Documentation ¶
Overview ¶
Package cryptutil contains some cryptographic functions that are useful when using go-tpm2.
Index ¶
- func KDFa(hashAlg tpm2.HashAlgorithmId, key, label, contextU, contextV []byte, ...) []byte
- func KDFe(hashAlg tpm2.HashAlgorithmId, z, label, partyUInfo, partyVInfo []byte, ...) []byte
- func SecretDecrypt(priv crypto.PrivateKey, hashAlg tpm2.HashAlgorithmId, label, secret []byte) (seed []byte, err error)
- func SecretEncrypt(rand io.Reader, public *tpm2.Public, label []byte) (secret tpm2.EncryptedSecret, seed []byte, err error)
- func Sign(rand io.Reader, signer crypto.Signer, digest []byte, opts crypto.SignerOpts) (*tpm2.Signature, error)
- func VerifySignature(key crypto.PublicKey, digest []byte, signature *tpm2.Signature) (ok bool, err error)
- type HMACKey
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func KDFa ¶
func KDFa(hashAlg tpm2.HashAlgorithmId, key, label, contextU, contextV []byte, sizeInBits int) []byte
KDFa performs key derivation using the counter mode described in SP800-108 and HMAC as the PRF.
This will panic if hashAlg is not available.
func KDFe ¶
func KDFe(hashAlg tpm2.HashAlgorithmId, z, label, partyUInfo, partyVInfo []byte, sizeInBits int) []byte
KDFe performs key derivation using the "Concatenation Key Derivation Function (Approved Alternative 1) in the original version of SP800-56A.
This will panic if hashAlg is not available.
func SecretDecrypt ¶
func SecretDecrypt(priv crypto.PrivateKey, hashAlg tpm2.HashAlgorithmId, label, secret []byte) (seed []byte, err error)
SecretDecrypt recovers a seed from the supplied secret structure using the supplied private key. It can be used to recover secrets created by the TPM, such as those created by the TPM2_Duplicate command.
If priv is a *rsa.PrivateKey, this will recover the seed by decrypting the supplied secret with RSA-OAEP.
If priv is a *ecdsa.PrivateKey, this uses ECDH to derive the seed using the supplied secret, which will contain a serialized ephemeral peer key.
The specified digest algorithm must match the name algorithm of the public area associated with the supplied private key.
func SecretEncrypt ¶
func SecretEncrypt(rand io.Reader, public *tpm2.Public, label []byte) (secret tpm2.EncryptedSecret, seed []byte, err error)
SecretEncrypt establishes a seed and associated secret value using the supplied public key. The corresponding private key can recover the seed from the returned secret value. This is useful for sharing secrets with the TPM via the TPM2_Import, TPM2_ActivateCredential and TPM2_StartAuthSession commands.
If public has the type tpm2.ObjectTypeRSA, this will generate a random seed and then RSA-OAEP encrypt it to create the secret.
If public has the type tpm2.ObjectTypeECC, this uses ECDH to derive a seed value using an an ephemeral key. The secret contains the serialized form of the public part of the ephemeral key.
func Sign ¶
func Sign(rand io.Reader, signer crypto.Signer, digest []byte, opts crypto.SignerOpts) (*tpm2.Signature, error)
Sign creates a signature of the supplied digest using the supplied signer and options. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures can be created. The returned signature can be verified on a TPM using the associated public key.
Types ¶
type HMACKey ¶
type HMACKey []byte
HMACKey can be used to sign and verify signatures using the Sign and VerifySignature APIs.
func (HMACKey) Public ¶
Public implements crypto.Signer.Public.