tpm-key_attestation 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a70caca43d540853ceca86581030de8e86925e630510deb34e3af736e314b55
-  data.tar.gz: c7b0ab0e81a6607b9d24b8a8a01aa0447f2b4281f961f0180d27dd4f8fc88e00
+  metadata.gz: fbe3cdf38d6460a938f807e18343011b5b1222fd0a3451c40ca0675ea30e74b1
+  data.tar.gz: 7bad2c9779bc3c15cb591ca6ca7a54ac0c608727166056360c31d77bc5cc23fd
 SHA512:
-  metadata.gz: babb217a8144f5fc34ce1f2b8a02485390b1c744beb3ed7f5f80e656415ad70dd674b2a7917b3e4db778aa7e69b20318179609c15d793126028a0699b38932e2
-  data.tar.gz: 16e3f16f0cbe9d9d3032f112416d276532563c1730959cc8c41539e750e7476f3bc4a7074671628524bb051a7be17c792209ff4d931ac1808f56e390225782eb
+  metadata.gz: 0ffae87bcd8326dcbaaad92e9d487843461ae07d67dc20b0934d1130de00b8c167553c072e8674a41214f330952b9b6bb39ada04d2f6aad2bf62c3748c056e14
+  data.tar.gz: 2f650b3bd139b0db1c41eccbc99cd59f9a4af01454b94b31672cfad58c253c5c4cfc36ffccabc561b651d0b1a7789dc94420c8b680245cd1215053328ca2ce18

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [v0.3.0] - 2020-01-20
+
+### Added
+
+- `TPM::KeyAttestation#key` returns attested key as an instance of `OpenSSL::PKey::PKey`
+
 ## [v0.2.0] - 2020-01-16
 
 ### Added
@@ -13,5 +19,6 @@
 - `TPM::EKCertificate` wrapper
 - `TPM::SAttest` wrapper
 
+[v0.3.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.2.0...v0.3.0/
 [v0.2.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/tpm-key_attestation/compare/57c926ef7e83830cee8d111fdc5ccaf99ab2e861...v0.1.0/

data/README.md

@@ -24,8 +24,19 @@ Or install it yourself as:
 ## Usage
 
 ```ruby
-  TPM::SAttest.dererialize(certify_info).valid?(certified_object, certified_extra_data_hash)
-  TPM::EKCertificate.from_der(certificate_der).conformant?
+key_attestation =
+  TPM::KeyAttestation.new(
+    certify_info,
+    signature,
+    certified_object,
+    signing_key,
+    hash_function,
+    quilifying_data
+  )
+
+if key_attestation.valid?
+  key_attestation.key
+end
 ```
 
 ## Development

data/lib/tpm/certify_validator.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "tpm/constants"
+require "tpm/public_area"
+require "tpm/s_attest"
+
+module TPM
+  class CertifyValidator
+    attr_reader :info, :signature, :nonce, :object
+
+    def initialize(info, signature, nonce, object)
+      @info = info
+      @signature = signature
+      @nonce = nonce
+      @object = object
+    end
+
+    def valid?(signing_key, hash_function)
+      valid_info? && valid_signature?(signing_key, hash_function)
+    end
+
+    private
+
+    def valid_info?
+      attest.attested_type == TPM::ST_ATTEST_CERTIFY &&
+        attest.extra_data.buffer == nonce &&
+        attest.magic == TPM::GENERATED_VALUE &&
+        attest.attested.name.buffer == TPM::PublicArea.new(object).name
+    end
+
+    def valid_signature?(signing_key, hash_function)
+      signing_key.verify(hash_function, signature, info)
+    end
+
+    def attest
+      @attest ||= TPM::SAttest.deserialize(info)
+    end
+  end
+end

data/lib/tpm/key_attestation.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "tpm/key_attestation/version"
+require "tpm/certify_validator"
 
 module TPM
   class KeyAttestation
@@ -18,22 +19,30 @@ module TPM
       @qualifying_data = qualifying_data
     end
 
+    def key
+      if valid?
+        public_area.key
+      end
+    end
+
     def valid?
-      valid_signature? && valid_certify_info?
+      certify_validator.valid?(signing_key, hash_function)
     end
 
     private
 
-    def valid_signature?
-      signing_key.verify(hash_function, signature, certify_info)
-    end
-
-    def valid_certify_info?
-      s_attest.valid?(certified_object, qualifying_data)
+    def certify_validator
+      @certify_validator ||=
+        TPM::CertifyValidator.new(
+          certify_info,
+          signature,
+          qualifying_data,
+          certified_object
+        )
     end
 
-    def s_attest
-      @s_attest ||= ::TPM::SAttest.read(certify_info)
+    def public_area
+      @public_area ||= TPM::PublicArea.new(certified_object)
     end
   end
 end

data/lib/tpm/key_attestation/version.rb

@@ -2,6 +2,6 @@
 
 module TPM
   class KeyAttestation
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/tpm/public_area.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "tpm/t_public"
+
+module TPM
+  TPM_TO_OPENSSL_HASH_ALG = {
+    TPM::ALG_SHA1 => "SHA1",
+    TPM::ALG_SHA256 => "SHA256"
+  }.freeze
+
+  class PublicArea
+    attr_reader :object
+
+    def initialize(object)
+      @object = object
+    end
+
+    def name
+      [name_alg].pack("n") + name_digest
+    end
+
+    def key
+      t_public.key
+    end
+
+    private
+
+    def name_digest
+      OpenSSL::Digest.digest(TPM_TO_OPENSSL_HASH_ALG[name_alg], object)
+    end
+
+    def name_alg
+      t_public.name_alg
+    end
+
+    def t_public
+      @t_public ||= TPM::TPublic.deserialize(object)
+    end
+  end
+end

data/lib/tpm/s_attest.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "bindata"
-require "openssl"
 require "tpm/constants"
 require "tpm/sized_buffer"
 require "tpm/s_attest/s_certify_info"
@@ -9,11 +8,6 @@ require "tpm/s_attest/s_certify_info"
 module TPM
   # Section 10.12.8 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
   class SAttest < BinData::Record
-    TPM_TO_OPENSSL_HASH_ALG = {
-      ::TPM::ALG_SHA1 => "SHA1",
-      ::TPM::ALG_SHA256 => "SHA256"
-    }.freeze
-
     class << self
       alias_method :deserialize, :read
     end
@@ -32,19 +26,5 @@ module TPM
     choice :attested, selection: :attested_type do
       s_certify_info TPM::ST_ATTEST_CERTIFY
     end
-
-    def valid?(attested_object, expected_extra_data)
-      magic == TPM::GENERATED_VALUE &&
-        valid_attested_object?(attested_object) &&
-        extra_data.buffer == expected_extra_data
-    end
-
-    private
-
-    def valid_attested_object?(attested_object)
-      name_hash_alg = attested.name.buffer[0..1].unpack("n")[0]
-
-      attested.name.buffer[2..-1] == OpenSSL::Digest.digest(TPM_TO_OPENSSL_HASH_ALG[name_hash_alg], attested_object)
-    end
   end
 end

data/lib/tpm/t_public.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "bindata"
+require "tpm/constants"
+require "tpm/sized_buffer"
+require "tpm/t_public/s_ecc_parms"
+require "tpm/t_public/s_rsa_parms"
+
+module TPM
+  # Section 12.2.4 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
+  class TPublic < BinData::Record
+    BYTE_LENGTH = 8
+    CURVE_TPM_TO_OPENSSL = { TPM::ECC_NIST_P256 => "prime256v1" }.freeze
+
+    class << self
+      alias_method :deserialize, :read
+    end
+
+    endian :big
+
+    uint16 :alg_type
+    uint16 :name_alg
+
+    # :object_attributes
+    skip length: 4
+
+    sized_buffer :auth_policy
+
+    choice :parameters, selection: :alg_type do
+      s_ecc_parms TPM::ALG_ECC
+      s_rsa_parms TPM::ALG_RSA
+    end
+
+    choice :unique, selection: :alg_type do
+      sized_buffer TPM::ALG_ECC
+      sized_buffer TPM::ALG_RSA
+    end
+
+    def key
+      if parameters.symmetric == ::TPM::ALG_NULL
+        case alg_type
+        when TPM::ALG_ECC
+          ecc_key
+        when TPM::ALG_RSA
+          rsa_key
+        else
+          raise "Type #{alg_type} not supported"
+        end
+      end
+    end
+
+    private
+
+    def ecc_key
+      if parameters.scheme == TPM::ALG_ECDSA
+        curve = CURVE_TPM_TO_OPENSSL[parameters.curve_id]
+
+        if curve
+          group = OpenSSL::PKey::EC::Group.new(curve)
+          pkey = OpenSSL::PKey::EC.new(group)
+          public_key_bn = OpenSSL::BN.new("\x04" + unique.buffer.value, 2)
+          public_key_point = OpenSSL::PKey::EC::Point.new(group, public_key_bn)
+          pkey.public_key = public_key_point
+
+          pkey
+        end
+      end
+    end
+
+    def rsa_key
+      case parameters.scheme
+      when TPM::ALG_RSASSA, TPM::ALG_RSAPSS, TPM::ALG_NULL
+        n = unique.buffer.value
+
+        if parameters.key_bits / BYTE_LENGTH == n.size
+          key = OpenSSL::PKey::RSA.new(parameters.key_bits.value)
+          key.set_key(bn(n), nil, nil)
+
+          key.public_key
+        end
+      end
+    end
+
+    def bn(data)
+      if data
+        OpenSSL::BN.new(data, 2)
+      end
+    end
+  end
+end

data/lib/tpm/t_public/s_ecc_parms.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "bindata"
+
+module TPM
+  class TPublic < BinData::Record
+    # Section 12.2.3.6 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
+    class SEccParms < BinData::Record
+      endian :big
+
+      uint16 :symmetric
+      uint16 :scheme
+      uint16 :curve_id
+      uint16 :kdf
+    end
+  end
+end

data/lib/tpm/t_public/s_rsa_parms.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "bindata"
+
+module TPM
+  class TPublic < BinData::Record
+    # Section 12.2.3.5 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
+    class SRsaParms < BinData::Record
+      endian :big
+
+      uint16 :symmetric
+      uint16 :scheme
+      uint16 :key_bits
+      uint32 :exponent
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tpm-key_attestation
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Gonzalo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-01-16 00:00:00.000000000 Z
+date: 2020-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -48,13 +48,18 @@ files:
 - gemfiles/openssl_2_1.gemfile
 - gemfiles/openssl_default.gemfile
 - gemfiles/openssl_head.gemfile
+- lib/tpm/certify_validator.rb
 - lib/tpm/constants.rb
 - lib/tpm/ek_certificate.rb
 - lib/tpm/key_attestation.rb
 - lib/tpm/key_attestation/version.rb
+- lib/tpm/public_area.rb
 - lib/tpm/s_attest.rb
 - lib/tpm/s_attest/s_certify_info.rb
 - lib/tpm/sized_buffer.rb
+- lib/tpm/t_public.rb
+- lib/tpm/t_public/s_ecc_parms.rb
+- lib/tpm/t_public/s_rsa_parms.rb
 - tpm-key_attestation.gemspec
 homepage: https://github.com/cedarcode/tpm-key_attestation
 licenses: