Make 0x81000001 the default SRK handle when outputting TSS2

smallstep · Jan 23, 2024 · 6d9979c · 6d9979c
1 parent d67e158
commit 6d9979c
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 20 deletions.
diff --git a/tpm/ak.go b/tpm/ak.go
@@ -15,7 +15,6 @@ import (
 	x509ext "github.com/smallstep/go-attestation/x509"
 
 	"go.step.sm/crypto/tpm/storage"
-	"go.step.sm/crypto/tpm/tss2"
 )
 
 // AK models a TPM 2.0 Attestation Key. An AK can be used
@@ -458,15 +457,6 @@ func (ak *AK) HasValidPermanentIdentifier(permanentIdentifier string) bool {
 	return false
 }
 
-// ToTSS2 gets the public and private blobs and returns a [*tss2.TPMKey].
-func (ak *AK) ToTSS2(ctx context.Context) (*tss2.TPMKey, error) {
-	blobs, err := ak.Blobs(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return tss2.New(blobs.public, blobs.private), nil
-}
-
 // toStorage transforms the AK to the struct used for
 // persisting AKs.
 func (ak *AK) toStorage() *storage.AK {

diff --git a/tpm/key.go b/tpm/key.go
@@ -12,7 +12,6 @@ import (
 	"github.com/smallstep/go-attestation/attest"
 	internalkey "go.step.sm/crypto/tpm/internal/key"
 	"go.step.sm/crypto/tpm/storage"
-	"go.step.sm/crypto/tpm/tss2"
 )
 
 // Key models a TPM 2.0 Key. A Key can be used
@@ -105,15 +104,6 @@ func (k *Key) MarshalJSON() ([]byte, error) {
 	return json.Marshal(o)
 }
 
-// ToTSS2 gets the public and private blobs and returns a [*tss2.TPMKey].
-func (k *Key) ToTSS2(ctx context.Context) (*tss2.TPMKey, error) {
-	blobs, err := k.Blobs(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return tss2.New(blobs.public, blobs.private), nil
-}
-
 // comparablePublicKey is an interface that allows a crypto.PublicKey to be
 // compared to another crypto.PublicKey.
 type comparablePublicKey interface {

diff --git a/tpm/tss2.go b/tpm/tss2.go
@@ -0,0 +1,30 @@
+package tpm
+
+import (
+	"context"
+
+	"go.step.sm/crypto/tpm/tss2"
+)
+
+const (
+	// Defined in "Registry of reserved TPM 2.0 handles and localities", and checked on a glinux machine.
+	commonSrkEquivalentHandle = 0x81000001
+)
+
+// ToTSS2 gets the public and private blobs and returns a [*tss2.TPMKey].
+func (ak *AK) ToTSS2(ctx context.Context) (*tss2.TPMKey, error) {
+	blobs, err := ak.Blobs(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return tss2.New(blobs.public, blobs.private, tss2.WithParent(commonSrkEquivalentHandle)), nil
+}
+
+// ToTSS2 gets the public and private blobs and returns a [*tss2.TPMKey].
+func (k *Key) ToTSS2(ctx context.Context) (*tss2.TPMKey, error) {
+	blobs, err := k.Blobs(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return tss2.New(blobs.public, blobs.private, tss2.WithParent(commonSrkEquivalentHandle)), nil
+}
diff --git a/tpm/tss2/encode.go b/tpm/tss2/encode.go
@@ -10,6 +10,13 @@ const handleOwner = 0x40000001
 // TPMOption is the type used to modify a [TPMKey].
 type TPMOption func(*TPMKey)
 
+// WithParent sets the [TPMKey] parent's handle
+func WithParent(parent int) TPMOption {
+	return func(t *TPMKey) {
+		t.Parent = parent
+	}
+}
+
 // New creates a new [TPMKey] with the given public and private keys.
 func New(pub, priv []byte, opts ...TPMOption) *TPMKey {
 	key := &TPMKey{