o sh+L@sddlmZddlmZmZmZmZmZmZm Z ddl m Z ddl m Z mZddlmZmZddlmZdd lmZmZdd lmZdd lmZdd lmZdd lmZddlm Z m!Z!m"Z"ddl#Z#dZ$e%dZ&eGdddeZ'eGdddeZ(eGdddeZ)eGdddZ*dZ+dZ,eGdddZ-eGdddZ.Gd d!d!e/Z0eGd"d#d#eZ1eGd$d%d%eZ2eGd&d'd'Z3eGd(d)d)Z4eGd*d+d+eZ5e!ej6ej7fZ8e!e.e3fZ9e!e0e4fZ:eGd,d-d-Z;d.d/ZdatazTuple[int, int, int, bool] clock_infointfirmware_versionr<attestedr2c Cst|}|d}|tkrtd|d}|tkrtdzL||d}||d}|d}|d}|d}|d} | d vrPtd | d d | d k} |d} ||d} ||d} Wntjy{}zt|d}~ww||||||| f| t| | ddS)Nr.z generated value field is invalidr ztpmi_st_attest field is invalid!Hz!Q!LB)rrzinvalid value 0xxz for booleanr)r>r?)r>rBrCrErF) rreadTPM_GENERATED_VALUE ValueErrorTPM_ST_ATTEST_CERTIFYunpackstructerrorr<)clsrBreadergenerated_valuetpmi_st_attestr>clock reset_count restart_count safe_valuesaferE attested_nameattested_qualified_nameer'r'r(parsesB        zTpmAttestationFormat.parseN)rBr=r2rAr r!r"__doc__r@ classmethodr^r'r'r'r(rAhs rAc@s>eZdZUdZded<ded<ded<ded<eddZd S) TpmsRsaParmszParse TPMS_RSA_PARMS struct See: https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf section 12.2.3.5 rD symmetricschemekey_bitsexponentc Cs|d}|tjtjB@}|tjtjBk}|s|tkrtd|d}|tjtjB@}|tjk}|r@|ttjtj fvr@td|tjtjBk} | rV|tjtj fvrVtd|tjk} | rj|tj tj tfvrjtd|ru|tfvrutd|d} |d} | dkrd } |||| | S) NrG symmetric is expected to be NULLzlkey is an unrestricted signing key, scheme is expected to be TPM_ALG_RSAPSS, TPM_ALG_RSASSA, or TPM_ALG_NULLz[key is a restricted signing key, scheme is expected to be TPM_ALG_RSAPSS, or TPM_ALG_RSASSAzlkey is an unrestricted decryption key, scheme is expected to be TPM_ALG_RSAES, TPM_ALG_OAEP, or TPM_ALG_NULLzJkey is an restricted decryption key, scheme is expected to be TPM_ALG_NULLrHri) rO ATTRIBUTES RESTRICTEDDECRYPT TPM_ALG_NULLrM SIGN_ENCRYPTrr#r$r%r&) rRrS attributesrcrestricted_decryptionis_restricted_decryption_keyrdrestricted_signis_unrestricted_signing_keyis_restricted_signing_keyis_unrestricted_decryption_keyrerfr'r'r(r^s`          zTpmsRsaParms.parseNr_r'r'r'r(rbs rbc@seZdZedddZdS)Tpm2bPublicKeyRsarSrr2cCs|||dSNrGrKrO)rRrSr'r'r(r^szTpm2bPublicKeyRsa.parseN)rSrr2rt)r r!r"rar^r'r'r'r(rtsrtc@s>eZdZdZdZdZdZdZdZdZ dZ d Z d Z dd dZ dS) TpmEccCurvezTPM_ECC_CURVE https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf section 6.4 rrr r.r r2ec.EllipticCurvecCsv|tjkr td|tjkrtS|tjkrtS|tjkr$t S|tj kr-t S|tj kr6t Std|)Nz No such curvezcurve is not supported)rwNONErM NIST_P192r SECP192R1 NIST_P224 SECP224R1 NIST_P256 SECP256R1 NIST_P384 SECP384R1 NIST_P521 SECP521R1r9r'r'r(to_curve&s       zTpmEccCurve.to_curveN)r2r|)r r!r"r`r}r~rrrrBN_P256BN_P638SM2_P256rr'r'r'r(rwsrwc@s eZdZdZeZdZdZdZdS) TpmiAlgKdfzTPMI_ALG_KDF https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf section 9.28 r{!"N) r r!r"r`rkNULLKDF1_SP800_56AKDF2KDF1_SP800_108r'r'r'r(r7s rc@s<eZdZUded<ded<ded<ded<edd d Zd S) TpmsEccParmsrDrcrdrwcurve_idrkdfrSrr2cCs^|d}|d}|tkrtd|tkrtdt|d}t|d}|||||S)NrGrgzscheme is expected to be NULL)rOrkrMrwr)rRrSrcrdr kdf_schemer'r'r(r^Ks  zTpmsEccParms.parseN)rSrr2r)r r!r"r@rar^r'r'r'r(rDs rc@s0eZdZUdZded<ded<ed dd Zd S) TpmsEccPointzTPMS_ECC_POINT https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 11.2.5.2 r=rJyrSrr2cCs*||d}||d}|||Srurv)rRrSrJrr'r'r(r^ds zTpmsEccPoint.parseN)rSrr2rr_r'r'r'r(rZs rc@s@eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdS)rhzObject attributes see section 8.3 https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf r r.rr{@iiiiil sN)r r!r"r` FIXED_TPMST_CLEAR FIXED_PARENTSENSITIVE_DATA_ORIGINUSER_WITH_AUTHADMIN_WITH_POLICYNO_DAENCRYPTED_DUPLICATIONrirjrl SHALL_BE_ZEROr'r'r'r(rhlsrhc@sleZdZUdZded<ded<ded<ded <d ed <d ed <ded<edddZdddZdddZdS)TpmPublicFormatathe public area structure is defined by [TPMv2-Part2] Section 12.2.4 (TPMT_PUBLIC) as: TPMI_ALG_PUBLIC - type TPMI_ALG_HASH - nameAlg or + to indicate TPM_ALG_NULL TPMA_OBJECT - objectAttributes TPM2B_DIGEST - authPolicy TPMU_PUBLIC_PARMS - type parameters TPMU_PUBLIC_ID - uniq See: https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf r)sign_algr-name_algrDrmr= auth_policy _Parameters parameters_UniquerrBr2c Cst|}t|d}t|d}|d}|tj@dkr&td|d||d}|tjkr?t ||}t |}n|tj krOt |}t |}n td|dd|} t| dkrftd||||||||S) NrGrHrz(attributes is not formated correctly: 0xrJz sign alg z is not supportedz+there should not be any data left in buffer)rr)rOr-rhrrMrKr+rbr^rtr,rrr8len) rRrBrSrrrmrrrrestr'r'r(r^s(        zTpmPublicFormat.parse _PublicKeycCs|jtjkrtt|jj}ttt|j }t || t S|jtjkrCtt|j }tt|jt|jtt|jj t Std|j)Nzpublic_key not implemented for )rr)r+rrbrrfr rtrrRSAPublicNumbers public_keyrr,rrEllipticCurvePublicNumbersrJrrrrr8)r:rfmodulusrr'r'r(rs   zTpmPublicFormat.public_keycCs@td|j}tj|jtd}||j|| 7}|S)u Computing Entity Names see: https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf section 16 Names Name ≔ nameAlg || HnameAlg (handle→nvPublicArea) where nameAlg algorithm used to compute Name HnameAlg hash using the nameAlg parameter in the NV Index location associated with handle nvPublicArea contents of the TPMS_NV_PUBLIC associated with handle rGbackend) rPpackrrHashr;rupdaterBfinalize)r:outputdigestr'r'r(r>s   zTpmPublicFormat.nameN)rBr=r2r)r2r)r2r=) r r!r"r`r@rar^rr>r'r'r'r(rs   rcCsnt||jtj}|rtd|jtj}|std|jtj }dd|j D}d|vr5tddS)Nz#Certificate should not have Subjectz.Certificate should have SubjectAlternativeNamecSsg|]}|tkqSr')OID_AIK_CERTIFICATE).0rJr'r'r( sz&_validate_tpm_cert..TzExtended key usage MUST contain the "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.) r subjectget_attributes_for_oidrNameOIDr extensionsget_extension_for_classSubjectAlternativeNameExtendedKeyUsagevalue)certsexthas_aikr'r'r(_validate_tpm_certsrc@seZdZdZeddZdS)TpmAttestationtpmc CsHd|vrtd|d}|d}|d}t|dt}t|t||}z t |d} Wnt yE} zt d| d} ~ ww|j j| |j jkrWtd zAt |} ||} |j} tj| td }|| |}| j|kr~td | jj| krt d |||d ttj|WStytdw)N ecdaaKeyIdzECDAA not implementedalgx5ccertInforpubAreazunable to parse pubAreaz9attestation pubArea does not match attestedCredentialDatarz5attestation does not sign for authData and ClientDataz;TPMS_CERTIFY_INFO does not include a valid name for pubAreasigz$signature of certInfo does not match)r8rload_der_x509_certificaterrr for_algfrom_cryptography_keyrrr^ Exceptionrcredential_datarrA _HASH_ALGrrrrrBrFr>verifyrrATT_CA_InvalidSignature)r: statement auth_dataclient_data_hashrr cert_inforpub_keypub_arear]ratt_to_be_signedhash_algrrBr'r'r(rsT      zTpmAttestation.verifyN)r r!r"FORMATr rr'r'r'r(rsr)> __future__rbaserrrrrr r coser utilsr renumrrcryptography.hazmat.backendsr)cryptography.hazmat.primitives.asymmetricrrcryptography.hazmat.primitivesr cryptographyrcryptography.exceptionsr dataclassesrtypingrrrrPrkObjectIdentifierrrr)r-r<rLrNrArbr=rtrwrrrrh RSAPublicKeyEllipticCurvePublicKeyrrrrrrr'r'r'r(s^ $       QT!   [