tpm2-software / tpm2-pytss

Python bindings for TSS
https://tpm2-pytss.readthedocs.io/en/latest/
BSD 2-Clause "Simplified" License

FAPI: Support hmac import and hmac operations #598

Closed salrashid123 closed 2 hours ago

salrashid123 commented 1 week ago

FR to add support for HMAC operations for Fapi

  1. Allow easy import of an external hmac key

    Currently, you can import a key set in a variety of formats (eg PEM format or as pub/priv blobs).

    However, there isn't an apparent way to import just a plain hmac key

    I suppose a workaround for now is to import the pub/priv blobs representation of a created key (eg, the two links above)

    TBH, i couldn't find the specifications/json representations for the Fapi import format (pg 21 of TSS_FAPI_v0p94_r09_pub.pdf just says importData)

  2. Allow fapi.hmac() operations

    Support hmac() generation for any hmac key (imported or created on tpm)


i can do all this with esapi (esapi_import_hmac.py) but it'd be nice to do this with fapi.

a side context is if you can import hmac keys, you can authenticate to aws (see AWS v4 signed request using Trusted Platform Module and in golang aws tpm process credentials )

whooo commented 1 week ago

we mostly wrap the FAPI api from tpm2-tss and it doesn't seem that the FAPI specification has any HMAC function directly, perhaps FAPI.sign could support it. You could use https://github.com/tpm2-software/tpm2-pytss/blob/146c3f4442f48d634297487b7f215c0d42e30f36/src/tpm2_pytss/types.py#L1424 and then https://github.com/tpm2-software/tpm2-pytss/blob/146c3f4442f48d634297487b7f215c0d42e30f36/src/tpm2_pytss/utils.py#L134 to get the public and private parts

salrashid123 commented 2 hours ago

thanks, i decided to just go with the esapi for now, if you want, i curated a set of examples in python here, if any of them are useful, pls feel free to lift or document

i ended up migrating to esapi here: https://github.com/salrashid123/cloud_auth_tpm
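An added example (not code from this thread, from tpm2-pytss or from the linked repositories) of the ESAPI route the thread settles on: supplying a plain HMAC secret as the sensitive data of a keyedhash object under a primary key, checking once at provisioning time that the TPM-resident key matches a software reference, and then running the first step of the AWS SigV4 key derivation inside the TPM so the long-term secret (`"AWS4" + secret_access_key`) never has to sit in process memory afterwards. The tpm2-pytss calls used (`ESAPI.create_primary`, `ESAPI.create`, `ESAPI.load`, `ESAPI.hmac`, `TPM2B_PUBLIC.parse("hmac", ...)`) are assumed from the library's ESAPI wrappers and need a real TPM or swtpm; the `reference_hmac_sha256`, `verify_tpm_hmac` and `sigv4_signing_key` helpers, the sample secret and the date/region values are constructed for this example.

```python
import hashlib
import hmac
from typing import Callable

# Constructed sample value for the offline part of the example; not a real credential.
SAMPLE_SECRET = b"constructed-example-secret-not-a-real-key"


def reference_hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Software HMAC-SHA256, the reference a TPM-produced MAC is checked against."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_tpm_hmac(tpm_mac: bytes, key: bytes, msg: bytes) -> bool:
    """Constant-time comparison of a TPM MAC with the software reference.

    Run once at provisioning time, while the plaintext secret is still in memory,
    to confirm the keyedhash object really holds the intended secret. Afterwards
    the plaintext can be discarded and only the TPM object is used.
    """
    return hmac.compare_digest(tpm_mac, reference_hmac_sha256(key, msg))


def sigv4_signing_key(k_date_hmac: Callable[[bytes], bytes],
                      date: str, region: str, service: str) -> bytes:
    """SigV4 signing-key derivation where only the first HMAC needs the long-term secret.

    k_date_hmac(msg) must return HMAC-SHA256(b"AWS4" + secret_access_key, msg); when
    that key lives in the TPM the remaining steps only ever see derived, date-scoped keys.
    """
    k_date = k_date_hmac(date.encode())                       # TPM-side step
    k_region = reference_hmac_sha256(k_date, region.encode())  # software from here on
    k_service = reference_hmac_sha256(k_region, service.encode())
    return reference_hmac_sha256(k_service, b"aws4_request")


def tpm_create_hmac_key(ectx, parent, secret: bytes):
    """Create a keyedhash (HMAC) object under `parent` whose sensitive data is `secret`.

    Assumed tpm2-pytss ESAPI wrappers: create(), load(), TPM2B_PUBLIC.parse("hmac").
    Requires a TPM or swtpm, so the import is deferred to call time.
    """
    from tpm2_pytss import (TPM2B_PUBLIC, TPM2B_SENSITIVE_CREATE,
                            TPMS_SENSITIVE_CREATE, TPMA_OBJECT)

    # SENSITIVEDATAORIGIN must be clear because the secret is supplied by the caller,
    # not generated by the TPM; FIXEDTPM/FIXEDPARENT keep the object non-duplicable.
    attrs = (TPMA_OBJECT.USERWITHAUTH | TPMA_OBJECT.SIGN_ENCRYPT
             | TPMA_OBJECT.FIXEDTPM | TPMA_OBJECT.FIXEDPARENT)
    in_public = TPM2B_PUBLIC.parse("hmac", objectAttributes=attrs)  # assumed alg string
    in_sensitive = TPM2B_SENSITIVE_CREATE(sensitive=TPMS_SENSITIVE_CREATE(data=secret))
    priv, pub, _, _, _ = ectx.create(parent, in_sensitive, in_public)
    return ectx.load(parent, priv, pub)


def tpm_hmac_sha256(ectx, handle, msg: bytes) -> bytes:
    """HMAC-SHA256 computed by the TPM with the loaded keyedhash object."""
    from tpm2_pytss import TPM2_ALG
    return bytes(ectx.hmac(handle, msg, TPM2_ALG.SHA256))


if __name__ == "__main__":
    # Provisioning + use flow; needs a TPM or swtpm reachable through the default TCTI.
    from tpm2_pytss import ESAPI, TPM2B_SENSITIVE_CREATE

    ectx = ECTX = ESAPI()
    parent, _, _, _, _ = ectx.create_primary(TPM2B_SENSITIVE_CREATE(), "rsa2048:aes128cfb")
    long_term = b"AWS4" + SAMPLE_SECRET
    key = tpm_create_hmac_key(ectx, parent, long_term)

    date = b"20240101"
    if not verify_tpm_hmac(tpm_hmac_sha256(ectx, key, date), long_term, date):
        raise SystemExit("TPM HMAC does not match software reference; refuse to use key")
    del long_term  # plaintext secret no longer needed in this process

    signing_key = sigv4_signing_key(lambda m: tpm_hmac_sha256(ectx, key, m),
                                    "20240101", "us-east-1", "s3")
    print("SigV4 signing key:", signing_key.hex())
    ectx.flush_context(key)
    ectx.flush_context(parent)
```

The provisioning check is the part worth keeping even if the rest is adapted: a keyedhash object created with the wrong attributes or a truncated secret will load and return MACs without complaint, and comparing one MAC against a software reference before discarding the plaintext is the only cheap way to catch that.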