Add TPM 2 application key support for Windows

There's currently no support for creating application keys on Windows systems. This patch transitions the Windows key type to specifically refer to attestation keys, and reuses the existing wrapped key support for application keys. This allows the creation of keys in the platform store, while still allowing said keys to be manipulated with existing TPM functionality rather than duplicating it.
google · Apr 28, 2022 · 08ff268 · 08ff268
1 parent 8235370
commit 08ff268
Show file tree

Hide file tree

Showing 3 changed files with 252 additions and 53 deletions.
diff --git a/attest/key_windows.go b/attest/key_windows.go
@@ -24,22 +24,22 @@ import (
 	"github.com/google/go-tpm/tpm2"
 )
 
-// windowsKey12 represents a Windows-managed key on a TPM1.2 TPM.
-type windowsKey12 struct {
+// windowsAK12 represents a Windows-managed key on a TPM1.2 TPM.
+type windowsAK12 struct {
 	hnd        uintptr
 	pcpKeyName string
 	public     []byte
 }
 
-func newWindowsKey12(hnd uintptr, pcpKeyName string, public []byte) ak {
-	return &windowsKey12{
+func newWindowsAK12(hnd uintptr, pcpKeyName string, public []byte) ak {
+	return &windowsAK12{
 		hnd:        hnd,
 		pcpKeyName: pcpKeyName,
 		public:     public,
 	}
 }
 
-func (k *windowsKey12) marshal() ([]byte, error) {
+func (k *windowsAK12) marshal() ([]byte, error) {
 	out := serializedKey{
 		Encoding:   keyEncodingOSManaged,
 		TPMVersion: TPMVersion12,
@@ -49,7 +49,7 @@ func (k *windowsKey12) marshal() ([]byte, error) {
 	return out.Serialize()
 }
 
-func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
+func (k *windowsAK12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
 	tpm, ok := t.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
@@ -61,7 +61,7 @@ func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]
 	return decryptCredential(secretKey, in.Secret)
 }
 
-func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
+func (k *windowsAK12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
 	if alg != HashSHA1 {
 		return nil, fmt.Errorf("only SHA1 algorithms supported on TPM 1.2, not %v", alg)
 	}
@@ -103,21 +103,21 @@ func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err
 	}, nil
 }
 
-func (k *windowsKey12) close(tpm tpmBase) error {
+func (k *windowsAK12) close(tpm tpmBase) error {
 	return closeNCryptObject(k.hnd)
 }
 
-func (k *windowsKey12) attestationParameters() AttestationParameters {
+func (k *windowsAK12) attestationParameters() AttestationParameters {
 	return AttestationParameters{
 		Public: k.public,
 	}
 }
-func (k *windowsKey12) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
+func (k *windowsAK12) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
 	return nil, fmt.Errorf("not implemented")
 }
 
-// windowsKey20 represents a key bound to a TPM 2.0.
-type windowsKey20 struct {
+// windowsAK20 represents a key bound to a TPM 2.0.
+type windowsAK20 struct {
 	hnd uintptr
 
 	pcpKeyName        string
@@ -127,8 +127,8 @@ type windowsKey20 struct {
 	createSignature   []byte
 }
 
-func newWindowsKey20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
-	return &windowsKey20{
+func newWindowsAK20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
+	return &windowsAK20{
 		hnd:               hnd,
 		pcpKeyName:        pcpKeyName,
 		public:            public,
@@ -138,7 +138,7 @@ func newWindowsKey20(hnd uintptr, pcpKeyName string, public, createData, createA
 	}
 }
 
-func (k *windowsKey20) marshal() ([]byte, error) {
+func (k *windowsAK20) marshal() ([]byte, error) {
 	out := serializedKey{
 		Encoding:   keyEncodingOSManaged,
 		TPMVersion: TPMVersion20,
@@ -152,15 +152,15 @@ func (k *windowsKey20) marshal() ([]byte, error) {
 	return out.Serialize()
 }
 
-func (k *windowsKey20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
+func (k *windowsAK20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
 	tpm, ok := t.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
 	}
 	return tpm.pcp.ActivateCredential(k.hnd, append(in.Credential, in.Secret...))
 }
 
-func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
+func (k *windowsAK20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
 	t, ok := tb.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", tb)
@@ -177,11 +177,11 @@ func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err
 	return quote20(tpm, tpmKeyHnd, alg.goTPMAlg(), nonce)
 }
 
-func (k *windowsKey20) close(tpm tpmBase) error {
+func (k *windowsAK20) close(tpm tpmBase) error {
 	return closeNCryptObject(k.hnd)
 }
 
-func (k *windowsKey20) attestationParameters() AttestationParameters {
+func (k *windowsAK20) attestationParameters() AttestationParameters {
 	return AttestationParameters{
 		Public:            k.public,
 		CreateData:        k.createData,
@@ -190,7 +190,7 @@ func (k *windowsKey20) attestationParameters() AttestationParameters {
 	}
 }
 
-func (k *windowsKey20) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
+func (k *windowsAK20) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
 	t, ok := tb.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", tb)