modify keyfile sample

Signed-off-by: sal rashid <[email protected]>
salrashid123 · Aug 12, 2024 · 3a492f3 · 3a492f3
1 parent 2b6238d
commit 3a492f3
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 26 deletions.
diff --git a/example/go.mod b/example/go.mod
@@ -10,7 +10,7 @@ require (
 )
 
 require (
-	github.com/foxboron/go-tpm-keyfiles v0.0.0-20240525122353-0883da4eb332
+	github.com/foxboron/go-tpm-keyfiles v0.0.0-20240620184055-b891af1cbc88
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/salrashid123/golang-jwt-tpm v1.5.0
 )
@@ -26,7 +26,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.23.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 )
 

diff --git a/example/go.sum b/example/go.sum
@@ -1,7 +1,9 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/foxboron/go-tpm-keyfiles v0.0.0-20240525122353-0883da4eb332 h1:Cg18duIK8XCYDTJWqFEQrUbYgGBeswBGyW4M23hdhQE=
-github.com/foxboron/go-tpm-keyfiles v0.0.0-20240525122353-0883da4eb332/go.mod h1:Y5SsZTulz5NFq7aigID+rsWMgAq72YHHTUD0Zo2iar8=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20240620184055-b891af1cbc88 h1:MXG/QPdIbe7ez9WM7q+iXedMjDwqMCfqkiAPoI+m2bA=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20240620184055-b891af1cbc88/go.mod h1:uAyTlAUxchYuiFjTHmuIEJ4nGSm7iOPaGcAyA81fJ80=
+github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006 h1:50sW4r0PcvlpG4PV8tYh2RVCapszJgaOLRCS2subvV4=
+github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006/go.mod h1:eIXCMsMYCaqq9m1KSSxXwQG11krpuNPGP3k0uaWrbas=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -42,8 +44,8 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
 google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

diff --git a/example/go_keyfile_compat/main.go b/example/go_keyfile_compat/main.go
@@ -28,10 +28,6 @@ import (
 /*
 Load a key using https://github.com/Foxboron/go-tpm-keyfiles
 
-also see:
-
-	https://gist.github.com/salrashid123/9822b151ebb66f4083c5f71fd4cdbe40
-
 $ go run go_keyfile_compat/main.go
 
 2024/05/30 11:20:36 ======= Init  ========
@@ -69,6 +65,12 @@ dwIDAQAB
 TOKEN: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0ZXN0IiwiZXhwIjoxNzE3MDgyNDk2fQ.Gyb8YIeQsbbl5mFVn55dO-J26HuwM1JK94RdrOEafySI7YJzfOkSeSAaSHvNR9aPiHh--nx3oMYpxPwPR161mKBF-w9DETqHn6lUqFSYzEk7tut-E1LrohrACkhSS_VbJuUw9S57imYMqzI9BTKm-FFG1mYBktWI0UWxC7e5wGaajS_cJc7fRx-5Ni-lDyBxYL1Az1ApIg9bwkEJxG7fLSI2_nsO9Unzd1mpRZ2nBUMjaK2aoG8vZMhHOK80R46VEeBq1ZT2xoaXiNZshBRf2mIptLpfSNVjT1gDCWdKVtIaBHevTpzmQLflQJVdSNKinCst-7N_QzF2UEPRBGx7GQ
 2024/05/30 11:20:36      verified with TPM PublicKey
 2024/05/30 11:20:36      verified with exported PubicKey
+
+// note the primary is created using the h2 template
+//   printf '\x00\x00' > /tmp/unique.dat
+//   tpm2_createprimary -C o -G ecc  -g sha256 \
+//       -c primary.ctx \
+//       -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt" -u /tmp/unique.dat
 */
 var (
 	tpmPath = flag.String("tpm-path", "127.0.0.1:2321", "Path to the TPM device (character device or a Unix socket).")
@@ -109,8 +111,11 @@ func main() {
 	log.Printf("======= createPrimary ========")
 
 	primaryKey, err := tpm2.CreatePrimary{
-		PrimaryHandle: tpm2.TPMRHOwner,
-		InPublic:      tpm2.New2B(tpm2.RSASRKTemplate),
+		PrimaryHandle: tpm2.AuthHandle{
+			Handle: tpm2.TPMRHOwner,
+			Auth:   tpm2.PasswordAuth(nil),
+		},
+		InPublic: tpm2.New2B(keyfile.ECCSRK_H2_Template),
 	}.Execute(rwr)
 	if err != nil {
 		log.Fatalf("can't create primary %v", err)
@@ -173,13 +178,23 @@ func main() {
 		log.Fatalf("can't create rsa %v", err)
 	}
 
+	defer func() {
+		flushContextCmd := tpm2.FlushContext{
+			FlushHandle: rsaKeyResponse.ObjectHandle,
+		}
+		_, _ = flushContextCmd.Execute(rwr)
+	}()
+
 	// write the key to file
 	log.Printf("======= writing key to file ========")
 
-	//tkf, err := keyfile.NewLoadableKey(rsaKeyResponse.OutPublic, rsaKeyResponse.OutPrivate, tpm2.TPMHandle(*persistenthandle), false)
-	tkf, err := keyfile.NewLoadableKey(rsaKeyResponse.OutPublic, rsaKeyResponse.OutPrivate, primaryKey.ObjectHandle, false)
-	if err != nil {
-		log.Fatalf("failed to create KeyFile: %v", err)
+	tkf := &keyfile.TPMKey{
+		Keytype:    keyfile.OIDLoadableKey,
+		EmptyAuth:  true,
+		AuthPolicy: []*keyfile.TPMAuthPolicy{},
+		Parent:     tpm2.TPMRHOwner,
+		Pubkey:     rsaKeyResponse.OutPublic,
+		Privkey:    rsaKeyResponse.OutPrivate,
 	}
 
 	b := new(bytes.Buffer)
@@ -196,6 +211,16 @@ func main() {
 		log.Fatalf("failed to write private key to file %v", err)
 	}
 
+	flushContextRSACmd := tpm2.FlushContext{
+		FlushHandle: rsaKeyResponse.ObjectHandle,
+	}
+	_, _ = flushContextRSACmd.Execute(rwr)
+
+	flushContextPrimaryCmd := tpm2.FlushContext{
+		FlushHandle: primaryKey.ObjectHandle,
+	}
+	_, _ = flushContextPrimaryCmd.Execute(rwr)
+
 	log.Printf("======= reading key from file ========")
 	c, err := os.ReadFile(*out)
 	if err != nil {
@@ -206,10 +231,28 @@ func main() {
 		log.Fatalf("failed decoding key: %v", err)
 	}
 
+	primary, err := tpm2.CreatePrimary{
+		PrimaryHandle: tpm2.AuthHandle{
+			Handle: tpm2.TPMHandle(key.Parent),
+			Auth:   tpm2.PasswordAuth(nil),
+		},
+		InPublic: tpm2.New2B(keyfile.ECCSRK_H2_Template),
+	}.Execute(rwr)
+	if err != nil {
+		log.Fatalf(" can't create primary: %v", err)
+	}
+
+	defer func() {
+		flushContextCmd := tpm2.FlushContext{
+			FlushHandle: primary.ObjectHandle,
+		}
+		_, _ = flushContextCmd.Execute(rwr)
+	}()
+
 	regenRSAKey, err := tpm2.Load{
 		ParentHandle: tpm2.AuthHandle{
-			Handle: primaryKey.ObjectHandle,
-			Name:   tpm2.TPM2BName(primaryKey.Name),
+			Handle: primary.ObjectHandle,
+			Name:   tpm2.TPM2BName(primary.Name),
 			Auth:   tpm2.PasswordAuth(nil),
 		},
 		InPublic:  key.Pubkey,
@@ -219,14 +262,6 @@ func main() {
 		log.Fatalf("can't load rsa key: %v", err)
 	}
 
-	flush := tpm2.FlushContext{
-		FlushHandle: primaryKey.ObjectHandle,
-	}
-	_, err = flush.Execute(rwr)
-	if err != nil {
-		log.Fatalf("can't close primary  %v", err)
-	}
-
 	defer func() {
 		flushContextCmd := tpm2.FlushContext{
 			FlushHandle: regenRSAKey.ObjectHandle,