salrashid123
diff --git a/‎README.md
+1-23 b/‎README.md
+1-23
diff --git a/‎example/README.md
+14-7 b/‎example/README.md
+14-7
diff --git a/‎example/sign_verify_tpm/rsassa_managed/main.go
-87 b/‎example/sign_verify_tpm/rsassa_managed/main.go
-87
diff --git a/‎tpm/tpm.go
+9-156 b/‎tpm/tpm.go
+9-156
@@ -21,8 +21,6 @@ see the [example/](example/) folder for more information.
 
 ---
 
-
-
 >> this library is not supported by google
 
 ---
@@ -77,11 +75,8 @@ If you just want to issue JWT's, see
 
 ### TPM Signer Device management
 
->> **NOTE** there will be a breaking change if you are using this library for TPM based signature after `v0.8.0`.  The new structure uses the [tpm-direct](https://github.com/google/go-tpm/releases/tag/v0.9.0) API.  If you would rather use the tpm2/legacy branch, please use the signer at [v0.7.2](https://github.com/salrashid123/signer/releases/tag/v0.7.2).  While this repo still retain managed and unmanaged handles to the TPM device, its recommended to to manage it externally if you need complex authorization...if its simple authorization like pcr and password or if you need concurrent, non blocking of the TPM device, use library managed handle.  For externally manged, just remember to open-sign-close as the device is locking.
+>> **NOTE** there will be a breaking change if you are using this library for TPM based signature after `v0.8.0`.  The new structure uses the [tpm-direct](https://github.com/google/go-tpm/releases/tag/v0.9.0) API.  If you would rather use the tpm2/legacy branch, please use the signer at [v0.7.2](https://github.com/salrashid123/signer/releases/tag/v0.7.2).   Library managed device was removed (it seems tpm resource managers work well enough...I'm clearly on the fence here given the recent commits..)
 
-For TPM Signer, there are two modes of operation:
-
-* managed externally
 
   The TPM device is managed externally outside of the signer.  You have to instantiate the TPM device ReadWriteCloser and client.Key outside of the library and pass that in.
 
@@ -107,23 +102,6 @@ For TPM Signer, there are two modes of operation:
 	s, err := r.Sign(rand.Reader, digest, crypto.SHA256)
   ```
 
-* managed by library
-
-  This is the preferred mode: you just pass the uint32 handle for the key and the path to the tpm device as string and the library opens/closes it as needed.
-
-  If the device is busy or the TPM is in use during invocation, the operation will fail.
-
-  ```golang
-	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
-		TpmPath:      *tpmPath,
-		KeyHandle:    tpm2.TPMHandle(*handle).HandleValue(),
-		PCRs:         []uint{},
-		AuthPassword: []byte(""),
-	})
-
-	// the tpm is opened and then closed after every sign operation
-	s, err := r.Sign(rand.Reader, digest, crypto.SHA256)
-  ```
 
 TODO use a backoff retry similar to [tpmrand](https://github.com/salrashid123/tpmrand) to prevent contention.
 
@@ -39,10 +39,19 @@ First install latest `tpm2_tools`
 ```bash
 cd example/
 
+## if you want to use a software TPM, 
 # rm -rf /tmp/myvtpm && mkdir /tmp/myvtpm
 # sudo swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear
+
+## then specify "127.0.0.1:2321"  as the TPM device path in the examples
+## then for tpm2_tools, export the following var
 # export TPM2TOOLS_TCTI="swtpm:port=2321"
 
+## note if you want, the primary can be the "H2" profile from https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html#name-parent
+## see https://gist.github.com/salrashid123/9822b151ebb66f4083c5f71fd4cdbe40
+# printf '\x00\x00' > unique.dat
+# tpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt" -u unique.dat
+
 
 ## RSA - no password
 	tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256 -c primary.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
@@ -92,19 +101,17 @@ cd example/
 cd example/
 
 ## RSA-SSA managed externally
-go run sign_verify_tpm/rsassa/main.go --handle=0x81008001
-
-## RSA-SSA managed by library
-go run sign_verify_tpm/rsassa_managed/main.go --handle=0x81008001
+go run sign_verify_tpm/rsassa/main.go --handle=0x81008001 --tpm-path="127.0.0.1:2321"
 
 ## RSA-PSS
-go run sign_verify_tpm/rsapss/main.go --handle=0x81008004
+go run sign_verify_tpm/rsapss/main.go --handle=0x81008004 --tpm-path="127.0.0.1:2321"
 
 ## ECC
-go run sign_verify_tpm/ecc/main.go --handle=0x81008005 
+go run sign_verify_tpm/ecc/main.go --handle=0x81008005 --tpm-path="127.0.0.1:2321"
 
 ## RSA with policy
-go run sign_verify_tpm/policy/main.go --handle=0x81008006
+go run sign_verify_tpm/policy/main.go --handle=0x81008006 --tpm-path="127.0.0.1:2321"
 ```
 
+---
 
@@ -46,17 +46,10 @@ type TPM struct {
 	publicKey       crypto.PublicKey
 	tpmPublic       tpm2.TPMTPublic
 
-	// for externally managed device
 	AuthHandle       *tpm2.AuthHandle   // load a key from handle
 	TpmDevice        io.ReadWriteCloser // TPM read closer
 	EncryptionHandle tpm2.TPMHandle     // (optional) handle to use for transit encryption
 	EncryptionPub    *tpm2.TPMTPublic   // (optional) public key to use for transit encryption
-
-	// for library  managed device
-	TpmPath      string // string path to the tpm ("eg: /dev/tpm0")
-	KeyHandle    uint32 // uint value for the persistent handle
-	PCRs         []uint // pcrs to bind to
-	AuthPassword []byte // auth password
 }
 
 var TPMDEVICES = []string{"/dev/tpm0", "/dev/tpmrm0"}
@@ -75,99 +68,17 @@ func OpenTPM(path string) (io.ReadWriteCloser, error) {
 
 func NewTPMCrypto(conf *TPM) (TPM, error) {
 
-	if conf.TpmDevice == nil && conf.TpmPath == "" {
-		return TPM{}, fmt.Errorf("salrashid123/x/oauth2/google: TpmDevice or TpmPath must be specified")
-	}
-
-	if conf.TpmDevice != nil && conf.TpmPath != "" {
-		return TPM{}, fmt.Errorf("salrashid123/x/oauth2/google: only one of TpmDevice or TpmPath must be specified")
+	if conf.TpmDevice == nil {
+		return TPM{}, fmt.Errorf("salrashid123/x/oauth2/google: TpmDevice must be specified")
 	}
-
-	var rwr transport.TPM
-	var ah *tpm2.AuthHandle
-
-	// if an actual device is specified, its externally managed
-	// so the auth handle shoud've been initialzied before this
-	if conf.TpmDevice != nil {
-		if conf.AuthHandle == nil {
-			return TPM{}, fmt.Errorf("salrashid123/x/oauth2/google: AuthHandle and TpmDevice must be specified")
-		}
-		rwr = transport.FromReadWriter(conf.TpmDevice)
-		ah = conf.AuthHandle
-	} else {
-		// otherwise, its a library managed call
-		// here we'll open up the tpm and read in the
-		// persistent handle
-		//  after enabling for if any password or pcr policies, we'll read the public key..then
-		// wer'e going to close the tpm after this function call
-		rwc, err := OpenTPM(conf.TpmPath)
-		if err != nil {
-			return TPM{}, fmt.Errorf("salrashid123/x/oauth2/google: TpmDevice or TpmPath must be specified")
-		}
-		defer rwc.Close()
-
-		if len(conf.AuthPassword) > 0 && len(conf.PCRs) > 0 {
-			return TPM{}, fmt.Errorf("salrashid123/x/oauth2/google: only auth or pcr policy is supported...")
-		}
-
-		rwr = transport.FromReadWriter(rwc)
-
-		h := tpm2.TPMHandle(conf.KeyHandle)
-		defer func() {
-			flushContextCmd := tpm2.FlushContext{
-				FlushHandle: h,
-			}
-			_, _ = flushContextCmd.Execute(rwr)
-		}()
-
-		pub, err := tpm2.ReadPublic{
-			ObjectHandle: tpm2.TPMHandle(conf.KeyHandle),
-		}.Execute(rwr)
-		if err != nil {
-			return TPM{}, fmt.Errorf("error reading public %v", err)
-		}
-
-		if len(conf.PCRs) > 0 {
-			sess, cleanup, err := tpm2.PolicySession(rwr, tpm2.TPMAlgSHA256, 16)
-			if err != nil {
-				return TPM{}, fmt.Errorf("error creating policy session %v", err)
-			}
-			defer cleanup()
-
-			_, err = tpm2.PolicyPCR{
-				PolicySession: sess.Handle(),
-				Pcrs: tpm2.TPMLPCRSelection{
-					PCRSelections: []tpm2.TPMSPCRSelection{
-						{
-							Hash:      tpm2.TPMAlgSHA256,
-							PCRSelect: tpm2.PCClientCompatible.PCRs(conf.PCRs...),
-						},
-					},
-				},
-			}.Execute(rwr)
-			if err != nil {
-				return TPM{}, fmt.Errorf("error creating policy pcr %v", err)
-			}
-
-			ah = &tpm2.AuthHandle{
-				Handle: h,
-				Name:   pub.Name,
-				Auth:   sess,
-			}
-
-		} else {
-			ah = &tpm2.AuthHandle{
-				Handle: h,
-				Name:   pub.Name,
-				Auth:   tpm2.PasswordAuth(conf.AuthPassword),
-			}
-		}
-
+	if conf.AuthHandle == nil {
+		return TPM{}, fmt.Errorf("salrashid123/x/oauth2/google: AuthHandle and TpmDevice must be specified")
 	}
+	rwr := transport.FromReadWriter(conf.TpmDevice)
 
 	// todo: we should supply the encrypted session here, if set
 	pub, err := tpm2.ReadPublic{
-		ObjectHandle: ah.Handle,
+		ObjectHandle: conf.AuthHandle.Handle,
 	}.Execute(rwr)
 	if err != nil {
 		return TPM{}, fmt.Errorf("google: Unable to Read Public data from TPM: %v", err)
@@ -227,65 +138,7 @@ func (t TPM) Sign(rr io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte,
 	t.refreshMutex.Lock()
 	defer t.refreshMutex.Unlock()
 
-	var rwr transport.TPM
-	var ah *tpm2.AuthHandle
-
-	// for each signature, check if the device is externally
-	// managed or not
-	if t.TpmDevice != nil {
-		rwr = transport.FromReadWriter(t.TpmDevice)
-		ah = t.AuthHandle
-	} else {
-		// since its internally managed, open, sign and then close
-		// the device
-		// we need to reload the key from the handle and apply
-		// any password or pcr policies before the signature
-		rwc, err := OpenTPM(t.TpmPath)
-		if err != nil {
-			return nil, fmt.Errorf("salrashid123/x/oauth2/google: error opening tpm %v", err)
-		}
-		defer rwc.Close()
-
-		rwr = transport.FromReadWriter(rwc)
-
-		pub, err := tpm2.ReadPublic{
-			ObjectHandle: tpm2.TPMHandle(t.KeyHandle),
-		}.Execute(rwr)
-		if err != nil {
-			return nil, fmt.Errorf("salrashid123/x/oauth2/google: error executing tpm2.ReadPublic %v", err)
-		}
-
-		if len(t.PCRs) > 0 {
-			sess, cleanup, err := tpm2.PolicySession(rwr, tpm2.TPMAlgSHA256, 16)
-			if err != nil {
-				return nil, fmt.Errorf("error creating policy session %v", err)
-			}
-			defer cleanup()
-
-			_, err = tpm2.PolicyPCR{
-				PolicySession: sess.Handle(),
-				Pcrs: tpm2.TPMLPCRSelection{
-					PCRSelections: []tpm2.TPMSPCRSelection{
-						{
-							Hash:      tpm2.TPMAlgSHA256,
-							PCRSelect: tpm2.PCClientCompatible.PCRs(t.PCRs...),
-						},
-					},
-				},
-			}.Execute(rwr)
-			if err != nil {
-				return nil, fmt.Errorf("error creating policy pcr %v", err)
-			}
-		} else {
-
-			ah = &tpm2.AuthHandle{
-				Handle: tpm2.TPMHandle(t.KeyHandle),
-				Name:   pub.Name,
-				Auth:   tpm2.PasswordAuth(t.AuthPassword),
-			}
-		}
-
-	}
+	rwr := transport.FromReadWriter(t.TpmDevice)
 
 	var sess tpm2.Session
 
@@ -319,7 +172,7 @@ func (t TPM) Sign(rr io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte,
 			return nil, fmt.Errorf("tpmjwt: can't error getting rsa details %v", err)
 		}
 		rspSign, err := tpm2.Sign{
-			KeyHandle: *ah,
+			KeyHandle: *t.AuthHandle,
 			Digest: tpm2.TPM2BDigest{
 				Buffer: digest[:],
 			},
@@ -359,7 +212,7 @@ func (t TPM) Sign(rr io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte,
 			return nil, fmt.Errorf("tpmjwt: can't error getting rsa details %v", err)
 		}
 		rspSign, err := tpm2.Sign{
-			KeyHandle: *ah,
+			KeyHandle: *t.AuthHandle,
 			Digest: tpm2.TPM2BDigest{
 				Buffer: digest[:],
 			},