Comments (9)

twitchy-jsonp commented on May 4, 2024

Found it: https://github.com/google/go-tpm/blob/master/tpm2/credactivation/credential_activation.go#L53

So you need to make sure your EK crypto.PublicKey is of type *rsa.PublicKey. I'm guessing your round trip through MarshalPKIXPublicKey / ParsePKIXPublicKey is messing up the types.

from go-attestation.

twitchy-jsonp commented on May 4, 2024

Tpm.NewAK().AttestationParameters() is correct, and this is what we do in our unit tests:

```go
func TestSimTPM20ActivateCredential(t *testing.T) {
	sim, tpm := setupSimulatedTPM(t)
	defer sim.Close()

	ak, err := tpm.NewAK(nil)
	if err != nil {
		t.Fatalf("NewAK() failed: %v", err)
	}
	defer ak.Close(tpm)

	EKs, err := tpm.EKs()
	if err != nil {
		t.Fatalf("EKs() failed: %v", err)
	}
	ek := chooseEK(t, EKs)

	// Verifier side: the EK is handed over as a crypto.PublicKey value,
	// not as serialized bytes.
	ap := ActivationParameters{
		TPMVersion: TPMVersion20,
		AK:         ak.AttestationParameters(),
		EK:         ek,
	}
	secret, challenge, err := ap.Generate()
	if err != nil {
		t.Fatalf("Generate() failed: %v", err)
	}

	// TPM side: the AK decrypts the credential and must recover the same secret.
	decryptedSecret, err := ak.ActivateCredential(tpm, *challenge)
	if err != nil {
		t.Errorf("ak.ActivateCredential() failed: %v", err)
	}
	if !bytes.Equal(secret, decryptedSecret) {
		t.Error("secret does not match decrypted secret")
		t.Logf("Secret = %v", secret)
		t.Logf("Decrypted secret = %v", decryptedSecret)
	}
}
```

Can you share your code?


deeluk commented on May 4, 2024

Here are the 2 relevant routines and associated structs:

```go
package tpm // package name assumed from the tpm/tpm.go path in the log line later in the thread

import (
	"crypto/rand" // assumed: the post omits its import block
	"crypto/x509"
	"encoding/hex"

	"github.com/google/go-attestation/attest"
	"go.uber.org/zap"
)

type ActivationBundle struct {
	TPMVersion              attest.TPMVersion `json:"tpmVersion"`
	EK                      []byte            `json:"ek"`
	AK                      []byte            `json:"ak"`
	UseTCSDActivationFormat bool              `json:"useTCSDActivationFormat"`
	CreateData              []byte            `json:"createData"`
	CreateAttestation       []byte            `json:"createAttestation"`
	CreateSignature         []byte            `json:"createSignature"`
	Nonce                   []byte            `json:"nonce"`
}

type Challenge struct {
	Credential []byte `json:"credential"`
	Secret     []byte `json:"secret"`
}

// NewActivationBundle runs on the attesting host: it opens the TPM, creates an
// AK and packages the EK and the AK attestation parameters for the verifier.
func NewActivationBundle() (*ActivationBundle, error) {
	tpm, err := attest.OpenTPM(nil)
	if err != nil {
		zap.S().Errorf("OpenTPM failed %v", err)
		return nil, err
	}
	defer tpm.Close()

	ek, err := tpm.EKs()
	if err != nil {
		zap.S().Errorf("failed to list EKs %v", err)
		return nil, err
	}

	ak, err := tpm.NewAK(&attest.AKConfig{})
	if err != nil {
		zap.S().Errorf("failed to generate AK %v", err)
		return nil, err
	}

	// The EK travels as DER-encoded SubjectPublicKeyInfo; the first EK in the
	// list is used unconditionally.
	ekbytes, err := x509.MarshalPKIXPublicKey(ek[0].Public)
	if err != nil {
		zap.S().Errorf("failed to marshal EK %v", err)
		return nil, err
	}

	ap := ak.AttestationParameters()

	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		zap.S().Errorf("failed to generate nonce %v", err)
		return nil, err
	}

	return &ActivationBundle{
		TPMVersion:              tpm.Version(),
		EK:                      ekbytes,
		AK:                      ap.Public,
		UseTCSDActivationFormat: ap.UseTCSDActivationFormat,
		CreateData:              ap.CreateData,
		CreateAttestation:       ap.CreateAttestation,
		CreateSignature:         ap.CreateSignature,
		Nonce:                   nonce,
	}, nil
}

// GenerateChallenge runs on the verifier: it rebuilds the attestation
// parameters from the bundle and asks go-attestation for a credential challenge.
func GenerateChallenge(activationBundle *ActivationBundle) (*Challenge, error) {
	ap := attest.AttestationParameters{
		Public:                  activationBundle.AK,
		UseTCSDActivationFormat: activationBundle.UseTCSDActivationFormat,
		CreateData:              activationBundle.CreateData,
		CreateAttestation:       activationBundle.CreateAttestation,
		CreateSignature:         activationBundle.CreateSignature,
	}

	activation := &attest.ActivationParameters{
		TPMVersion: activationBundle.TPMVersion,
		// EK is still the raw DER []byte here. The field is a crypto.PublicKey
		// (an empty interface), so this compiles without the bytes being parsed back.
		EK: activationBundle.EK,
		AK: ap,
	}
	secret, challenge, err := activation.Generate()
	if err != nil {
		zap.S().Errorf("Failed to generate activation challenge: %v", err)
		return nil, err
	}

	// Writes the activation secret itself to the application log.
	zap.S().Infow("activation challenge secret", "secret", hex.EncodeToString(secret))

	return &Challenge{
		Credential: challenge.Credential,
		Secret:     challenge.Secret,
	}, nil
}
```

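Added example (not code from this thread or from go-attestation) showing the point twitchy-jsonp makes about the EK's Go type and the parse step the bundle above skips: checkEKType and ekFromBundle are constructed stand-ins for the *rsa.PublicKey check in go-tpm's credactivation, and the ECDSA case shows the same error text coming from a genuinely non-RSA EK rather than from serialization.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
)

// errNotRSA mirrors the error string quoted later in this thread.
var errNotRSA = errors.New("only RSA public keys are supported for credential activation")
// checkEKType is a constructed stand-in for the type assertion in go-tpm's
// credactivation.Generate: the EK must be a *rsa.PublicKey value.
func checkEKType(ek crypto.PublicKey) error {
	if _, ok := ek.(*rsa.PublicKey); !ok {
		return fmt.Errorf("EK has Go type %T: %w", ek, errNotRSA)
	}
	return nil
}

// ekFromBundle is the step the ActivationBundle above skips: parse the DER
// SubjectPublicKeyInfo back into a key before handing it to Generate().
func ekFromBundle(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("parse EK: %w", err)
	}
	if err := checkEKType(pub); err != nil {
		return nil, err // a genuine ECC EK lands here with the same message
	}
	return pub.(*rsa.PublicKey), nil
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&rsaKey.PublicKey)
	// crypto.PublicKey is an empty interface, so the []byte compiles as an EK
	// and is only rejected at runtime: this is the bundle's failure mode.
	fmt.Println("raw DER as EK:", checkEKType(der))
	ek, err := ekFromBundle(der)
	fmt.Println("parsed EK:", ek.N.BitLen(), "bits, err =", err)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecDER, _ := x509.MarshalPKIXPublicKey(&ecKey.PublicKey)
	_, err = ekFromBundle(ecDER)
	fmt.Println("ECC EK:", err)
}
```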

twitchy-jsonp commented on May 4, 2024

Are you sure the error about the RSA key is about the AK and not the EK?

I don't recall if anyone added support for an ECC EK to credential activation. You are just using the first one, ek[0].Public, so perhaps you're not using the RSA one.


deeluk commented on May 4, 2024

I'm not sure whether the error is related to the EK or AK. But I am sure the EK is an RSA key. My TPM only has one EK key and it is an RSA pair. I'll double check though and try to dump the EK bytes and look at the data.


deeluk commented on May 4, 2024

Can confirm TPM only has one EK and it is an RSA key. Evidence:

```text
$ echo -n "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvLrlJbR1rk5Ohz1G6Vi3Q4vOyvJVoUbZsnlFvo5dF7kISAaxC+jhtPktICkdKHIKSRx6KwqOvDuCzihcPmx8URS1qvQ8ofIMyhGVC2H75eEa5/GeCIf/8B4gOiLa0+n0g/FBuY8ProI7x+RcGHN3Omi1f9eCZLOWy4RAnG3punQkhgR2p+KU6MlWn873UH2TpXmIyZMjrTy6G6NrWhnXHlWPnxboIt8N0stCoJxG6BMnju27OWnYBb53PpIf8bCSoZ6arsoutVAQhRrtE4JwxVnHKmRxjSgo1xQqE3ohPIbqP6Ja4DTE/YZk37ribHb2s+5MSYrMpn1Co2DWWRNZwIDAQAB" |base64 -d | openssl rsa -inform der -text -pubin
RSA Public-Key: (2048 bit)
Modulus:
    [modulus hex omitted]
Exponent: 65537 (0x10001)
writing RSA key
[PEM re-encoding of the same key omitted]
```


twitchy-jsonp commented on May 4, 2024

Can you post the exact error string from activation.Generate()?


deeluk commented on May 4, 2024

Sure.
2021-10-13T13:38:48.573-0600 ERROR tpm/tpm.go:135 Failed to generate activation challenge: credactivation.Generate() failed: only RSA public keys are supported for credential activation.


deeluk commented on May 4, 2024

Closing. Appears to be a certificate serialization issue.

