tpm-key_attestation 0.5.0 → 0.6.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (11) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +8 -0
  3. data/Gemfile.lock +3 -1
  4. data/README.md +1 -1
  5. data/lib/tpm/certify_validator.rb +28 -12
  6. data/lib/tpm/ek_certificate.rb +1 -1
  7. data/lib/tpm/key_attestation.rb +23 -4
  8. data/lib/tpm/key_attestation/version.rb +1 -1
  9. data/lib/tpm/t_public.rb +1 -1
  10. data/tpm-key_attestation.gemspec +1 -0
  11. metadata +16 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e5df735cc88867e6fb7c0cdb55698173cfdddec88630b3a69534ba15cd0d9c32
4
- data.tar.gz: aef2b61ce9a23bd4bd27f9dda61e7719a7eb1914ce29321d3e6ab2c723ffcf16
3
+ metadata.gz: 6b370d3aabc86bde782bf8cf6a6507f85edf56a676875fd4511c30dd4ddff1da
4
+ data.tar.gz: 53ce92d16a1ab22b573236c0a859c8ebec4c6172679b22d957e6ebf3347d4531
5
5
  SHA512:
6
- metadata.gz: 3ec2802f034dfceebd917044760337c4968cb0268b8de970fd977c0f5d5da5ffbaf3c7017b12c3d372d1973d2f4807d1051e90ed28ddb4a8bca52eb15510cf57
7
- data.tar.gz: 2bba01a0fdcd9baee3af72c2442a388cccde52b31c3e22a2e25ee46cace1edb307d1246ecdb62e11251a3e41d0114318a973f5253bfb8516d940c27dbd134d80
6
+ metadata.gz: 407f2c3dadf408a90c536cb5723e52ebc28e12f89231b93c6915ba182b7773960c256c7a2d5cc087bb3af02bf14522518cdafc279783321e3f0812daafe7b405
7
+ data.tar.gz: '0787cf34b0c204ed54391766fceafdf28fb1fcc5a453887b0a8f671f13f6c4b89f9f562e6ec6b72e996b3668f4b797ec0a53acdee87174a8cb0ae97c6dbdf91f'
data/CHANGELOG.md CHANGED
@@ -1,5 +1,12 @@
1
1
  # Changelog
2
2
 
3
+ ## [v0.6.0] - 2020-01-30
4
+
5
+ ### Changed
6
+
7
+ - `TPM::KeyAttestation.new` now accepts `signature_algorithm` and `hash_algorithm` in TPM format in
8
+ replacement of `JOSE` format `algorithm` string
9
+
3
10
  ## [v0.5.0] - 2020-01-23
4
11
 
5
12
  ### Added
@@ -31,6 +38,7 @@
31
38
  - `TPM::EKCertificate` wrapper
32
39
  - `TPM::SAttest` wrapper
33
40
 
41
+ [v0.6.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.5.0...v0.6.0/
34
42
  [v0.5.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.4.0...v0.5.0/
35
43
  [v0.4.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.3.0...v0.4.0/
36
44
  [v0.3.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.2.0...v0.3.0/
data/Gemfile.lock CHANGED
@@ -1,8 +1,9 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- tpm-key_attestation (0.5.0)
4
+ tpm-key_attestation (0.6.0)
5
5
  bindata (~> 2.4)
6
+ openssl-signature_algorithm (~> 0.3.0)
6
7
 
7
8
  GEM
8
9
  remote: https://rubygems.org/
@@ -16,6 +17,7 @@ GEM
16
17
  byebug (11.1.0)
17
18
  diff-lcs (1.3)
18
19
  jaro_winkler (1.5.4)
20
+ openssl-signature_algorithm (0.3.0)
19
21
  parallel (1.19.1)
20
22
  parser (2.7.0.2)
21
23
  ast (~> 2.4.0)
data/README.md CHANGED
@@ -31,7 +31,7 @@ key_attestation =
31
31
  certified_object,
32
32
  signing_key,
33
33
  quilifying_data,
34
- algorithm: "RS256" # Supported values: "RS256", "PS256", "ES256" (default "RS256")
34
+ signature_algorithm: TPM::ALG_RSAPSS # Supported values: TPM::ALG_RSAPSS, TPM::ALG_RSASSA, TPM::ALG_ECDSA (default TPM::ALG_RSASSA)
35
35
  )
36
36
 
37
37
  if key_attestation.valid?
data/lib/tpm/certify_validator.rb CHANGED
@@ -1,19 +1,32 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "openssl/signature_algorithm"
3
4
  require "tpm/constants"
4
5
  require "tpm/public_area"
5
6
  require "tpm/s_attest"
6
7
 
7
8
  module TPM
8
9
  class CertifyValidator
9
- attr_reader :info, :signature, :nonce, :object, :algorithm
10
+ attr_reader :info, :signature, :nonce, :object, :signature_algorithm, :hash_algorithm
10
11
 
11
- def initialize(info, signature, nonce, object, algorithm: "RS256")
12
+ TPM_SIGNATURE_ALG_TO_OPENSSL = {
13
+ ALG_RSASSA => OpenSSL::SignatureAlgorithm::RSAPKCS1,
14
+ ALG_RSAPSS => OpenSSL::SignatureAlgorithm::RSAPSS,
15
+ ALG_ECDSA => OpenSSL::SignatureAlgorithm::ECDSA
16
+ }.freeze
17
+
18
+ TPM_HASH_ALG_TO_OPENSSL = {
19
+ ALG_SHA1 => "SHA1",
20
+ ALG_SHA256 => "SHA256"
21
+ }.freeze
22
+
23
+ def initialize(info, signature, nonce, object, signature_algorithm: ALG_RSASSA, hash_algorithm: ALG_SHA256)
12
24
  @info = info
13
25
  @signature = signature
14
26
  @nonce = nonce
15
27
  @object = object
16
- @algorithm = algorithm
28
+ @signature_algorithm = signature_algorithm
29
+ @hash_algorithm = hash_algorithm
17
30
  end
18
31
 
19
32
  def valid?(signing_key)
@@ -29,11 +42,14 @@ module TPM
29
42
  attest.attested.name.buffer == TPM::PublicArea.new(object).name
30
43
  end
31
44
 
32
- def valid_signature?(signing_key)
33
- if rsa_pss?
34
- signing_key.verify_pss(hash_function, signature, info, salt_length: :auto, mgf1_hash: hash_function)
35
- else
36
- signing_key.verify(hash_function, signature, info)
45
+ def valid_signature?(verify_key)
46
+ openssl_signature_algorithm = openssl_signature_algorithm_class.new(openssl_hash_function[3..-1])
47
+ openssl_signature_algorithm.verify_key = verify_key
48
+
49
+ begin
50
+ openssl_signature_algorithm.verify(signature, info)
51
+ rescue OpenSSL::SignatureAlgorithm::Error
52
+ false
37
53
  end
38
54
  end
39
55
 
@@ -41,12 +57,12 @@ module TPM
41
57
  @attest ||= TPM::SAttest.deserialize(info)
42
58
  end
43
59
 
44
- def hash_function
45
- "SHA#{algorithm[2..-1]}"
60
+ def openssl_hash_function
61
+ TPM_HASH_ALG_TO_OPENSSL[hash_algorithm] || raise("Unsupported hash algorithm #{hash_algorithm}")
46
62
  end
47
63
 
48
- def rsa_pss?
49
- algorithm.start_with?("PS")
64
+ def openssl_signature_algorithm_class
65
+ TPM_SIGNATURE_ALG_TO_OPENSSL[signature_algorithm] || raise("Unsupported signature algorithm #{algorithm}")
50
66
  end
51
67
  end
52
68
  end
data/lib/tpm/ek_certificate.rb CHANGED
@@ -72,7 +72,7 @@ module TPM
72
72
  model = name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
73
73
  version = name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
74
74
 
75
- ::TPM::VENDOR_IDS[manufacturer] &&
75
+ TPM::VENDOR_IDS[manufacturer] &&
76
76
  !model.empty? &&
77
77
  !version.empty? &&
78
78
  (empty_subject? && extension.critical? || !empty_subject? && !extension.critical?)
data/lib/tpm/key_attestation.rb CHANGED
@@ -2,20 +2,38 @@
2
2
 
3
3
  require "tpm/key_attestation/version"
4
4
  require "tpm/certify_validator"
5
+ require "tpm/constants"
5
6
 
6
7
  module TPM
7
8
  class KeyAttestation
8
9
  class Error < StandardError; end
9
10
 
10
- attr_reader :certify_info, :signature, :certified_object, :signing_key, :algorithm, :qualifying_data
11
+ attr_reader(
12
+ :certify_info,
13
+ :signature,
14
+ :certified_object,
15
+ :signing_key,
16
+ :signature_algorithm,
17
+ :hash_algorithm,
18
+ :qualifying_data
19
+ )
11
20
 
12
- def initialize(certify_info, signature, certified_object, signing_key, qualifying_data, algorithm: "RS256")
21
+ def initialize(
22
+ certify_info,
23
+ signature,
24
+ certified_object,
25
+ signing_key,
26
+ qualifying_data,
27
+ signature_algorithm: ALG_RSASSA,
28
+ hash_algorithm: ALG_SHA256
29
+ )
13
30
  @certify_info = certify_info
14
31
  @signature = signature
15
32
 
16
33
  @certified_object = certified_object
17
34
  @signing_key = signing_key
18
- @algorithm = algorithm
35
+ @signature_algorithm = signature_algorithm
36
+ @hash_algorithm = hash_algorithm
19
37
  @qualifying_data = qualifying_data
20
38
  end
21
39
 
@@ -38,7 +56,8 @@ module TPM
38
56
  signature,
39
57
  qualifying_data,
40
58
  certified_object,
41
- algorithm: algorithm
59
+ signature_algorithm: signature_algorithm,
60
+ hash_algorithm: hash_algorithm
42
61
  )
43
62
  end
44
63
 
data/lib/tpm/key_attestation/version.rb CHANGED
@@ -2,6 +2,6 @@
2
2
 
3
3
  module TPM
4
4
  class KeyAttestation
5
- VERSION = "0.5.0"
5
+ VERSION = "0.6.0"
6
6
  end
7
7
  end
data/lib/tpm/t_public.rb CHANGED
@@ -37,7 +37,7 @@ module TPM
37
37
  end
38
38
 
39
39
  def key
40
- if parameters.symmetric == ::TPM::ALG_NULL
40
+ if parameters.symmetric == TPM::ALG_NULL
41
41
  case alg_type
42
42
  when TPM::ALG_ECC
43
43
  ecc_key
data/tpm-key_attestation.gemspec CHANGED
@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
26
26
  spec.require_paths = ["lib"]
27
27
 
28
28
  spec.add_dependency "bindata", "~> 2.4"
29
+ spec.add_dependency "openssl-signature_algorithm", "~> 0.3.0"
29
30
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: tpm-key_attestation
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Gonzalo
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-01-23 00:00:00.000000000 Z
11
+ date: 2020-01-30 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bindata
@@ -24,6 +24,20 @@ dependencies:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
26
  version: '2.4'
27
+ - !ruby/object:Gem::Dependency
28
+ name: openssl-signature_algorithm
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: 0.3.0
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: 0.3.0
27
41
  description:
28
42
  email:
29
43
  executables: []