
Possible missing hash computation in tpm2_pem_encoded_key_to_fingerprint

Open niooss-ledger opened this issue 3 years ago • 0 comments

Hello. Function tpm2_pem_encoded_key_to_fingerprint (https://github.com/tpm2-software/tpm2-tools/blob/5.2/lib/tpm2_util.c#L1028-L1081) seems to compute a SHA256 fingerprint of a PEM public key:

    TPM2B_DIGEST digest;
    /* SHA256 over the raw (PEM-decoded) public key bytes */
    rc = tpm2_openssl_hash_compute_data(TPM2_ALG_SHA256, buffer,
        buffer_length, &digest);
    if(!rc){
        LOG_ERR("%s", "tpm2_openssl_hash_compute_data");
        return false;
    }
    /* encodes the raw key (buffer), not digest.buffer; digest is never used */
    rc = tpm2_base64_encode(buffer, buffer_length, base64);
    if(!rc){
        LOG_ERR("%s", "tpm2_base64_decode"); /* message names the wrong function */
        return false;
    }
    strcpy(fingerprint, "SHA256:");
    strcat(fingerprint, base64);

However, the parameter of tpm2_base64_encode is the raw public key (decoded from the PEM file), instead of the result of the SHA256 computation. Was the code supposed to use digest.buffer (i.e. rc = tpm2_base64_encode(digest.buffer, digest.size, base64);) instead?

If the code is actually working as expected, what magic makes the function use the computed SHA256 digest in the fingerprint?

(By the way, there is also a minor copy-paste error in the error message: tpm2_base64_decode is used instead of tpm2_base64_encode.)

niooss-ledger avatar Oct 08 '21 22:10 niooss-ledger
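The two computations the issue contrasts, as an added Python example that is not tpm2-tools code: the intended "SHA256:" + base64(SHA256(DER)) fingerprint beside the variant the quoted 5.2 code actually produces (base64 of the raw key, digest discarded), plus a length check that tells them apart. SAMPLE_DER is a constructed placeholder rather than a real SubjectPublicKeyInfo, and keeping the base64 '=' padding is an assumption about tpm2_base64_encode.

```python
import base64
import hashlib
import re

# Constructed stand-in for the DER bytes of a public key (NOT a real key);
# a real input would be e.g. the PEM written by tpm2_readpublic -f pem.
SAMPLE_DER = bytes(range(0x30, 0x30 + 70))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END PUBLIC KEY-----\n")


def pem_body(pem: str) -> str:
    """Base64 body of a PEM blob with armor lines and line breaks removed."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def pem_to_der(pem: str) -> bytes:
    """The 'decoded from the PEM file' step: base64 body -> raw DER bytes."""
    return base64.b64decode(pem_body(pem), validate=True)


def fingerprint_of_der(der: bytes) -> str:
    """Intended behaviour: hash the key, then base64-encode the 32-byte digest."""
    digest = hashlib.sha256(der).digest()
    return "SHA256:" + base64.b64encode(digest).decode()


def buggy_fingerprint_of_der(der: bytes) -> str:
    """What the quoted code does: the digest is computed but the raw key is
    what gets base64-encoded, so the 'fingerprint' is just the key re-encoded."""
    _digest = hashlib.sha256(der).digest()  # computed, then never used
    return "SHA256:" + base64.b64encode(der).decode()


def looks_like_sha256_fingerprint(fp: str) -> bool:
    """Base64 of a 32-byte digest is exactly 43 chars plus one '=' (44 with
    padding, 43 if a tool strips it as OpenSSH does). Anything longer means
    the digest step was skipped and the key itself is being printed."""
    return re.fullmatch(r"SHA256:[A-Za-z0-9+/]{43}=?", fp) is not None


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for label, fp in (("intended", fingerprint_of_der(der)),
                      ("as in 5.2", buggy_fingerprint_of_der(der))):
        print(f"{label:>9}: {fp}  plausible={looks_like_sha256_fingerprint(fp)}")
```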