From 17990d8d60ddc1df6912b51999989f1e9be16bcc Mon Sep 17 00:00:00 2001 From: Saloni Gupta Date: Wed, 14 Jan 2026 01:10:01 +0000 Subject: [PATCH 1/2] allow ek cert to be parsed as TPMT_pub --- service/biz/tpm20_utils.go | 17 ++++++++++++++--- service/biz/tpm20_utils_test.go | 25 ++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/service/biz/tpm20_utils.go b/service/biz/tpm20_utils.go index 5ee1869..2c258a0 100644 --- a/service/biz/tpm20_utils.go +++ b/service/biz/tpm20_utils.go @@ -826,10 +826,21 @@ func (u *DefaultTPM20Utils) ParseTCGCSRIDevIDContent(csrBytes []byte) (*TCGCSRID return nil, fmt.Errorf("failed to read TCG_CSR_IDEVID_CONTENT.ekCert (size %d): %w", ekCertSize, err) } ekCert, err := certificateDerToPem(ekCertBytes) - if err != nil { - return nil, fmt.Errorf("failed to convert EK Cert to PEM: %w", err) + if err == nil { + result.EKCert = ekCert + } else { + pub, tpmErr := tpm20.Unmarshal[tpm20.TPMTPublic](ekCertBytes) + if tpmErr == nil { + log.Infof("Successfully parsed ekCertBytes as TPMTPublic structure. Converting to PEM.") + pubPEM, pubErr := u.TPMTPublicToPEM(pub) + if pubErr != nil { + return nil, fmt.Errorf("failed to convert TPMTPublic to PEM: %w", pubErr) + } + result.EKCert = pubPEM + } else { + return nil, fmt.Errorf("failed to parse ekCert as X509 certificate (%v) or TPMTPublic (%v)", err, tpmErr) + } } - result.EKCert = ekCert // attestPub - Attestation Key public key (IAK) attestPubBytes, err := readBytes(reader, attestPubSize) diff --git a/service/biz/tpm20_utils_test.go b/service/biz/tpm20_utils_test.go index c5822a5..23cc660 100644 --- a/service/biz/tpm20_utils_test.go +++ b/service/biz/tpm20_utils_test.go 
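Review bot: After the new fallback, result.EKCert holds either an X.509 certificate PEM or a PEM derived from a bare TPMT_PUBLIC, and nothing in the returned struct records which one was accepted; a bare public area carries no issuer chain, so a consumer that checks EKCert against a TPM manufacturer CA cannot tell the two cases apart without re-parsing the PEM. Consider recording the form explicitly, for example an extra field on TCGCSRIDevIDContent such as `EKPublicOnly bool` (placeholder name) set in the fallback branch, or keeping the TPMT_PUBLIC-derived PEM in its own field, so callers can require a real certificate where attestation policy demands one. The same applies to the reworked version of this branch in PATCH 2/2 (hunk @@ -826,22 +826,21 @@). ParseTCGCSRIDevIDContent starts before and continues after this hunk, and the TCGCSRIDevIDContent definition is not visible here.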
@@ -636,6 +636,23 @@ func generateCsrBytes(options CsrOptions) []byte { } func TestParseTCGCSRIDevIDContent(t *testing.T) { + u := DefaultTPM20Utils{} + privKey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + t.Fatalf("Failed to generate RSA key for testing: %v", err) + } + tpmtPub, err := u.RSAEKPublicKeyToTPMTPublic(&privKey.PublicKey) + if err != nil { + t.Fatalf("Failed to create TPMT Public for testing: %v", err) + } + tpmtPubPEM, err := u.TPMTPublicToPEM(tpmtPub) + if err != nil { + t.Fatalf("Failed to convert TPMT Public to PEM for testing: %v", err) + } + tpmtPubBytes := tpm20.Marshal(tpmtPub) + + validCSRWithTPMTPub := *validCSR + validCSRWithTPMTPub.EKCert = tpmtPubPEM // Define test cases tests := []struct { name string @@ -736,7 +753,7 @@ func TestParseTCGCSRIDevIDContent(t *testing.T) { { name: "Invalid EK Cert", csrBytes: generateCsrBytes(CsrOptions{EKCert: []byte("invalid-ek-cert")}), - expectedError: errors.New("failed to convert EK Cert to PEM"), + expectedError: errors.New("ailed to parse ekCert as X509 certificate"), }, { name: "Invalid Attest Pub Bytes", @@ -763,6 +780,12 @@ func TestParseTCGCSRIDevIDContent(t *testing.T) { csrBytes: generateCsrBytes(CsrOptions{AddExtraBytesToEnd: true}), expectedError: errors.New("leftover bytes in TCG_CSR_IDEVID_CONTENT block after parsing"), }, + { + name: "Valid CSR bytes: PPK in EkCert field as TPMTPublic", + csrBytes: generateCsrBytes(CsrOptions{EKCert: tpmtPubBytes}), + expectedError: nil, + expectedResult: &validCSRWithTPMTPub, + }, } for _, tc := range tests { From d2105ff56d5318f6521b1385d8ddbdb24d3ce9a4 Mon Sep 17 00:00:00 2001 From: Saloni Gupta Date: Wed, 14 Jan 2026 17:55:43 +0000 Subject: [PATCH 2/2] addressing comments --- service/biz/tpm20_utils.go | 21 ++++++++++----------- service/biz/tpm20_utils_test.go | 2 +- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/service/biz/tpm20_utils.go b/service/biz/tpm20_utils.go index 2c258a0..5eb6ee6 100644 
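Review bot: The new case in hunk @@ -763,6 +780,12 @@ only exercises a TPMT_PUBLIC that the utilities themselves built and converted, so the fallback's failure branch (`failed to convert TPMTPublic to PEM`) and the boundary between the two parsers stay untested; a TPMT_PUBLIC that unmarshals but that TPMTPublicToPEM rejects (if any key type is unsupported), and a valid TPMT_PUBLIC followed by trailing bytes, would both be worth a case. Since the expected value is just the PEM string in validCSRWithTPMTPub.EKCert, it would also be worth asserting that a TPMT_PUBLIC-derived result is distinguishable from a certificate-derived one, if the result type ever records that. The name `"Valid CSR bytes: PPK in EkCert field as TPMTPublic"` uses an abbreviation that appears nowhere else in the hunk; `"Valid CSR bytes: EK public area (TPMT_PUBLIC) in EkCert field"` would be clearer. The error comparison in TestParseTCGCSRIDevIDContent happens outside these hunks.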
--- a/service/biz/tpm20_utils.go +++ b/service/biz/tpm20_utils.go @@ -826,22 +826,21 @@ func (u *DefaultTPM20Utils) ParseTCGCSRIDevIDContent(csrBytes []byte) (*TCGCSRID return nil, fmt.Errorf("failed to read TCG_CSR_IDEVID_CONTENT.ekCert (size %d): %w", ekCertSize, err) } ekCert, err := certificateDerToPem(ekCertBytes) - if err == nil { - result.EKCert = ekCert - } else { + if err != nil { pub, tpmErr := tpm20.Unmarshal[tpm20.TPMTPublic](ekCertBytes) - if tpmErr == nil { - log.Infof("Successfully parsed ekCertBytes as TPMTPublic structure. Converting to PEM.") - pubPEM, pubErr := u.TPMTPublicToPEM(pub) - if pubErr != nil { - return nil, fmt.Errorf("failed to convert TPMTPublic to PEM: %w", pubErr) - } - result.EKCert = pubPEM - } else { + if tpmErr != nil { return nil, fmt.Errorf("failed to parse ekCert as X509 certificate (%v) or TPMTPublic (%v)", err, tpmErr) } + + log.Infof("Successfully parsed ekCertBytes as TPMTPublic structure. Converting to PEM.") + ekCert, err = u.TPMTPublicToPEM(pub) + if err != nil { + return nil, fmt.Errorf("failed to convert TPMTPublic to PEM: %w", err) + } } + result.EKCert = ekCert + // attestPub - Attestation Key public key (IAK) attestPubBytes, err := readBytes(reader, attestPubSize) if err != nil { diff --git a/service/biz/tpm20_utils_test.go b/service/biz/tpm20_utils_test.go index 23cc660..6ae601c 100644 --- a/service/biz/tpm20_utils_test.go +++ b/service/biz/tpm20_utils_test.go @@ -753,7 +753,7 @@ func TestParseTCGCSRIDevIDContent(t *testing.T) { { name: "Invalid EK Cert", csrBytes: generateCsrBytes(CsrOptions{EKCert: []byte("invalid-ek-cert")}), - expectedError: errors.New("ailed to parse ekCert as X509 certificate"), + expectedError: errors.New("failed to parse ekCert as X509 certificate"), }, { name: "Invalid Attest Pub Bytes",
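Review bot: The combined error at `return nil, fmt.Errorf("failed to parse ekCert as X509 certificate (%v) or TPMTPublic (%v)", err, tpmErr)` formats both causes with %v, so neither can be recovered with errors.Is/errors.As, unlike the other errors in this function, which wrap with %w. If the module is on Go 1.20 or later, `fmt.Errorf("failed to parse ekCert as X509 certificate (%w) or TPMTPublic (%w)", err, tpmErr)` keeps the same text (the test's expected string still matches) and preserves both chains. The fallback also deserves a comment stating its intent above the new `if err != nil {`, e.g. `// ekCert did not decode as X.509 DER; fall back to a raw TPMT_PUBLIC, which yields a key but no certificate chain.`, and the log line would be more useful carrying the X.509 failure: `log.Infof("ekCert is not an X.509 certificate (%v); parsed as TPMT_PUBLIC instead", err)`. ParseTCGCSRIDevIDContent continues outside this hunk.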