Windows hacking #2
Draft
hslatman wants to merge 27 commits into
Conversation
There's currently no support for creating application keys on Windows systems. This patch transitions the Windows key type to specifically refer to attestation keys, and reuses the existing wrapped key support for application keys. This allows the creation of keys in the platform store, while still allowing said keys to be manipulated with existing TPM functionality rather than duplicating it.
When generating a new key using a Windows TPM, a `wrappedKey20` was returned, which couldn't be used for signing on Windows, as it's backed by a `windowsTPM`. The `wrappedKey20` seems to be a type specifically aimed at usage with a `wrappedTPM20`, which in turn seems to be used on Linux and for testing, but not when instantiating a TPM on Windows. This commit adds the `newWindowsKey20` function, which returns a key backed by a `windowsTPM`. The key is a `windowsAK20`, now also conforming to the `key` interface, so that it can be used for signing purposes.
On Windows, when the key is managed by the OS, keys are stored on the filesystem. When trying to create a key with the same name, this will fail with the following error: `NCryptCreatePersistedKey returned 8009000F: The operation completed successfully.` This commit adds support for deleting these keys, so that a new key can be created with the same name. Have only tested this on Windows so far. My assumption is that for keys created with `go-attestation` on Linux, the keys aren't persisted "inside the TPM", so there's nothing to do when deleting them, except for any keys managed externally.
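The delete-then-recreate behaviour described in the commit above, written out as an added example that is not part of this PR or of go-attestation's code. It keys the retry on the HRESULT rather than on the message text: `0x8009000F` is the CNG error `NTE_EXISTS` ("Object already exists"), which is what `NCryptCreatePersistedKey` returns when a persisted key with that name is already in the provider's store. `PersistedKeyStore`, `CreateOrReplace` and the in-memory `memStore` are assumed names for illustration; a real implementation would wire `Create`/`Delete` to `NCryptCreatePersistedKey` and `NCryptDeleteKey`.

```go
package main

import (
	"errors"
	"fmt"
)

// CNG HRESULTs relevant to persisted keys (values from ntstatus/winerror.h).
const (
	NTE_EXISTS    uint32 = 0x8009000F // Object already exists
	NTE_NOT_FOUND uint32 = 0x80090011 // Object was not found
)

// HResultError carries the raw HRESULT so callers can classify the failure
// with errors.Is instead of parsing a (possibly misleading) formatted message.
type HResultError struct{ Code uint32 }

func (e HResultError) Error() string {
	return fmt.Sprintf("NCrypt call returned 0x%08X", e.Code)
}

// ErrKeyExists is the sentinel matched by CreateOrReplace.
var ErrKeyExists = HResultError{Code: NTE_EXISTS}

// PersistedKeyStore is the minimal surface this example needs.
// (Hypothetical interface, not go-attestation's own.)
type PersistedKeyStore interface {
	Create(name string) error
	Delete(name string) error
}

// CreateOrReplace creates the named key. If the provider reports NTE_EXISTS,
// the stale key is deleted and creation is retried once. Any other error is
// returned unchanged so a real failure is not masked by a blind delete.
func CreateOrReplace(s PersistedKeyStore, name string) (replaced bool, err error) {
	err = s.Create(name)
	if err == nil {
		return false, nil
	}
	if !errors.Is(err, ErrKeyExists) {
		return false, fmt.Errorf("create %q: %w", name, err)
	}
	if derr := s.Delete(name); derr != nil {
		return false, fmt.Errorf("delete stale key %q: %w", name, derr)
	}
	if cerr := s.Create(name); cerr != nil {
		return false, fmt.Errorf("recreate %q: %w", name, cerr)
	}
	return true, nil
}

// memStore is a constructed in-memory stand-in that mimics the provider's
// NTE_EXISTS / NTE_NOT_FOUND behaviour so the logic runs off-Windows.
type memStore struct{ keys map[string]bool }

func newMemStore(existing ...string) *memStore {
	m := &memStore{keys: map[string]bool{}}
	for _, k := range existing {
		m.keys[k] = true
	}
	return m
}

func (m *memStore) Create(name string) error {
	if m.keys[name] {
		return ErrKeyExists
	}
	m.keys[name] = true
	return nil
}

func (m *memStore) Delete(name string) error {
	if !m.keys[name] {
		return HResultError{Code: NTE_NOT_FOUND}
	}
	delete(m.keys, name)
	return nil
}

func main() {
	s := newMemStore("ak-1") // constructed: "ak-1" already persisted
	replaced, err := CreateOrReplace(s, "ak-1")
	fmt.Println(replaced, err) // true <nil>
}
```

Matching on the HRESULT matters because the text attached to the code depends on how the caller formats it; the commit's own quoted error shows a success string next to a failure code.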
a712630 to 0ad94dd
58e1b5d to 1bcb20a
S-code652 approved these changes Jul 31, 2023