Minor fixes and additions (#207)

* replace ReadPublic() by DecodePublic() when creating and loading keys: the current implementation calls ReadPublic() even if public data is already accessible
* drop handle() from the ak interface: it is unnecessary
* add Blobs() to attest.Key: to allow agnostic key marshaling

Author: pszal

attest/application_key.go

@@ -28,6 +28,7 @@ type key interface {
 	certificationParameters() CertificationParameters
 	sign(tpmBase, []byte) ([]byte, error)
 	decrypt(tpmBase, []byte) ([]byte, error)
+	blobs() ([]byte, []byte, error)
 }
 
 // Key represents a key which can be used for signing and decrypting
@@ -101,3 +102,8 @@ func (k *Key) Marshal() ([]byte, error) {
 func (k *Key) CertificationParameters() CertificationParameters {
 	return k.key.certificationParameters()
 }
+
+// Blobs returns public and private blobs to be used by tpm2.Load().
+func (k *Key) Blobs() (pub, priv []byte, err error) {
+	return k.key.blobs()
+}

attest/attest.go

@@ -24,7 +24,6 @@ import (
 	"github.com/google/certificate-transparency-go/x509"
 	"github.com/google/go-tpm/tpm"
 	"github.com/google/go-tpm/tpm2"
-	"github.com/google/go-tpm/tpmutil"
 )
 
 // TPMVersion is used to configure a preference in
@@ -104,7 +103,6 @@ type ak interface {
 	activateCredential(tpm tpmBase, in EncryptedCredential) ([]byte, error)
 	quote(t tpmBase, nonce []byte, alg HashAlg) (*Quote, error)
 	attestationParameters() AttestationParameters
-	handle() (tpmutil.Handle, error)
 }
 
 // AK represents a key which can be used for attestation.

attest/key_linux.go

@@ -19,7 +19,6 @@ package attest
 import (
 	"fmt"
 
-	"github.com/google/go-tpm/tpmutil"
 	"github.com/google/go-tspi/attestation"
 )
 
@@ -92,7 +91,3 @@ func (k *trousersKey12) attestationParameters() AttestationParameters {
 		UseTCSDActivationFormat: true,
 	}
 }
-
-func (k *trousersKey12) handle() (tpmutil.Handle, error) {
-	return 0, fmt.Errorf("not implemented")
-}

attest/key_windows.go

@@ -20,7 +20,6 @@ import (
 	"fmt"
 
 	tpm1 "github.com/google/go-tpm/tpm"
-	"github.com/google/go-tpm/tpmutil"
 )
 
 // windowsKey12 represents a Windows-managed key on a TPM1.2 TPM.
@@ -112,10 +111,6 @@ func (k *windowsKey12) attestationParameters() AttestationParameters {
 	}
 }
 
-func (k *windowsKey12) handle() (tpmutil.Handle, error) {
-	return 0, fmt.Errorf("not implemented")
-}
-
 // windowsKey20 represents a key bound to a TPM 2.0.
 type windowsKey20 struct {
 	hnd uintptr
@@ -189,7 +184,3 @@ func (k *windowsKey20) attestationParameters() AttestationParameters {
 		CreateSignature:   k.createSignature,
 	}
 }
-
-func (k *windowsKey20) handle() (tpmutil.Handle, error) {
-	return 0, fmt.Errorf("not implemented")
-}

attest/wrapped_tpm20.go

@@ -159,9 +159,9 @@ func (t *wrappedTPM20) newAK(opts *AKConfig) (*AK, error) {
 
 func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
 	// TODO(szp): TODO(jsonp): Abstract choice of hierarchy & parent.
-	certifierHandle, err := ak.ak.handle()
-	if err != nil {
-		return nil, fmt.Errorf("cannot get AK's handle: %v", err)
+	k, ok := ak.ak.(*wrappedKey20)
+	if !ok {
+		return nil, fmt.Errorf("expected *wrappedKey20, got: %T", k)
 	}
 
 	srk, _, err := t.getPrimaryKeyHandle(commonSrkEquivalentHandle)
@@ -185,7 +185,7 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
 	}()
 
 	// Certify application key by AK
-	attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, certifierHandle, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
+	attestation, sig, err := tpm2.CertifyCreation(t.rwc, "", keyHandle, k.hnd, nil, creationHash, tpm2.SigScheme{tpm2.AlgRSASSA, tpm2.AlgSHA256, 0}, tix)
 	if err != nil {
 		return nil, fmt.Errorf("CertifyCreation failed: %v", err)
 	}
@@ -195,13 +195,13 @@ func (t *wrappedTPM20) newKey(ak *AK, opts *KeyConfig) (*Key, error) {
 		return nil, fmt.Errorf("failed to pack TPMT_SIGNATURE: %v", err)
 	}
 
-	tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, keyHandle)
+	tpmPub, err := tpm2.DecodePublic(pub)
 	if err != nil {
-		return nil, fmt.Errorf("read public blob: %v", err)
+		return nil, fmt.Errorf("decode public key: %v", err)
 	}
 	pubKey, err := tpmPub.Key()
 	if err != nil {
-		return nil, fmt.Errorf("decode public key: %v", err)
+		return nil, fmt.Errorf("access public key: %v", err)
 	}
 	return &Key{key: newWrappedKey20(keyHandle, blob, pub, creationData, attestation, signature), pub: pubKey, tpm: t}, nil
 }
@@ -239,13 +239,13 @@ func (t *wrappedTPM20) loadKey(opaqueBlob []byte) (*Key, error) {
 	if err != nil {
 		return nil, fmt.Errorf("cannot load signing key: %v", err)
 	}
-	tpmPub, _, _, err := tpm2.ReadPublic(t.rwc, hnd)
+	tpmPub, err := tpm2.DecodePublic(sKey.Public)
 	if err != nil {
-		return nil, fmt.Errorf("read public blob: %v", err)
+		return nil, fmt.Errorf("decode public blob: %v", err)
 	}
 	pub, err := tpmPub.Key()
 	if err != nil {
-		return nil, fmt.Errorf("decode public key: %v", err)
+		return nil, fmt.Errorf("access public key: %v", err)
 	}
 	return &Key{key: newWrappedKey20(hnd, sKey.Blob, sKey.Public, sKey.CreateData, sKey.CreateAttestation, sKey.CreateSignature), pub: pub, tpm: t}, nil
 }
@@ -396,10 +396,6 @@ func (k *wrappedKey20) certificationParameters() CertificationParameters {
 	}
 }
 
-func (k *wrappedKey20) handle() (tpmutil.Handle, error) {
-	return k.hnd, nil
-}
-
 func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) {
 	t, ok := tb.(*wrappedTPM20)
 	if !ok {
@@ -424,3 +420,7 @@ func (k *wrappedKey20) sign(tb tpmBase, digest []byte) ([]byte, error) {
 func (k *wrappedKey20) decrypt(tb tpmBase, ctxt []byte) ([]byte, error) {
 	return nil, fmt.Errorf("not implemented")
 }
+
+func (k *wrappedKey20) blobs() ([]byte, []byte, error) {
+	return k.public, k.blob, nil
+}