func TestValidateEndorsementCert(t *testing.T) {
	aikblob, err := ioutil.ReadFile("./aikblob")
	if err != nil {
		t.Skip("Skipping tests, since there's no ./aikblob file")
	}
	tpmtao, err := tao.NewTPMTao("/dev/tpm0", aikblob, []int{17, 18})
	if err != nil {
		t.Skip("Couldn't create a new TPM Tao:", err)
	}
	tt, ok := tpmtao.(*tao.TPMTao)
	if !ok {
		t.Fatal("Failed to create the right kind of Tao object from NewTPMTao")
	}
	defer tao.CleanUpTPMTao(tt)
	hwPublicKey, err := tpm.UnmarshalRSAPublicKey(aikblob)
	if err != nil {
		t.Fatal(err)
	}

	domain := generateDomain(t)
	policyKey, policyCert := domain.Keys, domain.Keys.Cert
	hwCert := generateEndorsementCertficate(t, policyKey, hwPublicKey, policyCert)
	rootCerts := x509.NewCertPool()
	rootCerts.AddCert(policyCert)
	taoname, err := tt.GetTaoName()
	if err != nil {
		t.Fatal(err)
	}
	err = validateEndorsementCertificate(hwCert, *generateGuard(t), &taoname, rootCerts)
	if err != nil {
		t.Fatal(err)
	}
}
Example #2
0
// NewTPMTao creates a new TPMTao and returns it under the Tao interface.
func NewTPMTao(tpmPath string, aikblob []byte, pcrNums []int) (Tao, error) {
	var err error
	tt := &TPMTao{pcrCount: 24}
	tt.tpmfile, err = os.OpenFile(tpmPath, os.O_RDWR, 0)
	if err != nil {
		return nil, err
	}

	// Make sure the TPMTao releases all its resources
	runtime.SetFinalizer(tt, FinalizeTPMTao)

	// Flush all previously-loaded keys.
	handles, _ := tpm.GetKeys(tt.tpmfile)
	for _, h := range handles {
		h.CloseKey(tt.tpmfile)
	}

	// For now, the SRK Auth value is all zero, which is the well-known value.
	// So, we don't set it here.
	// TODO(tmroeder): add support for general SRK auth values.

	// TODO(tmroeder): the current tpm implementation in go-tpm assumes 24 PCRs.
	// This is not true in general, and it should be generalized there then
	// changed here.
	tt.aikHandle, err = tpm.LoadKey2(tt.tpmfile, aikblob, tt.srkAuth[:])
	if err != nil {
		return nil, err
	}
	lastCreatedTPMTao = tt

	tt.verifier, err = tpm.UnmarshalRSAPublicKey(aikblob)
	if err != nil {
		return nil, err
	}

	// Get the pcr values for the PCR nums.
	tt.pcrNums = make([]int, len(pcrNums))
	for i, v := range pcrNums {
		tt.pcrNums[i] = v
	}

	tt.pcrVals, err = ReadPCRs(tt.tpmfile, pcrNums)
	if err != nil {
		return nil, err
	}

	// Create principal.
	tt.name, err = MakeTPMPrin(tt.verifier, tt.pcrNums, tt.pcrVals)
	if err != nil {
		return nil, err
	}

	return tt, nil
}
func TestVerifyHostAttestation_stackedHost(t *testing.T) {
	aikblob, err := ioutil.ReadFile("./aikblob")
	if err != nil {
		t.Skip("Skipping tests, since there's no ./aikblob file")
	}
	tpmtao, err := tao.NewTPMTao("/dev/tpm0", aikblob, []int{17, 18})
	if err != nil {
		t.Skip("Couldn't create a new TPM Tao:", err)
	}
	tt, ok := tpmtao.(*tao.TPMTao)
	if !ok {
		t.Fatal("Failed to create the right kind of Tao object from NewTPMTao")
	}
	defer tao.CleanUpTPMTao(tt)
	hwPublicKey, err := tpm.UnmarshalRSAPublicKey(aikblob)
	if err != nil {
		t.Fatal(err)
	}

	domain := generateDomain(t)
	policyKey, policyCert := domain.Keys, domain.Keys.Cert
	hwCert := generateEndorsementCertficate(t, policyKey, hwPublicKey, policyCert)
	hostKey, hostAtt := generateTpmAttestation(t, tt, hostName)
	programKey, programAtt := generateAttestation(t, hostKey, programName)
	rawEnd1, err := proto.Marshal(hostAtt)
	if err != nil {
		t.Fatal("Error serializing attestation.")
	}
	rawEnd2 := hwCert.Raw
	programAtt.SerializedEndorsements = [][]byte{rawEnd1, rawEnd2}
	rawAtt, err := proto.Marshal(programAtt)
	if err != nil {
		t.Fatal("Error serializing attestation.")
	}
	certPool := x509.NewCertPool()
	certPool.AddCert(policyCert)
	speaker, key, prog, err := VerifyHostAttestation(rawAtt, domain, certPool)
	if err != nil {
		t.Fatal("Test attesation failed verification checks.", err)
	}
	if !programName.Identical(prog) {
		t.Fatal("Attestation program name not identical to expected program name.")
	}
	if !programKey.SigningKey.ToPrincipal().Identical(key) {
		t.Fatal("Attestation program key not identical to expected program key.")
	}
	if !hostKey.SigningKey.ToPrincipal().Identical(speaker) {
		t.Fatal("Attestation host key not identical to expected host key.")
	}
}
Example #4
0
func makeTPMPrin(tpmPath, aikFile string, pcrNums []int) auth.Prin {
	// Read AIK blob (TPM's public key).
	aikblob, err := ioutil.ReadFile(aikFile)
	options.FailIf(err, "Can't read TPM aik file")

	verifier, err := tpm.UnmarshalRSAPublicKey(aikblob)
	options.FailIf(err, "Can't parse TPM key")

	// Open a connection to the TPM.
	tpmFile, err := os.OpenFile(tpmPath, os.O_RDWR, 0)
	options.FailIf(err, "Can't access TPM")

	// Read registers corresponding to pcrNums.
	pcrVals, err := tao.ReadPCRs(tpmFile, pcrNums)
	tpmFile.Close()
	options.FailIf(err, "Can't read PCRs from TPM")

	// Construct a TPM principal.
	prin, err := tao.MakeTPMPrin(verifier, pcrNums, pcrVals)
	options.FailIf(err, "Can't create TPM principal")

	return prin
}