bugfix: defer TPM close

yzp0n · yzp0n · commit 02d59619cca1 · 2024-12-06T11:39:29.000Z
diff --git a/cmd/h132/envelope/edit.go b/cmd/h132/envelope/edit.go
@@ -78,6 +78,7 @@ var editCommand = &cli.Command{
 		if err != nil {
 			return err
 		}
+		defer ak.Close()
 
 		if err := lws.Edit(l, ak, envelopePath, envelopeBs, plaintextPath); err != nil {
 			return err
diff --git a/cmd/h132/envelope/seal.go b/cmd/h132/envelope/seal.go
@@ -67,6 +67,7 @@ var sealCommand = &cli.Command{
 		if err != nil {
 			return err
 		}
+		defer ak.Close()
 
 		if err := lws.Seal(l, ak, fileName, contents); err != nil {
 			return err
diff --git a/cmd/h132/envelope/unseal.go b/cmd/h132/envelope/unseal.go
@@ -70,6 +70,7 @@ var unsealCommand = &cli.Command{
 		if err != nil {
 			return err
 		}
+		defer ak.Close()
 
 		if err := lws.Unseal(ak, envelopeFileName, bs); err != nil {
 			return fmt.Errorf("failed to unseal file %q: %w", envelopeFileName, err)
diff --git a/cmd/h132/keys/access/access.go b/cmd/h132/keys/access/access.go
@@ -38,7 +38,11 @@ func AccessKey(lwsName string, k *pb.KeyImpl) (envelope.AssymmetricKey, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to get TPM: %w", err)
 		}
-		defer tpm.Close()
+		defer func() {
+			if tpm != nil {
+				tpm.Close()
+			}
+		}()
 
 		wwt := ki.WebauthnWrappedTpm
 
@@ -73,6 +77,8 @@ func AccessKey(lwsName string, k *pb.KeyImpl) (envelope.AssymmetricKey, error) {
 		if err != nil {
 			return nil, err
 		}
+		// `bk` has taken over ownership of tpm. Don't close it here.
+		tpm = nil
 
 		return bk, nil
 
diff --git a/cmd/h132/keys/testcmd.go b/cmd/h132/keys/testcmd.go
@@ -42,6 +42,7 @@ var testCommand = &cli.Command{
 		if err != nil {
 			return err
 		}
+		defer ak.Close()
 
 		testSha256 := sha256.Sum256([]byte("test"))
 		if _, err := ak.Sign(testSha256[:]); err != nil {
diff --git a/envelope/key.go b/envelope/key.go
@@ -11,6 +11,7 @@ type AssymmetricKey interface {
 	Public() *ecdsa.PublicKey
 	Sign(s256digest []byte) ([]byte, error)
 	ECDH(pub *ecdsa.PublicKey) ([]byte, error)
+	io.Closer
 }
 
 type LocalPrivateKey struct {
@@ -49,3 +50,7 @@ func (k *LocalPrivateKey) ECDH(pub *ecdsa.PublicKey) ([]byte, error) {
 
 	return privDH.ECDH(pubDH)
 }
+
+func (k *LocalPrivateKey) Close() error {
+	return nil
+}
diff --git a/keys/webauthnwrappedtpm/key.go b/keys/webauthnwrappedtpm/key.go
@@ -105,14 +105,29 @@ func derivePassword(prf, salt []byte, tpmKeyHandle tpm2.TPMHandle) []byte {
 	return tpmPassword
 }
 
+func nopCloser(tpm transport.TPM) transport.TPMCloser {
+	return nopCloserT{tpm}
+}
+
+type nopCloserT struct {
+	transport.TPM
+}
+
+func (nopCloserT) Close() error { return nil }
+
+func (t nopCloserT) Send(input []byte) ([]byte, error) {
+	return t.TPM.Send(input)
+}
+
 func (wk *WebAuthnWrappedTPMKey) Provision(tpm transport.TPM, prf []byte) error {
 	tpmPassword := derivePassword(prf, wk.HkdfSalt, wk.TpmKeyHandle)
 
 	cfg := h132_tpm2.BackedP256KeyConfig{
 		KeyHandle: wk.TpmKeyHandle,
 		Password:  tpmPassword,
 	}
-	bk, err := h132_tpm2.ProvisionBackedP256Key(cfg, tpm)
+
+	bk, err := h132_tpm2.ProvisionBackedP256Key(cfg, nopCloser(tpm))
 	if err != nil {
 		return fmt.Errorf("failed to provision backed key: %w", err)
 	}
@@ -172,7 +187,7 @@ func (wk *WebAuthnWrappedTPMKey) SetImplProto(p *pb.KeyImpl) error {
 	return nil
 }
 
-func (wk *WebAuthnWrappedTPMKey) Unwrap(tpm transport.TPM, prf []byte) (*h132_tpm2.BackedP256Key, error) {
+func (wk *WebAuthnWrappedTPMKey) Unwrap(tpm transport.TPMCloser, prf []byte) (*h132_tpm2.BackedP256Key, error) {
 	tpmPassword := derivePassword(prf, wk.HkdfSalt, wk.TpmKeyHandle)
 	cfg := h132_tpm2.BackedP256KeyConfig{
 		KeyHandle: wk.TpmKeyHandle,
diff --git a/tpm2/backedkey.go b/tpm2/backedkey.go
@@ -20,13 +20,13 @@ type BackedP256KeyConfig struct {
 
 type BackedP256Key struct {
 	cfg BackedP256KeyConfig
-	t   transport.TPM
+	t   transport.TPMCloser
 
 	name   tpm2.TPM2BName
 	public *ecdsa.PublicKey
 }
 
-func ProvisionBackedP256Key(cfg BackedP256KeyConfig, t transport.TPM) (*BackedP256Key, error) {
+func ProvisionBackedP256Key(cfg BackedP256KeyConfig, t transport.TPMCloser) (*BackedP256Key, error) {
 	k := &BackedP256Key{
 		cfg: cfg,
 		t:   t,
@@ -106,7 +106,7 @@ func ProvisionBackedP256Key(cfg BackedP256KeyConfig, t transport.TPM) (*BackedP2
 	return k, nil
 }
 
-func LoadBackedP256Key(cfg BackedP256KeyConfig, t transport.TPM) (*BackedP256Key, error) {
+func LoadBackedP256Key(cfg BackedP256KeyConfig, t transport.TPMCloser) (*BackedP256Key, error) {
 	k := &BackedP256Key{
 		cfg: cfg,
 		t:   t,
@@ -281,3 +281,7 @@ func (k *BackedP256Key) smokeTest() error {
 
 	return nil
 }
+
+func (k *BackedP256Key) Close() error {
+	return k.t.Close()
+}

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,7 @@ var editCommand = &cli.Command{`
`78`	`78`	`if err != nil {`
`79`	`79`	`return err`
`80`	`80`	`}`
	`81`	`+ defer ak.Close()`
`81`	`82`
`82`	`83`	`if err := lws.Edit(l, ak, envelopePath, envelopeBs, plaintextPath); err != nil {`
`83`	`84`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ var sealCommand = &cli.Command{`
`67`	`67`	`if err != nil {`
`68`	`68`	`return err`
`69`	`69`	`}`
	`70`	`+ defer ak.Close()`
`70`	`71`
`71`	`72`	`if err := lws.Seal(l, ak, fileName, contents); err != nil {`
`72`	`73`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,7 @@ var unsealCommand = &cli.Command{`
`70`	`70`	`if err != nil {`
`71`	`71`	`return err`
`72`	`72`	`}`
	`73`	`+ defer ak.Close()`
`73`	`74`
`74`	`75`	`if err := lws.Unseal(ak, envelopeFileName, bs); err != nil {`
`75`	`76`	`return fmt.Errorf("failed to unseal file %q: %w", envelopeFileName, err)`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ var testCommand = &cli.Command{`
`42`	`42`	`if err != nil {`
`43`	`43`	`return err`
`44`	`44`	`}`
	`45`	`+ defer ak.Close()`
`45`	`46`
`46`	`47`	`testSha256 := sha256.Sum256([]byte("test"))`
`47`	`48`	`if _, err := ak.Sign(testSha256[:]); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ type AssymmetricKey interface {`
`11`	`11`	`Public() *ecdsa.PublicKey`
`12`	`12`	`Sign(s256digest []byte) ([]byte, error)`
`13`	`13`	`ECDH(pub *ecdsa.PublicKey) ([]byte, error)`
	`14`	`+ io.Closer`
`14`	`15`	`}`
`15`	`16`
`16`	`17`	`type LocalPrivateKey struct {`
`@@ -49,3 +50,7 @@ func (k LocalPrivateKey) ECDH(pub ecdsa.PublicKey) ([]byte, error) {`
`49`	`50`
`50`	`51`	`return privDH.ECDH(pubDH)`
`51`	`52`	`}`
	`53`	`+`
	`54`	`+func (k *LocalPrivateKey) Close() error {`
	`55`	`+ return nil`
	`56`	`+}`