class TPM::KeyAttestation

Constants

ROOT_CERTIFICATES

docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-install-trusted-tpm-root-certificates

VERSION

Attributes

certificates[R]
certified_key[R]
certify_info[R]
hash_algorithm[R]
qualifying_data[R]
root_certificates[R]
signature[R]
signature_algorithm[R]

Public Class Methods

new( certify_info, signature, certified_key, certificates, qualifying_data, signature_algorithm: ALG_RSASSA, hash_algorithm: ALG_SHA256, root_certificates: ROOT_CERTIFICATES ) click to toggle source
# File lib/tpm/key_attestation.rb, line 35
def initialize(
  certify_info,
  signature,
  certified_key,
  certificates,
  qualifying_data,
  signature_algorithm: ALG_RSASSA,
  hash_algorithm: ALG_SHA256,
  root_certificates: ROOT_CERTIFICATES
)
  @certify_info = certify_info
  @signature = signature

  @certified_key = certified_key
  @certificates = certificates
  @signature_algorithm = signature_algorithm
  @hash_algorithm = hash_algorithm
  @qualifying_data = qualifying_data
  @root_certificates = root_certificates
end

Public Instance Methods

key() click to toggle source
# File lib/tpm/key_attestation.rb, line 56
def key
  if valid?
    public_area.key
  end
end
valid?() click to toggle source
# File lib/tpm/key_attestation.rb, line 62
def valid?
  certify_validator.valid?(aik_certificate.public_key) &&
    aik_certificate.conformant? &&
    trustworthy?
end

Private Instance Methods

aik_certificate() click to toggle source
# File lib/tpm/key_attestation.rb, line 95
def aik_certificate
  @aik_certificate ||= TPM::AIKCertificate.from_der(certificates.first)
end
certify_validator() click to toggle source
# File lib/tpm/key_attestation.rb, line 70
def certify_validator
  @certify_validator ||=
    TPM::CertifyValidator.new(
      certify_info,
      signature,
      qualifying_data,
      public_area,
      signature_algorithm: signature_algorithm,
      hash_algorithm: hash_algorithm
    )
end
public_area() click to toggle source
# File lib/tpm/key_attestation.rb, line 99
def public_area
  @public_area ||= TPM::PublicArea.new(certified_key)
end
trust_store() click to toggle source
# File lib/tpm/key_attestation.rb, line 88
def trust_store
  @trust_store ||=
    OpenSSL::X509::Store.new.tap do |trust_store|
      root_certificates.uniq(&:serial).each { |root_certificate| trust_store.add_cert(root_certificate) }
    end
end
trustworthy?() click to toggle source
# File lib/tpm/key_attestation.rb, line 82
def trustworthy?
  x509_certificates = certificates.map { |c| OpenSSL::X509::Certificate.new(c) }

  trust_store.verify(x509_certificates[0], x509_certificates[1..-1])
end