Rebase to tss-esapi-4.0.6 and tpm2-policy-0.2.0
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
parent
e10391c4fb
commit
d2aa6b3d9e
|
@ -7,10 +7,10 @@ edition = "2018"
|
||||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
tss-esapi = "4.0.5-alpha.1"
|
tss-esapi = "4.0.6-alpha.1"
|
||||||
serde = "1.0"
|
serde = "1.0"
|
||||||
biscuit = "0.5.0-beta2"
|
biscuit = "0.5.0-beta2"
|
||||||
serde_json = "1.0"
|
serde_json = "1.0"
|
||||||
base64 = "0.12.1"
|
base64 = "0.12.1"
|
||||||
atty = "0.2.14"
|
atty = "0.2.14"
|
||||||
tpm2-policy = "0.1.0"
|
tpm2-policy = "0.2.0"
|
||||||
|
|
|
@ -63,9 +63,7 @@ impl TryFrom<&TPM2Config> for TPMPolicyStep {
|
||||||
}
|
}
|
||||||
|
|
||||||
impl TPM2Config {
|
impl TPM2Config {
|
||||||
pub(super) fn get_pcr_hash_alg(
|
pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm {
|
||||||
&self,
|
|
||||||
) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm {
|
|
||||||
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
20
src/main.rs
20
src/main.rs
|
@ -39,13 +39,15 @@ mod utils;
|
||||||
|
|
||||||
use cli::TPM2Config;
|
use cli::TPM2Config;
|
||||||
|
|
||||||
|
use tss_esapi::algorithm::structures::SensitiveData;
|
||||||
|
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
enum PinError {
|
enum PinError {
|
||||||
Text(&'static str),
|
Text(&'static str),
|
||||||
NoCommand,
|
NoCommand,
|
||||||
Serde(serde_json::Error),
|
Serde(serde_json::Error),
|
||||||
IO(std::io::Error),
|
IO(std::io::Error),
|
||||||
TPM(tss_esapi::response_code::Error),
|
TPM(tss_esapi::Error),
|
||||||
JWE(biscuit::errors::Error),
|
JWE(biscuit::errors::Error),
|
||||||
Base64Decoding(base64::DecodeError),
|
Base64Decoding(base64::DecodeError),
|
||||||
Utf8(std::str::Utf8Error),
|
Utf8(std::str::Utf8Error),
|
||||||
|
@ -117,8 +119,8 @@ impl From<serde_json::Error> for PinError {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl From<tss_esapi::response_code::Error> for PinError {
|
impl From<tss_esapi::Error> for PinError {
|
||||||
fn from(err: tss_esapi::response_code::Error) -> Self {
|
fn from(err: tss_esapi::Error) -> Self {
|
||||||
PinError::TPM(err)
|
PinError::TPM(err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -161,7 +163,8 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
||||||
|
|
||||||
let policy_digest = policy_runner.send_policy(&mut ctx, true)?;
|
let policy_digest = policy_runner.send_policy(&mut ctx, true)?;
|
||||||
|
|
||||||
let key_bytes: Vec<u8> = ctx.get_random(32)?;
|
let key_bytes = ctx.get_random(32)?;
|
||||||
|
let key_bytes: &[u8] = key_bytes.value();
|
||||||
let mut jwk = biscuit::jwk::JWK::new_octet_key(&key_bytes, biscuit::Empty {});
|
let mut jwk = biscuit::jwk::JWK::new_octet_key(&key_bytes, biscuit::Empty {});
|
||||||
jwk.common.algorithm = Some(biscuit::jwa::Algorithm::ContentEncryption(
|
jwk.common.algorithm = Some(biscuit::jwa::Algorithm::ContentEncryption(
|
||||||
biscuit::jwa::ContentEncryptionAlgorithm::A256GCM,
|
biscuit::jwa::ContentEncryptionAlgorithm::A256GCM,
|
||||||
|
@ -173,8 +176,9 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
||||||
let jwk_str = serde_json::to_string(&jwk)?;
|
let jwk_str = serde_json::to_string(&jwk)?;
|
||||||
|
|
||||||
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
|
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
|
||||||
|
let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
|
||||||
let (jwk_priv, jwk_pub) =
|
let (jwk_priv, jwk_pub) =
|
||||||
ctx.create_key(key_handle, &public, &[], jwk_str.as_bytes(), &[], &[])?;
|
ctx.create_key(key_handle, &public, None, Some(&jwk_str), None, &[])?;
|
||||||
|
|
||||||
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_priv)?;
|
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_priv)?;
|
||||||
|
|
||||||
|
@ -218,7 +222,9 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
||||||
};
|
};
|
||||||
|
|
||||||
let rand_nonce = ctx.get_random(12)?;
|
let rand_nonce = ctx.get_random(12)?;
|
||||||
let jwe_enc_options = biscuit::jwa::EncryptionOptions::AES_GCM { nonce: rand_nonce };
|
let jwe_enc_options = biscuit::jwa::EncryptionOptions::AES_GCM {
|
||||||
|
nonce: rand_nonce.value().to_vec(),
|
||||||
|
};
|
||||||
|
|
||||||
let jwe_token = biscuit::jwe::Compact::new_decrypted(hdr, input.as_bytes().to_vec());
|
let jwe_token = biscuit::jwe::Compact::new_decrypted(hdr, input.as_bytes().to_vec());
|
||||||
let jwe_token_compact = jwe_token.encrypt(&jwk, &jwe_enc_options)?;
|
let jwe_token_compact = jwe_token.encrypt(&jwk, &jwe_enc_options)?;
|
||||||
|
@ -344,7 +350,7 @@ fn perform_decrypt(input: &str) -> Result<(), PinError> {
|
||||||
let mut ctx = utils::get_tpm2_ctx()?;
|
let mut ctx = utils::get_tpm2_ctx()?;
|
||||||
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
||||||
|
|
||||||
utils::create_and_set_tpm2_session(&mut ctx, tss_esapi::constants::TPM2_SE_HMAC)?;
|
utils::create_and_set_tpm2_session(&mut ctx, tss_esapi::constants::tss::TPM2_SE_HMAC)?;
|
||||||
let key = ctx.load(key_handle, jwkpriv, jwkpub)?;
|
let key = ctx.load(key_handle, jwkpriv, jwkpub)?;
|
||||||
|
|
||||||
policy.send_policy(&mut ctx, false)?;
|
policy.send_policy(&mut ctx, false)?;
|
||||||
|
|
|
@ -1,7 +1,11 @@
|
||||||
use std::convert::TryFrom;
|
use std::convert::TryFrom;
|
||||||
|
|
||||||
use tss_esapi::constants;
|
use tss_esapi::constants::algorithm;
|
||||||
use tss_esapi::utils;
|
use tss_esapi::constants::tss as tss_constants;
|
||||||
|
use tss_esapi::structures::Digest;
|
||||||
|
use tss_esapi::utils::{
|
||||||
|
ObjectAttributes, PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder,
|
||||||
|
};
|
||||||
|
|
||||||
use crate::PinError;
|
use crate::PinError;
|
||||||
|
|
||||||
|
@ -11,7 +15,7 @@ pub(super) fn get_key_public(
|
||||||
match key_type {
|
match key_type {
|
||||||
"ecc" => Ok(create_restricted_ecc_public()),
|
"ecc" => Ok(create_restricted_ecc_public()),
|
||||||
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
||||||
utils::algorithm_specifiers::Cipher::aes_128_cfb(),
|
algorithm::Cipher::aes_128_cfb(),
|
||||||
2048,
|
2048,
|
||||||
0,
|
0,
|
||||||
)?),
|
)?),
|
||||||
|
@ -20,9 +24,9 @@ pub(super) fn get_key_public(
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn create_tpm2b_public_sealed_object(
|
pub(super) fn create_tpm2b_public_sealed_object(
|
||||||
policy: Option<tss_esapi::utils::Digest>,
|
policy: Option<Digest>,
|
||||||
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
||||||
let mut object_attributes = utils::ObjectAttributes(0);
|
let mut object_attributes = ObjectAttributes(0);
|
||||||
object_attributes.set_fixed_tpm(true);
|
object_attributes.set_fixed_tpm(true);
|
||||||
object_attributes.set_fixed_parent(true);
|
object_attributes.set_fixed_parent(true);
|
||||||
object_attributes.set_no_da(true);
|
object_attributes.set_no_da(true);
|
||||||
|
@ -33,17 +37,17 @@ pub(super) fn create_tpm2b_public_sealed_object(
|
||||||
}
|
}
|
||||||
let policy = match policy {
|
let policy = match policy {
|
||||||
Some(p) => p,
|
Some(p) => p,
|
||||||
None => tss_esapi::utils::Digest::try_from(vec![])?,
|
None => Digest::try_from(vec![])?,
|
||||||
};
|
};
|
||||||
|
|
||||||
let mut params: tss_esapi::tss2_esys::TPMU_PUBLIC_PARMS = Default::default();
|
let mut params: tss_esapi::tss2_esys::TPMU_PUBLIC_PARMS = Default::default();
|
||||||
params.keyedHashDetail.scheme.scheme = tss_esapi::constants::TPM2_ALG_NULL;
|
params.keyedHashDetail.scheme.scheme = tss_constants::TPM2_ALG_NULL;
|
||||||
|
|
||||||
Ok(tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
Ok(tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
||||||
size: std::mem::size_of::<tss_esapi::tss2_esys::TPMT_PUBLIC>() as u16,
|
size: std::mem::size_of::<tss_esapi::tss2_esys::TPMT_PUBLIC>() as u16,
|
||||||
publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC {
|
publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC {
|
||||||
type_: tss_esapi::constants::TPM2_ALG_KEYEDHASH,
|
type_: tss_constants::TPM2_ALG_KEYEDHASH,
|
||||||
nameAlg: tss_esapi::constants::TPM2_ALG_SHA256,
|
nameAlg: tss_constants::TPM2_ALG_SHA256,
|
||||||
objectAttributes: object_attributes.0,
|
objectAttributes: object_attributes.0,
|
||||||
authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::try_from(policy)?,
|
authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::try_from(policy)?,
|
||||||
parameters: params,
|
parameters: params,
|
||||||
|
@ -139,13 +143,13 @@ pub(super) fn build_tpm2b_public(
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
||||||
let ecc_params = utils::TpmsEccParmsBuilder::new_restricted_decryption_key(
|
let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
|
||||||
utils::algorithm_specifiers::Cipher::aes_128_cfb(),
|
algorithm::Cipher::aes_128_cfb(),
|
||||||
utils::algorithm_specifiers::EllipticCurve::NistP256,
|
algorithm::EllipticCurve::NistP256,
|
||||||
)
|
)
|
||||||
.build()
|
.build()
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let mut object_attributes = utils::ObjectAttributes(0);
|
let mut object_attributes = ObjectAttributes(0);
|
||||||
object_attributes.set_fixed_tpm(true);
|
object_attributes.set_fixed_tpm(true);
|
||||||
object_attributes.set_fixed_parent(true);
|
object_attributes.set_fixed_parent(true);
|
||||||
object_attributes.set_sensitive_data_origin(true);
|
object_attributes.set_sensitive_data_origin(true);
|
||||||
|
@ -154,11 +158,11 @@ pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBL
|
||||||
object_attributes.set_sign_encrypt(false);
|
object_attributes.set_sign_encrypt(false);
|
||||||
object_attributes.set_restricted(true);
|
object_attributes.set_restricted(true);
|
||||||
|
|
||||||
utils::Tpm2BPublicBuilder::new()
|
Tpm2BPublicBuilder::new()
|
||||||
.with_type(constants::TPM2_ALG_ECC)
|
.with_type(tss_constants::TPM2_ALG_ECC)
|
||||||
.with_name_alg(constants::TPM2_ALG_SHA256)
|
.with_name_alg(tss_constants::TPM2_ALG_SHA256)
|
||||||
.with_object_attributes(object_attributes)
|
.with_object_attributes(object_attributes)
|
||||||
.with_parms(utils::PublicParmsUnion::EccDetail(ecc_params))
|
.with_parms(PublicParmsUnion::EccDetail(ecc_params))
|
||||||
.build()
|
.build()
|
||||||
.unwrap()
|
.unwrap()
|
||||||
}
|
}
|
||||||
|
|
53
src/utils.rs
53
src/utils.rs
|
@ -1,9 +1,11 @@
|
||||||
use std::fs;
|
use std::fs;
|
||||||
use std::str::FromStr;
|
use std::str::FromStr;
|
||||||
|
|
||||||
|
use tss_esapi::constants::algorithm::HashingAlgorithm;
|
||||||
|
use tss_esapi::constants::tss as tss_constants;
|
||||||
use tss_esapi::tss2_esys::{ESYS_TR, ESYS_TR_NONE, ESYS_TR_RH_OWNER};
|
use tss_esapi::tss2_esys::{ESYS_TR, ESYS_TR_NONE, ESYS_TR_RH_OWNER};
|
||||||
use tss_esapi::utils::tcti;
|
|
||||||
use tss_esapi::Context;
|
use tss_esapi::Context;
|
||||||
|
use tss_esapi::Tcti;
|
||||||
|
|
||||||
use serde::Deserialize;
|
use serde::Deserialize;
|
||||||
|
|
||||||
|
@ -42,16 +44,14 @@ pub(crate) fn get_authorized_policy_step(
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) fn get_pcr_hash_alg_from_name(
|
pub(crate) fn get_pcr_hash_alg_from_name(name: Option<&String>) -> HashingAlgorithm {
|
||||||
name: Option<&String>,
|
|
||||||
) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm {
|
|
||||||
match name {
|
match name {
|
||||||
None => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256,
|
None => HashingAlgorithm::Sha256,
|
||||||
Some(val) => match val.to_lowercase().as_str() {
|
Some(val) => match val.to_lowercase().as_str() {
|
||||||
"sha1" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha1,
|
"sha1" => HashingAlgorithm::Sha1,
|
||||||
"sha256" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256,
|
"sha256" => HashingAlgorithm::Sha256,
|
||||||
"sha384" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha384,
|
"sha384" => HashingAlgorithm::Sha384,
|
||||||
"sha512" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha512,
|
"sha512" => HashingAlgorithm::Sha512,
|
||||||
_ => panic!(format!("Unsupported hash algo: {:?}", name)),
|
_ => panic!(format!("Unsupported hash algo: {:?}", name)),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -76,16 +76,15 @@ where
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context, tss_esapi::response_code::Error> {
|
pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context, tss_esapi::Error> {
|
||||||
unsafe {
|
let tcti_path = if std::path::Path::new("/dev/tpmrm0").exists() {
|
||||||
Context::new(tcti::Tcti::Device(tcti::DeviceConfig::from_str(
|
"device:/dev/tpmrm0"
|
||||||
if std::path::Path::new("/dev/tpmrm0").exists() {
|
|
||||||
"/dev/tpmrm0"
|
|
||||||
} else {
|
} else {
|
||||||
"/dev/tpm0"
|
"device:/dev/tpm0"
|
||||||
},
|
};
|
||||||
)?))
|
|
||||||
}
|
let tcti = Tcti::from_str(tcti_path)?;
|
||||||
|
unsafe { Context::new(tcti) }
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) fn perform_with_other_sessions<T, E, F>(
|
pub(crate) fn perform_with_other_sessions<T, E, F>(
|
||||||
|
@ -95,7 +94,7 @@ pub(crate) fn perform_with_other_sessions<T, E, F>(
|
||||||
) -> Result<T, E>
|
) -> Result<T, E>
|
||||||
where
|
where
|
||||||
F: Fn(&mut Context) -> Result<T, E>,
|
F: Fn(&mut Context) -> Result<T, E>,
|
||||||
E: From<tss_esapi::response_code::Error> + From<PinError>,
|
E: From<tss_esapi::Error> + From<PinError>,
|
||||||
{
|
{
|
||||||
let oldses = ctx.sessions();
|
let oldses = ctx.sessions();
|
||||||
|
|
||||||
|
@ -119,8 +118,8 @@ pub(crate) fn get_tpm2_primary_key(
|
||||||
ctx: &mut Context,
|
ctx: &mut Context,
|
||||||
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
||||||
) -> Result<ESYS_TR, PinError> {
|
) -> Result<ESYS_TR, PinError> {
|
||||||
perform_with_other_sessions(ctx, tss_esapi::constants::TPM2_SE_HMAC, |ctx| {
|
perform_with_other_sessions(ctx, tss_constants::TPM2_SE_HMAC, |ctx| {
|
||||||
ctx.create_primary_key(ESYS_TR_RH_OWNER, pub_template, &[], &[], &[], &[])
|
ctx.create_primary_key(ESYS_TR_RH_OWNER, pub_template, None, None, None, &[])
|
||||||
.map_err(|e| e.into())
|
.map_err(|e| e.into())
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -134,14 +133,14 @@ pub(crate) fn create_and_set_tpm2_session(
|
||||||
let session = ctx.start_auth_session(
|
let session = ctx.start_auth_session(
|
||||||
ESYS_TR_NONE,
|
ESYS_TR_NONE,
|
||||||
ESYS_TR_NONE,
|
ESYS_TR_NONE,
|
||||||
&[],
|
None,
|
||||||
session_type,
|
session_type,
|
||||||
symdef,
|
symdef,
|
||||||
tss_esapi::constants::TPM2_ALG_SHA256,
|
tss_constants::TPM2_ALG_SHA256,
|
||||||
)?;
|
)?;
|
||||||
let session_attr = tss_esapi::utils::TpmaSessionBuilder::new()
|
let session_attr = tss_esapi::utils::TpmaSessionBuilder::new()
|
||||||
.with_flag(tss_esapi::constants::TPMA_SESSION_DECRYPT)
|
.with_flag(tss_constants::TPMA_SESSION_DECRYPT)
|
||||||
.with_flag(tss_esapi::constants::TPMA_SESSION_ENCRYPT)
|
.with_flag(tss_constants::TPMA_SESSION_ENCRYPT)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
ctx.tr_sess_set_attributes(session, session_attr)?;
|
ctx.tr_sess_set_attributes(session, session_attr)?;
|
||||||
|
@ -155,10 +154,10 @@ fn tpm_sym_def(
|
||||||
_ctx: &mut tss_esapi::Context,
|
_ctx: &mut tss_esapi::Context,
|
||||||
) -> Result<tss_esapi::tss2_esys::TPMT_SYM_DEF, PinError> {
|
) -> Result<tss_esapi::tss2_esys::TPMT_SYM_DEF, PinError> {
|
||||||
Ok(tss_esapi::tss2_esys::TPMT_SYM_DEF {
|
Ok(tss_esapi::tss2_esys::TPMT_SYM_DEF {
|
||||||
algorithm: tss_esapi::constants::TPM2_ALG_AES,
|
algorithm: tss_constants::TPM2_ALG_AES,
|
||||||
keyBits: tss_esapi::tss2_esys::TPMU_SYM_KEY_BITS { aes: 128 },
|
keyBits: tss_esapi::tss2_esys::TPMU_SYM_KEY_BITS { aes: 128 },
|
||||||
mode: tss_esapi::tss2_esys::TPMU_SYM_MODE {
|
mode: tss_esapi::tss2_esys::TPMU_SYM_MODE {
|
||||||
aes: tss_esapi::constants::TPM2_ALG_CFB,
|
aes: tss_constants::TPM2_ALG_CFB,
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue