github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/go/tpm2/apps/FakePolicySign/FakePolicySign.go (about) 1 // Copyright (c) 2014, Google, Inc. All rights reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 // 15 16 package main 17 18 import ( 19 "crypto/ecdsa" 20 "crypto/elliptic" 21 "crypto/rand" 22 "crypto/x509" 23 "crypto/x509/pkix" 24 "flag" 25 "fmt" 26 "io/ioutil" 27 "math/big" 28 "time" 29 30 "github.com/golang/protobuf/proto" 31 "github.com/jlmucb/cloudproxy/go/tpm2" 32 ) 33 34 // This program reads the quote key, generates a policy key, 35 // self-signs the policy cert, readsa the quote key info and 36 // signs a cert for the quote key with the new policy key. 37 func main() { 38 policyKeyFile := flag.String("policyKeyFile", "policy_private.bin", 39 "policy save file") 40 policyKeyPassword := flag.String("policyKeyPassword", "xxx", 41 "policy key password") 42 policyCertFile := flag.String("policyCertFile", "policy_cert.der", 43 "policy cert save file") 44 quoteKeyInfoFile := flag.String("quoteKeyInfoFile", "quoteinfo.der", 45 "quote info file name") 46 quoteCertFile := flag.String("quoteCertFile", "quote_cert.der", 47 "quote cert save file") 48 49 flag.Parse() 50 51 // Generate Policy key. 52 policyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 53 if err != nil { 54 fmt.Printf("Can't generate policy key") 55 return 56 } 57 fmt.Printf("policyKey: %x\n", policyKey) 58 59 var notBefore time.Time 60 notBefore = time.Now() 61 validFor := 365 * 24 * time.Hour 62 notAfter := notBefore.Add(validFor) 63 64 // Self-sign policy key and save it. 65 us := "US" 66 issuerName := "PolicyAuthority" 67 x509SubjectName := &pkix.Name{ 68 Organization: []string{issuerName}, 69 OrganizationalUnit: []string{issuerName}, 70 CommonName: issuerName, 71 Country: []string{us}, 72 } 73 var sn big.Int 74 sn.SetUint64(1) 75 certificateTemplate := x509.Certificate{ 76 SerialNumber: &sn, 77 Issuer: *x509SubjectName, 78 Subject: *x509SubjectName, 79 NotBefore: notBefore, 80 NotAfter: notAfter, 81 KeyUsage: x509.KeyUsageCertSign | 82 x509.KeyUsageKeyAgreement | x509.KeyUsageDigitalSignature, 83 BasicConstraintsValid: true, 84 IsCA: true, 85 } 86 87 var priv interface{} 88 var pub interface{} 89 priv = policyKey 90 pub = policyKey.Public() 91 derPolicyCert, err := x509.CreateCertificate(rand.Reader, &certificateTemplate, 92 &certificateTemplate, pub, priv) 93 if err != nil { 94 fmt.Printf("Can't self sign policy key\n") 95 return 96 } 97 98 ioutil.WriteFile(*policyCertFile, derPolicyCert, 0644) 99 if err != nil { 100 fmt.Printf("Can't write policy cert\n") 101 return 102 } 103 104 policyCert, err := x509.ParseCertificate(derPolicyCert) 105 if err != nil { 106 fmt.Printf("Can't parse policy cert\n") 107 return 108 } 109 110 // Marshal policy key and save it. 111 serializedPolicyKey, err := x509.MarshalECPrivateKey(policyKey) 112 if err != nil { 113 fmt.Printf("Cant serialize rsa key\n") 114 return 115 } 116 117 ioutil.WriteFile(*policyKeyFile, serializedPolicyKey, 0644) 118 if err == nil { 119 fmt.Printf("Policy Key generation succeeded, password: %s\n", 120 *policyKeyPassword) 121 } else { 122 fmt.Printf("Policy Key generation failed\n") 123 } 124 125 // Read request buffer 126 buf, err := ioutil.ReadFile(*quoteKeyInfoFile) 127 if err != nil { 128 fmt.Printf("Can't read quote key info\n") 129 return 130 } 131 var request tpm2.AttestCertRequest 132 err = proto.Unmarshal(buf, &request) 133 if err != nil { 134 fmt.Printf("Can't unmarshal quote key info\n") 135 return 136 } 137 138 // Should be an rsa key. 139 if *request.KeyType != "rsa" { 140 fmt.Printf("Quote key is not an rsa key\n") 141 return 142 } 143 144 // Parse Der subject name. 145 quoteKey, err := x509.ParsePKIXPublicKey(request.SubjectPublicKey) 146 if err != nil { 147 fmt.Printf("Can't parse quote key\n") 148 return 149 } 150 151 // Sign quote certificate and save it. 152 sn.SetUint64(2) 153 localhost := "localhost" 154 x509QuoteKeySubjectName := &pkix.Name{ 155 Organization: []string{*request.KeyName}, 156 OrganizationalUnit: []string{*request.KeyName}, 157 CommonName: localhost, 158 Country: []string{us}, 159 } 160 quoteCertificateTemplate := x509.Certificate{ 161 SerialNumber: &sn, 162 Issuer: *x509SubjectName, 163 Subject: *x509QuoteKeySubjectName, 164 NotBefore: notBefore, 165 NotAfter: notAfter, 166 KeyUsage: x509.KeyUsageCertSign | 167 x509.KeyUsageKeyAgreement | x509.KeyUsageDigitalSignature, 168 } 169 derQuoteCert, err := x509.CreateCertificate(rand.Reader, "eCertificateTemplate, 170 policyCert, quoteKey, priv) 171 if err != nil { 172 fmt.Printf("Can't self sign policy key\n") 173 return 174 } 175 176 ioutil.WriteFile(*quoteCertFile, derQuoteCert, 0644) 177 if err != nil { 178 fmt.Printf("Can't write quote cert\n") 179 return 180 } 181 fmt.Printf("Quote cert: %x\n", derQuoteCert) 182 }