-
Notifications
You must be signed in to change notification settings - Fork 63
support for pure-rust make credentials #563
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
75b7750 to
3671522
Compare
3671522 to
75fa54b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks really cool. Of course error handling and other niceties are missing but that's not the point. Happy to see tests, I've skimmed them.
Thanks! 👍
tss-esapi/tests/integration_tests/abstraction_tests/credential_tests.rs
Outdated
Show resolved
Hide resolved
55774ad to
573d67e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sha2::Sha256, aes::Aes128 here codes for EKHash and EkCipher.
Those should be read from the template of the EK ideally.
Although in reality, the template would have been dropped already and we're only working with a PEM encoded public key, and there should be some kind of default value.
https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_makecredential.c#L340
Anyone with an opinion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is your question about this test in particular, or about the interface of make_credential_ecc, and whether we can deduce the type params from the inputs?
I think generally you should be able to deduce the hash and the cipher for the EK if you know the nature of the public key, for example by doing the reverse of the mapping done here: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/src/abstraction/ek.rs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No that was an API question.
I know how to get the parameters from a Public, but I don't expect the public or its template to always available.
9b21b16 to
89021e0
Compare
451ae4f to
c652a60
Compare
I've finished support for both RSA and ECC, and there is now error management.
There isn't much else I can do.
7b03a64 to
969e006
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only had a brief look, will come back for more :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is your question about this test in particular, or about the interface of make_credential_ecc, and whether we can deduce the type params from the inputs?
I think generally you should be able to deduce the hash and the cipher for the EK if you know the nature of the public key, for example by doing the reverse of the mapping done here: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/src/abstraction/ek.rs
a23ad53 to
0fee1eb
Compare
22eeb4c to
2a13fe1
Compare
There is something that locks up the TPM in the CI, but I don't know what it is.
EDIT: a regression in the weak key detection or something
EDIT2: no I'm just an idiot and somehow had the test backwards.
4677cb5 to
b37d4ab
Compare
b75948f to
86e3bc6
Compare
86e3bc6 to
d9daeb7
Compare
Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
c6ed022 to
c7d2de4
Compare
su-sd
commented
Oct 10, 2025
This is getting into great shape 🔥
Thanks to anyone involved!
b40b767 to
53fa082
Compare
I've split the secret sharing, from the credentials which I intend to reuse for duplicate (#585)
96f9ade to
98e18d9
Compare
Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
98e18d9 to
711a354
Compare
gibix
commented
Oct 23, 2025
I tested the pull request and is just great to have this feature coming! I noticed a bad error message that need to be documented. If the challenge payload is to big the error message is Invalid bytes(&[u8]) size(> 132), but the real allowed size of the payload is 96 bytes.
If you want to created a challenge from a bigger payload is considered safe to split in 96-bytes-long chunks and make separate attestation?
Uh oh!
There was an error while loading. Please reload this page.
This brings support for a pure rust implementation of make credentials which will not involve the TPM or
tpm2-tss.Fixes #160