Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support p256, p384 and p521 #40

Merged
merged 7 commits into from
Feb 22, 2024
Merged

Support p256, p384 and p521 #40

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
48a29b4
misc: update to go 1.22
Foxboron Feb 18, 2024
ab5e213
key: fetch supported ecdsa bit sizes
Foxboron Feb 18, 2024
e58264d
ssh-tpm-agent: support creation of p256 p384 and p512 keys
Foxboron Feb 18, 2024
f3f80e3
key: Support importing p256, p386 and p512
Foxboron Feb 18, 2024
fb875a0
key: move to noalg keys to support different hashing algos
Foxboron Feb 18, 2024
d3c049b
signer: Implement support for multiple hashing algos
Foxboron Feb 21, 2024
ae2e096
ssh-tpm-keygen: add --supported switch to list supported bit lengths
Foxboron Feb 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ jobs:
strategy:
fail-fast: false
matrix:
go: [1.20.x]
go: [1.22.x]
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
Expand Down
2 changes: 1 addition & 1 deletion agent/agent_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ func TestAddKey(t *testing.T) {

client := agent.NewClient(conn)

k, err := key.CreateKey(tpm, tpm2.TPMAlgECDSA, []byte(""), []byte(""))
k, err := key.CreateKey(tpm, tpm2.TPMAlgECDSA, 256, []byte(""), []byte(""))
if err != nil {
t.Fatal(err)
}
Expand Down
16 changes: 11 additions & 5 deletions cmd/ssh-tpm-agent/main_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,13 +104,13 @@ func setupServer(listener net.Listener, clientKey ssh.PublicKey) (hostkey ssh.Pu
return hostSigner.PublicKey(), msgSent
}

func runSSHAuth(t *testing.T, keytype tpm2.TPMAlgID) {
func runSSHAuth(t *testing.T, keytype tpm2.TPMAlgID, bits int) {
tpm, err := simulator.OpenSimulator()
if err != nil {
t.Fatal(err)
}

k, err := key.CreateKey(tpm, keytype, []byte(""), []byte(""))
k, err := key.CreateKey(tpm, keytype, bits, []byte(""), []byte(""))
if err != nil {
t.Fatalf("failed creating key: %v", err)
}
Expand Down Expand Up @@ -184,10 +184,16 @@ func runSSHAuth(t *testing.T, keytype tpm2.TPMAlgID) {
}

func TestSSHAuth(t *testing.T) {
t.Run("ecdsa - agent", func(t *testing.T) {
runSSHAuth(t, tpm2.TPMAlgECDSA)
t.Run("ecdsa p256 - agent", func(t *testing.T) {
runSSHAuth(t, tpm2.TPMAlgECDSA, 256)
})
t.Run("rsa - agent", func(t *testing.T) {
runSSHAuth(t, tpm2.TPMAlgRSA)
runSSHAuth(t, tpm2.TPMAlgRSA, 2048)
})
t.Run("ecdsa p384 - agent", func(t *testing.T) {
runSSHAuth(t, tpm2.TPMAlgECDSA, 384)
})
t.Run("ecdsa p521 - agent", func(t *testing.T) {
runSSHAuth(t, tpm2.TPMAlgECDSA, 521)
})
}
31 changes: 26 additions & 5 deletions cmd/ssh-tpm-keygen/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,12 @@ Options:
-f Output keyfile.
-N PIN for the key.
-t ecdsa | rsa Specify the type of key to create. Defaults to ecdsa
-b bits Number of bits in the key to create.
rsa: 2048 (default)
ecdsa: 256 (default) | 384 | 521
-I, --import PATH Import existing key into ssh-tpm-agent.
-A Generate host keys for all key types (rsa and ecdsa).
--supported List the supported keys of the TPM.

Generate new TPM sealed keys for ssh-tpm-agent.

Expand Down Expand Up @@ -97,7 +101,9 @@ func main() {
var (
comment, outputFile, keyPin string
keyType, importKey string
bits int
swtpmFlag, hostKeys bool
listsupported bool
)

defaultComment := func() string {
Expand All @@ -120,10 +126,12 @@ func main() {
flag.StringVar(&outputFile, "f", "", "output keyfile")
flag.StringVar(&keyPin, "N", "", "new pin for the key")
flag.StringVar(&keyType, "t", "ecdsa", "key to create")
flag.IntVar(&bits, "b", 0, "number of bits")
flag.StringVar(&importKey, "I", "", "import key")
flag.StringVar(&importKey, "import", "", "import key")
flag.BoolVar(&swtpmFlag, "swtpm", false, "use swtpm instead of actual tpm")
flag.BoolVar(&hostKeys, "A", false, "generate host keys")
flag.BoolVar(&listsupported, "supported", false, "list tpm caps")

flag.Parse()

Expand All @@ -133,6 +141,16 @@ func main() {
}
defer tpm.Close()

if listsupported {
fmt.Printf("ecdsa bit lengths:")
for _, alg := range key.SupportedECCAlgorithms(tpm) {
fmt.Printf(" %d", alg)
}
fmt.Println()
fmt.Println("rsa bit lengths: 2048")
os.Exit(0)
}

// Generate host keys
if hostKeys {
// Mimics the `ssh-keygen -A -f ./something` behaviour
Expand All @@ -141,9 +159,12 @@ func main() {
outputPath = path.Join(outputFile, outputPath)
}

lookup := map[string]tpm2.TPMAlgID{
"rsa": tpm2.TPMAlgRSA,
"ecdsa": tpm2.TPMAlgECDSA,
lookup := map[string]struct {
alg tpm2.TPMAlgID
bits int
}{
"rsa": {alg: tpm2.TPMAlgRSA, bits: 2048},
"ecdsa": {alg: tpm2.TPMAlgECDSA, bits: 256},
}
for n, t := range lookup {
filename := fmt.Sprintf("ssh_tpm_host_%s_key", n)
Expand All @@ -156,7 +177,7 @@ func main() {

slog.Info("Generating new host key", slog.String("algorithm", strings.ToUpper(n)))

k, err := key.CreateKey(tpm, t, []byte(""), []byte(defaultComment))
k, err := key.CreateKey(tpm, t.alg, t.bits, []byte(""), []byte(defaultComment))
if err != nil {
log.Fatal(err)
}
Expand Down Expand Up @@ -311,7 +332,7 @@ func main() {
log.Fatal(err)
}
} else {
k, err = key.CreateKey(tpm, tpmkeyType, pin, []byte(comment))
k, err = key.CreateKey(tpm, tpmkeyType, bits, pin, []byte(comment))
if err != nil {
log.Fatal(err)
}
Expand Down
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/foxboron/ssh-tpm-agent

go 1.20
go 1.22

require (
github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006
Expand Down
9 changes: 7 additions & 2 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,19 @@ github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006 h1:50sW4r0Pcvl
github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006/go.mod h1:eIXCMsMYCaqq9m1KSSxXwQG11krpuNPGP3k0uaWrbas=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0=
github.com/google/go-sev-guest v0.6.1/go.mod h1:UEi9uwoPbLdKGl1QHaq1G8pfCbQ4QP0swWX4J0k6r+Q=
github.com/google/go-tpm v0.9.1-0.20230807150904-c49efc441a60 h1:WZpppXXHrrk6r76Vn2HPf1S/5MhuVjiaef3FHeLf0vA=
github.com/google/go-tpm v0.9.1-0.20230807150904-c49efc441a60/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
Expand All @@ -36,8 +41,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
golang.org/x/exp v0.0.0-20230801115018-d63ba01acd4b h1:r+vk0EmXNmekl0S0BascoeeoHk/L7wmaW2QF90K+kYI=
golang.org/x/exp v0.0.0-20230801115018-d63ba01acd4b/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
Expand Down Expand Up @@ -65,7 +68,9 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
Loading
Loading