
Features/tpm #44

Merged: jjrdk merged 16 commits into master from features/tpm, Apr 12, 2026

@jjrdk (Owner) commented Apr 12, 2026

Add support for key storage in TPM

Comment thread src/OpenCertServer.TSS.Net.Managed/CryptoSymm.cs Fixed
Copilot AI (Contributor) left a comment

Pull request overview

Adds TPM-backed CA key storage to OpenCertServer by introducing a new opencertserver.tpm module (with a vendored managed TSS.NET dependency) and an accompanying Reqnroll/xUnit test suite that runs against an IBM TPM2 simulator in Docker.

Changes:

  • Introduce opencertserver.tpm with ITpmKeyProvider + TPM-backed RSA/ECDsa wrappers and a CA profile factory/DI integration.
  • Vendor a managed TSS.NET snapshot (OpenCertServer.TSS.Net.Managed) including a minimal AES-CMAC shim to avoid platform-specific crypto dependencies.
  • Add opencertserver.tpm.tests that provisions keys, signs/verifies, and exercises rollover using a Dockerized IBM TPM2 simulator.

Reviewed changes

Copilot reviewed 48 out of 52 changed files in this pull request and generated 11 comments.

| File | Description |
| --- | --- |
| tests/opencertserver.tpm.tests/TpmSimulatorContainer.cs | Testcontainer wrapper for IBM TPM2 simulator + options helper for tests |
| tests/opencertserver.tpm.tests/TpmFactAttribute.cs | Test attribute intended for TPM tests (docs/constructor behavior) |
| tests/opencertserver.tpm.tests/TpmContainerHooks.cs | Reqnroll hooks to start/stop simulator container and inject into scenarios |
| tests/opencertserver.tpm.tests/StepDefinitions/TpmKeyProvisioningSteps.cs | Step definitions for provisioning/signing/profile/rollover scenarios |
| tests/opencertserver.tpm.tests/opencertserver.tpm.tests.csproj | New TPM test project + Testcontainers/Reqnroll/xUnit dependencies |
| tests/opencertserver.tpm.tests/Features/TpmKeyProvisioning.feature.cs | Generated Reqnroll feature runner for TPM provisioning scenarios |
| tests/opencertserver.tpm.tests/Features/TpmKeyProvisioning.feature | Feature specification for TPM provisioning/signing/profile/rollover |
| tests/opencertserver.tpm.tests/Dockerfile.tpm2sim | Builds IBM SW TPM2 simulator image for tests |
| src/OpenCertServer.TSS.Net.Managed/Tpm2Helpers.cs | Vendored helper APIs for TPM operations |
| src/OpenCertServer.TSS.Net.Managed/Tpm2Device.cs | Vendored device abstraction base class |
| src/OpenCertServer.TSS.Net.Managed/Tpm2Abstractions.cs | Vendored async TPM command abstractions |
| src/OpenCertServer.TSS.Net.Managed/TbsDevice.cs | Vendored Windows TBS TPM device implementation |
| src/OpenCertServer.TSS.Net.Managed/SupportClasses.cs | Vendored utility/support classes |
| src/OpenCertServer.TSS.Net.Managed/SlotContext.cs | Vendored handle/session context management |
| src/OpenCertServer.TSS.Net.Managed/Sessions.cs | Vendored session primitives (PWAP/HMAC/etc.) |
| src/OpenCertServer.TSS.Net.Managed/README.md | Notes describing the vendored TSS.NET copy |
| src/OpenCertServer.TSS.Net.Managed/Properties/AssemblyInfo.cs | Vendored assembly metadata (GenerateAssemblyInfo disabled) |
| src/OpenCertServer.TSS.Net.Managed/Policy.cs | Vendored policy tree/serialization implementation |
| src/OpenCertServer.TSS.Net.Managed/Org/BouncyCastle/Crypto/Parameters/KeyParameter.cs | Minimal BouncyCastle shim used by vendored crypto code |
| src/OpenCertServer.TSS.Net.Managed/Org/BouncyCastle/Crypto/Macs/CMac.cs | Minimal AES-CMAC implementation (RFC 4493) for vendored code |
| src/OpenCertServer.TSS.Net.Managed/OpenCertServer.TSS.Net.Managed.csproj | New vendored managed TSS.NET project definition |
| src/OpenCertServer.TSS.Net.Managed/Messages.resx | Vendored message resources |
| src/OpenCertServer.TSS.Net.Managed/MarshallingAttributes.cs | Vendored marshalling attributes |
| src/OpenCertServer.TSS.Net.Managed/Marshaller.cs | Vendored marshalling implementation |
| src/OpenCertServer.TSS.Net.Managed/LinuxTpmDevice.cs | Vendored Linux TPM device implementation |
| src/OpenCertServer.TSS.Net.Managed/KeyWrapping.cs | Vendored TPM object wrapping helpers |
| src/OpenCertServer.TSS.Net.Managed/GlobalSuppressions.cs | Code analysis suppressions for vendored library |
| src/OpenCertServer.TSS.Net.Managed/CustomExceptions.cs | Vendored exception types |
| src/OpenCertServer.TSS.Net.Managed/CryptoSymm.cs | Vendored symmetric crypto wrapper |
| src/opencertserver.tpm/TssTpmKeyProvider.cs | TPM key provider implementation using vendored TSS.NET devices |
| src/opencertserver.tpm/TpmRsa.cs | RSA wrapper delegating signing to TPM |
| src/opencertserver.tpm/TpmMode.cs | Mode selection for Linux/Windows/Simulator |
| src/opencertserver.tpm/TpmEcDsa.cs | ECDsa wrapper delegating signing to TPM |
| src/opencertserver.tpm/TpmCaProfileFactory.cs | Create/load CA profiles backed by TPM keys + self-signed CA cert creation |
| src/opencertserver.tpm/TpmCaOptions.cs | Options for TPM mode, handles, simulator endpoints, cert validity/store |
| src/opencertserver.tpm/TpmCaExtensions.cs | DI registration for TPM-backed CA services |
| src/opencertserver.tpm/TpmCaCertificateStore.cs | OS X509Store persistence for CA public certificates |
| src/opencertserver.tpm/README.md | End-user documentation for TPM CA usage + migration notes |
| src/opencertserver.tpm/opencertserver.tpm.csproj | New TPM module project definition + reference to vendored TSS.NET project |
| src/opencertserver.tpm/ITpmKeyProvider.cs | Swap-seam interface for TPM key operations |
| opencertserver.slnx | Adds the new TPM projects and test project to the solution |

Files not reviewed (1)
  • tests/opencertserver.tpm.tests/Features/TpmKeyProvisioning.feature.cs: Language not supported

Comment thread tests/opencertserver.tpm.tests/TpmFactAttribute.cs
Comment thread tests/opencertserver.tpm.tests/TpmSimulatorContainer.cs
Comment thread src/opencertserver.tpm/TpmCaCertificateStore.cs
Comment thread src/opencertserver.tpm/TpmCaExtensions.cs
Comment thread src/opencertserver.tpm/TssTpmKeyProvider.cs
Comment thread src/opencertserver.tpm/README.md Outdated
Comment thread src/opencertserver.tpm/README.md
jjrdk and others added 7 commits April 12, 2026 21:43
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ged instead of Microsoft.TSS

Agent-Logs-Url: https://github.com/jjrdk/opencertserver/sessions/5d24d2aa-390f-4b22-a8c5-702aae02f2bc

Co-authored-by: jjrdk <149390+jjrdk@users.noreply.github.com>
jjrdk and others added 2 commits April 12, 2026 22:48
jjrdk and others added 2 commits April 12, 2026 22:56
@jjrdk jjrdk merged commit bce51df into master Apr 12, 2026
7 checks passed
@jjrdk jjrdk deleted the features/tpm branch April 12, 2026 21:07