diff --git a/agent/agent.go b/agent/agent.go index aaa2b07..3f530b2 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -240,7 +240,8 @@ func LoadKeys(keyDir string) (map[string]*key.Key, error) { } k, err := key.DecodeKey(f) if err != nil { - return fmt.Errorf("%s not a TPM sealed key: %v", path, err) + log.Printf("%s not a TPM sealed key: %v\n", path, err) + return nil } sshpubkey, err := k.SSHPublicKey() if err != nil { diff --git a/cmd/ssh-tpm-agent/main_test.go b/cmd/ssh-tpm-agent/main_test.go index 1aec403..82f1511 100644 --- a/cmd/ssh-tpm-agent/main_test.go +++ b/cmd/ssh-tpm-agent/main_test.go @@ -14,6 +14,7 @@ import ( "github.com/foxboron/ssh-tpm-agent/agent" "github.com/foxboron/ssh-tpm-agent/key" + "github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2/transport" "github.com/google/go-tpm/tpm2/transport/simulator" "golang.org/x/crypto/ssh" @@ -32,7 +33,8 @@ func newSSHKey() ssh.Signer { return signer } -func setupServer(clientKey ssh.PublicKey) (hostkey ssh.PublicKey, msgSent chan bool) { +func setupServer(clientKey ssh.PublicKey) (hostkey ssh.PublicKey, msgSent chan bool, listener net.Listener) { + var err error hostSigner := newSSHKey() msgSent = make(chan bool) @@ -57,7 +59,7 @@ func setupServer(clientKey ssh.PublicKey) (hostkey ssh.PublicKey, msgSent chan b config.AddHostKey(hostSigner) go func() { - listener, err := net.Listen("tcp", "127.0.0.1:2022") + listener, err = net.Listen("tcp", "127.0.0.1:2022") if err != nil { log.Fatal("failed to listen for connection: ", err) } @@ -105,16 +107,16 @@ func setupServer(clientKey ssh.PublicKey) (hostkey ssh.PublicKey, msgSent chan b // Waiting until the server has started <-srvStart - return hostSigner.PublicKey(), msgSent + return hostSigner.PublicKey(), msgSent, listener } -func TestSSHAuth(t *testing.T) { +func runSSHAuth(t *testing.T, keytype tpm2.TPMAlgID) { tpm, err := simulator.OpenSimulator() if err != nil { t.Fatal(err) } - k, err := key.CreateKey(tpm, []byte("")) + k, err := key.CreateKey(tpm, keytype, []byte("")) if err != nil { t.Fatalf("failed creating key: %v", err) } @@ -123,7 +125,8 @@ func TestSSHAuth(t *testing.T) { t.Fatalf("failed getting ssh public key") } - hostkey, msgSent := setupServer(clientKey) + hostkey, msgSent, listener := setupServer(clientKey) + defer listener.Close() socket := path.Join(t.TempDir(), "socket") @@ -174,3 +177,12 @@ func TestSSHAuth(t *testing.T) { t.Fatalf("failed to connect") } } + +func TestSSHAuth(t *testing.T) { + t.Run("ecdsa - agent", func(t *testing.T) { + runSSHAuth(t, tpm2.TPMAlgECDSA) + }) + t.Run("rsa - agent", func(t *testing.T) { + runSSHAuth(t, tpm2.TPMAlgRSA) + }) +} diff --git a/cmd/ssh-tpm-keygen/main.go b/cmd/ssh-tpm-keygen/main.go index d6fd70e..de53156 100644 --- a/cmd/ssh-tpm-keygen/main.go +++ b/cmd/ssh-tpm-keygen/main.go @@ -13,8 +13,10 @@ import ( "strings" "syscall" + "github.com/foxboron/ssh-tpm-agent/agent" "github.com/foxboron/ssh-tpm-agent/key" "github.com/foxboron/ssh-tpm-agent/utils" + "github.com/google/go-tpm/tpm2" "golang.org/x/crypto/ssh" "golang.org/x/term" ) @@ -25,9 +27,10 @@ const usage = `Usage: ssh-tpm-keygen Options: - -C Comment WIP - -f Output keyfile WIP - -N PIN for the key WIP + -C Comment WIP + -f Output keyfile WIP + -N PIN for the key WIP + -t ecdsa | rsa Specify the type of key to create. Defaults to ecdsa Generate new TPM sealed keys for ssh-tpm-agent. @@ -96,19 +99,34 @@ func main() { var ( comment, outputFile, keyPin string + keyType string swtpmFlag bool ) flag.StringVar(&comment, "C", "", "provide a comment with the key") flag.StringVar(&outputFile, "f", "", "output keyfile") flag.StringVar(&keyPin, "N", "", "new pin for the key") + flag.StringVar(&keyType, "t", "ecdsa", "key to create") flag.BoolVar(&swtpmFlag, "swtpm", false, "use swtpm instead of actual tpm") flag.Parse() - fmt.Println("Generating a sealed public/private ecdsa key pair.") + var tpmkeyType tpm2.TPMAlgID + var filename string + + switch keyType { + case "ecdsa": + tpmkeyType = tpm2.TPMAlgECDSA + filename = "id_ecdsa" + case "rsa": + tpmkeyType = tpm2.TPMAlgRSA + filename = "id_rsa" + } + + fmt.Printf("Generating a sealed public/private %s key pair.\n", keyType) + + filename = path.Join(agent.GetSSHDir(), filename) - filename := path.Join(utils.GetSSHDir(), "id_ecdsa") filenameInput, err := getStdin("Enter file in which to save the key (%s): ", filename) if err != nil { log.Fatal(err) @@ -118,6 +136,7 @@ func main() { } privatekeyFilename := filename + ".tpm" + pubkeyFilename := filename + ".pub" if fileExists(privatekeyFilename) { fmt.Printf("%s already exists.\n", privatekeyFilename) @@ -129,6 +148,16 @@ func main() { return } } + if fileExists(pubkeyFilename) { + fmt.Printf("%s already exists.\n", pubkeyFilename) + s, err := getStdin("Overwrite (y/n)?") + if err != nil { + log.Fatal(err) + } + if s != "y" { + return + } + } var pin []byte pinInput := getPin() @@ -141,7 +170,7 @@ func main() { log.Fatal(err) } defer tpm.Close() - k, err := key.CreateKey(tpm, pin) + k, err := key.CreateKey(tpm, tpmkeyType, pin) if err != nil { log.Fatal(err) } @@ -150,7 +179,7 @@ func main() { if err != nil { log.Fatal(err) } - pubkeyFilename := filename + ".pub" + if err := os.WriteFile(pubkeyFilename, ssh.MarshalAuthorizedKey(sshKey), 0644); err != nil { log.Fatal(err) } diff --git a/key/key.go b/key/key.go index 6d088f4..a9e3b44 100644 --- a/key/key.go +++ b/key/key.go @@ -4,6 +4,7 @@ import ( "bytes" "crypto/ecdsa" "crypto/elliptic" + "crypto/rsa" "encoding/binary" "encoding/pem" "fmt" @@ -36,11 +37,12 @@ func (p PINStatus) String() string { type Key struct { Version uint8 PIN PINStatus + Type tpm2.TPMAlgID Private tpm2.TPM2BPrivate Public tpm2.TPM2BPublic } -func (k *Key) PublicKey() (*ecdsa.PublicKey, error) { +func (k *Key) ecdsaPubKey() (*ecdsa.PublicKey, error) { c := tpm2.BytesAs2B[tpm2.TPMTPublic](k.Public.Bytes()) pub, err := c.Contents() if err != nil { @@ -59,6 +61,33 @@ func (k *Key) PublicKey() (*ecdsa.PublicKey, error) { return ecdsaKey, nil } +func (k *Key) rsaPubKey() (*rsa.PublicKey, error) { + pub, err := k.Public.Contents() + if err != nil { + return nil, fmt.Errorf("failed getting content: %v", err) + } + rsaDetail, err := pub.Parameters.RSADetail() + if err != nil { + return nil, fmt.Errorf("failed getting rsa details: %v", err) + } + rsaUnique, err := pub.Unique.RSA() + if err != nil { + return nil, fmt.Errorf("failed getting unique rsa: %v", err) + } + + return tpm2.RSAPub(rsaDetail, rsaUnique) +} + +func (k *Key) PublicKey() (any, error) { + switch k.Type { + case tpm2.TPMAlgECDSA: + return k.ecdsaPubKey() + case tpm2.TPMAlgRSA: + return k.rsaPubKey() + } + return nil, fmt.Errorf("no public key") +} + func (k *Key) SSHPublicKey() (ssh.PublicKey, error) { pubkey, err := k.PublicKey() if err != nil { @@ -75,6 +104,7 @@ func UnmarshalKey(b []byte) (*Key, error) { for _, k := range []interface{}{ &key.Version, &key.PIN, + &key.Type, } { if err := binary.Read(r, binary.BigEndian, k); err != nil { return nil, err @@ -101,6 +131,7 @@ func MarshalKey(k *Key) []byte { var b bytes.Buffer binary.Write(&b, binary.BigEndian, k.Version) binary.Write(&b, binary.BigEndian, k.PIN) + binary.Write(&b, binary.BigEndian, k.Type) var pub []byte pub = append(pub, tpm2.Marshal(k.Public)...) @@ -111,7 +142,7 @@ func MarshalKey(k *Key) []byte { } var ( - keyType = "TPM EC PRIVATE KEY" + keyType = "TPM PRIVATE KEY" ) func EncodeKey(k *Key) []byte { @@ -131,7 +162,7 @@ func DecodeKey(pemBytes []byte) (*Key, error) { return nil, fmt.Errorf("not an armored key") } switch block.Type { - case "TPM EC PRIVATE KEY": + case "TPM PRIVATE KEY": return UnmarshalKey(block.Bytes) default: return nil, fmt.Errorf("tpm-ssh: unsupported key type %q", block.Type) @@ -139,7 +170,17 @@ func DecodeKey(pemBytes []byte) (*Key, error) { } // Creates a Storage Key, or return the loaded storage key -func CreateSRK(tpm transport.TPMCloser) (*tpm2.AuthHandle, *tpm2.TPMTPublic, error) { +func CreateSRK(tpm transport.TPMCloser, keytype tpm2.TPMAlgID) (*tpm2.AuthHandle, *tpm2.TPMTPublic, error) { + + var public tpm2.TPM2BPublic + switch keytype { + case tpm2.TPMAlgECDSA: + public = tpm2.New2B(tpm2.ECCSRKTemplate) + case tpm2.TPMAlgRSA: + public = tpm2.New2B(tpm2.RSASRKTemplate) + + } + srk := tpm2.CreatePrimary{ PrimaryHandle: tpm2.TPMRHOwner, InSensitive: tpm2.TPM2BSensitiveCreate{ @@ -149,7 +190,7 @@ func CreateSRK(tpm transport.TPMCloser) (*tpm2.AuthHandle, *tpm2.TPMTPublic, err }, }, }, - InPublic: tpm2.New2B(tpm2.ECCSRKTemplate), + InPublic: public, } var rsp *tpm2.CreatePrimaryResponse @@ -170,49 +211,96 @@ func CreateSRK(tpm transport.TPMCloser) (*tpm2.AuthHandle, *tpm2.TPMTPublic, err }, srkPublic, nil } -func CreateKey(tpm transport.TPMCloser, pin []byte) (*Key, error) { - srkHandle, srkPublic, err := CreateSRK(tpm) +var ( + eccPublic = tpm2.New2B(tpm2.TPMTPublic{ + Type: tpm2.TPMAlgECC, + NameAlg: tpm2.TPMAlgSHA256, + ObjectAttributes: tpm2.TPMAObject{ + SignEncrypt: true, + FixedTPM: true, + FixedParent: true, + SensitiveDataOrigin: true, + UserWithAuth: true, + }, + Parameters: tpm2.NewTPMUPublicParms( + tpm2.TPMAlgECC, + &tpm2.TPMSECCParms{ + CurveID: tpm2.TPMECCNistP256, + Scheme: tpm2.TPMTECCScheme{ + Scheme: tpm2.TPMAlgECDSA, + Details: tpm2.NewTPMUAsymScheme( + tpm2.TPMAlgECDSA, + &tpm2.TPMSSigSchemeECDSA{ + HashAlg: tpm2.TPMAlgSHA256, + }, + ), + }, + }, + ), + }) + + rsaPublic = tpm2.New2B(tpm2.TPMTPublic{ + Type: tpm2.TPMAlgRSA, + NameAlg: tpm2.TPMAlgSHA256, + ObjectAttributes: tpm2.TPMAObject{ + SignEncrypt: true, + FixedTPM: true, + FixedParent: true, + SensitiveDataOrigin: true, + UserWithAuth: true, + }, + Parameters: tpm2.NewTPMUPublicParms( + tpm2.TPMAlgRSA, + &tpm2.TPMSRSAParms{ + Scheme: tpm2.TPMTRSAScheme{ + Scheme: tpm2.TPMAlgRSASSA, + Details: tpm2.NewTPMUAsymScheme( + tpm2.TPMAlgRSASSA, + &tpm2.TPMSSigSchemeRSASSA{ + HashAlg: tpm2.TPMAlgSHA256, + }, + ), + }, + KeyBits: 2048, + }, + ), + }) +) + +func CreateKey(tpm transport.TPMCloser, keytype tpm2.TPMAlgID, pin []byte) (*Key, error) { + switch keytype { + case tpm2.TPMAlgECDSA: + case tpm2.TPMAlgRSA: + default: + return nil, fmt.Errorf("unsupported key type") + } + + srkHandle, srkPublic, err := CreateSRK(tpm, keytype) if err != nil { return nil, fmt.Errorf("failed creating SRK: %v", err) } defer utils.FlushHandle(tpm, srkHandle) + var keyPublic tpm2.TPM2BPublic + + switch keytype { + case tpm2.TPMAlgECDSA: + keyPublic = eccPublic + case tpm2.TPMAlgRSA: + keyPublic = rsaPublic + } + // Template for en ECDSA key for signing - eccKey := tpm2.Create{ + createKey := tpm2.Create{ ParentHandle: srkHandle, - InPublic: tpm2.New2B(tpm2.TPMTPublic{ - Type: tpm2.TPMAlgECC, - NameAlg: tpm2.TPMAlgSHA256, - ObjectAttributes: tpm2.TPMAObject{ - SignEncrypt: true, - FixedTPM: true, - FixedParent: true, - SensitiveDataOrigin: true, - UserWithAuth: true, - }, - Parameters: tpm2.NewTPMUPublicParms( - tpm2.TPMAlgECC, - &tpm2.TPMSECCParms{ - CurveID: tpm2.TPMECCNistP256, - Scheme: tpm2.TPMTECCScheme{ - Scheme: tpm2.TPMAlgECDSA, - Details: tpm2.NewTPMUAsymScheme( - tpm2.TPMAlgECDSA, - &tpm2.TPMSSigSchemeECDSA{ - HashAlg: tpm2.TPMAlgSHA256, - }, - ), - }, - }, - ), - }), + InPublic: keyPublic, } pinstatus := NoPIN if !bytes.Equal(pin, []byte("")) { - eccKey.InSensitive = tpm2.TPM2BSensitiveCreate{ + createKey.InSensitive = tpm2.TPM2BSensitiveCreate{ Sensitive: &tpm2.TPMSSensitiveCreate{ UserAuth: tpm2.TPM2BAuth{ Buffer: pin, @@ -222,8 +310,8 @@ func CreateKey(tpm transport.TPMCloser, pin []byte) (*Key, error) { pinstatus = HasPIN } - var eccRsp *tpm2.CreateResponse - eccRsp, err = eccKey.Execute(tpm, + var createRsp *tpm2.CreateResponse + createRsp, err = createKey.Execute(tpm, tpm2.HMAC(tpm2.TPMAlgSHA256, 16, tpm2.AESEncryption(128, tpm2.EncryptIn), tpm2.Salted(srkHandle.Handle, *srkPublic))) @@ -234,8 +322,9 @@ func CreateKey(tpm transport.TPMCloser, pin []byte) (*Key, error) { return &Key{ Version: 1, PIN: pinstatus, - Private: eccRsp.OutPrivate, - Public: eccRsp.OutPublic, + Type: keytype, + Private: createRsp.OutPrivate, + Public: createRsp.OutPublic, }, nil } @@ -259,7 +348,7 @@ func LoadKeyWithParent(tpm transport.TPMCloser, parent tpm2.AuthHandle, key *Key } func LoadKey(tpm transport.TPMCloser, key *Key) (*tpm2.AuthHandle, error) { - srkHandle, _, err := CreateSRK(tpm) + srkHandle, _, err := CreateSRK(tpm, key.Type) if err != nil { return nil, err } diff --git a/key/key_test.go b/key/key_test.go new file mode 100644 index 0000000..ad3e013 --- /dev/null +++ b/key/key_test.go @@ -0,0 +1,112 @@ +package key + +import ( + "reflect" + "testing" + + "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/tpm2/transport/simulator" +) + +func TestECDSACreateKey(t *testing.T) { + tpm, err := simulator.OpenSimulator() + if err != nil { + t.Fatal(err) + } + defer tpm.Close() + k, err := CreateKey(tpm, tpm2.TPMAlgECDSA, []byte("")) + if err != nil { + t.Fatalf("failed key import: %v", err) + } + + // Test if we can load the key + // signer/signer_test.go tests the signing of the key + _, err = LoadKey(tpm, k) + if err != nil { + t.Fatalf("failed loading key: %v", err) + } +} + +func TestRSACreateKey(t *testing.T) { + tpm, err := simulator.OpenSimulator() + if err != nil { + t.Fatal(err) + } + defer tpm.Close() + k, err := CreateKey(tpm, tpm2.TPMAlgRSA, []byte("")) + if err != nil { + t.Fatalf("failed key import: %v", err) + } + + // Test if we can load the key + // signer/signer_test.go tests the signing of the key + _, err = LoadKey(tpm, k) + if err != nil { + t.Fatalf("failed loading key: %v", err) + } +} + +func mustPublic(data []byte) tpm2.TPM2BPublic { + return tpm2.BytesAs2B[tpm2.TPMTPublic](data) +} + +func mustPrivate(data []byte) tpm2.TPM2BPrivate { + return tpm2.TPM2BPrivate{ + Buffer: data, + } +} + +func TestMarshalling(t *testing.T) { + cases := []struct { + k *Key + }{ + { + k: &Key{ + Version: 1, + PIN: HasPIN, + Type: tpm2.TPMAlgECDSA, + Public: mustPublic([]byte("public")), + Private: mustPrivate([]byte("private")), + }, + }, + { + k: &Key{ + Version: 1, + PIN: NoPIN, + Type: tpm2.TPMAlgECDSA, + Public: mustPublic([]byte("public")), + Private: mustPrivate([]byte("private")), + }, + }, + { + k: &Key{ + Version: 1, + PIN: HasPIN, + Type: tpm2.TPMAlgRSA, + Public: mustPublic([]byte("public")), + Private: mustPrivate([]byte("private")), + }, + }, + { + k: &Key{ + Version: 1, + PIN: NoPIN, + Type: tpm2.TPMAlgRSA, + Public: mustPublic([]byte("public")), + Private: mustPrivate([]byte("private")), + }, + }, + } + + for _, c := range cases { + b := EncodeKey(c.k) + k, err := DecodeKey(b) + if err != nil { + t.Fatalf("test failed: %v", err) + } + + if !reflect.DeepEqual(k, c.k) { + t.Fatalf("keys are not the same") + } + } +} diff --git a/signer/signer.go b/signer/signer.go index 6d5f1b9..952b303 100644 --- a/signer/signer.go +++ b/signer/signer.go @@ -70,9 +70,31 @@ func encodeSignature(r, s []byte) ([]byte, error) { return b.Bytes() } +var ( + eccSigScheme = tpm2.TPMTSigScheme{ + Scheme: tpm2.TPMAlgECDSA, + Details: tpm2.NewTPMUSigScheme( + tpm2.TPMAlgECDSA, + &tpm2.TPMSSchemeHash{ + HashAlg: tpm2.TPMAlgSHA256, + }, + ), + } + + rsaSigScheme = tpm2.TPMTSigScheme{ + Scheme: tpm2.TPMAlgRSASSA, + Details: tpm2.NewTPMUSigScheme( + tpm2.TPMAlgRSASSA, + &tpm2.TPMSSchemeHash{ + HashAlg: tpm2.TPMAlgSHA256, + }, + ), + } +) + func (t *TPMSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { if opts.HashFunc() != crypto.SHA256 { - return nil, fmt.Errorf("incorrect checksum") + return nil, fmt.Errorf("%s is not a supported hashing algorithm", opts.HashFunc()) } if len(digest) != 32 { @@ -82,7 +104,7 @@ func (t *TPMSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([] tpm := t.getTPM() defer tpm.Close() - srkHandle, srkPublic, err := key.CreateSRK(tpm) + srkHandle, srkPublic, err := key.CreateSRK(tpm, t.key.Type) if err != nil { return nil, fmt.Errorf("failed creating SRK: %v", err) } @@ -102,19 +124,18 @@ func (t *TPMSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([] handle.Auth = tpm2.PasswordAuth(p) } + var sigscheme tpm2.TPMTSigScheme + switch t.key.Type { + case tpm2.TPMAlgECDSA: + sigscheme = eccSigScheme + case tpm2.TPMAlgRSA: + sigscheme = rsaSigScheme + } + sign := tpm2.Sign{ KeyHandle: *handle, Digest: tpm2.TPM2BDigest{Buffer: digest[:]}, - - InScheme: tpm2.TPMTSigScheme{ - Scheme: tpm2.TPMAlgECDSA, - Details: tpm2.NewTPMUSigScheme( - tpm2.TPMAlgECDSA, - &tpm2.TPMSSchemeHash{ - HashAlg: tpm2.TPMAlgSHA256, - }, - ), - }, + InScheme: sigscheme, Validation: tpm2.TPMTTKHashCheck{ Tag: tpm2.TPMSTHashCheck, }, @@ -128,10 +149,21 @@ func (t *TPMSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([] return nil, fmt.Errorf("failed to sign: %v", err) } - eccsig, err := rspSign.Signature.Signature.ECDSA() - if err != nil { - return nil, fmt.Errorf("failed getting signature: %v", err) + switch t.key.Type { + case tpm2.TPMAlgECDSA: + eccsig, err := rspSign.Signature.Signature.ECDSA() + if err != nil { + return nil, fmt.Errorf("failed getting signature: %v", err) + } + return encodeSignature(eccsig.SignatureR.Buffer, eccsig.SignatureS.Buffer) + case tpm2.TPMAlgRSA: + rsassa, err := rspSign.Signature.Signature.RSASSA() + if err != nil { + return nil, fmt.Errorf("failed getting rsassa signature") + } + + return rsassa.Sig.Buffer, nil } - return encodeSignature(eccsig.SignatureR.Buffer, eccsig.SignatureS.Buffer) + return nil, fmt.Errorf("failed returning signature") } diff --git a/signer/signer_test.go b/signer/signer_test.go index 4be57e8..82a98f6 100644 --- a/signer/signer_test.go +++ b/signer/signer_test.go @@ -3,12 +3,14 @@ package signer import ( "crypto" "crypto/ecdsa" + "crypto/rsa" "crypto/sha256" "fmt" "io" "testing" "github.com/foxboron/ssh-tpm-agent/key" + "github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2/transport" "github.com/google/go-tpm/tpm2/transport/simulator" ) @@ -16,32 +18,63 @@ import ( func TestSigning(t *testing.T) { cases := []struct { msg string + keytype tpm2.TPMAlgID filekey []byte pin []byte signpin []byte shouldfail bool }{ { - msg: "test encryption/decrypt - no pin", + msg: "ecdsa - test encryption/decrypt - no pin", filekey: []byte("this is a test filekey"), + keytype: tpm2.TPMAlgECDSA, }, { - msg: "test encryption/decrypt - pin", + msg: "ecdsa - test encryption/decrypt - pin", filekey: []byte("this is a test filekey"), pin: []byte("123"), signpin: []byte("123"), + keytype: tpm2.TPMAlgECDSA, }, { - msg: "test encryption/decrypt - no pin for sign", + msg: "ecdsa - test encryption/decrypt - no pin for sign", filekey: []byte("this is a test filekey"), pin: []byte("123"), shouldfail: true, + keytype: tpm2.TPMAlgECDSA, }, { - msg: "test encryption/decrypt - no pin for key, pin for sign", + msg: "ecdsa - test encryption/decrypt - no pin for key, pin for sign", filekey: []byte("this is a test filekey"), pin: []byte(""), signpin: []byte("123"), + keytype: tpm2.TPMAlgECDSA, + }, + { + msg: "rsa - test encryption/decrypt - no pin", + filekey: []byte("this is a test filekey"), + keytype: tpm2.TPMAlgRSA, + }, + { + msg: "rsa - test encryption/decrypt - pin", + filekey: []byte("this is a test filekey"), + pin: []byte("123"), + signpin: []byte("123"), + keytype: tpm2.TPMAlgRSA, + }, + { + msg: "rsa - test encryption/decrypt - no pin for sign", + filekey: []byte("this is a test filekey"), + pin: []byte("123"), + shouldfail: true, + keytype: tpm2.TPMAlgRSA, + }, + { + msg: "rsa - test encryption/decrypt - no pin for key, pin for sign", + filekey: []byte("this is a test filekey"), + pin: []byte(""), + signpin: []byte("123"), + keytype: tpm2.TPMAlgRSA, }, } @@ -57,7 +90,7 @@ func TestSigning(t *testing.T) { b := sha256.Sum256([]byte("heyho")) - k, err := key.CreateKey(tpm, c.pin) + k, err := key.CreateKey(tpm, c.keytype, c.pin) if err != nil { t.Fatalf("%v", err) } @@ -97,10 +130,16 @@ func TestSigning(t *testing.T) { t.Fatalf("test should be failing") } - if !ecdsa.VerifyASN1(pubkey, b[:], sig) { - t.Fatalf("invalid signature") + switch pk := pubkey.(type) { + case *ecdsa.PublicKey: + if !ecdsa.VerifyASN1(pk, b[:], sig) { + t.Fatalf("invalid signature") + } + case *rsa.PublicKey: + if err := rsa.VerifyPKCS1v15(pk, crypto.SHA256, b[:], sig); err != nil { + t.Errorf("Signature verification failed: %v", err) + } } - }) } }