Fix crypto routines, add SM2/SM3 support, parsing issues
This commit is contained in:
parent
806cb3592c
commit
bf1d2e9341
|
@ -16,7 +16,6 @@ import (
|
|||
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/provisioning/bg"
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/tools"
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
|
||||
type context struct {
|
||||
|
@ -43,7 +42,7 @@ type templateCmd struct {
|
|||
DMABase1 uint64 `flag optional name:"dmabase1" help:"High DMA protected range base."`
|
||||
DMASize1 uint64 `flag optional name:"dmasize1" help:"High DMA protected range limit."`
|
||||
EntryPoint uint32 `flag optional name:"entrypoint" help:"IBB (Startup BIOS) entry point"`
|
||||
IbbHash []tpm2.Algorithm `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
|
||||
IbbHash []manifest.Algorithm `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
|
||||
IbbSegbase uint32 `flag optional name:"ibbsegbase" help:"Value for IbbSegment structure"`
|
||||
IbbSegsize uint32 `flag optional name:"ibbsegsize" help:"Value for IBB segment structure"`
|
||||
IbbSegFlag uint16 `flag optional name:"ibbsegflag" help:"Reducted"`
|
||||
|
@ -89,19 +88,19 @@ type bpmExportCmd struct {
|
|||
}
|
||||
|
||||
type generateKMCmd struct {
|
||||
KM string `arg required name:"km" help:"Path to the newly generated Key Manifest binary file." type:"path"`
|
||||
Key string `arg required name:"key" help:"Public signing key"`
|
||||
Config string `flag optional name:"config" help:"Path to the JSON config file." type:"path"`
|
||||
Revision uint8 `flag optional name:"revision" help:"Platform Manufacturer’s BPM revision number."`
|
||||
SVN manifest.SVN `flag optional name:"svn" help:"Boot Policy Manifest Security Version Number"`
|
||||
ID uint8 `flag optional name:"id" help:"The key Manifest Identifier"`
|
||||
PKHashAlg tpm2.Algorithm `flag optional name:"pkhashalg" help:"Hash algorithm of OEM public key digest"`
|
||||
KMHashes []key.Hash `flag optional name:"kmhashes" help:"Key hashes for BPM, ACM, uCode etc"`
|
||||
BpmPubkey string `flag optional name:"bpmpubkey" help:"Path to bpm public signing key"`
|
||||
BpmHashAlg tpm2.Algorithm `flag optional name:"bpmhashalgo" help:"Hash algorithm for bpm public signing key"`
|
||||
Out string `flag optional name:"out" help:"Path to write applied config to"`
|
||||
Cut bool `flag optional name:"cut" help:"Cuts the signature before writing to binary."`
|
||||
PrintME bool `flag optional name:"printme" help:"Prints the hash of KM public signing key"`
|
||||
KM string `arg required name:"km" help:"Path to the newly generated Key Manifest binary file." type:"path"`
|
||||
Key string `arg required name:"key" help:"Public signing key"`
|
||||
Config string `flag optional name:"config" help:"Path to the JSON config file." type:"path"`
|
||||
Revision uint8 `flag optional name:"revision" help:"Platform Manufacturer’s BPM revision number."`
|
||||
SVN manifest.SVN `flag optional name:"svn" help:"Boot Policy Manifest Security Version Number"`
|
||||
ID uint8 `flag optional name:"id" help:"The key Manifest Identifier"`
|
||||
PKHashAlg manifest.Algorithm `flag optional name:"pkhashalg" help:"Hash algorithm of OEM public key digest"`
|
||||
KMHashes []key.Hash `flag optional name:"kmhashes" help:"Key hashes for BPM, ACM, uCode etc"`
|
||||
BpmPubkey string `flag optional name:"bpmpubkey" help:"Path to bpm public signing key"`
|
||||
BpmHashAlg manifest.Algorithm `flag optional name:"bpmhashalgo" help:"Hash algorithm for bpm public signing key"`
|
||||
Out string `flag optional name:"out" help:"Path to write applied config to"`
|
||||
Cut bool `flag optional name:"cut" help:"Cuts the signature before writing to binary."`
|
||||
PrintME bool `flag optional name:"printme" help:"Prints the hash of KM public signing key"`
|
||||
}
|
||||
|
||||
type generateBPMCmd struct {
|
||||
|
@ -123,7 +122,7 @@ type generateBPMCmd struct {
|
|||
DMABase1 uint64 `flag optional name:"dmabase1" help:"High DMA protected range base."`
|
||||
DMASize1 uint64 `flag optional name:"dmasize1" help:"High DMA protected range limit."`
|
||||
EntryPoint uint32 `flag optional name:"entrypoint" help:"IBB (Startup BIOS) entry point"`
|
||||
IbbHash []tpm2.Algorithm `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
|
||||
IbbHash []manifest.Algorithm `flag optional name:"ibbhash" help:"IBB Hash Algorithm"`
|
||||
IbbSegbase uint32 `flag optional name:"ibbsegbase" help:"Value for IbbSegment structure"`
|
||||
IbbSegsize uint32 `flag optional name:"ibbsegsize" help:"Value for IBB segment structure"`
|
||||
IbbSegFlag uint16 `flag optional name:"ibbsegflag" help:"Reducted"`
|
||||
|
@ -188,11 +187,9 @@ func (kmp *kmPrintCmd) Run(ctx *context) error {
|
|||
return err
|
||||
}
|
||||
km.Print()
|
||||
|
||||
if err := km.KeyAndSignature.Key.PrintMEKey(); err != nil {
|
||||
if err := km.KeyAndSignature.Key.PrintKMPubKey(km.PubKeyHashAlg); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -207,6 +204,9 @@ func (bpmp *bpmPrintCmd) Run(ctx *context) error {
|
|||
return err
|
||||
}
|
||||
bpm.Print()
|
||||
if err := bpm.PMSE.KeySignature.Key.PrintBPMPubKey(bpm.PMSE.Signature.HashAlg); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -330,7 +330,7 @@ func (g *generateKMCmd) Run(ctx *context) error {
|
|||
return err
|
||||
}
|
||||
if g.PrintME {
|
||||
if err := options.KeyManifest.KeyAndSignature.Key.PrintMEKey(); err != nil {
|
||||
if err := options.KeyManifest.KeyAndSignature.Key.PrintKMPubKey(options.KeyManifest.PubKeyHashAlg); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
|
13
go.mod
13
go.mod
|
@ -5,18 +5,29 @@ go 1.13
|
|||
require (
|
||||
github.com/alecthomas/kong v0.2.11
|
||||
github.com/creasty/defaults v1.5.1
|
||||
github.com/dsnet/compress v0.0.1 // indirect
|
||||
github.com/dustin/go-humanize v1.0.0
|
||||
github.com/fatih/camelcase v1.0.0
|
||||
github.com/fatih/structtag v1.2.0 // indirect
|
||||
github.com/fearful-symmetry/gomsr v0.0.1
|
||||
github.com/frankban/quicktest v1.11.3 // indirect
|
||||
github.com/golang/snappy v0.0.2 // indirect
|
||||
github.com/google/go-tpm v0.3.3-0.20210120190357-1ff48daca32f
|
||||
github.com/intel-go/cpuid v0.0.0-20200819041909-2aa72927c3e2
|
||||
github.com/linuxboot/fiano v5.0.0+incompatible
|
||||
github.com/logrusorgru/aurora v2.0.3+incompatible
|
||||
github.com/mholt/archiver v3.1.1+incompatible
|
||||
github.com/nwaples/rardecode v1.1.0 // indirect
|
||||
github.com/pierrec/lz4 v2.6.0+incompatible // indirect
|
||||
github.com/spf13/pflag v1.0.3
|
||||
github.com/stretchr/testify v1.2.2
|
||||
github.com/tidwall/pretty v1.0.2
|
||||
github.com/tjfoc/gmsm v1.4.0
|
||||
github.com/ulikunitz/xz v0.5.8 // indirect
|
||||
github.com/xaionaro-go/gosrc v0.0.0-20201124181305-3fdf8476a735
|
||||
github.com/xaionaro-go/unsafetools v0.0.0-20200202162159-021b112c4d30 // indirect
|
||||
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
|
||||
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
|
||||
golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee
|
||||
golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b // indirect
|
||||
golang.org/x/text v0.3.3 // indirect
|
||||
)
|
||||
|
|
45
go.sum
45
go.sum
|
@ -11,6 +11,7 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
|
|||
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
|
||||
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
||||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
|
||||
|
@ -25,9 +26,14 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
|
|||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
|
||||
github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
|
||||
github.com/dsnet/compress v0.0.1 h1:PlZu0n3Tuv04TzpfPbrnI0HW/YwodEXDS+oPKahKF0Q=
|
||||
github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo=
|
||||
github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
|
||||
github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
|
||||
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
|
||||
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
|
||||
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||
github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8=
|
||||
github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
|
||||
|
@ -35,6 +41,8 @@ github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4
|
|||
github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
|
||||
github.com/fearful-symmetry/gomsr v0.0.1 h1:m208RzdTApWVbv8a9kf78rdPLQe+BY9AxRb/nSbHxSA=
|
||||
github.com/fearful-symmetry/gomsr v0.0.1/go.mod h1:Qb/0Y7zwobP7v8Sji+M5mlL4N7Voyz5WaKXXRFPnLio=
|
||||
github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY=
|
||||
github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
|
||||
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
|
||||
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
|
||||
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
|
||||
|
@ -50,12 +58,16 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
|
|||
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
|
||||
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
|
||||
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
|
||||
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
|
||||
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
|
||||
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
|
||||
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
|
||||
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
|
||||
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
|
||||
github.com/golang/snappy v0.0.2 h1:aeE13tS0IiQgFjYdoL8qN3K1N2bXXtI6Vi51/y7BpMw=
|
||||
github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
|
||||
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
||||
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
|
@ -67,8 +79,6 @@ github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
|
|||
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI=
|
||||
github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw=
|
||||
github.com/google/go-tpm v0.3.2 h1:3iQQ2dlEf+1no7CLlfLPYzxhQy7j2G/emBqU5okydaw=
|
||||
github.com/google/go-tpm v0.3.2/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg=
|
||||
github.com/google/go-tpm v0.3.3-0.20210120190357-1ff48daca32f h1:L2/I8aWw3KRzIPQ55ps20JfD8tF/olPBJepwmGHxiXA=
|
||||
github.com/google/go-tpm v0.3.3-0.20210120190357-1ff48daca32f/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg=
|
||||
github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0=
|
||||
|
@ -85,10 +95,15 @@ github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22
|
|||
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
|
||||
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
|
||||
github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
|
||||
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
|
||||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||
github.com/linuxboot/fiano v5.0.0+incompatible h1:DZAZO0z9l35cakTNnkdh+yWRZfzCCJnDHmPAYW/t0No=
|
||||
github.com/linuxboot/fiano v5.0.0+incompatible/go.mod h1:IPKmAwYdbidivI8+nWCBO97QkdsiF8OThAHowU8Tvdk=
|
||||
|
@ -96,11 +111,17 @@ github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczG
|
|||
github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
|
||||
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
||||
github.com/mholt/archiver v3.1.1+incompatible h1:1dCVxuqs0dJseYEhi5pl7MYPH9zDa1wBi7mF09cbNkU=
|
||||
github.com/mholt/archiver v3.1.1+incompatible/go.mod h1:Dh2dOXnSdiLxRiPoVfIr/fI1TwETms9B8CTWfeh7ROU=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
|
||||
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||
github.com/nwaples/rardecode v1.1.0 h1:vSxaY8vQhOcVr4mm5e8XllHWTiM4JF507A0Katqw7MQ=
|
||||
github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
|
||||
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
|
||||
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
|
||||
github.com/pierrec/lz4 v2.6.0+incompatible h1:Ix9yFKn1nSPBLFl/yZknTp8TU5G4Ps0JDmguYK6iH1A=
|
||||
github.com/pierrec/lz4 v2.6.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
|
||||
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
|
||||
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
|
@ -137,15 +158,20 @@ github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1
|
|||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/tidwall/pretty v1.0.2 h1:Z7S3cePv9Jwm1KwS0513MRaoUe3S01WPbLNV40pwWZU=
|
||||
github.com/tidwall/pretty v1.0.2/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
|
||||
github.com/tjfoc/gmsm v1.4.0 h1:8nbaiZG+iVdh+fXVw0DZoZZa7a4TGm3Qab+xdrdzj8s=
|
||||
github.com/tjfoc/gmsm v1.4.0/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
|
||||
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
|
||||
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
|
||||
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
|
||||
github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
|
||||
github.com/ulikunitz/xz v0.5.8 h1:ERv8V6GKqVi23rgu5cj9pVfVzJbOqAY2Ntl88O6c2nQ=
|
||||
github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
|
||||
github.com/xaionaro-go/gosrc v0.0.0-20201124181305-3fdf8476a735 h1:I5vlWq623SQl/E48ulUZP2YN+vlLMhzyETuOuTNtZhI=
|
||||
github.com/xaionaro-go/gosrc v0.0.0-20201124181305-3fdf8476a735/go.mod h1:KWPOUqeg7VZ8gE4MQJJmG+YgmNf2yAkBiDI++R48tFg=
|
||||
github.com/xaionaro-go/unsafetools v0.0.0-20200202162159-021b112c4d30 h1:6HCWbXp+IoQx6XRlVbcDlM0BSWigu8H2FM6VdXeOk5s=
|
||||
github.com/xaionaro-go/unsafetools v0.0.0-20200202162159-021b112c4d30/go.mod h1:spWmgrD4QEkFsootCLGU3OLWgeeJew0KXrCsVPWBQ88=
|
||||
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
|
||||
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
|
||||
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
|
||||
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
|
||||
go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
|
||||
|
@ -156,8 +182,9 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
|
|||
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0=
|
||||
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a h1:vclmkQCjlDX5OydZ9wv8rBCcS0QyQY66Mpf/7BZbInM=
|
||||
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee h1:4yd7jl+vXjalO5ztz6Vc1VADv+S/80LGJmyl1ROJ2AI=
|
||||
golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
|
||||
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
|
||||
|
@ -170,6 +197,7 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
|
|||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
||||
golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
|
@ -182,12 +210,18 @@ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5h
|
|||
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201207223542-d4d67f95c62d h1:MiWWjyhUzZ+jvhZvloX6ZrUsdEghn8a64Upd8EMHglE=
|
||||
golang.org/x/sys v0.0.0-20201207223542-d4d67f95c62d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b h1:lAZ0/chPUDWwjqosYR0X4M490zQhMsiJ4K3DbA7o+3g=
|
||||
golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
|
||||
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
|
@ -202,13 +236,16 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY
|
|||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||
google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
||||
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
|
||||
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
|
||||
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||
google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
|
||||
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
|
||||
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
|
||||
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
|
||||
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
|
||||
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
|
||||
google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
|
||||
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
|
||||
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
|
||||
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
|
||||
|
|
|
@ -1,3 +1,10 @@
|
|||
Prequesites:
|
||||
Open another terminal and go get the sm2/sm3 crypto library into your gopath.
|
||||
The code generator disables go modules.
|
||||
```
|
||||
GOPATH=your/go/path go get "github.com/tjfoc/gmsm/sm2"
|
||||
```
|
||||
|
||||
To generalize all the logic related to Boot Policy Manifest and Key Manifest
|
||||
we use code generation. Therefore it is enough to create structure declarations
|
||||
and run command from this directory:
|
||||
|
|
|
@ -0,0 +1,109 @@
|
|||
package manifest
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"fmt"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// MAX_DIGEST_BUFFER is the maximum size of []byte request or response fields.
|
||||
// Typically used for chunking of big blobs of data (such as for hashing or
|
||||
// encryption).
|
||||
const maxDigestBuffer = 1024
|
||||
|
||||
// Algorithm represents a crypto algorithm value.
|
||||
type Algorithm uint16
|
||||
|
||||
const (
|
||||
AlgUnknown Algorithm = 0x0000
|
||||
AlgRSA Algorithm = 0x0001
|
||||
AlgSHA1 Algorithm = 0x0004
|
||||
AlgSHA256 Algorithm = 0x000B
|
||||
AlgSHA384 Algorithm = 0x000C
|
||||
AlgSHA512 Algorithm = 0x000D
|
||||
AlgNull Algorithm = 0x0010
|
||||
AlgSM3_256 Algorithm = 0x0012
|
||||
AlgRSASSA Algorithm = 0x0014
|
||||
AlgRSAPSS Algorithm = 0x0016
|
||||
AlgECDSA Algorithm = 0x0018
|
||||
AlgSM2 Algorithm = 0x001b
|
||||
AlgECC Algorithm = 0x0023
|
||||
)
|
||||
|
||||
var hashInfo = []struct {
|
||||
alg Algorithm
|
||||
hash crypto.Hash
|
||||
}{
|
||||
{AlgSHA1, crypto.SHA1},
|
||||
{AlgSHA256, crypto.SHA256},
|
||||
{AlgSHA384, crypto.SHA384},
|
||||
{AlgSHA512, crypto.SHA512},
|
||||
}
|
||||
|
||||
// HashToAlgorithm looks up the manifest algorithm corresponding to the provided crypto.Hash
|
||||
func HashToAlgorithm(hash crypto.Hash) (Algorithm, error) {
|
||||
for _, info := range hashInfo {
|
||||
if info.hash == hash {
|
||||
return info.alg, nil
|
||||
}
|
||||
}
|
||||
return AlgUnknown, fmt.Errorf("go hash algorithm #%d has no manifest algorithm", hash)
|
||||
}
|
||||
|
||||
// IsNull returns true if a is AlgNull or zero (unset).
|
||||
func (a Algorithm) IsNull() bool {
|
||||
return a == AlgNull || a == AlgUnknown
|
||||
}
|
||||
|
||||
// Hash returns a crypto.Hash based on the given id.
|
||||
// An error is returned if the given algorithm is not a hash algorithm or is not available.
|
||||
func (a Algorithm) Hash() (crypto.Hash, error) {
|
||||
for _, info := range hashInfo {
|
||||
if info.alg == a {
|
||||
if !info.hash.Available() {
|
||||
return crypto.Hash(0), fmt.Errorf("go hash algorithm #%d not available", info.hash)
|
||||
}
|
||||
return info.hash, nil
|
||||
}
|
||||
}
|
||||
return crypto.Hash(0), fmt.Errorf("hash algorithm not supported: 0x%x", a)
|
||||
}
|
||||
|
||||
func (a Algorithm) String() string {
|
||||
var s strings.Builder
|
||||
var err error
|
||||
switch a {
|
||||
case AlgUnknown:
|
||||
_, err = s.WriteString("AlgUnknown")
|
||||
case AlgRSA:
|
||||
_, err = s.WriteString("RSA")
|
||||
case AlgSHA1:
|
||||
_, err = s.WriteString("SHA1")
|
||||
case AlgSHA256:
|
||||
_, err = s.WriteString("SHA256")
|
||||
case AlgSHA384:
|
||||
_, err = s.WriteString("SHA384")
|
||||
case AlgSHA512:
|
||||
_, err = s.WriteString("SHA512")
|
||||
case AlgSM3_256:
|
||||
_, err = s.WriteString("SM3_256")
|
||||
case AlgNull:
|
||||
_, err = s.WriteString("AlgNull")
|
||||
case AlgRSASSA:
|
||||
_, err = s.WriteString("RSASSA")
|
||||
case AlgRSAPSS:
|
||||
_, err = s.WriteString("RSAPSS")
|
||||
case AlgECDSA:
|
||||
_, err = s.WriteString("ECDSA")
|
||||
case AlgECC:
|
||||
_, err = s.WriteString("ECC")
|
||||
case AlgSM2:
|
||||
_, err = s.WriteString("SM2")
|
||||
default:
|
||||
return fmt.Sprintf("Alg?<%d>", int(a))
|
||||
}
|
||||
if err != nil {
|
||||
return fmt.Sprintf("Writing to string builder failed: %v", err)
|
||||
}
|
||||
return s.String()
|
||||
}
|
|
@ -2,12 +2,10 @@
|
|||
|
||||
package manifest
|
||||
|
||||
import "github.com/google/go-tpm/tpm2"
|
||||
|
||||
// HashStructure describes a digest.
|
||||
type HashStructure struct {
|
||||
HashAlg tpm2.Algorithm `default:"0x10" json:"hs_Alg"`
|
||||
HashBuffer []byte `json:"hs_Buffer"`
|
||||
HashAlg Algorithm `default:"0x10" json:"hs_Alg"`
|
||||
HashBuffer []byte `json:"hs_Buffer"`
|
||||
}
|
||||
|
||||
// HashList describes multiple digests
|
||||
|
|
|
@ -8,20 +8,19 @@ import (
|
|||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"math/big"
|
||||
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
"github.com/tjfoc/gmsm/sm2"
|
||||
)
|
||||
|
||||
// Key is a public key of an asymmetric crypto keypair.
|
||||
type Key struct {
|
||||
KeyAlg tpm2.Algorithm `json:"key_alg"`
|
||||
Version uint8 `require:"0x10" json:"key_version"`
|
||||
KeySize BitSize `json:"key_bitsize"`
|
||||
Data []byte `countValue:"keyDataSize()" json:"key_data"`
|
||||
KeyAlg Algorithm `json:"key_alg"`
|
||||
Version uint8 `require:"0x10" json:"key_version"`
|
||||
KeySize BitSize `json:"key_bitsize"`
|
||||
Data []byte `countValue:"keyDataSize()" json:"key_data"`
|
||||
}
|
||||
|
||||
// BitSize is a size in bits.
|
||||
|
@ -51,9 +50,9 @@ func (ks *BitSize) SetInBytes(amountOfBytes uint16) {
|
|||
// KeyAlg and KeySize.
|
||||
func (k Key) keyDataSize() int64 {
|
||||
switch k.KeyAlg {
|
||||
case tpm2.AlgRSA:
|
||||
case AlgRSA:
|
||||
return int64(k.KeySize.InBytes()) + 4
|
||||
case tpm2.AlgECC:
|
||||
case AlgECC, AlgSM2:
|
||||
return int64(k.KeySize.InBytes()) * 2
|
||||
}
|
||||
return -1
|
||||
|
@ -70,18 +69,23 @@ func (k Key) PubKey() (crypto.PublicKey, error) {
|
|||
}
|
||||
|
||||
switch k.KeyAlg {
|
||||
case tpm2.AlgRSA:
|
||||
case AlgRSA:
|
||||
result := &rsa.PublicKey{
|
||||
N: new(big.Int).SetBytes(reverseBytes(k.Data[4:])),
|
||||
E: int(binaryOrder.Uint32(k.Data)),
|
||||
}
|
||||
|
||||
return result, nil
|
||||
case tpm2.AlgECC:
|
||||
case AlgECC:
|
||||
keySize := k.KeySize.InBytes()
|
||||
x := new(big.Int).SetBytes(reverseBytes(k.Data[:keySize]))
|
||||
y := new(big.Int).SetBytes(reverseBytes(k.Data[keySize:]))
|
||||
return ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
|
||||
case AlgSM2:
|
||||
keySize := k.KeySize.InBytes()
|
||||
x := new(big.Int).SetBytes(reverseBytes(k.Data[:keySize]))
|
||||
y := new(big.Int).SetBytes(reverseBytes(k.Data[keySize:]))
|
||||
return sm2.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("unexpected TPM algorithm: %s", k.KeyAlg)
|
||||
|
@ -101,7 +105,7 @@ func (k *Key) SetPubKey(key crypto.PublicKey) error {
|
|||
|
||||
switch key := key.(type) {
|
||||
case *rsa.PublicKey:
|
||||
k.KeyAlg = tpm2.AlgRSA
|
||||
k.KeyAlg = AlgRSA
|
||||
n := key.N.Bytes()
|
||||
k.KeySize.SetInBytes(uint16(len(n)))
|
||||
k.Data = make([]byte, 4+len(n))
|
||||
|
@ -111,7 +115,25 @@ func (k *Key) SetPubKey(key crypto.PublicKey) error {
|
|||
|
||||
case *ecdsa.PublicKey:
|
||||
var x, y *big.Int
|
||||
k.KeyAlg = tpm2.AlgRSA
|
||||
k.KeyAlg = AlgECC
|
||||
x, y = key.X, key.Y
|
||||
if x == nil || y == nil {
|
||||
return fmt.Errorf("the pubkey '%#+v' is invalid: x == nil || y == nil", key)
|
||||
}
|
||||
k.KeySize.SetInBits(256)
|
||||
xB, yB := x.Bytes(), y.Bytes()
|
||||
if len(xB) != int(k.KeySize.InBytes()) || len(yB) != int(k.KeySize.InBytes()) {
|
||||
return fmt.Errorf("the pubkey '%#+v' is invalid: len(x)<%d> != %d || len(y)<%d> == %d",
|
||||
key, len(xB), int(k.KeySize.InBytes()), len(yB), int(k.KeySize.InBytes()))
|
||||
}
|
||||
k.Data = make([]byte, 2*k.KeySize.InBytes())
|
||||
copy(k.Data[:], reverseBytes(xB))
|
||||
copy(k.Data[len(xB):], reverseBytes(yB))
|
||||
return nil
|
||||
|
||||
case *sm2.PublicKey:
|
||||
var x, y *big.Int
|
||||
k.KeyAlg = AlgSM2
|
||||
x, y = key.X, key.Y
|
||||
if x == nil || y == nil {
|
||||
return fmt.Errorf("the pubkey '%#+v' is invalid: x == nil || y == nil", key)
|
||||
|
@ -131,19 +153,66 @@ func (k *Key) SetPubKey(key crypto.PublicKey) error {
|
|||
return fmt.Errorf("unexpected key type: %T", key)
|
||||
}
|
||||
|
||||
//PrintMEKey prints the KM public signing key hash to fuse into the Intel ME
|
||||
func (k *Key) PrintMEKey() error {
|
||||
//PrintBPMPubKey prints the BPM public signing key hash to fuse into the Intel ME
|
||||
func (k *Key) PrintBPMPubKey(bpmAlg Algorithm) error {
|
||||
buf := new(bytes.Buffer)
|
||||
if len(k.Data) > 1 {
|
||||
if err := binary.Write(buf, binary.LittleEndian, k.Data[4:]); err != nil {
|
||||
return nil
|
||||
if k.KeyAlg == AlgRSA {
|
||||
if err := binary.Write(buf, binary.LittleEndian, k.Data[4:]); err != nil {
|
||||
return err
|
||||
}
|
||||
h, err := bpmAlg.Hash()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
hash := h.New()
|
||||
hash.Write(buf.Bytes())
|
||||
fmt.Printf(" Boot Policy Manifest Pubkey Hash: 0x%x\n", hash.Sum(nil))
|
||||
} else if k.KeyAlg == AlgSM2 || k.KeyAlg == AlgECC {
|
||||
if err := binary.Write(buf, binary.LittleEndian, k.Data); err != nil {
|
||||
return err
|
||||
}
|
||||
h, err := bpmAlg.Hash()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
hash := h.New()
|
||||
hash.Write(buf.Bytes())
|
||||
fmt.Printf(" Boot Policy Manifest Pubkey Hash: 0x%x\n", hash.Sum(nil))
|
||||
} else {
|
||||
fmt.Printf(" Boot Policy Manifest Pubkey Hash: Unknown Algorithm\n")
|
||||
}
|
||||
if err := binary.Write(buf, binary.LittleEndian, k.Data[:4]); err != nil {
|
||||
return nil
|
||||
} else {
|
||||
fmt.Printf(" Boot Policy Pubkey Hash: No km public key set in KM\n")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
//PrintKMPubKey prints the KM public signing key hash to fuse into the Intel ME
|
||||
func (k *Key) PrintKMPubKey(kmAlg Algorithm) error {
|
||||
buf := new(bytes.Buffer)
|
||||
if len(k.Data) > 1 {
|
||||
if k.KeyAlg == AlgRSA {
|
||||
if err := binary.Write(buf, binary.LittleEndian, k.Data[4:]); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := binary.Write(buf, binary.LittleEndian, k.Data[:4]); err != nil {
|
||||
return err
|
||||
}
|
||||
if kmAlg != AlgSHA256 {
|
||||
return fmt.Errorf("KM public key hash algorithm must be SHA256")
|
||||
}
|
||||
h, err := kmAlg.Hash()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
hash := h.New()
|
||||
hash.Write(buf.Bytes())
|
||||
fmt.Printf(" Key Manifest Pubkey Hash: 0x%x\n", hash.Sum(nil))
|
||||
} else {
|
||||
fmt.Printf(" Key Manifest Pubkey Hash: Unsupported Algorithm\n")
|
||||
}
|
||||
h := sha256.New()
|
||||
h.Write(buf.Bytes())
|
||||
fmt.Printf(" Key Manifest Pubkey Hash: 0x%x\n", h.Sum(nil))
|
||||
} else {
|
||||
fmt.Printf(" Key Manifest Pubkey Hash: No km public key set in KM\n")
|
||||
}
|
||||
|
|
|
@ -6,8 +6,6 @@ import (
|
|||
"crypto"
|
||||
"fmt"
|
||||
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest"
|
||||
)
|
||||
|
||||
|
@ -35,7 +33,7 @@ type Manifest struct {
|
|||
|
||||
// PubKeyHashAlg is the hash algorithm of OEM public key digest programmed
|
||||
// into the FPF.
|
||||
PubKeyHashAlg tpm2.Algorithm `json:"km_PubKeyHashAlg"`
|
||||
PubKeyHashAlg manifest.Algorithm `json:"km_PubKeyHashAlg"`
|
||||
|
||||
// Hash is the slice of KMHASH_STRUCT (KHS) structures (see table 5-3
|
||||
// of the document #575623). Describes BPM pubkey digest (among other).
|
||||
|
@ -46,7 +44,7 @@ type Manifest struct {
|
|||
}
|
||||
|
||||
func (m *Manifest) SetSignature(
|
||||
algo tpm2.Algorithm,
|
||||
algo manifest.Algorithm,
|
||||
privKey crypto.Signer,
|
||||
signedData []byte,
|
||||
) error {
|
||||
|
|
|
@ -5,8 +5,6 @@ package manifest
|
|||
import (
|
||||
"crypto"
|
||||
"fmt"
|
||||
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
|
||||
// KeySignature
|
||||
|
@ -38,7 +36,7 @@ func (m *KeySignature) Verify(signedData []byte) error {
|
|||
//
|
||||
// if signAlgo is zero then it is detected automatically, based on the type
|
||||
// of the provided private key.
|
||||
func (ks *KeySignature) SetSignature(signAlgo tpm2.Algorithm, privKey crypto.Signer, signedData []byte) error {
|
||||
func (ks *KeySignature) SetSignature(signAlgo Algorithm, privKey crypto.Signer, signedData []byte) error {
|
||||
err := ks.Key.SetPubKey(privKey.Public())
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to set public key: %w", err)
|
||||
|
|
|
@ -7,8 +7,6 @@ import (
|
|||
"crypto/rand"
|
||||
"fmt"
|
||||
"math/big"
|
||||
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
|
||||
var (
|
||||
|
@ -18,11 +16,11 @@ var (
|
|||
|
||||
// Signature exports the Signature structure
|
||||
type Signature struct {
|
||||
SigScheme tpm2.Algorithm `json:"sig_scheme"`
|
||||
Version uint8 `require:"0x10" json:"sig_version,omitempty"`
|
||||
KeySize BitSize `json:"sig_keysize,omitempty"`
|
||||
HashAlg tpm2.Algorithm `json:"sig_hashAlg"`
|
||||
Data []byte `countValue:"KeySize.InBytes()" prettyValue:"dataPrettyValue()" json:"sig_data"`
|
||||
SigScheme Algorithm `json:"sig_scheme"`
|
||||
Version uint8 `require:"0x10" json:"sig_version,omitempty"`
|
||||
KeySize BitSize `json:"sig_keysize,omitempty"`
|
||||
HashAlg Algorithm `json:"sig_hashAlg"`
|
||||
Data []byte `countValue:"KeySize.InBytes()" prettyValue:"dataPrettyValue()" json:"sig_data"`
|
||||
}
|
||||
|
||||
func (m Signature) dataPrettyValue() interface{} {
|
||||
|
@ -36,9 +34,9 @@ func (m Signature) dataPrettyValue() interface{} {
|
|||
// * SignatureSM2
|
||||
func (m Signature) SignatureData() (SignatureDataInterface, error) {
|
||||
switch m.SigScheme {
|
||||
case tpm2.AlgRSASSA:
|
||||
case AlgRSA:
|
||||
return SignatureRSAASA(m.Data), nil
|
||||
case tpm2.AlgECDSA:
|
||||
case AlgECDSA:
|
||||
if len(m.Data) != 64 && len(m.Data) != 96 {
|
||||
return nil, fmt.Errorf("invalid length of the signature data: %d (expected 64 or 96)", len(m.Data))
|
||||
}
|
||||
|
@ -46,6 +44,14 @@ func (m Signature) SignatureData() (SignatureDataInterface, error) {
|
|||
R: new(big.Int).SetBytes(reverseBytes(m.Data[:len(m.Data)/2])),
|
||||
S: new(big.Int).SetBytes(reverseBytes(m.Data[len(m.Data)/2:])),
|
||||
}, nil
|
||||
case AlgSM2:
|
||||
if len(m.Data) != 64 && len(m.Data) != 96 {
|
||||
return nil, fmt.Errorf("invalid length of the signature data: %d (expected 64 or 96)", len(m.Data))
|
||||
}
|
||||
return SignatureSM2{
|
||||
R: new(big.Int).SetBytes(reverseBytes(m.Data[:len(m.Data)/2])),
|
||||
S: new(big.Int).SetBytes(reverseBytes(m.Data[len(m.Data)/2:])),
|
||||
}, nil
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("unexpected signature scheme: %s", m.SigScheme)
|
||||
|
@ -64,12 +70,16 @@ func (m *Signature) SetSignatureByData(sig SignatureDataInterface) error {
|
|||
|
||||
switch sig := sig.(type) {
|
||||
case SignatureRSAASA:
|
||||
m.SigScheme = tpm2.AlgRSASSA
|
||||
m.HashAlg = tpm2.AlgSHA256
|
||||
m.SigScheme = AlgRSA
|
||||
m.HashAlg = AlgSHA256
|
||||
m.KeySize.SetInBytes(uint16(len(m.Data)))
|
||||
case SignatureECDSA:
|
||||
m.SigScheme = tpm2.AlgECDSA
|
||||
m.HashAlg = tpm2.AlgSHA256
|
||||
m.SigScheme = AlgECDSA
|
||||
m.HashAlg = AlgSHA256
|
||||
m.KeySize.SetInBits(uint16(sig.R.BitLen()))
|
||||
case SignatureSM2:
|
||||
m.SigScheme = AlgSM2
|
||||
m.HashAlg = AlgSM3_256
|
||||
m.KeySize.SetInBits(uint16(sig.R.BitLen()))
|
||||
default:
|
||||
return fmt.Errorf("unexpected signature type: %T", sig)
|
||||
|
@ -91,6 +101,8 @@ func (m *Signature) SetSignatureData(sig SignatureDataInterface) error {
|
|||
switch sig := sig.(type) {
|
||||
case SignatureECDSA:
|
||||
r, s = sig.R, sig.S
|
||||
case SignatureSM2:
|
||||
r, s = sig.R, sig.S
|
||||
default:
|
||||
return fmt.Errorf("internal error")
|
||||
}
|
||||
|
@ -114,7 +126,7 @@ func (m *Signature) SetSignatureData(sig SignatureDataInterface) error {
|
|||
//
|
||||
// if signAlgo is zero then it is detected automatically, based on the type
|
||||
// of the provided private key.
|
||||
func (m *Signature) SetSignature(signAlgo tpm2.Algorithm, privKey crypto.Signer, signedData []byte) error {
|
||||
func (m *Signature) SetSignature(signAlgo Algorithm, privKey crypto.Signer, signedData []byte) error {
|
||||
signData, err := NewSignatureData(signAlgo, privKey, signedData)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to construct the signature data: %w", err)
|
||||
|
|
|
@ -8,16 +8,18 @@ import (
|
|||
"fmt"
|
||||
"math/big"
|
||||
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
"github.com/tjfoc/gmsm/sm2"
|
||||
)
|
||||
|
||||
var SM2UID = []byte{0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38}
|
||||
|
||||
// NewSignatureData returns an implementation of SignatureDataInterface,
|
||||
// accordingly to signAlgo, privKey and signedData.
|
||||
//
|
||||
// if signAlgo is zero then it is detected automatically, based on the type
|
||||
// of the provided private key.
|
||||
func NewSignatureData(
|
||||
signAlgo tpm2.Algorithm,
|
||||
signAlgo Algorithm,
|
||||
privKey crypto.Signer,
|
||||
signedData []byte,
|
||||
) (SignatureDataInterface, error) {
|
||||
|
@ -25,19 +27,19 @@ func NewSignatureData(
|
|||
// auto-detect the sign algorithm, based on the provided signing key
|
||||
switch privKey.(type) {
|
||||
case *rsa.PrivateKey:
|
||||
signAlgo = tpm2.AlgRSASSA
|
||||
signAlgo = AlgRSASSA
|
||||
case *ecdsa.PrivateKey:
|
||||
signAlgo = tpm2.AlgECDSA
|
||||
signAlgo = AlgECDSA
|
||||
case *sm2.PrivateKey:
|
||||
signAlgo = AlgSM2
|
||||
}
|
||||
}
|
||||
|
||||
switch signAlgo {
|
||||
case tpm2.AlgRSASSA:
|
||||
case AlgRSASSA:
|
||||
rsaPrivateKey, ok := privKey.(*rsa.PrivateKey)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("expected private RSA key (type %T), but received %T", rsaPrivateKey, privKey)
|
||||
}
|
||||
|
||||
h := sha256.New()
|
||||
_, _ = h.Write(signedData)
|
||||
bpmHash := h.Sum(nil)
|
||||
|
@ -47,7 +49,7 @@ func NewSignatureData(
|
|||
}
|
||||
return SignatureRSAASA(data), nil
|
||||
|
||||
case tpm2.AlgECDSA:
|
||||
case AlgECDSA:
|
||||
eccPrivateKey, ok := privKey.(*ecdsa.PrivateKey)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("expected private ECDSA key (type %T), but received %T", eccPrivateKey, privKey)
|
||||
|
@ -59,6 +61,19 @@ func NewSignatureData(
|
|||
return nil, fmt.Errorf("unable to sign with ECDSA the data: %w", err)
|
||||
}
|
||||
return data, nil
|
||||
|
||||
case AlgSM2:
|
||||
eccPrivateKey, ok := privKey.(*sm2.PrivateKey)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("expected private SM2 key (type %T), but received %T", eccPrivateKey, privKey)
|
||||
}
|
||||
var data SignatureSM2
|
||||
var err error
|
||||
data.R, data.S, err = sm2.Sm2Sign(eccPrivateKey, signedData, SM2UID, RandReader)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to sign with SM2 the data: %w", err)
|
||||
}
|
||||
return data, nil
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("signing algorithm '%s' is not implemented in this library", signAlgo)
|
||||
|
|
|
@ -11,8 +11,6 @@ import (
|
|||
"io/ioutil"
|
||||
"os"
|
||||
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest"
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/bootpolicy"
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
|
||||
|
@ -30,9 +28,9 @@ type IbbSegment struct {
|
|||
|
||||
// KeyHash export for usage as cmd line argument type
|
||||
type KeyHash struct {
|
||||
Usage uint64 `json:"usage"` //
|
||||
Hash string `json:"hash"` //
|
||||
Algorithm tpm2.Algorithm `json:"algorithm"` //
|
||||
Usage uint64 `json:"usage"` //
|
||||
Hash string `json:"hash"` //
|
||||
Algorithm manifest.Algorithm `json:"algorithm"` //
|
||||
}
|
||||
|
||||
// BootGuardOptions presents all available options for BootGuard configuarion file.
|
||||
|
@ -94,10 +92,10 @@ func getIBBSegment(ibbs []bootpolicy.IBBSegment, image []byte) ([][]byte, error)
|
|||
return ibbSegments, nil
|
||||
}
|
||||
|
||||
func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorithm) ([]byte, error) {
|
||||
func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo manifest.Algorithm) ([]byte, error) {
|
||||
var hash []byte
|
||||
switch algo {
|
||||
case tpm2.AlgSHA1:
|
||||
case manifest.AlgSHA1:
|
||||
h := sha1.New()
|
||||
segments, err := getIBBSegment(ibbs, image)
|
||||
if err != nil {
|
||||
|
@ -110,7 +108,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
|
|||
}
|
||||
}
|
||||
hash = h.Sum(nil)
|
||||
case tpm2.AlgSHA256:
|
||||
case manifest.AlgSHA256:
|
||||
h := sha256.New()
|
||||
segments, err := getIBBSegment(ibbs, image)
|
||||
if err != nil {
|
||||
|
@ -123,7 +121,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
|
|||
}
|
||||
}
|
||||
hash = h.Sum(nil)
|
||||
case tpm2.AlgSHA384:
|
||||
case manifest.AlgSHA384:
|
||||
h := sha512.New384()
|
||||
segments, err := getIBBSegment(ibbs, image)
|
||||
if err != nil {
|
||||
|
@ -136,7 +134,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
|
|||
}
|
||||
}
|
||||
hash = h.Sum(nil)
|
||||
case tpm2.AlgSHA512:
|
||||
case manifest.AlgSHA512:
|
||||
h := sha512.New512_256()
|
||||
segments, err := getIBBSegment(ibbs, image)
|
||||
if err != nil {
|
||||
|
@ -149,7 +147,7 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo tpm2.Algorit
|
|||
}
|
||||
}
|
||||
hash = h.Sum(nil)
|
||||
case tpm2.AlgNull:
|
||||
case manifest.AlgNull:
|
||||
return nil, nil
|
||||
default:
|
||||
return nil, fmt.Errorf("couldn't match requested hash algorithm: 0x%x", algo)
|
||||
|
@ -310,7 +308,7 @@ func ReadConfigFromBIOSImage(biosFilepath string, configFilepath *os.File) (*Boo
|
|||
|
||||
// GetBPMPubHash takes the path to public BPM signing key and hash algorithm
|
||||
// and returns a hash with hashAlg of pub BPM singing key
|
||||
func GetBPMPubHash(path string, hashAlg tpm2.Algorithm) ([]key.Hash, error) {
|
||||
func GetBPMPubHash(path string, hashAlg manifest.Algorithm) ([]key.Hash, error) {
|
||||
var data []byte
|
||||
pubkey, err := ReadPubKey(path)
|
||||
if err != nil {
|
||||
|
@ -332,7 +330,7 @@ func GetBPMPubHash(path string, hashAlg tpm2.Algorithm) ([]key.Hash, error) {
|
|||
data = hash.Sum(nil)
|
||||
var keyHashes []key.Hash
|
||||
hStruc := &manifest.HashStructure{
|
||||
HashAlg: tpm2.Algorithm(hashAlg),
|
||||
HashAlg: manifest.Algorithm(hashAlg),
|
||||
}
|
||||
hStruc.HashBuffer = data
|
||||
|
||||
|
|
|
@ -14,7 +14,6 @@ import (
|
|||
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/bootpolicy"
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
|
||||
"github.com/9elements/converged-security-suite/v2/pkg/tools"
|
||||
"github.com/google/go-tpm/tpm2"
|
||||
)
|
||||
|
||||
// WriteBootGuardStructures takes a firmware image and extracts boot policy manifest, key manifest and acm into seperate files.
|
||||
|
@ -246,7 +245,7 @@ func generatePCR0Content(status uint64, km *key.Manifest, bpm *bootpolicy.Manife
|
|||
|
||||
for _, se := range bpm.SE {
|
||||
for i := 0; i < len(se.DigestList.List); i++ {
|
||||
if se.DigestList.List[i].HashAlg == tpm2.AlgSHA1 {
|
||||
if se.DigestList.List[i].HashAlg == manifest.AlgSHA1 {
|
||||
if err = binary.Write(buf, binary.LittleEndian, se.DigestList.List[i].HashBuffer); err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue