Upgrade go-attestation

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/schollz/jsonstore v1.1.0
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
-	github.com/smallstep/go-attestation v0.4.4-0.20230627102604-cf579e53cbd2
+	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935
 	github.com/stretchr/testify v1.8.4
 	golang.org/x/crypto v0.18.0
 	golang.org/x/net v0.20.0

go.sum

@@ -697,8 +697,8 @@ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrf
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
-github.com/smallstep/go-attestation v0.4.4-0.20230627102604-cf579e53cbd2 h1:UIAS8DTWkeclraEGH2aiJPyNPu16VbT41w4JoBlyFfU=
-github.com/smallstep/go-attestation v0.4.4-0.20230627102604-cf579e53cbd2/go.mod h1:vNAduivU014fubg6ewygkAvQC0IQVXqdc8vaGl/0er4=
+github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 h1:kjYvkvS/Wdy0PVRDUAA0gGJIVSEZYhiAJtfwYgOYoGA=
+github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935/go.mod h1:vNAduivU014fubg6ewygkAvQC0IQVXqdc8vaGl/0er4=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=

tpm/tpm_simulator_test.go

@@ -14,6 +14,7 @@ import (
 	"encoding/base64"
 	"encoding/binary"
 	"errors"
+	"fmt"
 	"io"
 	"math"
 	"strings"
@@ -797,14 +798,35 @@ func Test_signer_Sign(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, signer)
 
+	pub, ok := signer.Public().(*rsa.PublicKey)
+	require.True(t, ok)
+
 	random := make([]byte, 32)
 	n, err := rand.Read(random)
 	require.NoError(t, err)
 	require.Equal(t, 32, n)
 
+	// PKCS #1 v1.5 signing
 	signature, err := signer.Sign(rand.Reader, random, crypto.SHA256)
 	require.NoError(t, err)
 	require.NotNil(t, signature)
+
+	err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, random, signature)
+	assert.NoError(t, err)
+
+	// PSS signing
+	for _, saltLength := range []int{rsa.PSSSaltLengthAuto, rsa.PSSSaltLengthEqualsHash, 32} {
+		t.Run(fmt.Sprintf("saltLength: %d", saltLength), func(t *testing.T) {
+			opts := &rsa.PSSOptions{
+				SaltLength: saltLength,
+				Hash:       crypto.SHA256,
+			}
+			signature, err := signer.Sign(rand.Reader, random, opts)
+			require.NoError(t, err)
+			assert.NoError(t, rsa.VerifyPSS(pub, crypto.SHA256, random, signature, opts))
+			assert.NoError(t, rsa.VerifyPSS(pub, crypto.SHA256, random, signature, nil))
+		})
+	}
 }
 
 func TestCreateTSS2Signer(t *testing.T) {