Enrollz TPM 1.2 RotateAIK() enrollment flow README

Author: muntazirsal

feature/security/attestz/tests/enrollz_tpm12/README.md

@@ -0,0 +1,180 @@
+# Enrollz-2: TPM 1.2 RotateAIK Flow
+
+## Summary
+
+This document details the RotateAIK enrollment flow for devices equipped with TPM 1.2. It describes the interaction between the EnrollZ Service and the device, the cryptographic structures involved, and the mapping to the `RotateAIKCertRequest` and `RotateAIKCertResponse` Protocol Buffers.
+
+The RotateAIK flow for TPM 1.2 is used to generate an Attestation Identity Key (AIK) pair on the device, certify it using the device's Endorsement Key (EK), and install the resulting AIK Certificate. This flow requires the service to have prior knowledge of the device's public Endorsement Key (EK), which is typically retrieved from the device's Endorsement Certificate.
+
+TPM 1.2 utilizes the `MakeIdentity` protocol. This process involves the device generating a `TPM_IDENTITY_REQ`, and the service responding with an encrypted credential that only the device's EK can decrypt.
+
+## Procedure
+
+### Protocol Buffer Definitions
+
+The flow relies on the `RotateAIKCertRequest` and `RotateAIKCertResponse` messages.
+
+```protobuf
+// The RotateAIKCertRequest handles the workflow for enrollment of TPM1.2
+// devices. The initial request will include the issuer_public_key to allow
+// the building of the AIK which will then be returned and used to generate
+// the AIK cert. For any updates after initial enrollment the new AIK cert
+// can just be returned.
+message RotateAIKCertRequest {
+  message IssuerCertPayload {
+    // Symmetric key used to encrypt the AIK Cert blob.
+    // Note: This corresponds to the TPM_ASYM_CA_CONTENTS structure encrypted
+    // with the EK. It contains the session key.
+    bytes symmetric_key_blob = 1;
+    // AIK Cert in PEM format that is encrypted with the provided symmetric
+    // key.
+    bytes aik_cert_blob = 2;
+  }
+
+  oneof value {
+    bytes issuer_public_key = 1;
+    // Encrypted payload that only the targeted device should be able
+    // to decrypt via the EK.
+    IssuerCertPayload issuer_cert_payload = 2;
+    // Finalize tells the server that the AIK cert is correct.
+    bool finalize = 3;
+  }
+
+  // Switch control card selected identifier.
+  ControlCardSelection control_card_selection = 4;
+}
+
+message RotateAIKCertResponse {
+  oneof value {
+    bytes application_identity_request = 1;
+    // The decrypted cert in PEM format is returned so the caller can validate
+    // that the device did in fact have the proper EK.
+    string aik_cert = 2;
+  }
+   
+  // Vendor identity fields of the selected control card.
+  ControlCardVendorId control_card_id = 3;
+}
+```
+
+### TPM 1.2 Structures (from `tpm12_utils.go`)
+
+The workflow relies on the correct formation, serialization, and parsing of several TPM 1.2 structures which are defined in the TPM 1.2 TCG specifications, including:
+
+  * `TPM_IDENTITY_REQ`
+  * `TPM_IDENTITY_PROOF`
+  * `TPM_IDENTITY_CONTENTS`
+  * `TPM_PUBKEY`
+  * `TPM_SYMMETRIC_KEY`
+  * `TPM_ASYM_CA_CONTENTS`
+  * `TPM_SYM_CA_ATTESTATION`
+
+## Test Cases (enrollz-2)
+
+This section validates that the device correctly implements the service-driven TPM 1.2 RotateAIK enrollment workflow.
+
+| ID | Case | Expected Result |
+| :--- | :--- | :--- |
+| **enrollz-2.1** | Successful RotateAIK flow. | Device generates AIK, provides `application_identity_request`, decrypts `IssuerCertPayload`, installs AIK cert, and returns cert for verification. |
+| **enrollz-2.2** | Service sends `RotateAIKCertRequest` with malformed/missing `issuer_public_key`. | Device returns an error and closes the stream. |
+| **enrollz-2.3** | Service sends `RotateAIKCertRequest` with `issuer_cert_payload` but `symmetric_key_blob` is not decryptable (wrong EK). | Device cannot decrypt session key; returns error and closes stream. |
+| **enrollz-2.4** | `symmetric_key_blob` decrypts, but `TPM_ASYM_CA_CONTENTS` digest does not match the AIK. | TPM fails `TPM_ActivateIdentity`; device returns error. |
+| **enrollz-2.5** | `aik_cert_blob` is not decryptable with the recovered session key. | Device cannot decrypt AIK certificate; returns error. |
+| **enrollz-2.6** | Decrypted `aik_cert_blob` is a malformed `TPM_SYM_CA_ATTESTATION` structure. | Device fails to parse structure; returns error. |
+| **enrollz-2.7** | Decrypted `aik_cert_blob` contains malformed PEM certificate. | Device fails to install certificate; returns error. |
+| **enrollz-2.8** | Service sends `finalize = true` *before* device returns `aik_cert` (Phase 4). | Device ignores premature finalize or returns state error. |
+| **enrollz-2.9** | Service closes stream prematurely. | Enrollment aborted; no new AIK persisted. |
+| **enrollz-2.10** | Invalid `ControlCardSelection`. | Device returns invalid request error. |
+| **enrollz-2.11** | Device fails to generate `TPM_IDENTITY_REQ` after receiving `issuer_public_key`. | Device returns error to service. |
+
+-----
+
+### Workflow Steps
+
+#### Phase 1: Initialization & Key Generation
+
+1.  **Service**: Generates an RSA 2048-bit Issuer key pair.
+2.  **Service**: Sends the `RotateAIKCertRequest` containing the `issuer_public_key` to the device.
+3.  **Device**: Calls `TPM_MakeIdentity` (via `Tspi_TPM_collateIdentityRequest` or similar).
+      * This generates the new AIK key pair.
+      * This creates a `TPM_IDENTITY_REQ` structure containing the `TPM_IDENTITY_PROOF`.
+      * **Note**: The `TPM_IDENTITY_REQ` involves a symmetric key (`symBlob`) and an asymmetric encryption of that key (`asymBlob`) using the provided `issuer_public_key`.
+4.  **Device**: Sends `RotateAIKCertResponse` containing the `application_identity_request` (the raw `TPM_IDENTITY_REQ` bytes).
+
+#### Phase 2: Verification (Service Side)
+
+Upon receiving the `application_identity_request`, the EnrollZ Service performs the following:
+
+1.  **Parse Request**: Parses the `TPM_IDENTITY_REQ` structure.
+2.  **Decrypt Session Key**: Uses the Issuer Private Key to decrypt the `asymBlob`, retrieving the `TPM_SYMMETRIC_KEY`.
+3.  **Decrypt Proof**: Uses the `TPM_SYMMETRIC_KEY` to decrypt the `symBlob`, retrieving the `TPM_IDENTITY_PROOF`.
+4.  **Reconstruct Contents**: Constructs the `TPM_IDENTITY_CONTENTS` structure to verify the signature.
+      * `Ver`: `0x01010000`
+      * `Ordinal`: `0x00000079`
+      * `labelPrivCADigest`: `SHA1(identityLabel || privacyCA)`
+      * `identityLabel`: `"Identity"` (UTF-8: `0x4964656e74697479`)
+      * `privacyCA`: The `issuer_public_key` (`TPM_PUBKEY`)
+      * `identityPubKey`: The AIK Public Key extracted from the `TPM_IDENTITY_PROOF`.
+5.  **Verify Signature**: Verifies the `identityBinding` signature (from the proof) against the hash of the reconstructed `TPM_IDENTITY_CONTENTS` using the `identityPubKey` (AIK Public Key).
+
+#### Phase 3: Certification & Encryption (Service Side)
+
+Once the AIK is verified:
+
+1.  **Generate Cert**: The Service sends the AIK Public Key (the `identityPubKey` from `TPM_IDENTITY_PROOF`) to the CA and receives the AIK Certificate (PEM).
+2.  **Create Session Key**: Generates a new AES-256 symmetric key.
+3.  **Encapsulate Key (`TPM_ASYM_CA_CONTENTS`)**:
+      * Creates a `TPM_ASYM_CA_CONTENTS` structure **containing the AES-256 session key generated in Step 2**.
+      * `Digest`: `SHA1(TPM_PUBKEY)` (Hash of the AIK Public Key).
+      * **Encryption**: Encrypts this structure using the device's Endorsement Key (EK) public key.
+          * `Algorithm`: RSAES-OAEP with SHA-1 and MGF1.
+          * `OAEP Parameter`: `"TCPA"` (Required for TPM 1.2 compatibility).
+      * **Output**: This forms the `symmetric_key_blob` field in `IssuerCertPayload`.
+4.  **Encrypt Certificate**:
+      * Encrypts the PEM-encoded AIK Certificate using the AES-256 session key generated in Step 2 (AES CBC).
+      * A unique Initialization Vector (IV) must be used and is typically prepended to the ciphertext.
+      * **Output**: This forms the `aik_cert_blob` field in `IssuerCertPayload` (e.g., `iv || ciphertext`).
+5.  **Send**: The Service sends the `RotateAIKCertRequest` containing the `IssuerCertPayload` to the device.
+
+#### Phase 4: Activation (Device Side)
+
+1.  **Device**: Receives the `IssuerCertPayload`.
+2.  **Decrypt (Activate Identity)**:
+      * The device uses its EK Private Key to decrypt the `symmetric_key_blob`. This recovers the AES-256 session key.
+      * **Note**: In standard TSS, this maps to `TPM_ActivateIdentity`, which validates the `TPM_ASYM_CA_CONTENTS` digest against the loaded AIK.
+3.  **Decrypt Certificate**: The device uses the recovered session key to decrypt the `aik_cert_blob`.
+4.  **Install**: The device installs/stores the plaintext AIK Certificate.
+5.  **Prove Possession**: The device sends a `RotateAIKCertResponse` containing the plaintext `aik_cert` back to the Service.
+
+#### Phase 5: Finalization
+
+1.  **Service**: Compares the received `aik_cert` with the original certificate it generated.
+2.  **Service**: If they match, sends a `RotateAIKCertRequest` with `finalize = true`.
+3.  **Device**: Marks the enrollment as complete.
+
+### Cryptographic Parameters Summary
+
+| Parameter | Value |
+|---|---|
+| TPM Version | 1.2 |
+| Identity Label | `"Identity"` (`0x4964656e74697479`) |
+| Structure Version | `0x01010000` |
+| OAEP Parameter | `"TCPA"` |
+| Hash Algorithm | SHA-1 |
+| Symmetric Key | AES-256 (for Cert encryption) |
+| Issuer Key | RSA 2048 |
+
+## OpenConfig Path and RPC Coverage
+
+```yaml
+paths:
+rpcs:
+  gnmi:
+    gNMI.Subscribe:
+```
+
+## Canonical OC
+
+```json
+{}
+```

feature/security/attestz/tests/enrollz_tpm12/metadata.textproto

@@ -0,0 +1,7 @@
+# proto-file: github.com/openconfig/featureprofiles/proto/metadata.proto
+# proto-message: Metadata
+
+uuid:  "6ea4e7c6-0a54-40e0-8d61-bd036f305ff6"
+plan_id:  "Enrollz-2"
+description:  "TPM 1.2 RotateAIK Flow"
+testbed:  TESTBED_DUT_ATE_2LINKS