
Improve tpm2.verify_ek to speed up cert matching


Currently we are brute forcing the entire list of signing certs by TPM manufacturers: see https://github.com/mit-ll/python-keylime/blob/master/keylime/tpm2.py#L625

import logging
import M2Crypto

logger = logging.getLogger(__name__)

def verify_ek(ek509, trusted_certs):
    # Brute force: try every trusted manufacturer CA (name -> PEM string) in turn
    # until one of their public keys verifies the EK certificate's signature.
    for signer in trusted_certs:
        signcert = M2Crypto.X509.load_cert_string(trusted_certs[signer])
        signkey = signcert.get_pubkey()
        if ek509.verify(signkey) == 1:
            logger.debug("EK cert matched signer %s" % signer)
            return True
    return False

This can be improved by determining the correct CA to check against based on info from the EK certificate, saving the trouble of a brute force.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 14 (9 by maintainers)

Top GitHub Comments

1 reaction
donky106 commented, Apr 20, 2020

Thanks for assigning. I appreciate that.

Currently you extract the CA (certificate authority), i.e. the signer, from each certificate in the array [trusted_certs].

With a public key of that CA you verify the X.509 certificate.

To avoid a brute force trying each trusted certificate you would like to determine the correct CA first. And verify with the correct CA.

The X.509 certificates are PEM-encoded.
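
The lookup that the issue body and the comment above both describe, as an added example that is not keylime's code and was not posted in the thread: instead of trying every trusted manufacturer CA, read the issuer from the EK certificate (its AuthorityKeyIdentifier, falling back to the issuer DN), index the trusted PEMs once by SubjectKeyIdentifier and subject DN, and verify the signature only against the CA(s) that match. It uses the `cryptography` package rather than M2Crypto, constructs its own sample vendor CAs and EK certificates (the vendor names are made up), assumes EK certs are issued directly by a CA in the trusted list rather than via an intermediate, and assumes PKCS#1 v1.5 for RSA-signed certs.

```python
# Added example, not keylime's code: find the EK cert's issuer directly instead of trying
# every trusted CA. Uses `cryptography` rather than M2Crypto; all names and certs are constructed here.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID


def _builder(subject, issuer, pubkey):
    now = datetime.datetime(2020, 4, 20, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650)))

def make_ca(common_name):
    """Constructed sample manufacturer CA (self-signed, EC for speed); returns (key, PEM)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (_builder(name, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert.public_bytes(Encoding.PEM)

def make_ek(ca_key, ca_pem, with_aki=True):
    """Constructed sample EK cert issued by the given CA; AKI optional so the DN fallback can be shown."""
    ca = x509.load_pem_x509_certificate(ca_pem)
    ek_key = ec.generate_private_key(ec.SECP256R1())
    b = _builder(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "TPM EK")]), ca.subject, ek_key.public_key())
    if with_aki:
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca.public_key()), critical=False)
    return b.sign(ca_key, hashes.SHA256()).public_bytes(Encoding.PEM)

def build_index(trusted_certs):
    """Parse the trusted PEMs once; index by subject DN (DER bytes) and by SubjectKeyIdentifier."""
    by_subject, by_ski = {}, {}
    for signer, pem in trusted_certs.items():
        ca = x509.load_pem_x509_certificate(pem)
        by_subject.setdefault(ca.subject.public_bytes(), []).append((signer, ca))
        try:
            ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
            by_ski.setdefault(ski, []).append((signer, ca))
        except x509.ExtensionNotFound:
            pass
    return by_subject, by_ski

def candidate_signers(ek, by_subject, by_ski):
    """CAs worth trying: AuthorityKeyIdentifier match first (unambiguous), else issuer DN.
    Both fields are read from the untrusted EK cert, so they only narrow the search;
    the signature check is still what establishes trust."""
    try:
        aki = ek.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
        if aki is not None and aki in by_ski:
            return by_ski[aki]
    except x509.ExtensionNotFound:
        pass
    return by_subject.get(ek.issuer.public_bytes(), [])

def signed_by(ek, ca):
    """True iff the CA key verifies the EK cert's signature over its TBSCertificate (RSA: PKCS#1 v1.5 assumed)."""
    pub = ca.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(ek.signature, ek.tbs_certificate_bytes, padding.PKCS1v15(), ek.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(ek.signature, ek.tbs_certificate_bytes, ec.ECDSA(ek.signature_hash_algorithm))
        else:
            return False  # unsupported key type: refuse rather than guess
        return True
    except InvalidSignature:
        return False

def verify_ek(ek_pem, trusted_certs):
    """Return (matching signer name or None, number of CAs actually tried)."""
    ek = x509.load_pem_x509_certificate(ek_pem)
    by_subject, by_ski = build_index(trusted_certs)
    tried = 0
    for signer, ca in candidate_signers(ek, by_subject, by_ski):
        tried += 1
        if signed_by(ek, ca):
            return signer, tried
    return None, tried

def demo():
    """Constructed scenario: three trusted CAs plus a lookalike that reuses Vendor B's DN with another key."""
    cas = {n: make_ca(n) for n in ("Vendor A EK CA", "Vendor B EK CA", "Vendor C EK CA")}
    trusted = {n: pem for n, (_, pem) in cas.items()}
    rogue_key, rogue_pem = make_ca("Vendor B EK CA")  # not in trusted; same name must not be enough
    return {
        "genuine_aki": verify_ek(make_ek(*cas["Vendor C EK CA"]), trusted),
        "genuine_no_aki": verify_ek(make_ek(*cas["Vendor B EK CA"], with_aki=False), trusted),
        "lookalike": verify_ek(make_ek(rogue_key, rogue_pem), trusted),
        "unknown_issuer": verify_ek(make_ek(*make_ca("Unknown CA")), trusted),
    }
```

Each `verify_ek` call touches at most one CA here instead of all three, and the lookalike case shows why the issuer lookup must stay a hint rather than a decision: the rogue CA carries Vendor B's exact DN, so the DN fallback selects the trusted Vendor B cert, and only the failed signature check rejects the EK. Real manufacturer EK certificates are often issued by an intermediate CA; in that case the intermediate (or the whole chain) has to be in the trusted set for this direct lookup to find it.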

0 reactions
github-actions[bot] commented, Jan 13, 2021

🎉 This issue has been resolved in version 4.0.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


Top Results From Across the Web

Solved: How to validate endorsement key certificate in Inf...
Solved: Hi We are trying to find a proper way to validate TPM EK certificate when we received it from shipment.

Simple TPM2 Remote Attestation - safeboot
When the user wants to connect to another computer over the network, they typically authenticate with a password and some sort of two...

TPM 2.0 Keys for Device Identity and Attestation
4.1 Verifying TPM Protection of an Attestation Key. ... attestation key, with the certificate subject matching the LDevID certificate.

Owner creation of LAK certificate based on IAK certificate #3095
Hi, I am trying to reconstruct the whole process of DevID enrollment according section 5.7 of specification TPM 2.0 Keys for Device Identity ......

Using TPMs to Cryptographically Verify Devices at Scale
Using TPMs to Cryptographically Verify Devices at Scale - Matthew Garrett & Tom D'Netto, Google. Once a new device leaves IT and enters user ......
