kairos/tpm-helpers
1
0
Fork 0
mirror of https://github.com/kairos-io/tpm-helpers.git synced 2025-09-25 11:17:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

tpm: add single step functions to perform attestation

Browse Source 
Split generation of the token based on the AK and the EK and the
client authentication.
In particular, make the new funcions agnostic on the channel making
use of a io.ReadWriter interface.
This way, the library could be used for the TPM attestation related
tasks, with no assumptions on the channel or the (extra) data not related
to the TPM attestation exchanged between the client and the server.

Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
This commit is contained in:
Francesco Giudici
2022-08-19 16:04:28 +02:00
committed by Francesco Giudici
parent baef878366
commit d273b298fc
1 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
get.go
View File

@@ -5,6 +5,7 @@ import (
"crypto/x509"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net/http"
"strings"
@@ -16,6 +17,50 @@ import (
"github.com/sirupsen/logrus"
)
// GetAuthToken generates an authentication token from the host TPM.
// It will return the token as a string and the generated AK that should
// be saved by the caller for later Authentication.
func GetAuthToken(opts ...Option) (string, []byte, error) {
c := &config{}
c.apply(opts...)
attestationData, akBytes, err := getAttestationData(c)
if err != nil {
return "", nil, err
}
token, err := getToken(attestationData)
if err != nil {
return "", nil, err
}
return token, akBytes, err
}
// Authenticate will read from the passed channel, expecting a challenge from the
// attestation server, will compute a challenge response via the TPM using the passed
// Attestation Key (AK) and will send it back to the attestation server.
func Authenticate(akBytes []byte, channel io.ReadWriter, opts ...Option) error {
c := &config{}
c.apply(opts...)
var challenge Challenge
if err := json.NewDecoder(channel).Decode(&challenge); err != nil {
return fmt.Errorf("unmarshalling Challenge: %w", err)
}
challengeResp, err := getChallengeResponse(c, challenge.EC, akBytes)
if err != nil {
return err
}
if err := json.NewEncoder(channel).Encode(challengeResp); err != nil {
return fmt.Errorf("encoding ChallengeResponse: %w", err)
}
return nil
}
// Get retrieves a message from a remote ws server after
// a successfully process of the TPM challenge
func Get(url string, opts ...Option) ([]byte, error) {