Remove P224 support and upgrade deprecated methods

yawangwang · yawangwang · commit 199388976309 · 2024-08-23T18:46:45.000Z
diff --git a/cmd/token.go b/cmd/token.go
@@ -107,7 +107,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 			}
 
 			cloudLogger = cloudLogClient.Logger(toolName)
-			fmt.Fprintf(debugOutput(), "cloudLogger created for project: "+projectID+"\n")
+			fmt.Fprint(debugOutput(), "cloudLogger created for project: "+projectID+"\n")
 		}
 
 		key = "gceAK"
@@ -175,7 +175,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 		}
 
 		if output == "" {
-			fmt.Fprintf(messageOutput(), string(token)+"\n")
+			fmt.Fprint(messageOutput(), string(token)+"\n")
 		} else {
 			out := []byte(token)
 			if _, err := dataOutput().Write(out); err != nil {
@@ -194,7 +194,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 			}
 		}
 
-		fmt.Fprintf(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")
+		fmt.Fprint(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")
 
 		return nil
 	},
diff --git a/server/import.go b/server/import.go
@@ -5,13 +5,14 @@ import (
 	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/elliptic"
+	"crypto/ecdsa"
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/rsa"
 	"fmt"
 	"hash"
 	"io"
+	"math/big"
 
 	"github.com/google/go-tpm/legacy/tpm2"
 	"github.com/google/go-tpm/tpmutil"
@@ -131,25 +132,45 @@ func createECCSeed(ek tpm2.Public) (seed, encryptedSeed []byte, err error) {
 	if err != nil {
 		return nil, nil, err
 	}
-	priv, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
+
+	ecdsaPriv, err := ecdsa.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	ecdhPriv, err := ecdsaPriv.ECDH()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	pub, err := ek.Key()
 	if err != nil {
 		return nil, nil, err
 	}
-	ekPoint := ek.ECCParameters.Point
-	z, _ := curve.ScalarMult(ekPoint.X(), ekPoint.Y(), priv)
-	xBytes := eccIntToBytes(curve, x)
+
+	ekPub, err := pub.(*ecdsa.PublicKey).ECDH()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	zBytes, err := ecdhPriv.ECDH(ekPub)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	xBytes := eccIntToBytes(curve, ecdsaPriv.X)
 
 	seed, err = tpm2.KDFe(
 		ek.NameAlg,
-		eccIntToBytes(curve, z),
+		eccIntToBytes(curve, new(big.Int).SetBytes(zBytes)),
 		"DUPLICATE",
 		xBytes,
-		eccIntToBytes(curve, ekPoint.X()),
+		eccIntToBytes(curve, ek.ECCParameters.Point.X()),
 		getHash(ek.NameAlg).Size()*8)
 	if err != nil {
 		return nil, nil, err
 	}
-	encryptedSeed, err = tpmutil.Pack(tpmutil.U16Bytes(xBytes), tpmutil.U16Bytes(eccIntToBytes(curve, y)))
+	encryptedSeed, err = tpmutil.Pack(tpmutil.U16Bytes(xBytes), tpmutil.U16Bytes(eccIntToBytes(curve, ecdsaPriv.Y)))
 	return seed, encryptedSeed, err
 }
 
diff --git a/server/import_test.go b/server/import_test.go
@@ -25,7 +25,6 @@ func TestImport(t *testing.T) {
 		{"ECC", client.DefaultEKTemplateECC()},
 		{"SRK-RSA", client.SRKTemplateRSA()},
 		{"SRK-ECC", client.SRKTemplateECC()},
-		{"ECC-P224", getECCTemplate(tpm2.CurveNISTP224)},
 		{"ECC-P256", getECCTemplate(tpm2.CurveNISTP256)},
 		{"ECC-P384", getECCTemplate(tpm2.CurveNISTP384)},
 		{"ECC-P521", getECCTemplate(tpm2.CurveNISTP521)},

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`cloudLogger = cloudLogClient.Logger(toolName)`
`110`		`- fmt.Fprintf(debugOutput(), "cloudLogger created for project: "+projectID+"\n")`
	`110`	`+ fmt.Fprint(debugOutput(), "cloudLogger created for project: "+projectID+"\n")`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`key = "gceAK"`
`@@ -175,7 +175,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`if output == "" {`
`178`		`- fmt.Fprintf(messageOutput(), string(token)+"\n")`
	`178`	`+ fmt.Fprint(messageOutput(), string(token)+"\n")`
`179`	`179`	`} else {`
`180`	`180`	`out := []byte(token)`
`181`	`181`	`if _, err := dataOutput().Write(out); err != nil {`
`@@ -194,7 +194,7 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest`
`194`	`194`	`}`
`195`	`195`	`}`
`196`	`196`
`197`		`- fmt.Fprintf(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")`
	`197`	`+ fmt.Fprint(debugOutput(), string(claimsString)+"\n"+"Note: these Claims are for debugging purpose and not verified"+"\n")`
`198`	`198`
`199`	`199`	`return nil`
`200`	`200`	`},`