smallstep · hslatman · Apr 28, 2022 · Apr 8, 2022 · Jun 1, 2022 · Oct 27, 2022
diff --git a/attest/application_key.go b/attest/application_key.go
@@ -72,6 +72,8 @@ type KeyConfig struct {
 	// Size is used to specify the bit size of the key or elliptic curve. For
 	// example, '256' is used to specify curve P-256.
 	Size int
+
+	QualifyingData []byte
 }
 
 // defaultConfig is used when no other configuration is specified.

diff --git a/attest/attest.go b/attest/attest.go
@@ -104,7 +104,7 @@ type ak interface {
 	activateCredential(tpm tpmBase, in EncryptedCredential) ([]byte, error)
 	quote(t tpmBase, nonce []byte, alg HashAlg) (*Quote, error)
 	attestationParameters() AttestationParameters
-	certify(tb tpmBase, handle interface{}) (*CertificationParameters, error)
+	certify(tb tpmBase, handle interface{}, qualifyingData []byte) (*CertificationParameters, error)
 }
 
 // AK represents a key which can be used for attestation.
@@ -152,7 +152,7 @@ func (k *AK) AttestationParameters() AttestationParameters {
 // key. Depending on the actual instantiation it can accept different handle
 // types (e.g., tpmutil.Handle on Linux or uintptr on Windows).
 func (k *AK) Certify(tpm *TPM, handle interface{}) (*CertificationParameters, error) {
-	return k.ak.certify(tpm.tpm, handle)
+	return k.ak.certify(tpm.tpm, handle, nil)
 }
 
 // AKConfig encapsulates parameters for minting keys. This type is defined

diff --git a/attest/certification.go b/attest/certification.go
@@ -159,7 +159,7 @@ func (p *CertificationParameters) Verify(opts VerifyOpts) error {
 
 // certify uses AK's handle and the passed signature scheme to certify the key
 // with the `hnd` handle.
-func certify(tpm io.ReadWriteCloser, hnd, akHnd tpmutil.Handle, scheme tpm2.SigScheme) (*CertificationParameters, error) {
+func certify(tpm io.ReadWriteCloser, hnd, akHnd tpmutil.Handle, qualifyingData []byte, scheme tpm2.SigScheme) (*CertificationParameters, error) {
 	pub, _, _, err := tpm2.ReadPublic(tpm, hnd)
 	if err != nil {
 		return nil, fmt.Errorf("tpm2.ReadPublic() failed: %v", err)
@@ -168,7 +168,7 @@ func certify(tpm io.ReadWriteCloser, hnd, akHnd tpmutil.Handle, scheme tpm2.SigS
 	if err != nil {
 		return nil, fmt.Errorf("could not encode public key: %v", err)
 	}
-	att, sig, err := tpm2.CertifyEx(tpm, "", "", hnd, akHnd, nil, scheme)
+	att, sig, err := tpm2.CertifyEx(tpm, "", "", hnd, akHnd, qualifyingData, scheme)
 	if err != nil {
 		return nil, fmt.Errorf("tpm2.Certify() failed: %v", err)
 	}

diff --git a/attest/key_windows.go b/attest/key_windows.go
@@ -24,22 +24,22 @@ import (
 	"github.com/google/go-tpm/tpm2"
 )
 
-// windowsKey12 represents a Windows-managed key on a TPM1.2 TPM.
-type windowsKey12 struct {
+// windowsAK12 represents a Windows-managed key on a TPM1.2 TPM.
+type windowsAK12 struct {
 	hnd        uintptr
 	pcpKeyName string
 	public     []byte
 }
 
-func newWindowsKey12(hnd uintptr, pcpKeyName string, public []byte) ak {
-	return &windowsKey12{
+func newWindowsAK12(hnd uintptr, pcpKeyName string, public []byte) ak {
+	return &windowsAK12{
 		hnd:        hnd,
 		pcpKeyName: pcpKeyName,
 		public:     public,
 	}
 }
 
-func (k *windowsKey12) marshal() ([]byte, error) {
+func (k *windowsAK12) marshal() ([]byte, error) {
 	out := serializedKey{
 		Encoding:   keyEncodingOSManaged,
 		TPMVersion: TPMVersion12,
@@ -49,7 +49,7 @@ func (k *windowsKey12) marshal() ([]byte, error) {
 	return out.Serialize()
 }
 
-func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
+func (k *windowsAK12) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
 	tpm, ok := t.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
@@ -61,7 +61,7 @@ func (k *windowsKey12) activateCredential(t tpmBase, in EncryptedCredential) ([]
 	return decryptCredential(secretKey, in.Secret)
 }
 
-func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
+func (k *windowsAK12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
 	if alg != HashSHA1 {
 		return nil, fmt.Errorf("only SHA1 algorithms supported on TPM 1.2, not %v", alg)
 	}
@@ -103,21 +103,21 @@ func (k *windowsKey12) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err
 	}, nil
 }
 
-func (k *windowsKey12) close(tpm tpmBase) error {
+func (k *windowsAK12) close(tpm tpmBase) error {
 	return closeNCryptObject(k.hnd)
 }
 
-func (k *windowsKey12) attestationParameters() AttestationParameters {
+func (k *windowsAK12) attestationParameters() AttestationParameters {
 	return AttestationParameters{
 		Public: k.public,
 	}
 }
-func (k *windowsKey12) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
+func (k *windowsAK12) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
 	return nil, fmt.Errorf("not implemented")
 }
 
-// windowsKey20 represents a key bound to a TPM 2.0.
-type windowsKey20 struct {
+// windowsAK20 represents a key bound to a TPM 2.0.
+type windowsAK20 struct {
 	hnd uintptr
 
 	pcpKeyName        string
@@ -127,8 +127,8 @@ type windowsKey20 struct {
 	createSignature   []byte
 }
 
-func newWindowsKey20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
-	return &windowsKey20{
+func newWindowsAK20(hnd uintptr, pcpKeyName string, public, createData, createAttest, createSig []byte) ak {
+	return &windowsAK20{
 		hnd:               hnd,
 		pcpKeyName:        pcpKeyName,
 		public:            public,
@@ -138,7 +138,7 @@ func newWindowsKey20(hnd uintptr, pcpKeyName string, public, createData, createA
 	}
 }
 
-func (k *windowsKey20) marshal() ([]byte, error) {
+func (k *windowsAK20) marshal() ([]byte, error) {
 	out := serializedKey{
 		Encoding:   keyEncodingOSManaged,
 		TPMVersion: TPMVersion20,
@@ -152,15 +152,15 @@ func (k *windowsKey20) marshal() ([]byte, error) {
 	return out.Serialize()
 }
 
-func (k *windowsKey20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
+func (k *windowsAK20) activateCredential(t tpmBase, in EncryptedCredential) ([]byte, error) {
 	tpm, ok := t.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", t)
 	}
 	return tpm.pcp.ActivateCredential(k.hnd, append(in.Credential, in.Secret...))
 }
 
-func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
+func (k *windowsAK20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
 	t, ok := tb.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", tb)
@@ -177,11 +177,11 @@ func (k *windowsKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, err
 	return quote20(tpm, tpmKeyHnd, alg.goTPMAlg(), nonce)
 }
 
-func (k *windowsKey20) close(tpm tpmBase) error {
+func (k *windowsAK20) close(tpm tpmBase) error {
 	return closeNCryptObject(k.hnd)
 }
 
-func (k *windowsKey20) attestationParameters() AttestationParameters {
+func (k *windowsAK20) attestationParameters() AttestationParameters {
 	return AttestationParameters{
 		Public:            k.public,
 		CreateData:        k.createData,
@@ -190,7 +190,7 @@ func (k *windowsKey20) attestationParameters() AttestationParameters {
 	}
 }
 
-func (k *windowsKey20) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
+func (k *windowsAK20) certify(tb tpmBase, handle interface{}) (*CertificationParameters, error) {
 	t, ok := tb.(*windowsTPM)
 	if !ok {
 		return nil, fmt.Errorf("expected *windowsTPM, got %T", tb)