diff --git a/Cargo.toml b/Cargo.toml index ab8ba9c..7a85f34 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,10 +7,10 @@ edition = "2018" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] -tss-esapi = "4.0.5-alpha.1" +tss-esapi = "4.0.6-alpha.1" serde = "1.0" biscuit = "0.5.0-beta2" serde_json = "1.0" base64 = "0.12.1" atty = "0.2.14" -tpm2-policy = "0.1.0" +tpm2-policy = "0.2.0" diff --git a/src/cli.rs b/src/cli.rs index 9e95c7f..71dda0e 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -63,9 +63,7 @@ impl TryFrom<&TPM2Config> for TPMPolicyStep { } impl TPM2Config { - pub(super) fn get_pcr_hash_alg( - &self, - ) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm { + pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm { crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref()) } diff --git a/src/main.rs b/src/main.rs index 411b420..7e802b1 100644 --- a/src/main.rs +++ b/src/main.rs @@ -39,13 +39,15 @@ mod utils; use cli::TPM2Config; +use tss_esapi::algorithm::structures::SensitiveData; + #[derive(Debug)] enum PinError { Text(&'static str), NoCommand, Serde(serde_json::Error), IO(std::io::Error), - TPM(tss_esapi::response_code::Error), + TPM(tss_esapi::Error), JWE(biscuit::errors::Error), Base64Decoding(base64::DecodeError), Utf8(std::str::Utf8Error), @@ -117,8 +119,8 @@ impl From for PinError { } } -impl From for PinError { - fn from(err: tss_esapi::response_code::Error) -> Self { +impl From for PinError { + fn from(err: tss_esapi::Error) -> Self { PinError::TPM(err) } } @@ -161,7 +163,8 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> { let policy_digest = policy_runner.send_policy(&mut ctx, true)?; - let key_bytes: Vec = ctx.get_random(32)?; + let key_bytes = ctx.get_random(32)?; + let key_bytes: &[u8] = key_bytes.value(); let mut jwk = biscuit::jwk::JWK::new_octet_key(&key_bytes, biscuit::Empty {}); jwk.common.algorithm = Some(biscuit::jwa::Algorithm::ContentEncryption( biscuit::jwa::ContentEncryptionAlgorithm::A256GCM, @@ -173,8 +176,9 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> { let jwk_str = serde_json::to_string(&jwk)?; let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?; + let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?; let (jwk_priv, jwk_pub) = - ctx.create_key(key_handle, &public, &[], jwk_str.as_bytes(), &[], &[])?; + ctx.create_key(key_handle, &public, None, Some(&jwk_str), None, &[])?; let jwk_priv = tpm_objects::get_tpm2b_private(jwk_priv)?; @@ -218,7 +222,9 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> { }; let rand_nonce = ctx.get_random(12)?; - let jwe_enc_options = biscuit::jwa::EncryptionOptions::AES_GCM { nonce: rand_nonce }; + let jwe_enc_options = biscuit::jwa::EncryptionOptions::AES_GCM { + nonce: rand_nonce.value().to_vec(), + }; let jwe_token = biscuit::jwe::Compact::new_decrypted(hdr, input.as_bytes().to_vec()); let jwe_token_compact = jwe_token.encrypt(&jwk, &jwe_enc_options)?; @@ -344,7 +350,7 @@ fn perform_decrypt(input: &str) -> Result<(), PinError> { let mut ctx = utils::get_tpm2_ctx()?; let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?; - utils::create_and_set_tpm2_session(&mut ctx, tss_esapi::constants::TPM2_SE_HMAC)?; + utils::create_and_set_tpm2_session(&mut ctx, tss_esapi::constants::tss::TPM2_SE_HMAC)?; let key = ctx.load(key_handle, jwkpriv, jwkpub)?; policy.send_policy(&mut ctx, false)?; diff --git a/src/tpm_objects.rs b/src/tpm_objects.rs index ac449fa..7a33d86 100644 --- a/src/tpm_objects.rs +++ b/src/tpm_objects.rs @@ -1,7 +1,11 @@ use std::convert::TryFrom; -use tss_esapi::constants; -use tss_esapi::utils; +use tss_esapi::constants::algorithm; +use tss_esapi::constants::tss as tss_constants; +use tss_esapi::structures::Digest; +use tss_esapi::utils::{ + ObjectAttributes, PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder, +}; use crate::PinError; @@ -11,7 +15,7 @@ pub(super) fn get_key_public( match key_type { "ecc" => Ok(create_restricted_ecc_public()), "rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public( - utils::algorithm_specifiers::Cipher::aes_128_cfb(), + algorithm::Cipher::aes_128_cfb(), 2048, 0, )?), @@ -20,9 +24,9 @@ pub(super) fn get_key_public( } pub(super) fn create_tpm2b_public_sealed_object( - policy: Option, + policy: Option, ) -> Result { - let mut object_attributes = utils::ObjectAttributes(0); + let mut object_attributes = ObjectAttributes(0); object_attributes.set_fixed_tpm(true); object_attributes.set_fixed_parent(true); object_attributes.set_no_da(true); @@ -33,17 +37,17 @@ pub(super) fn create_tpm2b_public_sealed_object( } let policy = match policy { Some(p) => p, - None => tss_esapi::utils::Digest::try_from(vec![])?, + None => Digest::try_from(vec![])?, }; let mut params: tss_esapi::tss2_esys::TPMU_PUBLIC_PARMS = Default::default(); - params.keyedHashDetail.scheme.scheme = tss_esapi::constants::TPM2_ALG_NULL; + params.keyedHashDetail.scheme.scheme = tss_constants::TPM2_ALG_NULL; Ok(tss_esapi::tss2_esys::TPM2B_PUBLIC { size: std::mem::size_of::() as u16, publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC { - type_: tss_esapi::constants::TPM2_ALG_KEYEDHASH, - nameAlg: tss_esapi::constants::TPM2_ALG_SHA256, + type_: tss_constants::TPM2_ALG_KEYEDHASH, + nameAlg: tss_constants::TPM2_ALG_SHA256, objectAttributes: object_attributes.0, authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::try_from(policy)?, parameters: params, @@ -139,13 +143,13 @@ pub(super) fn build_tpm2b_public( } pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC { - let ecc_params = utils::TpmsEccParmsBuilder::new_restricted_decryption_key( - utils::algorithm_specifiers::Cipher::aes_128_cfb(), - utils::algorithm_specifiers::EllipticCurve::NistP256, + let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key( + algorithm::Cipher::aes_128_cfb(), + algorithm::EllipticCurve::NistP256, ) .build() .unwrap(); - let mut object_attributes = utils::ObjectAttributes(0); + let mut object_attributes = ObjectAttributes(0); object_attributes.set_fixed_tpm(true); object_attributes.set_fixed_parent(true); object_attributes.set_sensitive_data_origin(true); @@ -154,11 +158,11 @@ pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBL object_attributes.set_sign_encrypt(false); object_attributes.set_restricted(true); - utils::Tpm2BPublicBuilder::new() - .with_type(constants::TPM2_ALG_ECC) - .with_name_alg(constants::TPM2_ALG_SHA256) + Tpm2BPublicBuilder::new() + .with_type(tss_constants::TPM2_ALG_ECC) + .with_name_alg(tss_constants::TPM2_ALG_SHA256) .with_object_attributes(object_attributes) - .with_parms(utils::PublicParmsUnion::EccDetail(ecc_params)) + .with_parms(PublicParmsUnion::EccDetail(ecc_params)) .build() .unwrap() } diff --git a/src/utils.rs b/src/utils.rs index 8a0c553..a1e06a5 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -1,9 +1,11 @@ use std::fs; use std::str::FromStr; +use tss_esapi::constants::algorithm::HashingAlgorithm; +use tss_esapi::constants::tss as tss_constants; use tss_esapi::tss2_esys::{ESYS_TR, ESYS_TR_NONE, ESYS_TR_RH_OWNER}; -use tss_esapi::utils::tcti; use tss_esapi::Context; +use tss_esapi::Tcti; use serde::Deserialize; @@ -42,16 +44,14 @@ pub(crate) fn get_authorized_policy_step( }) } -pub(crate) fn get_pcr_hash_alg_from_name( - name: Option<&String>, -) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm { +pub(crate) fn get_pcr_hash_alg_from_name(name: Option<&String>) -> HashingAlgorithm { match name { - None => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256, + None => HashingAlgorithm::Sha256, Some(val) => match val.to_lowercase().as_str() { - "sha1" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha1, - "sha256" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256, - "sha384" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha384, - "sha512" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha512, + "sha1" => HashingAlgorithm::Sha1, + "sha256" => HashingAlgorithm::Sha256, + "sha384" => HashingAlgorithm::Sha384, + "sha512" => HashingAlgorithm::Sha512, _ => panic!(format!("Unsupported hash algo: {:?}", name)), }, } @@ -76,16 +76,15 @@ where }) } -pub(crate) fn get_tpm2_ctx() -> Result { - unsafe { - Context::new(tcti::Tcti::Device(tcti::DeviceConfig::from_str( - if std::path::Path::new("/dev/tpmrm0").exists() { - "/dev/tpmrm0" - } else { - "/dev/tpm0" - }, - )?)) - } +pub(crate) fn get_tpm2_ctx() -> Result { + let tcti_path = if std::path::Path::new("/dev/tpmrm0").exists() { + "device:/dev/tpmrm0" + } else { + "device:/dev/tpm0" + }; + + let tcti = Tcti::from_str(tcti_path)?; + unsafe { Context::new(tcti) } } pub(crate) fn perform_with_other_sessions( @@ -95,7 +94,7 @@ pub(crate) fn perform_with_other_sessions( ) -> Result where F: Fn(&mut Context) -> Result, - E: From + From, + E: From + From, { let oldses = ctx.sessions(); @@ -119,8 +118,8 @@ pub(crate) fn get_tpm2_primary_key( ctx: &mut Context, pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC, ) -> Result { - perform_with_other_sessions(ctx, tss_esapi::constants::TPM2_SE_HMAC, |ctx| { - ctx.create_primary_key(ESYS_TR_RH_OWNER, pub_template, &[], &[], &[], &[]) + perform_with_other_sessions(ctx, tss_constants::TPM2_SE_HMAC, |ctx| { + ctx.create_primary_key(ESYS_TR_RH_OWNER, pub_template, None, None, None, &[]) .map_err(|e| e.into()) }) } @@ -134,14 +133,14 @@ pub(crate) fn create_and_set_tpm2_session( let session = ctx.start_auth_session( ESYS_TR_NONE, ESYS_TR_NONE, - &[], + None, session_type, symdef, - tss_esapi::constants::TPM2_ALG_SHA256, + tss_constants::TPM2_ALG_SHA256, )?; let session_attr = tss_esapi::utils::TpmaSessionBuilder::new() - .with_flag(tss_esapi::constants::TPMA_SESSION_DECRYPT) - .with_flag(tss_esapi::constants::TPMA_SESSION_ENCRYPT) + .with_flag(tss_constants::TPMA_SESSION_DECRYPT) + .with_flag(tss_constants::TPMA_SESSION_ENCRYPT) .build(); ctx.tr_sess_set_attributes(session, session_attr)?; @@ -155,10 +154,10 @@ fn tpm_sym_def( _ctx: &mut tss_esapi::Context, ) -> Result { Ok(tss_esapi::tss2_esys::TPMT_SYM_DEF { - algorithm: tss_esapi::constants::TPM2_ALG_AES, + algorithm: tss_constants::TPM2_ALG_AES, keyBits: tss_esapi::tss2_esys::TPMU_SYM_KEY_BITS { aes: 128 }, mode: tss_esapi::tss2_esys::TPMU_SYM_MODE { - aes: tss_esapi::constants::TPM2_ALG_CFB, + aes: tss_constants::TPM2_ALG_CFB, }, }) }