Revert "add session encryption"

salrashid123 · salrashid123 · commit 019188dcba8c · 2025-08-15T16:45:01.000-04:00
This reverts commit 93875e0. Signed-off-by: sal rashid <salrashid123@gmail.com>
diff --git a/gcp-adc-tpm.go b/gcp-adc-tpm.go
@@ -246,10 +246,6 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {
 		_, _ = flushContextCmd.Execute(rwr)
 	}()
 
-	if encryptionSessionHandle != 0 {
-		encryptionSessionHandle = primaryKey.ObjectHandle
-	}
-
 	var se tpmjwt.Session
 	var err error
 	if cfg.Pcrs != "" {
@@ -273,7 +269,7 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {
 
 		if cfg.UseEKParent {
 
-			se, err = tpmjwt.NewPCRAndDuplicateSelectSession(rwr, sel, tpm2.TPM2BDigest{Buffer: nil}, []byte(cfg.Keypass), primaryKey.Name, encryptionSessionHandle)
+			se, err = tpmjwt.NewPCRAndDuplicateSelectSession(rwr, sel, []byte(cfg.Keypass), primaryKey.Name)
 			if err != nil {
 				return Token{}, fmt.Errorf("can't create autsession: %v", err)
 			}
@@ -282,13 +278,13 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {
 			}
 			_, _ = flushContextCmd.Execute(rwr)
 		} else {
-			se, err = tpmjwt.NewPCRSession(rwr, sel, tpm2.TPM2BDigest{Buffer: nil}, primaryKey.ObjectHandle)
+			se, err = tpmjwt.NewPCRSession(rwr, sel)
 		}
 
 	} else if keyPasswordAuth != "" {
 
 		if cfg.UseEKParent {
-			se, err = tpmjwt.NewPolicyAuthValueAndDuplicateSelectSession(rwr, []byte(cfg.Keypass), primaryKey.Name, encryptionSessionHandle)
+			se, err = tpmjwt.NewPolicyAuthValueAndDuplicateSelectSession(rwr, []byte(cfg.Keypass), primaryKey.Name)
 			if err != nil {
 				return Token{}, fmt.Errorf("can't create autsession: %v", err)
 			}
@@ -297,7 +293,7 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {
 			}
 			_, _ = flushContextCmd.Execute(rwr)
 		} else {
-			se, err = tpmjwt.NewPasswordSession(rwr, []byte(keyPasswordAuth), encryptionSessionHandle)
+			se, err = tpmjwt.NewPasswordSession(rwr, []byte(keyPasswordAuth))
 		}
 	}
 
diff --git a/go.mod b/go.mod
@@ -6,22 +6,23 @@ toolchain go1.24.0
 
 require (
 	github.com/foxboron/go-tpm-keyfiles v0.0.0-20250520203025-c3c3a4ec1653
-	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/golang-jwt/jwt/v5 v5.2.3
 	github.com/google/go-tpm v0.9.5
 	github.com/google/go-tpm-tools v0.4.5
-	github.com/salrashid123/golang-jwt-tpm v1.8.93
+	github.com/salrashid123/golang-jwt-tpm v1.8.92
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/oauth2 v0.30.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	golang.org/x/crypto v0.41.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	google.golang.org/protobuf v1.36.7 // indirect
+	golang.org/x/crypto v0.40.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,18 +1,24 @@
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20250323135004-b31fac66206e h1:2jjYsGgM13xId2Ku+UGDQTO5It50LhT6lljiVJvBj1Y=
+github.com/foxboron/go-tpm-keyfiles v0.0.0-20250323135004-b31fac66206e/go.mod h1:uAyTlAUxchYuiFjTHmuIEJ4nGSm7iOPaGcAyA81fJ80=
 github.com/foxboron/go-tpm-keyfiles v0.0.0-20250520203025-c3c3a4ec1653 h1:QpQsORx5N2EwomFMgeeY2Vzjf4h3nS2XtD8ETonNJVY=
 github.com/foxboron/go-tpm-keyfiles v0.0.0-20250520203025-c3c3a4ec1653/go.mod h1:uAyTlAUxchYuiFjTHmuIEJ4nGSm7iOPaGcAyA81fJ80=
 github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006 h1:50sW4r0PcvlpG4PV8tYh2RVCapszJgaOLRCS2subvV4=
 github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006/go.mod h1:eIXCMsMYCaqq9m1KSSxXwQG11krpuNPGP3k0uaWrbas=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
+github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc h1:SG12DWUUM5igxm+//YX5Yq4vhdoRnOG9HkCodkOn+YU=
 github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo=
 github.com/google/go-sev-guest v0.12.1 h1:H4rFYnPIn8HtqEsNTmh56Zxcf9BI9n48ZSYCnpYLYvc=
 github.com/google/go-sev-guest v0.12.1/go.mod h1:SK9vW+uyfuzYdVN0m8BShL3OQCtXZe/JPF7ZkpD3760=
 github.com/google/go-tdx-guest v0.3.2-0.20241009005452-097ee70d0843 h1:+MoPobRN9HrDhGyn6HnF5NYo4uMBKaiFqAtf/D/OB4A=
 github.com/google/go-tdx-guest v0.3.2-0.20241009005452-097ee70d0843/go.mod h1:g/n8sKITIT9xRivBUbizo34DTsUm2nN2uU3A662h09g=
+github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
+github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
 github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/go-tpm-tools v0.4.5 h1:3fhthtyMDbIZFR5/0y1hvUoZ1Kf4i1eZ7C73R4Pvd+k=
@@ -32,22 +38,30 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/salrashid123/golang-jwt-tpm v1.8.93 h1:Zyhx03DO6um2KMzSqaRwDWsi4mFtZnPFFyDRLc2wsqk=
-github.com/salrashid123/golang-jwt-tpm v1.8.93/go.mod h1:VHtf9HQTgrlKPfQazUt8ey8DuqZoKpc1Y1WhPtM35FA=
+github.com/salrashid123/golang-jwt-tpm v1.8.9 h1:IvUWjP/ErgqlAkj7IoZWSqGuS5PaObjBe0lcUO9rNLY=
+github.com/salrashid123/golang-jwt-tpm v1.8.9/go.mod h1:qIaGYwvtBLNUXVWqJy1xNZLVxCikKIyC+vHVNtqF7do=
+github.com/salrashid123/golang-jwt-tpm v1.8.92 h1:vy113IFgPG1fzGs8QqvBVl4k0dvEbAigd1OrSQXQk5o=
+github.com/salrashid123/golang-jwt-tpm v1.8.92/go.mod h1:VHtf9HQTgrlKPfQazUt8ey8DuqZoKpc1Y1WhPtM35FA=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
-google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

Original file line number	Diff line number	Diff line change
`@@ -246,10 +246,6 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {`
`246`	`246`	`_, _ = flushContextCmd.Execute(rwr)`
`247`	`247`	`}()`
`248`	`248`
`249`		`- if encryptionSessionHandle != 0 {`
`250`		`- encryptionSessionHandle = primaryKey.ObjectHandle`
`251`		`- }`
`252`		`-`
`253`	`249`	`var se tpmjwt.Session`
`254`	`250`	`var err error`
`255`	`251`	`if cfg.Pcrs != "" {`
`@@ -273,7 +269,7 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {`
`273`	`269`
`274`	`270`	`if cfg.UseEKParent {`
`275`	`271`
`276`		`- se, err = tpmjwt.NewPCRAndDuplicateSelectSession(rwr, sel, tpm2.TPM2BDigest{Buffer: nil}, []byte(cfg.Keypass), primaryKey.Name, encryptionSessionHandle)`
	`272`	`+ se, err = tpmjwt.NewPCRAndDuplicateSelectSession(rwr, sel, []byte(cfg.Keypass), primaryKey.Name)`
`277`	`273`	`if err != nil {`
`278`	`274`	`return Token{}, fmt.Errorf("can't create autsession: %v", err)`
`279`	`275`	`}`
`@@ -282,13 +278,13 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {`
`282`	`278`	`}`
`283`	`279`	`_, _ = flushContextCmd.Execute(rwr)`
`284`	`280`	`} else {`
`285`		`- se, err = tpmjwt.NewPCRSession(rwr, sel, tpm2.TPM2BDigest{Buffer: nil}, primaryKey.ObjectHandle)`
	`281`	`+ se, err = tpmjwt.NewPCRSession(rwr, sel)`
`286`	`282`	`}`
`287`	`283`
`288`	`284`	`} else if keyPasswordAuth != "" {`
`289`	`285`
`290`	`286`	`if cfg.UseEKParent {`
`291`		`- se, err = tpmjwt.NewPolicyAuthValueAndDuplicateSelectSession(rwr, []byte(cfg.Keypass), primaryKey.Name, encryptionSessionHandle)`
	`287`	`+ se, err = tpmjwt.NewPolicyAuthValueAndDuplicateSelectSession(rwr, []byte(cfg.Keypass), primaryKey.Name)`
`292`	`288`	`if err != nil {`
`293`	`289`	`return Token{}, fmt.Errorf("can't create autsession: %v", err)`
`294`	`290`	`}`
`@@ -297,7 +293,7 @@ func NewGCPTPMCredential(cfg *GCPTPMConfig) (Token, error) {`
`297`	`293`	`}`
`298`	`294`	`_, _ = flushContextCmd.Execute(rwr)`
`299`	`295`	`} else {`
`300`		`- se, err = tpmjwt.NewPasswordSession(rwr, []byte(keyPasswordAuth), encryptionSessionHandle)`
	`296`	`+ se, err = tpmjwt.NewPasswordSession(rwr, []byte(keyPasswordAuth))`
`301`	`297`	`}`
`302`	`298`	`}`
`303`	`299`