canonical · chrisccoulson · Aug 24, 2020
diff --git a/internal/testutil/tpm.go b/internal/testutil/tpm.go
@@ -421,7 +421,7 @@ func CertifyTPM(tpm *tpm2.TPMContext, ekCert []byte) error {
 	if err != nil {
 		return xerrors.Errorf("cannot define NV index for EK certificate: %w", err)
 	}
-	if err := tpm.NVWrite(tpm.PlatformHandleContext(), index, tpm2.MaxNVBuffer(ekCert), 0, nil); err != nil {
+	if err := tpm.NVWrite(tpm.PlatformHandleContext(), index, ekCert, 0, nil); err != nil {
 		return xerrors.Errorf("cannot write EK certificate to NV index: %w", err)
 	}
 	return nil

diff --git a/pin.go b/pin.go
@@ -189,7 +189,7 @@ func createPinNVIndex(tpm *tpm2.TPMContext, handle tpm2.Handle, updateKeyName tp
 		Signature: tpm2.SignatureU{
 			Data: &tpm2.SignatureRSAPSS{
 				Hash: signDigest,
-				Sig:  tpm2.PublicKeyRSA(sig)}}}
+				Sig:  sig}}}
 
 	// Execute the policy assertions
 	if err := tpm.PolicyCommandCode(policySession, tpm2.CommandNVIncrement); err != nil {

diff --git a/policy.go b/policy.go
@@ -162,7 +162,7 @@ func incrementDynamicPolicyCounter(tpm *tpm2.TPMContext, nvPublic *tpm2.NVPublic
 		Signature: tpm2.SignatureU{
 			Data: &tpm2.SignatureRSAPSS{
 				Hash: signDigest,
-				Sig:  tpm2.PublicKeyRSA(sig)}}}
+				Sig:  sig}}}
 
 	// Execute the policy assertions
 	if err := tpm.PolicyCommandCode(policySession, tpm2.CommandNVIncrement); err != nil {
@@ -351,7 +351,7 @@ func ensureLockNVIndex(tpm *tpm2.TPMContext, session tpm2.SessionContext) error
 		Signature: tpm2.SignatureU{
 			Data: &tpm2.SignatureRSAPSS{
 				Hash: signDigest,
-				Sig:  tpm2.PublicKeyRSA(sig)}}}
+				Sig:  sig}}}
 
 	// Execute the policy assertions
 	if err := tpm.PolicyCommandCode(policySession, tpm2.CommandNVWrite); err != nil {

diff --git a/policy_test.go b/policy_test.go
@@ -456,7 +456,7 @@ func TestReadAndValidateLockNVIndexPublic(t *testing.T) {
 			Signature: tpm2.SignatureU{
 				Data: &tpm2.SignatureRSAPSS{
 					Hash: tpm2.HashAlgorithmSHA256,
-					Sig:  tpm2.PublicKeyRSA(sig)}}}
+					Sig:  sig}}}
 
 		if err := tpm.PolicyCommandCode(policySession, tpm2.CommandNVWrite); err != nil {
 			t.Errorf("Assertion failed: %v", err)
@@ -2153,7 +2153,7 @@ func TestExecutePolicy(t *testing.T) {
 			}
 			s.AuthPublicKey.Params.RSADetail().KeyBits = uint16(key.N.BitLen())
 			s.AuthPublicKey.Params.RSADetail().Exponent = uint32(key.E)
-			s.AuthPublicKey.Unique.Data = tpm2.PublicKeyRSA(key.N.Bytes())
+			s.AuthPublicKey.Unique.Data = key.N.Bytes()
 		})
 		// Even though this error is caused by broken static metadata, we get a dynamicPolicyDataError error because the signature
 		// verification fails. Validation with validateKeyData will detect the real issue though.
@@ -2209,7 +2209,7 @@ func TestExecutePolicy(t *testing.T) {
 			if err != nil {
 				t.Fatalf("SignPSS failed: %v", err)
 			}
-			d.AuthorizedPolicySignature.Signature.RSAPSS().Sig = tpm2.PublicKeyRSA(sig)
+			d.AuthorizedPolicySignature.Signature.RSAPSS().Sig = sig
 		})
 		if !IsDynamicPolicyDataError(err) || err.Error() != "cannot verify dynamic authorization policy signature" {
 			t.Errorf("Unexpected error: %v", err)
@@ -2259,7 +2259,7 @@ func TestExecutePolicy(t *testing.T) {
 			}
 			s.AuthPublicKey.Params.RSADetail().KeyBits = uint16(key.N.BitLen())
 			s.AuthPublicKey.Params.RSADetail().Exponent = uint32(key.E)
-			s.AuthPublicKey.Unique.Data = tpm2.PublicKeyRSA(key.N.Bytes())
+			s.AuthPublicKey.Unique.Data = key.N.Bytes()
 
 			signAlg := d.AuthorizedPolicySignature.Signature.RSAPSS().Hash
 			h := signAlg.NewHash()
@@ -2269,7 +2269,7 @@ func TestExecutePolicy(t *testing.T) {
 			if err != nil {
 				t.Fatalf("SignPSS failed: %v", err)
 			}
-			d.AuthorizedPolicySignature.Signature.RSAPSS().Sig = tpm2.PublicKeyRSA(sig)
+			d.AuthorizedPolicySignature.Signature.RSAPSS().Sig = sig
 		})
 		if err != nil {
 			t.Errorf("Failed to execute policy session: %v", err)

diff --git a/provisioning.go b/provisioning.go
@@ -252,7 +252,7 @@ func ProvisionTPM(tpm *TPMConnection, mode ProvisionMode, newLockoutAuth []byte)
 	}
 
 	// Set the lockout hierarchy authorization.
-	if err := tpm.HierarchyChangeAuth(tpm.LockoutHandleContext(), tpm2.Auth(newLockoutAuth),
+	if err := tpm.HierarchyChangeAuth(tpm.LockoutHandleContext(), newLockoutAuth,
 		session.IncludeAttrs(tpm2.AttrCommandEncrypt)); err != nil {
 		return xerrors.Errorf("cannot set the lockout hierarchy authorization value: %w", err)
 	}

diff --git a/tpm.go b/tpm.go
@@ -155,7 +155,7 @@ func verifyEk(cert *x509.Certificate, ek tpm2.ResourceContext) error {
 	if pubKey.E != 65537 {
 		ekPublic.Params.RSADetail().Exponent = uint32(pubKey.E)
 	}
-	ekPublic.Unique.Data = tpm2.PublicKeyRSA(pubKey.N.Bytes())
+	ekPublic.Unique.Data = pubKey.N.Bytes()
 
 	expectedEkName, err := ekPublic.Name()
 	if err != nil {