From 5a6795fdde4d748235374eff2956c5ee75faaac0 Mon Sep 17 00:00:00 2001 From: max furman Date: Wed, 16 Aug 2023 21:45:04 -0700 Subject: [PATCH 1/2] ReadCertificate[Bundle|Request] PEM check whole file for PEM header. --- go.mod | 2 +- pemutil/pem.go | 9 ++++-- pemutil/pem_test.go | 2 ++ pemutil/testdata/nonPEMHeaderCa.crt | 45 +++++++++++++++++++++++++++++ 4 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 pemutil/testdata/nonPEMHeaderCa.crt diff --git a/go.mod b/go.mod index 4bcda647..1e64327a 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module go.step.sm/crypto -go 1.18 +go 1.20 require ( cloud.google.com/go/kms v1.15.1 diff --git a/pemutil/pem.go b/pemutil/pem.go index e02512eb..0941323d 100644 --- a/pemutil/pem.go +++ b/pemutil/pem.go @@ -44,6 +44,9 @@ var PromptPassword PasswordPrompter // check if a file exists and prompts the user if it should be overwritten. var WriteFile FileWriter = utils.WriteFile +// PEMBlockHeader is the expected header for any PEM formatted block. +var PEMBlockHeader = []byte("-----BEGIN ") + // context add options to the pem methods. type context struct { filename string @@ -282,7 +285,7 @@ func ReadCertificate(filename string, opts ...Options) (*x509.Certificate, error } // PEM format - if bytes.HasPrefix(b, []byte("-----BEGIN ")) { + if bytes.Contains(b, PEMBlockHeader) { var crt interface{} crt, err = Read(filename, opts...) if err != nil { @@ -311,7 +314,7 @@ func ReadCertificateBundle(filename string) ([]*x509.Certificate, error) { } // PEM format - if bytes.HasPrefix(b, []byte("-----BEGIN ")) { + if bytes.Contains(b, PEMBlockHeader) { var block *pem.Block var bundle []*x509.Certificate for len(b) > 0 { @@ -352,7 +355,7 @@ func ReadCertificateRequest(filename string) (*x509.CertificateRequest, error) { } // PEM format - if bytes.HasPrefix(b, []byte("-----BEGIN ")) { + if bytes.Contains(b, PEMBlockHeader) { csr, err := Parse(b, WithFilename(filename)) if err != nil { return nil, err diff --git a/pemutil/pem_test.go b/pemutil/pem_test.go index 362b7e53..5659ee42 100644 --- a/pemutil/pem_test.go +++ b/pemutil/pem_test.go @@ -338,6 +338,7 @@ func TestReadCertificate(t *testing.T) { err error }{ {"testdata/ca.crt", nil, nil}, + {"testdata/nonPEMHeaderCa.crt", nil, nil}, {"testdata/ca.der", nil, nil}, {"testdata/bundle.crt", []Options{WithFirstBlock()}, nil}, {"testdata/bundle.crt", nil, errors.New("error decoding testdata/bundle.crt: contains more than one PEM encoded block")}, @@ -370,6 +371,7 @@ func TestReadCertificateBundle(t *testing.T) { err error }{ {"testdata/ca.crt", 1, nil}, + {"testdata/nonPEMHeaderCa.crt", 1, nil}, {"testdata/ca.der", 1, nil}, {"testdata/bundle.crt", 2, nil}, {"testdata/notexists.crt", 0, errors.New("error reading testdata/notexists.crt: no such file or directory")}, diff --git a/pemutil/testdata/nonPEMHeaderCa.crt b/pemutil/testdata/nonPEMHeaderCa.crt new file mode 100644 index 00000000..3d186eec --- /dev/null +++ b/pemutil/testdata/nonPEMHeaderCa.crt @@ -0,0 +1,45 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + fe:9f:60:35:b0:13:ba:d4:be:fb:84:ec:70:ed:3d:ed + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = testroot + Validity + Not Before: Aug 15 17:50:02 2023 GMT + Not After : Aug 16 17:50:02 2023 GMT + Subject: CN = testroot + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:bf:f8:db:3c:7a:c2:a4:b2:f5:51:e9:43:80:98: + 68:b2:1b:62:25:11:a7:de:03:74:27:6a:04:82:99: + 9a:7d:da:e7:a6:a6:a5:12:ad:c9:de:65:61:12:00: + a6:6d:39:b6:46:d8:f5:b4:a8:77:69:da:1f:35:2b: + 28:70:33:1e:90 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:1 + X509v3 Subject Key Identifier: + 38:E0:29:66:91:8C:E3:42:0F:85:A5:BA:78:B6:1F:49:E3:34:33:D5 + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:20:37:78:01:d9:e7:4d:9c:2c:2f:3c:09:41:8a:2f: + 3f:65:b5:6a:31:eb:10:a9:92:a0:74:98:d6:9c:50:45:1c:56: + 02:21:00:bf:b5:53:37:97:f0:f5:14:df:22:00:22:47:4f:7d: + 41:c5:5d:b6:24:58:e4:d2:09:b1:3d:9b:7b:0f:3f:cb:ba +-----BEGIN CERTIFICATE----- +MIIBajCCARCgAwIBAgIRAP6fYDWwE7rUvvuE7HDtPe0wCgYIKoZIzj0EAwIwEzER +MA8GA1UEAxMIdGVzdHJvb3QwHhcNMjMwODE1MTc1MDAyWhcNMjMwODE2MTc1MDAy +WjATMREwDwYDVQQDEwh0ZXN0cm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BL/42zx6wqSy9VHpQ4CYaLIbYiURp94DdCdqBIKZmn3a56ampRKtyd5lYRIApm05 +tkbY9bSod2naHzUrKHAzHpCjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8E +CDAGAQH/AgEBMB0GA1UdDgQWBBQ44ClmkYzjQg+Fpbp4th9J4zQz1TAKBggqhkjO +PQQDAgNIADBFAiA3eAHZ502cLC88CUGKLz9ltWox6xCpkqB0mNacUEUcVgIhAL+1 +UzeX8PUU3yIAIkdPfUHFXbYkWOTSCbE9m3sPP8u6 +-----END CERTIFICATE----- From 8353738b5468c4bbf86a9acd927b480d7dfffa94 Mon Sep 17 00:00:00 2001 From: max furman Date: Thu, 17 Aug 2023 14:56:27 -0700 Subject: [PATCH 2/2] linter fixes --- jose/parse.go | 2 +- keyutil/key_test.go | 9 +- kms/awskms/awskms.go | 2 +- kms/awskms/signer.go | 2 +- kms/azurekms/signer.go | 2 +- kms/cloudkms/decrypter.go | 2 +- kms/cloudkms/signer.go | 2 +- kms/pkcs11/other_test.go | 2 +- kms/pkcs11/pkcs11.go | 2 +- kms/softkms/softkms.go | 2 +- kms/sshagentkms/sshagentkms.go | 6 +- kms/tpmkms/tpmkms.go | 2 +- kms/yubikey/yubikey.go | 2 +- minica/minica_test.go | 2 +- sshutil/certificate_test.go | 2 +- tlsutil/renewer.go | 6 +- tpm/random.go | 2 +- tpm/skae/extension.go | 156 +++++++++++++++++---------------- x509util/certificate_test.go | 2 +- 19 files changed, 105 insertions(+), 102 deletions(-) diff --git a/jose/parse.go b/jose/parse.go index 8496a648..9807af03 100644 --- a/jose/parse.go +++ b/jose/parse.go @@ -375,7 +375,7 @@ func guessSignatureAlgorithm(key crypto.PrivateKey) SignatureAlgorithm { // guessKnownJWKAlgorithm sets the algorithm for keys that only have one // possible algorithm. -func guessKnownJWKAlgorithm(ctx *context, jwk *JSONWebKey) { +func guessKnownJWKAlgorithm(_ *context, jwk *JSONWebKey) { if jwk.Algorithm == "" && jwk.Use != "enc" { switch k := jwk.Key.(type) { case *ecdsa.PrivateKey: diff --git a/keyutil/key_test.go b/keyutil/key_test.go index d086e783..5d8f047d 100644 --- a/keyutil/key_test.go +++ b/keyutil/key_test.go @@ -50,9 +50,9 @@ yBf6oiIb/beb/pTFqSy86KUe+E4Y5SSlEz2lqg79WIosZgkHbSBsmU7hGg== type badSSHPublicKey struct{} -func (k *badSSHPublicKey) Type() string { return "foo" } -func (k *badSSHPublicKey) Marshal() []byte { return []byte("bar") } -func (k *badSSHPublicKey) Verify(data []byte, sig *ssh.Signature) error { return nil } +func (k *badSSHPublicKey) Type() string { return "foo" } +func (k *badSSHPublicKey) Marshal() []byte { return []byte("bar") } +func (k *badSSHPublicKey) Verify(_ []byte, _ *ssh.Signature) error { return nil } func must(args ...interface{}) interface{} { if err := args[len(args)-1]; err != nil { @@ -63,6 +63,7 @@ func must(args ...interface{}) interface{} { var randReader = rand.Reader +//nolint:gocritic // ignore sloppy func name due to function signature func cleanupRandReader(t *testing.T) { rr := rand.Reader t.Cleanup(func() { @@ -81,7 +82,7 @@ func (zeroReader) Read(buf []byte) (int, error) { type eofReader struct{} -func (eofReader) Read(buf []byte) (int, error) { +func (eofReader) Read(_ []byte) (int, error) { return 0, io.EOF } diff --git a/kms/awskms/awskms.go b/kms/awskms/awskms.go index 3e265f56..a85dc71a 100644 --- a/kms/awskms/awskms.go +++ b/kms/awskms/awskms.go @@ -74,7 +74,7 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{ // // AWS sessions can also be configured with environment variables, see docs at // https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for all the options. -func New(ctx context.Context, opts apiv1.Options) (*KMS, error) { +func New(_ context.Context, opts apiv1.Options) (*KMS, error) { var o session.Options if opts.URI != "" { diff --git a/kms/awskms/signer.go b/kms/awskms/signer.go index 1099b295..47418f3a 100644 --- a/kms/awskms/signer.go +++ b/kms/awskms/signer.go @@ -61,7 +61,7 @@ func (s *Signer) Public() crypto.PublicKey { } // Sign signs digest with the private key stored in the AWS KMS. -func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { +func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { alg, err := getSigningAlgorithm(s.Public(), opts) if err != nil { return nil, err diff --git a/kms/azurekms/signer.go b/kms/azurekms/signer.go index 70f10006..c6a75e6d 100644 --- a/kms/azurekms/signer.go +++ b/kms/azurekms/signer.go @@ -70,7 +70,7 @@ func (s *Signer) Public() crypto.PublicKey { } // Sign signs digest with the private key stored in the Azure Key Vault. -func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { +func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { alg, err := getSigningAlgorithm(s.Public(), opts) if err != nil { return nil, err diff --git a/kms/cloudkms/decrypter.go b/kms/cloudkms/decrypter.go index ee1d509e..a7e47f92 100644 --- a/kms/cloudkms/decrypter.go +++ b/kms/cloudkms/decrypter.go @@ -90,7 +90,7 @@ func validateOAEPOptions(o *rsa.OAEPOptions) error { // for those cases. // // Also see https://cloud.google.com/kms/docs/algorithms#asymmetric_encryption_algorithms. -func (d *Decrypter) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) { +func (d *Decrypter) Decrypt(_ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) { if opts == nil { opts = &rsa.OAEPOptions{} } diff --git a/kms/cloudkms/signer.go b/kms/cloudkms/signer.go index c4db9eeb..9fec685c 100644 --- a/kms/cloudkms/signer.go +++ b/kms/cloudkms/signer.go @@ -56,7 +56,7 @@ func (s *Signer) Public() crypto.PublicKey { } // Sign signs digest with the private key stored in Google's Cloud KMS. -func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { +func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { req := &kmspb.AsymmetricSignRequest{ Name: s.signingKey, Digest: &kmspb.Digest{}, diff --git a/kms/pkcs11/other_test.go b/kms/pkcs11/other_test.go index 9f4ab4a8..d1c69d0c 100644 --- a/kms/pkcs11/other_test.go +++ b/kms/pkcs11/other_test.go @@ -124,7 +124,7 @@ func (s *stubPKCS11) DeleteCertificate(id, label []byte, serial *big.Int) error return nil } -func (s *stubPKCS11) GenerateRSAKeyPairWithAttributes(public, private crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error) { +func (s *stubPKCS11) GenerateRSAKeyPairWithAttributes(public, _ crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error) { var id, label []byte if v := public[crypto11.CkaId]; v != nil { id = v.Value diff --git a/kms/pkcs11/pkcs11.go b/kms/pkcs11/pkcs11.go index 838334de..8010ad26 100644 --- a/kms/pkcs11/pkcs11.go +++ b/kms/pkcs11/pkcs11.go @@ -76,7 +76,7 @@ type PKCS11 struct { // - pkcs11:token=smallstep;id=0a10;object=ec-key?pin-value=password // - pkcs11:token=smallstep;id=%0a%10?pin-source=/path/to/pin.txt // - pkcs11:token=smallstep;object=ec-key?pin-value=password -func New(ctx context.Context, opts apiv1.Options) (*PKCS11, error) { +func New(_ context.Context, opts apiv1.Options) (*PKCS11, error) { if opts.URI == "" { return nil, errors.New("kms uri is required") } diff --git a/kms/softkms/softkms.go b/kms/softkms/softkms.go index c5ae74b9..6854d392 100644 --- a/kms/softkms/softkms.go +++ b/kms/softkms/softkms.go @@ -53,7 +53,7 @@ var generateKey = func(kty, crv string, size int) (interface{}, interface{}, err type SoftKMS struct{} // New returns a new SoftKMS. -func New(ctx context.Context, opts apiv1.Options) (*SoftKMS, error) { +func New(_ context.Context, _ apiv1.Options) (*SoftKMS, error) { return &SoftKMS{}, nil } diff --git a/kms/sshagentkms/sshagentkms.go b/kms/sshagentkms/sshagentkms.go index e38c1d90..390a2ed7 100644 --- a/kms/sshagentkms/sshagentkms.go +++ b/kms/sshagentkms/sshagentkms.go @@ -35,7 +35,7 @@ type SSHAgentKMS struct { } // New returns a new SSHAgentKMS. -func New(ctx context.Context, opts apiv1.Options) (*SSHAgentKMS, error) { +func New(_ context.Context, _ apiv1.Options) (*SSHAgentKMS, error) { socket := os.Getenv("SSH_AUTH_SOCK") conn, err := net.Dial("unix", socket) if err != nil { @@ -51,7 +51,7 @@ func New(ctx context.Context, opts apiv1.Options) (*SSHAgentKMS, error) { // NewFromAgent initializes an SSHAgentKMS from a given agent, this method is // used for testing purposes. -func NewFromAgent(ctx context.Context, opts apiv1.Options, agentClient agent.Agent) (*SSHAgentKMS, error) { +func NewFromAgent(_ context.Context, _ apiv1.Options, agentClient agent.Agent) (*SSHAgentKMS, error) { return &SSHAgentKMS{ agentClient: agentClient, }, nil @@ -193,7 +193,7 @@ func (k *SSHAgentKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signe } // CreateKey generates a new key and returns both public and private key. -func (k *SSHAgentKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) { +func (k *SSHAgentKMS) CreateKey(_ *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) { return nil, errors.Errorf("SSHAgentKMS doesn't support generating keys") } diff --git a/kms/tpmkms/tpmkms.go b/kms/tpmkms/tpmkms.go index e8cc0ed0..70b04f36 100644 --- a/kms/tpmkms/tpmkms.go +++ b/kms/tpmkms/tpmkms.go @@ -139,7 +139,7 @@ var signatureAlgorithmMapping = map[apiv1.SignatureAlgorithm]algorithmAttributes // The TPMKMS implementation is backed by an instance of the TPM from // the `tpm` package. If the TPMKMS operations aren't sufficient for // your use case, use a tpm.TPM instance instead. -func New(ctx context.Context, opts apiv1.Options) (kms *TPMKMS, err error) { +func New(_ context.Context, opts apiv1.Options) (kms *TPMKMS, err error) { kms = &TPMKMS{ identityEarlyRenewalEnabled: true, identityRenewalPeriodPercentage: 60, // default to AK certificate renewal at 60% of lifetime diff --git a/kms/yubikey/yubikey.go b/kms/yubikey/yubikey.go index 09b3d929..f002c534 100644 --- a/kms/yubikey/yubikey.go +++ b/kms/yubikey/yubikey.go @@ -72,7 +72,7 @@ var pivOpen = func(card string) (pivKey, error) { // // If the pin or the management-key are not provided, we will use the default // ones. -func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) { +func New(_ context.Context, opts apiv1.Options) (*YubiKey, error) { pin := "123456" managementKey := piv.DefaultManagementKey diff --git a/minica/minica_test.go b/minica/minica_test.go index f3a10921..e1974763 100644 --- a/minica/minica_test.go +++ b/minica/minica_test.go @@ -23,7 +23,7 @@ func (p badSigner) Public() crypto.PublicKey { return []byte("foo") } -func (p badSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { +func (p badSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { return nil, errors.New("foo") } diff --git a/sshutil/certificate_test.go b/sshutil/certificate_test.go index 6bb09e6f..7f67d685 100644 --- a/sshutil/certificate_test.go +++ b/sshutil/certificate_test.go @@ -26,7 +26,7 @@ func (b *badSigner) Sign(r io.Reader, data []byte) (*ssh.Signature, error) { return nil, fmt.Errorf("an error") } -func (b *badSigner) SignWithAlgorithm(r io.Reader, data []byte, algorithm string) (*ssh.Signature, error) { +func (b *badSigner) SignWithAlgorithm(_ io.Reader, data []byte, algorithm string) (*ssh.Signature, error) { return nil, fmt.Errorf("an error") } diff --git a/tlsutil/renewer.go b/tlsutil/renewer.go index e6e7f544..e9f38dd9 100644 --- a/tlsutil/renewer.go +++ b/tlsutil/renewer.go @@ -127,21 +127,21 @@ func (r *Renewer) Stop() bool { // GetCertificate returns the current server certificate. // // This method is set in the tls.Config GetCertificate property. -func (r *Renewer) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) { +func (r *Renewer) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) { return r.getCertificate(), nil } // GetClientCertificate returns the current client certificate. // // This method is set in the tls.Config GetClientCertificate property. -func (r *Renewer) GetClientCertificate(hello *tls.CertificateRequestInfo) (*tls.Certificate, error) { +func (r *Renewer) GetClientCertificate(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) { return r.getCertificate(), nil } // GetConfigForClient returns the tls.Config used per request. // // This method is set in the tls.Config GetConfigForClient property. -func (r *Renewer) GetConfigForClient(hello *tls.ClientHelloInfo) (*tls.Config, error) { +func (r *Renewer) GetConfigForClient(_ *tls.ClientHelloInfo) (*tls.Config, error) { return r.getConfigForClient(), nil } diff --git a/tpm/random.go b/tpm/random.go index 6edabf7e..6cb5a56c 100644 --- a/tpm/random.go +++ b/tpm/random.go @@ -29,7 +29,7 @@ func (t *TPM) GenerateRandom(ctx context.Context, size uint16) (random []byte, e return t.generateRandom(ctx, size) } -func (t *TPM) generateRandom(ctx context.Context, size uint16) (random []byte, err error) { +func (t *TPM) generateRandom(_ context.Context, size uint16) (random []byte, err error) { random, err = tpm2.GetRandom(t.rwc, size) if err != nil { return nil, fmt.Errorf("failed generating random data: %w", err) diff --git a/tpm/skae/extension.go b/tpm/skae/extension.go index 0d4aee49..e6d22879 100644 --- a/tpm/skae/extension.go +++ b/tpm/skae/extension.go @@ -1,3 +1,4 @@ +//nolint:unused // ignore unused types for now package skae import ( @@ -5,7 +6,6 @@ import ( "crypto/x509/pkix" "encoding/asn1" "errors" - "fmt" "math/big" "github.com/smallstep/go-attestation/attest" @@ -17,100 +17,102 @@ var ( oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2} ) -func CreateSubjectKeyAttestationEvidenceExtension(akCert *x509.Certificate, params attest.CertificationParameters, shouldEncrypt bool) (pkix.Extension, error) { +func CreateSubjectKeyAttestationEvidenceExtension(_ *x509.Certificate, _ attest.CertificationParameters, _ bool) (pkix.Extension, error) { return pkix.Extension{}, errors.New("not implemented yet") // return early; not verified to be working as expected yet - asn1Issuer, err := asn1.Marshal(akCert.Issuer.ToRDNSequence()) //nolint:govet // intentionally breaking early - if err != nil { - return pkix.Extension{}, fmt.Errorf("error marshaling issuer: %w", err) - } + /* + asn1Issuer, err := asn1.Marshal(akCert.Issuer.ToRDNSequence()) //nolint:govet // intentionally breaking early + if err != nil { + return pkix.Extension{}, fmt.Errorf("error marshaling issuer: %w", err) + } - skaeExtension := asn1SKAE{ - TCGSpecVersion: asn1TCGSpecVersion{Major: 2, Minor: 0}, - KeyAttestationEvidence: asn1KeyAttestationEvidence{}, - } + skaeExtension := asn1SKAE{ + TCGSpecVersion: asn1TCGSpecVersion{Major: 2, Minor: 0}, + KeyAttestationEvidence: asn1KeyAttestationEvidence{}, + } - attestationEvidence := asn1AttestationEvidence{ - TPMCertifyInfo: asn1TPMCertifyInfo{ - CertifyInfo: asn1.BitString{ // TODO: check if setting the values like this is correct - Bytes: params.CreateAttestation, - BitLength: len(params.CreateAttestation) * 8, - }, - Signature: asn1.BitString{ - Bytes: params.CreateSignature, - BitLength: len(params.CreateSignature) * 8, - }, - }, - TPMIdentityCredAccessInfo: asn1TPMIdentityCredentialAccessInfo{ - AuthorityInfoAccess: createAIA(akCert), - IssuerSerial: issuerAndSerial{ - IssuerName: asn1.RawValue{FullBytes: asn1Issuer}, - SerialNumber: akCert.SerialNumber, + attestationEvidence := asn1AttestationEvidence{ + TPMCertifyInfo: asn1TPMCertifyInfo{ + CertifyInfo: asn1.BitString{ // TODO: check if setting the values like this is correct + Bytes: params.CreateAttestation, + BitLength: len(params.CreateAttestation) * 8, + }, + Signature: asn1.BitString{ + Bytes: params.CreateSignature, + BitLength: len(params.CreateSignature) * 8, + }, }, - }, - } - - aeb, err := asn1.Marshal(attestationEvidence) - if err != nil { - return pkix.Extension{}, fmt.Errorf("error marshaling attestation evidence: %w", err) - } - - if !shouldEncrypt { - //skaeExtension.KeyAttestationEvidence.AttestEvidence = attestationEvidence - skaeExtension.KeyAttestationEvidence.Evidence = asn1.RawValue{ - Class: asn1.ClassContextSpecific, - IsCompound: true, - Tag: 0, // CHOICE "0" - Bytes: aeb, - } - } else { - // TODO: encrypt the AttestEvidence to (right) recipient; set it as the EnvelopedAttestEvidence - encryptedAEB := aeb - - eae := asn1EnvelopedAttestationEvidence{ - RecipientInfos: []recipientInfo{}, // TODO: fill recipient(s) - EncryptedAttestInfo: asn1EncryptedAttestationInfo{ - EncryptionAlgorithm: pkix.AlgorithmIdentifier{ - Algorithm: nil, // TODO: select and fill + TPMIdentityCredAccessInfo: asn1TPMIdentityCredentialAccessInfo{ + AuthorityInfoAccess: createAIA(akCert), + IssuerSerial: issuerAndSerial{ + IssuerName: asn1.RawValue{FullBytes: asn1Issuer}, + SerialNumber: akCert.SerialNumber, }, - EncryptedAttestEvidence: encryptedAEB, }, } - eaeBytes, err := asn1.Marshal(eae) + aeb, err := asn1.Marshal(attestationEvidence) if err != nil { - return pkix.Extension{}, errors.New("error marshaling EnvelopedAttestationEvidence") + return pkix.Extension{}, fmt.Errorf("error marshaling attestation evidence: %w", err) } - skaeExtension.KeyAttestationEvidence.Evidence = asn1.RawValue{ - Class: asn1.ClassContextSpecific, - IsCompound: true, - Tag: 1, // CHOICE "1" - Bytes: eaeBytes, - } + if !shouldEncrypt { + //skaeExtension.KeyAttestationEvidence.AttestEvidence = attestationEvidence + skaeExtension.KeyAttestationEvidence.Evidence = asn1.RawValue{ + Class: asn1.ClassContextSpecific, + IsCompound: true, + Tag: 0, // CHOICE "0" + Bytes: aeb, + } + } else { + // TODO: encrypt the AttestEvidence to (right) recipient; set it as the EnvelopedAttestEvidence + encryptedAEB := aeb + + eae := asn1EnvelopedAttestationEvidence{ + RecipientInfos: []recipientInfo{}, // TODO: fill recipient(s) + EncryptedAttestInfo: asn1EncryptedAttestationInfo{ + EncryptionAlgorithm: pkix.AlgorithmIdentifier{ + Algorithm: nil, // TODO: select and fill + }, + EncryptedAttestEvidence: encryptedAEB, + }, + } - return pkix.Extension{}, errors.New("encrypting the AttestEvidence is not yet supported") - } + eaeBytes, err := asn1.Marshal(eae) + if err != nil { + return pkix.Extension{}, errors.New("error marshaling EnvelopedAttestationEvidence") + } - skaeExtensionBytes, err := asn1.Marshal(skaeExtension) - if err != nil { - return pkix.Extension{}, fmt.Errorf("creating SKAE extension failed: %w", err) - } + skaeExtension.KeyAttestationEvidence.Evidence = asn1.RawValue{ + Class: asn1.ClassContextSpecific, + IsCompound: true, + Tag: 1, // CHOICE "1" + Bytes: eaeBytes, + } - result := pkix.Extension{ - Id: oidSubjectKeyAttestationEvidence, - Critical: false, // non standard extension; don't break clients - Value: skaeExtensionBytes, - } + return pkix.Extension{}, errors.New("encrypting the AttestEvidence is not yet supported") + } - b, err := asn1.Marshal(result) - if err != nil { - return result, err - } + skaeExtensionBytes, err := asn1.Marshal(skaeExtension) + if err != nil { + return pkix.Extension{}, fmt.Errorf("creating SKAE extension failed: %w", err) + } + + result := pkix.Extension{ + Id: oidSubjectKeyAttestationEvidence, + Critical: false, // non standard extension; don't break clients + Value: skaeExtensionBytes, + } + + b, err := asn1.Marshal(result) + if err != nil { + return result, err + } - _ = b + _ = b - return result, nil + return result, nil + */ } func createAIA(ak *x509.Certificate) []asn1AuthorityInfoAccessSyntax { diff --git a/x509util/certificate_test.go b/x509util/certificate_test.go index 2aae98da..2d902824 100644 --- a/x509util/certificate_test.go +++ b/x509util/certificate_test.go @@ -107,7 +107,7 @@ func (b *badSigner) Public() crypto.PublicKey { return b.pub } -func (b *badSigner) Sign(random io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { +func (b *badSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { return nil, fmt.Errorf("💥") }