util

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 17, 2023 License: LGPL-3.0 Imports: 19 Imported by: 6

Documentation

Overview

Package util contains helper functions that are useful when using go-tpm2.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeCpHash 

func ComputeCpHash(alg tpm2.HashAlgorithmId, command tpm2.CommandCode, handles []Entity, params ...interface{}) (tpm2.Digest, error)

ComputeCpHash computes a command parameter digest from the specified command code, the supplied handles (identified by their names) and parameters using the specified digest algorithm.

The required parameters is defined in part 3 of the TPM 2.0 Library Specification for the specific command.

The result of this is useful for extended authorization commands that bind an authorization to a command and set of command parameters, such as TPMContext.PolicySigned, TPMContext.PolicySecret, TPMContext.PolicyTicket and TPMContext.PolicyCpHash.

func ComputePCRDigest 

func ComputePCRDigest(alg tpm2.HashAlgorithmId, pcrs tpm2.PCRSelectionList, values tpm2.PCRValues) (tpm2.Digest, error)

ComputePCRDigest computes a digest using the specified algorithm from the provided set of PCR values and the provided PCR selections. The digest is computed the same way as PCRComputeCurrentDigest as defined in the TPM reference implementation. It is most useful for computing an input to TPMContext.PolicyPCR or TrialAuthPolicy.PolicyPCR, and for validating quotes and creation data.

func ComputePCRDigestFromAllValues 

func ComputePCRDigestFromAllValues(alg tpm2.HashAlgorithmId, values tpm2.PCRValues) (tpm2.PCRSelectionList, tpm2.Digest, error)

ComputePCRDigestFromAllValues computes a digest using the specified algorithm from all of the provided set of PCR values. The digest is computed the same way as PCRComputeCurrentDigest as defined in the TPM reference implementation. It returns the PCR selection associated with the computed digest.

func ComputePolicyAuthorizeDigest 

func ComputePolicyAuthorizeDigest(alg tpm2.HashAlgorithmId, approvedPolicy tpm2.Digest, policyRef tpm2.Nonce) (tpm2.Digest, error)

ComputePolicyAuthorizeDigest computes a digest to sign from the supplied authorization policy digest and policy reference. The resulting digest can be signed to authorize the supplied policy with the TPM2_PolicyAuthorize assertion.

func ComputeQualifiedName 

func ComputeQualifiedName(entity Entity, rootQn tpm2.Name, ancestors ...Entity) (tpm2.Name, error)

ComputeQualifiedName computes the qualified name of an object from the specified qualified name of a root object and a list of ancestor objects. The ancestor objects are ordered starting with the immediate child of the object associated with the root qualified name.

func ComputeQualifiedNameInHierarchy added in v0.9.9 

func ComputeQualifiedNameInHierarchy(entity Entity, hierarchy tpm2.Handle, ancestors ...Entity) (tpm2.Name, error)

ComputeQualifiedNameInHierarchy computes the qualified name of an object protected in the specified hierarchy from a list of ancestor objects. The ancestor objects are ordered starting from the primary object.

func CreateDuplicationObject added in v0.9.9 

func CreateDuplicationObject(sensitive *tpm2.Sensitive, public, parentPublic *tpm2.Public, innerSymmetricKey tpm2.Data, innerSymmetricAlg *tpm2.SymDefObject) (innerSymmetricKeyOut tpm2.Data, duplicate tpm2.Private, outerSecret tpm2.EncryptedSecret, err error)

CreateDuplicationObject creates a duplication object that can be imported in to a TPM with the TPM2_Import command from the supplied sensitive area.

If parentPublic is supplied, an outer wrapper will be applied to the duplication object. The parentPublic argument should correspond to the public area of the storage key to which the duplication object will be imported. When applying the outer wrapper, the seed used to derive the symmetric key and HMAC key will be encrypted using parentPublic and returned.

If innerSymmetricAlg is supplied and the Algorithm field is not SymObjectAlgorithmNull, this function will apply an inner wrapper to the duplication object. If innerSymmetricKey is supplied, it will be used as the symmetric key for the inner wrapper. It must have a size appropriate for the selected symmetric algorithm. If innerSymmetricKey is not supplied, a symmetric key will be created and returned.

func MakeCredential 

func MakeCredential(key *tpm2.Public, credential tpm2.Digest, objectName tpm2.Name) (credentialBlob tpm2.IDObjectRaw, secret tpm2.EncryptedSecret, err error)

MakeCredential performs the duties of a certificate authority in order to create an activation credential. It produces a seed and encrypts this with the supplied public key. The seed and supplied object name is then used to apply an outer wrapper to the credential.

The encrypted credential blob and encrypted seed are returned, and these can be passed to the TPM2_ActivateCredential on the TPM on which both the private part of key and the object associated with objectName are loaded.

func NewExternalECCPublicKey 

func NewExternalECCPublicKey(nameAlg tpm2.HashAlgorithmId, usage templates.KeyUsage, scheme *tpm2.ECCScheme, key *ecdsa.PublicKey) *tpm2.Public

NewExternalECCPublicKey creates a public area from the supplied elliptic public key with the specified name algorithm, key usage and scheme, for use with the TPM2_LoadExternal command. If nameAlg is HashAlgorithmNull, then HashAlgorithmSHA256 is used. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalECCPublicKeyWithDefaults 

func NewExternalECCPublicKeyWithDefaults(usage templates.KeyUsage, key *ecdsa.PublicKey) *tpm2.Public

NewExternalECCPublicKeyWithDefaults creates a public area from the supplied elliptic public key with the specified key usage, SHA256 as the name algorithm and the scheme unset, for use with the TPM2_LoadExternal command. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalHMACKey 

func NewExternalHMACKey(nameAlg, schemeAlg tpm2.HashAlgorithmId, authValue tpm2.Auth, key []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalHMACKey creates both the public and sensitive areas for the supplied HMAC key with the specified name algorithm, scheme algorithm and auth value. If nameAlg is HashAlgorithmNull, then HashAlgorithmSHA256 is used. If schemeAlg is HashAlgorithmNull, then nameAlg is used.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObject for importing into a TPM.

The public area has the AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the AttrUserWithAuth attribute.

func NewExternalHMACKeyWithDefaults 

func NewExternalHMACKeyWithDefaults(authValue tpm2.Auth, key []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalHMACKeyWithDefaults creates both the public and sensitive areas for the supplied HMAC key with the specified auth value and with SHA256 as both the name and scheme algorithm.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObject for importing into a TPM.

The public area has the AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the AttrUserWithAuth attribute.

func NewExternalRSAPublicKey 

func NewExternalRSAPublicKey(nameAlg tpm2.HashAlgorithmId, usage templates.KeyUsage, scheme *tpm2.RSAScheme, key *rsa.PublicKey) *tpm2.Public

NewExternalRSAPublicKey creates a public area from the supplied RSA public key with the specified name algorithm, key usage and scheme, for use with the TPM2_LoadExternal command. If nameAlg is HashAlgorithmNull, then HashAlgorithmSHA256 is used. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalRSAPublicKeyWithDefaults 

func NewExternalRSAPublicKeyWithDefaults(usage templates.KeyUsage, key *rsa.PublicKey) *tpm2.Public

NewExternalRSAPublicKeyWithDefaults creates a public area from the supplied RSA with the specified key usage, SHA256 as the name algorithm and the scheme unset, for use with the TPM2_LoadExternal command. If no usage is specified, the public area will include both sign and decrypt attributes.

func NewExternalSealedObject 

func NewExternalSealedObject(nameAlg tpm2.HashAlgorithmId, authValue tpm2.Auth, data []byte) (*tpm2.Public, *tpm2.Sensitive)

NewExternalSealedObject creates both the public and sensitive areas for a sealed object containing the supplied data, with the specified name algorithm and authorization value. If nameAlgorithm is HashAlgorithmNull, then HashAlgorithmSHA256 is used.

It will panic if authValue is larger than the size of the name algorithm.

The returned public and sensitive areas can be made into a duplication object with CreateDuplicationObject for importing into a TPM.

The public area has the AttrUserWithAuth set in order to permit authentication for the user auth role using the sensitive area's authorization value. In order to require authentication for the user auth role using an authorization policy, remove the AttrUserWithAuth attribute.

func PolicyAuthorize 

func PolicyAuthorize(key crypto.PrivateKey, scheme *tpm2.SigScheme, approvedPolicy tpm2.Digest, policyRef tpm2.Nonce) (tpm2.Digest, *tpm2.Signature, error)

PolicyAuthorize authorizes an authorization policy digest with the supplied key and signature scheme. The resulting digest and signature can be verified by the TPM in order to produce a ticket that can then be supplied to a TPM2_PolicyAuthorize assertion.

The digest algorithm used for the signature must match the name algorithm in the public area associated with the supplied private key.

func Sign 

func Sign(key crypto.PrivateKey, scheme *tpm2.SigScheme, digest []byte) (*tpm2.Signature, error)

Sign creates a signature of the supplied digest using the supplied private key and signature scheme. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures can be created. The returned signature can be verified on a TPM using the associated public key.

In order to create a HMAC, the supplied private key should be a byte slice containing the HMAC key.

func SignPolicyAuthorization 

func SignPolicyAuthorization(key crypto.PrivateKey, scheme *tpm2.SigScheme, nonceTPM tpm2.Nonce, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32) (*tpm2.Signature, error)

SignPolicyAuthorization creates a signed authorization using the supplied key and signature scheme. The signed authorization can be used in a TPM2_PolicySigned assertion. The authorizing party can apply contraints on how the session that includes this authorization can be used.

If nonceTPM is supplied, then the signed authorization can only be used for the session associated with the supplied nonce.

If expiration is non-zero, then the signed authorization is only valid for the specified number of seconds from when nonceTPM was generated.

If cpHash is supplied, then the signed authorization is only valid for use in a command with the associated set of command parameters.

func UnwrapDuplicationObject added in v0.9.9 

func UnwrapDuplicationObject(duplicate tpm2.Private, public *tpm2.Public, privKey crypto.PrivateKey, outerHashAlg tpm2.HashAlgorithmId, outerSymmetricAlg *tpm2.SymDefObject, outerSecret tpm2.EncryptedSecret, innerSymmetricKey tpm2.Data, innerSymmetricAlg *tpm2.SymDefObject) (*tpm2.Sensitive, error)

UnwrapDuplicationObject unwraps the supplied duplication object and returns the corresponding sensitive area. The duplication object will normally be created by executing the TPM2_Duplicate command.

If outerSecret is supplied then it is assumed that the object has an outer wrapper. For an object duplicated with TPM2_Duplicate, outerSecret is the seed returned by this command. In this case, privKey, outerHashAlg and outerSymmetricAlg must be supplied - privKey is the key with which outerSecret is protected (the new parent when using TPM2_Duplicate), outerHashAlg is the algorithm used for integrity checking and key derivation (the new parent's name algorithm when using TPM2_Duplicate) and must not be HashAlgorithmNull, and outerSymmetricAlg defines the symmetric algorithm for the outer wrapper (the new parent's symmetric algorithm when using TPM2_Duplicate) and must not be SymObjectAlgorithmNull).

If innerSymmetricAlg is supplied and the Algorithm field is not SymObjectAlgorithmNull, then it is assumed that the object has an inner wrapper. In this case, the symmetric key for the inner wrapper must be supplied using the innerSymmetricKey argument.

func VerifyAttestationSignature 

func VerifyAttestationSignature(key crypto.PublicKey, attest *tpm2.Attest, signature *tpm2.Signature) (ok bool, err error)

VerifyAttestationSignature verifies the signature for the supplied attestation structure as generated by one of the TPM's attestation commands. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures are supported.

In order to verify a HMAC signature, the supplied public key should be a byte slice containing the HMAC key.

func VerifySignature 

func VerifySignature(key crypto.PublicKey, digest []byte, signature *tpm2.Signature) (ok bool, err error)

VerifySignature verifies a signature created by a TPM using the supplied public key. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures are supported.

In order to verify a HMAC signature, the supplied public key should be a byte slice containing the HMAC key.

Types

type Entity added in v0.9.9 

type Entity interface {
	Name() tpm2.Name
}

Entity is a type that has a name.

type TrialAuthPolicy 

type TrialAuthPolicy struct {
	// contains filtered or unexported fields
}

TrialAuthPolicy provides a mechanism for computing authorization policy digests without having to execute a trial authorization policy session on the TPM. An advantage of this is that it is possible to compute digests for PolicySecret and PolicyNV assertions without knowledge of the authorization value of the authorizing entities used for those commands.

func ComputeAuthPolicy 

func ComputeAuthPolicy(alg tpm2.HashAlgorithmId) *TrialAuthPolicy

ComputeAuthPolicy creates a new context for computing an authorization policy digest. It will panic if the specified algorithm is not available. The caller should check this beforehand.

func (*TrialAuthPolicy) GetDigest 

func (p *TrialAuthPolicy) GetDigest() tpm2.Digest

GetDigest returns the current digest computed for the policy assertions executed so far.

func (*TrialAuthPolicy) PolicyAuthValue 

func (p *TrialAuthPolicy) PolicyAuthValue()

PolicyAuthValue computes a TPM2_PolicyAuthValue assertion.

func (*TrialAuthPolicy) PolicyAuthorize 

func (p *TrialAuthPolicy) PolicyAuthorize(policyRef tpm2.Nonce, key Entity)

PolicyAuthorize computes a TPM2_PolicyAuthorize assertion for the key with the specified name and the specified policyRef.

func (*TrialAuthPolicy) PolicyCommandCode 

func (p *TrialAuthPolicy) PolicyCommandCode(code tpm2.CommandCode)

PolicyCommandCode computes a TPM2_PolicyCommandCode assertion for the specified command code.

func (*TrialAuthPolicy) PolicyCounterTimer 

func (p *TrialAuthPolicy) PolicyCounterTimer(operandB tpm2.Operand, offset uint16, operation tpm2.ArithmeticOp)

PolicyCounterTimer computes a TPM2_PolicyCounterTimer assertion for the specified comparison operation.

func (*TrialAuthPolicy) PolicyCpHash 

func (p *TrialAuthPolicy) PolicyCpHash(cpHashA tpm2.Digest)

PolicyCpHash computes a TPM2_PolicyCpHash assertion for the command parameters associated with the specified hash.

func (*TrialAuthPolicy) PolicyDuplicationSelect 

func (p *TrialAuthPolicy) PolicyDuplicationSelect(object, newParent Entity, includeObject bool)

PolicyDuplicationSelect computes a TPM2_PolicyDuplicationSelect assertion for the object and parent object with the specified names.

func (*TrialAuthPolicy) PolicyNV 

func (p *TrialAuthPolicy) PolicyNV(nvIndex Entity, operandB tpm2.Operand, offset uint16, operation tpm2.ArithmeticOp)

PolicyNV computes a TPM2_PolicyNV assertion executed for an index for the specified name, with the specified comparison operation.

func (*TrialAuthPolicy) PolicyNameHash 

func (p *TrialAuthPolicy) PolicyNameHash(nameHash tpm2.Digest)

PolicyNameHash computes a TPM2_PolicyNameHash assertion with for the entities associated with the specified name digest.

func (*TrialAuthPolicy) PolicyNvWritten 

func (p *TrialAuthPolicy) PolicyNvWritten(writtenSet bool)

PolicyNvWritten computes a TPM2_PolicyNvWritten assertion

func (*TrialAuthPolicy) PolicyOR 

func (p *TrialAuthPolicy) PolicyOR(pHashList tpm2.DigestList)

PolicyOR computes a TPM2_PolicyOR assertion executed for the specified digests. It will panic if there are fewer than 2 or more than 8 digests, or if any digest has the wrong size.

func (*TrialAuthPolicy) PolicyPCR 

func (p *TrialAuthPolicy) PolicyPCR(pcrDigest tpm2.Digest, pcrs tpm2.PCRSelectionList)

PolicyPCR computes a TPM2_PolicyPCR assertion executed for the specified PCR selection and with PCR values associated with the specified PCR digest.

If generating policy for non PC client TPM devices, make sure to call tpm2.PCRSelectionList.WithMinSelectSize with an appropriate value defined in the TPM's platform profile specification.

func (*TrialAuthPolicy) PolicyPassword 

func (p *TrialAuthPolicy) PolicyPassword()

PolicyPassword computes a TPM2_PolicyPassword assertion.

func (*TrialAuthPolicy) PolicySecret 

func (p *TrialAuthPolicy) PolicySecret(auth Entity, policyRef tpm2.Nonce)

PolicySecret computes a TPM2_PolicySecret assertion executed for an object with the specified name and the specified policyRef.

func (*TrialAuthPolicy) PolicySigned 

func (p *TrialAuthPolicy) PolicySigned(auth Entity, policyRef tpm2.Nonce)

PolicySigned computes a TPM2_PolicySigned assertion executed for a key with the specified name and the specified policyRef.

func (*TrialAuthPolicy) Reset 

func (p *TrialAuthPolicy) Reset()

Reset clears the current digest.

func (*TrialAuthPolicy) SetDigest 

func (p *TrialAuthPolicy) SetDigest(d tpm2.Digest)

SetDigests overwrites the current digest. It will panic if the supplied digest is not the correct size.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.