Comments (8)
We learned recently that you can't write a Go PKCS #11 module if your applications call fork() (golang/go#15538). You likely need a daemon and a client written in C/C++/Rust.
If you're on Linux, I'd suggest looking at Chaps:
https://www.chromium.org/developers/design-documents/chaps-technical-design
from go-attestation.
Thanks for your response, ericchiang!
Our approach is now to use the key material outside of go-attestation once it has been created. For this we need the TPM handle that is associated with the created application key. All structures and functions that I came across in the code were not exported from the package.
Is there any chance to access this low-level TPM data from the application key created with tpm.NewKey(ak, keyConfig)?
cc @pszal
Would a method on Key that returned the handle suffice?
Our approach is now to use the key material outside of go attestation once it was created.
You can use k.Blobs() (https://github.com/google/go-attestation/blob/master/attest/application_key.go#L126) to get the material and reload it. If you want to avoid reloading then indeed you need a handle accessor -- I'd be ok with having such a method.
Hi @pszal and @ericchiang,
thanks for your replies. Here is some more context about what we are trying to do:
So far, we have created a key with the TPM2 Tools like:
tpm2_createprimary -c primary.ctx
tpm2_evictcontrol -c primary.ctx 0x81000001
tpm2tss-genkey -P 0x81000001 tss2key-rsa2048.pem
pid="$(tpm2_ptool init --primary-handle=0x81000001 --path=~/teststore | grep id | cut -d' ' -f 2-2)"
tpm2_ptool addtoken --pid=$pid --sopin=mysopin --userpin=myuserpin --label=mytoken --path=~/teststore
tpm2_ptool link --path ~/teststore --label=mytoken --userpin=myuserpin --key-label="link-key" tss2key-rsa2048.pem
In this way, we were able to use a TPM generated key within an emulated smartcard (https://github.com/tpm2-software/tpm2-pkcs11). Now, we want to use a key generated by https://pkg.go.dev/github.com/google/go-attestation/attest#TPM.NewKey, since we want to carry out the attestation process with go-attestation.
Therefore, we need to be able to extract the key material (probably from the Blobs()) in the format as used by tpm2tss-genkey and the handle of the key's parent.
Do you think this would be possible?
Thanks in advance!
Therefore, we need to be able to extract the key material (probably from the Blobs()) in the format as used by tpm2tss-genkey and the handle of the key's parent.
For the format differences you can look at google/go-tpm#233. Keys are created with SRK as the parent:
go-attestation/attest/wrapped_tpm20.go, line 207 in 7ec6228
Hi @pszal,
thank you for your response. We tried to experiment with the format of the exported key blob but weren't successful so far. Here's what we tried to do:
Create a key using
appkey, err := tpm.NewKey(ak, keyConfig)
Extract the private key blob using
_, pkBlob, _ := appkey.Blobs()
Parse the key blob as U16Bytes
pkTest := tpmutil.U16Bytes(pkBlob)
Write the priv key to a file
f, err := os.Create("pk_tpmmarshal")
if err != nil {
	log.Fatal(err)
}
defer f.Close()
// TPMMarshal writes the blob with a 2-byte length prefix; check its error
if err := pkTest.TPMMarshal(f); err != nil {
	log.Fatal(err)
}
I am running this code on a Raspberry Pi Model 3. I also tried changing the U16Bytes type to U32Bytes, but still was not able to use the key.
What I eventually try to do (as the next step) is to parse the key using openssl.
To my understanding, if formatted correctly, the key that can be parsed should look something like [PEM key omitted] and can be parsed using
echo "<KEY FROM ABOVE>" | openssl asn1parse
Currently, the result of TPMMarshal looks like (manually base64 encoded):
AL4AIIQCAH7yhh/TBuoc1QTKUYvgPLuyS1sHk0eMjE/dk4+ZABCJEYYHSNXBAgl1maqFbYAK/xMI
JW5TP1tE/f2/zTh9DQPRwRuCeE9Ht97xRa9u8xScjDK8fo1lvdamqulKU+nHZnCKYKaPg93CwJaF
7z3QiSX8F52F/9ODPMXj3TeOeu9DSs6m7oEBvq/8hUL4V5S/MiNN1tkoCz+W30gUnrGM5EB9jYBe
5I+iJlPhx/C08gwT1tIoUueBIDqE
I would really appreciate your help. I tried various combinations of formatting but ran out of ideas. However, I have the feeling that what we are trying to do is not impossible.
Thank you and greetings
Kuenni
Just a follow up:
We were able to solve that topic. We had assumed (wrongly) that the output should already be the PEM representation of that key and did not realize that it really only contained the key bytes.
For documentation purposes:
We were able to write the key to a file using pkTest.TPMMarshal(f) (see above). This was done for both the private and the public key.
Afterwards we could continue and create the PEM file using
tpm2tss-genkey -u pubktpmmarshal -r privktpmmarshal -P 0x81000001 go-key.pem
or link a token using
tpm2_ptool link --path=. --label=goToken --userpin=1234 --key-label="Go-Key-Link" --id=2 pubktpmmarshal privktpmmarshal
EDIT: I guess this can be closed then.
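The follow-up above is the key point: Blobs() hands back raw TPM2B_PRIVATE / TPM2B_PUBLIC bytes, and TPMMarshal only puts a big-endian two-byte length in front of them, so nothing PEM-like is ever produced. As an added example (not go-attestation's code and not the poster's), this standard-library Go program parses that framing and reads the private blob posted earlier as the TPM2B_PRIVATE layout the TPM reference implementation emits: outer integrity HMAC, then IV, then the encrypted sensitive area. The names readTPM2B, inspectPrivate and privBlobB64 are mine.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// readTPM2B takes one TPM2B field (uint16 big-endian length, then that many bytes; the framing tpmutil.U16Bytes.TPMMarshal writes) off buf and returns the remainder.
func readTPM2B(buf []byte) (field, rest []byte, err error) {
	if len(buf) < 2 {
		return nil, nil, fmt.Errorf("truncated TPM2B length prefix")
	}
	n := int(binary.BigEndian.Uint16(buf))
	if n > len(buf)-2 {
		return nil, nil, fmt.Errorf("length prefix %d exceeds %d remaining bytes", n, len(buf)-2)
	}
	return buf[2 : 2+n], buf[2+n:], nil
}

// inspectPrivate validates a TPMMarshal'd private blob and returns the sizes of the three
// fields TPM2_Create puts in a TPM2B_PRIVATE: outer integrity HMAC, IV, encrypted sensitive.
func inspectPrivate(framed []byte) (sizes [3]int, err error) {
	body, rest, err := readTPM2B(framed)
	if err != nil {
		return sizes, err
	}
	if len(rest) != 0 {
		return sizes, fmt.Errorf("%d trailing bytes after TPM2B_PRIVATE", len(rest))
	}
	for i := 0; i < 2; i++ { // integrity, then IV; whatever remains is the ciphertext
		var field []byte
		if field, body, err = readTPM2B(body); err != nil {
			return sizes, err
		}
		sizes[i] = len(field)
	}
	return [3]int{sizes[0], sizes[1], len(body)}, nil
}

// privBlobB64 is the private blob quoted in the thread above, base64 as posted.
const privBlobB64 = "AL4AIIQCAH7yhh/TBuoc1QTKUYvgPLuyS1sHk0eMjE/dk4+ZABCJEYYHSNXBAgl1maqFbYAK/xMI" +
	"JW5TP1tE/f2/zTh9DQPRwRuCeE9Ht97xRa9u8xScjDK8fo1lvdamqulKU+nHZnCKYKaPg93CwJaF" +
	"7z3QiSX8F52F/9ODPMXj3TeOeu9DSs6m7oEBvq/8hUL4V5S/MiNN1tkoCz+W30gUnrGM5EB9jYBe" +
	"5I+iJlPhx/C08gwT1tIoUueBIDqE"

func main() {
	framed, _ := base64.StdEncoding.DecodeString(privBlobB64) // fixed input, cannot fail
	fmt.Println(inspectPrivate(framed))                       // prints [32 16 138] <nil>
}
```

The sizes it reports (32, 16, 138) are consistent with a SHA-256 HMAC, an AES-128 IV and an encrypted 2048-bit RSA sensitive area, i.e. exactly the file tpm2tss-genkey -r and tpm2_create -r exchange, which is why writing the bytes unchanged worked.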