metropolis/test/swtpm/swtpm_cert/main.go - monogon - Gitiles

 package main

 // swtpm_cert (from swtpm project) reimplemented in Go.
 //
 // This tool generates a TPM EK or Platform certificate. These certificates have
 // to be in a very specific format and include non-standard extensions and
 // subjectAltNames.

 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/hex"
 	"encoding/pem"
 	"log"
 	"math/big"
 	"os"
 	"strings"
 	"time"

 	"github.com/spf13/pflag"

 	"source.monogon.dev/metropolis/pkg/pki"
 )

 func getSignkey() *rsa.PrivateKey {
 	if strings.HasPrefix(flagSignKey, "tpmkey:") || strings.HasPrefix(flagSignKey, "pkcs11:") {
 		log.Fatalf("Loading tpmkey: and pkcs11: sign keys unimplemented")
 	}
 	bytes, err := os.ReadFile(flagSignKey)
 	if err != nil {
 		log.Fatalf("Could not read private key: %v", err)
 	}
 	block, _ := pem.Decode(bytes)
 	if block.Type != "RSA PRIVATE KEY" {
 		log.Fatalf("Private key contains invalid PEM data")
 	}
 	res, err := x509.ParsePKCS1PrivateKey(block.Bytes)
 	if err != nil {
 		log.Fatalf("Could not parse private key: %v", err)
 	}
 	return res
 }

 func getPubkey() any {
 	if flagModulus != "" {
 		if flagECCX != "" || flagECCY != "" || flagECCCurveID != "" {
 			log.Fatalf("--modulus and --ecc* cannot be set simultaneously")
 		}
 		var modulus big.Int
 		modulusBytes, err := hex.DecodeString(flagModulus)
 		if err != nil {
 			log.Fatalf("Could not decode modulus: %v", err)
 		}
 		modulus.SetBytes(modulusBytes)
 		return &rsa.PublicKey{
 			N: &modulus,
 			E: flagExponent,
 		}
 	}
 	if flagECCX != "" && flagECCY != "" && flagECCCurveID != "" {
 		if flagModulus != "" {
 			log.Fatalf("--modulus and --ecc* cannot be set simultaneously")
 		}
 		var x, y big.Int
 		xBytes, err := hex.DecodeString(flagECCX)
 		if err != nil {
 			log.Fatalf("Could not decode ECC X: %v", err)
 		}
 		x.SetBytes(xBytes)
 		yBytes, err := hex.DecodeString(flagECCY)
 		if err != nil {
 			log.Fatalf("Could not decode ECC Y: %v", err)
 		}
 		y.SetBytes(yBytes)
 		res := ecdsa.PublicKey{X: &x, Y: &y}
 		switch flagECCCurveID {
 		case "secp256r1":
 			res.Curve = elliptic.P256()
 		case "secp384r1":
 			res.Curve = elliptic.P384()
 		default:
 			log.Fatalf("Unknown ECC curve ID %q", flagECCCurveID)
 		}
 		return &res
 	}
 	log.Fatalf("--modulus or --ecc* must be set")
 	panic("unreachable")
 }

 func getIssuerCert() *x509.Certificate {
 	bytes, err := os.ReadFile(flagIssuerCert)
 	if err != nil {
 		log.Fatalf("Could not read issuer certificate: %v", err)
 	}
 	block, _ := pem.Decode(bytes)
 	if block.Type != "CERTIFICATE" {
 		log.Fatalf("Issuer certificate contains invalid PEM data")
 	}
 	res, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		log.Fatalf("Could not parse issuer certificate: %v", err)
 	}
 	return res
 }

 type certType string

 const (
 	certTypeEK       certType = "ek"
 	certTypePlatform certType = "platform"
 )

 var (
 	flagType                 string
 	flagSubject              string
 	flagPlatformManufacturer string
 	flagPlatformVersion      string
 	flagPlatformModel        string
 	flagTPM2                 bool
 	flagTPMSpecFamily        string
 	flagTPMSpecLevel         int
 	flagTPMSpecRevision      int
 	flagTPMManufacturer      string
 	flagTPMModel             string
 	flagTPMVersion           string
 	flagOutCert              string
 	flagExponent             int
 	flagSignKey              string
 	flagIssuerCert           string
 	flagDays                 int
 	flagSerial               string

 	flagModulus string

 	flagECCX       string
 	flagECCY       string
 	flagECCCurveID string
 )

 func main() {
 	pflag.BoolVar(&flagTPM2, "tpm2", false, "Enable TPM2 mode (no-op, only mode supported)")
 	pflag.StringVar(&flagType, "type", "ek", "Type of certificate to create, ek or platform")

 	pflag.StringVar(&flagPlatformManufacturer, "platform-manufacturer", "", "TPM platform manufacturer")
 	pflag.StringVar(&flagPlatformVersion, "platform-version", "", "TPM platform version")
 	pflag.StringVar(&flagPlatformModel, "platform-model", "", "TPM platform model")

 	pflag.StringVar(&flagTPMSpecFamily, "tpm-spec-family", "", "TPM Specification family")
 	pflag.IntVar(&flagTPMSpecLevel, "tpm-spec-level", -1, "TPM Specification level")
 	pflag.IntVar(&flagTPMSpecRevision, "tpm-spec-revision", -1, "TPM Specification revision")

 	pflag.StringVar(&flagTPMManufacturer, "tpm-manufacturer", "", "TPM device manufacturer")
 	pflag.StringVar(&flagTPMModel, "tpm-model", "", "TPM device model")
 	pflag.StringVar(&flagTPMVersion, "tpm-version", "", "TPM device version")

 	pflag.StringVar(&flagSubject, "subject", "", "Certificate subject (only cn=... is implemented)")
 	pflag.IntVar(&flagDays, "days", 0, "")
 	pflag.StringVar(&flagSerial, "serial", "", "")

 	pflag.StringVar(&flagOutCert, "out-cert", "", "Path to generated certificate (.pem)")
 	pflag.StringVar(&flagIssuerCert, "issuercert", "", "Path to issuer certificate (.pem)")
 	pflag.StringVar(&flagSignKey, "signkey", "", "Path to private key used to sign certificate")

 	pflag.IntVar(&flagExponent, "exponent", 0x10001, "RSA key exponent")
 	pflag.StringVar(&flagModulus, "modulus", "", "RSA key modulus")

 	pflag.StringVar(&flagECCX, "ecc-x", "", "ECC key x component")
 	pflag.StringVar(&flagECCY, "ecc-y", "", "ECC key y component")
 	pflag.StringVar(&flagECCCurveID, "ecc-curveid", "", "ECC curve id (one of secp256r1, secp384r1)")
 	pflag.Parse()

 	var ty certType
 	switch flagType {
 	case "ek":
 		ty = certTypeEK
 	case "platform":
 		ty = certTypePlatform
 	default:
 		log.Fatalf("Unknown type %q (must be ek or platform)", flagType)
 	}
 	if ty == certTypeEK || ty == certTypePlatform {
 		if flagTPMManufacturer == "" {
 			log.Fatalf("--tpm-manufacturer must be set")
 		}
 		if flagTPMModel == "" {
 			log.Fatalf("--tpm-model must be set")
 		}
 		if flagTPMVersion == "" {
 			log.Fatalf("--tpm-version must be set")
 		}
 	}
 	if ty == certTypeEK {
 		if flagTPMSpecFamily == "" {
 			log.Fatalf("--tpm-spec-family must be set")
 		}
 		if flagTPMSpecLevel == -1 {
 			log.Fatalf("--tpm-spec-level must be set")
 		}
 		if flagTPMSpecRevision == -1 {
 			log.Fatalf("--tpm-spec-revision must be set")
 		}
 	}
 	if ty == certTypePlatform {
 		if flagPlatformManufacturer == "" {
 			log.Fatalf("--platform-manufacturer must be set")
 		}
 		if flagPlatformModel == "" {
 			log.Fatalf("--platform-model must be set")
 		}
 		if flagPlatformVersion == "" {
 			log.Fatalf("--platform-version must be set")
 		}
 	}

 	pubkey := getPubkey()
 	signkey := getSignkey()
 	issuercert := getIssuerCert()

 	var cert x509.Certificate
 	cert.Version = 3
 	cert.SerialNumber = big.NewInt(0)
 	if _, ok := cert.SerialNumber.SetString(flagSerial, 10); !ok {
 		log.Fatalf("Could not parse serial %q", flagSerial)
 	}
 	cert.NotBefore = time.Now()
 	if flagDays > 0 {
 		cert.NotAfter = time.Now().Add(time.Hour * 24 * time.Duration(flagDays))
 	} else {
 		cert.NotAfter = pki.UnknownNotAfter
 	}
 	if flagSubject != "" {
 		parts := strings.Split(flagSubject, ",")
 		for _, part := range parts {
 			part = strings.TrimSpace(part)
 			els := strings.SplitN(part, "=", 2)
 			k := strings.ToLower(els[0])
 			switch k {
 			case "cn":
 				cert.Subject.CommonName = els[1]
 			default:
 				log.Fatalf("Unparseable subject: %q", flagSubject)
 			}
 		}
 	}
 	var sanValues = []asn1.RawValue{}
 	switch ty {
 	case certTypeEK:
 		sanValues = append(sanValues, asn1.RawValue{
 			Tag: 4, Class: 2, Bytes: buildManufacturerInfo(flagTPMManufacturer, flagTPMModel, flagTPMVersion),
 		})
 	case certTypePlatform:
 		sanValues = append(sanValues, asn1.RawValue{
 			Tag: 4, Class: 2, Bytes: buildPlatformManufacturerInfo(flagPlatformManufacturer, flagPlatformModel, flagPlatformVersion),
 		})
 	}
 	sanBytes, err := asn1.Marshal(sanValues)
 	if err != nil {
 		log.Fatalf("Failed to marshal SAN values: %v", err)
 	}
 	cert.ExtraExtensions = []pkix.Extension{
 		{
 			Id:    asn1.ObjectIdentifier{2, 5, 29, 17}, // subjectAltName
 			Value: sanBytes,
 		},
 	}
 	if ty == certTypeEK {
 		cert.ExtraExtensions = append(cert.ExtraExtensions, pkix.Extension{
 			Id:    asn1.ObjectIdentifier{2, 5, 29, 9}, // directoryName
 			Value: buildSpecificationInfo(flagTPMSpecFamily, flagTPMSpecLevel, flagTPMSpecRevision),
 		})
 	}
 	cert.BasicConstraintsValid = true
 	cert.IsCA = false
 	switch ty {
 	case certTypeEK:
 		// tcg-kp-EKCertificate
 		cert.UnknownExtKeyUsage = []asn1.ObjectIdentifier{{2, 23, 133, 8, 1}}
 	case certTypePlatform:
 		// tcg-kp-PlatformAttributeCertificate
 		cert.UnknownExtKeyUsage = []asn1.ObjectIdentifier{{2, 23, 133, 8, 2}}
 	}

 	derBytes, err := x509.CreateCertificate(rand.Reader, &cert, issuercert, pubkey, signkey)
 	if err != nil {
 		log.Fatalf("Generating certificate failed: %v", err)
 	}
 	block := pem.Block{
 		Type:  "CERTIFICATE",
 		Bytes: derBytes,
 	}
 	if err := os.WriteFile(flagOutCert, pem.EncodeToMemory(&block), 0644); err != nil {
 		log.Fatalf("Writing certificate failed: %v", err)
 	}
 }
	package main

	// swtpm_cert (from swtpm project) reimplemented in Go.
	//
	// This tool generates a TPM EK or Platform certificate. These certificates have
	// to be in a very specific format and include non-standard extensions and
	// subjectAltNames.

	import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"encoding/pem"
	"log"
	"math/big"
	"os"
	"strings"
	"time"

	"github.com/spf13/pflag"

	"source.monogon.dev/metropolis/pkg/pki"
	)

	func getSignkey() *rsa.PrivateKey {
	if strings.HasPrefix(flagSignKey, "tpmkey:") \|\| strings.HasPrefix(flagSignKey, "pkcs11:") {
	log.Fatalf("Loading tpmkey: and pkcs11: sign keys unimplemented")
	}
	bytes, err := os.ReadFile(flagSignKey)
	if err != nil {
	log.Fatalf("Could not read private key: %v", err)
	}
	block, _ := pem.Decode(bytes)
	if block.Type != "RSA PRIVATE KEY" {
	log.Fatalf("Private key contains invalid PEM data")
	}
	res, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
	log.Fatalf("Could not parse private key: %v", err)
	}
	return res
	}

	func getPubkey() any {
	if flagModulus != "" {
	if flagECCX != "" \|\| flagECCY != "" \|\| flagECCCurveID != "" {
	log.Fatalf("--modulus and --ecc* cannot be set simultaneously")
	}
	var modulus big.Int
	modulusBytes, err := hex.DecodeString(flagModulus)
	if err != nil {
	log.Fatalf("Could not decode modulus: %v", err)
	}
	modulus.SetBytes(modulusBytes)
	return &rsa.PublicKey{
	N: &modulus,
	E: flagExponent,
	}
	}
	if flagECCX != "" && flagECCY != "" && flagECCCurveID != "" {
	if flagModulus != "" {
	log.Fatalf("--modulus and --ecc* cannot be set simultaneously")
	}
	var x, y big.Int
	xBytes, err := hex.DecodeString(flagECCX)
	if err != nil {
	log.Fatalf("Could not decode ECC X: %v", err)
	}
	x.SetBytes(xBytes)
	yBytes, err := hex.DecodeString(flagECCY)
	if err != nil {
	log.Fatalf("Could not decode ECC Y: %v", err)
	}
	y.SetBytes(yBytes)
	res := ecdsa.PublicKey{X: &x, Y: &y}
	switch flagECCCurveID {
	case "secp256r1":
	res.Curve = elliptic.P256()
	case "secp384r1":
	res.Curve = elliptic.P384()
	default:
	log.Fatalf("Unknown ECC curve ID %q", flagECCCurveID)
	}
	return &res
	}
	log.Fatalf("--modulus or --ecc* must be set")
	panic("unreachable")
	}

	func getIssuerCert() *x509.Certificate {
	bytes, err := os.ReadFile(flagIssuerCert)
	if err != nil {
	log.Fatalf("Could not read issuer certificate: %v", err)
	}
	block, _ := pem.Decode(bytes)
	if block.Type != "CERTIFICATE" {
	log.Fatalf("Issuer certificate contains invalid PEM data")
	}
	res, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
	log.Fatalf("Could not parse issuer certificate: %v", err)
	}
	return res
	}

	type certType string

	const (
	certTypeEK certType = "ek"
	certTypePlatform certType = "platform"
	)

	var (
	flagType string
	flagSubject string
	flagPlatformManufacturer string
	flagPlatformVersion string
	flagPlatformModel string
	flagTPM2 bool
	flagTPMSpecFamily string
	flagTPMSpecLevel int
	flagTPMSpecRevision int
	flagTPMManufacturer string
	flagTPMModel string
	flagTPMVersion string
	flagOutCert string
	flagExponent int
	flagSignKey string
	flagIssuerCert string
	flagDays int
	flagSerial string

	flagModulus string

	flagECCX string
	flagECCY string
	flagECCCurveID string
	)

	func main() {
	pflag.BoolVar(&flagTPM2, "tpm2", false, "Enable TPM2 mode (no-op, only mode supported)")
	pflag.StringVar(&flagType, "type", "ek", "Type of certificate to create, ek or platform")

	pflag.StringVar(&flagPlatformManufacturer, "platform-manufacturer", "", "TPM platform manufacturer")
	pflag.StringVar(&flagPlatformVersion, "platform-version", "", "TPM platform version")
	pflag.StringVar(&flagPlatformModel, "platform-model", "", "TPM platform model")

	pflag.StringVar(&flagTPMSpecFamily, "tpm-spec-family", "", "TPM Specification family")
	pflag.IntVar(&flagTPMSpecLevel, "tpm-spec-level", -1, "TPM Specification level")
	pflag.IntVar(&flagTPMSpecRevision, "tpm-spec-revision", -1, "TPM Specification revision")

	pflag.StringVar(&flagTPMManufacturer, "tpm-manufacturer", "", "TPM device manufacturer")
	pflag.StringVar(&flagTPMModel, "tpm-model", "", "TPM device model")
	pflag.StringVar(&flagTPMVersion, "tpm-version", "", "TPM device version")

	pflag.StringVar(&flagSubject, "subject", "", "Certificate subject (only cn=... is implemented)")
	pflag.IntVar(&flagDays, "days", 0, "")
	pflag.StringVar(&flagSerial, "serial", "", "")

	pflag.StringVar(&flagOutCert, "out-cert", "", "Path to generated certificate (.pem)")
	pflag.StringVar(&flagIssuerCert, "issuercert", "", "Path to issuer certificate (.pem)")
	pflag.StringVar(&flagSignKey, "signkey", "", "Path to private key used to sign certificate")

	pflag.IntVar(&flagExponent, "exponent", 0x10001, "RSA key exponent")
	pflag.StringVar(&flagModulus, "modulus", "", "RSA key modulus")

	pflag.StringVar(&flagECCX, "ecc-x", "", "ECC key x component")
	pflag.StringVar(&flagECCY, "ecc-y", "", "ECC key y component")
	pflag.StringVar(&flagECCCurveID, "ecc-curveid", "", "ECC curve id (one of secp256r1, secp384r1)")
	pflag.Parse()

	var ty certType
	switch flagType {
	case "ek":
	ty = certTypeEK
	case "platform":
	ty = certTypePlatform
	default:
	log.Fatalf("Unknown type %q (must be ek or platform)", flagType)
	}
	if ty == certTypeEK \|\| ty == certTypePlatform {
	if flagTPMManufacturer == "" {
	log.Fatalf("--tpm-manufacturer must be set")
	}
	if flagTPMModel == "" {
	log.Fatalf("--tpm-model must be set")
	}
	if flagTPMVersion == "" {
	log.Fatalf("--tpm-version must be set")
	}
	}
	if ty == certTypeEK {
	if flagTPMSpecFamily == "" {
	log.Fatalf("--tpm-spec-family must be set")
	}
	if flagTPMSpecLevel == -1 {
	log.Fatalf("--tpm-spec-level must be set")
	}
	if flagTPMSpecRevision == -1 {
	log.Fatalf("--tpm-spec-revision must be set")
	}
	}
	if ty == certTypePlatform {
	if flagPlatformManufacturer == "" {
	log.Fatalf("--platform-manufacturer must be set")
	}
	if flagPlatformModel == "" {
	log.Fatalf("--platform-model must be set")
	}
	if flagPlatformVersion == "" {
	log.Fatalf("--platform-version must be set")
	}
	}

	pubkey := getPubkey()
	signkey := getSignkey()
	issuercert := getIssuerCert()

	var cert x509.Certificate
	cert.Version = 3
	cert.SerialNumber = big.NewInt(0)
	if _, ok := cert.SerialNumber.SetString(flagSerial, 10); !ok {
	log.Fatalf("Could not parse serial %q", flagSerial)
	}
	cert.NotBefore = time.Now()
	if flagDays > 0 {
	cert.NotAfter = time.Now().Add(time.Hour * 24 * time.Duration(flagDays))
	} else {
	cert.NotAfter = pki.UnknownNotAfter
	}
	if flagSubject != "" {
	parts := strings.Split(flagSubject, ",")
	for _, part := range parts {
	part = strings.TrimSpace(part)
	els := strings.SplitN(part, "=", 2)
	k := strings.ToLower(els[0])
	switch k {
	case "cn":
	cert.Subject.CommonName = els[1]
	default:
	log.Fatalf("Unparseable subject: %q", flagSubject)
	}
	}
	}
	var sanValues = []asn1.RawValue{}
	switch ty {
	case certTypeEK:
	sanValues = append(sanValues, asn1.RawValue{
	Tag: 4, Class: 2, Bytes: buildManufacturerInfo(flagTPMManufacturer, flagTPMModel, flagTPMVersion),
	})
	case certTypePlatform:
	sanValues = append(sanValues, asn1.RawValue{
	Tag: 4, Class: 2, Bytes: buildPlatformManufacturerInfo(flagPlatformManufacturer, flagPlatformModel, flagPlatformVersion),
	})
	}
	sanBytes, err := asn1.Marshal(sanValues)
	if err != nil {
	log.Fatalf("Failed to marshal SAN values: %v", err)
	}
	cert.ExtraExtensions = []pkix.Extension{
	{
	Id: asn1.ObjectIdentifier{2, 5, 29, 17}, // subjectAltName
	Value: sanBytes,
	},
	}
	if ty == certTypeEK {
	cert.ExtraExtensions = append(cert.ExtraExtensions, pkix.Extension{
	Id: asn1.ObjectIdentifier{2, 5, 29, 9}, // directoryName
	Value: buildSpecificationInfo(flagTPMSpecFamily, flagTPMSpecLevel, flagTPMSpecRevision),
	})
	}
	cert.BasicConstraintsValid = true
	cert.IsCA = false
	switch ty {
	case certTypeEK:
	// tcg-kp-EKCertificate
	cert.UnknownExtKeyUsage = []asn1.ObjectIdentifier{{2, 23, 133, 8, 1}}
	case certTypePlatform:
	// tcg-kp-PlatformAttributeCertificate
	cert.UnknownExtKeyUsage = []asn1.ObjectIdentifier{{2, 23, 133, 8, 2}}
	}

	derBytes, err := x509.CreateCertificate(rand.Reader, &cert, issuercert, pubkey, signkey)
	if err != nil {
	log.Fatalf("Generating certificate failed: %v", err)
	}
	block := pem.Block{
	Type: "CERTIFICATE",
	Bytes: derBytes,
	}
	if err := os.WriteFile(flagOutCert, pem.EncodeToMemory(&block), 0644); err != nil {
	log.Fatalf("Writing certificate failed: %v", err)
	}
	}