From fbbd355c9f81d4b35a10b2befcbb174fcea2ef8a Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Tue, 27 Jun 2023 22:35:03 +0200
Subject: [PATCH 1/3] Upgrade to `go.step.sm/crypto` v0.32.2
---
 go.mod | 6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index fb1485186..142fede8e 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 github.com/urfave/cli v1.22.14
 go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 go.step.sm/cli-utils v0.7.6
- go.step.sm/crypto v0.32.1
+ go.step.sm/crypto v0.32.2
 go.step.sm/linkedca v0.19.1
 golang.org/x/crypto v0.10.0
 golang.org/x/sys v0.9.0
@@ -127,12 +127,12 @@ require (
 golang.org/x/oauth2 v0.8.0 // indirect
 golang.org/x/text v0.10.0 // indirect
 golang.org/x/tools v0.6.0 // indirect
- google.golang.org/api v0.127.0 // indirect
+ google.golang.org/api v0.128.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
- google.golang.org/grpc v1.56.0 // indirect
+ google.golang.org/grpc v1.56.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 howett.net/plist v1.0.0 // indirect
 k8s.io/klog/v2 v2.90.0 // indirect
diff --git a/go.sum b/go.sum
index 01a6f1bf9..abb02255c 100644
--- a/go.sum
+++ b/go.sum
@@ -1058,8 +1058,8 @@ go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16g
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.step.sm/cli-utils v0.7.6 h1:YkpLVrepmy2c5+eaz/wduiGxlgrRx3YdAStE37if25g=
 go.step.sm/cli-utils v0.7.6/go.mod h1:j+FxFZ2gbWkAJl0eded/rksuxmNqWpmyxbkXcukGJaY=
-go.step.sm/crypto v0.32.1 h1:kAiL21zTqAgYu1geOYxH+ApUCUX+oclB25TccnNEYTU=
-go.step.sm/crypto v0.32.1/go.mod h1:JwarCq+Sn6N8IbRSKfSJfjUNKfO8c4N1mcNxYXuxXzc=
+go.step.sm/crypto v0.32.2 h1:EhJpFRNgU3RaNEO3WZ62Kn2gF9NWNglNG4DvSPeuiTs=
+go.step.sm/crypto v0.32.2/go.mod h1:JwarCq+Sn6N8IbRSKfSJfjUNKfO8c4N1mcNxYXuxXzc=
 go.step.sm/linkedca v0.19.1 h1:uY0ByT/uB3FCQ8zIo9mU7MWG7HKf5sDXNEBeN94MuP8=
 go.step.sm/linkedca v0.19.1/go.mod h1:vPV2ad3LFQJmV7XWt87VlnJSs6UOqgsbVGVWe3veEmI=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -1483,8 +1483,8 @@ google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtuk
 google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
 google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
 google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.127.0 h1:v7rj0vA0imM3Ou81k1eyFxQNScLzn71EyGnJDr+V/XI=
-google.golang.org/api v0.127.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750=
+google.golang.org/api v0.128.0 h1:RjPESny5CnQRn9V6siglged+DZCgfu9l6mO9dkX9VOg=
+google.golang.org/api v0.128.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1603,8 +1603,8 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.56.0 h1:+y7Bs8rtMd07LeXmL3NxcTLn7mUkbKZqEpPhMNkwJEE=
-google.golang.org/grpc v1.56.0/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ=
+google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
From ddf12f1ac488f9e27c963b405a9e46b1a9f79bc9 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 28 Jun 2023 00:39:28 +0200
Subject: [PATCH 2/3] Support providing a TPM device name
---
 command/ca/certificate.go | 4 ++++
 utils/cautils/acmeutils.go | 17 ++++++++++++++++-
 utils/cautils/tpm.go | 3 ++-
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/command/ca/certificate.go b/command/ca/certificate.go
index 78cdae403..e0124232e 100644
--- a/command/ca/certificate.go
+++ b/command/ca/certificate.go
@@ -173,6 +173,10 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 Usage: "The directory where TPM keys and certificates will be stored",
 Value: filepath.Join(step.Path(), "tpm"),
 },
+ cli.StringFlag{
+ Name: "tpm-device",
+ Usage: "The TPM device (name) to use",
+ },
 flags.TemplateSet,
 flags.TemplateSetFile,
 flags.CaConfig,
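Review bot: The `Usage` text of the new `tpm-device` flag does not tell the user what value is expected or when the flag takes effect; the other hunks of this series read it only on the TPM paths (`doTPMAttestation`, the `tpmkms:` branch of `doDeviceAttestation` and the `af.tpmSigner != nil` branch of `GetCertificate`), so for every other flow it is silently ignored. Something like `Usage: "The name (path) of the TPM device to use with TPM-based attestation; leave empty to use the default device"` would make that explicit. The "default device" part describes what passing an empty name to `tpm.WithDeviceName` presumably does and should be confirmed against go.step.sm/crypto/tpm before it is worded that way. The `Flags` slice this entry belongs to starts and ends outside the hunk.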
diff --git a/utils/cautils/acmeutils.go b/utils/cautils/acmeutils.go
index fe350b146..bb2b31eae 100644
--- a/utils/cautils/acmeutils.go
+++ b/utils/cautils/acmeutils.go
@@ -32,6 +32,8 @@ import (
 "go.step.sm/crypto/keyutil"
 "go.step.sm/crypto/pemutil"
 "go.step.sm/crypto/tpm"
+ "go.step.sm/crypto/kms/apiv1"
+ "go.step.sm/crypto/kms/uri"
 tpmstorage "go.step.sm/crypto/tpm/storage"
 "github.com/smallstep/certificates/acme"
@@ -401,8 +403,20 @@ type attestationObject struct {
 // doDeviceAttestation performs `device-attest-01` challenge validation.
 func doDeviceAttestation(clictx *cli.Context, ac *ca.ACMEClient, ch *acme.Challenge, identifier string, af *acmeFlow) error {
 // TODO(hs): make TPM flow work with CreateAttestor()/Attest() too
+ // TODO: prepare the full attestation-uri: fill in missing data, fill in values from flags,
+ // get defaults (AK name, based on TPM presence); fail early if no TPM available.
 attestationURI := clictx.String("attestation-uri")
 if strings.HasPrefix(attestationURI, "tpmkms:") {
+ u, err := uri.ParseWithScheme(string(apiv1.TPMKMS), attestationURI)
+ if err != nil {
+ return fmt.Errorf("failed to parse %q", err)
+ }
+ if device := clictx.String("tpm-device"); device != "" {
+ u.Values.Set("device", device)
+ clictx.Set("attestation-uri", u.String())
+ attestationURI = clictx.String("attestation-uri")
+ }
+
 return doTPMAttestation(clictx, ac, ch, identifier, af)
 }
@@ -831,7 +845,8 @@ func (af *acmeFlow) GetCertificate() ([]*x509.Certificate, error) {
 // instead of creating a new instance.
 if af.tpmSigner != nil {
 tpmStorageDirectory := af.ctx.String("tpm-storage-directory")
- t, err := tpm.New(tpm.WithStore(tpmstorage.NewDirstore(tpmStorageDirectory)))
+ tpmDevice := af.ctx.String("tpm-device")
+ t, err := tpm.New(tpm.WithStore(tpmstorage.NewDirstore(tpmStorageDirectory)), tpm.WithDeviceName(tpmDevice))
 if err != nil {
 return nil, fmt.Errorf("failed initializing TPM: %w", err)
 }
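Review bot: `clictx.Set("attestation-uri", u.String())` in the `tpmkms:` branch of `doDeviceAttestation` discards the error that urfave/cli's `Context.Set` returns, so if the update fails the flow silently continues with the original URI and the device name travels only via the `--tpm-device` flag; write `if err := clictx.Set("attestation-uri", u.String()); err != nil { return fmt.Errorf("failed setting attestation-uri: %w", err) }`. The same unchecked call survives in the third patch's hunk of this file. Note also that `u.Values.Set("device", device)` overwrites a `device` value the user may already have put in the attestation URI, so the flag wins over the URI without any message; either state that precedence in the flag's usage text or reject the conflicting combination explicitly. The body of `doDeviceAttestation`, and that of `GetCertificate` in the third hunk, continue outside the hunks.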
diff --git a/utils/cautils/tpm.go b/utils/cautils/tpm.go
index 77bf2713d..5ca66111c 100644
--- a/utils/cautils/tpm.go
+++ b/utils/cautils/tpm.go
@@ -38,7 +38,8 @@ import (
 func doTPMAttestation(clictx *cli.Context, ac *ca.ACMEClient, ch *acme.Challenge, identifier string, af *acmeFlow) error {
 tpmStorageDirectory := clictx.String("tpm-storage-directory")
- t, err := tpm.New(tpm.WithStore(tpmstorage.NewDirstore(tpmStorageDirectory)))
+ tpmDevice := clictx.String("tpm-device")
+ t, err := tpm.New(tpm.WithStore(tpmstorage.NewDirstore(tpmStorageDirectory)), tpm.WithDeviceName(tpmDevice))
 if err != nil {
 return fmt.Errorf("failed initializing TPM: %w", err)
 }
From 4daa9dd6f5d9f2ca8905ad32f58e0d7bc9766cc1 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 25 Oct 2023 00:02:14 +0200
Subject: [PATCH 3/3] Fix linter issues
---
 utils/cautils/acmeutils.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/utils/cautils/acmeutils.go b/utils/cautils/acmeutils.go
index 1366057c4..b4f2fdfba 100644
--- a/utils/cautils/acmeutils.go
+++ b/utils/cautils/acmeutils.go
@@ -409,12 +409,11 @@ func doDeviceAttestation(clictx *cli.Context, ac *ca.ACMEClient, ch *acme.Challe
 if strings.HasPrefix(attestationURI, "tpmkms:") {
 u, err := uri.ParseWithScheme(string(apiv1.TPMKMS), attestationURI)
 if err != nil {
- return fmt.Errorf("failed to parse %q", err)
+ return fmt.Errorf("failed to parse %q: %w", attestationURI, err)
 }
 if device := clictx.String("tpm-device"); device != "" {
 u.Values.Set("device", device)
 clictx.Set("attestation-uri", u.String())
- attestationURI = clictx.String("attestation-uri")
 }
 return doTPMAttestation(clictx, ac, ch, identifier, af)
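Review bot: `tpm.WithDeviceName(tpmDevice)` is handed to `tpm.New` even when `--tpm-device` was not given, so an empty string reaches the library and the code relies on `WithDeviceName("")` meaning "use the default device"; the `GetCertificate` hunk in acmeutils.go has the same shape. If go.step.sm/crypto/tpm does not document that an empty name is a no-op, guard it, e.g. by collecting the `tpm.New` options in a slice and appending `tpm.WithDeviceName(tpmDevice)` only `if tpmDevice != ""`, so a later change in the library's handling of empty names cannot break the default path. A short comment on the new line, `// empty tpmDevice selects the library's default device`, would record the assumption either way. `doTPMAttestation`'s body continues outside the hunk.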