From 50babf9b9c5ecd8a1f98a50bc5ef0ed7ee6ab5ff Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 6 Apr 2021 09:45:14 +0200
Subject: [PATCH] Rebase on tss-esapi 5.0 and tpm2-policy 0.4

Signed-off-by: Patrick Uiterwijk
---
 Cargo.toml         |  8 ++++----
 src/cli.rs         |  4 +++-
 src/main.rs        | 13 +++----------
 src/tpm_objects.rs | 48 +++++++++++++++++++++++-----------------------
 src/utils.rs       | 17 +++++----------
 5 files changed, 39 insertions(+), 51 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 28c9fd1..2529bba 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "clevis-pin-tpm2"
-version = "0.2.0"
+version = "0.3.0"
 description = "Clevis TPM2 PIN with policy support"
 authors = ["Patrick Uiterwijk "]
 edition = "2018"
@@ -10,10 +10,10 @@ license = "EUPL-1.2"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-tss-esapi = "4.0.10-alpha.1"
+tss-esapi = "5.0"
 serde = "1.0"
-biscuit = "0.5.0-beta2"
+biscuit = "0.5.0"
 serde_json = "1.0"
 base64 = "0.12.1"
 atty = "0.2.14"
-tpm2-policy = "0.3.1"
+tpm2-policy = { version = "0.4.0", path = "../rust-tpm2-policy" }
diff --git a/src/cli.rs b/src/cli.rs
index d0b8a3d..a82264c 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -69,7 +69,9 @@ pub(crate) const DEFAULT_PUBKEY_PATH: &str = "/boot/clevis_pubkey.json";
 pub(crate) const DEFAULT_POLICY_REF: &str = "";
 
 impl TPM2Config {
-    pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm {
+    pub(super) fn get_pcr_hash_alg(
+        &self,
+    ) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
         crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
     }
 
diff --git a/src/main.rs b/src/main.rs
index e3d8f81..dd2fcb5 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -32,7 +32,7 @@ mod utils;
 
 use cli::TPM2Config;
 
-use tss_esapi::structures::{PcrSelectionListBuilder, SensitiveData};
+use tss_esapi::structures::SensitiveData;
 
 #[derive(Debug)]
 enum PinError {
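Review bot: The new `tpm2-policy = { version = "0.4.0", path = "../rust-tpm2-policy" }` line makes every build from this tree resolve the policy crate from a sibling checkout instead of the 0.4.0 release, and a clean clone or CI runner without that directory does not build at all. Cargo drops the `path` and keeps the version when the crate is published, but until then the policy-evaluation code that gets compiled is whatever happens to be in that checkout, which defeats the point of pinning a version for the component that decides when a secret may be unsealed. Unless this is a deliberately uncommitted development state, `tpm2-policy = "0.4.0"` in the manifest, with the local override kept in a `[patch.crates-io]` section of a non-committed config, is the safer form.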
@@ -171,17 +171,10 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
     let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
     let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
     let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
-        ctx.create_key(
-            key_handle,
-            &public,
-            None,
-            Some(&jwk_str),
-            None,
-            PcrSelectionListBuilder::new().build(),
-        )
+        ctx.create(key_handle, &public, None, Some(&jwk_str), None, None)
     })?;
 
-    let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.try_into()?)?;
+    let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?;
 
     let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?;
 
diff --git a/src/tpm_objects.rs b/src/tpm_objects.rs
index fef4df1..aa84ba8 100644
--- a/src/tpm_objects.rs
+++ b/src/tpm_objects.rs
@@ -1,11 +1,11 @@
 use std::convert::TryFrom;
 
-use tss_esapi::constants::algorithm;
+use tss_esapi::abstraction::cipher::Cipher;
+use tss_esapi::attributes::object::ObjectAttributesBuilder;
 use tss_esapi::constants::tss as tss_constants;
+use tss_esapi::interface_types::ecc::EccCurve;
 use tss_esapi::structures::Digest;
-use tss_esapi::utils::{
-    ObjectAttributes, PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder,
-};
+use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder};
 
 #[cfg(target_pointer_width = "64")]
 type Sizedu = u64;
@@ -20,7 +20,7 @@ pub(super) fn get_key_public(
     match key_type {
         "ecc" => Ok(create_restricted_ecc_public()),
         "rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
-            algorithm::Cipher::aes_128_cfb(),
+            Cipher::aes_128_cfb(),
             2048,
             0,
         )?),
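Review bot: The collapsed `ctx.create(key_handle, &public, None, Some(&jwk_str), None, None)` line no longer tells a reader which of its six slots carries what, now that the named `PcrSelectionListBuilder` argument is gone and four of the slots are `None`; the `ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)` call in src/utils.rs has the same problem. As I read the tss-esapi 5 signatures the slots are the parent/hierarchy, the public template, the object's auth value, the sensitive data to seal, outside info and the creation PCR selection, so a one-line comment above each call such as `// create(parent, public, auth_value, sensitive_data, outside_info, creation_pcrs)` would let a reviewer see at a glance that the secret goes into the sensitive-data slot and that the auth-value slot is deliberately empty. Please confirm the order against the crate docs rather than taking my reading of it. perform_encrypt continues on both sides of this hunk.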
@@ -31,14 +31,14 @@ pub(super) fn get_key_public(
 pub(super) fn create_tpm2b_public_sealed_object(
     policy: Option,
 ) -> Result {
-    let mut object_attributes = ObjectAttributes(0);
-    object_attributes.set_fixed_tpm(true);
-    object_attributes.set_fixed_parent(true);
-    object_attributes.set_no_da(true);
-    object_attributes.set_admin_with_policy(true);
+    let mut object_attributes = ObjectAttributesBuilder::new()
+        .with_fixed_tpm(true)
+        .with_fixed_parent(true)
+        .with_no_da(true)
+        .with_admin_with_policy(true);
 
     if policy.is_none() {
-        object_attributes.set_user_with_auth(true);
+        object_attributes = object_attributes.with_user_with_auth(true);
     }
     let policy = match policy {
         Some(p) => p,
@@ -53,8 +53,8 @@ pub(super) fn create_tpm2b_public_sealed_object(
         publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC {
             type_: tss_constants::TPM2_ALG_KEYEDHASH,
             nameAlg: tss_constants::TPM2_ALG_SHA256,
-            objectAttributes: object_attributes.0,
-            authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::try_from(policy)?,
+            objectAttributes: object_attributes.build()?.0,
+            authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::from(policy),
             parameters: params,
             unique: Default::default(),
         },
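Review bot: The `let mut` builder followed by the `if policy.is_none()` reassignment can become a single expression now that the builder setters take a bool: end the chain with `.with_admin_with_policy(true)` `.with_user_with_auth(policy.is_none());` and drop both the `mut` and the `if` block, which states the access rule (auth-value access only when no policy is attached) in one place. While this block is being touched, `.with_no_da(true)` deserves a why-comment, e.g. `// no_da: exempt this object from the TPM dictionary-attack lockout; revisit if an auth value is ever set on it`, because opting out of DA protection is only harmless while the object is policy-gated and carries no auth value worth guessing, and neither fact is visible from this hunk. The `let policy = match policy {` that follows continues outside the hunk.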
@@ -149,24 +149,24 @@ pub(super) fn build_tpm2b_public(
 
 pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
     let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
-        algorithm::Cipher::aes_128_cfb(),
-        algorithm::EllipticCurve::NistP256,
+        Cipher::aes_128_cfb(),
+        EccCurve::NistP256,
     )
     .build()
     .unwrap();
-    let mut object_attributes = ObjectAttributes(0);
-    object_attributes.set_fixed_tpm(true);
-    object_attributes.set_fixed_parent(true);
-    object_attributes.set_sensitive_data_origin(true);
-    object_attributes.set_user_with_auth(true);
-    object_attributes.set_decrypt(true);
-    object_attributes.set_sign_encrypt(false);
-    object_attributes.set_restricted(true);
+    let object_attributes = ObjectAttributesBuilder::new()
+        .with_fixed_tpm(true)
+        .with_fixed_parent(true)
+        .with_sensitive_data_origin(true)
+        .with_user_with_auth(true)
+        .with_decrypt(true)
+        .with_sign_encrypt(false)
+        .with_restricted(true);
 
     Tpm2BPublicBuilder::new()
         .with_type(tss_constants::TPM2_ALG_ECC)
         .with_name_alg(tss_constants::TPM2_ALG_SHA256)
-        .with_object_attributes(object_attributes)
+        .with_object_attributes(object_attributes.build().unwrap())
         .with_parms(PublicParmsUnion::EccDetail(ecc_params))
         .build()
         .unwrap()
diff --git a/src/utils.rs b/src/utils.rs
index 4d3f9c6..4e271b4 100644
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -3,9 +3,9 @@ use std::fs;
 use std::str::FromStr;
 
 use tss_esapi::{
-    constants::algorithm::HashingAlgorithm, handles::KeyHandle,
-    interface_types::resource_handles::Hierarchy, structures::PcrSelectionListBuilder, Context,
-    Tcti,
+    handles::KeyHandle,
+    interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy},
+    Context, Tcti,
 };
 
 use serde::Deserialize;
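Review bot: `object_attributes.build().unwrap()` on the `.with_object_attributes(...)` line adds a third bare panic point to a function that already unwraps the ECC params and the public builder, with nothing recording why it cannot fail; `expect("restricted ECC decryption attributes are valid")` (and a matching `expect` on the other two) would at least state the invariant. If the tss-esapi 5 attribute builder validates combinations, a rejected combination would surface here as a panic during primary-key creation rather than as a `PinError`, so it is worth considering whether this function should return a `Result` the way `get_key_public` already propagates errors with `?` on the RSA path. The function's closing brace lies outside the hunk.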
@@ -98,15 +98,8 @@ pub(crate) fn get_tpm2_primary_key(
     pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
 ) -> Result {
     ctx.execute_with_nullauth_session(|ctx| {
-        ctx.create_primary_key(
-            Hierarchy::Owner,
-            pub_template,
-            None,
-            None,
-            None,
-            PcrSelectionListBuilder::new().build(),
-        )
-        .map(|r| r.key_handle)
+        ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)
+            .map(|r| r.key_handle)
     })
     .map_err(|e| e.into())
 }