decodeCertify not returning signature #262

Open
salrashid123 opened this issue Aug 30, 2021 · 0 comments
The signature portion from the decodeCertify seems to just return the whole response.

I can't confirm the exact root cause but can state that the verification of the certified signature using the AK signer worked with github.com/google/go-tpm v0.3.1 (sample repro here)

not with latest@ github.com/google/go-tpm v0.3.3-0.20210409082102-d3310770bfec (sample repro here)

the change was made here:
ecde583#diff-92947631269f2d84f2baa92d703b215f7843a553a375c945715f669e2e831d7fL1747


the diff between working

https://github.com/google/go-tpm/blob/master/tpm2/tpm2.go#L1756

```go
func decodeCertify(resp []byte) ([]byte, []byte, error) {
	var paramSize uint32
	var attest, signature tpmutil.U16Bytes
	var sigAlg, hashAlg Algorithm

	buf := bytes.NewBuffer(resp)
	if err := tpmutil.UnpackBuf(buf, &paramSize); err != nil {
		return nil, nil, err
	}
	buf.Truncate(int(paramSize))
	if err := tpmutil.UnpackBuf(buf, &attest, &sigAlg); err != nil {
		return nil, nil, err
	}
	// If sigAlg is AlgNull, there will be no hashAlg or signature.
	// This will happen if AlgNull was passed in the Certify() as
	// the signing key (no need to sign the response).
	// See TPM2 spec part4 pg227 SignAttestInfo()
	if sigAlg != AlgNull {
		if sigAlg == AlgECDSA {
			var r, s tpmutil.U16Bytes
			if err := tpmutil.UnpackBuf(buf, &hashAlg, &r, &s); err != nil {
				return nil, nil, err
			}
			signature = append(r, s...)
		} else {
			if err := tpmutil.UnpackBuf(buf, &hashAlg, &signature); err != nil {
				return nil, nil, err
			}
		}
	}
	return attest, signature, nil
}
```

and not working

https://github.com/google/go-tpm/blob/v0.3.1/tpm2/tpm2.go#L1600

```go
func decodeCertify(resp []byte) ([]byte, []byte, error) {
	var paramSize uint32
	var attest tpmutil.U16Bytes

	buf := bytes.NewBuffer(resp)
	if err := tpmutil.UnpackBuf(buf, &paramSize); err != nil {
		return nil, nil, err
	}
	buf.Truncate(int(paramSize))
	if err := tpmutil.UnpackBuf(buf, &attest); err != nil {
		return nil, nil, err
	}
	return attest, buf.Bytes(), nil
}
```
salrashid123 added a commit to salrashid123/go_tpm_remote_attestation that referenced this issue Sep 1, 2021
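
The two `decodeCertify` snippets in the issue return differently shaped second values: the v0.3.1 one returns every byte after `attest` (sigAlg, hashAlg, size, signature), while the master one returns only the signature bytes in its non-ECDSA branch. The following is an added example, not code from the issue or from go-tpm, showing how each shape behaves in an RSASSA/SHA-256 check with `crypto/rsa`; the helper names, the software key standing in for the AK, and the attest bytes are assumptions constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// marshalRSASig builds the bytes that follow attest in the parameter area:
// sigAlg TPM_ALG_RSASSA | hashAlg TPM_ALG_SHA256 | uint16 size | signature.
func marshalRSASig(sig []byte) []byte {
	hdr := []byte{0x00, 0x14, 0x00, 0x0B, byte(len(sig) >> 8), byte(len(sig))}
	return append(hdr, sig...)
}

// bareSig strips that header, turning the v0.3.1-shaped value into the bare
// signature bytes. It rejects truncated or non-RSASSA input.
func bareSig(raw []byte) ([]byte, error) {
	if len(raw) < 6 || binary.BigEndian.Uint16(raw) != 0x0014 {
		return nil, fmt.Errorf("not a marshalled RSASSA signature")
	}
	n := int(binary.BigEndian.Uint16(raw[4:]))
	if len(raw)-6 < n {
		return nil, fmt.Errorf("signature truncated: want %d bytes, have %d", n, len(raw)-6)
	}
	return raw[6 : 6+n], nil
}

// demo signs constructed attest bytes with a software key (stand-in for the AK).
func demo() (rawOK, bareOK bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	d := sha256.Sum256([]byte("constructed TPMS_ATTEST bytes"))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	if err != nil {
		return false, false, err
	}
	raw := marshalRSASig(sig)
	bare, err := bareSig(raw)
	ok := func(s []byte) bool { return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, d[:], s) == nil }
	return ok(raw), ok(bare), err
}

func main() { fmt.Println(demo()) }
```

Code that hands the second return value to a TPMT_SIGNATURE decoder expects the header-prefixed shape; code that passes it directly to `rsa.VerifyPKCS1v15` expects the bare shape.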