12 changes: 11 additions & 1 deletion service/biz/tpm20_utils.go
Expand Up @@ -827,8 +827,18 @@ func (u *DefaultTPM20Utils) ParseTCGCSRIDevIDContent(csrBytes []byte) (*TCGCSRID
}
ekCert, err := certificateDerToPem(ekCertBytes)
if err != nil {
return nil, fmt.Errorf("failed to convert EK Cert to PEM: %w", err)
pub, tpmErr := tpm20.Unmarshal[tpm20.TPMTPublic](ekCertBytes)
if tpmErr != nil {
return nil, fmt.Errorf("failed to parse ekCert as X509 certificate (%v) or TPMTPublic (%v)", err, tpmErr)
}

log.Infof("Successfully parsed ekCertBytes as TPMTPublic structure. Converting to PEM.")
ekCert, err = u.TPMTPublicToPEM(pub)
if err != nil {
return nil, fmt.Errorf("failed to convert TPMTPublic to PEM: %w", err)
}
}

result.EKCert = ekCert

// attestPub - Attestation Key public key (IAK)
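Review bot: After this hunk, result.EKCert can hold either an X.509 certificate PEM or a PEM produced from a bare TPMT_PUBLIC, and the returned struct gives callers no way to tell which; a bare public key carries no issuer chain, so any later EK-certificate chain validation must handle the second form explicitly instead of assuming a certificate is present. At minimum the function's doc comment should say so, e.g. `// EKCert is either the EK certificate PEM or, when the CSR field held a TPMT_PUBLIC, the PEM encoding of that public key; only the former can be chain-validated.` The line `return nil, fmt.Errorf("failed to parse ekCert as X509 certificate (%v) or TPMTPublic (%v)", err, tpmErr)` formats both causes with %v, so errors.Is/errors.As on the returned error can no longer reach them; using `%w` for both verbs (Go 1.20+) keeps both chains. The enclosing function ParseTCGCSRIDevIDContent begins and ends outside the hunk.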
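--- a/service/biz/tpm20_utils_test.go
+++ b/service/biz/tpm20_utils_test.go
@@ -636,6 +636,23 @@ func generateCsrBytes(options CsrOptions) []byte {
 }
 
 func TestParseTCGCSRIDevIDContent(t *testing.T) {
+u := DefaultTPM20Utils{}
+privKey, err := rsa.GenerateKey(rand.Reader, 2048)
+if err != nil {
+t.Fatalf("Failed to generate RSA key for testing: %v", err)
+}
+tpmtPub, err := u.RSAEKPublicKeyToTPMTPublic(&privKey.PublicKey)
+if err != nil {
+t.Fatalf("Failed to create TPMT Public for testing: %v", err)
+}
+tpmtPubPEM, err := u.TPMTPublicToPEM(tpmtPub)
+if err != nil {
+t.Fatalf("Failed to convert TPMT Public to PEM for testing: %v", err)
+}
+tpmtPubBytes := tpm20.Marshal(tpmtPub)
+
+validCSRWithTPMTPub := *validCSR
+validCSRWithTPMTPub.EKCert = tpmtPubPEM
 // Define test cases
 tests := []struct {
 name string
@@ -736,7 +753,7 @@ func TestParseTCGCSRIDevIDContent(t *testing.T) {
 {
 name: "Invalid EK Cert",
 csrBytes: generateCsrBytes(CsrOptions{EKCert: []byte("invalid-ek-cert")}),
-expectedError: errors.New("failed to convert EK Cert to PEM"),
+expectedError: errors.New("failed to parse ekCert as X509 certificate"),
 },
 {
 name: "Invalid Attest Pub Bytes",
@@ -763,6 +780,12 @@ func TestParseTCGCSRIDevIDContent(t *testing.T) {
 csrBytes: generateCsrBytes(CsrOptions{AddExtraBytesToEnd: true}),
 expectedError: errors.New("leftover bytes in TCG_CSR_IDEVID_CONTENT block after parsing"),
 },
+{
+name: "Valid CSR bytes: PPK in EkCert field as TPMTPublic",
+csrBytes: generateCsrBytes(CsrOptions{EKCert: tpmtPubBytes}),
+expectedError: nil,
+expectedResult: &validCSRWithTPMTPub,
+},
 }
 
 for _, tc := range tests {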
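Review bot: The new success case exercises the TPMT_PUBLIC fallback, but the `failed to convert TPMTPublic to PEM` branch added in tpm20_utils.go has no case here, and the updated "Invalid EK Cert" expectation only matches the message prefix, so a regression in which a parseable TPMT_PUBLIC is rejected by TPMTPublicToPEM would go unnoticed. If TPMTPublicToPEM can fail for some well-formed input (presumably a key type it does not support — confirm against its implementation), a case built from such a tpm20.Marshal'ed structure is worth adding. The case name `Valid CSR bytes: PPK in EkCert field as TPMTPublic` uses an abbreviation that appears nowhere else in the hunk; spelling it out, and matching the field's spelling EKCert, would make a failure message self-explanatory. TestParseTCGCSRIDevIDContent continues past the last hunk.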