
@salrashid123
salrashid123 / jwtTPM.md
Last active January 22, 2026 11:10
Issue a TPM based JWT using `github.com/lestrrat-go/jwx/v3/jwt`

Issue a JWT using github.com/lestrrat-go/jwx/v3/jwt

basically, you just have to pass in a crypto.Signer that represents the TPM-based key

There are several crypto.Signers around; I'm just using my own from

https://github.com/salrashid123/tpmsigner

also see

@salrashid123
salrashid123 / mlkem_generate_externally.md
Last active January 5, 2026 11:15
Generate MLKEM key using Trusted Platform Module as random number generator

Generate MLKEM key using Trusted Platform Module as random number generator

the following snippet generates an MLKEM key using a variety of sources and then writes the keys to a file in PEM format

  • A) generate key internally in code
  • B) generate key externally using default crypto/rand source
  • C) generate a key externally using a TPM as the rand source ("github.com/salrashid123/tpmrand")
  • D) generate key externally using a given hex string statically

also see

package main
import (
"crypto/rand"
"encoding/base64"
"flag"
"io"
"log"
"net"
"slices"
@salrashid123
salrashid123 / tls_message_signer.md
Last active October 2, 2025 01:30
TLS with Restricted TPM Signing key and crypto.MessageSigner
@salrashid123
salrashid123 / server.go
Last active October 2, 2025 02:03
server code for crypto.messagesigner patch for TLS (https://github.com/golang/go/issues/75656)
package main
import (
"crypto/tls"
"crypto/x509"
"encoding/hex"
"encoding/pem"
"flag"
"fmt"
"io"
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package tls
import (
"bytes"
"context"
"crypto"
@salrashid123
salrashid123 / ops_agent.md
Created September 20, 2025 18:51
GCE Metadata server emulator with the GCP OpsAgent

The following describes how to run the GCE Metadata Server Emulator with the GCP OpsAgent

Note that the opsAgent is only supported on specific GCP VMs as described here ("The Ops Agent is not supported on Amazon Elastic Compute Cloud (Amazon EC2) instances or on-premises machines.")

However, if you really want to, you can coax it to run with this emulator; the following steps detail such a configuration, where the Ops Agent runs in a local Docker container alongside the emulator.

(Needless to say, this is unsupported and can produce unpredictable results; e.g., the logs appear as if they came from a gce_vm. For on-prem, you should use bindplane.)

@salrashid123
salrashid123 / exponent.go
Created August 24, 2025 19:05
create ek rsa key with exponent
package main
import (
"crypto/x509"
"encoding/hex"
"encoding/pem"
"flag"
"io"
"log"
"net"
@salrashid123
salrashid123 / getName.md
Last active August 22, 2025 12:53
TPM "getName" from RSA|ECC PEM publickey

get the TPM "name" from the RSA or ECC PEM public key
RSA EK

tpm2_createek -c /tmp/ek.ctx -G rsa -u /tmp/ek.pub 
tpm2_readpublic -c /tmp/ek.ctx -o /tmp/ek.pem -f PEM -n /tmp/ek.name
@salrashid123
salrashid123 / main.py
Last active August 1, 2025 04:00
Adding x-request-reason to python google cloud clients
import google.auth
from google.oauth2 import service_account
from google.cloud import storage
from google.cloud import pubsub_v1
## requirements.txt
# google-cloud-storage
# google-cloud-pubsub
# requests
# google-api-python-client