Documentation
¶
Index ¶
Constants ¶
const ( // TPMOrgPersistentMin is the minimum handle SKS will use for persistent, // evicted objects. TPMOrgPersistentMin tpmutil.Handle = 0x8101fb00 // TPMOrgSRKHandle is the handle where the organization root key is // persisted. TPMOrgSRKHandle = TPMOrgPersistentMin + iota )
Variables ¶
var DefaultEKAuthPolicy = []byte{
0x83, 0x71, 0x97, 0x67, 0x44, 0x84,
0xB3, 0xF8, 0x1A, 0x90, 0xCC, 0x8D,
0x46, 0xA5, 0xD7, 0x24, 0xFD, 0x52,
0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14,
0x69, 0xAA,
}
DefaultEKAuthPolicy is the default auth policy for an Endorsement Key. See https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/ for details.
Functions ¶
func DefaultECCEKParameters ¶
DefaultECCEKParameters generates the default ECC parameters for use when generating an ECC Endorsement Key. See section 2.1.5.2 of https://fburl.com/tpmcredentialprofileekv14 for details. NOTE: Modifying these parameters will modify any primary key generated using them. Modify this function at your own peril.
func DefaultECCEKTemplate ¶
DefaultECCEKTemplate generates a default template for use when generating an ECC key. This template is suitable for use generating an organization Endorsement Key for a user. See section 2.1.5.2 of https://fburl.com/tpmcredentialprofileekv14 for details on the TSS standard ECC EK template, but note this differs. NOTE: Modifying this template will modify any primary key generated using it. Modify this function at your own peril.
func DefaultECCKeyTemplate ¶
DefaultECCKeyTemplate is the default template to use when generating an ECC signing key for general use. NOTE: Modifying this template will modify any primary key generated using it. Modify this function at your own peril.
Types ¶
type CryptoKey ¶
type CryptoKey interface {
// GetHandle returns the handle to the key in the TPM.
GetHandle() tpmutil.Handle
// GetLoadedHandle returns the handle to the key in the TPM when loaded.
// This differs from GetHandle; GetHandle is for the persistent handle of
// the key in the TPM, GetLoadedHandle is for the handle where the key may
// actually be used and may be 0 if the key is not loaded for use.
GetLoadedHandle() tpmutil.Handle
// SetLoadedHandle provides a way to set the TPM handle the key is currently
// loaded at. Set to 0 to indicate the key is not loaded.
SetLoadedHandle(handle tpmutil.Handle)
// Close empties a key's fields to make it invalid for future use.
Close() error
// IsEmpty determines if a TPMKey is empty (has no usable key data).
// Currently this only means the public area is empty.
IsEmpty() bool
// GetECPublicKey extracts the ECC public key parameters from the key's
// public area and returns it to you. If this is not an ECC key, this
// will return an error.
GetECPublicKey() (*utils.ECCPublicKey, error)
// GetPublicArea returns the key's public area.
GetPublicArea() tpm2.Public
// GetPublicBytes returns the raw bytes of the key's public area.
// This may return nil if an error occurs.
GetPublicBytes() []byte
// GetPrivateArea returns the key's private area. This is not guaranteed to
// be available, in which case the returned tpm2.Private struct will be
// empty.
GetPrivateArea() tpm2.Private
// GetPrivateBytes returns the raw bytes of the key's private area. This is
// not guaranteed to be available.
GetPrivateBytes() []byte
// FillKeyData provides a way to fill in key data not directly filled in
// when a key is generated.
FillKeyData(publicBytes, privateBytes, creationData, keyName []byte) error
}
CryptoKey defines the interface any representation of a key to be used with the TPM must implement.
type Cryptoprocessor ¶
type Cryptoprocessor interface {
// Initialize instantiates a new connection to the TPM.
Initialize() error
// CloseTPM shuts down a TPM session. This should always be called right
// before the process exist. After calling `Close()`, calls to the TPM will
// fail and you must fetch a new Cryptoprocessor instance.
Close() error
// GenKeyPair generates a key pair given a label and a tag. The public key
// is returned as X and Y in ASN.1 DER format.
GenKeyPair(keyID string) ([]byte, error)
// GetSecureHardwareVendorData gets vendor specific information from the secure
// hardware implementation available for a given device
GetSecureHardwareVendorData() (*attest.SecureHardwareVendorData, error)
// FindPubKey looks for a key with the specified label and tag and return
// the public key, as X and Y in ASN.1 DER format.
FindPubKey(keyID string) ([]byte, error)
// DeleteKey deletes a key from TPM persistent storage
DeleteKey(keyID string) error
// SignWithKey gets the key with the specified keyID and tag and signs the
// provided data with it. The caller is expected to have hashed the data
// and pass the digest here. The signature is returned in ASN.1 DER format
// with only the R and S values.
SignWithKey(keyID string, digest []byte) ([]byte, error)
// AttestKey performs a TPM 2.0 handshake and attests the provided TPM key
AttestKey(keyID string, attestor attest.Attestor) (*attest.Resp, error)
}
Cryptoprocessor defines the interface to anything handling crypto operations for us. This could be a TPM, or for devices without a TPM it could be local storage with the crypto handled in code.
func GetCryptoprocessor ¶
func GetCryptoprocessor(path string) (Cryptoprocessor, error)
GetCryptoprocessor handles the logic of determining whether to use a physical TPM, on-disk implementation, or software implementation. Set `path` to the absolute path of the TPM device or the unix socket to interface with. Unless you have a good reason, this should be set to `/dev/tpmrm0`.
type KeyHandler ¶
type KeyHandler struct {
// contains filtered or unexported fields
}
KeyHandler stores mapping between key label and key handle.
func NewKeyHandler ¶
func NewKeyHandler(handles map[string]tpmutil.Handle) KeyHandler
NewKeyHandler returns an instance of KeyHandler.
func (*KeyHandler) Get ¶
Get returns handle for given keyID if present, otherwise return next available handle and callback which should be called after tpm key initialization. success indicates whether tpm key initialization was successful or not.
func (*KeyHandler) Remove ¶
func (h *KeyHandler) Remove(keyID string) func(success bool)
Remove deletes handle with given keyID from KeyHandler if present.
Source Files