util

package
v1.7.7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 14, 2024 License: LGPL-3.0 Imports: 16 Imported by: 6

Documentation

Overview

Package util contains helper functions that are useful when using go-tpm2.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeCpHash deprecated

func ComputeCpHash(alg tpm2.HashAlgorithmId, command tpm2.CommandCode, handles []Entity, params ...interface{}) (tpm2.Digest, error)

ComputeCpHash computes a command parameter digest from the specified command code, the supplied handles, and parameters using the specified digest algorithm.

The required parameters is defined in part 3 of the TPM 2.0 Library Specification for the specific command.

The result of this is useful for extended authorization commands that bind an authorization to a command and set of command parameters, such as tpm2.TPMContext.PolicySigned, tpm2.TPMContext.PolicySecret, tpm2.TPMContext.PolicyTicket and tpm2.TPMContext.PolicyCpHash.

Deprecated: Use policyutil.ComputeCpHash.

func ComputePCRDigest deprecated

func ComputePCRDigest(alg tpm2.HashAlgorithmId, pcrs tpm2.PCRSelectionList, values tpm2.PCRValues) (tpm2.Digest, error)

ComputePCRDigest computes a digest using the specified algorithm from the provided set of PCR values and the provided PCR selections. The digest is computed the same way as PCRComputeCurrentDigest as defined in the TPM reference implementation. It is most useful for computing an input to tpm2.TPMContext.PolicyPCR or TrialAuthPolicy.PolicyPCR, and for validating quotes and creation data.

Deprecated: use policyutil.ComputePCRDigest.

func ComputePCRDigestFromAllValues deprecated

func ComputePCRDigestFromAllValues(alg tpm2.HashAlgorithmId, values tpm2.PCRValues) (tpm2.PCRSelectionList, tpm2.Digest, error)

ComputePCRDigestFromAllValues computes a digest using the specified algorithm from all of the provided set of PCR values. The digest is computed the same way as PCRComputeCurrentDigest as defined in the TPM reference implementation. It returns the PCR selection associated with the computed digest.

Deprecated: use policyutil.ComputePCRDigestFromAllValues.

func ComputePolicyAuthorizeDigest deprecated

func ComputePolicyAuthorizeDigest(alg tpm2.HashAlgorithmId, approvedPolicy tpm2.Digest, policyRef tpm2.Nonce) (tpm2.Digest, error)

ComputePolicyAuthorizeDigest computes a digest to sign from the supplied authorization policy digest and policy reference. The resulting digest can be signed to authorize the supplied policy with the TPM2_PolicyAuthorize assertion, using the tpm2.TPMContext.PolicyAuthorize function.

Deprecated: Use policyutil.ComputePolicyAuthorizationTBSDigest.

func ComputeQualifiedName deprecated

func ComputeQualifiedName(entity Entity, rootQn tpm2.Name, ancestors ...Entity) (tpm2.Name, error)

ComputeQualifiedName computes the qualified name of an object from the specified qualified name of a root object and a list of ancestor object. The ancestor objects are ordered starting with the immediate child of the object associated with the root qualified name.

Deprecated: Use objectutil.ComputeQualifiedName.

func ComputeQualifiedNameInHierarchy deprecated added in v0.9.9

func ComputeQualifiedNameInHierarchy(entity Entity, hierarchy tpm2.Handle, ancestors ...Entity) (tpm2.Name, error)

ComputeQualifiedNameInHierarchy computes the qualified name of an object protected in the specified hierarchy from a list of ancestor object. The ancestor objects are ordered starting from the primary object.

Deprecated: Use objectutil.ComputeQualifiedNameInHierarchy.

func CreateDuplicationObject deprecated added in v0.9.9

func CreateDuplicationObject(sensitive *tpm2.Sensitive, public, parentPublic *tpm2.Public, innerSymmetricKey tpm2.Data, innerSymmetricAlg *tpm2.SymDefObject) (innerSymmetricKeyOut tpm2.Data, duplicate tpm2.Private, outerSecret tpm2.EncryptedSecret, err error)

CreateDuplicationObject creates a duplication object that can be imported in to a TPM with the tpm2.TPMContext.Import command from the supplied sensitive area.

If parentPublic is supplied, an outer duplication wrapper will be applied to the duplication object. The parentPublic argument should correspond to the public area of the storage key to which the duplication object will be imported. A secret structure will be returned as tpm2.EncryptedSecret which can be used by the private part of parentPublic in order to recover the seed used to generate the outer wrapper.

If innerSymmetricAlg is supplied and the Algorithm field is not tpm2.SymObjectAlgorithmNull, this function will apply an inner duplication wrapper to the duplication object. If innerSymmetricKey is supplied, it will be used as the symmetric key for the inner wrapper. It must have a size appropriate for the selected symmetric algorithm. If innerSymmetricKey is not supplied, a symmetric key will be created and returned as tpm2.Data.

Deprecated: Use objectutil.CreateImportable.

func MakeCredential deprecated

func MakeCredential(key *tpm2.Public, credential tpm2.Digest, objectName tpm2.Name) (credentialBlob tpm2.IDObjectRaw, secret tpm2.EncryptedSecret, err error)

MakeCredential performs the duties of a certificate authority in order to create an activation credential. It establishes a seed which is used to protect the activation credential (see section 24 - "Credential Protection" of Part 1 of the Trusted Platform Module Library specification).

The encrypted and integrity protected credential blob and a secret are returned, and these can be supplied to the TPM2_ActivateCredential command on the TPM on which both the private part of key and the object associated with objectName are loaded in order to recover the activation credential.

Deprecated: Use objectutil.MakeCredential.

func NewExternalECCPublicKey deprecated

func NewExternalECCPublicKey(nameAlg tpm2.HashAlgorithmId, usage templates.KeyUsage, scheme *tpm2.ECCScheme, key *ecdsa.PublicKey) *tpm2.Public

NewExternalECCPublicKey creates a public area from the supplied elliptic public key with the specified name algorithm, key usage and scheme, for use with the tpm2.TPMContext.LoadExternal command. If nameAlg is tpm2.HashAlgorithmNull, then tpm2.HashAlgorithmSHA256 is used. If no usage is specified, the public area will include both sign and decrypt attributes.

Deprecated: Use github.com/canonical/go-tpm2/object.NewECCPublicKey.

func NewExternalECCPublicKeyWithDefaults deprecated

func NewExternalECCPublicKeyWithDefaults(usage templates.KeyUsage, key *ecdsa.PublicKey) *tpm2.Public

NewExternalECCPublicKeyWithDefaults creates a public area from the supplied elliptic public key with the specified key usage, SHA256 as the name algorithm and the scheme unset, for use with the tpm2.TPMContext.LoadExternal command. If no usage is specified, the public area will include both sign and decrypt attributes.

Deprecated: Use github.com/canonical/go-tpm2/object.NewECCPublicKey.

func NewExternalHMACKey deprecated

func NewExternalHMACKey(nameAlg, schemeAlg tpm2.HashAlgorithmId, authValue tpm2.Auth, key []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalHMACKey creates both the public and sensitive areas for the supplied HMAC key with the specified name algorithm, scheme algorithm and auth value. If nameAlg is tpm2.HashAlgorithmNull, then tpm2.HashAlgorithmSHA256 is used. If schemeAlg is tpm2.HashAlgorithmNull, then nameAlg is used.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObject for importing into a TPM.

The public area has the tpm2.AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the tpm2.AttrUserWithAuth attribute.

Deprecated: Use github.com/canonical/go-tpm2/object.NewHMACKey.

func NewExternalHMACKeyWithDefaults deprecated

func NewExternalHMACKeyWithDefaults(authValue tpm2.Auth, key []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalHMACKeyWithDefaults creates both the public and sensitive areas for the supplied HMAC key with the specified auth value and with SHA256 as both the name and scheme algorithm.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObject for importing into a TPM.

The public area has the tpm2.AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the tpm2.AttrUserWithAuth attribute.

Deprecated: Use github.com/canonical/go-tpm2/object.NewHMACKey.

func NewExternalRSAPublicKey deprecated

func NewExternalRSAPublicKey(nameAlg tpm2.HashAlgorithmId, usage templates.KeyUsage, scheme *tpm2.RSAScheme, key *rsa.PublicKey) *tpm2.Public

NewExternalRSAPublicKey creates a public area from the supplied RSA public key with the specified name algorithm, key usage and scheme, for use with the tpm2.TPMContext.LoadExternal command. If nameAlg is tpm2.HashAlgorithmNull, then tpm2.HashAlgorithmSHA256 is used. If no usage is specified, the public area will include both sign and decrypt attributes.

Deprecated: Use github.com/canonical/go-tpm2/object.NewRSAPublicKey.

func NewExternalRSAPublicKeyWithDefaults deprecated

func NewExternalRSAPublicKeyWithDefaults(usage templates.KeyUsage, key *rsa.PublicKey) *tpm2.Public

NewExternalRSAPublicKeyWithDefaults creates a public area from the supplied RSA with the specified key usage, SHA256 as the name algorithm and the scheme unset, for use with the tpm2.TPMContext.LoadExternal command. If no usage is specified, the public area will include both sign and decrypt attributes.

Deprecated: Use github.com/canonical/go-tpm2/object.NewRSAPublicKey.

func NewExternalSealedObject deprecated

func NewExternalSealedObject(nameAlg tpm2.HashAlgorithmId, authValue tpm2.Auth, data []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalSealedObject creates both the public and sensitive areas for a sealed object containing the supplied data, with the specified name algorithm and authorization value. If nameAlgorithm is tpm2.HashAlgorithmNull, then tpm2.HashAlgorithmSHA256 is used.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObject for importing into a TPM.

The public area has the tpm2.AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the tpm2.AttrUserWithAuth attribute.

Deprecated: Use github.com/canonical/go-tpm2/object.NewSealedObject.

func PolicyAuthorize deprecated

func PolicyAuthorize(key crypto.PrivateKey, scheme *tpm2.SigScheme, approvedPolicy tpm2.Digest, policyRef tpm2.Nonce) (tpm2.Digest, *tpm2.Signature, error)

PolicyAuthorize authorizes an authorization policy digest with the supplied key and signature scheme. The resulting digest and signature can be verified by the TPM in order to produce a ticket that can then be supplied to a TPM2_PolicyAuthorize assertion, using the tpm2.TPMContext.VerifySignature and tpm2.TPMContext.PolicyAuthorize functions.

The digest algorithm used for the signature must match the name algorithm in the public area associated with the supplied private key.

Deprecated: Use policyutil.SignPolicyAuthorize.

func Sign deprecated

func Sign(key crypto.PrivateKey, scheme *tpm2.SigScheme, digest []byte) (*tpm2.Signature, error)

Sign creates a signature of the supplied digest using the supplied private key and signature scheme. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures can be created. The returned signature can be verified on a TPM using the associated public key.

In order to create a HMAC, the supplied private key should be a byte slice containing the HMAC key.

Deprecated: Use cryptutil.Sign instead.

func SignPolicyAuthorization deprecated

func SignPolicyAuthorization(key crypto.PrivateKey, scheme *tpm2.SigScheme, nonceTPM tpm2.Nonce, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32) (*tpm2.Signature, error)

SignPolicyAuthorization creates a signed authorization using the supplied key and signature scheme. The signed authorization can be used in a TPM2_PolicySigned assertion using the tpm2.TPMContext.PolicySigned function. The authorizing party can apply contraints on how the session that includes this authorization can be used.

If nonceTPM is supplied, then the signed authorization can only be used for the session associated with the supplied nonce.

If expiration is non-zero, then the signed authorization is only valid for the specified number of seconds from when nonceTPM was generated.

If cpHash is supplied, then the signed authorization is only valid for use in a command with the associated command code and set of command parameters. The command parameter digest can be computed using ComputeCpHash.

Deprecated: Use policyutil.SignPolicySignedAuthorization.

func UnwrapDuplicationObject deprecated added in v0.9.9

func UnwrapDuplicationObject(duplicate tpm2.Private, public *tpm2.Public, privKey crypto.PrivateKey, outerHashAlg tpm2.HashAlgorithmId, outerSymmetricAlg *tpm2.SymDefObject, outerSecret tpm2.EncryptedSecret, innerSymmetricKey tpm2.Data, innerSymmetricAlg *tpm2.SymDefObject) (*tpm2.Sensitive, error)

UnwrapDuplicationObject unwraps the supplied duplication object and returns the corresponding sensitive area. The duplication object will normally be created by executing the tpm2.TPMContext.Duplicate command.

If outerSecret is supplied then it is assumed that the object has an outer duplication wrapper. For an object duplicated with tpm2.TPMContext.Duplicate, outerSecret is the secret structure returned by this command. In this case, privKey, outerHashAlg and outerSymmetricAlg must be supplied - privKey is the key that recovers the seed used to generate the outer wrapper (the new parent when using tpm2.TPMContext.Duplicate), outerHashAlg is the algorithm used for integrity checking and key derivation (the new parent's name algorithm when using tpm2.TPMContext.Duplicate) and must not be tpm2.HashAlgorithmNull, and outerSymmetricAlg defines the symmetric algorithm for the outer wrapper (the new parent's symmetric algorithm when using tpm2.TPMContext.Duplicate) and must not be tpm2.SymObjectAlgorithmNull).

If innerSymmetricAlg is supplied and the Algorithm field is not tpm2.SymObjectAlgorithmNull, then it is assumed that the object has an inner duplication wrapper. In this case, the symmetric key for the inner wrapper must be supplied using the innerSymmetricKey argument.

Deprecated: Use objectutil.UnwrapDuplicated.

func VerifyAttestationSignature

func VerifyAttestationSignature(key crypto.PublicKey, attest *tpm2.Attest, signature *tpm2.Signature) (ok bool, err error)

VerifyAttestationSignature verifies the signature for the supplied attestation structure as generated by one of the TPM's attestation commands. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures are supported.

In order to verify a HMAC signature, the supplied public key should be a byte slice containing the HMAC key.

func VerifySignature deprecated

func VerifySignature(key crypto.PublicKey, digest []byte, signature *tpm2.Signature) (ok bool, err error)

VerifySignature verifies a signature created by a TPM using the supplied public key. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures are supported.

In order to verify a HMAC signature, the supplied public key should be a byte slice containing the HMAC key.

Deprecated: Use cryptutil.Verify instead.

Types

type Entity added in v0.9.9

type Entity = objectutil.Named

Entity is a type that has a name.

type TrialAuthPolicy deprecated

type TrialAuthPolicy struct {
	// contains filtered or unexported fields
}

TrialAuthPolicy provides a mechanism for computing authorization policy digests without having to execute a trial authorization policy session on the TPM. An advantage of this is that it is possible to compute digests for PolicySecret and PolicyNV assertions without knowledge of the authorization value of the authorizing entities used for those commands.

Deprecated: Use policyutil.PolicyBuilder.

func ComputeAuthPolicy deprecated

func ComputeAuthPolicy(alg tpm2.HashAlgorithmId) *TrialAuthPolicy

ComputeAuthPolicy creates a new context for computing an authorization policy digest. It will panic if the specified algorithm is not available. The caller should check this beforehand.

Deprecated: Use policyutil.NewPolicyBuilder.

func (*TrialAuthPolicy) GetDigest

func (p *TrialAuthPolicy) GetDigest() tpm2.Digest

GetDigest returns the current digest computed for the policy assertions executed so far.

func (*TrialAuthPolicy) PolicyAuthValue

func (p *TrialAuthPolicy) PolicyAuthValue()

PolicyAuthValue computes a TPM2_PolicyAuthValue assertion.

func (*TrialAuthPolicy) PolicyAuthorize

func (p *TrialAuthPolicy) PolicyAuthorize(policyRef tpm2.Nonce, key Entity)

PolicyAuthorize computes a TPM2_PolicyAuthorize assertion for the key with the specified name and the specified policyRef.

func (*TrialAuthPolicy) PolicyCommandCode

func (p *TrialAuthPolicy) PolicyCommandCode(code tpm2.CommandCode)

PolicyCommandCode computes a TPM2_PolicyCommandCode assertion for the specified command code.

func (*TrialAuthPolicy) PolicyCounterTimer

func (p *TrialAuthPolicy) PolicyCounterTimer(operandB tpm2.Operand, offset uint16, operation tpm2.ArithmeticOp)

PolicyCounterTimer computes a TPM2_PolicyCounterTimer assertion for the specified comparison operation.

func (*TrialAuthPolicy) PolicyCpHash

func (p *TrialAuthPolicy) PolicyCpHash(cpHashA tpm2.Digest)

PolicyCpHash computes a TPM2_PolicyCpHash assertion for the command parameters associated with the specified hash.

func (*TrialAuthPolicy) PolicyDuplicationSelect

func (p *TrialAuthPolicy) PolicyDuplicationSelect(object, newParent Entity, includeObject bool)

PolicyDuplicationSelect computes a TPM2_PolicyDuplicationSelect assertion for the object and parent object with the specified names.

func (*TrialAuthPolicy) PolicyNV

func (p *TrialAuthPolicy) PolicyNV(nvIndex Entity, operandB tpm2.Operand, offset uint16, operation tpm2.ArithmeticOp)

PolicyNV computes a TPM2_PolicyNV assertion executed for an index for the specified name, with the specified comparison operation.

func (*TrialAuthPolicy) PolicyNameHash

func (p *TrialAuthPolicy) PolicyNameHash(nameHash tpm2.Digest)

PolicyNameHash computes a TPM2_PolicyNameHash assertion with for the entities associated with the specified name digest.

func (*TrialAuthPolicy) PolicyNvWritten

func (p *TrialAuthPolicy) PolicyNvWritten(writtenSet bool)

PolicyNvWritten computes a TPM2_PolicyNvWritten assertion

func (*TrialAuthPolicy) PolicyOR

func (p *TrialAuthPolicy) PolicyOR(pHashList tpm2.DigestList)

PolicyOR computes a TPM2_PolicyOR assertion executed for the specified digests. It will panic if there are fewer than 2 or more than 8 digests, or if any digest has the wrong size.

func (*TrialAuthPolicy) PolicyPCR

func (p *TrialAuthPolicy) PolicyPCR(pcrDigest tpm2.Digest, pcrs tpm2.PCRSelectionList)

PolicyPCR computes a TPM2_PolicyPCR assertion executed for the specified PCR selection and with PCR values associated with the specified PCR digest.

If generating policy for non PC client TPM devices, make sure to call tpm2.PCRSelectionList.WithMinSelectSize with an appropriate value defined in the TPM's platform profile specification.

func (*TrialAuthPolicy) PolicyPassword

func (p *TrialAuthPolicy) PolicyPassword()

PolicyPassword computes a TPM2_PolicyPassword assertion.

func (*TrialAuthPolicy) PolicySecret

func (p *TrialAuthPolicy) PolicySecret(auth Entity, policyRef tpm2.Nonce)

PolicySecret computes a TPM2_PolicySecret assertion executed for an object with the specified name and the specified policyRef.

func (*TrialAuthPolicy) PolicySigned

func (p *TrialAuthPolicy) PolicySigned(auth Entity, policyRef tpm2.Nonce)

PolicySigned computes a TPM2_PolicySigned assertion executed for a key with the specified name and the specified policyRef.

func (*TrialAuthPolicy) Reset

func (p *TrialAuthPolicy) Reset()

Reset clears the current digest.

func (*TrialAuthPolicy) SetDigest

func (p *TrialAuthPolicy) SetDigest(d tpm2.Digest)

SetDigests overwrites the current digest. It will panic if the supplied digest is not the correct size.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL