tpm-key_attestation 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 28d7fefca9a69f2a4be0c8124bfb2721767c9c891768607473827c11df7aeaa3
-  data.tar.gz: 4739a10cab12236ee54f4bfacd2a182bc2c48622c5feaffd800317d1ff49228d
+  metadata.gz: 119c14ff3ec3d663dcd7557406f4d147d8e010e61705f759cd2cba7412045458
+  data.tar.gz: a0aae7f5759575312ca4050e94622cfcf5c24719450ba399115061df45b0ae72
 SHA512:
-  metadata.gz: b29f8eff516b2f8a8f78583b264586e9eec7c3ad31f8a351517e4b0552a39ef68be0274e83289189395a00e64aac171131252bd24c76fcd964e33a76acab436a
-  data.tar.gz: 69a191891d4a12c8afd4b2acd07ec9c5728506fb33e94cd34e102de1d851acbcfd7694befb6daa01981ab0e2cfaf120a9ddcae4b2d1337eb0e9a74bee485bedd
+  metadata.gz: 92d66d626a3849915ef0379cbe150363a7072e7f74e8988b93273cc0ce0ad0f5093e7a69b2ad80929de319dd682b33f6ef09dfba427b8bb83c56deed08ae08ea
+  data.tar.gz: 9ca765e75668c4c9f400acfadabeb8c59bb89b5719adb59e926d8ce25e037efd9a3a05069fa3dfc2aa21559499c177f925fe5d67c1bbeea9ea6ebbc79ec90667

data/.github/workflows/build.yml

@@ -0,0 +1,42 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: build
+
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '3.0'
+          - '2.7'
+          - '2.6'
+          - '2.5'
+          - '2.4'
+        gemfile:
+          - openssl_2_2
+          - openssl_2_1
+          - openssl_3_0
+        exclude:
+          - ruby: '2.4'
+            gemfile: openssl_3_0
+          - ruby: '2.5'
+            gemfile: openssl_3_0
+    env:
+      BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
+    steps:
+    - uses: actions/checkout@v2
+    - run: rm Gemfile.lock
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - run: bundle exec rake

data/.rubocop.yml

@@ -3,6 +3,7 @@ AllCops:
   DisabledByDefault: true
   Exclude:
     - "gemfiles/**/*"
+    - "vendor/bundle/**/*"
 
 Bundler:
   Enabled: true

data/Appraisals

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
-appraise "openssl_head" do
-  gem "openssl", git: "https://github.com/ruby/openssl"
-end
-
 appraise "openssl_2_2" do
   gem "openssl", "~> 2.2.0"
 end
@@ -12,9 +8,6 @@ appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end
 
-appraise "openssl_2_0" do
-  gem "openssl", "~> 2.0.0"
-end
-
-appraise "openssl_default" do
+appraise "openssl_3_0" do
+  gem "openssl", "~> 3.0.0"
 end

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## [v0.11.0] - 2022-07-05
+
+- Support OpenSSL ~>3.0.0. Credits to @ClearlyClaire <3
+
 ## [v0.10.0] - 2020-07-09
 
 ### Added
@@ -67,6 +71,7 @@ replacement of `JOSE` format `algorithm` string
 - `TPM::EKCertificate` wrapper
 - `TPM::SAttest` wrapper
 
+[v0.11.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.10.0...v0.11.0/
 [v0.10.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.9.0...v0.10.0/
 [v0.9.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.8.0...v0.9.0/
 [v0.8.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.7.0...v0.8.0/
@@ -79,3 +84,4 @@ replacement of `JOSE` format `algorithm` string
 [v0.1.0]: https://github.com/cedarcode/tpm-key_attestation/compare/57c926ef7e83830cee8d111fdc5ccaf99ab2e861...v0.1.0/
 
 [@santiagorodriguez96]: https://github.com/santiagorodriguez96
+[@ClearlyClaire]: https://github.com/ClearlyClaire

data/Gemfile.lock

@@ -3,6 +3,7 @@ PATH
   specs:
     tpm-key_attestation (0.10.0)
       bindata (~> 2.4)
+      openssl (> 2.0, < 3.1)
       openssl-signature_algorithm (~> 1.0)
 
 GEM
@@ -12,31 +13,33 @@ GEM
       bundler
       rake
       thor (>= 0.14.0)
-    ast (2.4.1)
-    bindata (2.4.7)
+    ast (2.4.2)
+    bindata (2.4.8)
     byebug (11.1.3)
     diff-lcs (1.4.4)
     jaro_winkler (1.5.4)
-    openssl-signature_algorithm (1.0.0)
-    parallel (1.19.2)
-    parser (2.7.1.4)
+    openssl (3.0.0)
+    openssl-signature_algorithm (1.2.1)
+      openssl (> 2.0, < 3.1)
+    parallel (1.20.1)
+    parser (3.0.0.0)
       ast (~> 2.4.1)
     rainbow (3.0.0)
-    rake (13.0.1)
+    rake (13.0.3)
     rexml (3.2.4)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.3)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
     rubocop (0.80.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
@@ -45,8 +48,8 @@ GEM
       rexml
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.7)
-    ruby-progressbar (1.10.1)
-    thor (1.0.1)
+    ruby-progressbar (1.11.0)
+    thor (1.1.0)
     unicode-display_width (1.6.1)
 
 PLATFORMS
@@ -61,4 +64,4 @@ DEPENDENCIES
   tpm-key_attestation!
 
 BUNDLED WITH
-   2.1.4
+   2.2.8

data/README.md

@@ -3,7 +3,7 @@
 TPM Key Attestation utitlies
 
 [![Gem](https://img.shields.io/gem/v/tpm-key_attestation.svg?style=flat-square&color=informational)](https://rubygems.org/gems/tpm-key_attestation)
-[![Travis](https://img.shields.io/travis/cedarcode/tpm-key_attestation/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/tpm-key_attestation)
+[![Actions Build](https://github.com/cedarcode/tpm-key_attestation/workflows/build/badge.svg)](https://github.com/cedarcode/tpm-key_attestation/actions)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 
 ## Installation

data/gemfiles/{openssl_2_0.gemfile → openssl_3_0.gemfile}

@@ -7,6 +7,6 @@ gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
 gem "rubocop", "~> 0.80.1"
-gem "openssl", "~> 2.0.0"
+gem "openssl", "~> 3.0.0"
 
 gemspec path: "../"

data/lib/tpm/key_attestation/version.rb

@@ -2,6 +2,6 @@
 
 module TPM
   class KeyAttestation
-    VERSION = "0.10.0"
+    VERSION = "0.11.0"
   end
 end

data/lib/tpm/key_attestation.rb

@@ -11,7 +11,7 @@ require "tpm/public_area"
 module TPM
   class KeyAttestation
     # https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-install-trusted-tpm-root-certificates
-    ROOT_CERTIFICATES =
+    TRUSTED_CERTIFICATES =
       begin
         pattern = File.expand_path(File.join(__dir__, "certificates", "*", "RootCA", "*.*"))
         Dir.glob(pattern).map do |filename|
@@ -29,7 +29,7 @@ module TPM
       :signature_algorithm,
       :hash_algorithm,
       :qualifying_data,
-      :root_certificates
+      :trusted_certificates
     )
 
     def initialize(
@@ -40,7 +40,7 @@ module TPM
       qualifying_data,
       signature_algorithm: ALG_RSASSA,
       hash_algorithm: ALG_SHA256,
-      root_certificates: ROOT_CERTIFICATES
+      trusted_certificates: TRUSTED_CERTIFICATES
     )
       @certify_info = certify_info
       @signature = signature
@@ -50,7 +50,7 @@ module TPM
       @signature_algorithm = signature_algorithm
       @hash_algorithm = hash_algorithm
       @qualifying_data = qualifying_data
-      @root_certificates = root_certificates
+      @trusted_certificates = trusted_certificates
     end
 
     def key
@@ -88,7 +88,7 @@ module TPM
     def trust_store
       @trust_store ||=
         OpenSSL::X509::Store.new.tap do |trust_store|
-          root_certificates.uniq(&:serial).each { |root_certificate| trust_store.add_cert(root_certificate) }
+          trusted_certificates.uniq(&:serial).each { |trusted_certificate| trust_store.add_cert(trusted_certificate) }
         end
     end
 

data/lib/tpm/t_public.rb

@@ -77,11 +77,22 @@ module TPM
     def ecc_key
       if parameters.scheme == TPM::ALG_ECDSA
         group = OpenSSL::PKey::EC::Group.new(openssl_curve_name)
-
-        key = OpenSSL::PKey::EC.new(group)
-        key.public_key = OpenSSL::PKey::EC::Point.new(group, bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.buffer.value))
-
-        key
+        point = OpenSSL::PKey::EC::Point.new(group, bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.buffer.value))
+
+        # RFC5480 SubjectPublicKeyInfo
+        asn1 = OpenSSL::ASN1::Sequence(
+          [
+            OpenSSL::ASN1::Sequence(
+              [
+                OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+                OpenSSL::ASN1::ObjectId(group.curve_name),
+              ]
+            ),
+            OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+          ]
+        )
+
+        OpenSSL::PKey::EC.new(asn1.to_der)
       end
     end
 
@@ -91,10 +102,15 @@ module TPM
         n = unique.buffer.value
 
         if parameters.key_bits / BYTE_LENGTH == n.size
-          key = OpenSSL::PKey::RSA.new(parameters.key_bits.value)
-          key.set_key(bn(n), bn(RSA_KEY_DEFAULT_PUBLIC_EXPONENT), nil)
-
-          key.public_key
+          # PKCS#1 RSAPublicKey
+          asn1 = OpenSSL::ASN1::Sequence(
+            [
+              OpenSSL::ASN1::Integer.new(bn(n)),
+              OpenSSL::ASN1::Integer.new(bn(RSA_KEY_DEFAULT_PUBLIC_EXPONENT)),
+            ]
+          )
+
+          OpenSSL::PKey::RSA.new(asn1.to_der)
         end
       end
     end

data/tpm-key_attestation.gemspec

@@ -26,5 +26,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "bindata", "~> 2.4"
+  spec.add_dependency "openssl", "> 2.0", "< 3.1"
   spec.add_dependency "openssl-signature_algorithm", "~> 1.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tpm-key_attestation
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0
 platform: ruby
 authors:
 - Gonzalo
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-07-09 00:00:00.000000000 Z
+date: 2022-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -24,6 +24,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: openssl-signature_algorithm
   requirement: !ruby/object:Gem::Requirement
@@ -38,16 +58,16 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-description: 
-email: 
+description:
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/build.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - Appraisals
 - CHANGELOG.md
 - Gemfile
@@ -58,20 +78,15 @@ files:
 - SECURITY.md
 - bin/console
 - bin/setup
-- gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
 - gemfiles/openssl_2_2.gemfile
-- gemfiles/openssl_default.gemfile
-- gemfiles/openssl_head.gemfile
-- install-openssl.sh
-- install-ruby.sh
+- gemfiles/openssl_3_0.gemfile
 - lib/tpm/aik_certificate.rb
 - lib/tpm/certificates/AMD/RootCA/AMD-fTPM-ECC-RootCA.crt
 - lib/tpm/certificates/AMD/RootCA/AMD-fTPM-RSA-RootCA.crt
 - lib/tpm/certificates/Atmel/RootCA/Atmel TPM Root Signing Module.der
 - lib/tpm/certificates/Infineon/RootCA/IFX TPM EK Root CA.cer
 - lib/tpm/certificates/Infineon/RootCA/IFX-RootCA.cer
-- lib/tpm/certificates/Infineon/RootCA/IFX_TPM_RootCert_008.crt
 - lib/tpm/certificates/Infineon/RootCA/Infineon OPTIGA(TM) ECC Root CA.crt
 - lib/tpm/certificates/Infineon/RootCA/Infineon OPTIGA(TM) RSA Root CA.crt
 - lib/tpm/certificates/Intel/RootCA/EKRootPublicKey.cer
@@ -88,7 +103,6 @@ files:
 - lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2011.cer
 - lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2110.cer
 - lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2111.cer
-- lib/tpm/certificates/QC/RootCA/Microsoft TPM Root Certificate Authority 2014.cer
 - lib/tpm/certificates/STMicro/RootCA/GlobalSign Trusted Computing CA.crt
 - lib/tpm/certificates/STMicro/RootCA/GlobalSign Trusted Platform Module ECC Root
   CA.crt
@@ -115,7 +129,7 @@ metadata:
   homepage_uri: https://github.com/cedarcode/tpm-key_attestation
   source_code_uri: https://github.com/cedarcode/tpm-key_attestation
   changelog_uri: https://github.com/cedarcode/tpm-key_attestation/blob/master/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -130,8 +144,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: TPM Key Attestation verifier
 test_files: []

data/.travis.yml

@@ -1,40 +0,0 @@
----
-dist: bionic
-language: ruby
-
-cache:
-  bundler: true
-  directories:
-    - /home/travis/.rvm/
-
-env:
-  - RB=2.7.1 LIBSSL=1.0
-  - RB=2.7.1 LIBSSL=1.1
-  - RB=2.6.6 LIBSSL=1.0
-  - RB=2.6.6 LIBSSL=1.1
-  - RB=2.5.8 LIBSSL=1.0
-  - RB=2.5.8 LIBSSL=1.1
-  - RB=2.4.10 LIBSSL=1.0
-  - RB=2.4.10 LIBSSL=1.1
-  - RB=ruby-head LIBSSL=1.0
-  - RB=ruby-head LIBSSL=1.1
-
-gemfile:
-  - gemfiles/openssl_head.gemfile
-  - gemfiles/openssl_2_2.gemfile
-  - gemfiles/openssl_2_1.gemfile
-  - gemfiles/openssl_2_0.gemfile
-  - gemfiles/openssl_default.gemfile
-
-matrix:
-  fast_finish: true
-  allow_failures:
-    - env: RB=ruby-head LIBSSL=1.0
-    - env: RB=ruby-head LIBSSL=1.1
-    - gemfile: gemfiles/openssl_head.gemfile
-
-before_install:
-  - ./install-openssl.sh
-  - ./install-ruby.sh
-  - gem install bundler -v "~> 2.0"
-  - rm Gemfile.lock

data/gemfiles/openssl_default.gemfile

@@ -1,11 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "appraisal", "~> 2.2.0"
-gem "byebug", "~> 11.0"
-gem "rake", "~> 13.0"
-gem "rspec", "~> 3.0"
-gem "rubocop", "~> 0.80.1"
-
-gemspec path: "../"

data/gemfiles/openssl_head.gemfile

@@ -1,12 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "appraisal", "~> 2.2.0"
-gem "byebug", "~> 11.0"
-gem "rake", "~> 13.0"
-gem "rspec", "~> 3.0"
-gem "rubocop", "~> 0.80.1"
-gem "openssl", git: "https://github.com/ruby/openssl"
-
-gemspec path: "../"

data/install-openssl.sh

@@ -1,3 +0,0 @@
-if [[ "${LIBSSL}" == "1.0" ]]; then
-  sudo apt purge libssl-dev && sudo apt-get -yq --no-install-suggests --no-install-recommends install libssl1.0-dev
-fi

data/install-ruby.sh

@@ -1,10 +0,0 @@
-source ~/.rvm/scripts/rvm
-
-if [[ "${LIBSSL}" == "1.0" ]]; then
-  rvm install $RB --autolibs=read-only -C --with-openssl-dir=usr/include/openssl
-elif [[ "${LIBSSL}" == "1.1" ]]; then
-  rvm install $RB --binary --fuzzy
-fi
-
-rvm use $RB
-ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'