tpm-key_attestation 0.9.0 → 0.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/Gemfile.lock +8 -8
- data/lib/tpm/certify_validator.rb +23 -13
- data/lib/tpm/constants.rb +4 -0
- data/lib/tpm/key_attestation.rb +3 -1
- data/lib/tpm/key_attestation/version.rb +1 -1
- data/lib/tpm/public_area.rb +8 -0
- data/lib/tpm/t_public.rb +31 -14
- data/lib/tpm/tpm2b_name.rb +2 -3
- data/tpm-key_attestation.gemspec +1 -1
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 28d7fefca9a69f2a4be0c8124bfb2721767c9c891768607473827c11df7aeaa3
|
|
4
|
+
data.tar.gz: 4739a10cab12236ee54f4bfacd2a182bc2c48622c5feaffd800317d1ff49228d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b29f8eff516b2f8a8f78583b264586e9eec7c3ad31f8a351517e4b0552a39ef68be0274e83289189395a00e64aac171131252bd24c76fcd964e33a76acab436a
|
|
7
|
+
data.tar.gz: 69a191891d4a12c8afd4b2acd07ec9c5728506fb33e94cd34e102de1d851acbcfd7694befb6daa01981ab0e2cfaf120a9ddcae4b2d1337eb0e9a74bee485bedd
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,11 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v0.10.0] - 2020-07-09
|
|
4
|
+
|
|
5
|
+
### Added
|
|
6
|
+
|
|
7
|
+
- Support ECDSA with NIST P384 and P521 curves
|
|
8
|
+
|
|
3
9
|
## [v0.9.0] - 2020-05-31
|
|
4
10
|
|
|
5
11
|
### Fixed
|
|
@@ -61,6 +67,7 @@ replacement of `JOSE` format `algorithm` string
|
|
|
61
67
|
- `TPM::EKCertificate` wrapper
|
|
62
68
|
- `TPM::SAttest` wrapper
|
|
63
69
|
|
|
70
|
+
[v0.10.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.9.0...v0.10.0/
|
|
64
71
|
[v0.9.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.8.0...v0.9.0/
|
|
65
72
|
[v0.8.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.7.0...v0.8.0/
|
|
66
73
|
[v0.7.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.6.0...v0.7.0/
|
data/Gemfile.lock
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
tpm-key_attestation (0.
|
|
4
|
+
tpm-key_attestation (0.10.0)
|
|
5
5
|
bindata (~> 2.4)
|
|
6
|
-
openssl-signature_algorithm (~>
|
|
6
|
+
openssl-signature_algorithm (~> 1.0)
|
|
7
7
|
|
|
8
8
|
GEM
|
|
9
9
|
remote: https://rubygems.org/
|
|
@@ -12,15 +12,15 @@ GEM
|
|
|
12
12
|
bundler
|
|
13
13
|
rake
|
|
14
14
|
thor (>= 0.14.0)
|
|
15
|
-
ast (2.4.
|
|
15
|
+
ast (2.4.1)
|
|
16
16
|
bindata (2.4.7)
|
|
17
17
|
byebug (11.1.3)
|
|
18
|
-
diff-lcs (1.
|
|
18
|
+
diff-lcs (1.4.4)
|
|
19
19
|
jaro_winkler (1.5.4)
|
|
20
|
-
openssl-signature_algorithm (0.
|
|
21
|
-
parallel (1.19.
|
|
22
|
-
parser (2.7.1.
|
|
23
|
-
ast (~> 2.4.
|
|
20
|
+
openssl-signature_algorithm (1.0.0)
|
|
21
|
+
parallel (1.19.2)
|
|
22
|
+
parser (2.7.1.4)
|
|
23
|
+
ast (~> 2.4.1)
|
|
24
24
|
rainbow (3.0.0)
|
|
25
25
|
rake (13.0.1)
|
|
26
26
|
rexml (3.2.4)
|
|
@@ -6,7 +6,7 @@ require "tpm/s_attest"
|
|
|
6
6
|
|
|
7
7
|
module TPM
|
|
8
8
|
class CertifyValidator
|
|
9
|
-
attr_reader :info, :signature, :nonce, :
|
|
9
|
+
attr_reader :info, :signature, :nonce, :public_area, :signature_algorithm, :hash_algorithm
|
|
10
10
|
|
|
11
11
|
TPM_SIGNATURE_ALG_TO_OPENSSL = {
|
|
12
12
|
ALG_RSASSA => OpenSSL::SignatureAlgorithm::RSAPKCS1,
|
|
@@ -16,14 +16,16 @@ module TPM
|
|
|
16
16
|
|
|
17
17
|
TPM_HASH_ALG_TO_OPENSSL = {
|
|
18
18
|
ALG_SHA1 => "SHA1",
|
|
19
|
-
ALG_SHA256 => "SHA256"
|
|
19
|
+
ALG_SHA256 => "SHA256",
|
|
20
|
+
ALG_SHA384 => "SHA384",
|
|
21
|
+
ALG_SHA512 => "SHA512"
|
|
20
22
|
}.freeze
|
|
21
23
|
|
|
22
|
-
def initialize(info, signature, nonce,
|
|
24
|
+
def initialize(info, signature, nonce, public_area, signature_algorithm: ALG_RSASSA, hash_algorithm: ALG_SHA256)
|
|
23
25
|
@info = info
|
|
24
26
|
@signature = signature
|
|
25
27
|
@nonce = nonce
|
|
26
|
-
@
|
|
28
|
+
@public_area = public_area
|
|
27
29
|
@signature_algorithm = signature_algorithm
|
|
28
30
|
@hash_algorithm = hash_algorithm
|
|
29
31
|
end
|
|
@@ -38,30 +40,38 @@ module TPM
|
|
|
38
40
|
attest.attested_type == TPM::ST_ATTEST_CERTIFY &&
|
|
39
41
|
attest.extra_data.buffer == nonce &&
|
|
40
42
|
attest.magic == TPM::GENERATED_VALUE &&
|
|
41
|
-
attest.attested.name.valid_for?(
|
|
43
|
+
attest.attested.name.valid_for?(public_area.name)
|
|
42
44
|
end
|
|
43
45
|
|
|
44
46
|
def valid_signature?(verify_key)
|
|
45
|
-
openssl_signature_algorithm = openssl_signature_algorithm_class.new(
|
|
47
|
+
openssl_signature_algorithm = openssl_signature_algorithm_class.new(**openssl_signature_algorithm_parameters)
|
|
46
48
|
openssl_signature_algorithm.verify_key = verify_key
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
rescue OpenSSL::SignatureAlgorithm::Error
|
|
51
|
-
false
|
|
52
|
-
end
|
|
49
|
+
openssl_signature_algorithm.verify(signature, info)
|
|
50
|
+
rescue OpenSSL::SignatureAlgorithm::Error
|
|
51
|
+
false
|
|
53
52
|
end
|
|
54
53
|
|
|
55
54
|
def attest
|
|
56
55
|
@attest ||= TPM::SAttest.deserialize(info)
|
|
57
56
|
end
|
|
58
57
|
|
|
58
|
+
def openssl_signature_algorithm_parameters
|
|
59
|
+
parameters = { hash_function: openssl_hash_function }
|
|
60
|
+
|
|
61
|
+
if public_area.ecc?
|
|
62
|
+
parameters[:curve] = public_area.openssl_curve_name
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
parameters
|
|
66
|
+
end
|
|
67
|
+
|
|
59
68
|
def openssl_hash_function
|
|
60
69
|
TPM_HASH_ALG_TO_OPENSSL[hash_algorithm] || raise("Unsupported hash algorithm #{hash_algorithm}")
|
|
61
70
|
end
|
|
62
71
|
|
|
63
72
|
def openssl_signature_algorithm_class
|
|
64
|
-
TPM_SIGNATURE_ALG_TO_OPENSSL[signature_algorithm] ||
|
|
73
|
+
TPM_SIGNATURE_ALG_TO_OPENSSL[signature_algorithm] ||
|
|
74
|
+
raise("Unsupported signature algorithm #{signature_algorithm}")
|
|
65
75
|
end
|
|
66
76
|
end
|
|
67
77
|
end
|
data/lib/tpm/constants.rb
CHANGED
|
@@ -11,6 +11,8 @@ module TPM
|
|
|
11
11
|
ALG_RSA = 0x0001
|
|
12
12
|
ALG_SHA1 = 0x0004
|
|
13
13
|
ALG_SHA256 = 0x000B
|
|
14
|
+
ALG_SHA384 = 0x000C
|
|
15
|
+
ALG_SHA512 = 0x000D
|
|
14
16
|
ALG_NULL = 0x0010
|
|
15
17
|
ALG_RSASSA = 0x0014
|
|
16
18
|
ALG_RSAPSS = 0x0016
|
|
@@ -19,6 +21,8 @@ module TPM
|
|
|
19
21
|
|
|
20
22
|
# ECC curves
|
|
21
23
|
ECC_NIST_P256 = 0x0003
|
|
24
|
+
ECC_NIST_P384 = 0x0004
|
|
25
|
+
ECC_NIST_P521 = 0x0005
|
|
22
26
|
|
|
23
27
|
# https://trustedcomputinggroup.org/resource/vendor-id-registry/ section 2 "TPM Capabilities Vendor ID (CAP_VID)"
|
|
24
28
|
VENDOR_IDS = {
|
data/lib/tpm/key_attestation.rb
CHANGED
|
@@ -2,9 +2,11 @@
|
|
|
2
2
|
|
|
3
3
|
require "openssl"
|
|
4
4
|
require "tpm/key_attestation/version"
|
|
5
|
+
|
|
5
6
|
require "tpm/aik_certificate"
|
|
6
7
|
require "tpm/certify_validator"
|
|
7
8
|
require "tpm/constants"
|
|
9
|
+
require "tpm/public_area"
|
|
8
10
|
|
|
9
11
|
module TPM
|
|
10
12
|
class KeyAttestation
|
|
@@ -71,7 +73,7 @@ module TPM
|
|
|
71
73
|
certify_info,
|
|
72
74
|
signature,
|
|
73
75
|
qualifying_data,
|
|
74
|
-
|
|
76
|
+
public_area,
|
|
75
77
|
signature_algorithm: signature_algorithm,
|
|
76
78
|
hash_algorithm: hash_algorithm
|
|
77
79
|
)
|
data/lib/tpm/public_area.rb
CHANGED
data/lib/tpm/t_public.rb
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require "bindata"
|
|
4
|
+
require "openssl"
|
|
4
5
|
require "tpm/constants"
|
|
5
6
|
require "tpm/sized_buffer"
|
|
6
7
|
require "tpm/t_public/s_ecc_parms"
|
|
@@ -10,8 +11,16 @@ module TPM
|
|
|
10
11
|
# Section 12.2.4 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
|
|
11
12
|
class TPublic < BinData::Record
|
|
12
13
|
BYTE_LENGTH = 8
|
|
13
|
-
|
|
14
|
+
|
|
15
|
+
CURVE_TPM_TO_OPENSSL = {
|
|
16
|
+
TPM::ECC_NIST_P256 => "prime256v1",
|
|
17
|
+
TPM::ECC_NIST_P384 => "secp384r1",
|
|
18
|
+
TPM::ECC_NIST_P521 => "secp521r1",
|
|
19
|
+
}.freeze
|
|
20
|
+
|
|
21
|
+
BN_BASE = 2
|
|
14
22
|
RSA_KEY_DEFAULT_PUBLIC_EXPONENT = 2**16 + 1
|
|
23
|
+
ECC_UNCOMPRESSED_POINT_INDICATOR = "\x04"
|
|
15
24
|
|
|
16
25
|
class << self
|
|
17
26
|
alias_method :deserialize, :read
|
|
@@ -37,12 +46,19 @@ module TPM
|
|
|
37
46
|
sized_buffer TPM::ALG_RSA
|
|
38
47
|
end
|
|
39
48
|
|
|
49
|
+
def rsa?
|
|
50
|
+
alg_type == TPM::ALG_RSA
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
def ecc?
|
|
54
|
+
alg_type == TPM::ALG_ECC
|
|
55
|
+
end
|
|
56
|
+
|
|
40
57
|
def key
|
|
41
58
|
if parameters.symmetric == TPM::ALG_NULL
|
|
42
|
-
|
|
43
|
-
when TPM::ALG_ECC
|
|
59
|
+
if ecc?
|
|
44
60
|
ecc_key
|
|
45
|
-
|
|
61
|
+
elsif rsa?
|
|
46
62
|
rsa_key
|
|
47
63
|
else
|
|
48
64
|
raise "Type #{alg_type} not supported"
|
|
@@ -50,21 +66,22 @@ module TPM
|
|
|
50
66
|
end
|
|
51
67
|
end
|
|
52
68
|
|
|
69
|
+
def openssl_curve_name
|
|
70
|
+
if ecc?
|
|
71
|
+
CURVE_TPM_TO_OPENSSL[parameters.curve_id] || raise("Unknown curve #{parameters.curve_id}")
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
|
|
53
75
|
private
|
|
54
76
|
|
|
55
77
|
def ecc_key
|
|
56
78
|
if parameters.scheme == TPM::ALG_ECDSA
|
|
57
|
-
|
|
79
|
+
group = OpenSSL::PKey::EC::Group.new(openssl_curve_name)
|
|
58
80
|
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
pkey = OpenSSL::PKey::EC.new(group)
|
|
62
|
-
public_key_bn = OpenSSL::BN.new("\x04" + unique.buffer.value, 2)
|
|
63
|
-
public_key_point = OpenSSL::PKey::EC::Point.new(group, public_key_bn)
|
|
64
|
-
pkey.public_key = public_key_point
|
|
81
|
+
key = OpenSSL::PKey::EC.new(group)
|
|
82
|
+
key.public_key = OpenSSL::PKey::EC::Point.new(group, bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.buffer.value))
|
|
65
83
|
|
|
66
|
-
|
|
67
|
-
end
|
|
84
|
+
key
|
|
68
85
|
end
|
|
69
86
|
end
|
|
70
87
|
|
|
@@ -84,7 +101,7 @@ module TPM
|
|
|
84
101
|
|
|
85
102
|
def bn(data)
|
|
86
103
|
if data
|
|
87
|
-
OpenSSL::BN.new(data,
|
|
104
|
+
OpenSSL::BN.new(data, BN_BASE)
|
|
88
105
|
end
|
|
89
106
|
end
|
|
90
107
|
end
|
data/lib/tpm/tpm2b_name.rb
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require "bindata"
|
|
4
|
-
require "tpm/public_area"
|
|
5
4
|
require "tpm/tpmt_ha"
|
|
6
5
|
|
|
7
6
|
module TPM
|
|
@@ -11,8 +10,8 @@ module TPM
|
|
|
11
10
|
uint16 :name_size, value: lambda { name.to_binary_s.size }
|
|
12
11
|
tpmt_ha :name, read_length: :name_size
|
|
13
12
|
|
|
14
|
-
def valid_for?(
|
|
15
|
-
name.to_binary_s ==
|
|
13
|
+
def valid_for?(other_name)
|
|
14
|
+
name.to_binary_s == other_name
|
|
16
15
|
end
|
|
17
16
|
end
|
|
18
17
|
end
|
data/tpm-key_attestation.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: tpm-key_attestation
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.10.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Gonzalo
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-07-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bindata
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - "~>"
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version:
|
|
33
|
+
version: '1.0'
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version:
|
|
40
|
+
version: '1.0'
|
|
41
41
|
description:
|
|
42
42
|
email:
|
|
43
43
|
executables: []
|
|
@@ -130,7 +130,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
131
|
version: '0'
|
|
132
132
|
requirements: []
|
|
133
|
-
rubygems_version: 3.1.
|
|
133
|
+
rubygems_version: 3.1.4
|
|
134
134
|
signing_key:
|
|
135
135
|
specification_version: 4
|
|
136
136
|
summary: TPM Key Attestation verifier
|