tpm-key_attestation 0.12.1 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae6c28ee251d9123abbdaa6c18ab7d424accaf1bb44cbe0e350ccb2bdf8c79ca
-  data.tar.gz: f172c0436c2dedeab2e8300396ddc515428912f6c73f5688d905723844625320
+  metadata.gz: 0a92767d4ddd0efcb039e6c5453f77036bb03ff7bd47a0a0aedf831f12e2645c
+  data.tar.gz: 287110f2d3c8e3945d4eced73103371d40e9d5ca3a00f50a99c209b0df1efa6a
 SHA512:
-  metadata.gz: aa78d70ea5a12c5768a0c24d90ae3f6137260ae8b45d14e23c716519b07a3dade2f76735c0a18b39dc1244f09e2ecd47019554395fb03c45d98a88bc454affd0
-  data.tar.gz: fc501bb669b8ac188a89ce63fe3052b27b22b9e29069a4ca58e4b3538d5b14fd8ae23dccfe1de89027eeb74943750c00b21f460151872b26fdc51ec6f3c45979
+  metadata.gz: e1c2d352b315b796655a0ede9c11383547a902c803f8815354f934090c5a3d683d32426f8fd537f1a76f6eb6784ea5688065bb6008da52e204bb0c6ac9dc5c9f
+  data.tar.gz: 19d3dbb264e6720af1731296aed09549a080119f2af1ee5174ca5ae07c9102b8669ce597bd7df5b7932efbf0c7ac21272e6ed6a033ace8158e5d7d64a3b460fe

data/.github/workflows/build.yml

@@ -22,8 +22,9 @@ jobs:
         os:
           - ubuntu-20.04
           - windows-latest
-          - macos-12
+          - macos-13
         ruby:
+          - '3.3'
           - '3.2'
           - '3.1'
           - '3.0'
@@ -36,6 +37,7 @@ jobs:
           - openssl_2_1
           - openssl_3_0
           - openssl_3_1
+          - openssl_3_2
         exclude:
           - ruby: '2.4'
             gemfile: openssl_3_0
@@ -45,24 +47,42 @@ jobs:
             gemfile: openssl_3_1
           - ruby: '2.5'
             gemfile: openssl_3_1
+          - ruby: '2.4'
+            gemfile: openssl_3_2
+          - ruby: '2.5'
+            gemfile: openssl_3_2
+          - ruby: '2.6'
+            gemfile: openssl_3_2
           - ruby: '3.1'
             gemfile: openssl_2_2
-            os: macos-12
+            os: macos-13
           - ruby: '3.1'
             gemfile: openssl_2_1
-            os: macos-12
+            os: macos-13
           - ruby: '3.2'
             gemfile: openssl_2_2
-            os: macos-12
+            os: macos-13
           - ruby: '3.2'
             gemfile: openssl_2_1
-            os: macos-12
+            os: macos-13
           - ruby: '3.2'
             gemfile: openssl_2_2
             os: windows-latest
           - ruby: '3.2'
             gemfile: openssl_2_1
             os: windows-latest
+          - ruby: '3.3'
+            gemfile: openssl_2_2
+            os: macos-13
+          - ruby: '3.3'
+            gemfile: openssl_2_1
+            os: macos-13
+          - ruby: '3.3'
+            gemfile: openssl_2_2
+            os: windows-latest
+          - ruby: '3.3'
+            gemfile: openssl_2_1
+            os: windows-latest
     env:
       BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
     steps:

data/Appraisals

@@ -15,3 +15,7 @@ end
 appraise "openssl_3_1" do
   gem "openssl", "~> 3.1.0"
 end
+
+appraise "openssl_3_2" do
+  gem "openssl", "~> 3.2.0"
+end

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [v0.14.0] - 2025-02-06
+
+- Handle incompatibility between `parameters` and `unique` in `TPublic`. [@nicolastemciuc], [@santiagorodriguez96]
+
+## [v0.13.1] - 2025-01-22
+
+- Fix build [@nicolastemciuc]
+
+## [v0.13.0] - 2025-01-21
+
+- Use public key from AIK cert for signature algorithm initalization [@santiagorodriguez96]
+- Support algorithm being ECC and pubArea's scheme parameter being TPM_ALG_NULL [@santiagorodriguez96]
+- Allow TPM:TPublic to handle ECC keys in pubArea correctly [@santiagorodriguez96]
+
 ## [v0.12.1] - 2024-08-05
 
 - Fix loading trusted certificates on Windows. #20 & #21 [@johnnyshields], [@salmanasiddiqui]
@@ -79,6 +93,8 @@ replacement of `JOSE` format `algorithm` string
 - `TPM::EKCertificate` wrapper
 - `TPM::SAttest` wrapper
 
+[v0.13.1]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.13.0...v0.13.1/
+[v0.13.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.12.1...v0.13.0/
 [v0.12.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.11.0...v0.12.0/
 [v0.11.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.10.0...v0.11.0/
 [v0.10.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.9.0...v0.10.0/

data/Gemfile

@@ -5,7 +5,7 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in tpm-key_attestation.gemspec
 gemspec
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    tpm-key_attestation (0.11.0)
+    tpm-key_attestation (0.14.0)
       bindata (~> 2.4)
       openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
@@ -9,37 +9,39 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    appraisal (2.2.0)
+    appraisal (2.5.0)
       bundler
       rake
       thor (>= 0.14.0)
     ast (2.4.2)
-    bindata (2.4.14)
+    bindata (2.5.0)
     byebug (11.1.3)
-    diff-lcs (1.4.4)
-    jaro_winkler (1.5.4)
-    openssl (3.1.0)
-    openssl-signature_algorithm (1.2.1)
-      openssl (> 2.0, < 3.1)
-    parallel (1.20.1)
-    parser (3.0.0.0)
+    diff-lcs (1.5.1)
+    jaro_winkler (1.5.6)
+    openssl (3.2.0)
+    openssl-signature_algorithm (1.3.0)
+      openssl (> 2.0)
+    parallel (1.26.3)
+    parser (3.3.6.0)
       ast (~> 2.4.1)
-    rainbow (3.0.0)
-    rake (13.0.3)
-    rexml (3.2.4)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+      racc
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.2.1)
+    rexml (3.3.9)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.2)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.2)
     rubocop (0.80.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
@@ -48,15 +50,15 @@ GEM
       rexml
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.7)
-    ruby-progressbar (1.11.0)
-    thor (1.1.0)
+    ruby-progressbar (1.13.0)
+    thor (1.3.2)
     unicode-display_width (1.6.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  appraisal (~> 2.2.0)
+  appraisal (~> 2.5.0)
   byebug (~> 11.0)
   rake (~> 13.0)
   rspec (~> 3.0)
@@ -64,4 +66,4 @@ DEPENDENCIES
   tpm-key_attestation!
 
 BUNDLED WITH
-   2.2.8
+   2.5.23

data/gemfiles/openssl_2_1.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_2_2.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_3_0.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_3_1.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_3_2.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", "~> 2.5.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
+gem "rspec", "~> 3.0"
+gem "rubocop", "~> 0.80.1"
+gem "openssl", "~> 3.2.0"
+
+gemspec path: "../"

data/lib/tpm/certify_validator.rb

@@ -44,7 +44,13 @@ module TPM
     end
 
     def valid_signature?(verify_key)
-      openssl_signature_algorithm = openssl_signature_algorithm_class.new(**openssl_signature_algorithm_parameters)
+      parameters = { hash_function: openssl_hash_function }
+
+      if verify_key.is_a?(OpenSSL::PKey::EC) || verify_key.is_a?(OpenSSL::PKey::EC::Point)
+        parameters[:curve] = verify_key.group.curve_name
+      end
+
+      openssl_signature_algorithm = openssl_signature_algorithm_class.new(**parameters)
       openssl_signature_algorithm.verify_key = verify_key
       openssl_signature_algorithm.verify(signature, info)
     rescue OpenSSL::SignatureAlgorithm::Error
@@ -55,16 +61,6 @@ module TPM
       @attest ||= TPM::SAttest.deserialize(info)
     end
 
-    def openssl_signature_algorithm_parameters
-      parameters = { hash_function: openssl_hash_function }
-
-      if public_area.ecc?
-        parameters[:curve] = public_area.openssl_curve_name
-      end
-
-      parameters
-    end
-
     def openssl_hash_function
       TPM_HASH_ALG_TO_OPENSSL[hash_algorithm] || raise("Unsupported hash algorithm #{hash_algorithm}")
     end

data/lib/tpm/key_attestation/version.rb

@@ -2,6 +2,6 @@
 
 module TPM
   class KeyAttestation
-    VERSION = "0.12.1"
+    VERSION = "0.14.0"
   end
 end

data/lib/tpm/t_public.rb

@@ -4,6 +4,7 @@ require "bindata"
 require "openssl"
 require "tpm/constants"
 require "tpm/sized_buffer"
+require "tpm/tpms_ecc_point"
 require "tpm/t_public/s_ecc_parms"
 require "tpm/t_public/s_rsa_parms"
 
@@ -42,7 +43,7 @@ module TPM
     end
 
     choice :unique, selection: :alg_type do
-      sized_buffer TPM::ALG_ECC
+      tpms_ecc_point TPM::ALG_ECC
       sized_buffer TPM::ALG_RSA
     end
 
@@ -75,9 +76,13 @@ module TPM
     private
 
     def ecc_key
-      if parameters.scheme == TPM::ALG_ECDSA
+      case parameters.scheme
+      when TPM::ALG_ECDSA, TPM::ALG_NULL
         group = OpenSSL::PKey::EC::Group.new(openssl_curve_name)
-        point = OpenSSL::PKey::EC::Point.new(group, bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.buffer.value))
+        point = OpenSSL::PKey::EC::Point.new(
+          group,
+          bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.x.buffer.value + unique.y.buffer.value)
+        )
 
         # RFC5480 SubjectPublicKeyInfo
         asn1 = OpenSSL::ASN1::Sequence(
@@ -94,6 +99,8 @@ module TPM
 
         OpenSSL::PKey::EC.new(asn1.to_der)
       end
+    rescue OpenSSL::PKey::EC::Point::Error
+      nil
     end
 
     def rsa_key

data/lib/tpm/tpms_ecc_point.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bindata"
+
+module TPM
+  class TpmsEccPoint < BinData::Record
+    endian :big
+
+    sized_buffer :x
+    sized_buffer :y
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tpm-key_attestation
 version: !ruby/object:Gem::Version
-  version: 0.12.1
+  version: 0.14.0
 platform: ruby
 authors:
 - Gonzalo
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-05 00:00:00.000000000 Z
+date: 2025-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -76,6 +76,7 @@ files:
 - gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_3_0.gemfile
 - gemfiles/openssl_3_1.gemfile
+- gemfiles/openssl_3_2.gemfile
 - lib/tpm/aik_certificate.rb
 - lib/tpm/certificates/AMD/RootCA/AMD-fTPM-ECC-RootCA.crt
 - lib/tpm/certificates/AMD/RootCA/AMD-fTPM-RSA-RootCA.crt
@@ -115,6 +116,7 @@ files:
 - lib/tpm/t_public/s_ecc_parms.rb
 - lib/tpm/t_public/s_rsa_parms.rb
 - lib/tpm/tpm2b_name.rb
+- lib/tpm/tpms_ecc_point.rb
 - lib/tpm/tpmt_ha.rb
 - tpm-key_attestation.gemspec
 homepage: https://github.com/cedarcode/tpm-key_attestation