using:
golang custom credential provider which allows for arbitrary AWS source credential usage (e.g. AWS_WEB_IDENTITY_TOKEN_FILE)
AwsSecurityCredentialsSupplier
using:
python custom credential provider which allows for arbitrary AWS source credential usage (e.g. AWS_WEB_IDENTITY_TOKEN_FILE)
also see in golang here
create primary
create key
evict primary to persistent handle 0x81000000
save key with go-tpm-keyfiles
load key using go-tpm-keyfile
module main
Generate a primary using the format described in the ASN.1 Specification for TPM 2.0 Key Files, where template H-2 is described on pg 43 of the TCG EK Credential Profile.
The primary is formatted for use with openssl.
## create the primary
seal an external hmac key to a tpm with a PCR policy
export secret="change this password to a secret"
export plain="foo"
# write the raw secret (no trailing newline) and derive its hex form for openssl
echo -n "$secret" > hmac.key
hexkey=$(xxd -p -c 256 < hmac.key)
echo "$hexkey"
echo -n "$plain" > data.in
# reference HMAC-SHA256 computed in software, to compare against the TPM-sealed key's output
openssl dgst -sha256 -mac hmac -macopt hexkey:"$hexkey" data.in
sample demonstrating cross-usage/compatibility between
go-tpm, go-tpm-keyfile and go-tpm-tools
package main
EC permanent handle as parent:
https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html#section-3.1.8
// pg26: 7.5.1: https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
// pg 43: B.4.5 Template H-2: ECC NIST P256 (Storage) https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf
/*
self-signed jwt access to google cloud iap
https://cloud.google.com/iap/docs/authentication-howto#authenticating_with_a_self-signed_jwt
using google auth library
and service account bound inside Trusted Platform Module
*/
package main
This procedure will transfer an HMAC key created inside TPM-A to TPM-B but prevent TPM-B from transferring it to TPM-C.
Basically, it is an extension of the end-to-end example which transfers an RSA key generated on TPM-A to TPM-B, but
using tpm2_policyduplicationselect
to prevent further duplication.
Step 1 below will transfer a key from A->B; step 2 attempts B->C but duplication is prevented on B by policy.
This procedure will transfer an HMAC key created inside TPM-A
to TPM-B
and then to TPM-C
using tpm2_policycommandcode.
Basically, it is an extension of the end-to-end example which transfers an RSA key generated on TPM-A to TPM-B.
To use this, you'll need three VMs.