tpm2

package
Published: Dec 3, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewPlatformSecret

func NewPlatformSecret(
	backend keystore.KeyBackend,
	tpm tpm2.TrustedPlatformModule,
	keyAttrs *keystore.KeyAttributes) keystore.Password

TPM 2.0 AES symmetric encryption and wrapping operations

func NewSignerECDSA

func NewSignerECDSA(
	keyStore keystore.KeyStorer,
	signerStore keystore.SignerStorer,
	keyAttributes *keystore.KeyAttributes,
	publicKey crypto.PublicKey,
	tpm tpm2.TrustedPlatformModule) crypto.Signer

Signer that uses the Elliptic Curve Digital Signature Algorithm (ECDSA).

Signs the requested data using the Certificate Authority Private Key, or, optionally, the private key provided via SignerOpts during the call to Sign.

func NewSignerRSA

func NewSignerRSA(
	keyStore keystore.KeyStorer,
	signerStore keystore.SignerStorer,
	keyAttributes *keystore.KeyAttributes,
	publicKey crypto.PublicKey,
	tpm tpm2.TrustedPlatformModule) crypto.Signer

Types

type KeyStore

type KeyStore struct {
	PlatformKeyStorer
	// contains filtered or unexported fields
}

func (*KeyStore) Backend

func (ks *KeyStore) Backend() keystore.KeyBackend

Returns the key store backend

func (*KeyStore) Close

func (ks *KeyStore) Close() error

Closes the TPM connection

func (*KeyStore) CreatePassword

func (ks *KeyStore) CreatePassword(
	keyAttrs *keystore.KeyAttributes,
	backend keystore.KeyBackend,
	overwrite bool) error

Saves the password in the provided key attributes to the TPM password store, optionally using the provided backend. If nil, the default backend provider will be used.

func (*KeyStore) Decrypter

func (ks *KeyStore) Decrypter(
	attrs *keystore.KeyAttributes) (crypto.Decrypter, error)

Returns a Trusted Platform Module crypto.Decrypter

func (*KeyStore) Delete

func (ks *KeyStore) Delete(attrs *keystore.KeyAttributes) error

Deletes a key pair from the key store. First a session is created to authenticate the request and ensure the caller has ownership of the key; the key is then deleted from the backend.

func (*KeyStore) DeletePassword

func (ks *KeyStore) DeletePassword(
	keyAttrs *keystore.KeyAttributes,
	backend keystore.KeyBackend) error

Deletes a password from the TPM password store, optionally using the provided backend. If nil, the default backend provider will be used.

func (*KeyStore) Equal

func (ks *KeyStore) Equal(
	opaque keystore.OpaqueKey, x crypto.PrivateKey) bool

Compares the provided opaque key with the provided private key and returns true if they have the same Modulus / Curve.

func (*KeyStore) GenerateECDSA

func (ks *KeyStore) GenerateECDSA(
	keyAttrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

Generates a new ECDSA key pair using the provided key attributes and returns an OpaqueKey implementing crypto.Signer using the underlying Trusted Platform Module.

func (*KeyStore) GenerateEd25519

func (ks *KeyStore) GenerateEd25519(
	attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

Returns keystore.ErrInvalidKeyAlgorithm, because Ed25519 is not a supported TPM 2.0 algorithm.

func (*KeyStore) GenerateKey

func (ks *KeyStore) GenerateKey(
	attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

Generates a new RSA key pair using the provided key attributes and returns an OpaqueKey implementing crypto.Signer using the underlying Trusted Platform Module.

func (*KeyStore) GenerateRSA

func (ks *KeyStore) GenerateRSA(
	keyAttrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

Generates a new RSA key pair using the provided key attributes and returns an OpaqueKey implementing crypto.Signer using the underlying Trusted Platform Module.

func (*KeyStore) GenerateSecretKey

func (ks *KeyStore) GenerateSecretKey(
	attrs *keystore.KeyAttributes) error

Generates a new AES-256 secret key

func (*KeyStore) Initialize

func (ks *KeyStore) Initialize(soPIN, userPIN keystore.Password) error

Initializes the key store by provisioning the underlying TPM and creating a new Storage Root Key. The secret parameter is used as the SRK primary key password authorization. A fatal error is produced if the TPM hasn't been provisioned with a persistent EK.

func (*KeyStore) Key

func (ks *KeyStore) Key(
	keyAttrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

Returns a TPM 2.0 OpaqueKey for the requested key. Implements keystore.KeyStorer

func (*KeyStore) KeyAttributes

func (ks *KeyStore) KeyAttributes() *keystore.KeyAttributes

Returns the key attributes for the key store secret sealed to the SRK

func (*KeyStore) Password

func (ks *KeyStore) Password(
	attrs *keystore.KeyAttributes) (keystore.Password, error)

Returns a secret sealed to a TPM keyed hash object using a just-in-time retrieval strategy. If the key is configured with the platform PCR policy, a PlatformPassword is returned; otherwise the password is returned in clear text.

func (*KeyStore) RotateKey

func (ks *KeyStore) RotateKey(
	attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)

TPM key rotation is a no-op at this time because all of the key types implemented thus far are deterministic based on the Endorsement Primary Seed (EPS). Therefore, generating a new key will result in the same key. This method is here for compatibility with the keystore.KeyStorer interface and will be implemented in the future.

func (*KeyStore) SRKAttributes

func (ks *KeyStore) SRKAttributes() *keystore.KeyAttributes

Returns the key store's dedicated SRK attributes using its persistent handle.

func (*KeyStore) Signer

func (ks *KeyStore) Signer(
	attrs *keystore.KeyAttributes) (crypto.Signer, error)

Returns a TPM 2.0 crypto.Signer

func (*KeyStore) TPM2

Returns the underlying TPM 2.0 connection

func (*KeyStore) Type

func (ks *KeyStore) Type() keystore.StoreType

Returns the key store type

func (*KeyStore) Verifier

func (ks *KeyStore) Verifier(
	attrs *keystore.KeyAttributes,
	opts *keystore.VerifyOpts) keystore.Verifier

Returns a software runtime verifier to perform signature verifications. The verifier supports RSA PKCS1v15, RSA-PSS, ECDSA, and Ed25519.

type Params

type Params struct {
	Backend          keystore.KeyBackend
	Logger           *logging.Logger
	DebugSecrets     bool
	Config           *tptpm2.KeyStoreConfig
	PlatformKeyStore PlatformKeyStorer
	Random           io.Reader
	SignerStore      keystore.SignerStorer
	TPM              tptpm2.TrustedPlatformModule
}

type PlatformKeyStorer

type PlatformKeyStorer interface {
	CreatePassword(keyAttrs *keystore.KeyAttributes, backend keystore.KeyBackend, overwrite bool) error
	KeyAttributes() *keystore.KeyAttributes
	Password(keyAttrs *keystore.KeyAttributes) (keystore.Password, error)
	SRKAttributes() *keystore.KeyAttributes
	TPM2() tpm2.TrustedPlatformModule
	keystore.KeyStorer
}

func NewKeyStore

func NewKeyStore(params *Params) (PlatformKeyStorer, error)

type PlatformSecret

type PlatformSecret struct {
	keystore.Password
	// contains filtered or unexported fields
}

func (PlatformSecret) Bytes

func (p PlatformSecret) Bytes() ([]byte, error)

Returns the secret as bytes

func (PlatformSecret) String

func (p PlatformSecret) String() (string, error)

Returns the secret as a string

type SignerECDSA

type SignerECDSA struct {
	crypto.Signer
	// contains filtered or unexported fields
}

func (SignerECDSA) Public

func (signer SignerECDSA) Public() crypto.PublicKey

Returns the public half of the signing key

func (SignerECDSA) Sign

func (signer SignerECDSA) Sign(
	rand io.Reader,
	digest []byte,
	opts crypto.SignerOpts) (signature []byte, err error)

Signs the requested digest using the PKCS #8 private key

type SignerRSA

type SignerRSA struct {
	crypto.Signer
	// contains filtered or unexported fields
}

func (SignerRSA) Public

func (signer SignerRSA) Public() crypto.PublicKey

Returns the public half of the signing key. Implements crypto.Signer.

func (SignerRSA) Sign

func (signer SignerRSA) Sign(
	rand io.Reader,
	digest []byte,
	opts crypto.SignerOpts) (signature []byte, err error)

Signs the requested digest using the underlying key store. Implements crypto.Signer.
