add direct x509 support

Signed-off-by: sal rashid <[email protected]>

Author: salrashid123

.goreleaser.yml

@@ -0,0 +1,48 @@
+project_name: github.com/salrashid123/signer
+version: 2
+release:
+  draft: true
+  github:
+    owner: salrashid123
+    name: github.com/salrashid123
+  name_template: '{{.Tag}}'
+  extra_files:
+gomod:
+  dir: ./tpm/
+  gobinary: go
+builds:
+- skip: true
+archives:
+  - id: archive
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    formats: ['tar.gz']
+    files:
+      - LICENSE*
+      - README*    
+      - dist/*.sig      
+snapshot:
+  version_template: '{{ .Version }}'
+checksum:
+  name_template: '{{ .ProjectName }}_checksums.txt'
+  algorithm: sha256
+dist: dist
+signs:
+  - cmd: gpg
+    id: gpg
+    artifacts: all
+    output: true
+    args:
+      - "--batch"
+      - "--local-user"
+      - "{{ .Env.GPG_FINGERPRINT }}" # "5D8EA7261718FE5728BA937C97341836616BF511" [email protected] https://keyserver.ubuntu.com/pks/lookup?search=5D8EA7261718FE5728BA937C97341836616BF511&fingerprint=on&op=index
+      - "--output"
+      - "${signature}"
+      - "--detach-sign"
+      - "${artifact}"
+env_files:
+  github_token: ~/.config/goreleaser/github_token
+source:
+  name_template: '{{ .ProjectName }}-{{ .Version }}'
+  format: tar.gz
+github_urls:
+  download: https://github.com

example/README.md

@@ -56,55 +56,52 @@ cd example/
 ## RSA - no password
 	tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256 -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
 	tpm2_create -G rsa2048:rsassa:null -g sha256 -u key.pub -r key.priv -C primary.ctx
-	tpm2_flushcontext  -t
 	tpm2_getcap  handles-transient
 	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
 	tpm2_evictcontrol -C o -c key.ctx 0x81008001
-	tpm2_flushcontext  -t
+
+### RSA - no password with PEM key file
+
+	printf '\x00\x00' > unique.dat
+	tpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt" -u unique.dat
+
+	tpm2_create -G rsa2048:rsapss:null -g sha256 -u key.pub -r key.priv -C primary.ctx  --format=pem --output=rsapss_public.pem
+	tpm2_getcap  handles-transient
+	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
+	tpm2_encodeobject -C primary.ctx -u key.pub -r key.priv -o key.pem
 
 ## rsa-pss
 	tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256 -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
-	tpm2_create -G rsa2048:rsapss:null -g sha256 -u key.pub -r key.priv -C primary.ctx  --format=pem --output=rsapss_public.pem
-	tpm2_flushcontext  -t
 	tpm2_getcap  handles-transient 
 	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
 	tpm2_evictcontrol -C o -c key.ctx 0x81008004
-	tpm2_flushcontext  -t
 
 ## ecc
 	tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256 -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
 	tpm2_create -G ecc:ecdsa  -g sha256  -u key.pub -r key.priv -C primary.ctx  --format=pem --output=ecc_public.pem
-	tpm2_flushcontext  -t
 	tpm2_getcap  handles-transient  
 	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
 	tpm2_evictcontrol -C o -c key.ctx 0x81008005    
-	tpm2_flushcontext  -t
-
 
 ## for policyPCR
 
 	tpm2_pcrread sha256:23
 	tpm2_startauthsession -S session.dat
 	tpm2_policypcr -S session.dat -l sha256:23  -L policy.dat
 	tpm2_flushcontext session.dat
-	tpm2_flushcontext  -t
 	tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256  -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
 	tpm2_create -G rsa2048:rsassa:null -g sha256 -u key.pub -r key.priv -C primary.ctx  -L policy.dat
-	tpm2_flushcontext  -t
 	tpm2_getcap  handles-transient
 	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
 	tpm2_evictcontrol -C o -c key.ctx 0x81008006
-	tpm2_flushcontext  -t
 
 ## for policyPassword
 
 	tpm2_createprimary -C o  -G rsa2048:aes128cfb -g sha256  -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
 	tpm2_create -G rsa2048:rsassa:null -p testpwd -g sha256 -u key.pub -r key.priv -C primary.ctx 
-	tpm2_flushcontext  -t
 	tpm2_getcap  handles-transient
 	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx 
 	tpm2_evictcontrol -C o -c key.ctx 0x81008007
-	tpm2_flushcontext  -t	
 
 ## ===== 
 

example/go.mod

@@ -1,8 +1,8 @@
 module main
 
-go 1.22
+go 1.22.0
 
-toolchain go1.22.2
+toolchain go1.24.0
 
 require (
 	github.com/google/go-tpm v0.9.1
@@ -20,6 +20,7 @@ require (
 	cloud.google.com/go/kms v1.17.1 // indirect
 	cloud.google.com/go/longrunning v0.5.7 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/foxboron/go-tpm-keyfiles v0.0.0-20241207144721-04534a2f2feb // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect

example/go.sum

@@ -26,6 +26,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20241207144721-04534a2f2feb h1:kwNzot0LHHST1wdN8zP5hSWITzPubfEZlwyRspMAzFg=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20241207144721-04534a2f2feb/go.mod h1:uAyTlAUxchYuiFjTHmuIEJ4nGSm7iOPaGcAyA81fJ80=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=

example/sign_verify_tpm/keyfile/main.go

@@ -0,0 +1,165 @@
+package main
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"encoding/base64"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"os"
+	"slices"
+
+	keyfile "github.com/foxboron/go-tpm-keyfiles"
+	"github.com/google/go-tpm-tools/simulator"
+	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/tpm2/transport"
+	"github.com/google/go-tpm/tpmutil"
+	saltpm "github.com/salrashid123/signer/tpm"
+)
+
+const ()
+
+/*
+
+
+## keyfile with H2 template
+	printf '\x00\x00' > unique.dat
+	tpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt" -u unique.dat
+
+	tpm2_create -G rsa2048:rsapss:null -g sha256 -u key.pub -r key.priv -C primary.ctx  --format=pem --output=rsapss_public.pem
+	tpm2_getcap  handles-transient
+	tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
+	tpm2_encodeobject -C primary.ctx -u key.pub -r key.priv -o key.pem
+*/
+
+var (
+	tpmPath = flag.String("tpm-path", "/dev/tpmrm0", "Path to the TPM device (character device or a Unix socket).")
+	pemFile = flag.String("pemFile", "key.pem", "KeyFile in PEM format")
+)
+
+var TPMDEVICES = []string{"/dev/tpm0", "/dev/tpmrm0"}
+
+func OpenTPM(path string) (io.ReadWriteCloser, error) {
+	if slices.Contains(TPMDEVICES, path) {
+		return tpmutil.OpenTPM(path)
+	} else if path == "simulator" {
+		return simulator.Get()
+	} else {
+		return net.Dial("tcp", path)
+	}
+}
+
+func main() {
+
+	flag.Parse()
+
+	rwc, err := OpenTPM(*tpmPath)
+	if err != nil {
+		log.Fatalf("can't open TPM %q: %v", *tpmPath, err)
+	}
+	defer func() {
+		if err := rwc.Close(); err != nil {
+			log.Fatalf("can't close TPM %q: %v", *tpmPath, err)
+		}
+	}()
+
+	rwr := transport.FromReadWriter(rwc)
+
+	c, err := os.ReadFile(*pemFile)
+	if err != nil {
+		log.Fatalf("can't load keys %q: %v", *tpmPath, err)
+	}
+	key, err := keyfile.Decode(c)
+	if err != nil {
+		log.Fatalf("can't decode keys %q: %v", *tpmPath, err)
+	}
+
+	primaryKey, err := tpm2.CreatePrimary{
+		PrimaryHandle: key.Parent,
+		InPublic:      tpm2.New2B(keyfile.ECCSRK_H2_Template),
+	}.Execute(rwr)
+	if err != nil {
+		log.Fatalf("can't create primary %q: %v", *tpmPath, err)
+	}
+
+	defer func() {
+		flushContextCmd := tpm2.FlushContext{
+			FlushHandle: primaryKey.ObjectHandle,
+		}
+		_, _ = flushContextCmd.Execute(rwr)
+	}()
+
+	rsaKey, err := tpm2.Load{
+		ParentHandle: tpm2.AuthHandle{
+			Handle: primaryKey.ObjectHandle,
+			Name:   tpm2.TPM2BName(primaryKey.Name),
+			Auth:   tpm2.PasswordAuth([]byte("")),
+		},
+		InPublic:  key.Pubkey,
+		InPrivate: key.Privkey,
+	}.Execute(rwr)
+
+	if err != nil {
+		log.Fatalf("can't load  hmacKey : %v", err)
+	}
+
+	pub, err := tpm2.ReadPublic{
+		ObjectHandle: rsaKey.ObjectHandle,
+	}.Execute(rwr)
+	if err != nil {
+		log.Fatalf("error executing tpm2.ReadPublic %v", err)
+	}
+
+	stringToSign := "foo"
+	fmt.Printf("Data to sign %s\n", stringToSign)
+
+	b := []byte(stringToSign)
+
+	h := sha256.New()
+	h.Write(b)
+	digest := h.Sum(nil)
+
+	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
+		TpmDevice: rwc,
+		NamedHandle: &tpm2.NamedHandle{
+			Handle: rsaKey.ObjectHandle,
+			Name:   pub.Name,
+		},
+	})
+
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	s, err := r.Sign(rand.Reader, digest, crypto.SHA256)
+	if err != nil {
+		log.Println(err)
+		os.Exit(1)
+	}
+	fmt.Printf("RSA Signed String: %s\n", base64.StdEncoding.EncodeToString(s))
+
+	rsaPubKey, ok := r.Public().(*rsa.PublicKey)
+	if !ok {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	opts := &rsa.PSSOptions{
+		Hash:       crypto.SHA256,
+		SaltLength: rsa.PSSSaltLengthAuto,
+	}
+	err = rsa.VerifyPSS(rsaPubKey, crypto.SHA256, digest, s, opts)
+	if err != nil {
+		fmt.Println(err)
+		return
+	}
+
+	fmt.Printf("RSA Signed String verified\n")
+
+}

kms/kms.go

@@ -40,13 +40,17 @@ type KMS struct {
 	KeyRing            string
 	Key                string
 	KeyVersion         string
-	x509Certificate    *x509.Certificate
+	X509Certificate    *x509.Certificate
 	ECCRawOutput       bool // for ECC keys, output raw signatures. If false, signature is ans1 formatted
 	SignatureAlgorithm x509.SignatureAlgorithm
 }
 
 func NewKMSCrypto(conf *KMS) (KMS, error) {
 
+	if conf.X509Certificate != nil && conf.PublicKeyFile != "" {
+		return KMS{}, fmt.Errorf("salrashid123/signer: Either X509Certificate or a the path to the certificate must be specified; not both")
+	}
+
 	if conf.SignatureAlgorithm == x509.UnknownSignatureAlgorithm {
 		conf.SignatureAlgorithm = x509.SHA256WithRSA
 	}
@@ -87,11 +91,7 @@ func (t KMS) Public() crypto.PublicKey {
 
 func (t KMS) TLSCertificate() (tls.Certificate, error) {
 
-	if t.PublicKeyFile == "" {
-		return tls.Certificate{}, fmt.Errorf("public X509 certificate not specified")
-	}
-
-	if t.x509Certificate == nil {
+	if t.X509Certificate == nil {
 		pubPEM, err := os.ReadFile(t.PublicKeyFile)
 		if err != nil {
 			return tls.Certificate{}, fmt.Errorf("unable to read keys %v", err)
@@ -104,14 +104,14 @@ func (t KMS) TLSCertificate() (tls.Certificate, error) {
 		if err != nil {
 			return tls.Certificate{}, fmt.Errorf("failed to parse public key: %v ", err)
 		}
-		t.x509Certificate = pub
+		t.X509Certificate = pub
 	}
 
 	var privKey crypto.PrivateKey = t
 	return tls.Certificate{
 		PrivateKey:  privKey,
-		Leaf:        t.x509Certificate,
-		Certificate: [][]byte{t.x509Certificate.Raw},
+		Leaf:        t.X509Certificate,
+		Certificate: [][]byte{t.X509Certificate.Raw},
 	}, nil
 }