Merge pull request #11 from fedora-iot/hashfix
fix: use hash for name oject hash alg
This commit is contained in:
commit
6bcb830067
5 changed files with 25 additions and 9 deletions
|
@ -72,7 +72,13 @@ impl TPM2Config {
|
||||||
pub(super) fn get_pcr_hash_alg(
|
pub(super) fn get_pcr_hash_alg(
|
||||||
&self,
|
&self,
|
||||||
) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
|
) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
|
||||||
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
crate::utils::get_hash_alg_from_name(self.pcr_bank.as_ref())
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(super) fn get_name_hash_alg(
|
||||||
|
&self,
|
||||||
|
) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
|
||||||
|
crate::utils::get_hash_alg_from_name(self.hash.as_ref())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn get_pcr_ids(&self) -> Option<Vec<u64>> {
|
pub(super) fn get_pcr_ids(&self) -> Option<Vec<u64>> {
|
||||||
|
|
11
src/main.rs
11
src/main.rs
|
@ -146,7 +146,7 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<(), PinError> {
|
||||||
None => "ecc",
|
None => "ecc",
|
||||||
Some(key_type) => key_type,
|
Some(key_type) => key_type,
|
||||||
};
|
};
|
||||||
let key_public = tpm_objects::get_key_public(&key_type)?;
|
let key_public = tpm_objects::get_key_public(&key_type, cfg.get_name_hash_alg())?;
|
||||||
|
|
||||||
let mut ctx = utils::get_tpm2_ctx()?;
|
let mut ctx = utils::get_tpm2_ctx()?;
|
||||||
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
||||||
|
@ -206,7 +206,7 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<(), PinError> {
|
||||||
clevis: ClevisInner {
|
clevis: ClevisInner {
|
||||||
pin: pin_type.to_string(),
|
pin: pin_type.to_string(),
|
||||||
tpm2: Tpm2Inner {
|
tpm2: Tpm2Inner {
|
||||||
hash: "sha256".to_string(),
|
hash: cfg.hash.as_ref().unwrap_or(&"sha256".to_string()).clone(),
|
||||||
key: key_type.to_string(),
|
key: key_type.to_string(),
|
||||||
jwk_pub,
|
jwk_pub,
|
||||||
jwk_priv,
|
jwk_priv,
|
||||||
|
@ -282,7 +282,7 @@ impl TryFrom<&Tpm2Inner> for TPMPolicyStep {
|
||||||
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
|
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
|
||||||
Ok(TPMPolicyStep::Or([
|
Ok(TPMPolicyStep::Or([
|
||||||
Box::new(TPMPolicyStep::PCRs(
|
Box::new(TPMPolicyStep::PCRs(
|
||||||
utils::get_pcr_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
utils::get_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
||||||
cfg.get_pcr_ids().unwrap(),
|
cfg.get_pcr_ids().unwrap(),
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
)),
|
)),
|
||||||
|
@ -300,7 +300,7 @@ impl TryFrom<&Tpm2Inner> for TPMPolicyStep {
|
||||||
]))
|
]))
|
||||||
} else if cfg.pcr_ids.is_some() {
|
} else if cfg.pcr_ids.is_some() {
|
||||||
Ok(TPMPolicyStep::PCRs(
|
Ok(TPMPolicyStep::PCRs(
|
||||||
utils::get_pcr_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
utils::get_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
||||||
cfg.get_pcr_ids().unwrap(),
|
cfg.get_pcr_ids().unwrap(),
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
))
|
))
|
||||||
|
@ -345,7 +345,8 @@ fn perform_decrypt(input: Vec<u8>) -> Result<(), PinError> {
|
||||||
|
|
||||||
let policy = TPMPolicyStep::try_from(&hdr.private.clevis.tpm2)?;
|
let policy = TPMPolicyStep::try_from(&hdr.private.clevis.tpm2)?;
|
||||||
|
|
||||||
let key_public = tpm_objects::get_key_public(hdr.private.clevis.tpm2.key.as_str())?;
|
let name_alg = crate::utils::get_hash_alg_from_name(Some(&hdr.private.clevis.tpm2.hash));
|
||||||
|
let key_public = tpm_objects::get_key_public(hdr.private.clevis.tpm2.key.as_str(), name_alg)?;
|
||||||
|
|
||||||
let mut ctx = utils::get_tpm2_ctx()?;
|
let mut ctx = utils::get_tpm2_ctx()?;
|
||||||
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
use std::convert::TryFrom;
|
use std::convert::TryFrom;
|
||||||
|
|
||||||
use tss_esapi::abstraction::cipher::Cipher;
|
|
||||||
use tss_esapi::attributes::object::ObjectAttributesBuilder;
|
use tss_esapi::attributes::object::ObjectAttributesBuilder;
|
||||||
use tss_esapi::constants::tss as tss_constants;
|
use tss_esapi::constants::tss as tss_constants;
|
||||||
use tss_esapi::interface_types::ecc::EccCurve;
|
use tss_esapi::interface_types::ecc::EccCurve;
|
||||||
use tss_esapi::structures::Digest;
|
use tss_esapi::structures::Digest;
|
||||||
use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder};
|
use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder};
|
||||||
|
use tss_esapi::{abstraction::cipher::Cipher, interface_types::algorithm::HashingAlgorithm};
|
||||||
|
|
||||||
#[cfg(target_pointer_width = "64")]
|
#[cfg(target_pointer_width = "64")]
|
||||||
type Sizedu = u64;
|
type Sizedu = u64;
|
||||||
|
@ -16,6 +16,7 @@ use crate::PinError;
|
||||||
|
|
||||||
pub(super) fn get_key_public(
|
pub(super) fn get_key_public(
|
||||||
key_type: &str,
|
key_type: &str,
|
||||||
|
name_alg: HashingAlgorithm,
|
||||||
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
||||||
match key_type {
|
match key_type {
|
||||||
"ecc" => Ok(create_restricted_ecc_public()),
|
"ecc" => Ok(create_restricted_ecc_public()),
|
||||||
|
@ -25,7 +26,10 @@ pub(super) fn get_key_public(
|
||||||
0,
|
0,
|
||||||
)?),
|
)?),
|
||||||
_ => Err(PinError::Text("Unsupported key type used")),
|
_ => Err(PinError::Text("Unsupported key type used")),
|
||||||
}
|
}.map(|mut public| {
|
||||||
|
public.publicArea.nameAlg = name_alg.into();
|
||||||
|
public
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn create_tpm2b_public_sealed_object(
|
pub(super) fn create_tpm2b_public_sealed_object(
|
||||||
|
|
|
@ -45,7 +45,7 @@ pub(crate) fn get_authorized_policy_step(
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) fn get_pcr_hash_alg_from_name(name: Option<&String>) -> HashingAlgorithm {
|
pub(crate) fn get_hash_alg_from_name(name: Option<&String>) -> HashingAlgorithm {
|
||||||
match name {
|
match name {
|
||||||
None => HashingAlgorithm::Sha256,
|
None => HashingAlgorithm::Sha256,
|
||||||
Some(val) => match val.to_lowercase().as_str() {
|
Some(val) => match val.to_lowercase().as_str() {
|
||||||
|
|
|
@ -13,6 +13,11 @@ echo "Working: no sealing (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 enc
|
||||||
echo "Working: no sealing (clevis encrypt)" | clevis encrypt tpm2 '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing (clevis encrypt)"; exit 1)
|
echo "Working: no sealing (clevis encrypt)" | clevis encrypt tpm2 '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing (clevis encrypt)"; exit 1)
|
||||||
echo "Working: no sealing (renamed encrypt)" | ./target/debug/clevis-encrypt-tpm2plus '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
|
echo "Working: no sealing (renamed encrypt)" | ./target/debug/clevis-encrypt-tpm2plus '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
|
||||||
echo "Working: no sealing (renamed decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' | ./target/debug/clevis-decrypt-tpm2plus || (echo "Failed: no sealing (clevis decrypt)"; exit 1)
|
echo "Working: no sealing (renamed decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' | ./target/debug/clevis-decrypt-tpm2plus || (echo "Failed: no sealing (clevis decrypt)"; exit 1)
|
||||||
|
name_alg_out=$(echo "Working: with name alg" | ./target/debug/clevis-pin-tpm2 encrypt '{"hash": "sha1"}')
|
||||||
|
echo $name_alg_out | cut -d'.' -f1 | jose b64 dec -i- | grep "\"hash\":\"sha1\"" || (echo "Failed: with name alg: not using sha1"; exit 1)
|
||||||
|
echo $name_alg_out | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with name alg"; exit 1)
|
||||||
|
echo "Working: with name alg (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{"hash": "sha1"}' | clevis decrypt || (echo "Failed: with name alg (clevis decrypt)"; exit 1)
|
||||||
|
echo "Working: with name alg (clevis encrypt)" | clevis encrypt tpm2 '{"hash": "sha1"}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with name alg (clevis encrypt)"; exit 1)
|
||||||
echo "Working: with PCRs" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs"; exit 1)
|
echo "Working: with PCRs" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs"; exit 1)
|
||||||
echo "Working: with PCRs (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_ids":[23]}' | clevis decrypt || (echo "Failed: with PCRs (clevis decrypt)"; exit 1)
|
echo "Working: with PCRs (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_ids":[23]}' | clevis decrypt || (echo "Failed: with PCRs (clevis decrypt)"; exit 1)
|
||||||
echo "Working: with PCRs (clevis encrypt)" | clevis encrypt tpm2 '{"pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs (clevis encrypt)"; exit 1)
|
echo "Working: with PCRs (clevis encrypt)" | clevis encrypt tpm2 '{"pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs (clevis encrypt)"; exit 1)
|
||||||
|
|
Loading…
Reference in a new issue