github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/go/tao/tpm2_tao_app_helper.go (about) 1 // Copyright (c) 2016, Google, Inc. All rights reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package tao 16 17 import ( 18 "crypto/ecdsa" 19 "crypto/rand" 20 "crypto/rsa" 21 "crypto/x509" 22 "crypto/x509/pkix" 23 "fmt" 24 "io/ioutil" 25 "log" 26 "net" 27 "time" 28 29 "github.com/jlmucb/cloudproxy/go/tpm2" 30 "github.com/jlmucb/cloudproxy/go/util" 31 ) 32 33 func HandleEndorsement(keySize int, keyName, endorsementCertFile, policyCertFile, 34 policyKeyFile, policyKeyPassword, policyKeyDir string, policyKeyIsEcdsa bool) error { 35 pcrs := []int{17, 18} 36 37 // Open tpm 38 rw, err := tpm2.OpenTPM("/dev/tpm0") 39 if err != nil { 40 return fmt.Errorf("OpenTPM failed: %s", err) 41 } 42 defer rw.Close() 43 44 // Flushall 45 err = tpm2.Flushall(rw) 46 if err != nil { 47 return fmt.Errorf("Flushall failed: %s", err) 48 } 49 50 // TODO(jlm): Currently a year. This should be specified in a flag witht the 51 // default being a year. 52 var notBefore time.Time 53 notBefore = time.Now() 54 validFor := 365 * 24 * time.Hour 55 notAfter := notBefore.Add(validFor) 56 57 ekHandle, _, err := tpm2.CreateEndorsement(rw, uint16(keySize), pcrs) 58 if err != nil { 59 return fmt.Errorf("Can't CreateEndorsement: %s", err) 60 } 61 defer tpm2.FlushContext(rw, ekHandle) 62 63 var endorsementCert []byte 64 if policyKeyIsEcdsa { 65 // Load keys from policyKeyDir if keys are present there. 66 policyKey, err := NewOnDiskPBEKeys(Signing, []byte(policyKeyPassword), policyKeyDir, nil) 67 if err != nil { 68 return fmt.Errorf("Error in getting policy cert: %s", err) 69 } 70 if policyKey.Cert == nil { 71 return fmt.Errorf("Missing cert in policy key: %s", err) 72 } 73 hwPublic, err := tpm2.GetRsaKeyFromHandle(rw, ekHandle) 74 if err != nil { 75 return fmt.Errorf("Can't get endorsement public key: %s", err) 76 } 77 // TODO(sidtelang): move this to tpm2/support.go 78 serialNumber := tpm2.GetSerialNumber() 79 fmt.Printf("Serial: %x\n", serialNumber) 80 fmt.Printf("notBefore: %s, notAfter: %s\n", notBefore, notAfter) 81 signTemplate := x509.Certificate{ 82 SerialNumber: serialNumber, 83 Subject: pkix.Name{ 84 Organization: []string{keyName}, 85 CommonName: keyName, 86 }, 87 NotBefore: notBefore, 88 NotAfter: notAfter, 89 KeyUsage: x509.KeyUsageCertSign, 90 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, 91 BasicConstraintsValid: true, 92 // IsCA: false, 93 IsCA: true, 94 } 95 endorsementCert, err = x509.CreateCertificate(rand.Reader, &signTemplate, policyKey.Cert, 96 hwPublic, policyKey.SigningKey.GetSignerPrivateKey()) 97 if err != nil { 98 return fmt.Errorf("Can't create endorsement certificate: %s", err) 99 } 100 } else { 101 serializePolicyKey, err := ioutil.ReadFile(policyKeyFile) 102 if err != nil { 103 return fmt.Errorf("Can't get serialized policy key: %s", err) 104 } 105 derPolicyCert, err := ioutil.ReadFile(policyCertFile) 106 if err != nil { 107 return fmt.Errorf("Can't get policy cert: %s", err) 108 } 109 110 policyKey, err := tpm2.DeserializeRsaKey(serializePolicyKey) 111 if err != nil { 112 return fmt.Errorf("Can't get deserialize policy key: %s", err) 113 } 114 endorsementCert, err = tpm2.GenerateHWCert(rw, ekHandle, 115 keyName, notBefore, notAfter, tpm2.GetSerialNumber(), 116 derPolicyCert, policyKey) 117 if err != nil { 118 return fmt.Errorf("Can't create endorsement cert: %s", err) 119 } 120 } 121 fmt.Printf("Endorsement cert: %x\n", endorsementCert) 122 ioutil.WriteFile(endorsementCertFile, endorsementCert, 0644) 123 fmt.Printf("Endorsement cert created") 124 return nil 125 } 126 127 func HandlePolicyKey(keySize int, policyKeyFile, policyKeyPassword, policyCertFile string) error { 128 // Open tpm 129 rw, err := tpm2.OpenTPM("/dev/tpm0") 130 if err != nil { 131 return fmt.Errorf("OpenTPM failed %s", err) 132 } 133 defer rw.Close() 134 135 // Flushall 136 err = tpm2.Flushall(rw) 137 if err != nil { 138 return fmt.Errorf("Flushall failed: %s", err) 139 } 140 var notBefore time.Time 141 notBefore = time.Now() 142 validFor := 365 * 24 * time.Hour 143 notAfter := notBefore.Add(validFor) 144 145 policyKey, err := rsa.GenerateKey(rand.Reader, keySize) 146 if err != nil { 147 return fmt.Errorf("Can't generate policy key: %s", err) 148 } 149 fmt.Printf("policyKey: %x\n", policyKey) 150 151 derPolicyCert, err := tpm2.GenerateSelfSignedCertFromKey(policyKey, 152 "Cloudproxy Authority", "Application Policy Key", 153 tpm2.GetSerialNumber(), notBefore, notAfter) 154 fmt.Printf("policyKey: %x\n", policyKey) 155 ioutil.WriteFile(policyCertFile, derPolicyCert, 0644) 156 if err != nil { 157 return fmt.Errorf("Can't write policy cert: %s", err) 158 } 159 160 // Marshal policy key 161 serializedPolicyKey, err := tpm2.SerializeRsaPrivateKey(policyKey) 162 if err != nil { 163 return fmt.Errorf("Cant serialize rsa key: %s", err) 164 } 165 166 ioutil.WriteFile(policyKeyFile, serializedPolicyKey, 0644) 167 if err != nil { 168 return fmt.Errorf("Policy Key generation failed: %s", err) 169 } 170 fmt.Printf("Policy Key generation succeeded, password: %s\n", 171 policyKeyPassword) 172 173 return nil 174 } 175 176 // TODO: probably receive a kill channel to kill this function.. 177 func HandleQuote(network, addr, pass, path string, details X509Details) error { 178 ln, err := net.Listen(network, addr) 179 if err != nil { 180 log.Fatalln("Quote server: could not listen at port:", err) 181 } 182 183 // Generate/Load policy key 184 policyKey, err := NewOnDiskPBEKeys(Signing, []byte(pass), path, 185 NewX509Name(&details)) 186 if err != nil { 187 return fmt.Errorf("Error loading policy key: %s", err) 188 } 189 if policyKey.Cert == nil || policyKey.Cert.Raw == nil { 190 log.Fatalln("Quote server: cert missing in policy key.") 191 } 192 for { 193 conn, err := ln.Accept() 194 if err != nil { 195 return fmt.Errorf("Quote server: could not accept connection: %s", err) 196 } 197 ms := util.NewMessageStream(conn) 198 var request tpm2.AttestCertRequest 199 if err := ms.ReadMessage(&request); err != nil { 200 log.Printf("Quote server: Couldn't read request from channel: %s\n", err) 201 continue 202 } 203 // FIX: only ecdsa is supported here, should check type 204 response, err := tpm2.ProcessQuoteDomainRequest(request, 205 (policyKey.SigningKey.GetSignerPrivateKey()).(*ecdsa.PrivateKey), policyKey.Cert.Raw) 206 if err != nil { 207 continue 208 } 209 if _, err := ms.WriteMessage(response); err != nil { 210 log.Printf("Quote server: Error sending response on the channel: %s\n ", err) 211 } 212 } 213 }