tpm-key_attestation 0.5.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5df735cc88867e6fb7c0cdb55698173cfdddec88630b3a69534ba15cd0d9c32
-  data.tar.gz: aef2b61ce9a23bd4bd27f9dda61e7719a7eb1914ce29321d3e6ab2c723ffcf16
+  metadata.gz: 28d7fefca9a69f2a4be0c8124bfb2721767c9c891768607473827c11df7aeaa3
+  data.tar.gz: 4739a10cab12236ee54f4bfacd2a182bc2c48622c5feaffd800317d1ff49228d
 SHA512:
-  metadata.gz: 3ec2802f034dfceebd917044760337c4968cb0268b8de970fd977c0f5d5da5ffbaf3c7017b12c3d372d1973d2f4807d1051e90ed28ddb4a8bca52eb15510cf57
-  data.tar.gz: 2bba01a0fdcd9baee3af72c2442a388cccde52b31c3e22a2e25ee46cace1edb307d1246ecdb62e11251a3e41d0114318a973f5253bfb8516d940c27dbd134d80
+  metadata.gz: b29f8eff516b2f8a8f78583b264586e9eec7c3ad31f8a351517e4b0552a39ef68be0274e83289189395a00e64aac171131252bd24c76fcd964e33a76acab436a
+  data.tar.gz: 69a191891d4a12c8afd4b2acd07ec9c5728506fb33e94cd34e102de1d851acbcfd7694befb6daa01981ab0e2cfaf120a9ddcae4b2d1337eb0e9a74bee485bedd

data/.rspec

@@ -1,3 +1,3 @@
---format documentation
 --color
 --require spec_helper
+--order random

data/.rubocop.yml

@@ -28,9 +28,6 @@ Security:
 Style/BlockComments:
   Enabled: true
 
-Style/BracesAroundHashParameters:
-  Enabled: true
-
 Style/CaseEquality:
   Enabled: true
 

data/.travis.yml

@@ -1,17 +1,27 @@
 ---
 dist: bionic
 language: ruby
-cache: bundler
 
-rvm:
-  - ruby-head
-  - 2.7.0
-  - 2.6.5
-  - 2.5.7
-  - 2.4.9
+cache:
+  bundler: true
+  directories:
+    - /home/travis/.rvm/
+
+env:
+  - RB=2.7.1 LIBSSL=1.0
+  - RB=2.7.1 LIBSSL=1.1
+  - RB=2.6.6 LIBSSL=1.0
+  - RB=2.6.6 LIBSSL=1.1
+  - RB=2.5.8 LIBSSL=1.0
+  - RB=2.5.8 LIBSSL=1.1
+  - RB=2.4.10 LIBSSL=1.0
+  - RB=2.4.10 LIBSSL=1.1
+  - RB=ruby-head LIBSSL=1.0
+  - RB=ruby-head LIBSSL=1.1
 
 gemfile:
   - gemfiles/openssl_head.gemfile
+  - gemfiles/openssl_2_2.gemfile
   - gemfiles/openssl_2_1.gemfile
   - gemfiles/openssl_2_0.gemfile
   - gemfiles/openssl_default.gemfile
@@ -19,9 +29,12 @@ gemfile:
 matrix:
   fast_finish: true
   allow_failures:
-    - rvm: ruby-head
+    - env: RB=ruby-head LIBSSL=1.0
+    - env: RB=ruby-head LIBSSL=1.1
     - gemfile: gemfiles/openssl_head.gemfile
 
 before_install:
+  - ./install-openssl.sh
+  - ./install-ruby.sh
   - gem install bundler -v "~> 2.0"
   - rm Gemfile.lock

data/Appraisals

@@ -4,6 +4,10 @@ appraise "openssl_head" do
   gem "openssl", git: "https://github.com/ruby/openssl"
 end
 
+appraise "openssl_2_2" do
+  gem "openssl", "~> 2.2.0"
+end
+
 appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end

data/CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## [v0.10.0] - 2020-07-09
+
+### Added
+
+- Support ECDSA with NIST P384 and P521 curves
+
+## [v0.9.0] - 2020-05-31
+
+### Fixed
+
+- Fixed compatibility with OpenSSL-C (libssl) v1.0.2 ([@santiagorodriguez96])
+
+## [v0.8.0] - 2020-03-29
+
+### Changed
+
+- Update `openssl-signature_algorithm` gem dependency from `v0.3` to `v0.4`.
+
+## [v0.7.0] - 2020-02-25
+
+### Added
+
+- `TPM::KeyAttestation#valid?` performs certificate path validation. In other words, it verifies trust up
+to an acceptable trusted root certificate.
+
+### Changed
+
+- Rename `TPM::EKCertificate` to `TPM::AIKCertificate` to fix semantics
+
+## [v0.6.0] - 2020-01-30
+
+### Changed
+
+- `TPM::KeyAttestation.new` now accepts `signature_algorithm` and `hash_algorithm` in TPM format in
+replacement of `JOSE` format `algorithm` string
+
 ## [v0.5.0] - 2020-01-23
 
 ### Added
@@ -31,8 +67,15 @@
 - `TPM::EKCertificate` wrapper
 - `TPM::SAttest` wrapper
 
+[v0.10.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.9.0...v0.10.0/
+[v0.9.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.8.0...v0.9.0/
+[v0.8.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.7.0...v0.8.0/
+[v0.7.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.6.0...v0.7.0/
+[v0.6.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.5.0...v0.6.0/
 [v0.5.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.4.0...v0.5.0/
 [v0.4.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.3.0...v0.4.0/
 [v0.3.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.2.0...v0.3.0/
 [v0.2.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/tpm-key_attestation/compare/57c926ef7e83830cee8d111fdc5ccaf99ab2e861...v0.1.0/
+
+[@santiagorodriguez96]: https://github.com/santiagorodriguez96

data/Gemfile

@@ -7,7 +7,6 @@ gemspec
 
 gem "appraisal", "~> 2.2.0"
 gem "byebug", "~> 11.0"
-gem "rake", "~> 12.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"

data/Gemfile.lock

@@ -1,8 +1,9 @@
 PATH
   remote: .
   specs:
-    tpm-key_attestation (0.5.0)
+    tpm-key_attestation (0.10.0)
       bindata (~> 2.4)
+      openssl-signature_algorithm (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
@@ -11,39 +12,42 @@ GEM
       bundler
       rake
       thor (>= 0.14.0)
-    ast (2.4.0)
-    bindata (2.4.4)
-    byebug (11.1.0)
-    diff-lcs (1.3)
+    ast (2.4.1)
+    bindata (2.4.7)
+    byebug (11.1.3)
+    diff-lcs (1.4.4)
     jaro_winkler (1.5.4)
-    parallel (1.19.1)
-    parser (2.7.0.2)
-      ast (~> 2.4.0)
+    openssl-signature_algorithm (1.0.0)
+    parallel (1.19.2)
+    parser (2.7.1.4)
+      ast (~> 2.4.1)
     rainbow (3.0.0)
-    rake (12.3.3)
+    rake (13.0.1)
+    rexml (3.2.4)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-support (3.9.2)
-    rubocop (0.79.0)
+    rspec-support (3.9.3)
+    rubocop (0.80.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
+      rexml
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.7)
     ruby-progressbar (1.10.1)
     thor (1.0.1)
-    unicode-display_width (1.6.0)
+    unicode-display_width (1.6.1)
 
 PLATFORMS
   ruby
@@ -51,9 +55,9 @@ PLATFORMS
 DEPENDENCIES
   appraisal (~> 2.2.0)
   byebug (~> 11.0)
-  rake (~> 12.0)
+  rake (~> 13.0)
   rspec (~> 3.0)
-  rubocop
+  rubocop (~> 0.80.1)
   tpm-key_attestation!
 
 BUNDLED WITH

data/README.md

@@ -2,8 +2,9 @@
 
 TPM Key Attestation utitlies
 
-[![Gem](https://img.shields.io/gem/v/tpm-key_attestation.svg?style=flat-square)](https://rubygems.org/gems/tpm-key_attestation)
-[![Travis](https://img.shields.io/travis/cedarcode/tpm-key_attestation.svg?style=flat-square)](https://travis-ci.org/cedarcode/tpm-key_attestation)
+[![Gem](https://img.shields.io/gem/v/tpm-key_attestation.svg?style=flat-square&color=informational)](https://rubygems.org/gems/tpm-key_attestation)
+[![Travis](https://img.shields.io/travis/cedarcode/tpm-key_attestation/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/tpm-key_attestation)
+[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 
 ## Installation
 
@@ -31,7 +32,7 @@ key_attestation =
     certified_object,
     signing_key,
     quilifying_data,
-    algorithm: "RS256" # Supported values: "RS256", "PS256", "ES256" (default "RS256")
+    signature_algorithm: TPM::ALG_RSAPSS # Supported values: TPM::ALG_RSAPSS, TPM::ALG_RSASSA, TPM::ALG_ECDSA (default TPM::ALG_RSASSA)
   )
 
 if key_attestation.valid?

data/gemfiles/openssl_2_0.gemfile

@@ -3,9 +3,10 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 gem "openssl", "~> 2.0.0"
 
 gemspec path: "../"

data/gemfiles/openssl_2_1.gemfile

@@ -3,9 +3,10 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 gem "openssl", "~> 2.1.0"
 
 gemspec path: "../"

data/gemfiles/openssl_2_2.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", "~> 2.2.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
+gem "rspec", "~> 3.0"
+gem "rubocop", "~> 0.80.1"
+gem "openssl", "~> 2.2.0"
+
+gemspec path: "../"

data/gemfiles/openssl_default.gemfile

@@ -3,8 +3,9 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 
 gemspec path: "../"

data/gemfiles/openssl_head.gemfile

@@ -3,9 +3,10 @@
 source "https://rubygems.org"
 
 gem "appraisal", "~> 2.2.0"
-gem "rake", "~> 12.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "rubocop"
+gem "rubocop", "~> 0.80.1"
 gem "openssl", git: "https://github.com/ruby/openssl"
 
 gemspec path: "../"

data/install-openssl.sh

@@ -0,0 +1,3 @@
+if [[ "${LIBSSL}" == "1.0" ]]; then
+  sudo apt purge libssl-dev && sudo apt-get -yq --no-install-suggests --no-install-recommends install libssl1.0-dev
+fi

data/install-ruby.sh

@@ -0,0 +1,10 @@
+source ~/.rvm/scripts/rvm
+
+if [[ "${LIBSSL}" == "1.0" ]]; then
+  rvm install $RB --autolibs=read-only -C --with-openssl-dir=usr/include/openssl
+elif [[ "${LIBSSL}" == "1.1" ]]; then
+  rvm install $RB --binary --fuzzy
+fi
+
+rvm use $RB
+ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

data/lib/tpm/{ek_certificate.rb → aik_certificate.rb}

@@ -6,14 +6,15 @@ require "tpm/constants"
 
 module TPM
   # Section 3.2 in https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
-  class EKCertificate < SimpleDelegator
+  class AIKCertificate < SimpleDelegator
     ASN_V3 = 2
     EMPTY_NAME = OpenSSL::X509::Name.new([]).freeze
     SAN_DIRECTORY_NAME = 4
-    OID_TCG_AT_TPM_MANUFACTURER = "2.23.133.2.1"
-    OID_TCG_AT_TPM_MODEL = "2.23.133.2.2"
-    OID_TCG_AT_TPM_VERSION = "2.23.133.2.3"
-    OID_TCG_KP_AIK_CERTIFICATE = "2.23.133.8.3"
+    OID_TCG = "2.23.133"
+    OID_TCG_AT_TPM_MANUFACTURER = "#{OID_TCG}.2.1"
+    OID_TCG_AT_TPM_MODEL = "#{OID_TCG}.2.2"
+    OID_TCG_AT_TPM_VERSION = "#{OID_TCG}.2.3"
+    OID_TCG_KP_AIK_CERTIFICATE = "#{OID_TCG}.8.3"
 
     def self.from_der(certificate_der)
       new(OpenSSL::X509::Certificate.new(certificate_der))
@@ -24,13 +25,10 @@ module TPM
         valid_version? &&
         valid_extended_key_usage? &&
         valid_basic_constraints? &&
+        empty_subject? &&
         valid_subject_alternative_name?
     end
 
-    def empty_subject?
-      subject.eql?(EMPTY_NAME)
-    end
-
     private
 
     def in_use?
@@ -55,31 +53,60 @@ module TPM
       extended_key_usage && extended_key_usage.value == OID_TCG_KP_AIK_CERTIFICATE && !extended_key_usage.critical?
     end
 
+    def empty_subject?
+      subject.eql?(EMPTY_NAME)
+    end
+
     def valid_subject_alternative_name?
-      extension = extensions.detect { |ext| ext.oid == "subjectAltName" }
-      return unless extension
-
-      san_asn1 =
-        OpenSSL::ASN1.decode(extension).find do |val|
-          val.tag_class == :UNIVERSAL && val.tag == OpenSSL::ASN1::OCTET_STRING
-        end
-      directory_name =
-        OpenSSL::ASN1.decode(san_asn1.value).find do |val|
-          val.tag_class == :CONTEXT_SPECIFIC && val.tag == SAN_DIRECTORY_NAME
-        end
-      name = OpenSSL::X509::Name.new(directory_name.value.first).to_a
-      manufacturer = name.assoc(OID_TCG_AT_TPM_MANUFACTURER).at(1)
-      model = name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
-      version = name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
-
-      ::TPM::VENDOR_IDS[manufacturer] &&
-        !model.empty? &&
-        !version.empty? &&
-        (empty_subject? && extension.critical? || !empty_subject? && !extension.critical?)
+      if san_extension
+        san_extension.critical? &&
+          !tpm_manufacturer.empty? &&
+          TPM::VENDOR_IDS[tpm_manufacturer] &&
+          !tpm_model.empty? &&
+          !tpm_version.empty?
+      end
     end
 
     def extension(oid)
       extensions.detect { |ext| ext.oid == oid }
     end
+
+    def tpm_manufacturer
+      if san_name
+        san_name.assoc(OID_TCG_AT_TPM_MANUFACTURER).at(1)
+      end
+    end
+
+    def tpm_model
+      if san_name
+        san_name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
+      end
+    end
+
+    def tpm_version
+      if san_name
+        san_name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
+      end
+    end
+
+    def san_name
+      if san_extension
+        san_asn1 =
+          OpenSSL::ASN1.decode(san_extension).find do |val|
+            val.tag_class == :UNIVERSAL && val.tag == OpenSSL::ASN1::OCTET_STRING
+          end
+
+        directory_name =
+          OpenSSL::ASN1.decode(san_asn1.value).find do |val|
+            val.tag_class == :CONTEXT_SPECIFIC && val.tag == SAN_DIRECTORY_NAME
+          end
+
+        OpenSSL::X509::Name.new(directory_name.value.first).to_a
+      end
+    end
+
+    def san_extension
+      extension("subjectAltName")
+    end
   end
 end

data/lib/tpm/certificates/NationZ/RootCA/EkRootCA.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRDCCAcqgAwIBAgIBATAKBggqhkjOPQQDAzBrMQswCQYDVQQGEwJDTjEhMB8G
+A1UECgwYTmF0aW9ueiBUZWNobm9sb2dpZXMgSW5jMRswGQYDVQQLDBJOYXRpb256
+IFRQTSBEZXZpY2UxHDAaBgNVBAMME05hdGlvbnogVFBNIFJvb3QgQ0EwHhcNMTcw
+NTEyMDAwMDAwWhcNNDcwNTEzMDAwMDAwWjBrMQswCQYDVQQGEwJDTjEhMB8GA1UE
+CgwYTmF0aW9ueiBUZWNobm9sb2dpZXMgSW5jMRswGQYDVQQLDBJOYXRpb256IFRQ
+TSBEZXZpY2UxHDAaBgNVBAMME05hdGlvbnogVFBNIFJvb3QgQ0EwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATvuDTN8TNvp3A9fSjWpDARLmvz7ItQrDq/mmuzvzInwQfs
+YKUUJza4MXB3yS0PH1jjv1YMvaIBIalAgc+kahScQUy6W2fy6hd36pazmc/vQfG3
+Gdhw56gGwRHx4rn4TuqjQjBAMB0GA1UdDgQWBBQ6vP8I314BDCtkB4vHzpUG9Aj9
+5DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNo
+ADBlAjApzqSmd4cCMKC7slJ4NE/7zweXZx89JzSEnEWGcq78jbbXCw6yM+R4nCNX
+phflI9QCMQCeFOAvyR+DQvThfGFINABej+1zeDVIjuZHat3FHVyV0UQVClPgMlZu
+TntipXwGOVY=
+-----END CERTIFICATE-----

data/lib/tpm/certify_validator.rb

@@ -1,19 +1,33 @@
 # frozen_string_literal: true
 
+require "openssl/signature_algorithm"
 require "tpm/constants"
-require "tpm/public_area"
 require "tpm/s_attest"
 
 module TPM
   class CertifyValidator
-    attr_reader :info, :signature, :nonce, :object, :algorithm
+    attr_reader :info, :signature, :nonce, :public_area, :signature_algorithm, :hash_algorithm
 
-    def initialize(info, signature, nonce, object, algorithm: "RS256")
+    TPM_SIGNATURE_ALG_TO_OPENSSL = {
+      ALG_RSASSA => OpenSSL::SignatureAlgorithm::RSAPKCS1,
+      ALG_RSAPSS => OpenSSL::SignatureAlgorithm::RSAPSS,
+      ALG_ECDSA => OpenSSL::SignatureAlgorithm::ECDSA
+    }.freeze
+
+    TPM_HASH_ALG_TO_OPENSSL = {
+      ALG_SHA1 => "SHA1",
+      ALG_SHA256 => "SHA256",
+      ALG_SHA384 => "SHA384",
+      ALG_SHA512 => "SHA512"
+    }.freeze
+
+    def initialize(info, signature, nonce, public_area, signature_algorithm: ALG_RSASSA, hash_algorithm: ALG_SHA256)
       @info = info
       @signature = signature
       @nonce = nonce
-      @object = object
-      @algorithm = algorithm
+      @public_area = public_area
+      @signature_algorithm = signature_algorithm
+      @hash_algorithm = hash_algorithm
     end
 
     def valid?(signing_key)
@@ -26,27 +40,38 @@ module TPM
       attest.attested_type == TPM::ST_ATTEST_CERTIFY &&
         attest.extra_data.buffer == nonce &&
         attest.magic == TPM::GENERATED_VALUE &&
-        attest.attested.name.buffer == TPM::PublicArea.new(object).name
+        attest.attested.name.valid_for?(public_area.name)
     end
 
-    def valid_signature?(signing_key)
-      if rsa_pss?
-        signing_key.verify_pss(hash_function, signature, info, salt_length: :auto, mgf1_hash: hash_function)
-      else
-        signing_key.verify(hash_function, signature, info)
-      end
+    def valid_signature?(verify_key)
+      openssl_signature_algorithm = openssl_signature_algorithm_class.new(**openssl_signature_algorithm_parameters)
+      openssl_signature_algorithm.verify_key = verify_key
+      openssl_signature_algorithm.verify(signature, info)
+    rescue OpenSSL::SignatureAlgorithm::Error
+      false
     end
 
     def attest
       @attest ||= TPM::SAttest.deserialize(info)
     end
 
-    def hash_function
-      "SHA#{algorithm[2..-1]}"
+    def openssl_signature_algorithm_parameters
+      parameters = { hash_function: openssl_hash_function }
+
+      if public_area.ecc?
+        parameters[:curve] = public_area.openssl_curve_name
+      end
+
+      parameters
+    end
+
+    def openssl_hash_function
+      TPM_HASH_ALG_TO_OPENSSL[hash_algorithm] || raise("Unsupported hash algorithm #{hash_algorithm}")
     end
 
-    def rsa_pss?
-      algorithm.start_with?("PS")
+    def openssl_signature_algorithm_class
+      TPM_SIGNATURE_ALG_TO_OPENSSL[signature_algorithm] ||
+        raise("Unsupported signature algorithm #{signature_algorithm}")
     end
   end
 end

data/lib/tpm/constants.rb

@@ -11,6 +11,8 @@ module TPM
   ALG_RSA = 0x0001
   ALG_SHA1 = 0x0004
   ALG_SHA256 = 0x000B
+  ALG_SHA384 = 0x000C
+  ALG_SHA512 = 0x000D
   ALG_NULL = 0x0010
   ALG_RSASSA = 0x0014
   ALG_RSAPSS = 0x0016
@@ -19,6 +21,8 @@ module TPM
 
   # ECC curves
   ECC_NIST_P256 = 0x0003
+  ECC_NIST_P384 = 0x0004
+  ECC_NIST_P521 = 0x0005
 
   # https://trustedcomputinggroup.org/resource/vendor-id-registry/ section 2 "TPM Capabilities Vendor ID (CAP_VID)"
   VENDOR_IDS = {

data/lib/tpm/key_attestation.rb

@@ -1,32 +1,68 @@
 # frozen_string_literal: true
 
+require "openssl"
 require "tpm/key_attestation/version"
+
+require "tpm/aik_certificate"
 require "tpm/certify_validator"
+require "tpm/constants"
+require "tpm/public_area"
 
 module TPM
   class KeyAttestation
+    # https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-install-trusted-tpm-root-certificates
+    ROOT_CERTIFICATES =
+      begin
+        pattern = File.expand_path(File.join(__dir__, "certificates", "*", "RootCA", "*.*"))
+        Dir.glob(pattern).map do |filename|
+          File.open(filename) { |file| OpenSSL::X509::Certificate.new(file) }
+        end
+      end
+
     class Error < StandardError; end
 
-    attr_reader :certify_info, :signature, :certified_object, :signing_key, :algorithm, :qualifying_data
+    attr_reader(
+      :certify_info,
+      :signature,
+      :certified_key,
+      :certificates,
+      :signature_algorithm,
+      :hash_algorithm,
+      :qualifying_data,
+      :root_certificates
+    )
 
-    def initialize(certify_info, signature, certified_object, signing_key, qualifying_data, algorithm: "RS256")
+    def initialize(
+      certify_info,
+      signature,
+      certified_key,
+      certificates,
+      qualifying_data,
+      signature_algorithm: ALG_RSASSA,
+      hash_algorithm: ALG_SHA256,
+      root_certificates: ROOT_CERTIFICATES
+    )
       @certify_info = certify_info
       @signature = signature
 
-      @certified_object = certified_object
-      @signing_key = signing_key
-      @algorithm = algorithm
+      @certified_key = certified_key
+      @certificates = certificates
+      @signature_algorithm = signature_algorithm
+      @hash_algorithm = hash_algorithm
       @qualifying_data = qualifying_data
+      @root_certificates = root_certificates
     end
 
     def key
-      if certify_validator.valid?(signing_key)
+      if valid?
         public_area.key
       end
     end
 
     def valid?
-      !!key
+      certify_validator.valid?(aik_certificate.public_key) &&
+        aik_certificate.conformant? &&
+        trustworthy?
     end
 
     private
@@ -37,13 +73,31 @@ module TPM
           certify_info,
           signature,
           qualifying_data,
-          certified_object,
-          algorithm: algorithm
+          public_area,
+          signature_algorithm: signature_algorithm,
+          hash_algorithm: hash_algorithm
         )
     end
 
+    def trustworthy?
+      x509_certificates = certificates.map { |c| OpenSSL::X509::Certificate.new(c) }
+
+      trust_store.verify(x509_certificates[0], x509_certificates[1..-1])
+    end
+
+    def trust_store
+      @trust_store ||=
+        OpenSSL::X509::Store.new.tap do |trust_store|
+          root_certificates.uniq(&:serial).each { |root_certificate| trust_store.add_cert(root_certificate) }
+        end
+    end
+
+    def aik_certificate
+      @aik_certificate ||= TPM::AIKCertificate.from_der(certificates.first)
+    end
+
     def public_area
-      @public_area ||= TPM::PublicArea.new(certified_object)
+      @public_area ||= TPM::PublicArea.new(certified_key)
     end
   end
 end

data/lib/tpm/key_attestation/version.rb

@@ -2,6 +2,6 @@
 
 module TPM
   class KeyAttestation
-    VERSION = "0.5.0"
+    VERSION = "0.10.0"
   end
 end

data/lib/tpm/public_area.rb

@@ -24,6 +24,14 @@ module TPM
       t_public.key
     end
 
+    def ecc?
+      t_public.ecc?
+    end
+
+    def openssl_curve_name
+      t_public.openssl_curve_name
+    end
+
     private
 
     def name_digest

data/lib/tpm/s_attest/s_certify_info.rb

@@ -2,12 +2,13 @@
 
 require "bindata"
 require "tpm/sized_buffer"
+require "tpm/tpm2b_name"
 
 module TPM
   class SAttest < BinData::Record
     # Section 10.12.3 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
     class SCertifyInfo < BinData::Record
-      sized_buffer :name
+      tpm2b_name :name
       sized_buffer :qualified_name
     end
   end

data/lib/tpm/t_public.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "bindata"
+require "openssl"
 require "tpm/constants"
 require "tpm/sized_buffer"
 require "tpm/t_public/s_ecc_parms"
@@ -10,7 +11,16 @@ module TPM
   # Section 12.2.4 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
   class TPublic < BinData::Record
     BYTE_LENGTH = 8
-    CURVE_TPM_TO_OPENSSL = { TPM::ECC_NIST_P256 => "prime256v1" }.freeze
+
+    CURVE_TPM_TO_OPENSSL = {
+      TPM::ECC_NIST_P256 => "prime256v1",
+      TPM::ECC_NIST_P384 => "secp384r1",
+      TPM::ECC_NIST_P521 => "secp521r1",
+    }.freeze
+
+    BN_BASE = 2
+    RSA_KEY_DEFAULT_PUBLIC_EXPONENT = 2**16 + 1
+    ECC_UNCOMPRESSED_POINT_INDICATOR = "\x04"
 
     class << self
       alias_method :deserialize, :read
@@ -36,12 +46,19 @@ module TPM
       sized_buffer TPM::ALG_RSA
     end
 
+    def rsa?
+      alg_type == TPM::ALG_RSA
+    end
+
+    def ecc?
+      alg_type == TPM::ALG_ECC
+    end
+
     def key
-      if parameters.symmetric == ::TPM::ALG_NULL
-        case alg_type
-        when TPM::ALG_ECC
+      if parameters.symmetric == TPM::ALG_NULL
+        if ecc?
           ecc_key
-        when TPM::ALG_RSA
+        elsif rsa?
           rsa_key
         else
           raise "Type #{alg_type} not supported"
@@ -49,21 +66,22 @@ module TPM
       end
     end
 
+    def openssl_curve_name
+      if ecc?
+        CURVE_TPM_TO_OPENSSL[parameters.curve_id] || raise("Unknown curve #{parameters.curve_id}")
+      end
+    end
+
     private
 
     def ecc_key
       if parameters.scheme == TPM::ALG_ECDSA
-        curve = CURVE_TPM_TO_OPENSSL[parameters.curve_id]
+        group = OpenSSL::PKey::EC::Group.new(openssl_curve_name)
 
-        if curve
-          group = OpenSSL::PKey::EC::Group.new(curve)
-          pkey = OpenSSL::PKey::EC.new(group)
-          public_key_bn = OpenSSL::BN.new("\x04" + unique.buffer.value, 2)
-          public_key_point = OpenSSL::PKey::EC::Point.new(group, public_key_bn)
-          pkey.public_key = public_key_point
+        key = OpenSSL::PKey::EC.new(group)
+        key.public_key = OpenSSL::PKey::EC::Point.new(group, bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.buffer.value))
 
-          pkey
-        end
+        key
       end
     end
 
@@ -74,7 +92,7 @@ module TPM
 
         if parameters.key_bits / BYTE_LENGTH == n.size
           key = OpenSSL::PKey::RSA.new(parameters.key_bits.value)
-          key.set_key(bn(n), nil, nil)
+          key.set_key(bn(n), bn(RSA_KEY_DEFAULT_PUBLIC_EXPONENT), nil)
 
           key.public_key
         end
@@ -83,7 +101,7 @@ module TPM
 
     def bn(data)
       if data
-        OpenSSL::BN.new(data, 2)
+        OpenSSL::BN.new(data, BN_BASE)
       end
     end
   end

data/lib/tpm/tpm2b_name.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "bindata"
+require "tpm/tpmt_ha"
+
+module TPM
+  class Tpm2bName < BinData::Record
+    endian :big
+
+    uint16 :name_size, value: lambda { name.to_binary_s.size }
+    tpmt_ha :name, read_length: :name_size
+
+    def valid_for?(other_name)
+      name.to_binary_s == other_name
+    end
+  end
+end

data/lib/tpm/tpmt_ha.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "bindata"
+
+module TPM
+  class TpmtHa < BinData::Record
+    BYTE_LENGTH = 8
+    DIGEST_LENGTH_SHA1 = 160
+    DIGEST_LENGTH_SHA256 = 256
+
+    endian :big
+
+    uint16 :hash_alg
+
+    choice :digest, selection: :hash_alg do
+      string TPM::ALG_SHA1, length: DIGEST_LENGTH_SHA1 / BYTE_LENGTH
+      string TPM::ALG_SHA256, length: DIGEST_LENGTH_SHA256 / BYTE_LENGTH
+    end
+  end
+end

data/tpm-key_attestation.gemspec

@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "bindata", "~> 2.4"
+  spec.add_dependency "openssl-signature_algorithm", "~> 1.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tpm-key_attestation
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Gonzalo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-01-23 00:00:00.000000000 Z
+date: 2020-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: openssl-signature_algorithm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: 
 email: 
 executables: []
@@ -46,11 +60,42 @@ files:
 - bin/setup
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_default.gemfile
 - gemfiles/openssl_head.gemfile
+- install-openssl.sh
+- install-ruby.sh
+- lib/tpm/aik_certificate.rb
+- lib/tpm/certificates/AMD/RootCA/AMD-fTPM-ECC-RootCA.crt
+- lib/tpm/certificates/AMD/RootCA/AMD-fTPM-RSA-RootCA.crt
+- lib/tpm/certificates/Atmel/RootCA/Atmel TPM Root Signing Module.der
+- lib/tpm/certificates/Infineon/RootCA/IFX TPM EK Root CA.cer
+- lib/tpm/certificates/Infineon/RootCA/IFX-RootCA.cer
+- lib/tpm/certificates/Infineon/RootCA/IFX_TPM_RootCert_008.crt
+- lib/tpm/certificates/Infineon/RootCA/Infineon OPTIGA(TM) ECC Root CA.crt
+- lib/tpm/certificates/Infineon/RootCA/Infineon OPTIGA(TM) RSA Root CA.crt
+- lib/tpm/certificates/Intel/RootCA/EKRootPublicKey.cer
+- lib/tpm/certificates/Microsoft/RootCA/Microsoft TPM Root Certificate Authority 2014.cer
+- lib/tpm/certificates/NationZ/RootCA/EkRootCA.crt
+- lib/tpm/certificates/Nuvoton/RootCA/NTC TPM EK Root CA 01.cer
+- lib/tpm/certificates/Nuvoton/RootCA/NTC TPM EK Root CA 02.cer
+- lib/tpm/certificates/Nuvoton/RootCA/NTC TPM EK Root CA ARSUF 01.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1013.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1014.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1110.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 1111.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2010.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2011.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2110.cer
+- lib/tpm/certificates/Nuvoton/RootCA/Nuvoton TPM Root CA 2111.cer
+- lib/tpm/certificates/QC/RootCA/Microsoft TPM Root Certificate Authority 2014.cer
+- lib/tpm/certificates/STMicro/RootCA/GlobalSign Trusted Computing CA.crt
+- lib/tpm/certificates/STMicro/RootCA/GlobalSign Trusted Platform Module ECC Root
+  CA.crt
+- lib/tpm/certificates/STMicro/RootCA/ST TPM Root Certificate.crt
+- lib/tpm/certificates/STMicro/RootCA/STM TPM ECC Root CA 01.crt
 - lib/tpm/certify_validator.rb
 - lib/tpm/constants.rb
-- lib/tpm/ek_certificate.rb
 - lib/tpm/key_attestation.rb
 - lib/tpm/key_attestation/version.rb
 - lib/tpm/public_area.rb
@@ -60,6 +105,8 @@ files:
 - lib/tpm/t_public.rb
 - lib/tpm/t_public/s_ecc_parms.rb
 - lib/tpm/t_public/s_rsa_parms.rb
+- lib/tpm/tpm2b_name.rb
+- lib/tpm/tpmt_ha.rb
 - tpm-key_attestation.gemspec
 homepage: https://github.com/cedarcode/tpm-key_attestation
 licenses:
@@ -83,7 +130,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: TPM Key Attestation verifier