ref: golang/go#75656
install golang go 1.25.1 and override handshake_server_tls13.go
create a restricted rsapss key and make it persistent
    package main

    import (
        "crypto/rand"
        "encoding/base64"
        "flag"
        "io"
        "log"
        "net"
        "slices"
    package main

    import (
        "crypto/tls"
        "crypto/x509"
        "encoding/hex"
        "encoding/pem"
        "flag"
        "fmt"
        "io"
    // Copyright 2018 The Go Authors. All rights reserved.
    // Use of this source code is governed by a BSD-style
    // license that can be found in the LICENSE file.

    package tls

    import (
        "bytes"
        "context"
        "crypto"
The following describes how to run the GCE Metadata Server Emulator with the GCP Ops Agent.
Note that the Ops Agent is only supported on specific GCP VMs as described here ("The Ops Agent is not supported on Amazon Elastic Compute Cloud (Amazon EC2) instances or on-premises machines.")
However, if you really want to, you can coax it to run with this emulator, and the following steps detail such a configuration where the Ops Agent runs in a local docker container alongside the emulator.
(Needless to say, this is unsupported and can result in unpredictable results (eg, the logs appear as if from a gce_vm). For on-prem, you should use bindplane.)
    package main

    import (
        "crypto/x509"
        "encoding/hex"
        "encoding/pem"
        "flag"
        "io"
        "log"
        "net"
    import google.auth
    from google.oauth2 import service_account
    from google.cloud import storage
    from google.cloud import pubsub_v1

    ## requirements.txt
    # google-cloud-storage
    # google-cloud-pubsub
    # requests
    # google-api-python-client
The following transfers a key from TPM-A to TPM-B and demonstrates policies that prevent further duplication to TPM-C
ref:
The following diff extracts the EKM value for a given TLS connection and then surfaces it to the Lua filter (which emits the EKM as a header to the backend).
The Lua config will log the EKM in trace logs:
# envoy -c envoy_server.yaml -l trace
[2025-04-04 08:36:29.396][3334775][info][lua] [source/extensions/filters/common/lua/lua.cc:26] script log: >>>>>>>>>>>> EKM: XGurfnlqXyjXphhJrrCmHRoKXAwC7CjrD7vixHdqOIo=
which has the same derived EKM value as a sample client app (eg, golang)