Documentation
Overview ¶
Package tpm is a generated GoMock package.
Index ¶
- Constants
- Variables
- func AttestationKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
- func BuildTCGCSRIDevID(standardCSR []byte, productModel string, productSerial string, ekCert []byte, ...) ([]byte, error)
- func ConvertTPMSignatureToDER(sig *tpm2.TPMTSignature) ([]byte, error)
- func EmbedTCGCSRInX509(standardCSR []byte, tcgCSRData []byte) ([]byte, error)
- func GenerateTPM2KeyFile(keyType KeyFileType, parent tpm2.TPMHandle, public tpm2.TPM2BPublic, ...) ([]byte, error)
- func IsTCGCSRFormat(data []byte) bool
- func LDevIDTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
- func LoadCAsFromPaths(paths []string) (*x509.CertPool, error)
- func NormalizeEnrollmentCSR(csrString string) ([]byte, bool, error)
- func ParseTCGCSRBytes(raw string) ([]byte, bool)
- func StorageKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
- func VerifyTCGCSRChainOfTrust(csrData []byte) error
- func VerifyTCGCSRChainOfTrustWithRoots(csrData []byte, trustedRoots *x509.CertPool) error
- func VerifyTCGCSRSigningChain(csrData []byte, trustedCertifyKey []byte) error
- type AppKeyStoreData
- type CSRPayload
- type Certifiable
- type Client
- type CredentialChallenge
- type DeviceID
- type ExportableDeviceID
- type IDevIDContent
- type KeyAlgorithm
- type KeyFileOption
- type KeyFileType
- type KeyType
- type MockCertifiable
- type MockCertifiableMockRecorder
- type MockClient
- func (m *MockClient) Clear() error
- func (m *MockClient) Close() error
- func (m *MockClient) CreateApplicationKey(name string) ([]byte, []byte, error)
- func (m *MockClient) EXPECT() *MockClientMockRecorder
- func (m *MockClient) GetSigner() crypto.Signer
- func (m *MockClient) MakeCSR(deviceName string, qualifyingData []byte) ([]byte, error)
- func (m *MockClient) Public() crypto.PublicKey
- func (m *MockClient) SolveChallenge(credentialBlob, encryptedSecret []byte) ([]byte, error)
- func (m *MockClient) UpdateNonce(nonce []byte) error
- func (m *MockClient) VendorInfoCollector(ctx context.Context) string
- type MockClientMockRecorder
- func (mr *MockClientMockRecorder) Clear() *gomock.Call
- func (mr *MockClientMockRecorder) Close() *gomock.Call
- func (mr *MockClientMockRecorder) CreateApplicationKey(name any) *gomock.Call
- func (mr *MockClientMockRecorder) GetSigner() *gomock.Call
- func (mr *MockClientMockRecorder) MakeCSR(deviceName, qualifyingData any) *gomock.Call
- func (mr *MockClientMockRecorder) Public() *gomock.Call
- func (mr *MockClientMockRecorder) SolveChallenge(credentialBlob, encryptedSecret any) *gomock.Call
- func (mr *MockClientMockRecorder) UpdateNonce(nonce any) *gomock.Call
- func (mr *MockClientMockRecorder) VendorInfoCollector(ctx any) *gomock.Call
- type MockDeviceID
- func (m *MockDeviceID) Close() error
- func (m *MockDeviceID) EXPECT() *MockDeviceIDMockRecorder
- func (m *MockDeviceID) Handle() tpm2.AuthHandle
- func (m *MockDeviceID) Public() crypto.PublicKey
- func (m *MockDeviceID) PublicBlob() []byte
- func (m *MockDeviceID) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
- type MockDeviceIDMockRecorder
- func (mr *MockDeviceIDMockRecorder) Close() *gomock.Call
- func (mr *MockDeviceIDMockRecorder) Handle() *gomock.Call
- func (mr *MockDeviceIDMockRecorder) Public() *gomock.Call
- func (mr *MockDeviceIDMockRecorder) PublicBlob() *gomock.Call
- func (mr *MockDeviceIDMockRecorder) Sign(rand, digest, opts any) *gomock.Call
- type MockExportableDeviceID
- func (m *MockExportableDeviceID) Close() error
- func (m *MockExportableDeviceID) EXPECT() *MockExportableDeviceIDMockRecorder
- func (m *MockExportableDeviceID) Export() ([]byte, error)
- func (m *MockExportableDeviceID) Handle() tpm2.AuthHandle
- func (m *MockExportableDeviceID) Public() crypto.PublicKey
- func (m *MockExportableDeviceID) PublicBlob() []byte
- func (m *MockExportableDeviceID) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
- type MockExportableDeviceIDMockRecorder
- func (mr *MockExportableDeviceIDMockRecorder) Close() *gomock.Call
- func (mr *MockExportableDeviceIDMockRecorder) Export() *gomock.Call
- func (mr *MockExportableDeviceIDMockRecorder) Handle() *gomock.Call
- func (mr *MockExportableDeviceIDMockRecorder) Public() *gomock.Call
- func (mr *MockExportableDeviceIDMockRecorder) PublicBlob() *gomock.Call
- func (mr *MockExportableDeviceIDMockRecorder) Sign(rand, digest, opts any) *gomock.Call
- type MockSession
- func (m *MockSession) Certify(key Certifiable, qualifyingData []byte) ([]byte, []byte, error)
- func (m *MockSession) CertifyKey(keyType KeyType, qualifyingData []byte) ([]byte, []byte, error)
- func (m *MockSession) Clear() error
- func (m *MockSession) Close() error
- func (m *MockSession) CreateKey(keyType KeyType) (*tpm2.CreateResponse, error)
- func (m *MockSession) EXPECT() *MockSessionMockRecorder
- func (m *MockSession) GenerateChallenge(secret []byte) ([]byte, []byte, error)
- func (m *MockSession) GetEndorsementKeyCert() ([]byte, error)
- func (m *MockSession) GetPublicKey(keyType KeyType) (*tpm2.TPM2BPublic, error)
- func (m *MockSession) LoadApplicationKey(appName string) (ExportableDeviceID, error)
- func (m *MockSession) LoadKey(keyType KeyType) (*tpm2.NamedHandle, error)
- func (m *MockSession) RemoveApplicationKey(appName string) error
- func (m *MockSession) Sign(keyType KeyType, digest []byte) ([]byte, error)
- func (m *MockSession) SolveChallenge(credentialBlob, encryptedSecret []byte) ([]byte, error)
- type MockSessionMockRecorder
- func (mr *MockSessionMockRecorder) Certify(key, qualifyingData any) *gomock.Call
- func (mr *MockSessionMockRecorder) CertifyKey(keyType, qualifyingData any) *gomock.Call
- func (mr *MockSessionMockRecorder) Clear() *gomock.Call
- func (mr *MockSessionMockRecorder) Close() *gomock.Call
- func (mr *MockSessionMockRecorder) CreateKey(keyType any) *gomock.Call
- func (mr *MockSessionMockRecorder) GenerateChallenge(secret any) *gomock.Call
- func (mr *MockSessionMockRecorder) GetEndorsementKeyCert() *gomock.Call
- func (mr *MockSessionMockRecorder) GetPublicKey(keyType any) *gomock.Call
- func (mr *MockSessionMockRecorder) LoadApplicationKey(appName any) *gomock.Call
- func (mr *MockSessionMockRecorder) LoadKey(keyType any) *gomock.Call
- func (mr *MockSessionMockRecorder) RemoveApplicationKey(appName any) *gomock.Call
- func (mr *MockSessionMockRecorder) Sign(keyType, digest any) *gomock.Call
- func (mr *MockSessionMockRecorder) SolveChallenge(credentialBlob, encryptedSecret any) *gomock.Call
- type MockStorage
- func (m *MockStorage) ClearApplicationKey(arg0 string) error
- func (m *MockStorage) ClearApplicationKeys() error
- func (m *MockStorage) ClearKey(keyType KeyType) error
- func (m *MockStorage) ClearPassword() error
- func (m *MockStorage) Close() error
- func (m *MockStorage) EXPECT() *MockStorageMockRecorder
- func (m *MockStorage) GetApplicationKey(arg0 string) (*AppKeyStoreData, error)
- func (m *MockStorage) GetKey(keyType KeyType) (*tpm2.TPM2BPublic, *tpm2.TPM2BPrivate, error)
- func (m *MockStorage) GetPassword() ([]byte, error)
- func (m *MockStorage) StoreApplicationKey(arg0 string, arg1 AppKeyStoreData) error
- func (m *MockStorage) StoreKey(keyType KeyType, public tpm2.TPM2BPublic, private tpm2.TPM2BPrivate) error
- func (m *MockStorage) StorePassword(password []byte) error
- type MockStorageMockRecorder
- func (mr *MockStorageMockRecorder) ClearApplicationKey(arg0 any) *gomock.Call
- func (mr *MockStorageMockRecorder) ClearApplicationKeys() *gomock.Call
- func (mr *MockStorageMockRecorder) ClearKey(keyType any) *gomock.Call
- func (mr *MockStorageMockRecorder) ClearPassword() *gomock.Call
- func (mr *MockStorageMockRecorder) Close() *gomock.Call
- func (mr *MockStorageMockRecorder) GetApplicationKey(arg0 any) *gomock.Call
- func (mr *MockStorageMockRecorder) GetKey(keyType any) *gomock.Call
- func (mr *MockStorageMockRecorder) GetPassword() *gomock.Call
- func (mr *MockStorageMockRecorder) StoreApplicationKey(arg0, arg1 any) *gomock.Call
- func (mr *MockStorageMockRecorder) StoreKey(keyType, public, private any) *gomock.Call
- func (mr *MockStorageMockRecorder) StorePassword(password any) *gomock.Call
- type ParsedTCGCSR
- type ParsedTCGContent
- type ParsedTCGPayload
- type Session
- type SessionOption
- type Storage
- type TCGCSRIDevID
- type TCGCSRParser
- type TPMAttestationData
Constants ¶
// TCG algorithm identifiers (TPM_ALG_ID values from the TCG Algorithm Registry).
// NOTE(review): presumably these are the values carried in IDevIDContent.HashAlgoId
// to name the CSR hash algorithm — confirm against the builder/parser.
const (
	TCGAlgSHA256 = 0x000B // SHA-256
	TCGAlgSHA384 = 0x000C // SHA-384
	TCGAlgSHA512 = 0x000D // SHA-512
)
TCG Algorithm IDs (from TCG Algorithm Registry)
// MinNonceLength is the smallest nonce length (in bytes) the package accepts.
// NOTE(review): presumably enforced by Client.UpdateNonce — confirm against the implementation.
const MinNonceLength = 8
Variables ¶
// ErrNotFound is the sentinel error for a lookup that finds nothing (by name, presumably
// a key or record that is not in Storage — confirm with callers). Test for it with errors.Is.
var ErrNotFound = errors.New("not found")
// TCGCSRExtensionOID identifies the X.509 CSR extension that carries the embedded
// TCG-CSR-IDEVID data (see EmbedTCGCSRInX509). It currently reuses
// id-pkcs9-at-challengePassword (1.2.840.113549.1.9.7) as a temporary placeholder and
// should be replaced with a proper TCG-assigned OID.
// NOTE(review): that OID is already assigned to the PKCS#9 challengePassword attribute,
// so the placeholder should not be relied on for interoperability with other CSR consumers.
var TCGCSRExtensionOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
CSR extension OID for TCG-CSR-IDEVID. This temporarily reuses id-pkcs9-at-challengePassword and should be replaced with a proper TCG OID, since that OID is already assigned to the PKCS#9 challengePassword attribute.
Functions ¶
func AttestationKeyTemplate ¶ added in v0.9.0
func AttestationKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
AttestationKeyTemplate generates a Local Attestation Key template for the specified algorithm. The template is derived from the go-tpm-tools AKTemplateECC/AKTemplateRSA templates.
func BuildTCGCSRIDevID ¶ added in v0.9.0
func BuildTCGCSRIDevID( standardCSR []byte, productModel string, productSerial string, ekCert []byte, attestationPub []byte, signingPub []byte, signingCertifyInfo []byte, signingCertifySignature []byte, signer crypto.Signer, ) ([]byte, error)
BuildTCGCSRIDevID creates a TCG-CSR-IDEVID structure with embedded TPM attestation data
func ConvertTPMSignatureToDER ¶ added in v0.9.0
func ConvertTPMSignatureToDER(sig *tpm2.TPMTSignature) ([]byte, error)
ConvertTPMSignatureToDER handles TPM2 signatures for RSA and ECDSA keys.
func EmbedTCGCSRInX509 ¶ added in v0.9.0
EmbedTCGCSRInX509 embeds TCG-CSR-IDEVID data as an extension in a standard X.509 CSR
func GenerateTPM2KeyFile ¶ added in v0.10.0
func GenerateTPM2KeyFile( keyType KeyFileType, parent tpm2.TPMHandle, public tpm2.TPM2BPublic, private tpm2.TPM2BPrivate, opts ...KeyFileOption, ) ([]byte, error)
GenerateTPM2KeyFile generates a TPM2 key file in TSS2 private key format
func IsTCGCSRFormat ¶ added in v0.9.0
IsTCGCSRFormat checks if the provided data appears to be TCG-CSR-IDEVID format
func LDevIDTemplate ¶ added in v0.9.0
func LDevIDTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
LDevIDTemplate generates a Local Device Identity key template based on the specified algorithm. This key template uses the Storage Root Key as the parent key. Key attributes are aligned with definitions from https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM-2p0-DevID_v1p00_r10_12july2021.pdf. Specifically, for key attribute and parameter recommendations, see Sections 7.3.4.1 and 7.3.4.3.
func LoadCAsFromPaths ¶ added in v0.9.0
LoadCAsFromPaths loads CA certificates from a list of file paths
func NormalizeEnrollmentCSR ¶ added in v0.9.0
NormalizeEnrollmentCSR extracts the embedded standard X.509 CSR from a TCG CSR if present.
func ParseTCGCSRBytes ¶ added in v0.9.0
ParseTCGCSRBytes returns the decoded TCG-formatted CSR bytes and true if the input is valid, or false if it is not.
func StorageKeyTemplate ¶ added in v0.10.0
func StorageKeyTemplate(keyAlgo KeyAlgorithm) (tpm2.TPMTPublic, error)
func VerifyTCGCSRChainOfTrust ¶ added in v0.9.0
VerifyTCGCSRChainOfTrust verifies the complete chain of trust in a TCG-CSR-IDEVID
func VerifyTCGCSRChainOfTrustWithRoots ¶ added in v0.9.0
VerifyTCGCSRChainOfTrustWithRoots verifies the complete chain of trust in a TCG-CSR-IDEVID including validation against trusted root CAs
func VerifyTCGCSRSigningChain ¶ added in v0.10.0
VerifyTCGCSRSigningChain verifies that the supplied CSR contains a valid TCG-CSR-IDEVID bundle that is certified by the supplied key
Types ¶
type AppKeyStoreData ¶ added in v0.10.0
// AppKeyStoreData is the persisted record for one application key, as written by
// Storage.StoreApplicationKey and returned by Storage.GetApplicationKey.
type AppKeyStoreData struct {
// ParentHandle is the TPM handle of the key's parent — assumed from the name; confirm.
ParentHandle tpm2.TPMHandle
// ParentPass is presumably the parent key's authorization value — confirm. If so it is
// sensitive and must not be logged.
ParentPass []byte
// Public is the TPM2B_PUBLIC area of the application key.
Public tpm2.TPM2BPublic
// Private is the TPM2B_PRIVATE (TPM-encrypted) area of the application key.
Private tpm2.TPM2BPrivate
// Pass is presumably the application key's own authorization value — confirm. If so it is
// sensitive and must not be logged.
Pass []byte
}
type CSRPayload ¶ added in v0.9.0
// CSRPayload holds the variable-length fields of a TCG-CSR-IDEVID. Each field's length is
// recorded in the matching *Sz field of IDevIDContent (ProdModelSz for ProdModel, and so on).
type CSRPayload struct {
// Product model string
ProdModel []byte `json:"prodModel"`
// Product serial number string
ProdSerial []byte `json:"prodSerial"`
// CA-specific data
ProdCaData []byte `json:"prodCaData"`
// Boot event log
BootEvntLog []byte `json:"bootEvntLog"`
// TPM EK certificate (DER format)
EkCert []byte `json:"ekCert"`
// Attestation key public area
AttestPub []byte `json:"attestPub"`
// TPM2_CertifyCreation ticket
AtCreateTkt []byte `json:"atCreateTkt"`
// TPM2_Certify info for attestation key (currently unused)
AtCertifyInfo []byte `json:"atCertifyInfo"`
// Signature over attestation certify info (currently unused)
AtCertifyInfoSignature []byte `json:"atCertifyInfoSignature"`
// Signing key public area
SigningPub []byte `json:"signingPub"`
// TPM2_Certify info for signing key
SgnCertifyInfo []byte `json:"sgnCertifyInfo"`
// Signature over signing certify info
SgnCertifyInfoSignature []byte `json:"sgnCertifyInfoSignature"`
// Padding bytes (length recorded in IDevIDContent.PadSz)
Pad []byte `json:"pad"`
}
CSRPayload contains the actual payload data referenced by the content structure
type Certifiable ¶ added in v0.10.0
// Certifiable is implemented by keys whose TPM handle can be handed to Session.Certify
// (presumably to produce TPM2_Certify output over that key — confirm).
type Certifiable interface {
// Handle returns the Handle of the Key to certify
Handle() tpm2.AuthHandle
}
Certifiable defines an interface for keys that are certifiable
type Client ¶ added in v0.9.0
// Client is the high-level interface for interacting with the TPM; NewClient returns
// an implementation and MockClient is its generated mock.
type Client interface {
// Public returns the public key corresponding to the LDevID private key
Public() crypto.PublicKey
// MakeCSR generates a TCG-CSR-IDEVID structure for enrollment requests
MakeCSR(deviceName string, qualifyingData []byte) ([]byte, error)
// SolveChallenge uses TPM2_ActivateCredential to decrypt an encrypted secret.
// The inputs correspond to CredentialChallenge.CredentialBlob and
// CredentialChallenge.EncryptedSecret; the verifier presumably compares the result
// with CredentialChallenge.ExpectedSecret (see CreateCredentialChallenge) — confirm.
SolveChallenge(credentialBlob, encryptedSecret []byte) ([]byte, error)
// GetSigner returns the crypto.Signer interface for this client
GetSigner() crypto.Signer
// UpdateNonce updates the nonce used for TPM operations.
// NOTE(review): presumably rejects nonces shorter than MinNonceLength — confirm.
UpdateNonce(nonce []byte) error
// Clear clears any stored TPM data
Clear() error
// Close closes the TPM session
Close() error
// VendorInfoCollector collects vendor information from the TPM
VendorInfoCollector(ctx context.Context) string
// CreateApplicationKey generates a TCG CSR IDEVID bundle and a TSS2 PEM encoded file for the specified application.
// The two byte slices are presumably returned in that order (bundle, then PEM file) — confirm.
CreateApplicationKey(name string) ([]byte, []byte, error)
}
Client defines the interface for interacting with the TPM
func NewClient ¶ added in v0.9.0
func NewClient(log *log.PrefixLogger, rw fileio.ReadWriter, config *agent_config.Config) (Client, error)
NewClient creates a new simplified TPM client with the given configuration.
type CredentialChallenge ¶ added in v0.10.0
// CredentialChallenge holds the three parts of a TPM credential-activation challenge
// as produced by CreateCredentialChallenge.
type CredentialChallenge struct {
// CredentialBlob is the credential sent to the device, which passes it to
// Client.SolveChallenge (TPM2_ActivateCredential).
CredentialBlob []byte
// EncryptedSecret is sent to the device alongside CredentialBlob.
EncryptedSecret []byte
// ExpectedSecret is the verifier's reference copy of the secret, used to check the
// device's SolveChallenge result. It must stay with the verifier; sending it to the
// device would let the challenge be answered without the TPM.
ExpectedSecret []byte
}
CredentialChallenge contains the components of a TPM credential challenge
func CreateCredentialChallenge ¶ added in v0.10.0
func CreateCredentialChallenge(ekCertBytes []byte, publicKeyBytes []byte) (*CredentialChallenge, error)
CreateCredentialChallenge generates a challenge credential that can be solved using TPM2_ActivateCredential. It takes an EK certificate and any TPM public key as byte arrays and returns a CredentialChallenge containing the credential blob, encrypted secret, and expected secret for verification. No calls to a TPM are made.
type DeviceID ¶ added in v0.10.0
// DeviceID is a TPM-backed identity key: it signs through crypto.Signer, exposes its
// TPM handle through Certifiable, and must be Closed to flush the key when no longer needed.
type DeviceID interface {
crypto.Signer
Certifiable
// Close flushes the key
Close() error
// PublicBlob returns the serialized TPM2Public portion of the key
PublicBlob() []byte
}
DeviceID defines an interface for Keys that represent an identity
type ExportableDeviceID ¶ added in v0.10.0
// ExportableDeviceID is a DeviceID that can also be serialized to a TSS2 key file
// (see GenerateTPM2KeyFile); Session.LoadApplicationKey returns one.
type ExportableDeviceID interface {
DeviceID
// Export generates a TSS2 PEM formatted file.
// NOTE(review): the file presumably embeds the TPM-wrapped private area (GenerateTPM2KeyFile
// takes a tpm2.TPM2BPrivate), so its output should be handled as sensitive — confirm.
Export() ([]byte, error)
}
ExportableDeviceID defines an interface for DeviceIDs that can be exported
type IDevIDContent ¶ added in v0.9.0
// IDevIDContent is the fixed-size content header of a TCG-CSR-IDEVID: a structure version,
// hash-algorithm identifier, hash size, and one 4-byte length per CSRPayload field. Every
// field is a raw 4-byte array; byte order is not visible here — see MarshalJSON/UnmarshalJSON
// and the parser.
// NOTE(review): when parsing untrusted CSR bytes, each *Sz value should be checked against the
// remaining input length before it is used to slice the payload — confirm in the parser.
type IDevIDContent struct {
StructVer [4]byte `json:"-"` // Version 1.0 = 0x00000100
HashAlgoId [4]byte `json:"-"` // TCG algorithm identifier for CSR hash
HashSz [4]byte `json:"-"` // Size, in bytes, of hash used
// Hash of all that follows is placed here; field order must not change
ProdModelSz [4]byte `json:"-"` // Size of unterminated product model string
ProdSerialSz [4]byte `json:"-"` // Size of unterminated product serial number string
ProdCaDataSz [4]byte `json:"-"` // Size of CA-specific required data structure
BootEvntLogSz [4]byte `json:"-"` // Size of boot event log
EkCertSz [4]byte `json:"-"` // TPM EK cert size
AttestPubSz [4]byte `json:"-"` // Attestation key public size
AtCreateTktSz [4]byte `json:"-"` // TPM2_CertifyCreation ticket size
AtCertifyInfoSz [4]byte `json:"-"` // TPM2_Certify info size
AtCertifyInfoSignatureSz [4]byte `json:"-"` // TPM2_CertifyInfo Signature size
SigningPubSz [4]byte `json:"-"` // Signing key public size
SgnCertifyInfoSz [4]byte `json:"-"` // TPM2_Certify info size
SgnCertifyInfoSignatureSz [4]byte `json:"-"` // TPM2_CertifyInfo Signature size
PadSz [4]byte `json:"-"` // Padding size
}
IDevIDContent represents the content portion of TCG-CSR-IDEVID
func (IDevIDContent) MarshalJSON ¶ added in v0.9.0
func (t IDevIDContent) MarshalJSON() ([]byte, error)
MarshalJSON implements custom JSON marshaling for IDevIDContent
func (*IDevIDContent) UnmarshalJSON ¶ added in v0.9.0
func (t *IDevIDContent) UnmarshalJSON(data []byte) error
UnmarshalJSON implements custom JSON unmarshaling for IDevIDContent
type KeyAlgorithm ¶ added in v0.9.0
// KeyAlgorithm names the asymmetric algorithm a key template is built for
// (see AttestationKeyTemplate, LDevIDTemplate and StorageKeyTemplate); the defined values are ECDSA and RSA.
type KeyAlgorithm string
KeyAlgorithm represents the cryptographic algorithm used for keys
// Defined KeyAlgorithm values.
const (
	// ECDSA selects an elliptic-curve (ECDSA) key template.
	ECDSA KeyAlgorithm = "ecdsa"
	// RSA selects an RSA key template.
	RSA KeyAlgorithm = "rsa"
)
type KeyFileOption ¶ added in v0.10.0
// KeyFileOption adjusts how GenerateTPM2KeyFile builds a key file. Because tpmKey is
// unexported, options can only be obtained from helpers in this package such as WithEmptyAuth.
type KeyFileOption func(*tpmKey)
func WithEmptyAuth ¶ added in v0.10.0
func WithEmptyAuth() KeyFileOption
type KeyFileType ¶ added in v0.10.0
// KeyFileType selects the kind of TPM2 key file produced by GenerateTPM2KeyFile;
// LoadableKey is the only value defined in this package.
type KeyFileType string
KeyFileType represents the type of TPM2 key file to generate
// Defined KeyFileType values.
const (
	// LoadableKey for keys to be loaded with TPM2_Load
	LoadableKey KeyFileType = "loadable"
)
type KeyType ¶ added in v0.9.0
// KeyType identifies which well-known TPM key a Session or Storage operation refers to
// (LDevID, LAK or SRK).
type KeyType string
KeyType represents the type of TPM key
// Defined KeyType values.
const (
	// LDevID (Local Device Identity Key) is a unique identity key for the device,
	// used to authenticate the device to external services.
	LDevID KeyType = "ldevid"
	// LAK (Local Attestation Key) is a restricted signing key used for TPM attestation operations.
	LAK KeyType = "lak"
	// SRK (Storage Root Key) is a well-known, persistent primary key in the TPM's storage hierarchy.
	SRK KeyType = "srk"
)
type MockCertifiable ¶ added in v0.10.0
type MockCertifiable struct {
// contains filtered or unexported fields
}
MockCertifiable is a mock of Certifiable interface.
func NewMockCertifiable ¶ added in v0.10.0
func NewMockCertifiable(ctrl *gomock.Controller) *MockCertifiable
NewMockCertifiable creates a new mock instance.
func (*MockCertifiable) EXPECT ¶ added in v0.10.0
func (m *MockCertifiable) EXPECT() *MockCertifiableMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockCertifiable) Handle ¶ added in v0.10.0
func (m *MockCertifiable) Handle() tpm2.AuthHandle
Handle mocks base method.
type MockCertifiableMockRecorder ¶ added in v0.10.0
type MockCertifiableMockRecorder struct {
// contains filtered or unexported fields
}
MockCertifiableMockRecorder is the mock recorder for MockCertifiable.
func (*MockCertifiableMockRecorder) Handle ¶ added in v0.10.0
func (mr *MockCertifiableMockRecorder) Handle() *gomock.Call
Handle indicates an expected call of Handle.
type MockClient ¶ added in v0.10.0
type MockClient struct {
// contains filtered or unexported fields
}
MockClient is a mock of Client interface.
func NewMockClient ¶ added in v0.10.0
func NewMockClient(ctrl *gomock.Controller) *MockClient
NewMockClient creates a new mock instance.
func (*MockClient) Clear ¶ added in v0.10.0
func (m *MockClient) Clear() error
Clear mocks base method.
func (*MockClient) Close ¶ added in v0.10.0
func (m *MockClient) Close() error
Close mocks base method.
func (*MockClient) CreateApplicationKey ¶ added in v0.10.0
func (m *MockClient) CreateApplicationKey(name string) ([]byte, []byte, error)
CreateApplicationKey mocks base method.
func (*MockClient) EXPECT ¶ added in v0.10.0
func (m *MockClient) EXPECT() *MockClientMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockClient) GetSigner ¶ added in v0.10.0
func (m *MockClient) GetSigner() crypto.Signer
GetSigner mocks base method.
func (*MockClient) MakeCSR ¶ added in v0.10.0
func (m *MockClient) MakeCSR(deviceName string, qualifyingData []byte) ([]byte, error)
MakeCSR mocks base method.
func (*MockClient) Public ¶ added in v0.10.0
func (m *MockClient) Public() crypto.PublicKey
Public mocks base method.
func (*MockClient) SolveChallenge ¶ added in v0.10.0
func (m *MockClient) SolveChallenge(credentialBlob, encryptedSecret []byte) ([]byte, error)
SolveChallenge mocks base method.
func (*MockClient) UpdateNonce ¶ added in v0.10.0
func (m *MockClient) UpdateNonce(nonce []byte) error
UpdateNonce mocks base method.
func (*MockClient) VendorInfoCollector ¶ added in v0.10.0
func (m *MockClient) VendorInfoCollector(ctx context.Context) string
VendorInfoCollector mocks base method.
type MockClientMockRecorder ¶ added in v0.10.0
type MockClientMockRecorder struct {
// contains filtered or unexported fields
}
MockClientMockRecorder is the mock recorder for MockClient.
func (*MockClientMockRecorder) Clear ¶ added in v0.10.0
func (mr *MockClientMockRecorder) Clear() *gomock.Call
Clear indicates an expected call of Clear.
func (*MockClientMockRecorder) Close ¶ added in v0.10.0
func (mr *MockClientMockRecorder) Close() *gomock.Call
Close indicates an expected call of Close.
func (*MockClientMockRecorder) CreateApplicationKey ¶ added in v0.10.0
func (mr *MockClientMockRecorder) CreateApplicationKey(name any) *gomock.Call
CreateApplicationKey indicates an expected call of CreateApplicationKey.
func (*MockClientMockRecorder) GetSigner ¶ added in v0.10.0
func (mr *MockClientMockRecorder) GetSigner() *gomock.Call
GetSigner indicates an expected call of GetSigner.
func (*MockClientMockRecorder) MakeCSR ¶ added in v0.10.0
func (mr *MockClientMockRecorder) MakeCSR(deviceName, qualifyingData any) *gomock.Call
MakeCSR indicates an expected call of MakeCSR.
func (*MockClientMockRecorder) Public ¶ added in v0.10.0
func (mr *MockClientMockRecorder) Public() *gomock.Call
Public indicates an expected call of Public.
func (*MockClientMockRecorder) SolveChallenge ¶ added in v0.10.0
func (mr *MockClientMockRecorder) SolveChallenge(credentialBlob, encryptedSecret any) *gomock.Call
SolveChallenge indicates an expected call of SolveChallenge.
func (*MockClientMockRecorder) UpdateNonce ¶ added in v0.10.0
func (mr *MockClientMockRecorder) UpdateNonce(nonce any) *gomock.Call
UpdateNonce indicates an expected call of UpdateNonce.
func (*MockClientMockRecorder) VendorInfoCollector ¶ added in v0.10.0
func (mr *MockClientMockRecorder) VendorInfoCollector(ctx any) *gomock.Call
VendorInfoCollector indicates an expected call of VendorInfoCollector.
type MockDeviceID ¶ added in v0.10.0
type MockDeviceID struct {
// contains filtered or unexported fields
}
MockDeviceID is a mock of DeviceID interface.
func NewMockDeviceID ¶ added in v0.10.0
func NewMockDeviceID(ctrl *gomock.Controller) *MockDeviceID
NewMockDeviceID creates a new mock instance.
func (*MockDeviceID) Close ¶ added in v0.10.0
func (m *MockDeviceID) Close() error
Close mocks base method.
func (*MockDeviceID) EXPECT ¶ added in v0.10.0
func (m *MockDeviceID) EXPECT() *MockDeviceIDMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockDeviceID) Handle ¶ added in v0.10.0
func (m *MockDeviceID) Handle() tpm2.AuthHandle
Handle mocks base method.
func (*MockDeviceID) Public ¶ added in v0.10.0
func (m *MockDeviceID) Public() crypto.PublicKey
Public mocks base method.
func (*MockDeviceID) PublicBlob ¶ added in v0.10.0
func (m *MockDeviceID) PublicBlob() []byte
PublicBlob mocks base method.
func (*MockDeviceID) Sign ¶ added in v0.10.0
func (m *MockDeviceID) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
Sign mocks base method.
type MockDeviceIDMockRecorder ¶ added in v0.10.0
type MockDeviceIDMockRecorder struct {
// contains filtered or unexported fields
}
MockDeviceIDMockRecorder is the mock recorder for MockDeviceID.
func (*MockDeviceIDMockRecorder) Close ¶ added in v0.10.0
func (mr *MockDeviceIDMockRecorder) Close() *gomock.Call
Close indicates an expected call of Close.
func (*MockDeviceIDMockRecorder) Handle ¶ added in v0.10.0
func (mr *MockDeviceIDMockRecorder) Handle() *gomock.Call
Handle indicates an expected call of Handle.
func (*MockDeviceIDMockRecorder) Public ¶ added in v0.10.0
func (mr *MockDeviceIDMockRecorder) Public() *gomock.Call
Public indicates an expected call of Public.
func (*MockDeviceIDMockRecorder) PublicBlob ¶ added in v0.10.0
func (mr *MockDeviceIDMockRecorder) PublicBlob() *gomock.Call
PublicBlob indicates an expected call of PublicBlob.
type MockExportableDeviceID ¶ added in v0.10.0
type MockExportableDeviceID struct {
// contains filtered or unexported fields
}
MockExportableDeviceID is a mock of ExportableDeviceID interface.
func NewMockExportableDeviceID ¶ added in v0.10.0
func NewMockExportableDeviceID(ctrl *gomock.Controller) *MockExportableDeviceID
NewMockExportableDeviceID creates a new mock instance.
func (*MockExportableDeviceID) Close ¶ added in v0.10.0
func (m *MockExportableDeviceID) Close() error
Close mocks base method.
func (*MockExportableDeviceID) EXPECT ¶ added in v0.10.0
func (m *MockExportableDeviceID) EXPECT() *MockExportableDeviceIDMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockExportableDeviceID) Export ¶ added in v0.10.0
func (m *MockExportableDeviceID) Export() ([]byte, error)
Export mocks base method.
func (*MockExportableDeviceID) Handle ¶ added in v0.10.0
func (m *MockExportableDeviceID) Handle() tpm2.AuthHandle
Handle mocks base method.
func (*MockExportableDeviceID) Public ¶ added in v0.10.0
func (m *MockExportableDeviceID) Public() crypto.PublicKey
Public mocks base method.
func (*MockExportableDeviceID) PublicBlob ¶ added in v0.10.0
func (m *MockExportableDeviceID) PublicBlob() []byte
PublicBlob mocks base method.
func (*MockExportableDeviceID) Sign ¶ added in v0.10.0
func (m *MockExportableDeviceID) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
Sign mocks base method.
type MockExportableDeviceIDMockRecorder ¶ added in v0.10.0
type MockExportableDeviceIDMockRecorder struct {
// contains filtered or unexported fields
}
MockExportableDeviceIDMockRecorder is the mock recorder for MockExportableDeviceID.
func (*MockExportableDeviceIDMockRecorder) Close ¶ added in v0.10.0
func (mr *MockExportableDeviceIDMockRecorder) Close() *gomock.Call
Close indicates an expected call of Close.
func (*MockExportableDeviceIDMockRecorder) Export ¶ added in v0.10.0
func (mr *MockExportableDeviceIDMockRecorder) Export() *gomock.Call
Export indicates an expected call of Export.
func (*MockExportableDeviceIDMockRecorder) Handle ¶ added in v0.10.0
func (mr *MockExportableDeviceIDMockRecorder) Handle() *gomock.Call
Handle indicates an expected call of Handle.
func (*MockExportableDeviceIDMockRecorder) Public ¶ added in v0.10.0
func (mr *MockExportableDeviceIDMockRecorder) Public() *gomock.Call
Public indicates an expected call of Public.
func (*MockExportableDeviceIDMockRecorder) PublicBlob ¶ added in v0.10.0
func (mr *MockExportableDeviceIDMockRecorder) PublicBlob() *gomock.Call
PublicBlob indicates an expected call of PublicBlob.
type MockSession ¶ added in v0.9.0
type MockSession struct {
// contains filtered or unexported fields
}
MockSession is a mock of Session interface.
func NewMockSession ¶ added in v0.9.0
func NewMockSession(ctrl *gomock.Controller) *MockSession
NewMockSession creates a new mock instance.
func (*MockSession) Certify ¶ added in v0.10.0
func (m *MockSession) Certify(key Certifiable, qualifyingData []byte) ([]byte, []byte, error)
Certify mocks base method.
func (*MockSession) CertifyKey ¶ added in v0.9.0
CertifyKey mocks base method.
func (*MockSession) Clear ¶ added in v0.9.0
func (m *MockSession) Clear() error
Clear mocks base method.
func (*MockSession) Close ¶ added in v0.9.0
func (m *MockSession) Close() error
Close mocks base method.
func (*MockSession) CreateKey ¶ added in v0.9.0
func (m *MockSession) CreateKey(keyType KeyType) (*tpm2.CreateResponse, error)
CreateKey mocks base method.
func (*MockSession) EXPECT ¶ added in v0.9.0
func (m *MockSession) EXPECT() *MockSessionMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockSession) GenerateChallenge ¶ added in v0.10.0
func (m *MockSession) GenerateChallenge(secret []byte) ([]byte, []byte, error)
GenerateChallenge mocks base method.
func (*MockSession) GetEndorsementKeyCert ¶ added in v0.9.0
func (m *MockSession) GetEndorsementKeyCert() ([]byte, error)
GetEndorsementKeyCert mocks base method.
func (*MockSession) GetPublicKey ¶ added in v0.9.0
func (m *MockSession) GetPublicKey(keyType KeyType) (*tpm2.TPM2BPublic, error)
GetPublicKey mocks base method.
func (*MockSession) LoadApplicationKey ¶ added in v0.10.0
func (m *MockSession) LoadApplicationKey(appName string) (ExportableDeviceID, error)
LoadApplicationKey mocks base method.
func (*MockSession) LoadKey ¶ added in v0.9.0
func (m *MockSession) LoadKey(keyType KeyType) (*tpm2.NamedHandle, error)
LoadKey mocks base method.
func (*MockSession) RemoveApplicationKey ¶ added in v0.10.0
func (m *MockSession) RemoveApplicationKey(appName string) error
RemoveApplicationKey mocks base method.
func (*MockSession) Sign ¶ added in v0.9.0
func (m *MockSession) Sign(keyType KeyType, digest []byte) ([]byte, error)
Sign mocks base method.
func (*MockSession) SolveChallenge ¶ added in v0.10.0
func (m *MockSession) SolveChallenge(credentialBlob, encryptedSecret []byte) ([]byte, error)
SolveChallenge mocks base method.
type MockSessionMockRecorder ¶ added in v0.9.0
type MockSessionMockRecorder struct {
// contains filtered or unexported fields
}
MockSessionMockRecorder is the mock recorder for MockSession.
func (*MockSessionMockRecorder) Certify ¶ added in v0.10.0
func (mr *MockSessionMockRecorder) Certify(key, qualifyingData any) *gomock.Call
Certify indicates an expected call of Certify.
func (*MockSessionMockRecorder) CertifyKey ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) CertifyKey(keyType, qualifyingData any) *gomock.Call
CertifyKey indicates an expected call of CertifyKey.
func (*MockSessionMockRecorder) Clear ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) Clear() *gomock.Call
Clear indicates an expected call of Clear.
func (*MockSessionMockRecorder) Close ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) Close() *gomock.Call
Close indicates an expected call of Close.
func (*MockSessionMockRecorder) CreateKey ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) CreateKey(keyType any) *gomock.Call
CreateKey indicates an expected call of CreateKey.
func (*MockSessionMockRecorder) GenerateChallenge ¶ added in v0.10.0
func (mr *MockSessionMockRecorder) GenerateChallenge(secret any) *gomock.Call
GenerateChallenge indicates an expected call of GenerateChallenge.
func (*MockSessionMockRecorder) GetEndorsementKeyCert ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) GetEndorsementKeyCert() *gomock.Call
GetEndorsementKeyCert indicates an expected call of GetEndorsementKeyCert.
func (*MockSessionMockRecorder) GetPublicKey ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) GetPublicKey(keyType any) *gomock.Call
GetPublicKey indicates an expected call of GetPublicKey.
func (*MockSessionMockRecorder) LoadApplicationKey ¶ added in v0.10.0
func (mr *MockSessionMockRecorder) LoadApplicationKey(appName any) *gomock.Call
LoadApplicationKey indicates an expected call of LoadApplicationKey.
func (*MockSessionMockRecorder) LoadKey ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) LoadKey(keyType any) *gomock.Call
LoadKey indicates an expected call of LoadKey.
func (*MockSessionMockRecorder) RemoveApplicationKey ¶ added in v0.10.0
func (mr *MockSessionMockRecorder) RemoveApplicationKey(appName any) *gomock.Call
RemoveApplicationKey indicates an expected call of RemoveApplicationKey.
func (*MockSessionMockRecorder) Sign ¶ added in v0.9.0
func (mr *MockSessionMockRecorder) Sign(keyType, digest any) *gomock.Call
Sign indicates an expected call of Sign.
func (*MockSessionMockRecorder) SolveChallenge ¶ added in v0.10.0
func (mr *MockSessionMockRecorder) SolveChallenge(credentialBlob, encryptedSecret any) *gomock.Call
SolveChallenge indicates an expected call of SolveChallenge.
type MockStorage ¶ added in v0.9.0
type MockStorage struct {
// contains filtered or unexported fields
}
MockStorage is a mock of Storage interface.
func NewMockStorage ¶ added in v0.9.0
func NewMockStorage(ctrl *gomock.Controller) *MockStorage
NewMockStorage creates a new mock instance.
func (*MockStorage) ClearApplicationKey ¶ added in v0.10.0
func (m *MockStorage) ClearApplicationKey(arg0 string) error
ClearApplicationKey mocks base method.
func (*MockStorage) ClearApplicationKeys ¶ added in v0.10.0
func (m *MockStorage) ClearApplicationKeys() error
ClearApplicationKeys mocks base method.
func (*MockStorage) ClearKey ¶ added in v0.9.0
func (m *MockStorage) ClearKey(keyType KeyType) error
ClearKey mocks base method.
func (*MockStorage) ClearPassword ¶ added in v0.9.0
func (m *MockStorage) ClearPassword() error
ClearPassword mocks base method.
func (*MockStorage) Close ¶ added in v0.9.0
func (m *MockStorage) Close() error
Close mocks base method.
func (*MockStorage) EXPECT ¶ added in v0.9.0
func (m *MockStorage) EXPECT() *MockStorageMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockStorage) GetApplicationKey ¶ added in v0.10.0
func (m *MockStorage) GetApplicationKey(arg0 string) (*AppKeyStoreData, error)
GetApplicationKey mocks base method.
func (*MockStorage) GetKey ¶ added in v0.9.0
func (m *MockStorage) GetKey(keyType KeyType) (*tpm2.TPM2BPublic, *tpm2.TPM2BPrivate, error)
GetKey mocks base method.
func (*MockStorage) GetPassword ¶ added in v0.9.0
func (m *MockStorage) GetPassword() ([]byte, error)
GetPassword mocks base method.
func (*MockStorage) StoreApplicationKey ¶ added in v0.10.0
func (m *MockStorage) StoreApplicationKey(arg0 string, arg1 AppKeyStoreData) error
StoreApplicationKey mocks base method.
func (*MockStorage) StoreKey ¶ added in v0.9.0
func (m *MockStorage) StoreKey(keyType KeyType, public tpm2.TPM2BPublic, private tpm2.TPM2BPrivate) error
StoreKey mocks base method.
func (*MockStorage) StorePassword ¶ added in v0.9.0
func (m *MockStorage) StorePassword(password []byte) error
StorePassword mocks base method.
type MockStorageMockRecorder ¶ added in v0.9.0
type MockStorageMockRecorder struct {
// contains filtered or unexported fields
}
MockStorageMockRecorder is the mock recorder for MockStorage.
func (*MockStorageMockRecorder) ClearApplicationKey ¶ added in v0.10.0
func (mr *MockStorageMockRecorder) ClearApplicationKey(arg0 any) *gomock.Call
ClearApplicationKey indicates an expected call of ClearApplicationKey.
func (*MockStorageMockRecorder) ClearApplicationKeys ¶ added in v0.10.0
func (mr *MockStorageMockRecorder) ClearApplicationKeys() *gomock.Call
ClearApplicationKeys indicates an expected call of ClearApplicationKeys.
func (*MockStorageMockRecorder) ClearKey ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) ClearKey(keyType any) *gomock.Call
ClearKey indicates an expected call of ClearKey.
func (*MockStorageMockRecorder) ClearPassword ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) ClearPassword() *gomock.Call
ClearPassword indicates an expected call of ClearPassword.
func (*MockStorageMockRecorder) Close ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) Close() *gomock.Call
Close indicates an expected call of Close.
func (*MockStorageMockRecorder) GetApplicationKey ¶ added in v0.10.0
func (mr *MockStorageMockRecorder) GetApplicationKey(arg0 any) *gomock.Call
GetApplicationKey indicates an expected call of GetApplicationKey.
func (*MockStorageMockRecorder) GetKey ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) GetKey(keyType any) *gomock.Call
GetKey indicates an expected call of GetKey.
func (*MockStorageMockRecorder) GetPassword ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) GetPassword() *gomock.Call
GetPassword indicates an expected call of GetPassword.
func (*MockStorageMockRecorder) StoreApplicationKey ¶ added in v0.10.0
func (mr *MockStorageMockRecorder) StoreApplicationKey(arg0, arg1 any) *gomock.Call
StoreApplicationKey indicates an expected call of StoreApplicationKey.
func (*MockStorageMockRecorder) StoreKey ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) StoreKey(keyType, public, private any) *gomock.Call
StoreKey indicates an expected call of StoreKey.
func (*MockStorageMockRecorder) StorePassword ¶ added in v0.9.0
func (mr *MockStorageMockRecorder) StorePassword(password any) *gomock.Call
StorePassword indicates an expected call of StorePassword.
type ParsedTCGCSR ¶ added in v0.9.0
// ParsedTCGCSR is the decoded form of a TCG-CSR-IDEVID blob as returned by
// ParseTCGCSR. The fixed-width header fields are kept next to the decoded
// content section and the trailing signature.
type ParsedTCGCSR struct {
	// StructVer is the structure version from the CSR header.
	StructVer uint32
	// Contents is the size of the CSR contents section, as declared in the header.
	Contents uint32
	// SigSz is the declared size of Signature in bytes.
	SigSz uint32
	// CSRContents is the parsed content section.
	// NOTE(review): may be nil if parsing stopped before the content was decoded — confirm in ParseTCGCSR.
	CSRContents *ParsedTCGContent
	// Signature holds the signature bytes covering the CSR contents.
	Signature []byte
	// IsValid records the outcome of the parser's structural validation.
	// NOTE(review): this is a parse-time flag only; it does not mean the
	// signature or certificate chain was verified — that is the job of
	// VerifyTCGCSRChainOfTrust / VerifyTCGCSRSigningChain. Callers should
	// check it before trusting CSRContents.
	IsValid bool
	// ValidationError describes why IsValid is false; presumably empty otherwise — confirm.
	ValidationError string
}
ParsedTCGCSR contains the parsed TCG-CSR-IDEVID data
func ParseTCGCSR ¶ added in v0.9.0
func ParseTCGCSR(data []byte) (*ParsedTCGCSR, error)
ParseTCGCSR parses TCG-CSR-IDEVID format data
type ParsedTCGContent ¶ added in v0.9.0
// ParsedTCGContent is the decoded content section of a TCG-CSR-IDEVID.
// It carries the header fields (version, hash algorithm, and one size field per
// payload element) together with the parsed Payload. By name correspondence,
// each *Sz field is the byte length of the matching ParsedTCGPayload field.
//
// NOTE(review): every size here originates from attacker-controlled CSR bytes;
// the parser must bound each one against the remaining input before slicing
// — confirm this is done in ParseTCGCSR.
type ParsedTCGContent struct {
	// StructVer is the content structure version.
	StructVer uint32
	// HashAlgoId identifies the hash algorithm used by the CSR — presumably a TPM algorithm ID; confirm.
	HashAlgoId uint32
	// HashSz is the size of a digest for HashAlgoId, in bytes.
	HashSz uint32
	// ProdModelSz is the byte length of Payload.ProdModel.
	ProdModelSz uint32
	// ProdSerialSz is the byte length of Payload.ProdSerial.
	ProdSerialSz uint32
	// ProdCaDataSz is the byte length of Payload.ProdCaData.
	ProdCaDataSz uint32
	// BootEvntLogSz is the byte length of Payload.BootEvntLog.
	BootEvntLogSz uint32
	// EkCertSz is the byte length of Payload.EkCert.
	EkCertSz uint32
	// AttestPubSz is the byte length of Payload.AttestPub.
	AttestPubSz uint32
	// AtCreateTktSz is the byte length of Payload.AtCreateTkt.
	AtCreateTktSz uint32
	// AtCertifyInfoSz is the byte length of Payload.AtCertifyInfo.
	AtCertifyInfoSz uint32
	// AtCertifyInfoSignatureSz is the byte length of Payload.AtCertifyInfoSignature.
	AtCertifyInfoSignatureSz uint32
	// SigningPubSz is the byte length of Payload.SigningPub.
	SigningPubSz uint32
	// SgnCertifyInfoSz is the byte length of Payload.SgnCertifyInfo.
	SgnCertifyInfoSz uint32
	// SgnCertifyInfoSignatureSz is the byte length of Payload.SgnCertifyInfoSignature.
	SgnCertifyInfoSignatureSz uint32
	// PadSz is the byte length of Payload.Pad.
	PadSz uint32
	// Payload holds the variable-length elements whose sizes are declared above.
	Payload *ParsedTCGPayload
}
ParsedTCGContent contains the parsed content portion
type ParsedTCGPayload ¶ added in v0.9.0
// ParsedTCGPayload holds the variable-length elements of a TCG-CSR-IDEVID
// content section, each as the raw bytes cut from the CSR. The length of each
// field is given by the corresponding *Sz field of ParsedTCGContent.
//
// The fields fall into two groups by name: At* refer to the attestation key
// (AttestPub) and Sgn* to the signing key (SigningPub). Element encodings are
// not visible here — presumably TPM2B/TPMT structures per the TCG spec; confirm
// against the verifier code before relying on a specific format.
type ParsedTCGPayload struct {
	// ProdModel is the product model identifier.
	ProdModel []byte
	// ProdSerial is the product serial number.
	ProdSerial []byte
	// ProdCaData is product-specific CA data.
	ProdCaData []byte
	// BootEvntLog is the boot event log, if included.
	BootEvntLog []byte
	// EkCert is the endorsement key certificate.
	EkCert []byte
	// AttestPub is the public area of the attestation key.
	AttestPub []byte
	// AtCreateTkt is the creation ticket for the attestation key.
	AtCreateTkt []byte
	// AtCertifyInfo is the certify attestation structure for the attestation key.
	AtCertifyInfo []byte
	// AtCertifyInfoSignature is the signature over AtCertifyInfo.
	AtCertifyInfoSignature []byte
	// SigningPub is the public area of the signing key.
	SigningPub []byte
	// SgnCertifyInfo is the certify attestation structure for the signing key.
	SgnCertifyInfo []byte
	// SgnCertifyInfoSignature is the signature over SgnCertifyInfo.
	SgnCertifyInfoSignature []byte
	// Pad is trailing padding bytes.
	Pad []byte
}
ParsedTCGPayload contains the parsed payload data
type Session ¶ added in v0.9.0
// Session manages active TPM state and operations: key creation and loading,
// certification, signing, and the credential-activation challenge flow.
// Implementations are obtained from NewSession.
type Session interface {
	// CreateKey creates a new key of the specified type.
	CreateKey(keyType KeyType) (*tpm2.CreateResponse, error)
	// LoadKey loads a key into the TPM and returns its handle.
	LoadKey(keyType KeyType) (*tpm2.NamedHandle, error)
	// CertifyKey certifies the key identified by keyType with the LAK.
	// qualifyingData is bound into the returned certifyInfo attestation
	// (presumably a verifier-supplied nonce; confirm with the caller).
	CertifyKey(keyType KeyType, qualifyingData []byte) (certifyInfo, signature []byte, err error)
	// Certify is the generic form of CertifyKey: it certifies any Certifiable
	// (e.g. an application key) with the LAK.
	Certify(key Certifiable, qualifyingData []byte) (certifyInfo, signature []byte, err error)
	// LoadApplicationKey creates or returns an already existing DeviceID for appName.
	LoadApplicationKey(appName string) (ExportableDeviceID, error)
	// RemoveApplicationKey removes the key for the specified application.
	RemoveApplicationKey(appName string) error
	// Sign signs digest with the key identified by keyType.
	// NOTE(review): the parameter name suggests a precomputed digest rather than
	// raw message bytes — confirm the expected hashing contract.
	Sign(keyType KeyType, digest []byte) ([]byte, error)
	// GetPublicKey gets the public area for a key type.
	GetPublicKey(keyType KeyType) (*tpm2.TPM2BPublic, error)
	// GetEndorsementKeyCert returns the endorsement key certificate.
	GetEndorsementKeyCert() ([]byte, error)
	// GenerateChallenge creates a credential challenge used to prove ownership.
	// By name correspondence with SolveChallenge the two returned blobs are
	// presumably (credentialBlob, encryptedSecret) — confirm.
	GenerateChallenge(secret []byte) ([]byte, []byte, error)
	// SolveChallenge decrypts encryptedSecret to prove ownership of the credentials
	// referenced by credentialBlob.
	SolveChallenge(credentialBlob, encryptedSecret []byte) ([]byte, error)
	// Clear performs a best-effort clear of the TPM, resetting keys and auth.
	Clear() error
	// Close closes the session and flushes handles.
	Close() error
}
Session manages active TPM state and operations
func NewSession ¶ added in v0.9.0
func NewSession(conn io.ReadWriteCloser, log *log.PrefixLogger, opts ...SessionOption) (Session, error)
NewSession creates a new TPM session
type SessionOption ¶ added in v0.10.0
type SessionOption func(*tpmSession)
func WithAuth ¶ added in v0.10.0
func WithAuth(authEnabled bool) SessionOption
func WithInitialization ¶ added in v0.10.0
func WithInitialization() SessionOption
WithInitialization indicates that the session should initialize the device's main keys
func WithKeyAlgo ¶ added in v0.10.0
func WithKeyAlgo(keyAlgo KeyAlgorithm) SessionOption
WithKeyAlgo sets the algorithm used for the session
func WithStorage ¶ added in v0.10.0
func WithStorage(storage Storage) SessionOption
type Storage ¶ added in v0.9.0
// Storage handles on-disk persistence of TPM data: the wrapped key blobs for
// each KeyType, per-application key records, and the storage hierarchy
// password. NewFileStorage provides the file-backed implementation.
//
// NOTE(review): how the password and private blobs are protected at rest is not
// visible from this interface; confirm file permissions and encoding in the
// implementation before treating it as a trust boundary.
type Storage interface {
	// GetKey retrieves stored key data for the specified key type.
	// Returns nil values if the key doesn't exist.
	GetKey(keyType KeyType) (*tpm2.TPM2BPublic, *tpm2.TPM2BPrivate, error)
	// StoreKey stores key data for the specified key type. The private part is a
	// TPM2B_PRIVATE blob, i.e. already wrapped by the TPM's parent key.
	StoreKey(keyType KeyType, public tpm2.TPM2BPublic, private tpm2.TPM2BPrivate) error
	// ClearKey clears key data for the specified key type.
	ClearKey(keyType KeyType) error
	// GetApplicationKey returns the AppKeyStoreData for a given application.
	GetApplicationKey(string) (*AppKeyStoreData, error)
	// StoreApplicationKey stores the AppKeyStoreData for a given application.
	StoreApplicationKey(string, AppKeyStoreData) error
	// ClearApplicationKey removes the stored info for the application.
	ClearApplicationKey(string) error
	// ClearApplicationKeys removes all application keys.
	ClearApplicationKeys() error
	// GetPassword retrieves the stored storage hierarchy password.
	GetPassword() ([]byte, error)
	// StorePassword stores the storage hierarchy password.
	StorePassword(password []byte) error
	// ClearPassword removes the stored password.
	ClearPassword() error
	// Close closes the storage and releases any resources.
	Close() error
}
Storage handles on-disk persistence of TPM data.
func NewFileStorage ¶ added in v0.9.0
func NewFileStorage(rw fileio.ReadWriter, path string, log *log.PrefixLogger) Storage
NewFileStorage creates a new file-based storage implementation
type TCGCSRIDevID ¶ added in v0.9.0
// TCGCSRIDevID represents the complete TCG-CSR-IDEVID structure, as defined in
// TCG TPM 2.0 Keys for Device Identity and Attestation v1.0 Rev 12, Section
// 13.1 (TCG-CSR Structures). The wire format is big-endian and all sizes are
// in bytes.
//
// The three size/version headers are excluded from JSON (`json:"-"`), so a
// value rebuilt via UnmarshalJSON does not carry them — presumably they are
// recomputed from CSRContents and Signature when the wire form is produced;
// confirm in MarshalJSON/UnmarshalJSON.
type TCGCSRIDevID struct {
	// StructVer is the structure version; version 1.0 = 0x01000100.
	StructVer [4]byte `json:"-"`
	// Contents is the size of CSRContents in its wire encoding.
	Contents [4]byte `json:"-"`
	// SigSz is the size, in bytes, of Signature.
	SigSz [4]byte `json:"-"`
	// CSRContents is the actual content being certified.
	CSRContents IDevIDContent `json:"csrContents"`
	// Signature is the DER encoded signature, including algorithm ID.
	Signature []byte `json:"signature"`
}
TCGCSRIDevID represents the complete TCG-CSR-IDEVID structure, implemented according to TCG TPM 2.0 Keys for Device Identity and Attestation v1.0 Rev 12, Section 13.1: TCG-CSR Structures. The TCG-CSR-IDEVID uses big-endian byte ordering. All sizes are in bytes.
func (TCGCSRIDevID) MarshalJSON ¶ added in v0.9.0
func (t TCGCSRIDevID) MarshalJSON() ([]byte, error)
MarshalJSON implements custom JSON marshaling for TCGCSRIDevID
func (*TCGCSRIDevID) UnmarshalJSON ¶ added in v0.9.0
func (t *TCGCSRIDevID) UnmarshalJSON(data []byte) error
UnmarshalJSON implements custom JSON unmarshaling for TCGCSRIDevID
type TCGCSRParser ¶ added in v0.9.0
type TCGCSRParser struct {
// contains filtered or unexported fields
}
TCGCSRParser provides functionality to parse TCG-CSR-IDEVID format
type TPMAttestationData ¶ added in v0.9.0
// TPMAttestationData represents the TPM data extracted from a TCG-CSR-IDEVID in
// a form usable by the enrollment/verification side: the EK certificate, the
// LAK and LDevID public keys with their certify attestations, the product
// identity strings, and the embedded standard CSR when present.
//
// NOTE(review): the LAK certify fields are marked unused, so a verifier built on
// this struct currently has no LAK certification to check; confirm that the
// LAK→EK binding is established elsewhere (e.g. via the credential challenge).
type TPMAttestationData struct {
	// EKCertificate is the endorsement key certificate (DER, presumably — confirm).
	EKCertificate []byte
	// LAKPublicKey is the public area of the Local Attestation Key.
	LAKPublicKey []byte
	LAKCertifyInfo []byte // (currently unused)
	LAKCertifySignature []byte // (currently unused)
	// LDevIDPublicKey is the public area of the LDevID key.
	LDevIDPublicKey []byte
	// LDevIDCertifyInfo is the certify attestation over the LDevID key.
	LDevIDCertifyInfo []byte
	// LDevIDCertifySignature is the signature over LDevIDCertifyInfo.
	LDevIDCertifySignature []byte
	// ProductModel is the product model string carried in the CSR.
	ProductModel string
	// ProductSerial is the product serial string carried in the CSR.
	ProductSerial string
	StandardCSR []byte // Embedded standard X.509 CSR if available
}
TPMAttestationData represents the extracted TPM data in a usable format