Check for padding bytes in EK cert #397
Some TPM chips "pad" the EK cert that is stored in the TPM to completely fill up the NV index. Most TPM chips do NOT do this. If we try to parse the certificate with this extra padding, the x509.ParseCertificate function will return a "trailing bytes" error. Before trying to parse the certificate, we need to identify how many bytes should be stripped from bytes that were read from the TPM. To do this, we can use the ASN.1 Unmarshal function to get the "padding" bytes. From there, we can use the length of the padding bytes and remove those bytes from the bytes we send to the x509.ParseCertificate function so it will parse correctly.
Hi @dwaynebradley! Thanks for the suggestion. go-tpm is more about support for software that interfaces with the TPM 2.0 standard, whereas a helper function for cleaning up x.509 certs (that happen to be stored in TPM NV) might be better suited for https://github.com/google/go-tpm-tools.
That being said, I see this is just a change to one of the examples, so if you still want to just make this change here, that seems fine. Let me know how you'd like to proceed!
Hey @chrisfenner. Yeah, I wasn't trying to change anything about
Works for me. Especially given it's example code, I think that's a good reason to add this.
@@ -79,8 +80,18 @@ func readEKCert(path string, certIdx, tmplIdx uint32) ([]byte, error) { | |||
if err != nil { | |||
return nil, fmt.Errorf("reading EK cert: %v", err) | |||
} | |||
|
|||
// Identify if any `padding` exists in the EK cert that was read |
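Review bot: The comment on the added line ("Identify if any padding exists in the EK cert that was read") does not say how padding is recognised or what happens to it. Per the description, the remainder returned by the ASN.1 Unmarshal call is removed by length before x509.ParseCertificate runs; please state that in the comment, and either document the expected fill value or reject a remainder that is not a uniform fill, so that unexpected trailing data is not silently discarded. Only the first of the added lines is visible here (@@ -79,8 +80,18 @@), so the handling of an Unmarshal error cannot be seen from this hunk; it should return an error in the same way as the "reading EK cert" check above.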
Would it be possible to add a little more context? For example, is there some specific TPM model that does this?
I do have a specific TPM where this happens which is what drove me to finding a solution. I have only found 1 TPM where this happens so far. Right now, the documentation for this TPM describing how the padding is added to the EK is under NDA. I will need to check to see if I can actually share the company and model of this TPM. I will post back once I know if I can share.
Sounds good to me. If you end up being able to share, please send another PR updating this comment!
Some TPM chips "pad" the EK cert that is stored in the TPM to completely fill up the NV index. Most TPM chips do NOT do this. If we try to parse the certificate with this extra padding, the x509.ParseCertificate function will return a "trailing bytes" error.
Before trying to parse the certificate, we need to identify how many bytes should be stripped from bytes that were read from the TPM. To do this, we can use the ASN.1 Unmarshal function to get the "padding" bytes. From there, we can use the length of the padding bytes and remove those bytes from the bytes we send to the x509.ParseCertificate function so it will parse correctly.
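The stripping step described in the commit message, as an added example that is not the code from this pull request. The function names, the constructed self-signed certificate standing in for an EK cert, and the rule that padding must be one repeated byte are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// trimEKCertPadding keeps the first DER element of nv and drops uniform fill after it.
func trimEKCertPadding(nv []byte) ([]byte, error) {
	var outer asn1.RawValue
	rest, err := asn1.Unmarshal(nv, &outer) // rest = bytes following the certificate
	if err != nil {
		return nil, fmt.Errorf("EK cert is not valid DER: %w", err)
	}
	for _, b := range rest { // assumption: padding is one repeated byte, e.g. 0x00 or 0xFF
		if b != rest[0] {
			return nil, fmt.Errorf("%d trailing bytes are not uniform padding", len(rest))
		}
	}
	return nv[:len(nv)-len(rest)], nil
}

// constructedCert builds a throwaway self-signed certificate as sample input.
func constructedCert() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, err := constructedCert()
	padded := append(der, make([]byte, 64)...) // constructed: NV index filled out with 0x00
	_, before := x509.ParseCertificate(padded)
	trimmed, terr := trimEKCertPadding(padded)
	_, after := x509.ParseCertificate(trimmed)
	fmt.Println("setup:", err, "trim:", terr, "padded parse:", before, "trimmed parse:", after)
}
```

Rejecting a non-uniform remainder means a second object or corrupted data after the certificate produces an error instead of being discarded along with the padding.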