func TestValidateEndorsementCert(t *testing.T) {
aikblob, err := ioutil.ReadFile("./aikblob")
if err != nil {
t.Skip("Skipping tests, since there's no ./aikblob file")
}
tpmtao, err := tao.NewTPMTao("/dev/tpm0", aikblob, []int{17, 18})
if err != nil {
t.Skip("Couldn't create a new TPM Tao:", err)
}
tt, ok := tpmtao.(*tao.TPMTao)
if !ok {
t.Fatal("Failed to create the right kind of Tao object from NewTPMTao")
}
defer tao.CleanUpTPMTao(tt)
hwPublicKey, err := tpm.UnmarshalRSAPublicKey(aikblob)
if err != nil {
t.Fatal(err)
}
domain := generateDomain(t)
policyKey, policyCert := domain.Keys, domain.Keys.Cert
hwCert := generateEndorsementCertficate(t, policyKey, hwPublicKey, policyCert)
rootCerts := x509.NewCertPool()
rootCerts.AddCert(policyCert)
taoname, err := tt.GetTaoName()
if err != nil {
t.Fatal(err)
}
err = validateEndorsementCertificate(hwCert, *generateGuard(t), &taoname, rootCerts)
if err != nil {
t.Fatal(err)
}
}
// NewTPMTao creates a new TPMTao and returns it under the Tao interface.
func NewTPMTao(tpmPath string, aikblob []byte, pcrNums []int) (Tao, error) {
var err error
tt := &TPMTao{pcrCount: 24}
tt.tpmfile, err = os.OpenFile(tpmPath, os.O_RDWR, 0)
if err != nil {
return nil, err
}
// Make sure the TPMTao releases all its resources
runtime.SetFinalizer(tt, FinalizeTPMTao)
// Flush all previously-loaded keys.
handles, _ := tpm.GetKeys(tt.tpmfile)
for _, h := range handles {
h.CloseKey(tt.tpmfile)
}
// For now, the SRK Auth value is all zero, which is the well-known value.
// So, we don't set it here.
// TODO(tmroeder): add support for general SRK auth values.
// TODO(tmroeder): the current tpm implementation in go-tpm assumes 24 PCRs.
// This is not true in general, and it should be generalized there then
// changed here.
tt.aikHandle, err = tpm.LoadKey2(tt.tpmfile, aikblob, tt.srkAuth[:])
if err != nil {
return nil, err
}
lastCreatedTPMTao = tt
tt.verifier, err = tpm.UnmarshalRSAPublicKey(aikblob)
if err != nil {
return nil, err
}
// Get the pcr values for the PCR nums.
tt.pcrNums = make([]int, len(pcrNums))
for i, v := range pcrNums {
tt.pcrNums[i] = v
}
tt.pcrVals, err = ReadPCRs(tt.tpmfile, pcrNums)
if err != nil {
return nil, err
}
// Create principal.
tt.name, err = MakeTPMPrin(tt.verifier, tt.pcrNums, tt.pcrVals)
if err != nil {
return nil, err
}
return tt, nil
}
func TestVerifyHostAttestation_stackedHost(t *testing.T) {
aikblob, err := ioutil.ReadFile("./aikblob")
if err != nil {
t.Skip("Skipping tests, since there's no ./aikblob file")
}
tpmtao, err := tao.NewTPMTao("/dev/tpm0", aikblob, []int{17, 18})
if err != nil {
t.Skip("Couldn't create a new TPM Tao:", err)
}
tt, ok := tpmtao.(*tao.TPMTao)
if !ok {
t.Fatal("Failed to create the right kind of Tao object from NewTPMTao")
}
defer tao.CleanUpTPMTao(tt)
hwPublicKey, err := tpm.UnmarshalRSAPublicKey(aikblob)
if err != nil {
t.Fatal(err)
}
domain := generateDomain(t)
policyKey, policyCert := domain.Keys, domain.Keys.Cert
hwCert := generateEndorsementCertficate(t, policyKey, hwPublicKey, policyCert)
hostKey, hostAtt := generateTpmAttestation(t, tt, hostName)
programKey, programAtt := generateAttestation(t, hostKey, programName)
rawEnd1, err := proto.Marshal(hostAtt)
if err != nil {
t.Fatal("Error serializing attestation.")
}
rawEnd2 := hwCert.Raw
programAtt.SerializedEndorsements = [][]byte{rawEnd1, rawEnd2}
rawAtt, err := proto.Marshal(programAtt)
if err != nil {
t.Fatal("Error serializing attestation.")
}
certPool := x509.NewCertPool()
certPool.AddCert(policyCert)
speaker, key, prog, err := VerifyHostAttestation(rawAtt, domain, certPool)
if err != nil {
t.Fatal("Test attesation failed verification checks.", err)
}
if !programName.Identical(prog) {
t.Fatal("Attestation program name not identical to expected program name.")
}
if !programKey.SigningKey.ToPrincipal().Identical(key) {
t.Fatal("Attestation program key not identical to expected program key.")
}
if !hostKey.SigningKey.ToPrincipal().Identical(speaker) {
t.Fatal("Attestation host key not identical to expected host key.")
}
}
func makeTPMPrin(tpmPath, aikFile string, pcrNums []int) auth.Prin {
// Read AIK blob (TPM's public key).
aikblob, err := ioutil.ReadFile(aikFile)
options.FailIf(err, "Can't read TPM aik file")
verifier, err := tpm.UnmarshalRSAPublicKey(aikblob)
options.FailIf(err, "Can't parse TPM key")
// Open a connection to the TPM.
tpmFile, err := os.OpenFile(tpmPath, os.O_RDWR, 0)
options.FailIf(err, "Can't access TPM")
// Read registers corresponding to pcrNums.
pcrVals, err := tao.ReadPCRs(tpmFile, pcrNums)
tpmFile.Close()
options.FailIf(err, "Can't read PCRs from TPM")
// Construct a TPM principal.
prin, err := tao.MakeTPMPrin(verifier, pcrNums, pcrVals)
options.FailIf(err, "Can't create TPM principal")
return prin
}
