v/tpm2-store
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #18 from fedora-iot/rebase-tss-70

Browse source 
feat: rebase to tss-esapi 7.0
This commit is contained in:
Patrick Uiterwijk 2022-04-20 14:07:19 +02:00 committed by GitHub
parent e2ea458a0b 2622fc93ea
commit 750b7495e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 59 additions and 59 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Cargo.toml
View file

@ -11,10 +11,10 @@ license = "MIT"
[dependencies] [dependencies]
anyhow = "1" anyhow = "1"
tss-esapi = "6.1.1" tss-esapi = "7.0.0"
serde = "1.0" serde = "1.0"
josekit = "0.7.4" josekit = "0.7.4"
serde_json = "1.0" serde_json = "1.0"
base64 = "0.12.1" base64 = "0.12.1"
atty = "0.2.14" atty = "0.2.14"
tpm2-policy = "0.5.3" tpm2-policy = "0.6.0"

12
src/main.rs
View file

@ -26,7 +26,7 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<()> {
let key_public = tpm_objects::get_key_public(key_type, cfg.get_name_hash_alg())?; let key_public = tpm_objects::get_key_public(key_type, cfg.get_name_hash_alg())?;
let mut ctx = utils::get_tpm2_ctx()?; let mut ctx = utils::get_tpm2_ctx()?;
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?; let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;
let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?; let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?;
@ -42,15 +42,15 @@ fn perform_encrypt(cfg: TPM2Config, input: Vec<u8>) -> Result<()> {
jwk.set_key_operations(vec!["encrypt", "decrypt"]); jwk.set_key_operations(vec!["encrypt", "decrypt"]);
let jwk_str = serde_json::to_string(&jwk.as_ref())?; let jwk_str = serde_json::to_string(&jwk.as_ref())?;
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?; let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?.try_into()?;
let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?; let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
let jwk_result = ctx.execute_with_nullauth_session(|ctx| { let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
ctx.create(key_handle, &public, None, Some(&jwk_str), None, None) ctx.create(key_handle, public, None, Some(jwk_str), None, None)
})?; })?;
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?; let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?;
let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?; let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public.try_into()?)?;
let private_hdr = ClevisInner { let private_hdr = ClevisInner {
pin: pin_type.to_string(), pin: pin_type.to_string(),
@ -187,7 +187,7 @@ fn perform_decrypt(input: Vec<u8>) -> Result<()> {
bail!("JWE pin mismatch"); bail!("JWE pin mismatch");
} }
let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?; let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?.try_into()?;
let jwkpriv = tpm_objects::build_tpm2b_private(&hdr_clevis.tpm2.jwk_priv)?; let jwkpriv = tpm_objects::build_tpm2b_private(&hdr_clevis.tpm2.jwk_priv)?;
let policy = TPMPolicyStep::try_from(&hdr_clevis.tpm2)?; let policy = TPMPolicyStep::try_from(&hdr_clevis.tpm2)?;
@ -196,7 +196,7 @@ fn perform_decrypt(input: Vec<u8>) -> Result<()> {
let key_public = tpm_objects::get_key_public(hdr_clevis.tpm2.key.as_str(), name_alg)?; let key_public = tpm_objects::get_key_public(hdr_clevis.tpm2.key.as_str(), name_alg)?;
let mut ctx = utils::get_tpm2_ctx()?; let mut ctx = utils::get_tpm2_ctx()?;
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?; let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;
let key = let key =
ctx.execute_with_nullauth_session(|ctx| ctx.load(key_handle, jwkpriv.try_into()?, jwkpub))?; ctx.execute_with_nullauth_session(|ctx| ctx.load(key_handle, jwkpriv.try_into()?, jwkpub))?;

96
src/tpm_objects.rs
View file

@ -1,35 +1,62 @@
use std::convert::TryFrom; use std::convert::TryFrom;
use anyhow::{anyhow, bail, Result}; use anyhow::{anyhow, bail, Context, Result};
use tss_esapi::attributes::object::ObjectAttributesBuilder; use tss_esapi::{
use tss_esapi::constants::tss as tss_constants; attributes::object::ObjectAttributesBuilder,
use tss_esapi::interface_types::ecc::EccCurve; constants::tss as tss_constants,
use tss_esapi::structures::Digest; interface_types::{
use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder}; algorithm::{HashingAlgorithm, PublicAlgorithm},
use tss_esapi::{abstraction::cipher::Cipher, interface_types::algorithm::HashingAlgorithm}; ecc::EccCurve,
},
structures::{Digest, Public, SymmetricDefinitionObject},
};
#[cfg(target_pointer_width = "64")] #[cfg(target_pointer_width = "64")]
type Sizedu = u64; type Sizedu = u64;
#[cfg(target_pointer_width = "32")] #[cfg(target_pointer_width = "32")]
type Sizedu = u32; type Sizedu = u32;
pub(super) fn get_key_public( pub(super) fn get_key_public(key_type: &str, name_alg: HashingAlgorithm) -> Result<Public> {
key_type: &str, let object_attributes = ObjectAttributesBuilder::new()
name_alg: HashingAlgorithm, .with_fixed_tpm(true)
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC> { .with_fixed_parent(true)
.with_sensitive_data_origin(true)
.with_user_with_auth(true)
.with_decrypt(true)
.with_sign_encrypt(false)
.with_restricted(true)
.build()?;
let builder = tss_esapi::structures::PublicBuilder::new()
.with_object_attributes(object_attributes)
.with_name_hashing_algorithm(name_alg);
match key_type { match key_type {
"ecc" => Ok(create_restricted_ecc_public()), "ecc" => builder
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public( .with_public_algorithm(PublicAlgorithm::Ecc)
Cipher::aes_128_cfb(), .with_ecc_parameters(
2048, tss_esapi::structures::PublicEccParametersBuilder::new_restricted_decryption_key(
0, SymmetricDefinitionObject::AES_128_CFB,
)?), EccCurve::NistP256,
_ => Err(anyhow!("Unsupported key type used")), )
.build()?,
)
.with_ecc_unique_identifier(Default::default()),
"rsa" => builder
.with_public_algorithm(PublicAlgorithm::Rsa)
.with_rsa_parameters(
tss_esapi::structures::PublicRsaParametersBuilder::new_restricted_decryption_key(
SymmetricDefinitionObject::AES_128_CFB,
tss_esapi::interface_types::key_bits::RsaKeyBits::Rsa2048,
tss_esapi::structures::RsaExponent::ZERO_EXPONENT,
)
.build()?,
)
.with_rsa_unique_identifier(Default::default()),
_ => return Err(anyhow!("Unsupported key type used")),
} }
.map(|mut public| { .build()
public.publicArea.nameAlg = name_alg.into(); .context("Error building public key")
public
})
} }
pub(super) fn create_tpm2b_public_sealed_object( pub(super) fn create_tpm2b_public_sealed_object(
@ -142,28 +169,3 @@ pub(super) fn build_tpm2b_public(val: &[u8]) -> Result<tss_esapi::tss2_esys::TPM
Ok(resp) Ok(resp)
} }
pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
Cipher::aes_128_cfb(),
EccCurve::NistP256,
)
.build()
.unwrap();
let object_attributes = ObjectAttributesBuilder::new()
.with_fixed_tpm(true)
.with_fixed_parent(true)
.with_sensitive_data_origin(true)
.with_user_with_auth(true)
.with_decrypt(true)
.with_sign_encrypt(false)
.with_restricted(true);
Tpm2BPublicBuilder::new()
.with_type(tss_constants::TPM2_ALG_ECC)
.with_name_alg(tss_constants::TPM2_ALG_SHA256)
.with_object_attributes(object_attributes.build().unwrap())
.with_parms(PublicParmsUnion::EccDetail(ecc_params))
.build()
.unwrap()
}

6
src/utils.rs
View file

@ -8,6 +8,7 @@ use tpm2_policy::{PublicKey, SignedPolicyList, TPMPolicyStep};
use tss_esapi::{ use tss_esapi::{
handles::KeyHandle, handles::KeyHandle,
interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy}, interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy},
structures::Public,
Context, Tcti, Context, Tcti,
}; };
@ -95,10 +96,7 @@ pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context> {
Context::new(tcti).context("Error initializing TPM2 context") Context::new(tcti).context("Error initializing TPM2 context")
} }
pub(crate) fn get_tpm2_primary_key( pub(crate) fn get_tpm2_primary_key(ctx: &mut Context, pub_template: Public) -> Result<KeyHandle> {
ctx: &mut Context,
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
) -> Result<KeyHandle> {
ctx.execute_with_nullauth_session(|ctx| { ctx.execute_with_nullauth_session(|ctx| {
ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None) ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)
.map(|r| r.key_handle) .map(|r| r.key_handle)