Add TPM Key Support #74
Merged
This does nothing useful yet, except detecting that we were given a TSS2 private key blob and reporting that it's not supported. It does help to ensure that when we come to implement this, we'll get the user experience right. Which is "just give us the file". We can do the actual implementation either via OpenSSL with one of the TPM engines/providers, or by parsing the TSS2 ASN.1 ourselves and driving the TPM directly. Not sure which is easier from Go.
Just parse the ASN.1 (working around historical bugs and the lack of BER support in asn1.Unmarshal()). Returns a Signer that won't work yet.
This allows us to use the swtpm, via the unix socket
* Only password-protected TPM signing keys are supported. It isn't currently possible to use passwords for parents or hierarchies.
* Modify the README appropriately, to convey the above.
* Refactor testing and Makefile, so that TPM tests are in their own file, and so that they can be run in isolation (without having to set up SoftHSM, for example).
* Change RSA signing, so that only keys with the sign capability can be used to perform signatures (note that this is yet to be tested since it may not be possible to create such keys using the create_tpm2_key utility).

* Remove some unnecessary code that was previously commented out
* Format code
* Add a few more TPM key tests

* Note that the guidance as written now hasn't been fully tested

* Check that the TPM used supports the necessary algorithms before attempting to sign
* Minor modifications to README and some code cleanup

* Refactor password prompting so that both loading a TPM key and signing with a TPM key can be done easily
* Passwords on parent keys are still yet to be tested through unit tests

* Modify Makefile to create primary (parent) keys with passwords
* Add positive and negative tests to verify parent key password support
* Add hacky helper functions to help transform a TPM key blob into a Bottomley TPM key file

* Modify TPM tests so that they continue to work
* Fix a bug relating to using certificate chains with TPM keys

* TPM key handles are now supported by the credential helper
* Remove support for parent key passwords; instead, child keys with parent passwords will need to be loaded into the TPM and referred to by their handle in order to be used with the credential helper
* Add unit tests for TPM key handles
* Add no-tpm-key-password flag for sign-string command
* Partially modify README to include TPM guidance based on Intel tools

* Emulate a subset of functionality provided by the tpm2_create_key utility within a bash script of the same name (with a .sh extension)
* Modify Makefile to either use tpm2-tools or tpm2-openssl directly, or to use the bash script utility
* Fix no-tpm-key-password intent logic

* Determine whether authorization is required based on key file (in which case, there is an `emptyAuth` field) or CLI flag (if a handle is used), so as to not cause unnecessary DA lockout
* Refactor tests based on the above
* Fix some Makefile components dealing with hardware TPM keys

* Note customer responsibilities when referencing TPM keys using their handles
* Add example of using the credential helper with a TPM key file
* Add further notes on tooling and limitations

* When passwords aren't required by key files (through `emptyAuth`), make sure that one isn't provided through the CLI (fail if it is)

* Update README to warn about loaded TPM keys without passwords persisting after use
* Update error handling for a particular type of file parsing and remove extra print statements
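The `emptyAuth` handling described in the commit messages above can be sketched as follows. This is an added example, not code from this PR or the project: the struct layout and the loadable-key OID are assumptions taken from the public TSS2 PRIVATE KEY file format, `needsPassword`, `sampleKey` and `cliPassword` are hypothetical names, and the input is DER (the PEM wrapper is assumed to be already removed).

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// tpmKey follows the assumed TSS2 PRIVATE KEY layout; optional policy fields omitted.
type tpmKey struct {
	Type      asn1.ObjectIdentifier
	EmptyAuth bool `asn1:"optional,explicit,tag:0"`
	Parent    int64
	Pubkey    []byte
	Privkey   []byte
}

var oidLoadableKey = asn1.ObjectIdentifier{2, 23, 133, 10, 1, 3} // assumed OID
var errUnexpectedPassword = errors.New("key has emptyAuth set but a password was supplied")

// needsPassword parses a DER key and reports whether a password must be
// collected before the key is used. cliPassword is a hypothetical CLI value.
func needsPassword(der []byte, cliPassword string) (bool, error) {
	var k tpmKey
	rest, err := asn1.Unmarshal(der, &k)
	if err != nil {
		return false, fmt.Errorf("parse TSS2 key: %w", err)
	}
	if len(rest) != 0 || !k.Type.Equal(oidLoadableKey) {
		return false, errors.New("not a loadable TSS2 key")
	}
	if k.EmptyAuth {
		if cliPassword != "" {
			return false, errUnexpectedPassword // fail instead of sending unneeded auth
		}
		return false, nil // no prompt, so no failed attempt counted toward DA lockout
	}
	return true, nil
}

// sampleKey builds a constructed key blob with placeholder pub/priv bytes.
func sampleKey(emptyAuth bool) []byte {
	der, _ := asn1.Marshal(tpmKey{oidLoadableKey, emptyAuth, 0x40000001, []byte{1, 2}, []byte{3, 4}})
	return der
}

func main() {
	fmt.Println(needsPassword(sampleKey(true), ""))
}
```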
rlalcorn approved these changes Nov 7, 2024

Nice. Thanks for seeing this to completion!

Sorry it took so long, and thanks for all your help throughout the process (including writing the majority of the code, from which I built off of)!
Description of changes:
This is a continuation of this PR.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.