Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certify example with TPMless authority #568

Open
nicolaspernoud opened this issue Mar 12, 2025 · 6 comments
Open

Certify example with TPMless authority #568

nicolaspernoud opened this issue Mar 12, 2025 · 6 comments

Comments

@nicolaspernoud
Copy link

Hello,

In the certify example it is indicated that " The Authority in this process does not require a TPM - for brevity we use one in this example but it is possible to perform this certification without a TPM on the authority."

Could the example give some guidance on how to do so ?
Precisely, how to mimic ctx.make_credential, ctx.load_external_public, ctx.hash, ctx.verify_signature without a TPM ?

Thanks,
Best regards.

@wiktor-k
Copy link
Collaborator

Just out of curiosity have you seen #563?

@nicolaspernoud
Copy link
Author

Yes, I did saw it. It would cover make_credentials, so only verify_signature would be missing, as the hash is straightforward...

@ionut-arm
Copy link
Member

Hi!

When you say ctx.verify_signature, do you mean this?

ctx.verify_signature(ak_handle, attest_digest, signature)

@nicolaspernoud
Copy link
Author

Hi,
Exactly, in a nutshell, all operations that are done within the context_2 should be done outside of a tpm...

@ionut-arm
Copy link
Member

Hmm, true, especially for the way certify works for TPMs, you should be able to do all of those without a TPM.

I guess we could provide an example for how to do verification outside of a TPM, it shouldn't be too hard with the right tools in place. What you'd need is a way to extract the public part of the key in a neutral format (something like PublicKey), and then get that in a shape that's suitable for some software library (e.g., OpenSSL).

Unfortunately, we don't have docs or an example of how that could / should look like...

@baloo
Copy link
Contributor

baloo commented Mar 18, 2025

I think this could be done with the APIs introduced in #537

Get a p256::PublicKey from a PublicKey (there is a TryFrom). From that p256::PublicKey, get a p256::ecdsa::VerifyingKey (https://docs.rs/p256/latest/p256/ecdsa/type.VerifyingKey.html#impl-From%3C%26PublicKey%3CC%3E%3E-for-VerifyingKey%3CC%3E) then you should be able to do a verifying_key.verify_digest(digest, signature).

Note: The signature will also need to be converted.

I don't have time to test that right now sadly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants