From 199388976309adcd4f7c1b01cbf12a101bcbe6ce Mon Sep 17 00:00:00 2001
From: yawangwang
Date: Fri, 23 Aug 2024 03:28:11 +0000
Subject: [PATCH] Remove P224 support and upgrade deprecated methods
---
 cmd/token.go | 6 +++---
 server/import.go | 37 +++++++++++++++++++++++++++++--------
 server/import_test.go | 1 -
 3 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/cmd/token.go b/cmd/token.go
index cf7cbbfa..ef31ac23 100644
--- a/cmd/token.go
+++ b/cmd/token.go
@@ -107,7 +107,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 }
 cloudLogger = cloudLogClient.Logger(toolName)
- fmt.Fprintf(debugOutput(), "cloudLogger created for project: "+projectID+"\n")
+ fmt.Fprint(debugOutput(), "cloudLogger created for project: "+projectID+"\n")
 }
 key = "gceAK"
@@ -175,7 +175,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 }
 if output == "" {
- fmt.Fprintf(messageOutput(), string(token)+"\n")
+ fmt.Fprint(messageOutput(), string(token)+"\n")
 } else {
 out := []byte(token)
 if _, err := dataOutput().Write(out); err != nil {
@@ -194,7 +194,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 }
 }
- fmt.Fprintf(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")
+ fmt.Fprint(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")
 return nil
 },
diff --git a/server/import.go b/server/import.go
index 7e2248f4..98010112 100644
--- a/server/import.go
+++ b/server/import.go
@@ -5,13 +5,14 @@ import (
 "crypto"
 "crypto/aes"
 "crypto/cipher"
- "crypto/elliptic"
+ "crypto/ecdsa"
 "crypto/hmac"
 "crypto/rand"
 "crypto/rsa"
 "fmt"
 "hash"
 "io"
+ "math/big"
 "github.com/google/go-tpm/legacy/tpm2"
 "github.com/google/go-tpm/tpmutil"
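Review bot: The replacement on the `+` line of the first cmd/token.go hunk keeps building the message by string concatenation, which is presumably what tripped vet's non-constant-format-string check that motivated the switch; the idiomatic fix is a constant format string with a verb, `fmt.Fprintf(debugOutput(), "cloudLogger created for project: %s\n", projectID)`, which stays consistent with the rest of the file's fmt usage. The same applies to the other two hunks in this file, where `fmt.Fprintf(messageOutput(), "%s\n", token)` and a `%s\n` form for the claims line read more naturally than `Fprint` over concatenated pieces. The enclosing function starts above the first hunk and only its closing `},` is visible in the last one.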
@@ -131,25 +132,45 @@ func createECCSeed(ek tpm2.Public) (seed, encryptedSeed []byte, err error) {
 if err != nil {
 return nil, nil, err
 }
- priv, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
+
+ ecdsaPriv, err := ecdsa.GenerateKey(curve, rand.Reader)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ ecdhPriv, err := ecdsaPriv.ECDH()
+ if err != nil {
+ return nil, nil, err
+ }
+
+ pub, err := ek.Key()
 if err != nil {
 return nil, nil, err
 }
- ekPoint := ek.ECCParameters.Point
- z, _ := curve.ScalarMult(ekPoint.X(), ekPoint.Y(), priv)
- xBytes := eccIntToBytes(curve, x)
+
+ ekPub, err := pub.(*ecdsa.PublicKey).ECDH()
+ if err != nil {
+ return nil, nil, err
+ }
+
+ zBytes, err := ecdhPriv.ECDH(ekPub)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ xBytes := eccIntToBytes(curve, ecdsaPriv.X)
 seed, err = tpm2.KDFe(
 ek.NameAlg,
- eccIntToBytes(curve, z),
+ eccIntToBytes(curve, new(big.Int).SetBytes(zBytes)),
 "DUPLICATE",
 xBytes,
- eccIntToBytes(curve, ekPoint.X()),
+ eccIntToBytes(curve, ek.ECCParameters.Point.X()),
 getHash(ek.NameAlg).Size()*8)
 if err != nil {
 return nil, nil, err
 }
- encryptedSeed, err = tpmutil.Pack(tpmutil.U16Bytes(xBytes), tpmutil.U16Bytes(eccIntToBytes(curve, y)))
+ encryptedSeed, err = tpmutil.Pack(tpmutil.U16Bytes(xBytes), tpmutil.U16Bytes(eccIntToBytes(curve, ecdsaPriv.Y)))
 return seed, encryptedSeed, err
 }
diff --git a/server/import_test.go b/server/import_test.go
index c41baf6a..310e8604 100644
--- a/server/import_test.go
+++ b/server/import_test.go
@@ -25,7 +25,6 @@ func TestImport(t *testing.T) {
 {"ECC", client.DefaultEKTemplateECC()},
 {"SRK-RSA", client.SRKTemplateRSA()},
 {"SRK-ECC", client.SRKTemplateECC()},
- {"ECC-P224", getECCTemplate(tpm2.CurveNISTP224)},
 {"ECC-P256", getECCTemplate(tpm2.CurveNISTP256)},
 {"ECC-P384", getECCTemplate(tpm2.CurveNISTP384)},
 {"ECC-P521", getECCTemplate(tpm2.CurveNISTP521)},
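Review bot: `pub.(*ecdsa.PublicKey).ECDH()` on the new side is an unchecked type assertion: if `ek.Key()` hands back anything other than an ECDSA key (an RSA EK routed here by mistake, or a malformed public area from a remote client, if that is where `ek` originates) the process panics instead of returning an error, which in a server is a denial-of-service rather than a rejected request. Use the two-value form, `ecPub, ok := pub.(*ecdsa.PublicKey); if !ok { return nil, nil, fmt.Errorf("EK public area is not an ECC key: %T", pub) }`, followed by `ekPub, err := ecPub.ECDH()`. A P-224 EK now fails as well, because crypto/ecdh has no P-224 curve, but only with the generic error from `ecdsaPriv.ECDH()`; a comment above the GenerateKey call such as `// crypto/ecdh supports only P-256/P-384/P-521; P-224 EKs are rejected by ECDH() below` (or an explicit curve check with a clearer message) would explain why the P224 test case was dropped. `eccIntToBytes(curve, new(big.Int).SetBytes(zBytes))` is a round trip: for the NIST curves `ecdh.ECDH` already returns the shared x-coordinate as a fixed-width big-endian field element, so `zBytes` should be byte-identical and can be passed to KDFe directly, which also makes the new `math/big` import unnecessary unless something else in the file uses it. The start of createECCSeed, where `curve` is derived, lies above the hunk.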