Add support for plain TSS2 PEM files

Author: hslatman

command/api/token/create.go

@@ -2,13 +2,16 @@ package token
 
 import (
 	"bytes"
+	"context"
 	"crypto"
 	"crypto/tls"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 	"path"
 
 	"github.com/google/uuid"
@@ -19,7 +22,10 @@ import (
 	"github.com/smallstep/cli-utils/ui"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
+	"go.step.sm/crypto/tpm"
+	"go.step.sm/crypto/tpm/tss2"
 
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/internal/cryptoutil"
 	"github.com/smallstep/cli/internal/httptransport"
 )
@@ -35,6 +41,8 @@ func createCommand() cli.Command {
 		Flags: []cli.Flag{
 			apiURLFlag,
 			audienceFlag,
+			flags.PasswordFile,
+			tpmDeviceFlag,
 		},
 		Description: `**step ca api token create** creates a new token for connecting to the Smallstep API.
 
@@ -81,12 +89,14 @@ func createAction(ctx *cli.Context) (err error) {
 	}
 
 	var (
-		args       = ctx.Args()
-		teamID     = args.Get(0)
-		crtFile    = args.Get(1)
-		keyFile    = args.Get(2)
-		apiURLFlag = ctx.String("api-url")
-		audience   = ctx.String("audience")
+		args         = ctx.Args()
+		teamID       = args.Get(0)
+		crtFile      = args.Get(1)
+		keyFile      = args.Get(2)
+		passwordFile = ctx.String("password-file")
+		apiURLFlag   = ctx.String("api-url")
+		audience     = ctx.String("audience")
+		tpmDevice    = ctx.String("tpm-device")
 	)
 
 	parsedURL, err := url.Parse(apiURLFlag)
@@ -96,7 +106,7 @@ func createAction(ctx *cli.Context) (err error) {
 	parsedURL.Path = path.Join(parsedURL.Path, "api/auth")
 	apiURL := parsedURL.String()
 
-	clientCert, err := createClientCertificate(crtFile, keyFile)
+	clientCert, err := createClientCertificate(crtFile, keyFile, passwordFile, tpmDevice)
 	if err != nil {
 		return err
 	}
@@ -175,7 +185,7 @@ func newRequestID() string {
 	return requestID
 }
 
-func createClientCertificate(crtFile, keyFile string) (*tls.Certificate, error) {
+func createClientCertificate(crtFile, keyFile, passwordFile, tpmDevice string) (*tls.Certificate, error) {
 	certs, err := pemutil.ReadCertificateBundle(crtFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed reading %q: %w", crtFile, err)
@@ -186,26 +196,71 @@ func createClientCertificate(crtFile, keyFile string) (*tls.Certificate, error)
 		certificates[i] = c.Raw
 	}
 
-	var (
-		v      any
-		signer crypto.Signer
-	)
+	pk, err := getPrivateKey(keyFile, passwordFile, tpmDevice)
+	if err != nil {
+		return nil, fmt.Errorf("failed reading key from %q: %w", keyFile, err)
+	}
+
+	if _, ok := pk.(crypto.Signer); !ok {
+		return nil, fmt.Errorf("private key type %T read from %q cannot be used as a signer", pk, keyFile)
+	}
+
+	return &tls.Certificate{
+		Certificate: certificates,
+		Leaf:        certs[0],
+		PrivateKey:  pk,
+	}, nil
+}
+
+func getPrivateKey(keyFile, passwordFile, tpmDevice string) (crypto.PrivateKey, error) {
 	if cryptoutil.IsKMS(keyFile) {
-		signer, err = cryptoutil.CreateSigner(keyFile, keyFile)
+		signer, err := cryptoutil.CreateSigner(keyFile, keyFile)
 		if err != nil {
 			return nil, fmt.Errorf("failed creating signer: %w", err)
 		}
-		v = signer
-	} else {
-		v, err = pemutil.Read(keyFile)
+
+		return signer, nil
+	}
+
+	b, err := os.ReadFile(keyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// detect the type of the PEM file. if it's a TSS2 PEM file, pemutil
+	// can't be used to create a private key, as it does not support this
+	// type. Support could be added, but it could require some additional
+	// options, such as specifying the TPM device that backs the TSS2
+	// signer.
+	p, _ := pem.Decode(b)
+	if p.Type != "TSS2 PRIVATE KEY" {
+		pk, err := pemutil.Parse(b, pemutil.WithPasswordFile(passwordFile))
 		if err != nil {
-			return nil, fmt.Errorf("failed reading %q: %w", keyFile, err)
+			return nil, fmt.Errorf("failed parsing PEM: %w", err)
 		}
+
+		return pk, nil
 	}
 
-	return &tls.Certificate{
-		Certificate: certificates,
-		Leaf:        certs[0],
-		PrivateKey:  v,
-	}, nil
+	key, err := tss2.ParsePrivateKey(p.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating TSS2 private key: %w", err)
+	}
+
+	var tpmOpts = []tpm.NewTPMOption{}
+	if tpmDevice != "" {
+		tpmOpts = append(tpmOpts, tpm.WithDeviceName(tpmDevice))
+	}
+
+	t, err := tpm.New(tpmOpts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed initializing TPM: %w", err)
+	}
+
+	signer, err := tpm.CreateTSS2Signer(context.Background(), t, key)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating TSS2 signer: %w", err)
+	}
+
+	return signer, nil
 }

command/api/token/token.go

@@ -30,4 +30,8 @@ var (
 		Name:  "audience",
 		Usage: "Request a token for an audience other than the API Gateway",
 	}
+	tpmDeviceFlag = cli.StringFlag{
+		Name:  "tpm-device",
+		Usage: "(Optional) path to TPM device (e.g. /dev/tpmrm0)",
+	}
 )