Print TSS2 formatted key with tss2=true on a TPM KMS

smallstep · Nov 6, 2023 · b233ac5 · b233ac5
1 parent 566bd2a
commit b233ac5
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/cmd/create.go b/cmd/create.go
@@ -23,7 +23,9 @@ import (
 	"go.step.sm/crypto/kms"
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/softkms"
+	"go.step.sm/crypto/kms/tpmkms"
 	"go.step.sm/crypto/pemutil"
+	"go.step.sm/crypto/tpm/tss2"
 
 	"github.com/smallstep/step-kms-plugin/internal/flagutil"
 	"github.com/smallstep/step-kms-plugin/internal/termutil"
@@ -168,6 +170,18 @@ Keys in a PKCS #11 module requires an id in hexadecimal as well as a label
 			}
 		}
 
+		// Print TSS2 private key if available. Currently if "tss2=true" is added to the URI.
+		if _, ok := km.(*tpmkms.TPMKMS); ok && resp.PrivateKey != nil {
+			if key, ok := resp.PrivateKey.(*tss2.TPMKey); ok {
+				b, err := key.EncodeToMemory()
+				if err != nil {
+					return fmt.Errorf("failed to serialize the private key: %w", err)
+				}
+				fmt.Print(string(b))
+				return nil
+			}
+		}
+
 		// Print the public key
 		block, err := pemutil.Serialize(resp.PublicKey)
 		if err != nil {