Merged
Pull request overview
Adds TPM-backed CA key storage to OpenCertServer by introducing a new opencertserver.tpm module (with a vendored managed TSS.NET dependency) and an accompanying Reqnroll/xUnit test suite that runs against an IBM TPM2 simulator in Docker.
Changes:
- Introduce `opencertserver.tpm` with `ITpmKeyProvider` + TPM-backed `RSA`/`ECDsa` wrappers and a CA profile factory/DI integration.
- Vendor a managed TSS.NET snapshot (`OpenCertServer.TSS.Net.Managed`) including a minimal AES-CMAC shim to avoid platform-specific crypto dependencies.
- Add `opencertserver.tpm.tests` that provisions keys, signs/verifies, and exercises rollover using a Dockerized IBM TPM2 simulator.
Reviewed changes
Copilot reviewed 48 out of 52 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| tests/opencertserver.tpm.tests/TpmSimulatorContainer.cs | Testcontainer wrapper for IBM TPM2 simulator + options helper for tests |
| tests/opencertserver.tpm.tests/TpmFactAttribute.cs | Test attribute intended for TPM tests (docs/constructor behavior) |
| tests/opencertserver.tpm.tests/TpmContainerHooks.cs | Reqnroll hooks to start/stop simulator container and inject into scenarios |
| tests/opencertserver.tpm.tests/StepDefinitions/TpmKeyProvisioningSteps.cs | Step definitions for provisioning/signing/profile/rollover scenarios |
| tests/opencertserver.tpm.tests/opencertserver.tpm.tests.csproj | New TPM test project + Testcontainers/Reqnroll/xUnit dependencies |
| tests/opencertserver.tpm.tests/Features/TpmKeyProvisioning.feature.cs | Generated Reqnroll feature runner for TPM provisioning scenarios |
| tests/opencertserver.tpm.tests/Features/TpmKeyProvisioning.feature | Feature specification for TPM provisioning/signing/profile/rollover |
| tests/opencertserver.tpm.tests/Dockerfile.tpm2sim | Builds IBM SW TPM2 simulator image for tests |
| src/OpenCertServer.TSS.Net.Managed/Tpm2Helpers.cs | Vendored helper APIs for TPM operations |
| src/OpenCertServer.TSS.Net.Managed/Tpm2Device.cs | Vendored device abstraction base class |
| src/OpenCertServer.TSS.Net.Managed/Tpm2Abstractions.cs | Vendored async TPM command abstractions |
| src/OpenCertServer.TSS.Net.Managed/TbsDevice.cs | Vendored Windows TBS TPM device implementation |
| src/OpenCertServer.TSS.Net.Managed/SupportClasses.cs | Vendored utility/support classes |
| src/OpenCertServer.TSS.Net.Managed/SlotContext.cs | Vendored handle/session context management |
| src/OpenCertServer.TSS.Net.Managed/Sessions.cs | Vendored session primitives (PWAP/HMAC/etc.) |
| src/OpenCertServer.TSS.Net.Managed/README.md | Notes describing the vendored TSS.NET copy |
| src/OpenCertServer.TSS.Net.Managed/Properties/AssemblyInfo.cs | Vendored assembly metadata (GenerateAssemblyInfo disabled) |
| src/OpenCertServer.TSS.Net.Managed/Policy.cs | Vendored policy tree/serialization implementation |
| src/OpenCertServer.TSS.Net.Managed/Org/BouncyCastle/Crypto/Parameters/KeyParameter.cs | Minimal BouncyCastle shim used by vendored crypto code |
| src/OpenCertServer.TSS.Net.Managed/Org/BouncyCastle/Crypto/Macs/CMac.cs | Minimal AES-CMAC implementation (RFC 4493) for vendored code |
| src/OpenCertServer.TSS.Net.Managed/OpenCertServer.TSS.Net.Managed.csproj | New vendored managed TSS.NET project definition |
| src/OpenCertServer.TSS.Net.Managed/Messages.resx | Vendored message resources |
| src/OpenCertServer.TSS.Net.Managed/MarshallingAttributes.cs | Vendored marshalling attributes |
| src/OpenCertServer.TSS.Net.Managed/Marshaller.cs | Vendored marshalling implementation |
| src/OpenCertServer.TSS.Net.Managed/LinuxTpmDevice.cs | Vendored Linux TPM device implementation |
| src/OpenCertServer.TSS.Net.Managed/KeyWrapping.cs | Vendored TPM object wrapping helpers |
| src/OpenCertServer.TSS.Net.Managed/GlobalSuppressions.cs | Code analysis suppressions for vendored library |
| src/OpenCertServer.TSS.Net.Managed/CustomExceptions.cs | Vendored exception types |
| src/OpenCertServer.TSS.Net.Managed/CryptoSymm.cs | Vendored symmetric crypto wrapper |
| src/opencertserver.tpm/TssTpmKeyProvider.cs | TPM key provider implementation using vendored TSS.NET devices |
| src/opencertserver.tpm/TpmRsa.cs | RSA wrapper delegating signing to TPM |
| src/opencertserver.tpm/TpmMode.cs | Mode selection for Linux/Windows/Simulator |
| src/opencertserver.tpm/TpmEcDsa.cs | ECDsa wrapper delegating signing to TPM |
| src/opencertserver.tpm/TpmCaProfileFactory.cs | Create/load CA profiles backed by TPM keys + self-signed CA cert creation |
| src/opencertserver.tpm/TpmCaOptions.cs | Options for TPM mode, handles, simulator endpoints, cert validity/store |
| src/opencertserver.tpm/TpmCaExtensions.cs | DI registration for TPM-backed CA services |
| src/opencertserver.tpm/TpmCaCertificateStore.cs | OS X509Store persistence for CA public certificates |
| src/opencertserver.tpm/README.md | End-user documentation for TPM CA usage + migration notes |
| src/opencertserver.tpm/opencertserver.tpm.csproj | New TPM module project definition + reference to vendored TSS.NET project |
| src/opencertserver.tpm/ITpmKeyProvider.cs | Swap-seam interface for TPM key operations |
| opencertserver.slnx | Adds the new TPM projects and test project to the solution |
Files not reviewed (1)
- tests/opencertserver.tpm.tests/Features/TpmKeyProvisioning.feature.cs: Language not supported
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ged instead of Microsoft.TSS Agent-Logs-Url: https://github.com/jjrdk/opencertserver/sessions/5d24d2aa-390f-4b22-a8c5-702aae02f2bc Co-authored-by: jjrdk <149390+jjrdk@users.noreply.github.com>
…r lifecycle Agent-Logs-Url: https://github.com/jjrdk/opencertserver/sessions/eb5c94a1-b2c7-4077-95f4-80e2d7335694 Co-authored-by: jjrdk <149390+jjrdk@users.noreply.github.com>
Agent-Logs-Url: https://github.com/jjrdk/opencertserver/sessions/a305edfa-ebbd-4173-ae12-5cf6ebac9e53 Co-authored-by: jjrdk <149390+jjrdk@users.noreply.github.com>
Add support for key storage in TPM