tpm-key_attestation 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e5df735cc88867e6fb7c0cdb55698173cfdddec88630b3a69534ba15cd0d9c32
4
- data.tar.gz: aef2b61ce9a23bd4bd27f9dda61e7719a7eb1914ce29321d3e6ab2c723ffcf16
3
+ metadata.gz: 6b370d3aabc86bde782bf8cf6a6507f85edf56a676875fd4511c30dd4ddff1da
4
+ data.tar.gz: 53ce92d16a1ab22b573236c0a859c8ebec4c6172679b22d957e6ebf3347d4531
5
5
  SHA512:
6
- metadata.gz: 3ec2802f034dfceebd917044760337c4968cb0268b8de970fd977c0f5d5da5ffbaf3c7017b12c3d372d1973d2f4807d1051e90ed28ddb4a8bca52eb15510cf57
7
- data.tar.gz: 2bba01a0fdcd9baee3af72c2442a388cccde52b31c3e22a2e25ee46cace1edb307d1246ecdb62e11251a3e41d0114318a973f5253bfb8516d940c27dbd134d80
6
+ metadata.gz: 407f2c3dadf408a90c536cb5723e52ebc28e12f89231b93c6915ba182b7773960c256c7a2d5cc087bb3af02bf14522518cdafc279783321e3f0812daafe7b405
7
+ data.tar.gz: '0787cf34b0c204ed54391766fceafdf28fb1fcc5a453887b0a8f671f13f6c4b89f9f562e6ec6b72e996b3668f4b797ec0a53acdee87174a8cb0ae97c6dbdf91f'
@@ -1,5 +1,12 @@
1
1
  # Changelog
2
2
 
3
+ ## [v0.6.0] - 2020-01-30
4
+
5
+ ### Changed
6
+
7
+ - `TPM::KeyAttestation.new` now accepts `signature_algorithm` and `hash_algorithm` in TPM format in
8
+ replacement of `JOSE` format `algorithm` string
9
+
3
10
  ## [v0.5.0] - 2020-01-23
4
11
 
5
12
  ### Added
@@ -31,6 +38,7 @@
31
38
  - `TPM::EKCertificate` wrapper
32
39
  - `TPM::SAttest` wrapper
33
40
 
41
+ [v0.6.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.5.0...v0.6.0/
34
42
  [v0.5.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.4.0...v0.5.0/
35
43
  [v0.4.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.3.0...v0.4.0/
36
44
  [v0.3.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.2.0...v0.3.0/
@@ -1,8 +1,9 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- tpm-key_attestation (0.5.0)
4
+ tpm-key_attestation (0.6.0)
5
5
  bindata (~> 2.4)
6
+ openssl-signature_algorithm (~> 0.3.0)
6
7
 
7
8
  GEM
8
9
  remote: https://rubygems.org/
@@ -16,6 +17,7 @@ GEM
16
17
  byebug (11.1.0)
17
18
  diff-lcs (1.3)
18
19
  jaro_winkler (1.5.4)
20
+ openssl-signature_algorithm (0.3.0)
19
21
  parallel (1.19.1)
20
22
  parser (2.7.0.2)
21
23
  ast (~> 2.4.0)
data/README.md CHANGED
@@ -31,7 +31,7 @@ key_attestation =
31
31
  certified_object,
32
32
  signing_key,
33
33
  quilifying_data,
34
- algorithm: "RS256" # Supported values: "RS256", "PS256", "ES256" (default "RS256")
34
+ signature_algorithm: TPM::ALG_RSAPSS # Supported values: TPM::ALG_RSAPSS, TPM::ALG_RSASSA, TPM::ALG_ECDSA (default TPM::ALG_RSASSA)
35
35
  )
36
36
 
37
37
  if key_attestation.valid?
@@ -1,19 +1,32 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "openssl/signature_algorithm"
3
4
  require "tpm/constants"
4
5
  require "tpm/public_area"
5
6
  require "tpm/s_attest"
6
7
 
7
8
  module TPM
8
9
  class CertifyValidator
9
- attr_reader :info, :signature, :nonce, :object, :algorithm
10
+ attr_reader :info, :signature, :nonce, :object, :signature_algorithm, :hash_algorithm
10
11
 
11
- def initialize(info, signature, nonce, object, algorithm: "RS256")
12
+ TPM_SIGNATURE_ALG_TO_OPENSSL = {
13
+ ALG_RSASSA => OpenSSL::SignatureAlgorithm::RSAPKCS1,
14
+ ALG_RSAPSS => OpenSSL::SignatureAlgorithm::RSAPSS,
15
+ ALG_ECDSA => OpenSSL::SignatureAlgorithm::ECDSA
16
+ }.freeze
17
+
18
+ TPM_HASH_ALG_TO_OPENSSL = {
19
+ ALG_SHA1 => "SHA1",
20
+ ALG_SHA256 => "SHA256"
21
+ }.freeze
22
+
23
+ def initialize(info, signature, nonce, object, signature_algorithm: ALG_RSASSA, hash_algorithm: ALG_SHA256)
12
24
  @info = info
13
25
  @signature = signature
14
26
  @nonce = nonce
15
27
  @object = object
16
- @algorithm = algorithm
28
+ @signature_algorithm = signature_algorithm
29
+ @hash_algorithm = hash_algorithm
17
30
  end
18
31
 
19
32
  def valid?(signing_key)
@@ -29,11 +42,14 @@ module TPM
29
42
  attest.attested.name.buffer == TPM::PublicArea.new(object).name
30
43
  end
31
44
 
32
- def valid_signature?(signing_key)
33
- if rsa_pss?
34
- signing_key.verify_pss(hash_function, signature, info, salt_length: :auto, mgf1_hash: hash_function)
35
- else
36
- signing_key.verify(hash_function, signature, info)
45
+ def valid_signature?(verify_key)
46
+ openssl_signature_algorithm = openssl_signature_algorithm_class.new(openssl_hash_function[3..-1])
47
+ openssl_signature_algorithm.verify_key = verify_key
48
+
49
+ begin
50
+ openssl_signature_algorithm.verify(signature, info)
51
+ rescue OpenSSL::SignatureAlgorithm::Error
52
+ false
37
53
  end
38
54
  end
39
55
 
@@ -41,12 +57,12 @@ module TPM
41
57
  @attest ||= TPM::SAttest.deserialize(info)
42
58
  end
43
59
 
44
- def hash_function
45
- "SHA#{algorithm[2..-1]}"
60
+ def openssl_hash_function
61
+ TPM_HASH_ALG_TO_OPENSSL[hash_algorithm] || raise("Unsupported hash algorithm #{hash_algorithm}")
46
62
  end
47
63
 
48
- def rsa_pss?
49
- algorithm.start_with?("PS")
64
+ def openssl_signature_algorithm_class
65
+ TPM_SIGNATURE_ALG_TO_OPENSSL[signature_algorithm] || raise("Unsupported signature algorithm #{algorithm}")
50
66
  end
51
67
  end
52
68
  end
@@ -72,7 +72,7 @@ module TPM
72
72
  model = name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
73
73
  version = name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
74
74
 
75
- ::TPM::VENDOR_IDS[manufacturer] &&
75
+ TPM::VENDOR_IDS[manufacturer] &&
76
76
  !model.empty? &&
77
77
  !version.empty? &&
78
78
  (empty_subject? && extension.critical? || !empty_subject? && !extension.critical?)
@@ -2,20 +2,38 @@
2
2
 
3
3
  require "tpm/key_attestation/version"
4
4
  require "tpm/certify_validator"
5
+ require "tpm/constants"
5
6
 
6
7
  module TPM
7
8
  class KeyAttestation
8
9
  class Error < StandardError; end
9
10
 
10
- attr_reader :certify_info, :signature, :certified_object, :signing_key, :algorithm, :qualifying_data
11
+ attr_reader(
12
+ :certify_info,
13
+ :signature,
14
+ :certified_object,
15
+ :signing_key,
16
+ :signature_algorithm,
17
+ :hash_algorithm,
18
+ :qualifying_data
19
+ )
11
20
 
12
- def initialize(certify_info, signature, certified_object, signing_key, qualifying_data, algorithm: "RS256")
21
+ def initialize(
22
+ certify_info,
23
+ signature,
24
+ certified_object,
25
+ signing_key,
26
+ qualifying_data,
27
+ signature_algorithm: ALG_RSASSA,
28
+ hash_algorithm: ALG_SHA256
29
+ )
13
30
  @certify_info = certify_info
14
31
  @signature = signature
15
32
 
16
33
  @certified_object = certified_object
17
34
  @signing_key = signing_key
18
- @algorithm = algorithm
35
+ @signature_algorithm = signature_algorithm
36
+ @hash_algorithm = hash_algorithm
19
37
  @qualifying_data = qualifying_data
20
38
  end
21
39
 
@@ -38,7 +56,8 @@ module TPM
38
56
  signature,
39
57
  qualifying_data,
40
58
  certified_object,
41
- algorithm: algorithm
59
+ signature_algorithm: signature_algorithm,
60
+ hash_algorithm: hash_algorithm
42
61
  )
43
62
  end
44
63
 
@@ -2,6 +2,6 @@
2
2
 
3
3
  module TPM
4
4
  class KeyAttestation
5
- VERSION = "0.5.0"
5
+ VERSION = "0.6.0"
6
6
  end
7
7
  end
@@ -37,7 +37,7 @@ module TPM
37
37
  end
38
38
 
39
39
  def key
40
- if parameters.symmetric == ::TPM::ALG_NULL
40
+ if parameters.symmetric == TPM::ALG_NULL
41
41
  case alg_type
42
42
  when TPM::ALG_ECC
43
43
  ecc_key
@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
26
26
  spec.require_paths = ["lib"]
27
27
 
28
28
  spec.add_dependency "bindata", "~> 2.4"
29
+ spec.add_dependency "openssl-signature_algorithm", "~> 0.3.0"
29
30
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: tpm-key_attestation
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Gonzalo
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-01-23 00:00:00.000000000 Z
11
+ date: 2020-01-30 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bindata
@@ -24,6 +24,20 @@ dependencies:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
26
  version: '2.4'
27
+ - !ruby/object:Gem::Dependency
28
+ name: openssl-signature_algorithm
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: 0.3.0
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: 0.3.0
27
41
  description:
28
42
  email:
29
43
  executables: []