tpm-key_attestation 0.4.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa6a84bd8d758948be4dbb8ee8719205c70f049b841027f496c6f5c5c25362b0
-  data.tar.gz: ca4acf429c5ea3a819c34c8f5ae3053053efa81f1209c4f3152480096562ac1e
+  metadata.gz: 0f495569765faf3eaf8bcd9ff004405e278d720d12253ec01f98175f9dce3e4c
+  data.tar.gz: 26105eb6528b31ddec9a800cdeddea4eee311e25fdfc1c99cee2345b43e58bd9
 SHA512:
-  metadata.gz: 7a0a2dea4c9669fc3a7fdb01d1515987fc61974209414b3d3ec30875f799b0c2111ea40cc6f75f86ff2d95ec7975110905b9a36c27b88f0e09dd4ef2f7c90287
-  data.tar.gz: 0717bc921eba45a9eda3d347f6b70b45c2dfbfc231eba53e2dfddd2ba1f1b22d5fe3fce60ec6f7d79c035813a755e82830c07c64f7750b6e41ede257c3460430
+  metadata.gz: 3501ffabdfea8bc28803a2036f0e83d2e16eb7cdcd21a937f9112ffd7ecfdb91ff37290fd97b5d8de50eab22f3ddf109899b7f715c90b4ef667a0aed04156c4b
+  data.tar.gz: 26698f67fad4bcb5788d5f01ab536057b3fa3c0bd2db5338aa495dda45435bf528e101ae91e4afddd3f94b8389456544677a9964871df9f7997b79274ca41f38

data/.gitignore

@@ -11,3 +11,4 @@
 .rspec_status
 
 /gemfiles/*.gemfile.lock
+.byebug_history

data/.rspec

@@ -1,3 +1,3 @@
---format documentation
 --color
 --require spec_helper
+--order random

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.4
   DisabledByDefault: true
   Exclude:
     - "gemfiles/**/*"
@@ -28,9 +28,6 @@ Security:
 Style/BlockComments:
   Enabled: true
 
-Style/BracesAroundHashParameters:
-  Enabled: true
-
 Style/CaseEquality:
   Enabled: true
 

data/.travis.yml

@@ -1,18 +1,27 @@
 ---
 dist: bionic
 language: ruby
-cache: bundler
 
-rvm:
-  - ruby-head
-  - 2.7.0
-  - 2.6.5
-  - 2.5.7
-  - 2.4.9
-  - 2.3.8
+cache:
+  bundler: true
+  directories:
+    - /home/travis/.rvm/
+
+env:
+  - RB=2.7.1 LIBSSL=1.0
+  - RB=2.7.1 LIBSSL=1.1
+  - RB=2.6.6 LIBSSL=1.0
+  - RB=2.6.6 LIBSSL=1.1
+  - RB=2.5.8 LIBSSL=1.0
+  - RB=2.5.8 LIBSSL=1.1
+  - RB=2.4.10 LIBSSL=1.0
+  - RB=2.4.10 LIBSSL=1.1
+  - RB=ruby-head LIBSSL=1.0
+  - RB=ruby-head LIBSSL=1.1
 
 gemfile:
   - gemfiles/openssl_head.gemfile
+  - gemfiles/openssl_2_2.gemfile
   - gemfiles/openssl_2_1.gemfile
   - gemfiles/openssl_2_0.gemfile
   - gemfiles/openssl_default.gemfile
@@ -20,9 +29,12 @@ gemfile:
 matrix:
   fast_finish: true
   allow_failures:
-    - rvm: ruby-head
+    - env: RB=ruby-head LIBSSL=1.0
+    - env: RB=ruby-head LIBSSL=1.1
     - gemfile: gemfiles/openssl_head.gemfile
 
 before_install:
+  - ./install-openssl.sh
+  - ./install-ruby.sh
   - gem install bundler -v "~> 2.0"
   - rm Gemfile.lock

data/Appraisals

@@ -4,6 +4,10 @@ appraise "openssl_head" do
   gem "openssl", git: "https://github.com/ruby/openssl"
 end
 
+appraise "openssl_2_2" do
+  gem "openssl", "~> 2.2.0"
+end
+
 appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end

data/CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## [v0.9.0] - 2020-05-31
+
+### Fixed
+
+- Fixed compatibility with OpenSSL-C (libssl) v1.0.2 ([@santiagorodriguez96])
+
+## [v0.8.0] - 2020-03-29
+
+### Changed
+
+- Update `openssl-signature_algorithm` gem dependency from `v0.3` to `v0.4`.
+
+## [v0.7.0] - 2020-02-25
+
+### Added
+
+- `TPM::KeyAttestation#valid?` performs certificate path validation. In other words, it verifies trust up
+to an acceptable trusted root certificate.
+
+### Changed
+
+- Rename `TPM::EKCertificate` to `TPM::AIKCertificate` to fix semantics
+
+## [v0.6.0] - 2020-01-30
+
+### Changed
+
+- `TPM::KeyAttestation.new` now accepts `signature_algorithm` and `hash_algorithm` in TPM format in
+replacement of `JOSE` format `algorithm` string
+
+## [v0.5.0] - 2020-01-23
+
+### Added
+
+- `TPM::KeyAttestation#valid?` also checks there's at least a well-formatted key in the attestation
+
 ## [v0.4.0] - 2020-01-20
 
 ### Added
@@ -25,7 +61,14 @@
 - `TPM::EKCertificate` wrapper
 - `TPM::SAttest` wrapper
 
+[v0.9.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.8.0...v0.9.0/
+[v0.8.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.7.0...v0.8.0/
+[v0.7.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.6.0...v0.7.0/
+[v0.6.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.5.0...v0.6.0/
+[v0.5.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.4.0...v0.5.0/
 [v0.4.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.3.0...v0.4.0/
 [v0.3.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.2.0...v0.3.0/
 [v0.2.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/tpm-key_attestation/compare/57c926ef7e83830cee8d111fdc5ccaf99ab2e861...v0.1.0/
+
+[@santiagorodriguez96]: https://github.com/santiagorodriguez96

data/Gemfile

@@ -6,7 +6,7 @@ source "https://rubygems.org"
 gemspec
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"

data/Gemfile.lock

@@ -1,8 +1,9 @@
 PATH
   remote: .
   specs:
-    tpm-key_attestation (0.4.0)
+    tpm-key_attestation (0.9.0)
       bindata (~> 2.4)
+      openssl-signature_algorithm (~> 0.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -12,46 +13,51 @@ GEM
       rake
       thor (>= 0.14.0)
     ast (2.4.0)
-    bindata (2.4.4)
+    bindata (2.4.7)
+    byebug (11.1.3)
     diff-lcs (1.3)
     jaro_winkler (1.5.4)
+    openssl-signature_algorithm (0.4.0)
     parallel (1.19.1)
-    parser (2.7.0.2)
+    parser (2.7.1.3)
       ast (~> 2.4.0)
     rainbow (3.0.0)
-    rake (12.3.3)
+    rake (13.0.1)
+    rexml (3.2.4)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-support (3.9.2)
-    rubocop (0.79.0)
+    rspec-support (3.9.3)
+    rubocop (0.80.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
+      rexml
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.7)
     ruby-progressbar (1.10.1)
     thor (1.0.1)
-    unicode-display_width (1.6.0)
+    unicode-display_width (1.6.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   appraisal (~> 2.2.0)
-  rake (~> 12.0)
+  byebug (~> 11.0)
+  rake (~> 13.0)
   rspec (~> 3.0)
-  rubocop
+  rubocop (~> 0.80.1)
   tpm-key_attestation!
 
 BUNDLED WITH

data/README.md

@@ -2,8 +2,9 @@
 
 TPM Key Attestation utitlies
 
-[![Gem](https://img.shields.io/gem/v/tpm-key_attestation.svg?style=flat-square)](https://rubygems.org/gems/tpm-key_attestation)
-[![Travis](https://img.shields.io/travis/cedarcode/tpm-key_attestation.svg?style=flat-square)](https://travis-ci.org/cedarcode/tpm-key_attestation)
+[![Gem](https://img.shields.io/gem/v/tpm-key_attestation.svg?style=flat-square&color=informational)](https://rubygems.org/gems/tpm-key_attestation)
+[![Travis](https://img.shields.io/travis/cedarcode/tpm-key_attestation/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/tpm-key_attestation)
+[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 
 ## Installation
 
@@ -31,7 +32,7 @@ key_attestation =
     certified_object,
     signing_key,
     quilifying_data,
-    algorithm: "RS256" # Supported values: "RS256", "PS256", "ES256" (default "RS256")
+    signature_algorithm: TPM::ALG_RSAPSS # Supported values: TPM::ALG_RSAPSS, TPM::ALG_RSASSA, TPM::ALG_ECDSA (default TPM::ALG_RSASSA)
   )
 
 if key_attestation.valid?

data/gemfiles/openssl_2_0.gemfile

@@ -3,9 +3,10 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 gem "openssl", "~> 2.0.0"
 
 gemspec path: "../"

data/gemfiles/openssl_2_1.gemfile

@@ -3,9 +3,10 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 gem "openssl", "~> 2.1.0"
 
 gemspec path: "../"

data/gemfiles/openssl_2_2.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", "~> 2.2.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
+gem "rspec", "~> 3.0"
+gem "rubocop", "~> 0.80.1"
+gem "openssl", "~> 2.2.0"
+
+gemspec path: "../"

data/gemfiles/openssl_default.gemfile

@@ -3,8 +3,9 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 
 gemspec path: "../"

data/gemfiles/openssl_head.gemfile

@@ -3,9 +3,10 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 gem "openssl", git: "https://github.com/ruby/openssl"
 
 gemspec path: "../"

data/install-openssl.sh

@@ -0,0 +1,3 @@
+if [[ "${LIBSSL}" == "1.0" ]]; then
+  sudo apt purge libssl-dev && sudo apt-get -yq --no-install-suggests --no-install-recommends install libssl1.0-dev
+fi

data/install-ruby.sh

@@ -0,0 +1,10 @@
+source ~/.rvm/scripts/rvm
+
+if [[ "${LIBSSL}" == "1.0" ]]; then
+  rvm install $RB --autolibs=read-only -C --with-openssl-dir=usr/include/openssl
+elif [[ "${LIBSSL}" == "1.1" ]]; then
+  rvm install $RB --binary --fuzzy
+fi
+
+rvm use $RB
+ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

data/lib/tpm/{ek_certificate.rb → aik_certificate.rb}

@@ -6,14 +6,15 @@ require "tpm/constants"
 
 module TPM
   # Section 3.2 in https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
-  class EKCertificate < SimpleDelegator
+  class AIKCertificate < SimpleDelegator
     ASN_V3 = 2
     EMPTY_NAME = OpenSSL::X509::Name.new([]).freeze
     SAN_DIRECTORY_NAME = 4
-    OID_TCG_AT_TPM_MANUFACTURER = "2.23.133.2.1"
-    OID_TCG_AT_TPM_MODEL = "2.23.133.2.2"
-    OID_TCG_AT_TPM_VERSION = "2.23.133.2.3"
-    OID_TCG_KP_AIK_CERTIFICATE = "2.23.133.8.3"
+    OID_TCG = "2.23.133"
+    OID_TCG_AT_TPM_MANUFACTURER = "#{OID_TCG}.2.1"
+    OID_TCG_AT_TPM_MODEL = "#{OID_TCG}.2.2"
+    OID_TCG_AT_TPM_VERSION = "#{OID_TCG}.2.3"
+    OID_TCG_KP_AIK_CERTIFICATE = "#{OID_TCG}.8.3"
 
     def self.from_der(certificate_der)
       new(OpenSSL::X509::Certificate.new(certificate_der))
@@ -24,13 +25,10 @@ module TPM
         valid_version? &&
         valid_extended_key_usage? &&
         valid_basic_constraints? &&
+        empty_subject? &&
         valid_subject_alternative_name?
     end
 
-    def empty_subject?
-      subject.eql?(EMPTY_NAME)
-    end
-
     private
 
     def in_use?
@@ -55,31 +53,60 @@ module TPM
       extended_key_usage && extended_key_usage.value == OID_TCG_KP_AIK_CERTIFICATE && !extended_key_usage.critical?
     end
 
+    def empty_subject?
+      subject.eql?(EMPTY_NAME)
+    end
+
     def valid_subject_alternative_name?
-      extension = extensions.detect { |ext| ext.oid == "subjectAltName" }
-      return unless extension
-
-      san_asn1 =
-        OpenSSL::ASN1.decode(extension).find do |val|
-          val.tag_class == :UNIVERSAL && val.tag == OpenSSL::ASN1::OCTET_STRING
-        end
-      directory_name =
-        OpenSSL::ASN1.decode(san_asn1.value).find do |val|
-          val.tag_class == :CONTEXT_SPECIFIC && val.tag == SAN_DIRECTORY_NAME
-        end
-      name = OpenSSL::X509::Name.new(directory_name.value.first).to_a
-      manufacturer = name.assoc(OID_TCG_AT_TPM_MANUFACTURER).at(1)
-      model = name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
-      version = name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
-
-      ::TPM::VENDOR_IDS[manufacturer] &&
-        !model.empty? &&
-        !version.empty? &&
-        (empty_subject? && extension.critical? || !empty_subject? && !extension.critical?)
+      if san_extension
+        san_extension.critical? &&
+          !tpm_manufacturer.empty? &&
+          TPM::VENDOR_IDS[tpm_manufacturer] &&
+          !tpm_model.empty? &&
+          !tpm_version.empty?
+      end
     end
 
     def extension(oid)
       extensions.detect { |ext| ext.oid == oid }
     end
+
+    def tpm_manufacturer
+      if san_name
+        san_name.assoc(OID_TCG_AT_TPM_MANUFACTURER).at(1)
+      end
+    end
+
+    def tpm_model
+      if san_name
+        san_name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
+      end
+    end
+
+    def tpm_version
+      if san_name
+        san_name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
+      end
+    end
+
+    def san_name
+      if san_extension
+        san_asn1 =
+          OpenSSL::ASN1.decode(san_extension).find do |val|
+            val.tag_class == :UNIVERSAL && val.tag == OpenSSL::ASN1::OCTET_STRING
+          end
+
+        directory_name =
+          OpenSSL::ASN1.decode(san_asn1.value).find do |val|
+            val.tag_class == :CONTEXT_SPECIFIC && val.tag == SAN_DIRECTORY_NAME
+          end
+
+        OpenSSL::X509::Name.new(directory_name.value.first).to_a
+      end
+    end
+
+    def san_extension
+      extension("subjectAltName")
+    end
   end
 end

data/lib/tpm/certificates/NationZ/RootCA/EkRootCA.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRDCCAcqgAwIBAgIBATAKBggqhkjOPQQDAzBrMQswCQYDVQQGEwJDTjEhMB8G
+A1UECgwYTmF0aW9ueiBUZWNobm9sb2dpZXMgSW5jMRswGQYDVQQLDBJOYXRpb256
+IFRQTSBEZXZpY2UxHDAaBgNVBAMME05hdGlvbnogVFBNIFJvb3QgQ0EwHhcNMTcw
+NTEyMDAwMDAwWhcNNDcwNTEzMDAwMDAwWjBrMQswCQYDVQQGEwJDTjEhMB8GA1UE
+CgwYTmF0aW9ueiBUZWNobm9sb2dpZXMgSW5jMRswGQYDVQQLDBJOYXRpb256IFRQ
+TSBEZXZpY2UxHDAaBgNVBAMME05hdGlvbnogVFBNIFJvb3QgQ0EwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATvuDTN8TNvp3A9fSjWpDARLmvz7ItQrDq/mmuzvzInwQfs
+YKUUJza4MXB3yS0PH1jjv1YMvaIBIalAgc+kahScQUy6W2fy6hd36pazmc/vQfG3
+Gdhw56gGwRHx4rn4TuqjQjBAMB0GA1UdDgQWBBQ6vP8I314BDCtkB4vHzpUG9Aj9
+5DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNo
+ADBlAjApzqSmd4cCMKC7slJ4NE/7zweXZx89JzSEnEWGcq78jbbXCw6yM+R4nCNX
+phflI9QCMQCeFOAvyR+DQvThfGFINABej+1zeDVIjuZHat3FHVyV0UQVClPgMlZu
+TntipXwGOVY=
+-----END CERTIFICATE-----

data/lib/tpm/certify_validator.rb

@@ -1,19 +1,31 @@
 # frozen_string_literal: true
 
+require "openssl/signature_algorithm"
 require "tpm/constants"
-require "tpm/public_area"
 require "tpm/s_attest"
 
 module TPM
   class CertifyValidator
-    attr_reader :info, :signature, :nonce, :object, :algorithm
+    attr_reader :info, :signature, :nonce, :object, :signature_algorithm, :hash_algorithm
 
-    def initialize(info, signature, nonce, object, algorithm: "RS256")
+    TPM_SIGNATURE_ALG_TO_OPENSSL = {
+      ALG_RSASSA => OpenSSL::SignatureAlgorithm::RSAPKCS1,
+      ALG_RSAPSS => OpenSSL::SignatureAlgorithm::RSAPSS,
+      ALG_ECDSA => OpenSSL::SignatureAlgorithm::ECDSA
+    }.freeze
+
+    TPM_HASH_ALG_TO_OPENSSL = {
+      ALG_SHA1 => "SHA1",
+      ALG_SHA256 => "SHA256"
+    }.freeze
+
+    def initialize(info, signature, nonce, object, signature_algorithm: ALG_RSASSA, hash_algorithm: ALG_SHA256)
       @info = info
       @signature = signature
       @nonce = nonce
       @object = object
-      @algorithm = algorithm
+      @signature_algorithm = signature_algorithm
+      @hash_algorithm = hash_algorithm
     end
 
     def valid?(signing_key)
@@ -26,14 +38,17 @@ module TPM
       attest.attested_type == TPM::ST_ATTEST_CERTIFY &&
         attest.extra_data.buffer == nonce &&
         attest.magic == TPM::GENERATED_VALUE &&
-        attest.attested.name.buffer == TPM::PublicArea.new(object).name
+        attest.attested.name.valid_for?(object)
     end
 
-    def valid_signature?(signing_key)
-      if rsa_pss?
-        signing_key.verify_pss(hash_function, signature, info, salt_length: :auto, mgf1_hash: hash_function)
-      else
-        signing_key.verify(hash_function, signature, info)
+    def valid_signature?(verify_key)
+      openssl_signature_algorithm = openssl_signature_algorithm_class.new(openssl_hash_function[3..-1])
+      openssl_signature_algorithm.verify_key = verify_key
+
+      begin
+        openssl_signature_algorithm.verify(signature, info)
+      rescue OpenSSL::SignatureAlgorithm::Error
+        false
       end
     end
 
@@ -41,12 +56,12 @@ module TPM
       @attest ||= TPM::SAttest.deserialize(info)
     end
 
-    def hash_function
-      "SHA#{algorithm[2..-1]}"
+    def openssl_hash_function
+      TPM_HASH_ALG_TO_OPENSSL[hash_algorithm] || raise("Unsupported hash algorithm #{hash_algorithm}")
     end
 
-    def rsa_pss?
-      algorithm.start_with?("PS")
+    def openssl_signature_algorithm_class
+      TPM_SIGNATURE_ALG_TO_OPENSSL[signature_algorithm] || raise("Unsupported signature algorithm #{algorithm}")
     end
   end
 end

data/lib/tpm/key_attestation.rb

@@ -1,22 +1,54 @@
 # frozen_string_literal: true
 
+require "openssl"
 require "tpm/key_attestation/version"
+require "tpm/aik_certificate"
 require "tpm/certify_validator"
+require "tpm/constants"
 
 module TPM
   class KeyAttestation
+    # https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-install-trusted-tpm-root-certificates
+    ROOT_CERTIFICATES =
+      begin
+        pattern = File.expand_path(File.join(__dir__, "certificates", "*", "RootCA", "*.*"))
+        Dir.glob(pattern).map do |filename|
+          File.open(filename) { |file| OpenSSL::X509::Certificate.new(file) }
+        end
+      end
+
     class Error < StandardError; end
 
-    attr_reader :certify_info, :signature, :certified_object, :signing_key, :algorithm, :qualifying_data
+    attr_reader(
+      :certify_info,
+      :signature,
+      :certified_key,
+      :certificates,
+      :signature_algorithm,
+      :hash_algorithm,
+      :qualifying_data,
+      :root_certificates
+    )
 
-    def initialize(certify_info, signature, certified_object, signing_key, qualifying_data, algorithm: "RS256")
+    def initialize(
+      certify_info,
+      signature,
+      certified_key,
+      certificates,
+      qualifying_data,
+      signature_algorithm: ALG_RSASSA,
+      hash_algorithm: ALG_SHA256,
+      root_certificates: ROOT_CERTIFICATES
+    )
       @certify_info = certify_info
       @signature = signature
 
-      @certified_object = certified_object
-      @signing_key = signing_key
-      @algorithm = algorithm
+      @certified_key = certified_key
+      @certificates = certificates
+      @signature_algorithm = signature_algorithm
+      @hash_algorithm = hash_algorithm
       @qualifying_data = qualifying_data
+      @root_certificates = root_certificates
     end
 
     def key
@@ -26,7 +58,9 @@ module TPM
     end
 
     def valid?
-      certify_validator.valid?(signing_key)
+      certify_validator.valid?(aik_certificate.public_key) &&
+        aik_certificate.conformant? &&
+        trustworthy?
     end
 
     private
@@ -37,13 +71,31 @@ module TPM
           certify_info,
           signature,
           qualifying_data,
-          certified_object,
-          algorithm: algorithm
+          certified_key,
+          signature_algorithm: signature_algorithm,
+          hash_algorithm: hash_algorithm
         )
     end
 
+    def trustworthy?
+      x509_certificates = certificates.map { |c| OpenSSL::X509::Certificate.new(c) }
+
+      trust_store.verify(x509_certificates[0], x509_certificates[1..-1])
+    end
+
+    def trust_store
+      @trust_store ||=
+        OpenSSL::X509::Store.new.tap do |trust_store|
+          root_certificates.uniq(&:serial).each { |root_certificate| trust_store.add_cert(root_certificate) }
+        end
+    end
+
+    def aik_certificate
+      @aik_certificate ||= TPM::AIKCertificate.from_der(certificates.first)
+    end
+
     def public_area
-      @public_area ||= TPM::PublicArea.new(certified_object)
+      @public_area ||= TPM::PublicArea.new(certified_key)
     end
   end
 end

data/lib/tpm/key_attestation/version.rb

@@ -2,6 +2,6 @@
 
 module TPM
   class KeyAttestation
-    VERSION = "0.4.0"
+    VERSION = "0.9.0"
   end
 end

data/lib/tpm/s_attest/s_certify_info.rb

@@ -2,12 +2,13 @@
 
 require "bindata"
 require "tpm/sized_buffer"
+require "tpm/tpm2b_name"
 
 module TPM
   class SAttest < BinData::Record
     # Section 10.12.3 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
     class SCertifyInfo < BinData::Record
-      sized_buffer :name
+      tpm2b_name :name
       sized_buffer :qualified_name
     end
   end

data/lib/tpm/t_public.rb

@@ -11,6 +11,7 @@ module TPM
   class TPublic < BinData::Record
     BYTE_LENGTH = 8
     CURVE_TPM_TO_OPENSSL = { TPM::ECC_NIST_P256 => "prime256v1" }.freeze
+    RSA_KEY_DEFAULT_PUBLIC_EXPONENT = 2**16 + 1
 
     class << self
       alias_method :deserialize, :read
@@ -37,7 +38,7 @@ module TPM
     end
 
     def key
-      if parameters.symmetric == ::TPM::ALG_NULL
+      if parameters.symmetric == TPM::ALG_NULL
         case alg_type
         when TPM::ALG_ECC
           ecc_key
@@ -74,7 +75,7 @@ module TPM
 
         if parameters.key_bits / BYTE_LENGTH == n.size
           key = OpenSSL::PKey::RSA.new(parameters.key_bits.value)
-          key.set_key(bn(n), nil, nil)
+          key.set_key(bn(n), bn(RSA_KEY_DEFAULT_PUBLIC_EXPONENT), nil)
 
           key.public_key
         end

data/lib/tpm/tpm2b_name.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require "bindata"
+require "tpm/public_area"
+require "tpm/tpmt_ha"
+
+module TPM
+  class Tpm2bName < BinData::Record
+    endian :big
+
+    uint16 :name_size, value: lambda { name.to_binary_s.size }
+    tpmt_ha :name, read_length: :name_size
+
+    def valid_for?(object)
+      name.to_binary_s == TPM::PublicArea.new(object).name
+    end
+  end
+end

data/lib/tpm/tpmt_ha.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "bindata"
+
+module TPM
+  class TpmtHa < BinData::Record
+    BYTE_LENGTH = 8
+    DIGEST_LENGTH_SHA1 = 160
+    DIGEST_LENGTH_SHA256 = 256
+
+    endian :big
+
+    uint16 :hash_alg
+
+    choice :digest, selection: :hash_alg do
+      string TPM::ALG_SHA1, length: DIGEST_LENGTH_SHA1 / BYTE_LENGTH
+      string TPM::ALG_SHA256, length: DIGEST_LENGTH_SHA256 / BYTE_LENGTH
+    end
+  end
+end

data/tpm-key_attestation.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
 
   spec.summary       = "TPM Key Attestation verifier"
   spec.homepage      = "https://github.com/cedarcode/tpm-key_attestation"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.4.0")
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "bindata", "~> 2.4"
+  spec.add_dependency "openssl-signature_algorithm", "~> 0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tpm-key_attestation
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Gonzalo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-01-20 00:00:00.000000000 Z
+date: 2020-05-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: openssl-signature_algorithm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
 description: 
 email: 
 executables: []
@@ -46,11 +60,42 @@ files:
 - bin/setup
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_default.gemfile
 - gemfiles/openssl_head.gemfile
+- install-openssl.sh
+- install-ruby.sh
+- lib/tpm/aik_certificate.rb
+- lib/tpm/certificates/AMD/RootCA/AMD-fTPM-ECC-RootCA.crt
+- lib/tpm/certificates/AMD/RootCA/AMD-fTPM-RSA-RootCA.crt
+- lib/tpm/certificates/Atmel/RootCA/Atmel TPM Root Signing Module.der
+- lib/tpm/certificates/Infineon/RootCA/IFX TPM EK Root CA.cer
+- lib/tpm/certificates/Infineon/RootCA/IFX-RootCA.cer
+- lib/tpm/certificates/Infineon/RootCA/IFX_TPM_RootCert_008.crt
+- lib/tpm/certificates/Infineon/RootCA/Infineon OPTIGA(TM) ECC Root CA.crt
+- lib/tpm/certificates/Infineon/RootCA/Infineon OPTIGA(TM) RSA Root CA.crt
+- lib/tpm/certificates/Intel/RootCA/EKRootPublicKey.cer
+- lib/tpm/certificates/Microsoft/RootCA/Microsoft TPM Root Certificate Authority 2014.cer
+- lib/tpm/certificates/NationZ/RootCA/EkRootCA.crt
+- lib/tpm/certificates/Nuvoton/RootCA/NTC TPM EK Root CA 01.cer
+- lib/tpm/certificates/Nuvoton/RootCA/NTC TPM EK Root CA 02.cer
+- lib/tpm/certificates/Nuvoton/RootCA/NTC TPM EK Root CA ARSUF 01.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1013.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1014.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1110.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1111.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2010.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2011.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2110.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2111.cer
+- lib/tpm/certificates/QC/RootCA/Microsoft TPM Root Certificate Authority 2014.cer
+- lib/tpm/certificates/STMicro/RootCA/GlobalSign Trusted Computing CA.crt
+- lib/tpm/certificates/STMicro/RootCA/GlobalSign Trusted Platform Module ECC Root
+  CA.crt
+- lib/tpm/certificates/STMicro/RootCA/ST TPM Root Certificate.crt
+- lib/tpm/certificates/STMicro/RootCA/STM TPM ECC Root CA 01.crt
 - lib/tpm/certify_validator.rb
 - lib/tpm/constants.rb
-- lib/tpm/ek_certificate.rb
 - lib/tpm/key_attestation.rb
 - lib/tpm/key_attestation/version.rb
 - lib/tpm/public_area.rb
@@ -60,6 +105,8 @@ files:
 - lib/tpm/t_public.rb
 - lib/tpm/t_public/s_ecc_parms.rb
 - lib/tpm/t_public/s_rsa_parms.rb
+- lib/tpm/tpm2b_name.rb
+- lib/tpm/tpmt_ha.rb
 - tpm-key_attestation.gemspec
 homepage: https://github.com/cedarcode/tpm-key_attestation
 licenses:
@@ -76,14 +123,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.3
 signing_key: 
 specification_version: 4
 summary: TPM Key Attestation verifier