Comments (9)
Found it: https://github.com/google/go-tpm/blob/master/tpm2/credactivation/credential_activation.go#L53
So you need to make sure your EK crypto.PublicKey is of type *rsa.PublicKey. I'm guessing your roundtrip through MarshalPKIXPublicKey / ParsePKIXPublicKey is messing up the types.
from go-attestation.
Tpm.NewAK().AttestationParameters() is correct, and this is what we do in our unit tests: go-attestation/attest/attest_simulated_tpm20_test.go, lines 98 to 133 in be496f1.
Can you share your code?
from go-attestation.
Here are the 2 relevant routines and associated structs:
package tpm

import (
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"

	"github.com/google/go-attestation/attest"
	"go.uber.org/zap"
)

// ActivationBundle is what the attesting host sends to the verifier. The EK is
// carried as PKIX (SubjectPublicKeyInfo) DER bytes produced by
// x509.MarshalPKIXPublicKey, so on the wire it is a []byte, not a crypto.PublicKey.
type ActivationBundle struct {
	TPMVersion              attest.TPMVersion `json:"tpmVersion"`
	EK                      []byte            `json:"ek"`
	AK                      []byte            `json:"ak"`
	UseTCSDActivationFormat bool              `json:"useTCSDActivationFormat"`
	CreateData              []byte            `json:"createData"`
	CreateAttestation       []byte            `json:"createAttestation"`
	CreateSignature         []byte            `json:"createSignature"`
	Nonce                   []byte            `json:"nonce"`
}

// Challenge is the encrypted credential returned to the host. Only a TPM that
// holds the EK private key and has the matching AK loaded can recover the secret.
type Challenge struct {
	Credential []byte `json:"credential"`
	Secret     []byte `json:"secret"`
}

// NewActivationBundle runs on the attesting host: it reads the first EK,
// creates a fresh AK and packages the AK's attestation parameters.
func NewActivationBundle() (*ActivationBundle, error) {
	tpm, err := attest.OpenTPM(nil)
	if err != nil {
		zap.S().Errorf("OpenTPM failed %v", err)
		return nil, err
	}
	defer tpm.Close()

	ek, err := tpm.EKs()
	if err != nil {
		zap.S().Errorf("failed to list EKs %v", err)
		return nil, err
	}

	ak, err := tpm.NewAK(&attest.AKConfig{})
	if err != nil {
		zap.S().Errorf("failed to generate AK %v", err)
		return nil, err
	}

	// Serialize the first EK's public key as PKIX DER for transport.
	ekbytes, err := x509.MarshalPKIXPublicKey(ek[0].Public)
	if err != nil {
		zap.S().Errorf("failed to marshal EK %v", err)
		return nil, err
	}

	ap := ak.AttestationParameters()

	// A short nonce must come from the CSPRNG; a failed read would otherwise
	// leave it all zeros, so the error is checked rather than discarded.
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		zap.S().Errorf("failed to generate nonce %v", err)
		return nil, err
	}

	return &ActivationBundle{
		TPMVersion:              tpm.Version(),
		EK:                      ekbytes,
		AK:                      ap.Public,
		UseTCSDActivationFormat: ap.UseTCSDActivationFormat,
		CreateData:              ap.CreateData,
		CreateAttestation:       ap.CreateAttestation,
		CreateSignature:         ap.CreateSignature,
		Nonce:                   nonce,
	}, nil
}

// GenerateChallenge runs on the verifier. It rebuilds the AK attestation
// parameters from the bundle and asks go-attestation for an encrypted credential.
func GenerateChallenge(activationBundle *ActivationBundle) (*Challenge, error) {
	ap := attest.AttestationParameters{
		Public:                  activationBundle.AK,
		UseTCSDActivationFormat: activationBundle.UseTCSDActivationFormat,
		CreateData:              activationBundle.CreateData,
		CreateAttestation:       activationBundle.CreateAttestation,
		CreateSignature:         activationBundle.CreateSignature,
	}

	// ActivationParameters.EK is a crypto.PublicKey; the bundle's DER []byte is
	// handed over here as-is, without going through x509.ParsePKIXPublicKey.
	activation := &attest.ActivationParameters{
		TPMVersion: activationBundle.TPMVersion,
		EK:         activationBundle.EK,
		AK:         ap,
	}

	secret, challenge, err := activation.Generate()
	if err != nil {
		zap.S().Errorf("Failed to generate activation challenge: %v", err)
		return nil, err
	}

	// Debug output only: the secret is the value the host's TPM must prove it
	// recovered, so it must not be logged in production.
	zap.S().Infow("activation challenge secret", "secret", hex.EncodeToString(secret))

	return &Challenge{
		Credential: challenge.Credential,
		Secret:     challenge.Secret,
	}, nil
}
from go-attestation.
Are you sure the error about the RSA key is about the AK and not the EK?
I don't recall if anyone added support for an ECC EK to credential activation. You are just using the first one, ek[0].Public, so perhaps you're not using the RSA one.
from go-attestation.
I'm not sure whether the error is related to the EK or AK. But I am sure the EK is an RSA key. My TPM only has one EK key and it is an RSA pair. I'll double check though and try to dump the EK bytes and look at the data.
from go-attestation.
Can confirm TPM only has one EK and it is an RSA key. Evidence:
$ echo -n "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvLrlJbR1rk5Ohz1G6Vi3Q4vOyvJVoUbZsnlFvo5dF7kISAaxC+jhtPktICkdKHIKSRx6KwqOvDuCzihcPmx8URS1qvQ8ofIMyhGVC2H75eEa5/GeCIf/8B4gOiLa0+n0g/FBuY8ProI7x+RcGHN3Omi1f9eCZLOWy4RAnG3punQkhgR2p+KU6MlWn873UH2TpXmIyZMjrTy6G6NrWhnXHlWPnxboIt8N0stCoJxG6BMnju27OWnYBb53PpIf8bCSoZ6arsoutVAQhRrtE4JwxVnHKmRxjSgo1xQqE3ohPIbqP6Ja4DTE/YZk37ribHb2s+5MSYrMpn1Co2DWWRNZwIDAQAB" |base64 -d | openssl rsa -inform der -text -pubin
RSA Public-Key: (2048 bit)
Modulus:
00:9e:f2:eb:94:96:d1:d6:b9:39:3a:1c:f5:1b:a5:
62:dd:0e:2f:3b:2b:c9:56:85:1b:66:c9:e5:16:fa:
39:74:5e:e4:21:20:1a:c4:2f:a3:86:d3:e4:b4:80:
a4:74:a1:c8:29:24:71:e8:ac:2a:3a:f0:ee:0b:38:
a1:70:f9:b1:f1:44:52:d6:ab:d0:f2:87:c8:33:28:
46:54:2d:87:ef:97:84:6b:9f:c6:78:22:1f:ff:c0:
78:80:e8:8b:6b:4f:a7:d2:0f:c5:06:e6:3c:3e:ba:
08:ef:1f:91:70:61:cd:dc:e9:a2:d5:ff:5e:09:92:
ce:5b:2e:11:02:71:b7:a6:e9:d0:92:18:11:da:9f:
8a:53:a3:25:5a:7f:3b:dd:41:f6:4e:95:e6:23:26:
4c:8e:b4:f2:e8:6e:8d:ad:68:67:5c:79:56:3e:7c:
5b:a0:8b:7c:37:4b:2d:0a:82:71:1b:a0:4c:9e:3b:
b6:ec:e5:a7:60:16:f9:dc:fa:48:7f:c6:c2:4a:86:
7a:6a:bb:28:ba:d5:40:42:14:6b:b4:4e:09:c3:15:
67:1c:a9:91:c6:34:a0:a3:5c:50:a8:4d:e8:84:f2:
1b:a8:fe:89:6b:80:d3:13:f6:19:93:7e:eb:89:b1:
db:da:cf:b9:31:26:2b:32:99:f5:0a:8d:83:59:64:
4d:67
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvLrlJbR1rk5Ohz1G6Vi
3Q4vOyvJVoUbZsnlFvo5dF7kISAaxC+jhtPktICkdKHIKSRx6KwqOvDuCzihcPmx
8URS1qvQ8ofIMyhGVC2H75eEa5/GeCIf/8B4gOiLa0+n0g/FBuY8ProI7x+RcGHN
3Omi1f9eCZLOWy4RAnG3punQkhgR2p+KU6MlWn873UH2TpXmIyZMjrTy6G6NrWhn
XHlWPnxboIt8N0stCoJxG6BMnju27OWnYBb53PpIf8bCSoZ6arsoutVAQhRrtE4J
wxVnHKmRxjSgo1xQqE3ohPIbqP6Ja4DTE/YZk37ribHb2s+5MSYrMpn1Co2DWWRN
ZwIDAQAB
-----END PUBLIC KEY-----
from go-attestation.
Can you post the exact error string from activation.Generate()?
from go-attestation.
Sure.
2021-10-13T13:38:48.573-0600 ERROR tpm/tpm.go:135 Failed to generate activation challenge: credactivation.Generate() failed: only RSA public keys are supported for credential activation
from go-attestation.
Closing. Appears to be a certificate serialization issue.
from go-attestation.
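The thread ends with the diagnosis that the EK did not survive the round trip as a usable key type. The following stand-alone Go program is an added example (it is not code from the thread, and not part of go-attestation) that shows the round trip the maintainers describe using only the standard library: the host serializes the EK with x509.MarshalPKIXPublicKey, and the verifier must parse those bytes back with x509.ParsePKIXPublicKey and check for *rsa.PublicKey before using the key. Because crypto.PublicKey is an empty interface, a raw []byte stored in it compiles but fails the RSA type assertion, which is exactly the "only RSA public keys are supported" failure above. The function names EncodeEK, DecodeRSAEK, IsRSAPublicKey and ParseThreadEK are illustrative; the base64 EK constant is the public key posted earlier in the thread, and the ECDSA key is generated inline only to show the rejection path.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"log"
)

// threadEKBase64 is the RSA EK public key posted in the thread above (PKIX
// SubjectPublicKeyInfo, DER, base64). It is a public key and carries no secret.
const threadEKBase64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvLrlJbR1rk5Ohz1G6Vi" +
	"3Q4vOyvJVoUbZsnlFvo5dF7kISAaxC+jhtPktICkdKHIKSRx6KwqOvDuCzihcPmx" +
	"8URS1qvQ8ofIMyhGVC2H75eEa5/GeCIf/8B4gOiLa0+n0g/FBuY8ProI7x+RcGHN" +
	"3Omi1f9eCZLOWy4RAnG3punQkhgR2p+KU6MlWn873UH2TpXmIyZMjrTy6G6NrWhn" +
	"XHlWPnxboIt8N0stCoJxG6BMnju27OWnYBb53PpIf8bCSoZ6arsoutVAQhRrtE4J" +
	"wxVnHKmRxjSgo1xQqE3ohPIbqP6Ja4DTE/YZk37ribHb2s+5MSYrMpn1Co2DWWRN" +
	"ZwIDAQAB"

// EncodeEK is the host side: serialize the EK public key to PKIX DER for the
// JSON bundle. The result is a []byte, which is no longer a usable key object.
func EncodeEK(pub crypto.PublicKey) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(pub)
}

// DecodeRSAEK is the verifier side: parse the DER back into a concrete key and
// refuse anything that is not *rsa.PublicKey, the only EK type credential
// activation in the thread accepts. Rejecting here gives a clear error instead
// of a failure deep inside the activation code.
func DecodeRSAEK(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("parse EK: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("EK is %T, only RSA EKs are supported for credential activation", pub)
	}
	return rsaPub, nil
}

// IsRSAPublicKey is the check that fails in the thread: crypto.PublicKey is an
// empty interface, so a raw []byte stored in it compiles but is not *rsa.PublicKey.
func IsRSAPublicKey(k crypto.PublicKey) bool {
	_, ok := k.(*rsa.PublicKey)
	return ok
}

// ParseThreadEK decodes the EK posted in the thread into a concrete RSA key.
func ParseThreadEK() (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(threadEKBase64)
	if err != nil {
		return nil, err
	}
	return DecodeRSAEK(der)
}

// ModulusPrefixHex returns the first n bytes of the modulus as hex so it can be
// compared with the "openssl rsa -text" dump (the leading 00 there is only the
// ASN.1 sign byte and is not part of the modulus).
func ModulusPrefixHex(k *rsa.PublicKey, n int) string {
	return hex.EncodeToString(k.N.Bytes()[:n])
}

func main() {
	ek, err := ParseThreadEK()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("EK: RSA %d bit, e=%d, modulus starts %s\n", ek.N.BitLen(), ek.E, ModulusPrefixHex(ek, 4))

	// What the posted GenerateChallenge does: hand the DER bytes over as the EK.
	der, _ := EncodeEK(ek)
	fmt.Println("[]byte passes as *rsa.PublicKey:", IsRSAPublicKey(der))

	// What the verifier needs: parse first, then hand the concrete key over.
	parsed, _ := DecodeRSAEK(der)
	fmt.Println("parsed key passes as *rsa.PublicKey:", IsRSAPublicKey(parsed))

	// An ECC EK parses fine but is rejected up front by the type check.
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecDER, _ := EncodeEK(&ecKey.PublicKey)
	_, err = DecodeRSAEK(ecDER)
	fmt.Println("ECC EK:", err)
}
```

The value returned by DecodeRSAEK is what belongs in the EK field of attest.ActivationParameters; the raw bundle bytes never should be. Doing the type check at the API boundary also means an ECC EK (or a corrupted blob) is reported by the verifier with a precise error rather than surfacing later as a generic activation failure.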