-
Notifications
You must be signed in to change notification settings - Fork 0
/
convert.go
123 lines (105 loc) · 2.86 KB
/
convert.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package tpm2genkey
import (
"bytes"
"encoding/hex"
"fmt"
"strconv"
"strings"
keyfile "github.com/foxboron/go-tpm-keyfiles"
"github.com/google/go-tpm/tpm2"
)
const ()
var ()
type ToPEMConfig struct {
Debug bool // debug logging
Public []byte // TPM2B_PUBLIC
Private []byte // TPM2B_PRIVATE
Parent uint32 // Parent handle
Password []byte // auth password
Description string
CommandCodeHash string
}
type FromPEMConfig struct {
PEM []byte
}
// [TPM2B_PUBLIC, TPM2B_PRIVATE] -> PEM
func ToPEM(h *ToPEMConfig) ([]byte, error) {
// todo: validate input
mtpublic, err := tpm2.Unmarshal[tpm2.TPM2BPublic](h.Public)
if err != nil {
return nil, err
}
p, err := mtpublic.Contents()
if err != nil {
return nil, err
}
mtprivate, err := tpm2.Unmarshal[tpm2.TPM2BPrivate](h.Private)
if err != nil {
return nil, err
}
emptyAuth := true
if len(h.Password) > 0 {
emptyAuth = false
}
cm, err := parseCommandMap(h.CommandCodeHash)
if err != nil {
return nil, err
}
kf := &keyfile.TPMKey{
Keytype: keyfile.OIDLoadableKey,
EmptyAuth: emptyAuth,
AuthPolicy: []*keyfile.TPMAuthPolicy{},
Parent: tpm2.TPMHandle(h.Parent),
Pubkey: tpm2.New2B[tpm2.TPMTPublic, *tpm2.TPMTPublic](*p),
Privkey: tpm2.TPM2BPrivate{
Buffer: mtprivate.Buffer,
},
Description: h.Description,
Policy: cm,
}
if err != nil {
return nil, err
}
keyFileBytes := new(bytes.Buffer)
err = keyfile.Encode(keyFileBytes, kf)
if err != nil {
return nil, err
}
return keyFileBytes.Bytes(), nil
}
// PEM -> [TPM2B_PUBLIC, TPM2B_PRIVATE]
func FromPEM(h *FromPEMConfig) (*keyfile.TPMKey, []byte, []byte, error) {
kf, err := keyfile.Decode(h.PEM)
if err != nil {
return nil, nil, nil, err
}
// todo, optionally print info about the key itself to help using the key.pub, key.prv
// eg, print kf.Parent and if its a permanent handle, then probably create a new primary with h2 template
// and use that to load the keys (thats if the user done't have the oringial primary.ctx handy)
return kf, tpm2.Marshal(kf.Pubkey), tpm2.Marshal(kf.Privkey), nil
}
func parseCommandMap(cm string) ([]*keyfile.TPMPolicy, error) {
var commandMap []*keyfile.TPMPolicy
if len(cm) > 0 {
for _, v := range strings.Split(cm, ",") {
entry := strings.Split(v, ":")
if len(entry) == 2 {
uv, err := strconv.Atoi(entry[0])
if err != nil {
return nil, fmt.Errorf(" TPMPolicy key:value is invalid in parsing %s", v)
}
commandbytes, err := hex.DecodeString(strings.ToLower(entry[1]))
if err != nil {
return nil, fmt.Errorf(" TPMPolicy key:value is invalid in encoding %s", v)
}
commandMap = append(commandMap, &keyfile.TPMPolicy{
CommandCode: uv,
CommandPolicy: commandbytes,
})
} else {
return nil, fmt.Errorf(" TPMPolicy key:value is invalid %s", v)
}
}
}
return commandMap, nil
}