From 25d05f9a14f6f55ed10c92d59e058b6e8c6f3166 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 09:26:55 -0400 Subject: [PATCH 01/17] Improve TPMUSensitiveComposite --- tpm2/structures.go | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/tpm2/structures.go b/tpm2/structures.go index 11a0261e..f9a4d3e9 100644 --- a/tpm2/structures.go +++ b/tpm2/structures.go @@ -2868,6 +2868,36 @@ func New2BTemplate[C TemplateContents](data C) TPM2BTemplate { } } +// Sym returns the 'sym' member of the union. +func (u *TPMUSensitiveComposite) Sym() (*TPM2BSymKey, error) { + if u.selector == TPMAlgSymCipher { + return u.contents.(*TPM2BSymKey), nil + } + return nil, fmt.Errorf("did not contain sym (selector value was %v)", u.selector) +} +// bits returns the 'bits' member of the union. +func (u *TPMUSensitiveComposite) Bits() (*TPM2BSensitiveData, error) { + if u.selector == TPMAlgKeyedHash { + return u.contents.(*TPM2BSensitiveData), nil + } + + return nil, fmt.Errorf("did not contain bits (selector value was %v)", u.selector) +} +// RSA returns the 'rsa' member of the union. +func (u *TPMUSensitiveComposite) RSA() (*TPM2BPrivateKeyRSA, error) { + if u.selector == TPMAlgRSA { + return u.contents.(*TPM2BPrivateKeyRSA), nil + } + return nil, fmt.Errorf("did not contain rsa (selector value was %v)", u.selector) +} +// ECC returns the 'ecc' member of the union. +func (u *TPMUSensitiveComposite) ECC() (*TPM2BECCParameter, error) { + if u.selector == TPMAlgECC { + return u.contents.(*TPM2BECCParameter), nil + } + return nil, fmt.Errorf("did not contain ecc (selector value was %v)", u.selector) +} + // TPMUSensitiveComposite represents a TPMU_SENSITIVE_COMPOSITE. // See definition in Part 2: Structures, section 12.3.2.3. type TPMUSensitiveComposite struct { From 864077bacae6f0b0055b5f4cc06e21ca6528141c Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 09:31:18 -0400 Subject: [PATCH 02/17] Fix typo --- tpm2/structures.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tpm2/structures.go b/tpm2/structures.go index f9a4d3e9..bf745162 100644 --- a/tpm2/structures.go +++ b/tpm2/structures.go @@ -2875,7 +2875,7 @@ func (u *TPMUSensitiveComposite) Sym() (*TPM2BSymKey, error) { } return nil, fmt.Errorf("did not contain sym (selector value was %v)", u.selector) } -// bits returns the 'bits' member of the union. +// Bits returns the 'bits' member of the union. func (u *TPMUSensitiveComposite) Bits() (*TPM2BSensitiveData, error) { if u.selector == TPMAlgKeyedHash { return u.contents.(*TPM2BSensitiveData), nil From 425f1c8c8b0adfc4d6b4f291eb2defa95b8116dd Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 10:44:29 -0400 Subject: [PATCH 03/17] Improve crypto.go --- tpm2/crypto.go | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 3082cccb..8c3b6700 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -1,6 +1,7 @@ package tpm2 import ( + "crypto" "crypto/ecdh" "crypto/ecdsa" "crypto/elliptic" @@ -24,6 +25,41 @@ func RSAPub(parms *TPMSRSAParms, pub *TPM2BPublicKeyRSA) (*rsa.PublicKey, error) return &result, nil } +// ECDHPub converts a TPM ECC public key into one recognized by the ecdh package +func ECDSAPub(parms *TPMSECCParms, pub *TPMSECCPoint) (*ecdsa.PublicKey, error) { + + var c elliptic.Curve + switch parms.CurveID { + case TPMECCNistP256: + c = elliptic.P256() + case TPMECCNistP384: + c = elliptic.P384() + case TPMECCNistP521: + c = elliptic.P521() + default: + return nil, fmt.Errorf("unknown curve: %v", parms.CurveID) + } + + pubKey := ecdsa.PublicKey{ + Curve: c, + X: big.NewInt(0).SetBytes(pub.X.Buffer), + Y: big.NewInt(0).SetBytes(pub.Y.Buffer), + } + + return &pubKey, nil +} + +// ECDHPub converts a TPM ECC public key into one recognized by the ecdh package +func ECDHPub(parms *TPMSECCParms, pub *TPMSECCPoint) (*ecdh.PublicKey, error) { + + pubKey, err := ECDSAPub(parms, pub) + if err != nil { + return nil, err + } + + return pubKey.ECDH() +} + // ECDHPubKey converts a TPM ECC public key into one recognized by the ecdh package func ECDHPubKey(curve ecdh.Curve, pub *TPMSECCPoint) (*ecdh.PublicKey, error) { From 95edc2a1a1834f9ec26f1273300bc787285a05b8 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 10:45:52 -0400 Subject: [PATCH 04/17] Fix typo --- tpm2/crypto.go | 1 - 1 file changed, 1 deletion(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 8c3b6700..3c525af9 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -1,7 +1,6 @@ package tpm2 import ( - "crypto" "crypto/ecdh" "crypto/ecdsa" "crypto/elliptic" From 5ff22c609eac76fee297d401cd19c3047a686852 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 10:49:48 -0400 Subject: [PATCH 05/17] Fix typo --- tpm2/crypto.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 3c525af9..52b25fdc 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -24,7 +24,7 @@ func RSAPub(parms *TPMSRSAParms, pub *TPM2BPublicKeyRSA) (*rsa.PublicKey, error) return &result, nil } -// ECDHPub converts a TPM ECC public key into one recognized by the ecdh package +// ECDSAPub converts a TPM ECC public key into one recognized by the ecdh package func ECDSAPub(parms *TPMSECCParms, pub *TPMSECCPoint) (*ecdsa.PublicKey, error) { var c elliptic.Curve From c51902ae11012527bdc65072670c427d463f54e7 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 10:52:11 -0400 Subject: [PATCH 06/17] Improve crypto.go --- tpm2/crypto.go | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 52b25fdc..9947e8a1 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -1,6 +1,7 @@ package tpm2 import ( + "crypto" "crypto/ecdh" "crypto/ecdsa" "crypto/elliptic" @@ -9,6 +10,48 @@ import ( "math/big" ) +func Pub(public TPMTPublic) (crypto.PublicKey, error) { + var publicKey crypto.PublicKey + + switch public.Type { + case TPMAlgRSA: + parameters, err := public.Parameters.RSADetail() + if err != nil { + return nil, fmt.Errorf("failed to retrieve the RSA parameters") + } + + n, err := public.Unique.RSA() + if err != nil { + return nil, fmt.Errorf("failed to parse and retreive the RSA modulus") + } + + publicKey, err = RSAPub(parameters, n) + if err != nil { + return nil, fmt.Errorf("failed to retrieve the RSA public key") + } + case TPMAlgECC: + parameters, err := public.Parameters.ECCDetail() + if err != nil { + return nil, fmt.Errorf("failed to retrieve the ECC parameters") + } + + pub, err := public.Unique.ECC() + if err != nil { + return nil, fmt.Errorf("failed to parse and retreive the ECC point") + } + + publicKey, err = ECDSAPub(parameters, pub) + if err != nil { + return nil, fmt.Errorf("failed to retrieve the ECC public key") + } + + default: + return nil, fmt.Errorf("unsupported public key type: %v", public.Type) + } + + return publicKey, nil +} + // RSAPub converts a TPM RSA public key into one recognized by the rsa package. func RSAPub(parms *TPMSRSAParms, pub *TPM2BPublicKeyRSA) (*rsa.PublicKey, error) { result := rsa.PublicKey{ From 2dd283295261d2071dcf889b77d3ca55d0acfbc5 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 13:12:04 -0400 Subject: [PATCH 07/17] Fix typo --- tpm2/crypto.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 9947e8a1..67fca19d 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -22,7 +22,7 @@ func Pub(public TPMTPublic) (crypto.PublicKey, error) { n, err := public.Unique.RSA() if err != nil { - return nil, fmt.Errorf("failed to parse and retreive the RSA modulus") + return nil, fmt.Errorf("failed to parse and retrieve the RSA modulus") } publicKey, err = RSAPub(parameters, n) @@ -37,7 +37,7 @@ func Pub(public TPMTPublic) (crypto.PublicKey, error) { pub, err := public.Unique.ECC() if err != nil { - return nil, fmt.Errorf("failed to parse and retreive the ECC point") + return nil, fmt.Errorf("failed to parse and retrieve the ECC point") } publicKey, err = ECDSAPub(parameters, pub) From 52108c8c01f28744c953738b371cbce130efba51 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 13:14:51 -0400 Subject: [PATCH 08/17] Fix lint --- tpm2/structures.go | 1 + 1 file changed, 1 insertion(+) diff --git a/tpm2/structures.go b/tpm2/structures.go index bf745162..88e9cb4f 100644 --- a/tpm2/structures.go +++ b/tpm2/structures.go @@ -2875,6 +2875,7 @@ func (u *TPMUSensitiveComposite) Sym() (*TPM2BSymKey, error) { } return nil, fmt.Errorf("did not contain sym (selector value was %v)", u.selector) } + // Bits returns the 'bits' member of the union. func (u *TPMUSensitiveComposite) Bits() (*TPM2BSensitiveData, error) { if u.selector == TPMAlgKeyedHash { From c314983b4a2c51a1af701b09286deb005916af15 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 13:15:54 -0400 Subject: [PATCH 09/17] Fix lint --- tpm2/structures.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tpm2/structures.go b/tpm2/structures.go index 88e9cb4f..17dffa14 100644 --- a/tpm2/structures.go +++ b/tpm2/structures.go @@ -2884,6 +2884,7 @@ func (u *TPMUSensitiveComposite) Bits() (*TPM2BSensitiveData, error) { return nil, fmt.Errorf("did not contain bits (selector value was %v)", u.selector) } + // RSA returns the 'rsa' member of the union. func (u *TPMUSensitiveComposite) RSA() (*TPM2BPrivateKeyRSA, error) { if u.selector == TPMAlgRSA { @@ -2891,6 +2892,7 @@ func (u *TPMUSensitiveComposite) RSA() (*TPM2BPrivateKeyRSA, error) { } return nil, fmt.Errorf("did not contain rsa (selector value was %v)", u.selector) } + // ECC returns the 'ecc' member of the union. func (u *TPMUSensitiveComposite) ECC() (*TPM2BECCParameter, error) { if u.selector == TPMAlgECC { From aa83dbf01c7e90a14cef44df364501ff11fc8236 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Wed, 25 Sep 2024 13:17:36 -0400 Subject: [PATCH 10/17] Fix lint --- tpm2/structures.go | 1 - 1 file changed, 1 deletion(-) diff --git a/tpm2/structures.go b/tpm2/structures.go index 17dffa14..fb4685cc 100644 --- a/tpm2/structures.go +++ b/tpm2/structures.go @@ -2881,7 +2881,6 @@ func (u *TPMUSensitiveComposite) Bits() (*TPM2BSensitiveData, error) { if u.selector == TPMAlgKeyedHash { return u.contents.(*TPM2BSensitiveData), nil } - return nil, fmt.Errorf("did not contain bits (selector value was %v)", u.selector) } From 633db09c9afda3883d14b1980f3a30df17a7c5ba Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Thu, 3 Oct 2024 12:58:47 -0400 Subject: [PATCH 11/17] Improve crypto.go --- tpm2/crypto.go | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 67fca19d..535c01b5 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -10,6 +10,47 @@ import ( "math/big" ) +// Priv converts a TPM private key into one recognized by the crypto package. +func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) { + + var privateKey crypto.PrivateKey + + publicKey, err := Pub(public) + if err != nil { + return nil, err + } + + switch public.Type { + case TPMAlgRSA: + prime, err := sensitive.Sensitive.RSA() + if err != nil { + return nil, fmt.Errorf("failed to retrieve the RSA prime number") + } + + publicKey := publicKey.(rsa.PublicKey) + + P := new(big.Int).SetBytes(prime.Buffer) + Q := new(big.Int).Div(publicKey.N, P) + phiN := new(big.Int).Mul(new(big.Int).Sub(P, big.NewInt(1)), new(big.Int).Sub(Q, big.NewInt(1))) + D := new(big.Int).ModInverse(big.NewInt(int64(publicKey.E)), phiN) + + privateKey = rsa.PrivateKey{ + PublicKey: publicKey, + D: D, + Primes: []*big.Int{P, Q}, + } + privateKey := privateKey.(rsa.PrivateKey) + + privateKey.Precompute() + + default: + return nil, fmt.Errorf("unsupported public key type: %v", public.Type) + } + + return privateKey, nil +} + +// Pub converts a TPM public key into one recognized by the crypto package. func Pub(public TPMTPublic) (crypto.PublicKey, error) { var publicKey crypto.PublicKey @@ -44,7 +85,6 @@ func Pub(public TPMTPublic) (crypto.PublicKey, error) { if err != nil { return nil, fmt.Errorf("failed to retrieve the ECC public key") } - default: return nil, fmt.Errorf("unsupported public key type: %v", public.Type) } From 6fae44f92a7b69f18008b21a8fba9c4c59ff76f2 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Thu, 3 Oct 2024 13:01:36 -0400 Subject: [PATCH 12/17] Fix lint --- tpm2/crypto.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 535c01b5..894b8597 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -37,12 +37,12 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) privateKey = rsa.PrivateKey{ PublicKey: publicKey, D: D, - Primes: []*big.Int{P, Q}, + Primes: []*big.Int{P, Q}, } privateKey := privateKey.(rsa.PrivateKey) privateKey.Precompute() - + default: return nil, fmt.Errorf("unsupported public key type: %v", public.Type) } From 41eeb7a43f04860a7c72c3e461801982956acd78 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Thu, 3 Oct 2024 14:19:02 -0400 Subject: [PATCH 13/17] Fix --- tpm2/crypto.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 894b8597..83effc10 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -22,19 +22,19 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) switch public.Type { case TPMAlgRSA: + publicKey := publicKey.(rsa.PublicKey) + prime, err := sensitive.Sensitive.RSA() if err != nil { return nil, fmt.Errorf("failed to retrieve the RSA prime number") } - publicKey := publicKey.(rsa.PublicKey) - P := new(big.Int).SetBytes(prime.Buffer) Q := new(big.Int).Div(publicKey.N, P) phiN := new(big.Int).Mul(new(big.Int).Sub(P, big.NewInt(1)), new(big.Int).Sub(Q, big.NewInt(1))) D := new(big.Int).ModInverse(big.NewInt(int64(publicKey.E)), phiN) - privateKey = rsa.PrivateKey{ + privateKey = &rsa.PrivateKey{ PublicKey: publicKey, D: D, Primes: []*big.Int{P, Q}, @@ -47,7 +47,7 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) return nil, fmt.Errorf("unsupported public key type: %v", public.Type) } - return privateKey, nil + return &privateKey, nil } // Pub converts a TPM public key into one recognized by the crypto package. @@ -89,7 +89,7 @@ func Pub(public TPMTPublic) (crypto.PublicKey, error) { return nil, fmt.Errorf("unsupported public key type: %v", public.Type) } - return publicKey, nil + return &publicKey, nil } // RSAPub converts a TPM RSA public key into one recognized by the rsa package. From 050cd314cacc6fbd2898fb7d94f1f9386cdba5a4 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Thu, 3 Oct 2024 14:22:53 -0400 Subject: [PATCH 14/17] Fix --- tpm2/crypto.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 83effc10..8358009e 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -22,7 +22,7 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) switch public.Type { case TPMAlgRSA: - publicKey := publicKey.(rsa.PublicKey) + publicKey := publicKey.(*rsa.PublicKey) prime, err := sensitive.Sensitive.RSA() if err != nil { @@ -35,7 +35,7 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) D := new(big.Int).ModInverse(big.NewInt(int64(publicKey.E)), phiN) privateKey = &rsa.PrivateKey{ - PublicKey: publicKey, + PublicKey: *publicKey, D: D, Primes: []*big.Int{P, Q}, } From ec8a16312fe21a525d3d4ef9190b894ce38ed407 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Thu, 3 Oct 2024 15:32:10 -0400 Subject: [PATCH 15/17] Fix --- tpm2/crypto.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 8358009e..afbd88b4 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -23,7 +23,7 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) switch public.Type { case TPMAlgRSA: publicKey := publicKey.(*rsa.PublicKey) - + prime, err := sensitive.Sensitive.RSA() if err != nil { return nil, fmt.Errorf("failed to retrieve the RSA prime number") @@ -34,7 +34,7 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) phiN := new(big.Int).Mul(new(big.Int).Sub(P, big.NewInt(1)), new(big.Int).Sub(Q, big.NewInt(1))) D := new(big.Int).ModInverse(big.NewInt(int64(publicKey.E)), phiN) - privateKey = &rsa.PrivateKey{ + privateKey = rsa.PrivateKey{ PublicKey: *publicKey, D: D, Primes: []*big.Int{P, Q}, @@ -42,7 +42,6 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) privateKey := privateKey.(rsa.PrivateKey) privateKey.Precompute() - default: return nil, fmt.Errorf("unsupported public key type: %v", public.Type) } @@ -89,7 +88,7 @@ func Pub(public TPMTPublic) (crypto.PublicKey, error) { return nil, fmt.Errorf("unsupported public key type: %v", public.Type) } - return &publicKey, nil + return publicKey, nil } // RSAPub converts a TPM RSA public key into one recognized by the rsa package. From a31d031df0515d0632a8dd72d7d4e83450adc56a Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Thu, 3 Oct 2024 15:34:10 -0400 Subject: [PATCH 16/17] Fix --- tpm2/crypto.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index afbd88b4..260f8dcb 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -23,7 +23,7 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) switch public.Type { case TPMAlgRSA: publicKey := publicKey.(*rsa.PublicKey) - + prime, err := sensitive.Sensitive.RSA() if err != nil { return nil, fmt.Errorf("failed to retrieve the RSA prime number") From 81c88afdaec8b0fdd5e61ea77de11d2f08868846 Mon Sep 17 00:00:00 2001 From: Alexandre Laroche Date: Thu, 3 Oct 2024 15:39:30 -0400 Subject: [PATCH 17/17] Fix --- tpm2/crypto.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tpm2/crypto.go b/tpm2/crypto.go index 260f8dcb..b54f25bf 100644 --- a/tpm2/crypto.go +++ b/tpm2/crypto.go @@ -46,7 +46,7 @@ func Priv(public TPMTPublic, sensitive TPMTSensitive) (crypto.PrivateKey, error) return nil, fmt.Errorf("unsupported public key type: %v", public.Type) } - return &privateKey, nil + return privateKey, nil } // Pub converts a TPM public key into one recognized by the crypto package.