feat: rebase to tss-esapi 7.0
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
parent
e2ea458a0b
commit
2622fc93ea
4 changed files with 59 additions and 59 deletions
|
@ -11,10 +11,10 @@ license = "MIT"
|
|||
|
||||
[dependencies]
|
||||
anyhow = "1"
|
||||
tss-esapi = "6.1.1"
|
||||
tss-esapi = "7.0.0"
|
||||
serde = "1.0"
|
||||
josekit = "0.7.4"
|
||||
serde_json = "1.0"
|
||||
base64 = "0.12.1"
|
||||
atty = "0.2.14"
|
||||
tpm2-policy = "0.5.3"
|
||||
tpm2-policy = "0.6.0"
|
||||
|
|
12
src/main.rs
12
src/main.rs
|
@ -26,7 +26,7 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<()> {
|
|||
let key_public = tpm_objects::get_key_public(key_type, cfg.get_name_hash_alg())?;
|
||||
|
||||
let mut ctx = utils::get_tpm2_ctx()?;
|
||||
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
||||
let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;
|
||||
|
||||
let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?;
|
||||
|
||||
|
@ -42,15 +42,15 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<()> {
|
|||
jwk.set_key_operations(vec!["encrypt", "decrypt"]);
|
||||
let jwk_str = serde_json::to_string(&jwk.as_ref())?;
|
||||
|
||||
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
|
||||
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?.try_into()?;
|
||||
let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
|
||||
let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
|
||||
ctx.create(key_handle, &public, None, Some(&jwk_str), None, None)
|
||||
ctx.create(key_handle, public, None, Some(jwk_str), None, None)
|
||||
})?;
|
||||
|
||||
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?;
|
||||
|
||||
let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?;
|
||||
let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public.try_into()?)?;
|
||||
|
||||
let private_hdr = ClevisInner {
|
||||
pin: pin_type.to_string(),
|
||||
|
@ -187,7 +187,7 @@ fn perform_decrypt(input: Vec<u8>) -> Result<()> {
|
|||
bail!("JWE pin mismatch");
|
||||
}
|
||||
|
||||
let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?;
|
||||
let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?.try_into()?;
|
||||
let jwkpriv = tpm_objects::build_tpm2b_private(&hdr_clevis.tpm2.jwk_priv)?;
|
||||
|
||||
let policy = TPMPolicyStep::try_from(&hdr_clevis.tpm2)?;
|
||||
|
@ -196,7 +196,7 @@ fn perform_decrypt(input: Vec<u8>) -> Result<()> {
|
|||
let key_public = tpm_objects::get_key_public(hdr_clevis.tpm2.key.as_str(), name_alg)?;
|
||||
|
||||
let mut ctx = utils::get_tpm2_ctx()?;
|
||||
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
||||
let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;
|
||||
|
||||
let key =
|
||||
ctx.execute_with_nullauth_session(|ctx| ctx.load(key_handle, jwkpriv.try_into()?, jwkpub))?;
|
||||
|
|
|
@ -1,35 +1,62 @@
|
|||
use std::convert::TryFrom;
|
||||
|
||||
use anyhow::{anyhow, bail, Result};
|
||||
use tss_esapi::attributes::object::ObjectAttributesBuilder;
|
||||
use tss_esapi::constants::tss as tss_constants;
|
||||
use tss_esapi::interface_types::ecc::EccCurve;
|
||||
use tss_esapi::structures::Digest;
|
||||
use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder};
|
||||
use tss_esapi::{abstraction::cipher::Cipher, interface_types::algorithm::HashingAlgorithm};
|
||||
use anyhow::{anyhow, bail, Context, Result};
|
||||
use tss_esapi::{
|
||||
attributes::object::ObjectAttributesBuilder,
|
||||
constants::tss as tss_constants,
|
||||
interface_types::{
|
||||
algorithm::{HashingAlgorithm, PublicAlgorithm},
|
||||
ecc::EccCurve,
|
||||
},
|
||||
structures::{Digest, Public, SymmetricDefinitionObject},
|
||||
};
|
||||
|
||||
#[cfg(target_pointer_width = "64")]
|
||||
type Sizedu = u64;
|
||||
#[cfg(target_pointer_width = "32")]
|
||||
type Sizedu = u32;
|
||||
|
||||
pub(super) fn get_key_public(
|
||||
key_type: &str,
|
||||
name_alg: HashingAlgorithm,
|
||||
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC> {
|
||||
pub(super) fn get_key_public(key_type: &str, name_alg: HashingAlgorithm) -> Result<Public> {
|
||||
let object_attributes = ObjectAttributesBuilder::new()
|
||||
.with_fixed_tpm(true)
|
||||
.with_fixed_parent(true)
|
||||
.with_sensitive_data_origin(true)
|
||||
.with_user_with_auth(true)
|
||||
.with_decrypt(true)
|
||||
.with_sign_encrypt(false)
|
||||
.with_restricted(true)
|
||||
.build()?;
|
||||
|
||||
let builder = tss_esapi::structures::PublicBuilder::new()
|
||||
.with_object_attributes(object_attributes)
|
||||
.with_name_hashing_algorithm(name_alg);
|
||||
|
||||
match key_type {
|
||||
"ecc" => Ok(create_restricted_ecc_public()),
|
||||
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
||||
Cipher::aes_128_cfb(),
|
||||
2048,
|
||||
0,
|
||||
)?),
|
||||
_ => Err(anyhow!("Unsupported key type used")),
|
||||
"ecc" => builder
|
||||
.with_public_algorithm(PublicAlgorithm::Ecc)
|
||||
.with_ecc_parameters(
|
||||
tss_esapi::structures::PublicEccParametersBuilder::new_restricted_decryption_key(
|
||||
SymmetricDefinitionObject::AES_128_CFB,
|
||||
EccCurve::NistP256,
|
||||
)
|
||||
.build()?,
|
||||
)
|
||||
.with_ecc_unique_identifier(Default::default()),
|
||||
"rsa" => builder
|
||||
.with_public_algorithm(PublicAlgorithm::Rsa)
|
||||
.with_rsa_parameters(
|
||||
tss_esapi::structures::PublicRsaParametersBuilder::new_restricted_decryption_key(
|
||||
SymmetricDefinitionObject::AES_128_CFB,
|
||||
tss_esapi::interface_types::key_bits::RsaKeyBits::Rsa2048,
|
||||
tss_esapi::structures::RsaExponent::ZERO_EXPONENT,
|
||||
)
|
||||
.build()?,
|
||||
)
|
||||
.with_rsa_unique_identifier(Default::default()),
|
||||
_ => return Err(anyhow!("Unsupported key type used")),
|
||||
}
|
||||
.map(|mut public| {
|
||||
public.publicArea.nameAlg = name_alg.into();
|
||||
public
|
||||
})
|
||||
.build()
|
||||
.context("Error building public key")
|
||||
}
|
||||
|
||||
pub(super) fn create_tpm2b_public_sealed_object(
|
||||
|
@ -142,28 +169,3 @@ pub(super) fn build_tpm2b_public(val: &[u8]) -> Result<tss_esapi::tss2_esys::TPM
|
|||
|
||||
Ok(resp)
|
||||
}
|
||||
|
||||
pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
||||
let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
|
||||
Cipher::aes_128_cfb(),
|
||||
EccCurve::NistP256,
|
||||
)
|
||||
.build()
|
||||
.unwrap();
|
||||
let object_attributes = ObjectAttributesBuilder::new()
|
||||
.with_fixed_tpm(true)
|
||||
.with_fixed_parent(true)
|
||||
.with_sensitive_data_origin(true)
|
||||
.with_user_with_auth(true)
|
||||
.with_decrypt(true)
|
||||
.with_sign_encrypt(false)
|
||||
.with_restricted(true);
|
||||
|
||||
Tpm2BPublicBuilder::new()
|
||||
.with_type(tss_constants::TPM2_ALG_ECC)
|
||||
.with_name_alg(tss_constants::TPM2_ALG_SHA256)
|
||||
.with_object_attributes(object_attributes.build().unwrap())
|
||||
.with_parms(PublicParmsUnion::EccDetail(ecc_params))
|
||||
.build()
|
||||
.unwrap()
|
||||
}
|
||||
|
|
|
@ -8,6 +8,7 @@ use tpm2_policy::{PublicKey, SignedPolicyList, TPMPolicyStep};
|
|||
use tss_esapi::{
|
||||
handles::KeyHandle,
|
||||
interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy},
|
||||
structures::Public,
|
||||
Context, Tcti,
|
||||
};
|
||||
|
||||
|
@ -95,10 +96,7 @@ pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context> {
|
|||
Context::new(tcti).context("Error initializing TPM2 context")
|
||||
}
|
||||
|
||||
pub(crate) fn get_tpm2_primary_key(
|
||||
ctx: &mut Context,
|
||||
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
||||
) -> Result<KeyHandle> {
|
||||
pub(crate) fn get_tpm2_primary_key(ctx: &mut Context, pub_template: Public) -> Result<KeyHandle> {
|
||||
ctx.execute_with_nullauth_session(|ctx| {
|
||||
ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)
|
||||
.map(|r| r.key_handle)
|
||||
|
|
Loading…
Reference in a new issue