The following transfers a key from TPM-A to TPM-B and demonstrates policies that prevent further duplication to TPM-C
ref:
import google.auth
from google.oauth2 import service_account
from google.cloud import storage
from google.cloud import pubsub_v1
## requirements.txt
# google-cloud-storage
# google-cloud-pubsub
# requests
# google-api-python-client
The following diff extracts the EKM value for a given TLS connection and surfaces it to Lua (which emits the EKM as a header to the backend).
The Lua config will log the EKM in trace logs:
# envoy -c envoy_server.yaml -l trace
[2025-04-04 08:36:29.396][3334775][info][lua] [source/extensions/filters/common/lua/lua.cc:26] script log: >>>>>>>>>>>> EKM: XGurfnlqXyjXphhJrrCmHRoKXAwC7CjrD7vixHdqOIo=
which has the same derived EKM value as a sample client app (e.g., golang);
also see https://github.com/salrashid123/go_ekm_tls
$ gcc server.c -lcrypto -lssl -o server
$ ./server

Requires openssl-tpm2 provider
# export OPENSSL_MODULES=/usr/lib/x86_64-linux-gnu/ossl-modules/
#
# cat /etc/ssl/openssl.cnf
# [openssl_init]

package main
/*
Authenticate to GCP using the GCP embedded vTPM AttestationKey
this specific implementation acquires a JWTAccessToken with scopes
https://github.com/salrashid123/gcp-vtpm-ek-ak/tree/main?tab=readme-ov-file#sign-jwt-with-tpm
1. first create a gce instance with confidentialcompute and vtpm enabled
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/hmac.h>
package main
import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)
// JWT Thumbprint: https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/
// Appendix A. Examples
also see