Contributor

@baloo baloo commented Jan 29, 2025

This brings support for a pure rust implementation of make credentials which will not involve the TPM or tpm2-tss.

Fixes #160

@baloo baloo force-pushed the baloo/make-credentials branch 2 times, most recently from 75b7750 to 3671522 Compare January 29, 2025 06:06
@baloo baloo changed the title WIP; support for pure-rust make credentials WIP: support for pure-rust make credentials Jan 29, 2025
@baloo baloo force-pushed the baloo/make-credentials branch from 3671522 to 75fa54b Compare January 29, 2025 06:11
Collaborator

@wiktor-k wiktor-k left a comment

Looks really cool. Of course error handling and other niceties are missing but that's not the point. Happy to see tests, I've skimmed them.

Thanks! 👍

@baloo baloo force-pushed the baloo/make-credentials branch 3 times, most recently from 55774ad to 573d67e Compare January 29, 2025 21:11
let cred = vec![1, 2, 3, 4, 5];
let expected = Digest::try_from(vec![1, 2, 3, 4, 5]).unwrap();

let (credential_blob, secret) = utils::make_credential_ecc::<_, sha2::Sha256, aes::Aes128>(
Contributor Author

@baloo baloo Jan 29, 2025

sha2::Sha256, aes::Aes128 here codes for EKHash and EkCipher.
Those should be read from the template of the EK ideally.

Although in reality, the template would have been dropped already and we're only working with a PEM encoded public key, and there should be some kind of default value.
https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_makecredential.c#L340

Anyone with an opinion?

Member

Is your question about this test in particular, or about the interface of make_credential_ecc, and whether we can deduce the type params from the inputs?

I think generally you should be able to deduce the hash and the cipher for the EK if you know the nature of the public key, for example by doing the reverse of the mapping done here: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/src/abstraction/ek.rs

Contributor Author

No that was an API question.

I know how to get the parameters from a Public, but I don't expect the public or its template to always be available.
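
An added example, not part of this PR or of rust-tss-esapi: one way to recover the EK name hash and symmetric cipher discussed in this thread when only the public key itself (the DER body of a PEM file) is left. It assumes the default pairings of the TCG EK Credential Profile templates for RSA and the NIST P-curves; `Hash`, `tlv` and `ek_params_from_spki` are hypothetical names, and the walker only classifies the key, it does not validate the encoding.

```rust
// Added illustration, not code from this PR; all names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Hash { Sha256, Sha384, Sha512 }
const OID_RSA: &[u8] = &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01];
const OID_EC: &[u8] = &[0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01];
const P256: &[u8] = &[0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07];
const P384: &[u8] = &[0x2B, 0x81, 0x04, 0x00, 0x22];
const P521: &[u8] = &[0x2B, 0x81, 0x04, 0x00, 0x23];

/// Read one DER TLV carrying `tag`; returns (value, remaining input).
fn tlv(input: &[u8], tag: u8) -> Option<(&[u8], &[u8])> {
    let (&t, rest) = input.split_first()?;
    let (&l, rest) = rest.split_first()?;
    let (len, rest) = match l {
        0..=0x7F => (l as usize, rest),
        0x81 => (*rest.first()? as usize, &rest[1..]),
        0x82 => (u16::from_be_bytes([*rest.first()?, *rest.get(1)?]) as usize, &rest[2..]),
        _ => return None,
    };
    if t != tag || rest.len() < len { return None; }
    Some(rest.split_at(len))
}

/// Deduce (name hash, AES-CFB key bits) from a SubjectPublicKeyInfo in DER.
/// None means "unknown key type": the caller must choose a default explicitly.
pub fn ek_params_from_spki(der: &[u8]) -> Option<(Hash, u16)> {
    let (spki, _) = tlv(der, 0x30)?;
    let (alg, rest) = tlv(spki, 0x30)?;
    let (oid, params) = tlv(alg, 0x06)?;
    if oid == OID_EC {
        let (curve, _) = tlv(params, 0x06)?;
        return match curve {
            c if c == P256 => Some((Hash::Sha256, 128)),
            c if c == P384 => Some((Hash::Sha384, 256)),
            c if c == P521 => Some((Hash::Sha512, 256)),
            _ => None,
        };
    }
    if oid != OID_RSA { return None; }
    // BIT STRING: skip the unused-bits octet, then RSAPublicKey ::= SEQUENCE { n, e }.
    let (bits, _) = tlv(rest, 0x03)?;
    let (key, _) = tlv(bits.get(1..)?, 0x30)?;
    let (n, _) = tlv(key, 0x02)?;
    let n = match n { [0, tail @ ..] => tail, _ => n }; // drop the DER sign octet
    match n.len() * 8 {
        2048 => Some((Hash::Sha256, 128)),
        3072 | 4096 => Some((Hash::Sha384, 256)),
        _ => None,
    }
}
```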

@baloo baloo force-pushed the baloo/make-credentials branch 7 times, most recently from 9b21b16 to 89021e0 Compare January 30, 2025 06:12
@baloo baloo force-pushed the baloo/make-credentials branch 2 times, most recently from 451ae4f to c652a60 Compare January 30, 2025 23:47
@baloo baloo changed the title WIP: support for pure-rust make credentials support for pure-rust make credentials Jan 30, 2025
Contributor Author

baloo commented Jan 30, 2025

I've finished support for both RSA and ECC, and there is now error management.
There isn't much else I can do.

@baloo baloo force-pushed the baloo/make-credentials branch 6 times, most recently from 7b03a64 to 969e006 Compare February 4, 2025 17:23
Member

@ionut-arm ionut-arm left a comment

Only had a brief look, will come back for more :)

@baloo baloo force-pushed the baloo/make-credentials branch 9 times, most recently from 77cf12b to d29f8ad Compare June 9, 2025 16:14
@baloo baloo force-pushed the baloo/make-credentials branch from d29f8ad to 38aafb3 Compare August 11, 2025 05:05
@baloo baloo force-pushed the baloo/make-credentials branch from 38aafb3 to c2af564 Compare August 23, 2025 06:02
@baloo baloo force-pushed the baloo/make-credentials branch 2 times, most recently from a23ad53 to 0fee1eb Compare September 5, 2025 20:08
@baloo baloo force-pushed the baloo/make-credentials branch 2 times, most recently from 22eeb4c to 2a13fe1 Compare September 19, 2025 05:37
Contributor Author

baloo commented Sep 19, 2025

There is something that locks up the TPM in the CI, but I don't know what it is.

EDIT: a regression in the weak key detection or something
EDIT2: no I'm just an idiot and somehow had the test backwards.

@baloo baloo force-pushed the baloo/make-credentials branch 3 times, most recently from 4677cb5 to b37d4ab Compare September 20, 2025 05:40
@baloo baloo force-pushed the baloo/make-credentials branch 4 times, most recently from b75948f to 86e3bc6 Compare September 30, 2025 19:12
@baloo baloo force-pushed the baloo/make-credentials branch from 86e3bc6 to d9daeb7 Compare October 10, 2025 17:05
Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
@baloo baloo force-pushed the baloo/make-credentials branch from d9daeb7 to c6ed022 Compare October 10, 2025 18:04
Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
@baloo baloo force-pushed the baloo/make-credentials branch from c6ed022 to c7d2de4 Compare October 10, 2025 19:57
su-sd commented Oct 10, 2025

This is getting into great shape 🔥
Thanks to anyone involved!

Development

Successfully merging this pull request may close these issues.

Calling MakeCredential without a TPM

5 participants