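// This program creates a key hierarchy consisting of a
// primary key, and quoting key for cloudproxy
// and makes their handles permanent.
//
// NOTE(review): the body visible here only generates an RSA "policy" key,
// self-signs a certificate for it, and writes the DER certificate and the
// serialized private key to the files named by the flags; no primary or
// quoting key is created and no handle is made persistent in this function.
func main() {
	keySize := flag.Int("modulus size", 2048, "Modulus size for keys")
	policyKeyFile := flag.String("Policy save file", "policy.go.bin", "policy save file")
	// Parsed for command-line compatibility. The value is not passed to any
	// call below, and it is a secret, so it is deliberately not echoed to stdout.
	policyKeyPassword := flag.String("Policy key password", "xxzzy", "policy key password")
	policyCertFile := flag.String("Policy cert save file", "policy.cert.go.der", "policy cert save file")
	flag.Parse()
	_ = policyKeyPassword

	// Open tpm
	rw, err := tpm2.OpenTPM("/dev/tpm0")
	if err != nil {
		fmt.Printf("OpenTPM failed %s\n", err)
		return
	}
	defer rw.Close()

	// Flushall
	if err = tpm2.Flushall(rw); err != nil {
		fmt.Printf("Flushall failed\n")
		return
	}

	// Certificate validity window: one year starting now.
	notBefore := time.Now()
	validFor := 365 * 24 * time.Hour
	notAfter := notBefore.Add(validFor)

	policyKey, err := rsa.GenerateKey(rand.Reader, *keySize)
	if err != nil {
		fmt.Printf("Can't generate policy key\n")
		return
	}
	// Never print policyKey itself: %x on an *rsa.PrivateKey dumps the private
	// exponent and primes to stdout. Report only the public modulus size.
	fmt.Printf("policyKey: %d-bit RSA\n", policyKey.N.BitLen())

	derPolicyCert, err := tpm2.GenerateSelfSignedCertFromKey(policyKey, "Cloudproxy Authority", "Application Policy Key", tpm2.GetSerialNumber(), notBefore, notAfter)
	if err != nil {
		fmt.Printf("Can't generate policy cert\n")
		return
	}
	// The certificate is public material; world-readable is acceptable.
	// The WriteFile error is checked directly rather than via the stale err
	// from the previous call.
	if err = ioutil.WriteFile(*policyCertFile, derPolicyCert, 0644); err != nil {
		fmt.Printf("Can't write policy cert\n")
		return
	}

	// Marshal policy key
	serializedPolicyKey, err := tpm2.SerializeRsaPrivateKey(policyKey)
	if err != nil {
		fmt.Printf("Cant serialize rsa key\n")
		return
	}
	// The serialized private key must be readable by the owner only (0600).
	if err = ioutil.WriteFile(*policyKeyFile, serializedPolicyKey, 0600); err != nil {
		fmt.Printf("Policy Key generation failed\n")
		return
	}
	fmt.Printf("Policy Key generation succeeded\n")
}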
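// This program makes the endorsement certificate given the Policy key.
//
// main reads the serialized policy key and the policy certificate from the
// files named by the flags, creates an endorsement key in the TPM, has the
// policy key sign an endorsement certificate for it, and writes that
// certificate (DER) to the endorsement save file.
func main() {
	keySize := flag.Int("modulus size", 2048, "Modulus size for keys")
	keyName := flag.String("Endorsement key name", "JohnsHw", "endorsement key name")
	endorsementCertFile := flag.String("Endorsement save file", "endorsement.cert.der", "endorsement save file")
	policyCertFile := flag.String("Policy cert file", "policy.cert.go.der", "cert file")
	policyKeyFile := flag.String("Policy key file", "policy.go.bin", "policy save file")
	// Parsed for command-line compatibility. The value is not passed to any
	// call below, and it is a secret, so it is deliberately not echoed to stdout.
	policyKeyPassword := flag.String("Policy key password", "xxzzy", "policy key password")
	flag.Parse()
	_ = policyKeyPassword

	// CreateEndorsement takes the modulus size as uint16; reject values that
	// would silently truncate.
	if *keySize <= 0 || *keySize > 0xffff {
		fmt.Printf("Invalid modulus size %d\n", *keySize)
		return
	}

	// TODO: PCR selection is hard-coded to PCR 7.
	pcrs := []int{7}

	// Open tpm
	rw, err := tpm2.OpenTPM("/dev/tpm0")
	if err != nil {
		fmt.Printf("OpenTPM failed %s\n", err)
		return
	}
	defer rw.Close()

	// Flushall
	if err = tpm2.Flushall(rw); err != nil {
		fmt.Printf("Flushall failed\n")
		return
	}

	// Certificate validity window: one year starting now.
	notBefore := time.Now()
	validFor := 365 * 24 * time.Hour
	notAfter := notBefore.Add(validFor)

	serializePolicyKey, err := ioutil.ReadFile(*policyKeyFile)
	if err != nil {
		fmt.Printf("Can't get serialized policy key\n")
		return
	}
	derPolicyCert, err := ioutil.ReadFile(*policyCertFile)
	if err != nil {
		fmt.Printf("Can't get policy cert %s\n", *policyCertFile)
		return
	}
	policyKey, err := tpm2.DeserializeRsaKey(serializePolicyKey)
	if err != nil {
		fmt.Printf("Can't get deserialize policy key\n")
		return
	}

	ekHandle, _, err := tpm2.CreateEndorsement(rw, uint16(*keySize), pcrs)
	if err != nil {
		fmt.Printf("Can't CreateEndorsement\n")
		return
	}
	defer tpm2.FlushContext(rw, ekHandle)

	endorsementCert, err := tpm2.GenerateHWCert(rw, ekHandle, *keyName, notBefore, notAfter, tpm2.GetSerialNumber(), derPolicyCert, policyKey)
	if err != nil {
		// Previously this fell through and wrote an empty certificate file
		// while still reporting success.
		fmt.Printf("Can't create endorsement cert\n")
		return
	}
	fmt.Printf("Endorsement cert: %x\n", endorsementCert)
	// The certificate is public material; world-readable is acceptable.
	if err = ioutil.WriteFile(*endorsementCertFile, endorsementCert, 0644); err != nil {
		fmt.Printf("Can't write endorsement cert\n")
		return
	}
	fmt.Printf("Endorsement cert created\n")
}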