Merge pull request #18 from fedora-iot/rebase-tss-70

feat: rebase to tss-esapi 7.0
2022-04-20 14:07:19 +02:00 · 2022-04-20 14:07:19 +02:00 · 750b7495e4
parent e2ea458a0b 2622fc93ea
commit 750b7495e4
4 changed files with 59 additions and 59 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -11,10 +11,10 @@ license = "MIT"

 [dependencies]
 anyhow = "1"
-tss-esapi = "6.1.1"
+tss-esapi = "7.0.0"
 serde = "1.0"
 josekit = "0.7.4"
 serde_json = "1.0"
 base64 = "0.12.1"
 atty = "0.2.14"
-tpm2-policy = "0.5.3"
+tpm2-policy = "0.6.0"
--- a/src/main.rs
+++ b/src/main.rs
@ -26,7 +26,7 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<()> {
    let key_public = tpm_objects::get_key_public(key_type, cfg.get_name_hash_alg())?;

    let mut ctx = utils::get_tpm2_ctx()?;
-    let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
+    let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;

    let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?;

@ -42,15 +42,15 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<()> {
    jwk.set_key_operations(vec!["encrypt", "decrypt"]);
    let jwk_str = serde_json::to_string(&jwk.as_ref())?;

-    let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
+    let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?.try_into()?;
    let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
    let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
-        ctx.create(key_handle, &public, None, Some(&jwk_str), None, None)
+        ctx.create(key_handle, public, None, Some(jwk_str), None, None)
    })?;

    let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?;

-    let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?;
+    let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public.try_into()?)?;

    let private_hdr = ClevisInner {
        pin: pin_type.to_string(),
@ -187,7 +187,7 @@ fn perform_decrypt(input: Vec<u8>) -> Result<()> {
        bail!("JWE pin mismatch");
    }

-    let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?;
+    let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?.try_into()?;
    let jwkpriv = tpm_objects::build_tpm2b_private(&hdr_clevis.tpm2.jwk_priv)?;

    let policy = TPMPolicyStep::try_from(&hdr_clevis.tpm2)?;
@ -196,7 +196,7 @@ fn perform_decrypt(input: Vec<u8>) -> Result<()> {
    let key_public = tpm_objects::get_key_public(hdr_clevis.tpm2.key.as_str(), name_alg)?;

    let mut ctx = utils::get_tpm2_ctx()?;
-    let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
+    let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;

    let key =
        ctx.execute_with_nullauth_session(|ctx| ctx.load(key_handle, jwkpriv.try_into()?, jwkpub))?;
--- a/src/tpm_objects.rs
+++ b/src/tpm_objects.rs
@ -1,35 +1,62 @@
 use std::convert::TryFrom;

-use anyhow::{anyhow, bail, Result};
-use tss_esapi::attributes::object::ObjectAttributesBuilder;
-use tss_esapi::constants::tss as tss_constants;
-use tss_esapi::interface_types::ecc::EccCurve;
-use tss_esapi::structures::Digest;
-use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder};
-use tss_esapi::{abstraction::cipher::Cipher, interface_types::algorithm::HashingAlgorithm};
+use anyhow::{anyhow, bail, Context, Result};
+use tss_esapi::{
+    attributes::object::ObjectAttributesBuilder,
+    constants::tss as tss_constants,
+    interface_types::{
+        algorithm::{HashingAlgorithm, PublicAlgorithm},
+        ecc::EccCurve,
+    },
+    structures::{Digest, Public, SymmetricDefinitionObject},
+};

 #[cfg(target_pointer_width = "64")]
 type Sizedu = u64;
 #[cfg(target_pointer_width = "32")]
 type Sizedu = u32;

-pub(super) fn get_key_public(
-    key_type: &str,
-    name_alg: HashingAlgorithm,
-) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC> {
+pub(super) fn get_key_public(key_type: &str, name_alg: HashingAlgorithm) -> Result<Public> {
+    let object_attributes = ObjectAttributesBuilder::new()
+        .with_fixed_tpm(true)
+        .with_fixed_parent(true)
+        .with_sensitive_data_origin(true)
+        .with_user_with_auth(true)
+        .with_decrypt(true)
+        .with_sign_encrypt(false)
+        .with_restricted(true)
+        .build()?;
+
+    let builder = tss_esapi::structures::PublicBuilder::new()
+        .with_object_attributes(object_attributes)
+        .with_name_hashing_algorithm(name_alg);
+
    match key_type {
-        "ecc" => Ok(create_restricted_ecc_public()),
-        "rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
-            Cipher::aes_128_cfb(),
-            2048,
-            0,
-        )?),
-        _ => Err(anyhow!("Unsupported key type used")),
+        "ecc" => builder
+            .with_public_algorithm(PublicAlgorithm::Ecc)
+            .with_ecc_parameters(
+                tss_esapi::structures::PublicEccParametersBuilder::new_restricted_decryption_key(
+                    SymmetricDefinitionObject::AES_128_CFB,
+                    EccCurve::NistP256,
+                )
+                .build()?,
+            )
+            .with_ecc_unique_identifier(Default::default()),
+        "rsa" => builder
+            .with_public_algorithm(PublicAlgorithm::Rsa)
+            .with_rsa_parameters(
+                tss_esapi::structures::PublicRsaParametersBuilder::new_restricted_decryption_key(
+                    SymmetricDefinitionObject::AES_128_CFB,
+                    tss_esapi::interface_types::key_bits::RsaKeyBits::Rsa2048,
+                    tss_esapi::structures::RsaExponent::ZERO_EXPONENT,
+                )
+                .build()?,
+            )
+            .with_rsa_unique_identifier(Default::default()),
+        _ => return Err(anyhow!("Unsupported key type used")),
    }
-    .map(|mut public| {
-        public.publicArea.nameAlg = name_alg.into();
-        public
-    })
+    .build()
+    .context("Error building public key")
 }

 pub(super) fn create_tpm2b_public_sealed_object(
@ -142,28 +169,3 @@ pub(super) fn build_tpm2b_public(val: &[u8]) -> Result<tss_esapi::tss2_esys::TPM

    Ok(resp)
 }
-
-pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
-    let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
-        Cipher::aes_128_cfb(),
-        EccCurve::NistP256,
-    )
-    .build()
-    .unwrap();
-    let object_attributes = ObjectAttributesBuilder::new()
-        .with_fixed_tpm(true)
-        .with_fixed_parent(true)
-        .with_sensitive_data_origin(true)
-        .with_user_with_auth(true)
-        .with_decrypt(true)
-        .with_sign_encrypt(false)
-        .with_restricted(true);
-
-    Tpm2BPublicBuilder::new()
-        .with_type(tss_constants::TPM2_ALG_ECC)
-        .with_name_alg(tss_constants::TPM2_ALG_SHA256)
-        .with_object_attributes(object_attributes.build().unwrap())
-        .with_parms(PublicParmsUnion::EccDetail(ecc_params))
-        .build()
-        .unwrap()
-}
--- a/src/utils.rs
+++ b/src/utils.rs
@ -8,6 +8,7 @@ use tpm2_policy::{PublicKey, SignedPolicyList, TPMPolicyStep};
 use tss_esapi::{
    handles::KeyHandle,
    interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy},
+    structures::Public,
    Context, Tcti,
 };

@ -95,10 +96,7 @@ pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context> {
    Context::new(tcti).context("Error initializing TPM2 context")
 }

-pub(crate) fn get_tpm2_primary_key(
-    ctx: &mut Context,
-    pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
-) -> Result<KeyHandle> {
+pub(crate) fn get_tpm2_primary_key(ctx: &mut Context, pub_template: Public) -> Result<KeyHandle> {
    ctx.execute_with_nullauth_session(|ctx| {
        ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)
            .map(|r| r.key_handle)