Remove P224 support and upgrade deprecated methods

google · Aug 23, 2024 · 1993889 · 1993889
1 parent b8bf8f0
commit 1993889
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 12 deletions.
diff --git a/cmd/token.go b/cmd/token.go
@@ -107,7 +107,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 			}
 
 			cloudLogger = cloudLogClient.Logger(toolName)
-			fmt.Fprintf(debugOutput(), "cloudLogger created for project: "+projectID+"\n")
+			fmt.Fprint(debugOutput(), "cloudLogger created for project: "+projectID+"\n")
 		}
 
 		key = "gceAK"
@@ -175,7 +175,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 		}
 
 		if output == "" {
-			fmt.Fprintf(messageOutput(), string(token)+"\n")
+			fmt.Fprint(messageOutput(), string(token)+"\n")
 		} else {
 			out := []byte(token)
 			if _, err := dataOutput().Write(out); err != nil {
@@ -194,7 +194,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 			}
 		}
 
-		fmt.Fprintf(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")
+		fmt.Fprint(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")
 
 		return nil
 	},

diff --git a/server/import.go b/server/import.go
@@ -5,13 +5,14 @@ import (
 	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/elliptic"
+	"crypto/ecdsa"
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/rsa"
 	"fmt"
 	"hash"
 	"io"
+	"math/big"
 
 	"github.com/google/go-tpm/legacy/tpm2"
 	"github.com/google/go-tpm/tpmutil"
@@ -131,25 +132,45 @@ func createECCSeed(ek tpm2.Public) (seed, encryptedSeed []byte, err error) {
 	if err != nil {
 		return nil, nil, err
 	}
-	priv, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
+
+	ecdsaPriv, err := ecdsa.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	ecdhPriv, err := ecdsaPriv.ECDH()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	pub, err := ek.Key()
 	if err != nil {
 		return nil, nil, err
 	}
-	ekPoint := ek.ECCParameters.Point
-	z, _ := curve.ScalarMult(ekPoint.X(), ekPoint.Y(), priv)
-	xBytes := eccIntToBytes(curve, x)
+
+	ekPub, err := pub.(*ecdsa.PublicKey).ECDH()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	zBytes, err := ecdhPriv.ECDH(ekPub)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	xBytes := eccIntToBytes(curve, ecdsaPriv.X)
 
 	seed, err = tpm2.KDFe(
 		ek.NameAlg,
-		eccIntToBytes(curve, z),
+		eccIntToBytes(curve, new(big.Int).SetBytes(zBytes)),
 		"DUPLICATE",
 		xBytes,
-		eccIntToBytes(curve, ekPoint.X()),
+		eccIntToBytes(curve, ek.ECCParameters.Point.X()),
 		getHash(ek.NameAlg).Size()*8)
 	if err != nil {
 		return nil, nil, err
 	}
-	encryptedSeed, err = tpmutil.Pack(tpmutil.U16Bytes(xBytes), tpmutil.U16Bytes(eccIntToBytes(curve, y)))
+	encryptedSeed, err = tpmutil.Pack(tpmutil.U16Bytes(xBytes), tpmutil.U16Bytes(eccIntToBytes(curve, ecdsaPriv.Y)))
 	return seed, encryptedSeed, err
 }
 

diff --git a/server/import_test.go b/server/import_test.go
@@ -25,7 +25,6 @@ func TestImport(t *testing.T) {
 		{"ECC", client.DefaultEKTemplateECC()},
 		{"SRK-RSA", client.SRKTemplateRSA()},
 		{"SRK-ECC", client.SRKTemplateECC()},
-		{"ECC-P224", getECCTemplate(tpm2.CurveNISTP224)},
 		{"ECC-P256", getECCTemplate(tpm2.CurveNISTP256)},
 		{"ECC-P384", getECCTemplate(tpm2.CurveNISTP384)},
 		{"ECC-P521", getECCTemplate(tpm2.CurveNISTP521)},