use pcr and password policy callbacks

README.md

@@ -83,6 +83,11 @@ On the TPM device, prepare the key and then use `tpm2_tools` to create a primary
 cat tpm-svc-account.json | jq -r '.private_key' > /tmp/f.json
 openssl rsa -in /tmp/f.json -out /tmp/key_rsa.pem 
 
+## if you want to test using a software TPM instead:
+##  rm -rf /tmp/myvtpm && mkdir /tmp/myvtpm
+##  sudo swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear
+##  export TPM2TOOLS_TCTI="swtpm:port=2321"
+
 ## create the primary
 ### the specific primary here happens to be the h2 template described later on but you are free to define any template and policy
 
@@ -92,7 +97,9 @@ tpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a "fixedtpm|fixedpare
 # import
 
 tpm2_import -C primary.ctx -G rsa2048:rsassa:null -g sha256 -i /tmp/key_rsa.pem -u key.pub -r key.prv
+tpm2_flushcontext  -t
 tpm2_load -C primary.ctx -u key.pub -r key.prv -c key.ctx 
+tpm2_flushcontext  -t
 ```
 
 Delete the svc account json and the extracted formats; theyr'e no longer needed 
@@ -174,7 +181,7 @@ You can also invoke this binary as a full TokenSource as well:  see
 for `gcloud` cli, you could apply the token directly using [--access-token-file](https://cloud.google.com/sdk/gcloud/reference#--access-token-file):
 
 ```bash
-gcp-adc-tpm --persistentHandle=0x81008000 --svcAccountEmail="tpm-sa@$PROJECT_ID.iam.gserviceaccount.com"  | jq -r '.access_token' > token.txt
+gcp-adc-tpm --persistentHandle=0x81010002 --svcAccountEmail="tpm-sa@$PROJECT_ID.iam.gserviceaccount.com"  | jq -r '.access_token' > token.txt
 
 gcloud storage ls --access-token-file=token.txt
 ``` 
@@ -194,9 +201,11 @@ printf '\x00\x00' > unique.dat
 tpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt" -u unique.dat
 
 tpm2_import -C primary.ctx -G rsa2048:rsassa:null -g sha256 -i /tmp/key_rsa.pem -u key.pub -r key.prv -L policy.dat
+tpm2_flushcontext  -t
 tpm2_load -C primary.ctx -u key.pub -r key.prv -c key.ctx 
 
 tpm2_evictcontrol -C o -c key.ctx 0x81010003
+tpm2_flushcontext  -t
 ```
 
 Then run it and specify the pcr back to construct the policy against:
@@ -233,10 +242,12 @@ if you want to create a service account key which has a Password policy attached
 printf '\x00\x00' > unique.dat
 tpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt" -u unique.dat
 
-tpm2_import -C primary.ctx -G rsa2048:rsassa:null -g sha256 -i /tmp/key_rsa.pem -u key.pub -r key.prv -L policy.dat  -p testpwd
+tpm2_import -C primary.ctx -G rsa2048:rsassa:null  -p testpwd -g sha256 -i /tmp/key_rsa.pem -u key.pub -r key.prv 
+tpm2_flushcontext  -t
 tpm2_load -C primary.ctx -u key.pub -r key.prv -c key.ctx 
 
 tpm2_evictcontrol -C o -c key.ctx 0x81010004
+tpm2_flushcontext  -t
 ```
 
 Now run without the password, you'll see an error

adc.go

@@ -246,7 +246,7 @@ func main() {
 		_, _ = flushContextCmd.Execute(rwr)
 	}()
 
-	var sess tpm2.Session
+	var se tpmjwt.Session
 
 	if *pcrs != "" {
 		strpcrs := strings.Split(*pcrs, ",")
@@ -261,41 +261,16 @@ func main() {
 			pcrList = append(pcrList, uint(j))
 		}
 
-		var cleanup func() error
-		sess, cleanup, err = tpm2.PolicySession(rwr, tpm2.TPMAlgSHA256, 16)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "ERROR:  could not get PolicySession: %v", err)
-			os.Exit(1)
-		}
-		defer cleanup()
-
-		selection := tpm2.TPMLPCRSelection{
-			PCRSelections: []tpm2.TPMSPCRSelection{
-				{
-					Hash:      tpm2.TPMAlgSHA256,
-					PCRSelect: tpm2.PCClientCompatible.PCRs(pcrList...),
-				},
+		sel := []tpm2.TPMSPCRSelection{
+			{
+				Hash:      tpm2.TPMAlgSHA256,
+				PCRSelect: tpm2.PCClientCompatible.PCRs(pcrList...),
 			},
 		}
+		se, err = tpmjwt.NewPCRSession(rwr, sel)
 
-		expectedDigest, err := getExpectedPCRDigest(rwr, selection, tpm2.TPMAlgSHA256)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "ERROR:  could not get PolicySession: %v", err)
-			os.Exit(1)
-		}
-		_, err = tpm2.PolicyPCR{
-			PolicySession: sess.Handle(),
-			Pcrs:          selection,
-			PcrDigest: tpm2.TPM2BDigest{
-				Buffer: expectedDigest,
-			},
-		}.Execute(rwr)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Unable to create policyPCR: %v", err)
-			os.Exit(1)
-		}
-	} else {
-		sess = tpm2.PasswordAuth([]byte(keyPasswordAuth))
+	} else if keyPasswordAuth != "" {
+		se, err = tpmjwt.NewPasswordSession(rwr, []byte(keyPasswordAuth))
 	}
 
 	if err != nil {
@@ -324,11 +299,11 @@ func main() {
 
 	config := &tpmjwt.TPMConfig{
 		TPMDevice: rwc,
-		AuthHandle: &tpm2.AuthHandle{
+		NamedHandle: tpm2.NamedHandle{
 			Handle: svcAccountKey,
 			Name:   svcAccountKeyName,
-			Auth:   sess,
 		},
+		AuthSession:      se,
 		EncryptionHandle: encryptionSessionHandle,
 		EncryptionPub:    encryptionPub,
 	}

go.mod

@@ -5,18 +5,18 @@ go 1.22.0
 toolchain go1.22.2
 
 require (
-	github.com/foxboron/go-tpm-keyfiles v0.0.0-20240602112003-cb560bbb13d0
+	github.com/foxboron/go-tpm-keyfiles v0.0.0-20240605202447-9bee816335b2
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/go-tpm v0.9.1-0.20240514145214-58e3e47cd434
 	github.com/google/go-tpm-tools v0.4.4
-	github.com/salrashid123/golang-jwt-tpm v1.7.0
+	github.com/salrashid123/golang-jwt-tpm v1.8.1-0.20240606202535-4a9cc73e10e7
 )
 
 require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-sev-guest v0.11.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 )

go.sum

@@ -2,6 +2,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/foxboron/go-tpm-keyfiles v0.0.0-20240602112003-cb560bbb13d0 h1:xjkw6mnSWU9pi9QLQFRTvguUXwlxqgYPDI9O5xMHfTc=
 github.com/foxboron/go-tpm-keyfiles v0.0.0-20240602112003-cb560bbb13d0/go.mod h1:4CoszHnb6jqN2brhdGJQXKUKlEILXBiW+VcIsBmrla8=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20240605202447-9bee816335b2 h1:gO3hDiOpqFkKDF8Yyr1vpkoPLC9eVkgY/d0+tw8Q1ZY=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20240605202447-9bee816335b2/go.mod h1:uAyTlAUxchYuiFjTHmuIEJ4nGSm7iOPaGcAyA81fJ80=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -28,14 +30,22 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/salrashid123/golang-jwt-tpm v1.7.0 h1:BhV1F0r2eGVqjaIB35qw63w6kAqK2DMGdqzu/s4V4sM=
 github.com/salrashid123/golang-jwt-tpm v1.7.0/go.mod h1:j09G3lbE4f1xA8b/iJylp+vjM9zjbXU56+OS70eifTg=
+github.com/salrashid123/golang-jwt-tpm v1.8.0 h1:p0nvn6Fpu9BnWyQY6Wv8fDrwTxjN4Sz6I/r7lYdLh+w=
+github.com/salrashid123/golang-jwt-tpm v1.8.0/go.mod h1:j09G3lbE4f1xA8b/iJylp+vjM9zjbXU56+OS70eifTg=
+github.com/salrashid123/golang-jwt-tpm v1.8.1-0.20240606202535-4a9cc73e10e7 h1:Pf1R4jEDRNICUvVh3dILCNpJMAXSOTbJf+gsXzNl4kw=
+github.com/salrashid123/golang-jwt-tpm v1.8.1-0.20240606202535-4a9cc73e10e7/go.mod h1:j09G3lbE4f1xA8b/iJylp+vjM9zjbXU56+OS70eifTg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
 google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=