in linux/sks.go [36:79]
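// GenKeyPair returns the public half of the EC key identified by keyID,
// encoded as an uncompressed SEC 1 point (0x04 || X || Y) on P-256.
//
// A handle is reserved for keyID for the duration of the call and released
// through flush, which receives true only if the whole call succeeded (err is
// the named result, so the deferred closure sees its final value). The
// organization root key is obtained first; unless keyID resolves to the root
// key itself, the key is loaded under it. Both the root key and, when
// distinct, the loaded key are flushed on return.
//
// NOTE(review): despite the name, nothing visible here generates a key pair;
// creation, if any, happens inside keyHandler.Get or LoadKey — confirm.
//
// Returns an error if the handle cannot be reserved, the root key cannot be
// obtained, the key cannot be loaded, the public key cannot be read, or the
// returned coordinates are not a valid P-256 point. The last check matters:
// the curve is fixed to P-256 here regardless of what the TPM holds, and
// elliptic.Marshal panics on a point that is not on the curve (Go 1.19+), so a
// key on another curve or corrupt coordinates must surface as an error, not
// a crash.
func (tpm *tpmDevice) GenKeyPair(keyID string) (b []byte, err error) {
	newKeyHandle, flush, err := tpm.keyHandler.Get(keyID)
	if err != nil {
		return nil, fmt.Errorf("cannot reserve handle for key ID %q: %w", keyID, err)
	}
	// Every later error path must assign the named err (use "=" rather than
	// ":=" inside nested scopes) so that flush learns whether the reserved
	// handle ended up holding a usable key.
	defer func() {
		flush(err == nil)
	}()
	if flog.V(5) {
		flog.Debugf("Got key handle for %q: %#x", keyID, newKeyHandle)
	}

	// First, validate we have an organization root key; per-key objects are
	// loaded under it below.
	orgRootKey, err := tpm.GetOrgRootKey()
	if err != nil {
		return nil, fmt.Errorf("error while getting root key: %w", err)
	}
	// NOTE(review): the boolean passed to FlushKey is not documented here —
	// presumably it controls eviction of the loaded context; confirm.
	defer tpm.FlushKey(orgRootKey, true)
	if flog.V(5) {
		flog.Debug("Got org root key")
	}

	// Possible shortcut: we may be asked for the org root key here. In that
	// case reuse it and do not flush it a second time.
	var newKey CryptoKey
	if newKeyHandle != orgRootKey.GetHandle() {
		newKey, err = tpm.LoadKey(keyID, orgRootKey.GetHandle(), newKeyHandle, nil)
		if err != nil {
			return nil, err
		}
		defer tpm.FlushKey(newKey, true)
		if flog.V(5) {
			flog.Debugf("Got %q key", keyID)
		}
	} else {
		newKey = orgRootKey
	}

	pubkey, err := newKey.GetECPublicKey()
	if err != nil {
		return nil, fmt.Errorf("cannot read EC public key for %q: %w", keyID, err)
	}

	// Validate the coordinates against the curve we are about to claim for
	// them: elliptic.Marshal panics on off-curve points, and a nil coordinate
	// would panic inside IsOnCurve, so check both before encoding.
	// NOTE(review): crypto/elliptic.Marshal is deprecated since Go 1.21 in
	// favour of crypto/ecdh; it is kept because the concrete type returned by
	// GetECPublicKey is not visible here.
	curve := elliptic.P256()
	if pubkey.X == nil || pubkey.Y == nil || !curve.IsOnCurve(pubkey.X, pubkey.Y) {
		return nil, fmt.Errorf("public key for %q is not a valid P-256 point", keyID)
	}
	return elliptic.Marshal(curve, pubkey.X, pubkey.Y), nil
}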