Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move Alg checks to getSigningHashAlg #94

Merged
merged 1 commit into from
Dec 11, 2020
Merged

Move Alg checks to getSigningHashAlg #94

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 24 additions & 13 deletions tpm2tools/signer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,29 +88,40 @@ func (k *Key) GetSigner() (crypto.Signer, error) {
if k.hasAttribute(tpm2.FlagRestricted) {
return nil, fmt.Errorf("restricted keys are not supported")
}
hashAlg, err := getSigningHashAlg(k)
if err != nil {
return nil, err
}
// For crypto.Signer, Go does the hashing. Make sure the hash is supported.
hash, err := hashAlg.Hash()
if err != nil {
return nil, err
}
return &tpmSigner{k, hash}, nil
}

func getSigningHashAlg(k *Key) (tpm2.Algorithm, error) {
if !k.hasAttribute(tpm2.FlagSign) {
return nil, fmt.Errorf("non-signing key used with GetSigner()")
return tpm2.AlgNull, fmt.Errorf("non-signing key used with signing operation")
}

var sigScheme *tpm2.SigScheme

switch k.pubArea.Type {
case tpm2.AlgRSA:
sigScheme = k.pubArea.RSAParameters.Sign
if sigScheme.Alg != tpm2.AlgRSAPSS && sigScheme.Alg != tpm2.AlgRSASSA {
return nil, fmt.Errorf("unsupported signing algorithm: %v", sigScheme.Alg)
}
case tpm2.AlgECC:
sigScheme = k.pubArea.ECCParameters.Sign
if sigScheme.Alg != tpm2.AlgECDSA {
return nil, fmt.Errorf("unsupported signing algorithm: %v", sigScheme.Alg)
}
default:
return nil, fmt.Errorf("unsupported key type: %v", k.pubArea.Type)
return tpm2.AlgNull, fmt.Errorf("unsupported key type: %v", k.pubArea.Type)
}
hash, err := sigScheme.Hash.Hash()
if err != nil {
return nil, err

if sigScheme == nil {
return tpm2.AlgNull, fmt.Errorf("unsupported null signing scheme")
}
switch sigScheme.Alg {
case tpm2.AlgRSAPSS, tpm2.AlgRSASSA, tpm2.AlgECDSA:
return sigScheme.Hash, nil
default:
return tpm2.AlgNull, fmt.Errorf("unsupported signing algorithm: %v", sigScheme.Alg)
}
return &tpmSigner{k, hash}, nil
}
18 changes: 18 additions & 0 deletions tpm2tools/signer_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -242,3 +242,21 @@ func TestFailSignPSS(t *testing.T) {
})
}
}

// Signing keys without a signature scheme are incompatible with GetSigner
func TestFailGetSignerNullScheme(t *testing.T) {
template := templateSSA(tpm2.AlgSHA256)
template.RSAParameters.Sign = nil

rwc := internal.GetTPM(t)
defer CheckedClose(t, rwc)
key, err := NewKey(rwc, tpm2.HandleEndorsement, template)
if err != nil {
t.Fatal(err)
}
defer key.Close()

if _, err = key.GetSigner(); err == nil {
t.Error("expected failure when calling GetSigner")
}
}