From 2622fc93ea9c31fe6c18e118bfa0f8abe23ddca4 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 19 Apr 2022 14:01:11 +0200 Subject: [PATCH] feat: rebase to tss-esapi 7.0 Signed-off-by: Patrick Uiterwijk --- Cargo.toml | 4 +- src/main.rs | 12 +++--- src/tpm_objects.rs | 96 +++++++++++++++++++++++----------------------- src/utils.rs | 6 +-- 4 files changed, 59 insertions(+), 59 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 293453b..f40a363 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,10 +11,10 @@ license = "MIT" [dependencies] anyhow = "1" -tss-esapi = "6.1.1" +tss-esapi = "7.0.0" serde = "1.0" josekit = "0.7.4" serde_json = "1.0" base64 = "0.12.1" atty = "0.2.14" -tpm2-policy = "0.5.3" +tpm2-policy = "0.6.0" diff --git a/src/main.rs b/src/main.rs index 6b7df05..8f7d050 100644 --- a/src/main.rs +++ b/src/main.rs @@ -26,7 +26,7 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec) -> Result<()> { let key_public = tpm_objects::get_key_public(key_type, cfg.get_name_hash_alg())?; let mut ctx = utils::get_tpm2_ctx()?; - let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?; + let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?; let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?; @@ -42,15 +42,15 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec) -> Result<()> { jwk.set_key_operations(vec!["encrypt", "decrypt"]); let jwk_str = serde_json::to_string(&jwk.as_ref())?; - let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?; + let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?.try_into()?; let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?; let jwk_result = ctx.execute_with_nullauth_session(|ctx| { - ctx.create(key_handle, &public, None, Some(&jwk_str), None, None) + ctx.create(key_handle, public, None, Some(jwk_str), None, None) })?; let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?; - let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?; + let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public.try_into()?)?; let private_hdr = ClevisInner { pin: pin_type.to_string(), @@ -187,7 +187,7 @@ fn perform_decrypt(input: Vec) -> Result<()> { bail!("JWE pin mismatch"); } - let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?; + let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?.try_into()?; let jwkpriv = tpm_objects::build_tpm2b_private(&hdr_clevis.tpm2.jwk_priv)?; let policy = TPMPolicyStep::try_from(&hdr_clevis.tpm2)?; @@ -196,7 +196,7 @@ fn perform_decrypt(input: Vec) -> Result<()> { let key_public = tpm_objects::get_key_public(hdr_clevis.tpm2.key.as_str(), name_alg)?; let mut ctx = utils::get_tpm2_ctx()?; - let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?; + let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?; let key = ctx.execute_with_nullauth_session(|ctx| ctx.load(key_handle, jwkpriv.try_into()?, jwkpub))?; diff --git a/src/tpm_objects.rs b/src/tpm_objects.rs index 79e0806..a9495b3 100644 --- a/src/tpm_objects.rs +++ b/src/tpm_objects.rs @@ -1,35 +1,62 @@ use std::convert::TryFrom; -use anyhow::{anyhow, bail, Result}; -use tss_esapi::attributes::object::ObjectAttributesBuilder; -use tss_esapi::constants::tss as tss_constants; -use tss_esapi::interface_types::ecc::EccCurve; -use tss_esapi::structures::Digest; -use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder}; -use tss_esapi::{abstraction::cipher::Cipher, interface_types::algorithm::HashingAlgorithm}; +use anyhow::{anyhow, bail, Context, Result}; +use tss_esapi::{ + attributes::object::ObjectAttributesBuilder, + constants::tss as tss_constants, + interface_types::{ + algorithm::{HashingAlgorithm, PublicAlgorithm}, + ecc::EccCurve, + }, + structures::{Digest, Public, SymmetricDefinitionObject}, +}; #[cfg(target_pointer_width = "64")] type Sizedu = u64; #[cfg(target_pointer_width = "32")] type Sizedu = u32; -pub(super) fn get_key_public( - key_type: &str, - name_alg: HashingAlgorithm, -) -> Result { +pub(super) fn get_key_public(key_type: &str, name_alg: HashingAlgorithm) -> Result { + let object_attributes = ObjectAttributesBuilder::new() + .with_fixed_tpm(true) + .with_fixed_parent(true) + .with_sensitive_data_origin(true) + .with_user_with_auth(true) + .with_decrypt(true) + .with_sign_encrypt(false) + .with_restricted(true) + .build()?; + + let builder = tss_esapi::structures::PublicBuilder::new() + .with_object_attributes(object_attributes) + .with_name_hashing_algorithm(name_alg); + match key_type { - "ecc" => Ok(create_restricted_ecc_public()), - "rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public( - Cipher::aes_128_cfb(), - 2048, - 0, - )?), - _ => Err(anyhow!("Unsupported key type used")), + "ecc" => builder + .with_public_algorithm(PublicAlgorithm::Ecc) + .with_ecc_parameters( + tss_esapi::structures::PublicEccParametersBuilder::new_restricted_decryption_key( + SymmetricDefinitionObject::AES_128_CFB, + EccCurve::NistP256, + ) + .build()?, + ) + .with_ecc_unique_identifier(Default::default()), + "rsa" => builder + .with_public_algorithm(PublicAlgorithm::Rsa) + .with_rsa_parameters( + tss_esapi::structures::PublicRsaParametersBuilder::new_restricted_decryption_key( + SymmetricDefinitionObject::AES_128_CFB, + tss_esapi::interface_types::key_bits::RsaKeyBits::Rsa2048, + tss_esapi::structures::RsaExponent::ZERO_EXPONENT, + ) + .build()?, + ) + .with_rsa_unique_identifier(Default::default()), + _ => return Err(anyhow!("Unsupported key type used")), } - .map(|mut public| { - public.publicArea.nameAlg = name_alg.into(); - public - }) + .build() + .context("Error building public key") } pub(super) fn create_tpm2b_public_sealed_object( @@ -142,28 +169,3 @@ pub(super) fn build_tpm2b_public(val: &[u8]) -> Result tss_esapi::tss2_esys::TPM2B_PUBLIC { - let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key( - Cipher::aes_128_cfb(), - EccCurve::NistP256, - ) - .build() - .unwrap(); - let object_attributes = ObjectAttributesBuilder::new() - .with_fixed_tpm(true) - .with_fixed_parent(true) - .with_sensitive_data_origin(true) - .with_user_with_auth(true) - .with_decrypt(true) - .with_sign_encrypt(false) - .with_restricted(true); - - Tpm2BPublicBuilder::new() - .with_type(tss_constants::TPM2_ALG_ECC) - .with_name_alg(tss_constants::TPM2_ALG_SHA256) - .with_object_attributes(object_attributes.build().unwrap()) - .with_parms(PublicParmsUnion::EccDetail(ecc_params)) - .build() - .unwrap() -} diff --git a/src/utils.rs b/src/utils.rs index 5c99cd1..a411140 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -8,6 +8,7 @@ use tpm2_policy::{PublicKey, SignedPolicyList, TPMPolicyStep}; use tss_esapi::{ handles::KeyHandle, interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy}, + structures::Public, Context, Tcti, }; @@ -95,10 +96,7 @@ pub(crate) fn get_tpm2_ctx() -> Result { Context::new(tcti).context("Error initializing TPM2 context") } -pub(crate) fn get_tpm2_primary_key( - ctx: &mut Context, - pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC, -) -> Result { +pub(crate) fn get_tpm2_primary_key(ctx: &mut Context, pub_template: Public) -> Result { ctx.execute_with_nullauth_session(|ctx| { ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None) .map(|r| r.key_handle)