add policy callback interface

Author: salrashid123

README.md

@@ -92,10 +92,9 @@ If you just want to issue JWT's, see
 
 	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		AuthHandle: &tpm2.AuthHandle{
+		NamedHandle: &tpm2.NamedHandle{
 			Handle: tpm2.TPMHandle(*handle),
 			Name:   pub.Name,
-			Auth:   tpm2.PasswordAuth(nil),
 		},
 	})
 	// the tpm is opened and then closed after every sign operation

example/README.md

@@ -81,7 +81,7 @@ cd example/
 	tpm2_flushcontext  -t
 
 
-## for policyRSApersistentHandle
+## for policyPCR
 
 	tpm2_pcrread sha256:23
 	tpm2_startauthsession -S session.dat
@@ -96,6 +96,16 @@ cd example/
 	tpm2_evictcontrol -C o -c key.ctx 0x81008006
 	tpm2_flushcontext  -t
 
+## for policyPassword
+
+	tpm2_createprimary -C o  -G rsa2048:aes128cfb -g sha256  -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
+	tpm2_create -G rsa2048:rsassa:null -p testpwd -g sha256 -u key.pub -r key.priv -C primary.ctx 
+	tpm2_flushcontext  -t
+	tpm2_getcap  handles-transient
+	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx 
+	tpm2_evictcontrol -C o -c key.ctx 0x81008007
+	tpm2_flushcontext  -t	
+
 ## ===== 
 
 cd example/
@@ -109,8 +119,11 @@ go run sign_verify_tpm/rsapss/main.go --handle=0x81008004 --tpm-path="127.0.0.1:
 ## ECC
 go run sign_verify_tpm/ecc/main.go --handle=0x81008005 --tpm-path="127.0.0.1:2321"
 
-## RSA with policy
-go run sign_verify_tpm/policy/main.go --handle=0x81008006 --tpm-path="127.0.0.1:2321"
+## RSA with pcr policy
+go run sign_verify_tpm/policy_pcr/main.go --handle=0x81008006 --tpm-path="127.0.0.1:2321"
+
+## RSA with password policy
+go run sign_verify_tpm/policy_password/main.go --handle=0x81008007 --tpm-path="127.0.0.1:2321"
 ```
 
 ---

example/sign_verify_tpm/ecc/main.go

@@ -88,10 +88,9 @@ func main() {
 
 	er, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		AuthHandle: &tpm2.AuthHandle{
+		NamedHandle: &tpm2.NamedHandle{
 			Handle: tpm2.TPMHandle(*handle),
 			Name:   pub.Name,
-			Auth:   tpm2.PasswordAuth(nil),
 		},
 		ECCRawOutput: true, // use raw output; not asn1
 	})
@@ -131,10 +130,9 @@ func main() {
 	// now verify with ASN1 output format for ecc using library managed device
 	erasn, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		AuthHandle: &tpm2.AuthHandle{
+		NamedHandle: &tpm2.NamedHandle{
 			Handle: tpm2.TPMHandle(*handle),
 			Name:   pub.Name,
-			Auth:   tpm2.PasswordAuth(nil),
 		},
 		//ECCRawOutput: false,
 	})

example/sign_verify_tpm/policy_password/main.go

@@ -0,0 +1,134 @@
+package main
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"encoding/base64"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"os"
+	"slices"
+
+	"github.com/google/go-tpm-tools/simulator"
+	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/tpm2/transport"
+	"github.com/google/go-tpm/tpmutil"
+
+	saltpm "github.com/salrashid123/signer/tpm"
+)
+
+const (
+	emptyPassword   = ""
+	defaultPassword = ""
+)
+
+/*
+
+## RSA - password
+	tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256  -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
+	tpm2_create -G rsa2048:rsassa:null -p testpwd -g sha256 -u key.pub -r key.priv -C primary.ctx
+	tpm2_flushcontext  -t
+	tpm2_getcap  handles-transient
+	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
+	tpm2_evictcontrol -C o -c key.ctx 0x81008006
+	tpm2_flushcontext  -t
+
+go run sign_verify_tpm/policy_password/main.go --handle=0x81008006
+*/
+
+var (
+	tpmPath = flag.String("tpm-path", "/dev/tpmrm0", "Path to the TPM device (character device or a Unix socket).")
+	handle  = flag.Uint("handle", 0x81008006, "rsa Handle value")
+	keyPass = flag.String("keyPass", "testpwd", "KeyPassword")
+)
+
+var TPMDEVICES = []string{"/dev/tpm0", "/dev/tpmrm0"}
+
+func OpenTPM(path string) (io.ReadWriteCloser, error) {
+	if slices.Contains(TPMDEVICES, path) {
+		return tpmutil.OpenTPM(path)
+	} else if path == "simulator" {
+		return simulator.GetWithFixedSeedInsecure(1073741825)
+	} else {
+		return net.Dial("tcp", path)
+	}
+}
+
+func main() {
+
+	flag.Parse()
+
+	rwc, err := OpenTPM(*tpmPath)
+	if err != nil {
+		log.Fatalf("can't open TPM %q: %v", *tpmPath, err)
+	}
+	defer func() {
+		if err := rwc.Close(); err != nil {
+			log.Fatalf("can't close TPM %q: %v", *tpmPath, err)
+		}
+	}()
+
+	rwr := transport.FromReadWriter(rwc)
+
+	pub, err := tpm2.ReadPublic{
+		ObjectHandle: tpm2.TPMHandle(*handle),
+	}.Execute(rwr)
+	if err != nil {
+		log.Fatalf("error executing tpm2.ReadPublic %v", err)
+	}
+
+	stringToSign := "foo"
+	fmt.Printf("Data to sign %s\n", stringToSign)
+
+	b := []byte(stringToSign)
+
+	h := sha256.New()
+	h.Write(b)
+	digest := h.Sum(nil)
+
+	se, err := saltpm.NewPasswordSession(rwr, []byte(*keyPass))
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	rr, err := saltpm.NewTPMCrypto(&saltpm.TPM{
+		TpmDevice: rwc,
+		NamedHandle: &tpm2.NamedHandle{
+			Handle: tpm2.TPMHandle(*handle),
+			Name:   pub.Name,
+		},
+		AuthSession: se,
+	})
+
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	rs, err := rr.Sign(rand.Reader, digest, crypto.SHA256)
+	if err != nil {
+		log.Println(err)
+		os.Exit(1)
+	}
+	fmt.Printf("RSA Signed String: %s\n", base64.StdEncoding.EncodeToString(rs))
+
+	rrsaPubKey, ok := rr.Public().(*rsa.PublicKey)
+	if !ok {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	err = rsa.VerifyPKCS1v15(rrsaPubKey, crypto.SHA256, digest, rs)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	fmt.Printf("RSA Signed String verified\n")
+
+}

example/sign_verify_tpm/policy/main.go example/sign_verify_tpm/policy_pcr/main.go

@@ -99,37 +99,24 @@ func main() {
 	h.Write(b)
 	digest := h.Sum(nil)
 
-	sess, cleanup, err := tpm2.PolicySession(rwr, tpm2.TPMAlgSHA256, 16)
-	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
-	}
-	defer cleanup()
-
-	_, err = tpm2.PolicyPCR{
-		PolicySession: sess.Handle(),
-		Pcrs: tpm2.TPMLPCRSelection{
-			PCRSelections: []tpm2.TPMSPCRSelection{
-				{
-					Hash:      tpm2.TPMAlgSHA256,
-					PCRSelect: tpm2.PCClientCompatible.PCRs(uint(*pcr)),
-				},
-			},
+	se, err := saltpm.NewPCRSession(rwr, []tpm2.TPMSPCRSelection{
+		{
+			Hash:      tpm2.TPMAlgSHA256,
+			PCRSelect: tpm2.PCClientCompatible.PCRs(uint(*pcr)),
 		},
-	}.Execute(rwr)
+	})
 	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
+		fmt.Println(err)
+		os.Exit(1)
 	}
 
-	defer func() {
-		_, err = tpm2.FlushContext{FlushHandle: sess.Handle()}.Execute(rwr)
-	}()
 	rr, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		AuthHandle: &tpm2.AuthHandle{
+		NamedHandle: &tpm2.NamedHandle{
 			Handle: tpm2.TPMHandle(*handle),
 			Name:   pub.Name,
-			Auth:   sess,
 		},
+		AuthSession: se,
 	})
 
 	if err != nil {

example/sign_verify_tpm/rsapss/main.go

@@ -88,10 +88,9 @@ func main() {
 
 	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		AuthHandle: &tpm2.AuthHandle{
+		NamedHandle: &tpm2.NamedHandle{
 			Handle: tpm2.TPMHandle(*handle),
 			Name:   pub.Name,
-			Auth:   tpm2.PasswordAuth(nil),
 		},
 	})
 

example/sign_verify_tpm/rsassa/main.go

@@ -87,10 +87,9 @@ func main() {
 
 	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		AuthHandle: &tpm2.AuthHandle{
+		NamedHandle: &tpm2.NamedHandle{
 			Handle: tpm2.TPMHandle(*handle),
 			Name:   pub.Name,
-			Auth:   tpm2.PasswordAuth(nil),
 		},
 	})