salrashid123

The following diff extracts the EKM value for a given TLS connection and then surfaces that to LUA (which emits the EKM as a header to the backend)

the LUA config will log the EKM in trace logs

# envoy -c envoy_server.yaml -l trace
[2025-04-04 08:36:29.396][3334775][info][lua] [source/extensions/filters/common/lua/lua.cc:26] script log: >>>>>>>>>>>> EKM: XGurfnlqXyjXphhJrrCmHRoKXAwC7CjrD7vixHdqOIo=

which has the same derived EKM value as a sample client app (eg, golang)

Simple openssl c client/server which prints the Exported Key Material (EKM)

https://docs.openssl.org/1.1.1/man3/SSL_export_keying_material/

also see https://github.com/salrashid123/go_ekm_tls

$  gcc server.c -lcrypto -lssl -o server

$ ./server

TLS with TPM based private key

Requires openssl-tpm2 provider

# export OPENSSL_MODULES=/usr/lib/x86_64-linux-gnu/ossl-modules/
# 
# cat /etc/ssl/openssl.cnf
# [openssl_init]

Simple demo of istio authorization rules using GCP OIDC tokens

Basically, this will allow inbound OIDC authentication and authorization for a service using a google issued id_token

Setup

First install minikube (i'm using kvm2 but you can use anything)

TLS 1.2, 1.3 PSK with C

also see

https://github.com/salrashid123/tls_psk_tpm

$ gcc server.c -lcrypto -lssl -o server
k$ ./server

GCS CSEK with Object versioning

The following will upload a file into a bucket with object versioning.

The file will have a CSEK

Then encrypt it with another CSEK and recall the first version using its original CSEK

### create two cseks

Simple DIY STS server Google Cloud Application Default Credential

or...how to use ADC and run your own STS token broker

An STS server will exchange one token for another. This protocol is used by GCP Workload Federation.

THis example runs your own STS server with GCP where the STS server accepts a source token, validates it and the returns a gcp access_token

For more information about STS servers, see

	package main
	/*
	Authenticate to GCP using the GCP embedded vTPM AttestationKey

	this specific implementation acquires a JWTAccessToken with scopes

	https://github.com/salrashid123/gcp-vtpm-ek-ak/tree/main?tab=readme-ov-file#sign-jwt-with-tpm

	1. first create a gce instance with confidentialcompute and vtpm enabled


	#include <stdio.h>
	#include <unistd.h>
	#include <string.h>
	#include <sys/socket.h>
	#include <arpa/inet.h>
	#include <openssl/ssl.h>
	#include <openssl/err.h>
	#include <openssl/hmac.h>

	package main

	import (
	"encoding/binary"
	"encoding/hex"
	"flag"
	"io"
	"log"
	"net"
	"os"