diff --git a/attest/attest.go b/attest/attest.go
index 226a4bd7..c2adb2f4 100644
--- a/attest/attest.go
+++ b/attest/attest.go
@@ -398,10 +398,10 @@ func (a HashAlg) String() string {
 // the booted state of the machine the TPM is attached to.
 //
 // The digests contained in the event log can be considered authentic if:
-// - The AK public corresponds to the known AK for that platform.
-// - All quotes are verified with AKPublic.Verify(), and return no errors.
-// - The event log parsed successfully using ParseEventLog(), and a call
-// to EventLog.Verify() with the full set of PCRs returned no error.
+// - The AK public corresponds to the known AK for that platform.
+// - All quotes are verified with AKPublic.Verify(), and return no errors.
+// - The event log parsed successfully using ParseEventLog(), and a call
+// to EventLog.Verify() with the full set of PCRs returned no error.
 type PlatformParameters struct {
 // The version of the TPM which generated this attestation.
 TPMVersion TPMVersion
diff --git a/attest/eventlog.go b/attest/eventlog.go
index 77cc81f5..4629c1f1 100644
--- a/attest/eventlog.go
+++ b/attest/eventlog.go
@@ -383,7 +383,7 @@ func (a *AKPublic) validate20Quote(quote Quote, pcrs []PCR, nonce []byte) error
 sigHash.Write(digest)
 }
 
-for index, _ := range pcrByIndex {
+for index := range pcrByIndex {
 if _, exists := quotePCRs[index]; !exists {
 return fmt.Errorf("provided PCR %d was not included in quote", index)
 }
diff --git a/attest/internal/events.go b/attest/internal/events.go
index f2b2fae2..cf3564f6 100644
--- a/attest/internal/events.go
+++ b/attest/internal/events.go
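Review bot: The simplified loop `for index := range pcrByIndex` still walks what appears to be a map (its key is used for the `quotePCRs[index]` lookup), so when more than one provided PCR is missing from the quote, which index the error names is nondeterministic between runs. Iterating the caller's `pcrs` slice in its given order, or a sorted copy of the map keys, would make `provided PCR %d was not included in quote` reproducible, which matters when that message is compared across verifier runs or logged for triage. validate20Quote's body begins before this hunk and continues after it, so the type of pcrByIndex is inferred here rather than visible.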
@@ -48,7 +48,7 @@ var (
 // EventType describes the type of event signalled in the event log.
 type EventType uint32
 
-// BIOS Events (TCG PC Client Specific Implementation Specification for Conventional BIOS 1.21)
+// BIOS Events (TCG PC Client Specific Implementation Specification for Conventional BIOS 1.21)
 const (
 PrebootCert EventType = 0x00000000
 PostCode EventType = 0x00000001
@@ -280,9 +280,9 @@ func ParseUEFIVariableAuthority(v UEFIVariableData) (UEFIVariableAuthority, erro
 // Skip parsing new SBAT section logged by shim.
 // See https://github.com/rhboot/shim/blob/main/SBAT.md for more.
 unicodeNameEquals(v, shimSbatVarName) || //https://github.com/rhboot/shim/blob/20e4d9486fcae54ee44d2323ae342ffe68c920e6/include/sbat.h#L9-L12
-// Skip parsing new MokListTrusted section logged by shim.
-// See https://github.com/rhboot/shim/blob/main/MokVars.txt for more.
-unicodeNameEquals(v, shimMokListTrustedVarName)) { //https://github.com/rhboot/shim/blob/4e513405b4f1641710115780d19dcec130c5208f/mok.c#L169-L182
+// Skip parsing new MokListTrusted section logged by shim.
+// See https://github.com/rhboot/shim/blob/main/MokVars.txt for more.
+unicodeNameEquals(v, shimMokListTrustedVarName)) { //https://github.com/rhboot/shim/blob/4e513405b4f1641710115780d19dcec130c5208f/mok.c#L169-L182
 return UEFIVariableAuthority{}, nil
 }
 certs, err := parseEfiSignature(v.VariableData)
diff --git a/attest/key_windows.go b/attest/key_windows.go
index 9d153c71..62b49aac 100644
--- a/attest/key_windows.go
+++ b/attest/key_windows.go
@@ -81,7 +81,7 @@ func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err
 }
 
 selectedPCRs := make([]int, 24)
-for pcr, _ := range selectedPCRs {
+for pcr := range selectedPCRs {
 selectedPCRs[pcr] = pcr
 }
 
diff --git a/attest/pcp_windows.go b/attest/pcp_windows.go
index a139ec6f..b78a3812 100644
--- a/attest/pcp_windows.go
+++ b/attest/pcp_windows.go
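Review bot: The PCR count is a bare `24` in `selectedPCRs := make([]int, 24)` on the line directly above the simplified loop, and nothing in the hunk says where that number comes from or that it must match the PCR bank the quote is taken over. A named constant, e.g. `const numPCRs = 24` with a one-line comment (presumably the TPM 1.2 PCR count given the windowsKey12 receiver — confirm against the spec reference the package already cites), would document the intent and keep it in step with any other place that selects the full PCR set. The quote method's signature appears in the hunk header but its body starts before the hunk and ends after it.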
@@ -369,8 +369,8 @@ func (h *winPCP) Close() error {
 return closeNCryptObject(h.hProv)
 }
 
-// DeleteKey permanently removes the key with the given handle
-// from the system, and frees its handle.
+// DeleteKey permanently removes the key with the given handle from the system,
+// and frees its handle.
 func (h *winPCP) DeleteKey(kh uintptr) error {
 r, _, msg := nCryptDeleteKey.Call(kh, 0)
 if r != 0 {
diff --git a/attest/tpm.go b/attest/tpm.go
index 9ad82563..40181df3 100644
--- a/attest/tpm.go
+++ b/attest/tpm.go
@@ -303,7 +303,7 @@ type tpmBase interface {
 measurementLog() ([]byte, error)
 }
 
-//TPM interfaces with a TPM device on the system.
+// TPM interfaces with a TPM device on the system.
 type TPM struct {
 // tpm refers to a concrete implementation of TPM logic, based on the current
 // platform and TPM version.
diff --git a/attest/tpm_test.go b/attest/tpm_test.go
index a350a036..7699a989 100644
--- a/attest/tpm_test.go
+++ b/attest/tpm_test.go
@@ -10,8 +10,7 @@ import (
 
 // Generated using the following command:
 //
-// openssl genrsa 2048|openssl rsa -outform PEM -pubout
-//
+// openssl genrsa 2048|openssl rsa -outform PEM -pubout
 var testRSAKey = mustParseRSAKey(`-----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8zyTXCjVALZzjS8wgNH
 nAVdt4ZGM3N450xOnLplx/RbCVwXyu83SWh0B3Ka+92aocqcHzo+j6e6Urppre/I
diff --git a/attest/win_events_test.go b/attest/win_events_test.go
index 39ffb259..1522f0f9 100644
--- a/attest/win_events_test.go
+++ b/attest/win_events_test.go
@@ -31,7 +31,7 @@ func TestParseWinEvents(t *testing.T) {
 CodeIntegrityEnabled: TernaryTrue,
 BitlockerUnlocks: []BitlockerStatus{0, 0},
 LoadedModules: map[string]WinModuleLoad{
-"0fdce7d71936f79445e7d2c84cbeb97c948d3730e0b839166b0a4e625c2d4547": WinModuleLoad{
+"0fdce7d71936f79445e7d2c84cbeb97c948d3730e0b839166b0a4e625c2d4547": {
 FilePath: `\Windows\System32\drivers\vioscsi.sys`,
 ImageBase: []uint64{81416192},
 ImageSize: uint64(86016),
@@ -49,7 +49,7 @@ func TestParseWinEvents(t *testing.T) {
 },
 AuthenticodeHash: []byte{15, 220, 231, 215, 25, 54, 247, 148, 69, 231, 210, 200, 76, 190, 185, 124, 148, 141, 55, 48, 224, 184, 57, 22, 107, 10, 78, 98, 92, 45, 69, 71},
 },
-"055a36a9921b98cc04042ca95249c7eca655536868dafcec7508947ebe5e71f4": WinModuleLoad{
+"055a36a9921b98cc04042ca95249c7eca655536868dafcec7508947ebe5e71f4": {
 FilePath: `\Windows\System32\Drivers\ksecpkg.sys`,
 ImageBase: []uint64{82952192},
 ImageSize: uint64(204800),
@@ -67,7 +67,7 @@ func TestParseWinEvents(t *testing.T) {
 },
 AuthenticodeHash: []byte{5, 90, 54, 169, 146, 27, 152, 204, 4, 4, 44, 169, 82, 73, 199, 236, 166, 85, 83, 104, 104, 218, 252, 236, 117, 8, 148, 126, 190, 94, 113, 244},
 },
-"2bedd1589410b6fa13c82f35db735025b6a160595922750248771f5abd0fee58": WinModuleLoad{
+"2bedd1589410b6fa13c82f35db735025b6a160595922750248771f5abd0fee58": {
 FilePath: `\Windows\System32\drivers\volmgrx.sys`,
 ImageBase: []uint64{80875520},
 ImageSize: uint64(405504),
@@ -87,7 +87,7 @@ func TestParseWinEvents(t *testing.T) {
 },
 },
 ELAM: map[string]WinELAM{
-"Windows Defender": WinELAM{Measured: []byte{0x06, 0x7d, 0x5b, 0x9d, 0xc5, 0x62, 0x7f, 0x97, 0xdc, 0xf3, 0xfe, 0xff, 0x60, 0x2a, 0x34, 0x2e, 0xd6, 0x98, 0xd2, 0xcc}},
+"Windows Defender": {Measured: []byte{0x06, 0x7d, 0x5b, 0x9d, 0xc5, 0x62, 0x7f, 0x97, 0xdc, 0xf3, 0xfe, 0xff, 0x60, 0x2a, 0x34, 0x2e, 0xd6, 0x98, 0xd2, 0xcc}},
 },
 }
 
@@ -121,7 +121,7 @@ func TestParseWinEvents(t *testing.T) {
 "055a36a9921b98cc04042ca95249c7eca655536868dafcec7508947ebe5e71f4": true,
 "2bedd1589410b6fa13c82f35db735025b6a160595922750248771f5abd0fee58": true,
 }
-for k, _ := range winState.LoadedModules {
+for k := range winState.LoadedModules {
 if _, keep := keep[k]; !keep {
 delete(winState.LoadedModules, k)
 }
diff --git a/attributecert/attributecert.go b/attributecert/attributecert.go
index 49e04d53..ea4331b3 100644
--- a/attributecert/attributecert.go
+++ b/attributecert/attributecert.go
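Review bot: Inside the loop the commit simplifies, `if _, keep := keep[k]; !keep {` reuses the name of the `keep` map for the boolean read out of it, so within the `if` the map is shadowed by a bool. It compiles because the right-hand side is evaluated before the new binding takes effect, but it reads as if the map were being tested; `if _, ok := keep[k]; !ok {` is the conventional form. Deleting from `winState.LoadedModules` while ranging over it is permitted in Go, so nothing else in this loop needs to change. TestParseWinEvents continues outside the hunk.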
@@ -129,50 +129,50 @@ func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) x509.SignatureAlgo
 return x509.UnknownSignatureAlgorithm
 }
 
-//RFC 5280 4.2.2.1
+// RFC 5280 4.2.2.1
 type authorityInfoAccess struct {
 Method asn1.ObjectIdentifier
 Location asn1.RawValue
 }
 
-//RFC 5280 4.2.1.1
+// RFC 5280 4.2.1.1
 type authKeyID struct {
 ID []byte `asn1:"optional,tag:0"`
 IssuerName asn1.RawValue `asn1:"set,optional,tag:1"`
 SerialNumber *big.Int `asn1:"optional,tag:2"`
 }
 
-//RFC 5280 4.2.1.4
+// RFC 5280 4.2.1.4
 type cpsPolicy struct {
 ID asn1.ObjectIdentifier
 Value string
 }
 
-//RFC 5280 4.2.1.4
+// RFC 5280 4.2.1.4
 type policyInformation struct {
 Raw asn1.RawContent
 ID asn1.ObjectIdentifier
 Policy asn1.RawValue
 }
 
-//RFC 5280 4.1.2.5
+// RFC 5280 4.1.2.5
 type validity struct {
 NotBefore, NotAfter time.Time
 }
 
-//RFC 5280 4.2.1.4
-type NoticeReference struct {
+// RFC 5280 4.2.1.4
+type noticeReference struct {
 Organization string
 NoticeNumbers []int
 }
 
-//RFC 5280 4.2.1.4
+// RFC 5280 4.2.1.4
 type userNotice struct {
-NoticeRef NoticeReference `asn1:"optional"`
+NoticeRef noticeReference `asn1:"optional"`
 ExplicitText string `asn1:"optional"`
 }
 
-//RFC 5755 4.1
+// RFC 5755 4.1
 type objectDigestInfo struct {
 DigestedObjectType asn1.Enumerated
 OtherObjectTypeID asn1.ObjectIdentifier
@@ -180,14 +180,14 @@ type objectDigestInfo struct {
 ObjectDigest asn1.BitString
 }
 
-//RFC 5755 4.1
+// RFC 5755 4.1
 type attCertIssuer struct {
 IssuerName asn1.RawValue `asn1:"set,optional"`
 BaseCertificateID issuerSerial `asn1:"optional,tag:0"`
 ObjectDigestInfo objectDigestInfo `asn1:"optional,tag:1"`
 }
 
-//RFC 5755 4.1
+// RFC 5755 4.1
 type issuerSerial struct {
 Raw asn1.RawContent
 Issuer asn1.RawValue
@@ -195,7 +195,7 @@ type issuerSerial struct {
 IssuerUID asn1.BitString `asn1:"optional"`
 }
 
-//RFC 5755 4.1
+// RFC 5755 4.1
 type holder struct {
 Raw asn1.RawContent
 BaseCertificateID issuerSerial `asn1:"optional,tag:0"`
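Review bot: Renaming `NoticeReference` to `noticeReference` turns an exported identifier into an unexported one, so any importer that referenced `attributecert.NoticeReference` stops compiling, while the rest of this hunk is comment spacing. The only use visible here is the in-package field in `userNotice`, so the change is very likely intentional, but it should be called out as an API break in the commit message or release notes rather than carried silently in a formatting commit. If outside use cannot be ruled out, keeping `type NoticeReference = noticeReference` marked `// Deprecated:` for one release gives callers a migration path.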
@@ -203,13 +203,13 @@ type holder struct {
 ObjectDigestInfo objectDigestInfo `asn1:"optional,tag:2"`
 }
 
-//RFC 5755 4.1
+// RFC 5755 4.1
 type attribute struct {
 ID asn1.ObjectIdentifier
 RawValues []asn1.RawValue `asn1:"set"`
 }
 
-//RFC 5755 4.1
+// RFC 5755 4.1
 type tbsAttributeCertificate struct {
 Raw asn1.RawContent
 Version int
diff --git a/x509/x509ext.go b/x509/x509ext.go
index 0a8f8bf1..26660300 100644
--- a/x509/x509ext.go
+++ b/x509/x509ext.go
@@ -18,9 +18,9 @@ var (
 oidPermanentIdentifier = []int{1, 3, 6, 1, 5, 5, 7, 8, 3}
 )
 
-// OtherName ::= SEQUENCE {
-// type-id OBJECT IDENTIFIER,
-// value [0] EXPLICIT ANY DEFINED BY type-id }
+// OtherName ::= SEQUENCE {
+// type-id OBJECT IDENTIFIER,
+// value [0] EXPLICIT ANY DEFINED BY type-id }
 type otherName struct {
 TypeID asn1.ObjectIdentifier
 Value asn1.RawValue
@@ -42,10 +42,13 @@ func marshalOtherName(typeID asn1.ObjectIdentifier, value interface{}) (asn1.Raw
 return asn1.RawValue{FullBytes: bytes}, nil
 }
 
-// PermanentIdentifier ::= SEQUENCE {
-// identifierValue UTF8String OPTIONAL,
-// assigner OBJECT IDENTIFIER OPTIONAL
-// }
+// PermanentIdentifier represents an ASN.1 encoded "permanent identifier" as
+// defined by RFC4043.
+//
+// PermanentIdentifier ::= SEQUENCE {
+// identifierValue UTF8String OPTIONAL,
+// assigner OBJECT IDENTIFIER OPTIONAL
+// }
 //
 // https://datatracker.ietf.org/doc/html/rfc4043
 type PermanentIdentifier struct {