Merge branch 'bitsize'

* bitsize: ssh-tpm-keygen: add --supported switch to list supported bit lengths signer: Implement support for multiple hashing algos key: move to noalg keys to support different hashing algos key: Support importing p256, p386 and p512 ssh-tpm-agent: support creation of p256 p384 and p512 keys key: fetch supported ecdsa bit sizes misc: update to go 1.22
Foxboron · Feb 22, 2024 · bc8a269 · bc8a269
2 parents 79ce85b + ae2e096
commit bc8a269
Show file tree

Hide file tree

Showing 10 changed files with 344 additions and 109 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,7 +8,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [1.20.x]
+        go: [1.22.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:

diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -49,7 +49,7 @@ func TestAddKey(t *testing.T) {
 
 	client := agent.NewClient(conn)
 
-	k, err := key.CreateKey(tpm, tpm2.TPMAlgECDSA, []byte(""), []byte(""))
+	k, err := key.CreateKey(tpm, tpm2.TPMAlgECDSA, 256, []byte(""), []byte(""))
 	if err != nil {
 		t.Fatal(err)
 	}

diff --git a/cmd/ssh-tpm-agent/main_test.go b/cmd/ssh-tpm-agent/main_test.go
@@ -104,13 +104,13 @@ func setupServer(listener net.Listener, clientKey ssh.PublicKey) (hostkey ssh.Pu
 	return hostSigner.PublicKey(), msgSent
 }
 
-func runSSHAuth(t *testing.T, keytype tpm2.TPMAlgID) {
+func runSSHAuth(t *testing.T, keytype tpm2.TPMAlgID, bits int) {
 	tpm, err := simulator.OpenSimulator()
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	k, err := key.CreateKey(tpm, keytype, []byte(""), []byte(""))
+	k, err := key.CreateKey(tpm, keytype, bits, []byte(""), []byte(""))
 	if err != nil {
 		t.Fatalf("failed creating key: %v", err)
 	}
@@ -184,10 +184,16 @@ func runSSHAuth(t *testing.T, keytype tpm2.TPMAlgID) {
 }
 
 func TestSSHAuth(t *testing.T) {
-	t.Run("ecdsa - agent", func(t *testing.T) {
-		runSSHAuth(t, tpm2.TPMAlgECDSA)
+	t.Run("ecdsa p256 - agent", func(t *testing.T) {
+		runSSHAuth(t, tpm2.TPMAlgECDSA, 256)
 	})
 	t.Run("rsa - agent", func(t *testing.T) {
-		runSSHAuth(t, tpm2.TPMAlgRSA)
+		runSSHAuth(t, tpm2.TPMAlgRSA, 2048)
+	})
+	t.Run("ecdsa p384 - agent", func(t *testing.T) {
+		runSSHAuth(t, tpm2.TPMAlgECDSA, 384)
+	})
+	t.Run("ecdsa p521 - agent", func(t *testing.T) {
+		runSSHAuth(t, tpm2.TPMAlgECDSA, 521)
 	})
 }
diff --git a/cmd/ssh-tpm-keygen/main.go b/cmd/ssh-tpm-keygen/main.go
@@ -34,8 +34,12 @@ Options:
     -f                          Output keyfile.
     -N                          PIN for the key.
     -t ecdsa | rsa              Specify the type of key to create. Defaults to ecdsa
+    -b bits                     Number of bits in the key to create.
+                                    rsa: 2048 (default)
+                                    ecdsa: 256 (default) | 384 | 521
     -I, --import PATH           Import existing key into ssh-tpm-agent.
     -A                          Generate host keys for all key types (rsa and ecdsa).
+    --supported                 List the supported keys of the TPM.
 
 Generate new TPM sealed keys for ssh-tpm-agent.
 
@@ -97,7 +101,9 @@ func main() {
 	var (
 		comment, outputFile, keyPin string
 		keyType, importKey          string
+		bits                        int
 		swtpmFlag, hostKeys         bool
+		listsupported               bool
 	)
 
 	defaultComment := func() string {
@@ -120,10 +126,12 @@ func main() {
 	flag.StringVar(&outputFile, "f", "", "output keyfile")
 	flag.StringVar(&keyPin, "N", "", "new pin for the key")
 	flag.StringVar(&keyType, "t", "ecdsa", "key to create")
+	flag.IntVar(&bits, "b", 0, "number of bits")
 	flag.StringVar(&importKey, "I", "", "import key")
 	flag.StringVar(&importKey, "import", "", "import key")
 	flag.BoolVar(&swtpmFlag, "swtpm", false, "use swtpm instead of actual tpm")
 	flag.BoolVar(&hostKeys, "A", false, "generate host keys")
+	flag.BoolVar(&listsupported, "supported", false, "list tpm caps")
 
 	flag.Parse()
 
@@ -133,6 +141,16 @@ func main() {
 	}
 	defer tpm.Close()
 
+	if listsupported {
+		fmt.Printf("ecdsa bit lengths:")
+		for _, alg := range key.SupportedECCAlgorithms(tpm) {
+			fmt.Printf(" %d", alg)
+		}
+		fmt.Println()
+		fmt.Println("rsa bit lengths: 2048")
+		os.Exit(0)
+	}
+
 	// Generate host keys
 	if hostKeys {
 		// Mimics the `ssh-keygen -A -f ./something` behaviour
@@ -141,9 +159,12 @@ func main() {
 			outputPath = path.Join(outputFile, outputPath)
 		}
 
-		lookup := map[string]tpm2.TPMAlgID{
-			"rsa":   tpm2.TPMAlgRSA,
-			"ecdsa": tpm2.TPMAlgECDSA,
+		lookup := map[string]struct {
+			alg  tpm2.TPMAlgID
+			bits int
+		}{
+			"rsa":   {alg: tpm2.TPMAlgRSA, bits: 2048},
+			"ecdsa": {alg: tpm2.TPMAlgECDSA, bits: 256},
 		}
 		for n, t := range lookup {
 			filename := fmt.Sprintf("ssh_tpm_host_%s_key", n)
@@ -156,7 +177,7 @@ func main() {
 
 			slog.Info("Generating new host key", slog.String("algorithm", strings.ToUpper(n)))
 
-			k, err := key.CreateKey(tpm, t, []byte(""), []byte(defaultComment))
+			k, err := key.CreateKey(tpm, t.alg, t.bits, []byte(""), []byte(defaultComment))
 			if err != nil {
 				log.Fatal(err)
 			}
@@ -311,7 +332,7 @@ func main() {
 			log.Fatal(err)
 		}
 	} else {
-		k, err = key.CreateKey(tpm, tpmkeyType, pin, []byte(comment))
+		k, err = key.CreateKey(tpm, tpmkeyType, bits, pin, []byte(comment))
 		if err != nil {
 			log.Fatal(err)
 		}

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/foxboron/ssh-tpm-agent
 
-go 1.20
+go 1.22
 
 require (
 	github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006

diff --git a/go.sum b/go.sum
@@ -6,14 +6,19 @@ github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006 h1:50sW4r0Pcvl
 github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006/go.mod h1:eIXCMsMYCaqq9m1KSSxXwQG11krpuNPGP3k0uaWrbas=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0=
+github.com/google/go-sev-guest v0.6.1/go.mod h1:UEi9uwoPbLdKGl1QHaq1G8pfCbQ4QP0swWX4J0k6r+Q=
 github.com/google/go-tpm v0.9.1-0.20230807150904-c49efc441a60 h1:WZpppXXHrrk6r76Vn2HPf1S/5MhuVjiaef3FHeLf0vA=
 github.com/google/go-tpm v0.9.1-0.20230807150904-c49efc441a60/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
 github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
 github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
 github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
+github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
+github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -36,8 +41,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/exp v0.0.0-20230801115018-d63ba01acd4b h1:r+vk0EmXNmekl0S0BascoeeoHk/L7wmaW2QF90K+kYI=
-golang.org/x/exp v0.0.0-20230801115018-d63ba01acd4b/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -65,7 +68,9 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=