cryptutil

package
v1.7.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 30, 2024 License: LGPL-3.0 Imports: 13 Imported by: 0

Documentation

Overview

Package cryptutil contains some cryptographic functions that are useful when using go-tpm2.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func KDFa

func KDFa(hashAlg tpm2.HashAlgorithmId, key, label, contextU, contextV []byte, sizeInBits int) []byte

KDFa performs key derivation using the counter mode described in SP800-108 and HMAC as the PRF.

This will panic if hashAlg is not available.

func KDFe

func KDFe(hashAlg tpm2.HashAlgorithmId, z, label, partyUInfo, partyVInfo []byte, sizeInBits int) []byte

KDFe performs key derivation using the "Concatenation Key Derivation Function (Approved Alternative 1) in the original version of SP800-56A.

This will panic if hashAlg is not available.

func SecretDecrypt

func SecretDecrypt(priv crypto.PrivateKey, hashAlg tpm2.HashAlgorithmId, label, secret []byte) (seed []byte, err error)

SecretDecrypt recovers a seed from the supplied secret structure using the supplied private key. It can be used to recover secrets created by the TPM, such as those created by the TPM2_Duplicate command.

If priv is a *rsa.PrivateKey, this will recover the seed by decrypting the supplied secret with RSA-OAEP.

If priv is a *ecdsa.PrivateKey, this uses ECDH to derive the seed using the supplied secret, which will contain a serialized ephemeral peer key.

The specified digest algorithm must match the name algorithm of the public area associated with the supplied private key.

func SecretEncrypt

func SecretEncrypt(rand io.Reader, public *tpm2.Public, label []byte) (secret tpm2.EncryptedSecret, seed []byte, err error)

SecretEncrypt establishes a seed and associated secret value using the supplied public key. The corresponding private key can recover the seed from the returned secret value. This is useful for sharing secrets with the TPM via the TPM2_Import, TPM2_ActivateCredential and TPM2_StartAuthSession commands.

If public has the type tpm2.ObjectTypeRSA, this will generate a random seed and then RSA-OAEP encrypt it to create the secret.

If public has the type tpm2.ObjectTypeECC, this uses ECDH to derive a seed value using an an ephemeral key. The secret contains the serialized form of the public part of the ephemeral key.

func Sign

func Sign(rand io.Reader, signer crypto.Signer, digest []byte, opts crypto.SignerOpts) (*tpm2.Signature, error)

Sign creates a signature of the supplied digest using the supplied signer and options. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures can be created. The returned signature can be verified on a TPM using the associated public key.

func VerifySignature

func VerifySignature(key crypto.PublicKey, digest []byte, signature *tpm2.Signature) (ok bool, err error)

VerifySignature verifies a signature created by a TPM using the supplied public key. Note that only RSA-SSA, RSA-PSS, ECDSA and HMAC signatures are supported.

Types

type HMACKey

type HMACKey []byte

HMACKey can be used to sign and verify signatures using the Sign and VerifySignature APIs.

func (HMACKey) Public

func (k HMACKey) Public() crypto.PublicKey

Public implements crypto.Signer.Public.

func (HMACKey) Sign

func (k HMACKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

Sign implements crypto.Signer.Sign.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL