@salrashid123
Last active October 2, 2025 02:03
Server code for the crypto.MessageSigner patch for TLS (https://github.com/golang/go/issues/75656)
package main
import (
"crypto/tls"
"crypto/x509"
"encoding/hex"
"encoding/pem"
"flag"
"fmt"
"io"
"log"
"net"
"net/http"
"os"
"slices"
"github.com/google/go-tpm-tools/simulator"
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpm2/transport"
"github.com/google/go-tpm/tpmutil"
"github.com/gorilla/mux"
"github.com/salrashid123/tpmsigner"
"golang.org/x/net/http2"
)
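// Command-line flags.
var (
	// servercert is the path of the PEM file holding the x509 certificate the
	// server presents during the TLS handshake.
	servercert = flag.String("servercert", "ECcert.pem", "Server certificate (x509)")

	// tpmPath selects the TPM. The help text used to advertise a Unix socket,
	// but OpenTPM only opens /dev/tpm0 or /dev/tpmrm0, starts the simulator
	// for the literal "simulator", and dials every other value over TCP.
	tpmPath = flag.String("tpm-path", "127.0.0.1:2321", "TPM to use: /dev/tpm0, /dev/tpmrm0, \"simulator\", or a host:port reached over TCP.")
)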
// gethandler replies to every request routed to it with the fixed body "ok".
// The request itself is never inspected, and a failed write is ignored.
func gethandler(w http.ResponseWriter, r *http.Request) {
	_, _ = io.WriteString(w, "ok")
}
// TPMDEVICES lists the local TPM device paths that OpenTPM opens directly
// instead of treating them as a network address.
var TPMDEVICES = []string{"/dev/tpm0", "/dev/tpmrm0"}

// OpenTPM returns a read/write/close handle to the TPM named by path.
//
// Three forms are recognised:
//   - a path listed in TPMDEVICES is opened with tpmutil.OpenTPM;
//   - the literal "simulator" starts the in-process go-tpm-tools simulator;
//   - anything else is dialed as a TCP address (for example a software TPM
//     listening on 127.0.0.1:2321, the flag default).
//
// The caller owns the returned handle and must Close it.
func OpenTPM(path string) (io.ReadWriteCloser, error) {
	switch {
	case slices.Contains(TPMDEVICES, path):
		return tpmutil.OpenTPM(path)
	case path == "simulator":
		// The constructor name marks this as insecure: the seed is fixed, so
		// presumably keys are reproducible across runs. Test use only.
		return simulator.GetWithFixedSeedInsecure(1073741825)
	default:
		// Plain TCP: nothing here authenticates or encrypts the TPM command
		// stream, so keep the endpoint on loopback or a trusted link.
		return net.Dial("tcp", path)
	}
}
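// main parses the flags and runs the TPM-backed HTTPS server. Any setup or
// serve failure is logged and the process exits non-zero.
func main() {
	flag.Parse()
	if err := run(); err != nil {
		log.Fatal(err)
	}
}

// run opens the TPM, loads the server certificate, builds a TLS certificate
// whose private-key operations are delegated to the TPM via tpmsigner, and
// serves HTTPS on :8081 until the listener fails.
//
// Errors are returned rather than passed to log.Fatal so that the deferred TPM
// close always runs.
func run() error {
	router := mux.NewRouter()
	router.Methods(http.MethodGet).Path("/").HandlerFunc(gethandler)

	// The TPM handle is opened and owned here ("externally managed" from the
	// signer's point of view); while it is open this blocks all other access
	// to the TPM.
	rwc, err := OpenTPM(*tpmPath)
	if err != nil {
		return fmt.Errorf("can't open TPM %q: %w", *tpmPath, err)
	}
	defer func() {
		if err := rwc.Close(); err != nil {
			log.Printf("can't close TPM %q: %v", *tpmPath, err)
		}
	}()
	rwr := transport.FromReadWriter(rwc)

	log.Printf("======= EK ========")
	// Read the public area of the persistent object at 0x81010001
	// (EKReservedHandle). The key is expected to exist already; nothing is
	// created here.
	cCreateEK, err := tpm2.ReadPublic{
		ObjectHandle: tpm2.TPMHandle(0x81010001),
	}.Execute(rwr)
	if err != nil {
		return fmt.Errorf("can't read public area of handle 0x81010001 on TPM %q: %w", *tpmPath, err)
	}
	log.Printf("Name %s\n", hex.EncodeToString(cCreateEK.Name.Buffer))

	// NOTE(review): everything below assumes an RSA key at the handle, while
	// the default -servercert is named ECcert.pem. Confirm the two match.
	rsaEKpub, err := cCreateEK.OutPublic.Contents()
	if err != nil {
		return fmt.Errorf("failed to get rsa public: %w", err)
	}
	rsaEKDetail, err := rsaEKpub.Parameters.RSADetail()
	if err != nil {
		return fmt.Errorf("failed to get rsa details: %w", err)
	}
	rsaEKUnique, err := rsaEKpub.Unique.RSA()
	if err != nil {
		return fmt.Errorf("failed to get rsa unique: %w", err)
	}
	primaryRsaEKPub, err := tpm2.RSAPub(rsaEKDetail, rsaEKUnique)
	if err != nil {
		return fmt.Errorf("failed to get rsa public key: %w", err)
	}

	// Log the public key as PEM so an operator can compare it with the
	// certificate by eye. Only public material is printed.
	b4, err := x509.MarshalPKIXPublicKey(primaryRsaEKPub)
	if err != nil {
		return fmt.Errorf("unable to marshal TPM public key: %w", err)
	}
	primaryEKPEMByte := pem.EncodeToMemory(&pem.Block{
		Type:  "PUBLIC KEY",
		Bytes: b4,
	})
	log.Printf("RSA createPrimary public \n%s\n", string(primaryEKPEMByte))

	pubPEMData, err := os.ReadFile(*servercert)
	if err != nil {
		return fmt.Errorf("can't load certificate: %w", err)
	}
	// pem.Decode reports failure with a nil block, not an error. The original
	// re-tested a stale err here and would dereference nil on a non-PEM file.
	sblock, _ := pem.Decode(pubPEMData)
	if sblock == nil {
		return fmt.Errorf("can't decode certificate: no PEM block found in %q", *servercert)
	}
	filex509, err := x509.ParseCertificate(sblock.Bytes)
	if err != nil {
		return fmt.Errorf("can't parse certificate: %w", err)
	}

	// Fail fast when the certificate was issued for a different key than the
	// one in the TPM; otherwise the mismatch would only surface later as
	// failed TLS handshakes.
	if !primaryRsaEKPub.Equal(filex509.PublicKey) {
		return fmt.Errorf("certificate %q does not match the public key at TPM handle 0x81010001", *servercert)
	}

	// Authorize use of the key with a policy-secret session bound to the
	// endorsement hierarchy. The hierarchy auth is passed as empty, so this
	// assumes no endorsement password has been set on the TPM.
	se, err := tpmsigner.NewPolicySecretSession(rwr, tpm2.AuthHandle{
		Handle: tpm2.TPMRHEndorsement,
		Auth:   tpm2.PasswordAuth([]byte(nil))}, 0)
	if err != nil {
		return fmt.Errorf("can't create policy secret session: %w", err)
	}

	r, err := tpmsigner.NewTPMCrypto(&tpmsigner.TPM{
		TpmDevice:       rwc,
		Handle:          tpm2.TPMHandle(0x81010001), //cCreateEK.ObjectHandle,
		X509Certificate: filex509,
		AuthSession:     se,
	})
	if err != nil {
		return err
	}

	crt, err := r.TLSCertificate()
	if err != nil {
		return err
	}

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{crt},
		MinVersion:   tls.VersionTLS13,
		// TLS 1.3 has no renegotiation and RenegotiateNever is the zero value;
		// the field is kept only to state the intent explicitly.
		Renegotiation: tls.RenegotiateNever,
	}

	// NOTE(review): no ReadHeaderTimeout/ReadTimeout/WriteTimeout is set and
	// the listener binds to all interfaces. Acceptable for a local demo; set
	// timeouts and a narrower Addr before exposing it.
	server := &http.Server{
		Addr:      ":8081",
		Handler:   router,
		TLSConfig: tlsConfig,
	}
	if err := http2.ConfigureServer(server, &http2.Server{}); err != nil {
		return fmt.Errorf("can't configure http2: %w", err)
	}

	fmt.Println("Starting Server..")
	// Empty cert/key paths: the certificate comes from TLSConfig.Certificates.
	if err := server.ListenAndServeTLS("", ""); err != nil {
		return fmt.Errorf("unable to start server: %w", err)
	}
	return nil
}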