Skip to content

Commit

Permalink
Explicitly set scheme for ECDSA signing
Browse files Browse the repository at this point in the history
My system is returning RCScheme if TPM_ALG_NULL is passed here. This should
be causing the key's default scheme to be used, but for some reason it
seems unhappy. Just explicitly set the scheme for now to avoid that.
  • Loading branch information
mjg59 committed May 24, 2023
1 parent 23380a3 commit 6e414e2
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 4 deletions.
2 changes: 1 addition & 1 deletion attest/key_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -270,7 +270,7 @@ func (k *windowsAK20) sign(tb tpmBase, digest []byte, pub crypto.PublicKey, opts

switch p := pub.(type) {
case *ecdsa.PublicKey:
return signECDSA(rw, hnd, digest, p.Curve)
return signECDSA(rw, hnd, digest, p.Curve, opts)
case *rsa.PublicKey:
return signRSA(rw, hnd, digest, opts)
}
Expand Down
16 changes: 13 additions & 3 deletions attest/wrapped_tpm20.go
Original file line number Diff line number Diff line change
Expand Up @@ -503,14 +503,24 @@ func (k *wrappedKey20) sign(tb tpmBase, digest []byte, pub crypto.PublicKey, opt
}
switch p := pub.(type) {
case *ecdsa.PublicKey:
return signECDSA(t.rwc, k.hnd, digest, p.Curve)
return signECDSA(t.rwc, k.hnd, digest, p.Curve, opts)
case *rsa.PublicKey:
return signRSA(t.rwc, k.hnd, digest, opts)
}
return nil, fmt.Errorf("unsupported signing key type: %T", pub)
}

func signECDSA(rw io.ReadWriter, key tpmutil.Handle, digest []byte, curve elliptic.Curve) ([]byte, error) {
func signECDSA(rw io.ReadWriter, key tpmutil.Handle, digest []byte, curve elliptic.Curve, opts crypto.SignerOpts) ([]byte, error) {
h, err := tpm2.HashToAlgorithm(opts.HashFunc())
if err != nil {
return nil, fmt.Errorf("incorrect hash algorithm: %v", err)
}

scheme := &tpm2.SigScheme{
Alg: tpm2.AlgECDSA,
Hash: h,
}

// https://cs.opensource.google/go/go/+/refs/tags/go1.19.2:src/crypto/ecdsa/ecdsa.go;l=181
orderBits := curve.Params().N.BitLen()
orderBytes := (orderBits + 7) / 8
Expand All @@ -524,7 +534,7 @@ func signECDSA(rw io.ReadWriter, key tpmutil.Handle, digest []byte, curve ellipt
}
digest = ret.Bytes()

sig, err := tpm2.Sign(rw, key, "", digest, nil, nil)
sig, err := tpm2.Sign(rw, key, "", digest, nil, scheme)
if err != nil {
return nil, fmt.Errorf("cannot sign: %v", err)
}
Expand Down

0 comments on commit 6e414e2

Please sign in to comment.