Add TPM Key Support #74

Merged: 31 commits, Nov 8, 2024. The diff shown below is from 1 of those commits.

Commits (31):
6e5e91b  Add stub of TPMv2 support (dwmw2, Jun 12, 2023)
3610922  Flesh out unimplemented TPMv2Signer a little more (dwmw2, Jun 14, 2023)
a17714e  Basic shell of TPM, working at least for EC (dwmw2, Jun 14, 2023)
eda60b6  Add RSA support (dwmw2, Jun 15, 2023)
72ead0c  Add TPM support to docs (dwmw2, Jun 15, 2023)
77a97d5  Add tests for TPM (dwmw2, Jul 3, 2023)
5d35347  Allow $TPM_DEVICE to set TPM device path (dwmw2, Jul 4, 2023)
908569c  Add swtpm testing (dwmw2, Jul 4, 2023)
2944557  Test cert + key both in one PEM file (dwmw2, Jul 4, 2023)
42afaef  Merge in dwmw2:tpm (13ajay, Jun 12, 2024)
e785ffd  Merge branch 'dwmw2-tpm' into pkcs11 (13ajay, Jun 12, 2024)
7767d1d  Support password-protected TPM signing keys (13ajay, Jun 26, 2024)
aca9860  Add testing for RSA TPM keys that have the Sign capability (13ajay, Jun 26, 2024)
5cec079  Code formatting and clean up (13ajay, Jun 26, 2024)
38e0412  Add further documentation around TPM keys (13ajay, Jun 26, 2024)
cceb33d  Add TPM capability check before signing (13ajay, Jun 27, 2024)
085de24  Add parent key password support (13ajay, Jun 28, 2024)
2b1ea32  Add tests to verify parent key password support (13ajay, Aug 11, 2024)
8a09473  Fix builds on Windows (13ajay, Sep 6, 2024)
dfbcf65  Introduce flags to convey intent when not using TPM key passwords (13ajay, Sep 19, 2024)
70904cc  Add some more tests for TPMv2Signer (13ajay, Sep 19, 2024)
7bdd7a9  Accept TPM key handles (13ajay, Oct 17, 2024)
0694dfc  Switch Makefile to using Intel tools to generate TPM fixtures (13ajay, Oct 18, 2024)
54968db  Determine authorization requirement based on CLI flags or key file (13ajay, Oct 19, 2024)
d6c3740  Improve TPM key guidance (13ajay, Oct 19, 2024)
a17522f  Fix 'scripts' section of README (13ajay, Oct 23, 2024)
574140c  Modify TPM key file password indication behavior (13ajay, Oct 24, 2024)
8ac0e84  Miscellaneous changes (13ajay, Nov 6, 2024)
19bb307  Error out when TPM key files are used on Windows (13ajay, Nov 6, 2024)
15598e3  Merge branch 'main' into tpm (13ajay, Nov 6, 2024)
d937441  Update THIRD-PARTY-LICENSES.txt (13ajay, Nov 7, 2024)
Add stub of TPMv2 support
This does nothing useful yet, except detecting that we were given a
TSS2 private key blob and reporting that it's not supported. It does
help to ensure that when we come to implement this, we'll get the
user experience right. Which is "just give us the file".

We can do the actual implementation either via OpenSSL with one of
the TPM engines/providers, or by parsing the TSS2 ASN.1 ourselves
and driving the TPM directly. Not sure which is easier from Go.
dwmw2 committed Jul 5, 2023
commit 6e5e91b5451897bf47770b7c85739b60b577e25a
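The second of the two routes the commit message weighs, parsing the TSS2 ASN.1 in Go instead of going through an OpenSSL engine or provider, looks like the following. This is an added example and not code from this pull request or from the project; the field layout follows the TCG/IETF draft "ASN.1 Specification for TPM 2.0 Key Files" as the editor knows it, the names `ParseTSS2PEM`, `NeedsPassword` and `sampleKey` are the editor's own, and the key blobs inside the sample file are constructed placeholders rather than real TPM2B_PUBLIC/TPM2B_PRIVATE structures (a real file would come from tpm2-tss-engine, tpm2-openssl or the tss2 tools). Beyond the "is this a TSS2 key" probe in the stub, it checks the things a signer needs before it can load the key: the key type is loadable (sealed and importable keys cannot be used for signing as-is), the parent handle is a valid 32-bit TPM handle, and, as the later commits in this PR do, whether the file's emptyAuth flag says the user must supply a password.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
)

// PEM label used by the TSS2 key file format (the same label the stub probes for).
const tss2PEMType = "TSS2 PRIVATE KEY"

// Key-type OIDs from the TCG tpmkey arc (2.23.133.10.1). Only a loadable key
// can be handed to TPM2_Load and then used for signing.
var (
	oidLoadableKey   = asn1.ObjectIdentifier{2, 23, 133, 10, 1, 3}
	oidImportableKey = asn1.ObjectIdentifier{2, 23, 133, 10, 1, 4}
	oidSealedKey     = asn1.ObjectIdentifier{2, 23, 133, 10, 1, 5}
)

// tpmPolicy is one TPMPolicy element: a TPM command code plus its policy blob.
type tpmPolicy struct {
	CommandCode   int    `asn1:"explicit,tag:0"`
	CommandPolicy []byte `asn1:"explicit,tag:1"`
}

// tpmAuthPolicy is one named alternative policy (TPMAuthPolicy in the draft).
type tpmAuthPolicy struct {
	Name   string      `asn1:"optional,explicit,tag:0,utf8"`
	Policy []tpmPolicy `asn1:"explicit,tag:1"`
}

// TPMKey mirrors the TPMKey SEQUENCE carried in a "TSS2 PRIVATE KEY" PEM block.
// Tagged fields are OPTIONAL in the draft, so Go's encoding/asn1 skips them when absent.
type TPMKey struct {
	Type        asn1.ObjectIdentifier
	EmptyAuth   bool            `asn1:"optional,explicit,tag:0"`
	Policy      []tpmPolicy     `asn1:"optional,explicit,tag:1"`
	Secret      []byte          `asn1:"optional,explicit,tag:2"`
	AuthPolicy  []tpmAuthPolicy `asn1:"optional,explicit,tag:3"`
	Description string          `asn1:"optional,explicit,tag:4,utf8"`
	Parent      int64           // parent handle; persistent handles are 0x81xxxxxx
	PubKey      []byte          // TPM2B_PUBLIC as returned by TPM2_Create
	PrivKey     []byte          // TPM2B_PRIVATE, wrapped by the TPM under the parent
}

// NeedsPassword reports whether an auth value must be supplied to use the key.
// Per the draft, a key file without emptyAuth TRUE is password protected.
func (k *TPMKey) NeedsPassword() bool { return !k.EmptyAuth }

// ParseTSS2PEM decodes a TSS2 key file and validates the fields a signer relies on.
func ParseTSS2PEM(data []byte) (*TPMKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != tss2PEMType {
		return nil, fmt.Errorf("unexpected PEM type %q, want %q", block.Type, tss2PEMType)
	}
	var key TPMKey
	rest, err := asn1.Unmarshal(block.Bytes, &key)
	if err != nil {
		return nil, fmt.Errorf("malformed TPMKey: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing data after TPMKey")
	}
	switch {
	case key.Type.Equal(oidLoadableKey):
	case key.Type.Equal(oidImportableKey), key.Type.Equal(oidSealedKey):
		return nil, fmt.Errorf("key type %v cannot be used for signing", key.Type)
	default:
		return nil, fmt.Errorf("unknown key type %v", key.Type)
	}
	if key.Parent < 0 || key.Parent > 0xFFFFFFFF {
		return nil, fmt.Errorf("parent handle %#x is not a 32-bit TPM handle", key.Parent)
	}
	if len(key.PubKey) == 0 || len(key.PrivKey) == 0 {
		return nil, errors.New("missing public or private key blob")
	}
	return &key, nil
}

// sampleKey builds a constructed TSS2 PRIVATE KEY file for the example. The blobs are
// placeholders, not real TPM2B structures, so this file would not load on a TPM.
func sampleKey(emptyAuth bool) []byte {
	key := TPMKey{
		Type:      oidLoadableKey,
		EmptyAuth: emptyAuth,
		Parent:    0x81000001,
		PubKey:    []byte("constructed-TPM2B_PUBLIC"),
		PrivKey:   []byte("constructed-TPM2B_PRIVATE"),
	}
	der, err := asn1.Marshal(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: tss2PEMType, Bytes: der})
}

func main() {
	for _, empty := range []bool{true, false} {
		k, err := ParseTSS2PEM(sampleKey(empty))
		if err != nil {
			panic(err)
		}
		fmt.Printf("parent=%#x needsPassword=%v pub=%dB priv=%dB\n",
			k.Parent, k.NeedsPassword(), len(k.PubKey), len(k.PrivKey))
	}
	// A plain software key is rejected with a clear message instead of being misread.
	_, err := ParseTSS2PEM([]byte("-----BEGIN EC PRIVATE KEY-----\nAA==\n-----END EC PRIVATE KEY-----\n"))
	fmt.Println("non-TSS2 file:", err)
}
```

Loading the parsed blobs into the TPM (TPM2_Load under `Parent`, then TPM2_Sign) is the part this example leaves to a TPM library such as go-tpm; the parse step above is what decides whether to prompt for a password and which handle to load under.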
5 changes: 5 additions & 0 deletions aws_signing_helper/signer.go
Expand Up @@ -190,6 +190,11 @@ func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string,
if strings.HasPrefix(privateKeyId, "pkcs11:") {
return GetPKCS11Signer(opts.LibPkcs11, certificate, certificateChain, opts.PrivateKeyId, opts.CertificateId)
} else {
_, err := parseDERFromPEM(privateKeyId, "TSS2 PRIVATE KEY")
if err == nil {
return nil, "", errors.New("TPMv2 support not implemented yet")
}

privateKey, err := ReadPrivateKeyData(privateKeyId)
if err != nil {
return nil, "", err
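Review bot: the TSS2 probe added in the `else` branch reads and PEM-parses the key file once for `parseDERFromPEM(privateKeyId, "TSS2 PRIVATE KEY")` and then `ReadPrivateKeyData(privateKeyId)` reads and parses it again on the non-TPM path, so every software key now costs two reads; consider reading the file once and dispatching on the PEM block type, which also puts "TSS2 PRIVATE KEY" beside the RSA/EC labels in one place for the real implementation to replace later. The placeholder error would also be more useful with the path in it, for example `fmt.Errorf("TPMv2 support not implemented yet (%s)", privateKeyId)`, since this helper is usually run non-interactively and the message is all the user sees.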