support for pure-rust make credentials #563
Conversation
baloo
force-pushed
the
baloo/make-credentials
branch
2 times, most recently
from
75b7750 to
3671522
Compare
baloo
changed the title
baloo
force-pushed
the
baloo/make-credentials
branch
from
3671522 to
75fa54b
Compare
tss-esapi/tests/integration_tests/abstraction_tests/credential_tests.rs
Outdated
Show resolved
Hide resolved
baloo
force-pushed
the
baloo/make-credentials
branch
3 times, most recently
from
55774ad to
573d67e
Compare
| let cred = vec![1, 2, 3, 4, 5]; | ||
| let expected = Digest::try_from(vec![1, 2, 3, 4, 5]).unwrap(); | ||
|
|
||
| let (credential_blob, secret) = utils::make_credential_ecc::<_, sha2::Sha256, aes::Aes128>( |
There was a problem hiding this comment.
sha2::Sha256, aes::Aes128 here codes for EKHash and EkCipher.
Those should be read from the template of the EK ideally.
Although in reality, the template would have been dropped already and we're only working with a PEM encoded public key, and there should be some kind of default value.
https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_makecredential.c#L340
Anyone with an opinion?
There was a problem hiding this comment.
Is your question about this test in particular, or about the interface of make_credential_ecc, and whether we can deduce the type params from the inputs?
I think generally you should be able to deduce the hash and the cipher for the EK if you know the nature of the public key, for example by doing the reverse of the mapping done here: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/src/abstraction/ek.rs
There was a problem hiding this comment.
No that was an API question.
I know how to get the parameters from a Public, but I don't expect the public or its template to always available.
baloo
force-pushed
the
baloo/make-credentials
branch
7 times, most recently
from
9b21b16 to
89021e0
Compare
baloo
force-pushed
the
baloo/make-credentials
branch
2 times, most recently
from
451ae4f to
c652a60
Compare
baloo
changed the title
|
I've finished support for both RSA and ECC, and there is now error management. |
baloo
force-pushed
the
baloo/make-credentials
branch
6 times, most recently
from
7b03a64 to
969e006
Compare
| let cred = vec![1, 2, 3, 4, 5]; | ||
| let expected = Digest::try_from(vec![1, 2, 3, 4, 5]).unwrap(); | ||
|
|
||
| let (credential_blob, secret) = utils::make_credential_ecc::<_, sha2::Sha256, aes::Aes128>( |
There was a problem hiding this comment.
Is your question about this test in particular, or about the interface of make_credential_ecc, and whether we can deduce the type params from the inputs?
I think generally you should be able to deduce the hash and the cipher for the EK if you know the nature of the public key, for example by doing the reverse of the mapping done here: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/src/abstraction/ek.rs
baloo
force-pushed
the
baloo/make-credentials
branch
2 times, most recently
from
a23ad53 to
0fee1eb
Compare
baloo
force-pushed
the
baloo/make-credentials
branch
2 times, most recently
from
22eeb4c to
2a13fe1
Compare
|
There is something that locks up the TPM in the CI, but I don't know what it is. EDIT: a regression in the weak key detection or something |
baloo
force-pushed
the
baloo/make-credentials
branch
3 times, most recently
from
4677cb5 to
b37d4ab
Compare
baloo
force-pushed
the
baloo/make-credentials
branch
4 times, most recently
from
b75948f to
86e3bc6
Compare
baloo
force-pushed
the
baloo/make-credentials
branch
from
86e3bc6 to
d9daeb7
Compare
Signed-off-by: Arthur Gautier <[email protected]>
baloo
force-pushed
the
baloo/make-credentials
branch
2 times, most recently
from
c6ed022 to
c7d2de4
Compare
|
This is getting into great shape 🔥 |
baloo
force-pushed
the
baloo/make-credentials
branch
3 times, most recently
from
b40b767 to
53fa082
Compare
|
I've split the secret sharing, from the credentials which I intend to reuse for duplicate (#585) |
baloo
force-pushed
the
baloo/make-credentials
branch
4 times, most recently
from
96f9ade to
98e18d9
Compare
Signed-off-by: Arthur Gautier <[email protected]>
baloo
force-pushed
the
baloo/make-credentials
branch
from
98e18d9 to
711a354
Compare
|
I tested the pull request and is just great to have this feature coming! I noticed a bad error message that need to be documented. If the challenge payload is to big the error message is If you want to created a challenge from a bigger payload is considered safe to split in 96-bytes-long chunks and make separate attestation? |
6 participants
This brings support for a pure rust implementation of make credentials which will not involve the TPM or
tpm2-tss.Fixes #160