README
¶
tpm
This package is an abstraction on top of the go-tpm libraries to use a local TPM to create and use RSA, ECC, and AES keys that are bound to that TPM. The keys can never be used without the TPM that was used to create them.
Any number of keys can be created and used concurrently. The library takes care loading the right key in the TPM, as needed.
By default, 2048-bit RSA keys are created. AES keys, ECC keys, and RSA keys of different sizes can also be created if the TPM supports them.
Example:
package main
import (
"crypto"
"crypto/rsa"
"crypto/sha256"
"log"
"github.com/c2FmZQ/tpm"
)
const keyPassphrase = "foobar"
func main() {
tpm, err := tpm.New(tpm.WithObjectAuth([]byte(keyPassphrase)))
if err != nil {
log.Fatalf("tpm.New: %v", err)
}
defer tpm.Close()
// CreateKey returns a []byte that can be saved offline.
keyctx, err := tpm.CreateKey()
if err != nil {
log.Fatalf("tpm.CreateKey: %v", err)
}
key, err := tpm.Key(keyctx)
if err != nil {
log.Fatalf("tpm.Key: %v", err)
}
payload := "Hello world!"
encrypted, err := key.Encrypt([]byte(payload))
if err != nil {
log.Fatalf("key.Encrypt: %v", err)
}
decrypted, err := key.Decrypt(nil, encrypted, nil)
if err != nil {
log.Fatalf("key.Decrypt: %v", err)
}
_ = decrypted
hashed := sha256.Sum256([]byte(payload))
sig, err := key.Sign(nil, hashed[:], crypto.SHA256)
if err != nil {
log.Fatalf("key.Sign: %v", err)
}
if err := rsa.VerifyPKCS1v15(key.Public().(*rsa.PublicKey), crypto.SHA256, hashed[:], sig); err != nil {
log.Fatalf("rsa.VerifyPKCS1v15: %v", err)
}
}
Documentation
¶
Overview ¶
Package tpm is an abstraction on top of the go-tpm libraries to use a local TPM to create and use RSA, ECC, and AES keys that are bound to that TPM. The keys can never be used without the TPM that was used to create them.
Any number of keys can be created and used concurrently. The library takes care loading the right key in the TPM, as needed.
By default, 2048-bit RSA keys are created. AES keys, ECC keys, and RSA keys of different sizes can also be created if the TPM supports them.
Index ¶
- Variables
- type Key
- func (k *Key) Bits() int
- func (k *Key) Curve() elliptic.Curve
- func (k *Key) Decrypt(_ io.Reader, ciphertext []byte, _ crypto.DecrypterOpts) (plaintext []byte, err error)
- func (k *Key) Encrypt(cleartext []byte) (ciphertext []byte, err error)
- func (k *Key) Public() crypto.PublicKey
- func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
- func (k *Key) Type() KeyType
- type KeyOption
- type KeyType
- type Option
- type TPM
Constants ¶
This section is empty.
Variables ¶
Functions ¶
This section is empty.
Types ¶
type Key ¶
type Key struct {
// contains filtered or unexported fields
}
Key executes the expected operations via the TPM. It implements the crypto.Signer and crypto.Decrypter interfaces.
func (*Key) Decrypt ¶
func (k *Key) Decrypt(_ io.Reader, ciphertext []byte, _ crypto.DecrypterOpts) (plaintext []byte, err error)
Decrypt decrypts ciphertext with the key.
type KeyOption ¶
type KeyOption func(*keyOptions)
KeyOption is an option that can be passed to CreateKey.
type Option ¶
type Option func(*TPM)
Option is an option that can be passed to New.
func WithEndorsementAuth ¶
WithEndorsementAuth specifies the endorsement passphrase.
func WithObjectAuth ¶
WithObjectAuth specifies the passphrase to set on created keys.
func WithTPM ¶
func WithTPM(rwc io.ReadWriteCloser) Option
WithTPM specifies an already open TPM device to use.
type TPM ¶
type TPM struct {
// contains filtered or unexported fields
}
TPM uses a local Trusted Platform Module (TPM) device to create and use RSA keys that are bound to that TPM. The private keys can never be used without the TPM created them.
Source Files
Directories