Breaking: replace NameHandle with Handle

salrashid123 · salrashid123 · commit a9c81c08d3cd · 2025-03-31T12:08:02.000-04:00
Signed-off-by: sal rashid &lt;salrashid123@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -79,16 +79,9 @@ If you just want to issue JWT's, see
 	rwc, err := OpenTPM(*tpmPath)
 	rwr := transport.FromReadWriter(rwc)
 
-	pub, err := tpm2.ReadPublic{
-		ObjectHandle: tpm2.TPMHandle(*handle),
-	}.Execute(rwr)
-
 	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		Handle:    tpm2.TPMHandle(persistentHandle),
 	})
 
 	s, err := r.Sign(rand.Reader, digest, crypto.SHA256)
@@ -274,10 +267,7 @@ which you can call as:
 
 	rr, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		Handle:    tpm2.TPMHandle(*handle*),
 		AuthSession: se,
 	})
 ```
diff --git a/example/sign_verify_tpm/ecc/main.go b/example/sign_verify_tpm/ecc/main.go
@@ -17,7 +17,6 @@ import (
 
 	"github.com/google/go-tpm-tools/simulator"
 	"github.com/google/go-tpm/tpm2"
-	"github.com/google/go-tpm/tpm2/transport"
 	"github.com/google/go-tpm/tpmutil"
 	saltpm "github.com/salrashid123/signer/tpm"
 )
@@ -68,15 +67,6 @@ func main() {
 		}
 	}()
 
-	rwr := transport.FromReadWriter(rwc)
-
-	pub, err := tpm2.ReadPublic{
-		ObjectHandle: tpm2.TPMHandle(*handle),
-	}.Execute(rwr)
-	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
-	}
-
 	stringToSign := "foo"
 	fmt.Printf("Data to sign %s\n", stringToSign)
 
@@ -87,11 +77,8 @@ func main() {
 	digest := h.Sum(nil)
 
 	er, err := saltpm.NewTPMCrypto(&saltpm.TPM{
-		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		TpmDevice:    rwc,
+		Handle:       tpm2.TPMHandle(*handle),
 		ECCRawOutput: true, // use raw output; not asn1
 	})
 	if err != nil {
@@ -130,10 +117,7 @@ func main() {
 	// now verify with ASN1 output format for ecc using library managed device
 	erasn, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		Handle:    tpm2.TPMHandle(*handle),
 		//ECCRawOutput: false,
 	})
 	if err != nil {
diff --git a/example/sign_verify_tpm/keyfile/main.go b/example/sign_verify_tpm/keyfile/main.go
@@ -108,13 +108,6 @@ func main() {
 		log.Fatalf("can't load  hmacKey : %v", err)
 	}
 
-	pub, err := tpm2.ReadPublic{
-		ObjectHandle: rsaKey.ObjectHandle,
-	}.Execute(rwr)
-	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
-	}
-
 	stringToSign := "foo"
 	fmt.Printf("Data to sign %s\n", stringToSign)
 
@@ -126,10 +119,7 @@ func main() {
 
 	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: rsaKey.ObjectHandle,
-			Name:   pub.Name,
-		},
+		Handle:    rsaKey.ObjectHandle,
 	})
 
 	if err != nil {
diff --git a/example/sign_verify_tpm/policy_password/main.go b/example/sign_verify_tpm/policy_password/main.go
@@ -75,13 +75,6 @@ func main() {
 
 	rwr := transport.FromReadWriter(rwc)
 
-	pub, err := tpm2.ReadPublic{
-		ObjectHandle: tpm2.TPMHandle(*handle),
-	}.Execute(rwr)
-	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
-	}
-
 	stringToSign := "foo"
 	fmt.Printf("Data to sign %s\n", stringToSign)
 
@@ -98,11 +91,8 @@ func main() {
 	}
 
 	rr, err := saltpm.NewTPMCrypto(&saltpm.TPM{
-		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		TpmDevice:   rwc,
+		Handle:      tpm2.TPMHandle(*handle),
 		AuthSession: se,
 	})
 
diff --git a/example/sign_verify_tpm/policy_pcr/main.go b/example/sign_verify_tpm/policy_pcr/main.go
@@ -83,13 +83,6 @@ func main() {
 
 	rwr := transport.FromReadWriter(rwc)
 
-	pub, err := tpm2.ReadPublic{
-		ObjectHandle: tpm2.TPMHandle(*handle),
-	}.Execute(rwr)
-	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
-	}
-
 	stringToSign := "foo"
 	fmt.Printf("Data to sign %s\n", stringToSign)
 
@@ -111,11 +104,8 @@ func main() {
 	}
 
 	rr, err := saltpm.NewTPMCrypto(&saltpm.TPM{
-		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		TpmDevice:   rwc,
+		Handle:      tpm2.TPMHandle(*handle),
 		AuthSession: se,
 	})
 
diff --git a/example/sign_verify_tpm/rsapss/main.go b/example/sign_verify_tpm/rsapss/main.go
@@ -16,7 +16,6 @@ import (
 
 	"github.com/google/go-tpm-tools/simulator"
 	"github.com/google/go-tpm/tpm2"
-	"github.com/google/go-tpm/tpm2/transport"
 	"github.com/google/go-tpm/tpmutil"
 	saltpm "github.com/salrashid123/signer/tpm"
 )
@@ -68,15 +67,6 @@ func main() {
 		}
 	}()
 
-	rwr := transport.FromReadWriter(rwc)
-
-	pub, err := tpm2.ReadPublic{
-		ObjectHandle: tpm2.TPMHandle(*handle),
-	}.Execute(rwr)
-	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
-	}
-
 	stringToSign := "foo"
 	fmt.Printf("Data to sign %s\n", stringToSign)
 
@@ -88,10 +78,7 @@ func main() {
 
 	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		Handle:    tpm2.TPMHandle(*handle),
 	})
 
 	if err != nil {
diff --git a/example/sign_verify_tpm/rsassa/main.go b/example/sign_verify_tpm/rsassa/main.go
@@ -16,7 +16,6 @@ import (
 
 	"github.com/google/go-tpm-tools/simulator"
 	"github.com/google/go-tpm/tpm2"
-	"github.com/google/go-tpm/tpm2/transport"
 	"github.com/google/go-tpm/tpmutil"
 	saltpm "github.com/salrashid123/signer/tpm"
 )
@@ -67,15 +66,6 @@ func main() {
 		}
 	}()
 
-	rwr := transport.FromReadWriter(rwc)
-
-	pub, err := tpm2.ReadPublic{
-		ObjectHandle: tpm2.TPMHandle(*handle),
-	}.Execute(rwr)
-	if err != nil {
-		log.Fatalf("error executing tpm2.ReadPublic %v", err)
-	}
-
 	stringToSign := "foo"
 	fmt.Printf("Data to sign %s\n", stringToSign)
 
@@ -87,10 +77,7 @@ func main() {
 
 	r, err := saltpm.NewTPMCrypto(&saltpm.TPM{
 		TpmDevice: rwc,
-		NamedHandle: &tpm2.NamedHandle{
-			Handle: tpm2.TPMHandle(*handle),
-			Name:   pub.Name,
-		},
+		Handle:    tpm2.TPMHandle(*handle),
 	})
 
 	if err != nil {
diff --git a/tpm/tpm.go b/tpm/tpm.go
@@ -43,11 +43,12 @@ type TPM struct {
 	publicKey       crypto.PublicKey
 	tpmPublic       tpm2.TPMTPublic
 
-	NamedHandle      *tpm2.NamedHandle  // the name handle to the key to use
+	//NamedHandle      *tpm2.NamedHandle  // the name handle to the key to use
+	Handle           tpm2.TPMHandle // the name handle to the key to use
+	name             tpm2.TPM2BName
 	AuthSession      Session            // If the key needs a session, supply `Session` from this repo
 	TpmDevice        io.ReadWriteCloser // TPM read closer
 	EncryptionHandle tpm2.TPMHandle     // (optional) handle to use for transit encryption
-	EncryptionPub    *tpm2.TPMTPublic   // (optional) public key to use for transit encryption
 }
 
 // Configure a new TPM crypto.Signer
@@ -60,18 +61,17 @@ func NewTPMCrypto(conf *TPM) (TPM, error) {
 	if conf.TpmDevice == nil {
 		return TPM{}, fmt.Errorf("salrashid123/signer: TpmDevice must be specified")
 	}
-	if conf.NamedHandle == nil {
-		return TPM{}, fmt.Errorf("salrashid123/signer: NameHandke must be specified")
-	}
+
 	rwr := transport.FromReadWriter(conf.TpmDevice)
 
 	// todo: we should supply the encrypted session here, if set
 	pub, err := tpm2.ReadPublic{
-		ObjectHandle: conf.NamedHandle.Handle,
+		ObjectHandle: tpm2.TPMIDHObject(conf.Handle.HandleValue()),
 	}.Execute(rwr)
 	if err != nil {
 		return TPM{}, fmt.Errorf("salrashid123/signer: Unable to Read Public data from TPM: %v", err)
 	}
+	conf.name = pub.Name
 
 	pc, err := pub.OutPublic.Contents()
 	if err != nil {
@@ -131,8 +131,18 @@ func (t TPM) Sign(rr io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte,
 
 	var sess tpm2.Session
 
-	if t.EncryptionHandle != 0 && t.EncryptionPub != nil {
-		sess = tpm2.HMAC(tpm2.TPMAlgSHA256, 16, tpm2.AESEncryption(128, tpm2.EncryptIn), tpm2.Salted(t.EncryptionHandle, *t.EncryptionPub))
+	if t.EncryptionHandle != 0 {
+		encryptionPub, err := tpm2.ReadPublic{
+			ObjectHandle: t.EncryptionHandle,
+		}.Execute(rwr)
+		if err != nil {
+			return nil, err
+		}
+		ePubName, err := encryptionPub.OutPublic.Contents()
+		if err != nil {
+			return nil, err
+		}
+		sess = tpm2.HMAC(tpm2.TPMAlgSHA256, 16, tpm2.AESEncryption(128, tpm2.EncryptIn), tpm2.Salted(t.EncryptionHandle, *ePubName))
 	} else {
 		sess = tpm2.HMAC(tpm2.TPMAlgSHA256, 16, tpm2.AESEncryption(128, tpm2.EncryptIn))
 	}
@@ -175,8 +185,8 @@ func (t TPM) Sign(rr io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte,
 		}
 		rspSign, err := tpm2.Sign{
 			KeyHandle: tpm2.AuthHandle{
-				Handle: t.NamedHandle.Handle,
-				Name:   t.NamedHandle.Name,
+				Handle: t.Handle,
+				Name:   t.name,
 				Auth:   se,
 			},
 
@@ -220,8 +230,8 @@ func (t TPM) Sign(rr io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte,
 		}
 		rspSign, err := tpm2.Sign{
 			KeyHandle: tpm2.AuthHandle{
-				Handle: t.NamedHandle.Handle,
-				Name:   t.NamedHandle.Name,
+				Handle: t.Handle,
+				Name:   t.name,
 				Auth:   se,
 			},
 
diff --git a/tpm/tpm_test.go b/tpm/tpm_test.go
diff --git a/util/certgen/certgen.go b/util/certgen/certgen.go
diff --git a/util/csrgen/csrgen.go b/util/csrgen/csrgen.go
