salrashid123

Cosign SignBlob with GCP Identity Token from TPM

Snippet which uses a TPM based service account key to acquire an identity_token used to sign-blob using cosin

Normally, if you want to use cosign and a TPM, you would use the built in pkcs11 capability as described here:

• Container Signing with Cosign and TPM PKCS-11

However, this snippet encodes the service account private key into a TPM and then making it issue an id_token directly using:

salrashid123

Decoding ENCRYPTED SIGSTORE PRIVATE KEY cosign key format

basically, -----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY----- is not ans1 encoded but a JSON struct which looks like the follwoing

You need to decode/decrypt the EC key thats embedded inside it. The following keypair in the code does not have passphrase

also see cosign signature-specification

salrashid123

Sign and Verify TPM based JWT using github.com/lestrrat-go/jwx

Using a crypto.Signer from github.com/salrashid123/tpmsigner

Following using a swtpm

rm -rf /tmp/myvtpm && mkdir /tmp/myvtpm
swtpm_setup --tpmstate /tmp/myvtpm --tpm2 --create-ek-cert

salrashid123

GCP Python Workload Federation TPM based mTLS

If you want to use a TPM with GCP mTLS Workload Federation where the private key is embeded in a TPM.

GCP's native workload federation support in the SDK uses python request library which will autmoatically load and use a TPM based private key through openssl's provider interface.

For detailes about that, see:

• Python mTLS client/server with TPM based key
• GCP Workload Identity Federation using x509 certificates

salrashid123

package main

/*
rm -rf /tmp/myvtpm && mkdir /tmp/myvtpm && swtpm_setup --tpmstate /tmp/myvtpm --tpm2 --create-ek-cert && swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear --log level=2

export TPM2TOOLS_TCTI="swtpm:port=2321"
export TPMB="127.0.0.1:2321"


 go run main.go --parentKeyType=ecc_srk  --tpm-path=127.0.0.1:2321

salrashid123

Issue a JWT using github.com/lestrrat-go/jwx/v3/jwt

basically, you just have to pass in a crypto.Signer that represents the TPM-based key

there are several crypto.Signers around, i'm just using my own from

https://github.com/salrashid123/tpmsigner

also see

salrashid123

Generate MLKEM key using Trusted Platfrom Module as random number generator

the following snippet generates an MLKEM key using a variety of sources and then writes the keys to file as PEM format

• A) generate key internally in code
• B) generate key externally using default crypto/rand source
• C) generate a key externally using a TPM as the rand source ("github.com/salrashid123/tpmrand")
• D) generate key externally using a given hex string statically

also see

salrashid123

package main

import (
	"crypto/rand"
	"encoding/base64"
	"flag"
	"io"
	"log"
	"net"
	"slices"

salrashid123

ref: golang/go#75656

1. install golang go 1.25.1 and override handshake_server_tls13.go

2. create a restricted rsapss key and make it persistent

salrashid123

package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"flag"
	"fmt"
	"io"