area will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- SHA-256 for the HMAC digest algorithm - customize with WithHMACDigest.
The returned public and sensitive area can be loaded into a TPM with tpm2.TPMContext.LoadExternal or imported into a hierarchy by creating an importable object with CreateImportable.
func NewHMACKeyTemplate ¶
func NewHMACKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
NewHMACKeyTemplate returns a template for an HMAC key. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Sensitive data generated by the TPM - customize with WithInternalSensitiveData and WithExternalSensitiveData.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- SHA-256 for the HMAC digest algorithm - customize with WithHMACDigest.
func NewRSAAttestationKeyTemplate ¶
func NewRSAAttestationKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
NewRSAAttestationKeyTemplate returns a template for an RSA attestation key. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- RSA key size of 2048 bits - customize with WithRSAKeyBits.
- RSA-PSS and SHA-256 for the RSA scheme - customize with WithRSAScheme.
func NewRSAKeyTemplate ¶
func NewRSAKeyTemplate(usage Usage, options ...PublicTemplateOption) *tpm2.Public
NewRSAKeyTemplate returns a template for an RSA key with the specified usage. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- RSA key size of 2048 bits - customize with WithRSAKeyBits.
- No RSA scheme - customize with WithRSAScheme.
func NewRSAPublicKey ¶
func NewRSAPublicKey(key *rsa.PublicKey, options ...PublicTemplateOption) (*tpm2.Public, error)
NewRSAPublicKey returns a public area for the supplied RSA key which can be used to verify signatures. The public area can be customized with additional options.
Without any options, the public area will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- No RSA scheme - customize with WithRSAScheme.
The returned public area can be loaded into a TPM with tpm2.TPMContext.LoadExternal.
func NewRSAStorageKeyTemplate ¶
func NewRSAStorageKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
NewRSAStorageKeyTemplate returns a template for an RSA storage key. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- AES-128-CFB for the symmetric scheme - customize with WithSymmetricScheme.
- RSA key size of 2048 bits - customize with WithRSAKeyBits.
func NewSealedObject ¶
func NewSealedObject(rand io.Reader, data []byte, authValue tpm2.Auth, options ...PublicTemplateOption) (*tpm2.Public, *tpm2.Sensitive, error)
NewSealedObject returns a public and sensitive area for a sealed data object containing the supplied data and with the specified auth value. The supplied io.Reader is used to generate the seed parameter for the sensitive area. The public area can be customized with additional options.
Without any options, the public area will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
The returned public and sensitive area can be loaded into a TPM with tpm2.TPMContext.LoadExternal or imported into a hierarchy by creating an importable object with CreateImportable.
func NewSealedObjectTemplate ¶
func NewSealedObjectTemplate(options ...PublicTemplateOption) *tpm2.Public
NewSealedObjectTemplate returns a template for a sealed object. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
func NewSymmetricKey ¶
func NewSymmetricKey(rand io.Reader, usage Usage, key []byte, authValue tpm2.Auth, options ...PublicTemplateOption) (*tpm2.Public, *tpm2.Sensitive, error)
NewSymmetricKey returns a public and sensitive area for the supplied symmetric key with the specified usage and auth value. The supplied io.Reader is used to generate the seed parameter for the sensitive area. The public area can be customized with additional options.
Without any options, the public area will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- AES-128-CFB for the symmetric scheme - customize with WithSymmetricScheme.
The returned public and sensitive area can be loaded into a TPM with tpm2.TPMContext.LoadExternal or imported into a hierarchy by creating an importable object with CreateImportable.
func NewSymmetricKeyTemplate ¶
func NewSymmetricKeyTemplate(usage Usage, options ...PublicTemplateOption) *tpm2.Public
NewSymmetricKeyTemplate returns a template for a symmetric key with the specified usage. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Sensitive data generated by the TPM - customize with WithInternalSensitiveData and WithExternalSensitiveData.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- AES-128-CFB for the symmetric scheme - customize with WithSymmetricScheme.
func NewSymmetricStorageKeyTemplate ¶
func NewSymmetricStorageKeyTemplate(options ...PublicTemplateOption) *tpm2.Public
NewSymmetricStorageKeyTemplate returns a template for a symmetric storage key. The template can be customized by supplying additional options.
Without any options, the template will have the following properties:
- SHA-256 for the name algorithm - customize with WithNameAlg.
- Authorization with the object's auth value is permitted for both the user and admin roles - customize with WithUserAuthMode and WithAdminAuthMode.
- DA protected - customize with WithDictionaryAttackProtection and WithoutDictionaryAttackProtection.
- Sensitive data generated by the TPM - customize with WithInternalSensitiveData and WithExternalSensitiveData.
- Not duplicable - customize with WithProtectionGroupMode and WithDuplicationMode.
- AES-128-CFB for the symmetric scheme - customize with WithSymmetricScheme.
func UnwrapDuplicated ¶
func UnwrapDuplicated(duplicate tpm2.Private, public *tpm2.Public, privKey crypto.PrivateKey, outerHashAlg tpm2.HashAlgorithmId, outerSymmetricAlg *tpm2.SymDefObject, outerSecret tpm2.EncryptedSecret, innerSymmetricKey tpm2.Data, innerSymmetricAlg *tpm2.SymDefObject) (*tpm2.Sensitive, error)
UnwrapDuplicated unwraps the supplied duplication object and returns the corresponding sensitive area. The duplication object will normally be created by executing the tpm2.TPMContext.Duplicate command.
If outerSecret is supplied then it is assumed that the object has an outer duplication wrapper. For an object duplicated with tpm2.TPMContext.Duplicate, outerSecret is the secret structure returned by that command. In this case, privKey, outerHashAlg and outerSymmetricAlg must be supplied: privKey is the key that recovers the seed used to generate the outer wrapper (the new parent when using tpm2.TPMContext.Duplicate), outerHashAlg is the algorithm used for integrity checking and key derivation (the new parent's name algorithm when using tpm2.TPMContext.Duplicate) and must not be tpm2.HashAlgorithmNull, and outerSymmetricAlg defines the symmetric algorithm for the outer wrapper (the new parent's symmetric algorithm when using tpm2.TPMContext.Duplicate) and must not be tpm2.SymObjectAlgorithmNull.
If innerSymmetricAlg is supplied and the Algorithm field is not tpm2.SymObjectAlgorithmNull, then it is assumed that the object has an inner duplication wrapper. In this case, the symmetric key for the inner wrapper must be supplied using the innerSymmetricKey argument.
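MakeCredential (above) and the outer wrapper of CreateImportable/UnwrapDuplicated are the same construction from Part 1 of the TPM 2.0 library specification, differing only in the OAEP label ("IDENTITY" for credential protection, "DUPLICATE" for duplication) and in what the payload is (the credential or the sensitive area). The following added example, which is not objectutil's code, implements that seed-based wrapper with both the wrapping and the unwrapping side so the integrity check and the binding to the object name can be seen end to end. It fixes the parameters this page's templates default to (an RSA parent, SHA-256 name algorithm, AES-128-CFB); the inner wrapper and ECC parents (which derive the seed with ECDH instead of OAEP) are not shown. The object name is constructed rather than taken from a real public area:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// kdfa is TPM 2.0 KDFa (SP800-108 counter mode over HMAC-SHA-256): block i is
// HMAC(key, i || label || 0x00 || contextU || contextV || bits).
func kdfa(key []byte, label string, contextU, contextV []byte, bits int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < bits/8; counter++ {
		mac := hmac.New(sha256.New, key)
		mac.Write(binary.BigEndian.AppendUint32(nil, counter))
		mac.Write(append([]byte(label), 0))
		mac.Write(contextU)
		mac.Write(contextV)
		mac.Write(binary.BigEndian.AppendUint32(nil, uint32(bits)))
		out = mac.Sum(out)
	}
	return out[:bits/8]
}

// size2b prefixes data with its big-endian uint16 length (a TPM2B).
func size2b(data []byte) []byte {
	return append(binary.BigEndian.AppendUint16(nil, uint16(len(data))), data...)
}

// cfbZeroIV is AES-CFB with the zero IV the wrappers use (safe only because the key is fresh per wrap).
func cfbZeroIV(key, data []byte, encrypt bool) []byte {
	block, _ := aes.NewCipher(key) // key is always the 16 bytes kdfa returns
	iv := make([]byte, aes.BlockSize)
	s := cipher.NewCFBDecrypter(block, iv)
	if encrypt {
		s = cipher.NewCFBEncrypter(block, iv)
	}
	out := make([]byte, len(data))
	s.XORKeyStream(out, data)
	return out
}

// outerWrap: a random seed is RSA-OAEP encrypted to parent under label (the
// returned secret), AES-128 and HMAC keys are derived from the seed, and the
// blob is TPM2B(HMAC) || CFB(TPM2B(payload)). Mixing name into the KDF and the HMAC binds the blob to one loaded object.
func outerWrap(parent *rsa.PublicKey, label string, name, payload []byte) (blob, secret []byte, err error) {
	seed := make([]byte, sha256.Size)
	if _, err = rand.Read(seed); err != nil {
		return nil, nil, err
	}
	if secret, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, parent, seed, append([]byte(label), 0)); err != nil {
		return nil, nil, err
	}
	enc := cfbZeroIV(kdfa(seed, "STORAGE", name, nil, 128), size2b(payload), true)
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, nil, 256))
	mac.Write(enc)
	mac.Write(name)
	return append(size2b(mac.Sum(nil)), enc...), secret, nil
}

// outerUnwrap is the receiving side (TPM2_ActivateCredential / TPM2_Import):
// recover the seed, verify the HMAC before decrypting, strip the TPM2B prefix.
func outerUnwrap(parent *rsa.PrivateKey, label string, name, blob, secret []byte) ([]byte, error) {
	seed, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, parent, secret, append([]byte(label), 0))
	if err != nil {
		return nil, err
	}
	if len(blob) < 2+sha256.Size || binary.BigEndian.Uint16(blob) != sha256.Size {
		return nil, fmt.Errorf("malformed blob")
	}
	want, enc := blob[2:2+sha256.Size], blob[2+sha256.Size:]
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, nil, 256))
	mac.Write(enc)
	mac.Write(name)
	if !hmac.Equal(mac.Sum(nil), want) {
		return nil, fmt.Errorf("integrity check failed")
	}
	plain := cfbZeroIV(kdfa(seed, "STORAGE", name, nil, 128), enc, false)
	if len(plain) < 2 || int(binary.BigEndian.Uint16(plain)) != len(plain)-2 {
		return nil, fmt.Errorf("malformed payload")
	}
	return plain[2:], nil
}

func main() {
	parent, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	d := sha256.Sum256([]byte("constructed public area")) // stand-in for a marshalled TPMT_PUBLIC
	name := append([]byte{0x00, 0x0b}, d[:]...)            // TPM_ALG_SHA256 || digest
	blob, secret, err := outerWrap(&parent.PublicKey, "IDENTITY", name, []byte("activation credential"))
	if err != nil {
		panic(err)
	}
	cred, err := outerUnwrap(parent, "IDENTITY", name, blob, secret)
	fmt.Printf("recovered %q, err=%v\n", cred, err)
}
```

Two things the code makes concrete. The unwrapping side checks the HMAC before it decrypts anything, and the name is an input to both the key derivation and the HMAC, so a blob made for one object cannot be activated or imported with any other object even by a holder of the parent key; this is exactly what a verifier relies on when it issues a credential against an attestation key's name. Recovering the credential only proves that the far side holds the parent's private key and has an object with that name loaded, so whether that parent really is a TPM's endorsement key is a separate question, answered by validating its certificate, not by this wrapper.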
Types ¶
type AuthMode ¶
type AuthMode int
AuthMode represents an authorization mode for an object.
const (
	// AllowAuthValue indicates that an object's auth value can be used for authorization with a
	// passphrase or HMAC session, in addition to a policy session.
	AllowAuthValue AuthMode = iota + 1
	// RequirePolicy indicates that only a policy session can be used for authorization.
	RequirePolicy
)
type DuplicationMode ¶
type DuplicationMode int
DuplicationMode describes whether an object can be duplicated directly.
const (
	// FixedParent indicates that the object cannot be duplicated directly. This implies that
	// tpm2.AttrFixedParent is set.
	FixedParent DuplicationMode = iota + 1
	// DuplicationRoot indicates that the object is a duplication root. This implies that
	// tpm2.AttrFixedParent is not set.
	DuplicationRoot
	// DuplicationRootEncrypted indicates that the object is a duplication root and duplication
	// requires encryption. This implies that tpm2.AttrFixedParent is not set and
	// tpm2.AttrEncryptedDuplication is set.
	DuplicationRootEncrypted
)
type Named ¶
type Named interface {
Name() tpm2.Name
}
Named is some type that represents an object.
type ProtectionGroupMode ¶
type ProtectionGroupMode int
ProtectionGroupMode describes the protection group that an object is created within.
const (
	// NonDuplicable indicates that the protection group is not duplicable. This implies
	// tpm2.AttrFixedTPM and tpm2.AttrFixedParent are both set.
	NonDuplicable ProtectionGroupMode = iota + 1
	// Duplicable indicates that the protection group is duplicable. This implies that
	// tpm2.AttrFixedTPM is not set.
	Duplicable
	// DuplicableEncrypted indicates that the protection group is duplicable with encryption.
	// This implies that tpm2.AttrFixedTPM is not set and tpm2.AttrEncryptedDuplication is set.
	DuplicableEncrypted
)
type PublicTemplateOption ¶
type PublicTemplateOption func(*tpm2.Public)
PublicTemplateOption provides a way to customize the parameters of a public area or public template.
func WithAdminAuthMode ¶
func WithAdminAuthMode(mode AuthMode) PublicTemplateOption
WithAdminAuthMode returns an option that specifies the supplied mode should be used for authorization with the admin role.
func WithAuthPolicy ¶ added in v1.2.0
func WithAuthPolicy(policy tpm2.Digest) PublicTemplateOption
WithAuthPolicy returns an option that sets the specified authorization policy digest.
func WithDerivationScheme ¶
func WithDerivationScheme(hashAlg tpm2.HashAlgorithmId, kdf tpm2.KDFAlgorithmId) PublicTemplateOption
WithDerivationScheme returns an option for the specified derivation scheme. This will panic for objects with a type other than tpm2.ObjectTypeKeyedHash, a scheme other than tpm2.KeyedHashSchemeXOR, or objects that aren't parents. This option is intended for derivation parents.
func WithDictionaryAttackProtection ¶
func WithDictionaryAttackProtection() PublicTemplateOption
WithDictionaryAttackProtection returns an option that enables DA protection for an object.
func WithDuplicationMode ¶
func WithDuplicationMode(mode DuplicationMode) PublicTemplateOption
WithDuplicationMode returns an option for the specified duplication mode, which describes whether an object can be duplicated.
If mode is FixedParent then the tpm2.AttrFixedParent attribute is set.
If mode is DuplicationRoot, this unsets both tpm2.AttrFixedTPM and tpm2.AttrFixedParent, and doesn't change tpm2.AttrEncryptedDuplication. In this case, whether encrypted duplication is required will be determined by the protection group, which is inherited from the result of WithProtectionGroupMode.
If mode is DuplicationRootEncrypted, this behaves like DuplicationRoot but also sets tpm2.AttrEncryptedDuplication so that duplication requires encryption. Note that this is only valid if the protection group the object is created within is not duplicable (the parent object has the tpm2.AttrFixedTPM attribute set) or the protection group is already duplicable with encryption (the parent object has the tpm2.AttrFixedTPM attribute unset and the tpm2.AttrEncryptedDuplication attribute set).
func WithECCCurve ¶
func WithECCCurve(curve tpm2.ECCCurve) PublicTemplateOption
WithECCCurve returns an option for the specified elliptic curve. This will panic for objects with a type other than tpm2.ObjectTypeECC.
func WithECCScheme ¶
func WithECCScheme(scheme tpm2.ECCSchemeId, hashAlg tpm2.HashAlgorithmId) PublicTemplateOption
WithECCScheme returns an option for the specified ECC scheme. This will panic for objects with a type other than tpm2.ObjectTypeECC.
Attestation keys always have a signing scheme. Storage keys never have a scheme set. Key exchange or signing keys may have an appropriate scheme set.
func WithECCUnique ¶
func WithECCUnique(unique *tpm2.ECCPoint) PublicTemplateOption
WithECCUnique returns an option for the specified public identity. This will panic for objects with a type other than tpm2.ObjectTypeECC.
This is useful when creating templates for primary keys.
func WithExternalSensitiveData ¶
func WithExternalSensitiveData() PublicTemplateOption
WithExternalSensitiveData returns an option that indicates the sensitive data for an object was or is to be generated outside of the TPM.
func WithHMACDigest ¶
func WithHMACDigest(alg tpm2.HashAlgorithmId) PublicTemplateOption
WithHMACDigest returns an option for the specified HMAC digest algorithm. This will panic for objects with a type other than tpm2.ObjectTypeKeyedHash and a scheme other than tpm2.KeyedHashSchemeHMAC.
func WithInternalSensitiveData ¶
func WithInternalSensitiveData() PublicTemplateOption
WithInternalSensitiveData returns an option that indicates the sensitive data for an object was or is to be generated by the TPM.
func WithKeyedHashUnique ¶
func WithKeyedHashUnique(unique tpm2.Digest) PublicTemplateOption
WithKeyedHashUnique returns an option for the specified public identity. This will panic for objects with a type other than tpm2.ObjectTypeKeyedHash.
This is useful when creating templates for primary keys.
func WithNameAlg ¶
func WithNameAlg(alg tpm2.HashAlgorithmId) PublicTemplateOption
WithNameAlg returns an option for the specified name algorithm.
func WithProtectionGroupMode ¶
func WithProtectionGroupMode(mode ProtectionGroupMode) PublicTemplateOption
WithProtectionGroupMode returns an option for the specified protection group mode, which describes the hierarchy that an object is created within.
If mode is NonDuplicable, then tpm2.AttrFixedTPM will be set and tpm2.AttrEncryptedDuplication will be unset. tpm2.AttrFixedParent will also be set, which is equivalent to setting DuplicationMode to FixedParent.
If mode is Duplicable, then both tpm2.AttrFixedTPM and tpm2.AttrEncryptedDuplication will be unset.
If mode is DuplicableEncrypted, then tpm2.AttrFixedTPM will be unset and tpm2.AttrEncryptedDuplication will be set.
func WithProtectionGroupModeFromParent ¶ added in v1.2.0
func WithProtectionGroupModeFromParent(parent *tpm2.Public) PublicTemplateOption
WithProtectionGroupModeFromParent returns an option that sets the protection group mode based on the attributes of the supplied parent public area.
func WithRSAKeyBits ¶
func WithRSAKeyBits(keyBits uint16) PublicTemplateOption
WithRSAKeyBits returns an option for the specified RSA key size in bits. This will panic for objects with a type other than tpm2.ObjectTypeRSA.
func WithRSAParams ¶
func WithRSAParams(keyBits uint16, exponent uint32) PublicTemplateOption
WithRSAParams returns an option for the specified RSA key size in bits and the specified public exponent. This will panic for objects with a type other than tpm2.ObjectTypeRSA.
func WithRSAScheme ¶
func WithRSAScheme(scheme tpm2.RSASchemeId, hashAlg tpm2.HashAlgorithmId) PublicTemplateOption
WithRSAScheme returns an option for the specified RSA scheme. This will panic for objects with a type other than tpm2.ObjectTypeRSA.
Attestation keys always have a signing scheme. Storage keys never have a scheme set. Decrypt or signing keys may have an appropriate scheme set.
func WithRSAUnique ¶
func WithRSAUnique(unique tpm2.PublicKeyRSA) PublicTemplateOption
WithRSAUnique returns an option for the specified public identity. This will panic for objects with a type other than tpm2.ObjectTypeRSA.
This is useful when creating templates for primary keys.
func WithSymmetricScheme ¶
func WithSymmetricScheme(alg tpm2.SymObjectAlgorithmId, keyBits uint16, mode tpm2.SymModeId) PublicTemplateOption
WithSymmetricScheme returns an option for the specified symmetric scheme (algorithm, key size and mode). This will panic for objects with the type tpm2.ObjectTypeKeyedHash.
Symmetric keys and asymmetric storage keys always have a symmetric scheme. Other keys never have a symmetric scheme. Only tpm2.SymModeCFB is valid for storage keys.
func WithSymmetricUnique ¶
func WithSymmetricUnique(unique tpm2.Digest) PublicTemplateOption
WithSymmetricUnique returns an option for the specified public identity. This will panic for objects with a type other than tpm2.ObjectTypeSymCipher.
This is useful when creating templates for primary keys.
func WithUserAuthMode ¶
func WithUserAuthMode(mode AuthMode) PublicTemplateOption
WithUserAuthMode returns an option that specifies the supplied mode should be used for authorization with the user role.
func WithoutDictionaryAttackProtection ¶
func WithoutDictionaryAttackProtection() PublicTemplateOption
WithoutDictionaryAttackProtection returns an option that disables DA protection for an object.