Split some code into different files
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
parent
387826aef7
commit
e10391c4fb
203
src/cli.rs
Normal file
203
src/cli.rs
Normal file
|
@ -0,0 +1,203 @@
|
||||||
|
use std::convert::TryFrom;
|
||||||
|
|
||||||
|
use super::PinError;
|
||||||
|
use crate::utils::get_authorized_policy_step;
|
||||||
|
|
||||||
|
use serde::{Deserialize, Serialize};
|
||||||
|
|
||||||
|
use tpm2_policy::TPMPolicyStep;
|
||||||
|
|
||||||
|
#[derive(Serialize, Deserialize, std::fmt::Debug)]
|
||||||
|
pub(super) struct TPM2Config {
|
||||||
|
pub hash: Option<String>,
|
||||||
|
pub key: Option<String>,
|
||||||
|
pub pcr_bank: Option<String>,
|
||||||
|
// PCR IDs can be passed in as comma-separated string or json array
|
||||||
|
pub pcr_ids: Option<serde_json::Value>,
|
||||||
|
pub pcr_digest: Option<String>,
|
||||||
|
// Public key (in JSON format) for a wildcard policy that's possibly OR'd with the PCR one
|
||||||
|
pub policy_pubkey_path: Option<String>,
|
||||||
|
pub policy_ref: Option<String>,
|
||||||
|
pub policy_path: Option<String>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl TryFrom<&TPM2Config> for TPMPolicyStep {
|
||||||
|
type Error = PinError;
|
||||||
|
|
||||||
|
fn try_from(cfg: &TPM2Config) -> Result<Self, PinError> {
|
||||||
|
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
|
||||||
|
Ok(TPMPolicyStep::Or([
|
||||||
|
Box::new(TPMPolicyStep::PCRs(
|
||||||
|
cfg.get_pcr_hash_alg(),
|
||||||
|
cfg.get_pcr_ids().unwrap(),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
)),
|
||||||
|
Box::new(get_authorized_policy_step(
|
||||||
|
cfg.policy_pubkey_path.as_ref().unwrap(),
|
||||||
|
&None,
|
||||||
|
&cfg.policy_ref,
|
||||||
|
)?),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
]))
|
||||||
|
} else if cfg.pcr_ids.is_some() {
|
||||||
|
Ok(TPMPolicyStep::PCRs(
|
||||||
|
cfg.get_pcr_hash_alg(),
|
||||||
|
cfg.get_pcr_ids().unwrap(),
|
||||||
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
|
))
|
||||||
|
} else if cfg.policy_pubkey_path.is_some() {
|
||||||
|
get_authorized_policy_step(
|
||||||
|
cfg.policy_pubkey_path.as_ref().unwrap(),
|
||||||
|
&None,
|
||||||
|
&cfg.policy_ref,
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
Ok(TPMPolicyStep::NoStep)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl TPM2Config {
|
||||||
|
pub(super) fn get_pcr_hash_alg(
|
||||||
|
&self,
|
||||||
|
) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm {
|
||||||
|
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(super) fn get_pcr_ids(&self) -> Option<Vec<u64>> {
|
||||||
|
match &self.pcr_ids {
|
||||||
|
None => None,
|
||||||
|
Some(serde_json::Value::Array(vals)) => {
|
||||||
|
Some(vals.iter().map(|x| x.as_u64().unwrap()).collect())
|
||||||
|
}
|
||||||
|
_ => panic!("Unexpected type found for pcr_ids"),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(super) fn get_pcr_ids_str(&self) -> Option<String> {
|
||||||
|
match &self.pcr_ids {
|
||||||
|
None => None,
|
||||||
|
Some(serde_json::Value::Array(vals)) => Some(
|
||||||
|
vals.iter()
|
||||||
|
.map(|x| x.as_u64().unwrap().to_string())
|
||||||
|
.collect::<Vec<String>>()
|
||||||
|
.join(","),
|
||||||
|
),
|
||||||
|
_ => panic!("Unexpected type found for pcr_ids"),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn normalize(mut self) -> Result<TPM2Config, PinError> {
|
||||||
|
self.normalize_pcr_ids()?;
|
||||||
|
if self.pcr_ids.is_some() && self.pcr_bank.is_none() {
|
||||||
|
self.pcr_bank = Some("sha256".to_string());
|
||||||
|
}
|
||||||
|
if (self.policy_pubkey_path.is_some()
|
||||||
|
|| self.policy_path.is_some()
|
||||||
|
|| self.policy_ref.is_some())
|
||||||
|
&& (self.policy_pubkey_path.is_none()
|
||||||
|
|| self.policy_path.is_none()
|
||||||
|
|| self.policy_ref.is_none())
|
||||||
|
{
|
||||||
|
return Err(PinError::Text(
|
||||||
|
"Not all of policy pubkey, path and ref are specified",
|
||||||
|
));
|
||||||
|
}
|
||||||
|
Ok(self)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn normalize_pcr_ids(&mut self) -> Result<(), PinError> {
|
||||||
|
// Normalize pcr_ids from comma-separated string to array
|
||||||
|
if let Some(serde_json::Value::String(val)) = &self.pcr_ids {
|
||||||
|
// Was a string, do a split
|
||||||
|
let newval: Vec<serde_json::Value> = val
|
||||||
|
.split(',')
|
||||||
|
.map(|x| serde_json::Value::String(x.to_string()))
|
||||||
|
.collect();
|
||||||
|
self.pcr_ids = Some(serde_json::Value::Array(newval));
|
||||||
|
}
|
||||||
|
// Normalize pcr_ids from array of Strings to array of Numbers
|
||||||
|
if let Some(serde_json::Value::Array(vals)) = &self.pcr_ids {
|
||||||
|
let newvals: Result<Vec<serde_json::Value>, _> = vals
|
||||||
|
.iter()
|
||||||
|
.map(|x| match x {
|
||||||
|
serde_json::Value::String(val) => match val.parse::<serde_json::Number>() {
|
||||||
|
Ok(res) => {
|
||||||
|
let new = serde_json::Value::Number(res);
|
||||||
|
if !new.is_u64() {
|
||||||
|
return Err("Non-positive string int");
|
||||||
|
}
|
||||||
|
Ok(new)
|
||||||
|
}
|
||||||
|
Err(_) => Err("Unparseable string int"),
|
||||||
|
},
|
||||||
|
serde_json::Value::Number(n) => {
|
||||||
|
let new = serde_json::Value::Number(n.clone());
|
||||||
|
if !new.is_u64() {
|
||||||
|
return Err("Non-positive int");
|
||||||
|
}
|
||||||
|
Ok(new)
|
||||||
|
}
|
||||||
|
_ => Err("Invalid value in pcr_ids"),
|
||||||
|
})
|
||||||
|
.collect();
|
||||||
|
self.pcr_ids = Some(serde_json::Value::Array(newvals?));
|
||||||
|
}
|
||||||
|
|
||||||
|
match &self.pcr_ids {
|
||||||
|
None => Ok(()),
|
||||||
|
// The normalization above would've caught any non-ints
|
||||||
|
Some(serde_json::Value::Array(_)) => Ok(()),
|
||||||
|
_ => Err(PinError::Text("Invalid type")),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub(super) enum ActionMode {
|
||||||
|
Encrypt,
|
||||||
|
Decrypt,
|
||||||
|
Summary,
|
||||||
|
Help,
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(super) fn get_mode_and_cfg(
|
||||||
|
args: &[String],
|
||||||
|
) -> Result<(ActionMode, Option<TPM2Config>), PinError> {
|
||||||
|
if args.len() > 1 && args[1] == "--summary" {
|
||||||
|
return Ok((ActionMode::Summary, None));
|
||||||
|
}
|
||||||
|
if args.len() > 1 && args[1] == "--help" {
|
||||||
|
return Ok((ActionMode::Help, None));
|
||||||
|
}
|
||||||
|
if atty::is(atty::Stream::Stdin) {
|
||||||
|
return Ok((ActionMode::Help, None));
|
||||||
|
}
|
||||||
|
let (mode, cfgstr) = if args[0].contains("encrypt") && args.len() == 2 {
|
||||||
|
(ActionMode::Encrypt, Some(&args[1]))
|
||||||
|
} else if args[0].contains("decrypt") {
|
||||||
|
(ActionMode::Decrypt, None)
|
||||||
|
} else if args.len() > 1 {
|
||||||
|
if args[1] == "encrypt" && args.len() == 3 {
|
||||||
|
(ActionMode::Encrypt, Some(&args[2]))
|
||||||
|
} else if args[1] == "decrypt" {
|
||||||
|
(ActionMode::Decrypt, None)
|
||||||
|
} else {
|
||||||
|
return Err(PinError::NoCommand);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return Err(PinError::NoCommand);
|
||||||
|
};
|
||||||
|
|
||||||
|
let cfg: Option<TPM2Config> = match cfgstr {
|
||||||
|
None => None,
|
||||||
|
Some(cfgstr) => Some(serde_json::from_str::<TPM2Config>(cfgstr)?.normalize()?),
|
||||||
|
};
|
||||||
|
|
||||||
|
Ok((mode, cfg))
|
||||||
|
}
|
407
src/main.rs
407
src/main.rs
|
@ -15,8 +15,6 @@
|
||||||
use std::convert::TryFrom;
|
use std::convert::TryFrom;
|
||||||
use std::error::Error;
|
use std::error::Error;
|
||||||
use std::fmt;
|
use std::fmt;
|
||||||
use std::fs;
|
|
||||||
use std::str::FromStr;
|
|
||||||
|
|
||||||
extern crate atty;
|
extern crate atty;
|
||||||
extern crate base64;
|
extern crate base64;
|
||||||
|
@ -31,40 +29,15 @@ use std::io::{self, Read, Write};
|
||||||
use biscuit::jwe;
|
use biscuit::jwe;
|
||||||
use biscuit::CompactJson;
|
use biscuit::CompactJson;
|
||||||
|
|
||||||
use tss_esapi::tss2_esys::{ESYS_TR, ESYS_TR_NONE, ESYS_TR_RH_OWNER};
|
|
||||||
use tss_esapi::utils;
|
|
||||||
use tss_esapi::utils::tcti;
|
|
||||||
use tss_esapi::Context;
|
|
||||||
|
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
|
|
||||||
use tpm2_policy::{TPMPolicyStep, SignedPolicyList, PublicKey};
|
use tpm2_policy::TPMPolicyStep;
|
||||||
|
|
||||||
|
mod cli;
|
||||||
mod tpm_objects;
|
mod tpm_objects;
|
||||||
|
mod utils;
|
||||||
|
|
||||||
fn serialize_as_base64_url_no_pad<S>(bytes: &[u8], serializer: S) -> Result<S::Ok, S::Error>
|
use cli::TPM2Config;
|
||||||
where
|
|
||||||
S: serde::Serializer,
|
|
||||||
{
|
|
||||||
serializer.serialize_str(&base64::encode_config(bytes, base64::URL_SAFE_NO_PAD))
|
|
||||||
}
|
|
||||||
|
|
||||||
fn deserialize_as_base64_url_no_pad<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>
|
|
||||||
where
|
|
||||||
D: serde::Deserializer<'de>,
|
|
||||||
{
|
|
||||||
String::deserialize(deserializer).and_then(|string| {
|
|
||||||
base64::decode_config(&string, base64::URL_SAFE_NO_PAD).map_err(serde::de::Error::custom)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
fn tpm_sym_def(_ctx: &mut tss_esapi::Context) -> Result<tss_esapi::tss2_esys::TPMT_SYM_DEF, PinError> {
|
|
||||||
Ok(tss_esapi::tss2_esys::TPMT_SYM_DEF {
|
|
||||||
algorithm: tss_esapi::constants::TPM2_ALG_AES,
|
|
||||||
keyBits: tss_esapi::tss2_esys::TPMU_SYM_KEY_BITS { aes: 128 },
|
|
||||||
mode: tss_esapi::tss2_esys::TPMU_SYM_MODE { aes: tss_esapi::constants::TPM2_ALG_CFB },
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
enum PinError {
|
enum PinError {
|
||||||
|
@ -168,278 +141,15 @@ impl From<std::str::Utf8Error> for PinError {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_and_set_tpm2_session(
|
|
||||||
ctx: &mut tss_esapi::Context,
|
|
||||||
session_type: tss_esapi::tss2_esys::TPM2_SE,
|
|
||||||
) -> Result<ESYS_TR, PinError> {
|
|
||||||
let symdef = tpm_sym_def(ctx)?;
|
|
||||||
|
|
||||||
let session = ctx.start_auth_session(
|
|
||||||
ESYS_TR_NONE,
|
|
||||||
ESYS_TR_NONE,
|
|
||||||
&[],
|
|
||||||
session_type,
|
|
||||||
symdef,
|
|
||||||
tss_esapi::constants::TPM2_ALG_SHA256,
|
|
||||||
)?;
|
|
||||||
let session_attr = tss_esapi::utils::TpmaSessionBuilder::new()
|
|
||||||
.with_flag(tss_esapi::constants::TPMA_SESSION_DECRYPT)
|
|
||||||
.with_flag(tss_esapi::constants::TPMA_SESSION_ENCRYPT)
|
|
||||||
.build();
|
|
||||||
|
|
||||||
ctx.tr_sess_set_attributes(session, session_attr)?;
|
|
||||||
|
|
||||||
ctx.set_sessions((session, ESYS_TR_NONE, ESYS_TR_NONE));
|
|
||||||
|
|
||||||
Ok(session)
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Serialize, Deserialize, std::fmt::Debug)]
|
|
||||||
struct TPM2Config {
|
|
||||||
hash: Option<String>,
|
|
||||||
key: Option<String>,
|
|
||||||
pcr_bank: Option<String>,
|
|
||||||
// PCR IDs can be passed in as comma-separated string or json array
|
|
||||||
pcr_ids: Option<serde_json::Value>,
|
|
||||||
pcr_digest: Option<String>,
|
|
||||||
// Public key (in JSON format) for a wildcard policy that's possibly OR'd with the PCR one
|
|
||||||
policy_pubkey_path: Option<String>,
|
|
||||||
policy_ref: Option<String>,
|
|
||||||
policy_path: Option<String>,
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_authorized_policy_step(
|
|
||||||
policy_pubkey_path: &str,
|
|
||||||
policy_path: &Option<String>,
|
|
||||||
policy_ref: &Option<String>,
|
|
||||||
) -> Result<TPMPolicyStep, PinError> {
|
|
||||||
let policy_ref = match policy_ref {
|
|
||||||
Some(policy_ref) => policy_ref.as_bytes().to_vec(),
|
|
||||||
None => vec![],
|
|
||||||
};
|
|
||||||
|
|
||||||
let signkey = {
|
|
||||||
let contents = fs::read_to_string(policy_pubkey_path)?;
|
|
||||||
serde_json::from_str::<PublicKey>(&contents)?
|
|
||||||
};
|
|
||||||
|
|
||||||
let policies = match policy_path {
|
|
||||||
None => None,
|
|
||||||
Some(policy_path) => {
|
|
||||||
let contents = fs::read_to_string(policy_path)?;
|
|
||||||
Some(serde_json::from_str::<SignedPolicyList>(&contents)?)
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
Ok(TPMPolicyStep::Authorized {
|
|
||||||
signkey,
|
|
||||||
policy_ref,
|
|
||||||
policies,
|
|
||||||
next: Box::new(TPMPolicyStep::NoStep),
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
impl TryFrom<&TPM2Config> for TPMPolicyStep {
|
|
||||||
type Error = PinError;
|
|
||||||
|
|
||||||
fn try_from(cfg: &TPM2Config) -> Result<Self, PinError> {
|
|
||||||
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
|
|
||||||
Ok(TPMPolicyStep::Or([
|
|
||||||
Box::new(TPMPolicyStep::PCRs(
|
|
||||||
cfg.get_pcr_hash_alg(),
|
|
||||||
cfg.get_pcr_ids().unwrap(),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
)),
|
|
||||||
Box::new(get_authorized_policy_step(
|
|
||||||
cfg.policy_pubkey_path.as_ref().unwrap(),
|
|
||||||
&None,
|
|
||||||
&cfg.policy_ref,
|
|
||||||
)?),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
]))
|
|
||||||
} else if cfg.pcr_ids.is_some() {
|
|
||||||
Ok(TPMPolicyStep::PCRs(
|
|
||||||
cfg.get_pcr_hash_alg(),
|
|
||||||
cfg.get_pcr_ids().unwrap(),
|
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
|
||||||
))
|
|
||||||
} else if cfg.policy_pubkey_path.is_some() {
|
|
||||||
get_authorized_policy_step(
|
|
||||||
cfg.policy_pubkey_path.as_ref().unwrap(),
|
|
||||||
&None,
|
|
||||||
&cfg.policy_ref,
|
|
||||||
)
|
|
||||||
} else {
|
|
||||||
Ok(TPMPolicyStep::NoStep)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_pcr_hash_alg_from_name(
|
|
||||||
name: Option<&String>,
|
|
||||||
) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm {
|
|
||||||
match name {
|
|
||||||
None => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256,
|
|
||||||
Some(val) => match val.to_lowercase().as_str() {
|
|
||||||
"sha1" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha1,
|
|
||||||
"sha256" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256,
|
|
||||||
"sha384" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha384,
|
|
||||||
"sha512" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha512,
|
|
||||||
_ => panic!(format!("Unsupported hash algo: {:?}", name)),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl TPM2Config {
|
|
||||||
fn get_pcr_hash_alg(&self) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm {
|
|
||||||
get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_pcr_ids(&self) -> Option<Vec<u64>> {
|
|
||||||
match &self.pcr_ids {
|
|
||||||
None => None,
|
|
||||||
Some(serde_json::Value::Array(vals)) => {
|
|
||||||
Some(vals.iter().map(|x| x.as_u64().unwrap()).collect())
|
|
||||||
}
|
|
||||||
_ => panic!("Unexpected type found for pcr_ids"),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_pcr_ids_str(&self) -> Option<String> {
|
|
||||||
match &self.pcr_ids {
|
|
||||||
None => None,
|
|
||||||
Some(serde_json::Value::Array(vals)) => Some(
|
|
||||||
vals.iter()
|
|
||||||
.map(|x| x.as_u64().unwrap().to_string())
|
|
||||||
.collect::<Vec<String>>()
|
|
||||||
.join(","),
|
|
||||||
),
|
|
||||||
_ => panic!("Unexpected type found for pcr_ids"),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
fn normalize(mut self) -> Result<TPM2Config, PinError> {
|
|
||||||
self.normalize_pcr_ids()?;
|
|
||||||
if self.pcr_ids.is_some() && self.pcr_bank.is_none() {
|
|
||||||
self.pcr_bank = Some("sha256".to_string());
|
|
||||||
}
|
|
||||||
if (self.policy_pubkey_path.is_some()
|
|
||||||
|| self.policy_path.is_some()
|
|
||||||
|| self.policy_ref.is_some())
|
|
||||||
&& (self.policy_pubkey_path.is_none()
|
|
||||||
|| self.policy_path.is_none()
|
|
||||||
|| self.policy_ref.is_none())
|
|
||||||
{
|
|
||||||
return Err(PinError::Text(
|
|
||||||
"Not all of policy pubkey, path and ref are specified",
|
|
||||||
));
|
|
||||||
}
|
|
||||||
Ok(self)
|
|
||||||
}
|
|
||||||
|
|
||||||
fn normalize_pcr_ids(&mut self) -> Result<(), PinError> {
|
|
||||||
// Normalize pcr_ids from comma-separated string to array
|
|
||||||
if let Some(serde_json::Value::String(val)) = &self.pcr_ids {
|
|
||||||
// Was a string, do a split
|
|
||||||
let newval: Vec<serde_json::Value> = val
|
|
||||||
.split(',')
|
|
||||||
.map(|x| serde_json::Value::String(x.to_string()))
|
|
||||||
.collect();
|
|
||||||
self.pcr_ids = Some(serde_json::Value::Array(newval));
|
|
||||||
}
|
|
||||||
// Normalize pcr_ids from array of Strings to array of Numbers
|
|
||||||
if let Some(serde_json::Value::Array(vals)) = &self.pcr_ids {
|
|
||||||
let newvals: Result<Vec<serde_json::Value>, _> = vals
|
|
||||||
.iter()
|
|
||||||
.map(|x| match x {
|
|
||||||
serde_json::Value::String(val) => match val.parse::<serde_json::Number>() {
|
|
||||||
Ok(res) => {
|
|
||||||
let new = serde_json::Value::Number(res);
|
|
||||||
if !new.is_u64() {
|
|
||||||
return Err("Non-positive string int");
|
|
||||||
}
|
|
||||||
Ok(new)
|
|
||||||
}
|
|
||||||
Err(_) => Err("Unparseable string int"),
|
|
||||||
},
|
|
||||||
serde_json::Value::Number(n) => {
|
|
||||||
let new = serde_json::Value::Number(n.clone());
|
|
||||||
if !new.is_u64() {
|
|
||||||
return Err("Non-positive int");
|
|
||||||
}
|
|
||||||
Ok(new)
|
|
||||||
}
|
|
||||||
_ => Err("Invalid value in pcr_ids"),
|
|
||||||
})
|
|
||||||
.collect();
|
|
||||||
self.pcr_ids = Some(serde_json::Value::Array(newvals?));
|
|
||||||
}
|
|
||||||
|
|
||||||
match &self.pcr_ids {
|
|
||||||
None => Ok(()),
|
|
||||||
// The normalization above would've caught any non-ints
|
|
||||||
Some(serde_json::Value::Array(_)) => Ok(()),
|
|
||||||
_ => Err(PinError::Text("Invalid type")),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Debug)]
|
|
||||||
enum ActionMode {
|
|
||||||
Encrypt,
|
|
||||||
Decrypt,
|
|
||||||
Summary,
|
|
||||||
Help,
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_mode_and_cfg(args: &[String]) -> Result<(ActionMode, Option<TPM2Config>), PinError> {
|
|
||||||
if args.len() > 1 && args[1] == "--summary" {
|
|
||||||
return Ok((ActionMode::Summary, None))
|
|
||||||
}
|
|
||||||
if args.len() > 1 && args[1] == "--help" {
|
|
||||||
return Ok((ActionMode::Help, None))
|
|
||||||
}
|
|
||||||
if atty::is(atty::Stream::Stdin) {
|
|
||||||
return Ok((ActionMode::Help, None))
|
|
||||||
}
|
|
||||||
let (mode, cfgstr) = if args[0].contains("encrypt") && args.len() == 2 {
|
|
||||||
(ActionMode::Encrypt, Some(&args[1]))
|
|
||||||
} else if args[0].contains("decrypt") {
|
|
||||||
(ActionMode::Decrypt, None)
|
|
||||||
} else if args.len() > 1 {
|
|
||||||
if args[1] == "encrypt" && args.len() == 3 {
|
|
||||||
(ActionMode::Encrypt, Some(&args[2]))
|
|
||||||
} else if args[1] == "decrypt" {
|
|
||||||
(ActionMode::Decrypt, None)
|
|
||||||
} else {
|
|
||||||
return Err(PinError::NoCommand);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return Err(PinError::NoCommand);
|
|
||||||
};
|
|
||||||
|
|
||||||
let cfg: Option<TPM2Config> = match cfgstr {
|
|
||||||
None => None,
|
|
||||||
Some(cfgstr) => Some(serde_json::from_str::<TPM2Config>(cfgstr)?.normalize()?),
|
|
||||||
};
|
|
||||||
|
|
||||||
Ok((mode, cfg))
|
|
||||||
}
|
|
||||||
|
|
||||||
fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
||||||
let key_type = match &cfg.key {
|
let key_type = match &cfg.key {
|
||||||
None => "ecc",
|
None => "ecc",
|
||||||
Some(key_type) => key_type,
|
Some(key_type) => key_type,
|
||||||
};
|
};
|
||||||
let key_public = get_key_public(&key_type)?;
|
let key_public = tpm_objects::get_key_public(&key_type)?;
|
||||||
|
|
||||||
let mut ctx = get_tpm2_ctx()?;
|
let mut ctx = utils::get_tpm2_ctx()?;
|
||||||
let key_handle = get_tpm2_primary_key(&mut ctx, &key_public)?;
|
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
||||||
|
|
||||||
let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?;
|
let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?;
|
||||||
|
|
||||||
|
@ -522,13 +232,13 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
||||||
struct Tpm2Inner {
|
struct Tpm2Inner {
|
||||||
hash: String,
|
hash: String,
|
||||||
#[serde(
|
#[serde(
|
||||||
deserialize_with = "deserialize_as_base64_url_no_pad",
|
deserialize_with = "utils::deserialize_as_base64_url_no_pad",
|
||||||
serialize_with = "serialize_as_base64_url_no_pad"
|
serialize_with = "utils::serialize_as_base64_url_no_pad"
|
||||||
)]
|
)]
|
||||||
jwk_priv: Vec<u8>,
|
jwk_priv: Vec<u8>,
|
||||||
#[serde(
|
#[serde(
|
||||||
deserialize_with = "deserialize_as_base64_url_no_pad",
|
deserialize_with = "utils::deserialize_as_base64_url_no_pad",
|
||||||
serialize_with = "serialize_as_base64_url_no_pad"
|
serialize_with = "utils::serialize_as_base64_url_no_pad"
|
||||||
)]
|
)]
|
||||||
jwk_pub: Vec<u8>,
|
jwk_pub: Vec<u8>,
|
||||||
key: String,
|
key: String,
|
||||||
|
@ -567,11 +277,11 @@ impl TryFrom<&Tpm2Inner> for TPMPolicyStep {
|
||||||
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
|
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
|
||||||
Ok(TPMPolicyStep::Or([
|
Ok(TPMPolicyStep::Or([
|
||||||
Box::new(TPMPolicyStep::PCRs(
|
Box::new(TPMPolicyStep::PCRs(
|
||||||
get_pcr_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
utils::get_pcr_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
||||||
cfg.get_pcr_ids().unwrap(),
|
cfg.get_pcr_ids().unwrap(),
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
)),
|
)),
|
||||||
Box::new(get_authorized_policy_step(
|
Box::new(utils::get_authorized_policy_step(
|
||||||
cfg.policy_pubkey_path.as_ref().unwrap(),
|
cfg.policy_pubkey_path.as_ref().unwrap(),
|
||||||
&cfg.policy_path,
|
&cfg.policy_path,
|
||||||
&cfg.policy_ref,
|
&cfg.policy_ref,
|
||||||
|
@ -585,12 +295,12 @@ impl TryFrom<&Tpm2Inner> for TPMPolicyStep {
|
||||||
]))
|
]))
|
||||||
} else if cfg.pcr_ids.is_some() {
|
} else if cfg.pcr_ids.is_some() {
|
||||||
Ok(TPMPolicyStep::PCRs(
|
Ok(TPMPolicyStep::PCRs(
|
||||||
get_pcr_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
utils::get_pcr_hash_alg_from_name(cfg.pcr_bank.as_ref()),
|
||||||
cfg.get_pcr_ids().unwrap(),
|
cfg.get_pcr_ids().unwrap(),
|
||||||
Box::new(TPMPolicyStep::NoStep),
|
Box::new(TPMPolicyStep::NoStep),
|
||||||
))
|
))
|
||||||
} else if cfg.policy_pubkey_path.is_some() {
|
} else if cfg.policy_pubkey_path.is_some() {
|
||||||
get_authorized_policy_step(
|
utils::get_authorized_policy_step(
|
||||||
cfg.policy_pubkey_path.as_ref().unwrap(),
|
cfg.policy_pubkey_path.as_ref().unwrap(),
|
||||||
&cfg.policy_path,
|
&cfg.policy_path,
|
||||||
&cfg.policy_ref,
|
&cfg.policy_ref,
|
||||||
|
@ -616,18 +326,6 @@ impl CompactJson for Tpm2Inner {}
|
||||||
impl CompactJson for ClevisHeader {}
|
impl CompactJson for ClevisHeader {}
|
||||||
impl CompactJson for ClevisInner {}
|
impl CompactJson for ClevisInner {}
|
||||||
|
|
||||||
fn get_key_public(key_type: &str) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
|
||||||
match key_type {
|
|
||||||
"ecc" => Ok(tpm_objects::create_restricted_ecc_public()),
|
|
||||||
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
|
||||||
utils::algorithm_specifiers::Cipher::aes_128_cfb(),
|
|
||||||
2048,
|
|
||||||
0,
|
|
||||||
)?),
|
|
||||||
_ => Err(PinError::Text("Unsupported key type used")),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
fn perform_decrypt(input: &str) -> Result<(), PinError> {
|
fn perform_decrypt(input: &str) -> Result<(), PinError> {
|
||||||
let token = biscuit::Compact::decode(input.trim());
|
let token = biscuit::Compact::decode(input.trim());
|
||||||
let hdr: biscuit::jwe::Header<ClevisHeader> = token.part(0)?;
|
let hdr: biscuit::jwe::Header<ClevisHeader> = token.part(0)?;
|
||||||
|
@ -641,12 +339,12 @@ fn perform_decrypt(input: &str) -> Result<(), PinError> {
|
||||||
|
|
||||||
let policy = TPMPolicyStep::try_from(&hdr.private.clevis.tpm2)?;
|
let policy = TPMPolicyStep::try_from(&hdr.private.clevis.tpm2)?;
|
||||||
|
|
||||||
let key_public = get_key_public(hdr.private.clevis.tpm2.key.as_str())?;
|
let key_public = tpm_objects::get_key_public(hdr.private.clevis.tpm2.key.as_str())?;
|
||||||
|
|
||||||
let mut ctx = get_tpm2_ctx()?;
|
let mut ctx = utils::get_tpm2_ctx()?;
|
||||||
let key_handle = get_tpm2_primary_key(&mut ctx, &key_public)?;
|
let key_handle = utils::get_tpm2_primary_key(&mut ctx, &key_public)?;
|
||||||
|
|
||||||
create_and_set_tpm2_session(&mut ctx, tss_esapi::constants::TPM2_SE_HMAC)?;
|
utils::create_and_set_tpm2_session(&mut ctx, tss_esapi::constants::TPM2_SE_HMAC)?;
|
||||||
let key = ctx.load(key_handle, jwkpriv, jwkpub)?;
|
let key = ctx.load(key_handle, jwkpriv, jwkpub)?;
|
||||||
|
|
||||||
policy.send_policy(&mut ctx, false)?;
|
policy.send_policy(&mut ctx, false)?;
|
||||||
|
@ -685,7 +383,8 @@ fn print_summary() {
|
||||||
}
|
}
|
||||||
|
|
||||||
fn print_help() {
|
fn print_help() {
|
||||||
eprintln!("
|
eprintln!(
|
||||||
|
"
|
||||||
Usage: clevis encrypt tpm2 CONFIG < PLAINTEXT > JWE
|
Usage: clevis encrypt tpm2 CONFIG < PLAINTEXT > JWE
|
||||||
|
|
||||||
Encrypts using a TPM2.0 chip binding policy
|
Encrypts using a TPM2.0 chip binding policy
|
||||||
|
@ -705,14 +404,15 @@ This command uses the following configuration properties:
|
||||||
policy_ref: <string> Reference to search for in signed policy file
|
policy_ref: <string> Reference to search for in signed policy file
|
||||||
|
|
||||||
policy_path: <string> Path to the policy path to search for decryption policy
|
policy_path: <string> Path to the policy path to search for decryption policy
|
||||||
");
|
"
|
||||||
|
);
|
||||||
|
|
||||||
std::process::exit(2);
|
std::process::exit(2);
|
||||||
}
|
}
|
||||||
|
|
||||||
fn main() {
|
fn main() {
|
||||||
let args: Vec<String> = env::args().collect();
|
let args: Vec<String> = env::args().collect();
|
||||||
let (mode, cfg) = match get_mode_and_cfg(&args) {
|
let (mode, cfg) = match cli::get_mode_and_cfg(&args) {
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
eprintln!("Error during parsing operation: {}", e);
|
eprintln!("Error during parsing operation: {}", e);
|
||||||
std::process::exit(1);
|
std::process::exit(1);
|
||||||
|
@ -721,9 +421,9 @@ fn main() {
|
||||||
};
|
};
|
||||||
|
|
||||||
match mode {
|
match mode {
|
||||||
ActionMode::Summary => return print_summary(),
|
cli::ActionMode::Summary => return print_summary(),
|
||||||
ActionMode::Help => return print_help(),
|
cli::ActionMode::Help => return print_help(),
|
||||||
_ => {},
|
_ => {}
|
||||||
};
|
};
|
||||||
|
|
||||||
let input = match read_input_token() {
|
let input = match read_input_token() {
|
||||||
|
@ -735,57 +435,12 @@ fn main() {
|
||||||
};
|
};
|
||||||
|
|
||||||
if let Err(e) = match mode {
|
if let Err(e) = match mode {
|
||||||
ActionMode::Encrypt => perform_encrypt(cfg.unwrap(), &input),
|
cli::ActionMode::Encrypt => perform_encrypt(cfg.unwrap(), &input),
|
||||||
ActionMode::Decrypt => perform_decrypt(&input),
|
cli::ActionMode::Decrypt => perform_decrypt(&input),
|
||||||
ActionMode::Summary => panic!("Summary was already handled supposedly"),
|
cli::ActionMode::Summary => panic!("Summary was already handled supposedly"),
|
||||||
ActionMode::Help => panic!("Help was already handled supposedly"),
|
cli::ActionMode::Help => panic!("Help was already handled supposedly"),
|
||||||
} {
|
} {
|
||||||
eprintln!("Error executing command: {}", e);
|
eprintln!("Error executing command: {}", e);
|
||||||
std::process::exit(2);
|
std::process::exit(2);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_tpm2_ctx() -> Result<Context, tss_esapi::response_code::Error> {
|
|
||||||
unsafe {
|
|
||||||
Context::new(tcti::Tcti::Device(
|
|
||||||
tcti::DeviceConfig::from_str(
|
|
||||||
if std::path::Path::new("/dev/tpmrm0").exists() {
|
|
||||||
"/dev/tpmrm0"
|
|
||||||
} else {
|
|
||||||
"/dev/tpm0"
|
|
||||||
}
|
|
||||||
)?
|
|
||||||
))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
fn perform_with_other_sessions<T, E, F>(ctx: &mut Context, sestype: tss_esapi::tss2_esys::TPM2_SE, f: F) -> Result<T, E>
|
|
||||||
where
|
|
||||||
F: Fn(&mut Context) -> Result<T, E>,
|
|
||||||
E: From<tss_esapi::response_code::Error> + From<PinError>
|
|
||||||
{
|
|
||||||
let oldses = ctx.sessions();
|
|
||||||
|
|
||||||
let res = create_and_set_tpm2_session(ctx, sestype);
|
|
||||||
if res.is_err() {
|
|
||||||
ctx.set_sessions(oldses);
|
|
||||||
ctx.flush_context(ctx.sessions().0)?;
|
|
||||||
res?;
|
|
||||||
}
|
|
||||||
|
|
||||||
let res = f(ctx);
|
|
||||||
|
|
||||||
ctx.flush_context(ctx.sessions().0)?;
|
|
||||||
|
|
||||||
ctx.set_sessions(oldses);
|
|
||||||
|
|
||||||
res
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_tpm2_primary_key(
|
|
||||||
ctx: &mut Context,
|
|
||||||
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
|
||||||
) -> Result<ESYS_TR, PinError> {
|
|
||||||
perform_with_other_sessions(ctx, tss_esapi::constants::TPM2_SE_HMAC,
|
|
||||||
|ctx| ctx.create_primary_key(ESYS_TR_RH_OWNER, pub_template, &[], &[], &[], &[]).map_err(|e| e.into()))
|
|
||||||
}
|
|
||||||
|
|
|
@ -5,6 +5,20 @@ use tss_esapi::utils;
|
||||||
|
|
||||||
use crate::PinError;
|
use crate::PinError;
|
||||||
|
|
||||||
|
pub(super) fn get_key_public(
|
||||||
|
key_type: &str,
|
||||||
|
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
||||||
|
match key_type {
|
||||||
|
"ecc" => Ok(create_restricted_ecc_public()),
|
||||||
|
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
||||||
|
utils::algorithm_specifiers::Cipher::aes_128_cfb(),
|
||||||
|
2048,
|
||||||
|
0,
|
||||||
|
)?),
|
||||||
|
_ => Err(PinError::Text("Unsupported key type used")),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub(super) fn create_tpm2b_public_sealed_object(
|
pub(super) fn create_tpm2b_public_sealed_object(
|
||||||
policy: Option<tss_esapi::utils::Digest>,
|
policy: Option<tss_esapi::utils::Digest>,
|
||||||
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
||||||
|
@ -38,7 +52,9 @@ pub(super) fn create_tpm2b_public_sealed_object(
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn get_tpm2b_public(val: tss_esapi::tss2_esys::TPM2B_PUBLIC) -> Result<Vec<u8>, PinError> {
|
pub(super) fn get_tpm2b_public(
|
||||||
|
val: tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
||||||
|
) -> Result<Vec<u8>, PinError> {
|
||||||
let mut offset = 0 as u64;
|
let mut offset = 0 as u64;
|
||||||
let mut resp = Vec::with_capacity((val.size + 4) as usize);
|
let mut resp = Vec::with_capacity((val.size + 4) as usize);
|
||||||
|
|
||||||
|
@ -58,7 +74,9 @@ pub(super) fn get_tpm2b_public(val: tss_esapi::tss2_esys::TPM2B_PUBLIC) -> Resul
|
||||||
Ok(resp)
|
Ok(resp)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn get_tpm2b_private(val: tss_esapi::tss2_esys::TPM2B_PRIVATE) -> Result<Vec<u8>, PinError> {
|
pub(super) fn get_tpm2b_private(
|
||||||
|
val: tss_esapi::tss2_esys::TPM2B_PRIVATE,
|
||||||
|
) -> Result<Vec<u8>, PinError> {
|
||||||
let mut offset = 0 as u64;
|
let mut offset = 0 as u64;
|
||||||
let mut resp = Vec::with_capacity((val.size + 4) as usize);
|
let mut resp = Vec::with_capacity((val.size + 4) as usize);
|
||||||
|
|
||||||
|
@ -78,7 +96,9 @@ pub(super) fn get_tpm2b_private(val: tss_esapi::tss2_esys::TPM2B_PRIVATE) -> Res
|
||||||
Ok(resp)
|
Ok(resp)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn build_tpm2b_private(val: &[u8]) -> Result<tss_esapi::tss2_esys::TPM2B_PRIVATE, PinError> {
|
pub(super) fn build_tpm2b_private(
|
||||||
|
val: &[u8],
|
||||||
|
) -> Result<tss_esapi::tss2_esys::TPM2B_PRIVATE, PinError> {
|
||||||
let mut resp = tss_esapi::tss2_esys::TPM2B_PRIVATE::default();
|
let mut resp = tss_esapi::tss2_esys::TPM2B_PRIVATE::default();
|
||||||
let mut offset = 0 as u64;
|
let mut offset = 0 as u64;
|
||||||
|
|
||||||
|
@ -97,7 +117,9 @@ pub(super) fn build_tpm2b_private(val: &[u8]) -> Result<tss_esapi::tss2_esys::TP
|
||||||
Ok(resp)
|
Ok(resp)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(super) fn build_tpm2b_public(val: &[u8]) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
pub(super) fn build_tpm2b_public(
|
||||||
|
val: &[u8],
|
||||||
|
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
||||||
let mut resp = tss_esapi::tss2_esys::TPM2B_PUBLIC::default();
|
let mut resp = tss_esapi::tss2_esys::TPM2B_PUBLIC::default();
|
||||||
let mut offset = 0 as u64;
|
let mut offset = 0 as u64;
|
||||||
|
|
||||||
|
|
164
src/utils.rs
Normal file
164
src/utils.rs
Normal file
|
@ -0,0 +1,164 @@
|
||||||
|
use std::fs;
|
||||||
|
use std::str::FromStr;
|
||||||
|
|
||||||
|
use tss_esapi::tss2_esys::{ESYS_TR, ESYS_TR_NONE, ESYS_TR_RH_OWNER};
|
||||||
|
use tss_esapi::utils::tcti;
|
||||||
|
use tss_esapi::Context;
|
||||||
|
|
||||||
|
use serde::Deserialize;
|
||||||
|
|
||||||
|
use super::PinError;
|
||||||
|
|
||||||
|
use tpm2_policy::{PublicKey, SignedPolicyList, TPMPolicyStep};
|
||||||
|
|
||||||
|
pub(crate) fn get_authorized_policy_step(
|
||||||
|
policy_pubkey_path: &str,
|
||||||
|
policy_path: &Option<String>,
|
||||||
|
policy_ref: &Option<String>,
|
||||||
|
) -> Result<TPMPolicyStep, PinError> {
|
||||||
|
let policy_ref = match policy_ref {
|
||||||
|
Some(policy_ref) => policy_ref.as_bytes().to_vec(),
|
||||||
|
None => vec![],
|
||||||
|
};
|
||||||
|
|
||||||
|
let signkey = {
|
||||||
|
let contents = fs::read_to_string(policy_pubkey_path)?;
|
||||||
|
serde_json::from_str::<PublicKey>(&contents)?
|
||||||
|
};
|
||||||
|
|
||||||
|
let policies = match policy_path {
|
||||||
|
None => None,
|
||||||
|
Some(policy_path) => {
|
||||||
|
let contents = fs::read_to_string(policy_path)?;
|
||||||
|
Some(serde_json::from_str::<SignedPolicyList>(&contents)?)
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
Ok(TPMPolicyStep::Authorized {
|
||||||
|
signkey,
|
||||||
|
policy_ref,
|
||||||
|
policies,
|
||||||
|
next: Box::new(TPMPolicyStep::NoStep),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn get_pcr_hash_alg_from_name(
|
||||||
|
name: Option<&String>,
|
||||||
|
) -> tss_esapi::utils::algorithm_specifiers::HashingAlgorithm {
|
||||||
|
match name {
|
||||||
|
None => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256,
|
||||||
|
Some(val) => match val.to_lowercase().as_str() {
|
||||||
|
"sha1" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha1,
|
||||||
|
"sha256" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256,
|
||||||
|
"sha384" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha384,
|
||||||
|
"sha512" => tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha512,
|
||||||
|
_ => panic!(format!("Unsupported hash algo: {:?}", name)),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn serialize_as_base64_url_no_pad<S>(
|
||||||
|
bytes: &[u8],
|
||||||
|
serializer: S,
|
||||||
|
) -> Result<S::Ok, S::Error>
|
||||||
|
where
|
||||||
|
S: serde::Serializer,
|
||||||
|
{
|
||||||
|
serializer.serialize_str(&base64::encode_config(bytes, base64::URL_SAFE_NO_PAD))
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn deserialize_as_base64_url_no_pad<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>
|
||||||
|
where
|
||||||
|
D: serde::Deserializer<'de>,
|
||||||
|
{
|
||||||
|
String::deserialize(deserializer).and_then(|string| {
|
||||||
|
base64::decode_config(&string, base64::URL_SAFE_NO_PAD).map_err(serde::de::Error::custom)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context, tss_esapi::response_code::Error> {
|
||||||
|
unsafe {
|
||||||
|
Context::new(tcti::Tcti::Device(tcti::DeviceConfig::from_str(
|
||||||
|
if std::path::Path::new("/dev/tpmrm0").exists() {
|
||||||
|
"/dev/tpmrm0"
|
||||||
|
} else {
|
||||||
|
"/dev/tpm0"
|
||||||
|
},
|
||||||
|
)?))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn perform_with_other_sessions<T, E, F>(
|
||||||
|
ctx: &mut Context,
|
||||||
|
sestype: tss_esapi::tss2_esys::TPM2_SE,
|
||||||
|
f: F,
|
||||||
|
) -> Result<T, E>
|
||||||
|
where
|
||||||
|
F: Fn(&mut Context) -> Result<T, E>,
|
||||||
|
E: From<tss_esapi::response_code::Error> + From<PinError>,
|
||||||
|
{
|
||||||
|
let oldses = ctx.sessions();
|
||||||
|
|
||||||
|
let res = create_and_set_tpm2_session(ctx, sestype);
|
||||||
|
if res.is_err() {
|
||||||
|
ctx.set_sessions(oldses);
|
||||||
|
ctx.flush_context(ctx.sessions().0)?;
|
||||||
|
res?;
|
||||||
|
}
|
||||||
|
|
||||||
|
let res = f(ctx);
|
||||||
|
|
||||||
|
ctx.flush_context(ctx.sessions().0)?;
|
||||||
|
|
||||||
|
ctx.set_sessions(oldses);
|
||||||
|
|
||||||
|
res
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn get_tpm2_primary_key(
|
||||||
|
ctx: &mut Context,
|
||||||
|
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
||||||
|
) -> Result<ESYS_TR, PinError> {
|
||||||
|
perform_with_other_sessions(ctx, tss_esapi::constants::TPM2_SE_HMAC, |ctx| {
|
||||||
|
ctx.create_primary_key(ESYS_TR_RH_OWNER, pub_template, &[], &[], &[], &[])
|
||||||
|
.map_err(|e| e.into())
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn create_and_set_tpm2_session(
|
||||||
|
ctx: &mut tss_esapi::Context,
|
||||||
|
session_type: tss_esapi::tss2_esys::TPM2_SE,
|
||||||
|
) -> Result<ESYS_TR, PinError> {
|
||||||
|
let symdef = tpm_sym_def(ctx)?;
|
||||||
|
|
||||||
|
let session = ctx.start_auth_session(
|
||||||
|
ESYS_TR_NONE,
|
||||||
|
ESYS_TR_NONE,
|
||||||
|
&[],
|
||||||
|
session_type,
|
||||||
|
symdef,
|
||||||
|
tss_esapi::constants::TPM2_ALG_SHA256,
|
||||||
|
)?;
|
||||||
|
let session_attr = tss_esapi::utils::TpmaSessionBuilder::new()
|
||||||
|
.with_flag(tss_esapi::constants::TPMA_SESSION_DECRYPT)
|
||||||
|
.with_flag(tss_esapi::constants::TPMA_SESSION_ENCRYPT)
|
||||||
|
.build();
|
||||||
|
|
||||||
|
ctx.tr_sess_set_attributes(session, session_attr)?;
|
||||||
|
|
||||||
|
ctx.set_sessions((session, ESYS_TR_NONE, ESYS_TR_NONE));
|
||||||
|
|
||||||
|
Ok(session)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn tpm_sym_def(
|
||||||
|
_ctx: &mut tss_esapi::Context,
|
||||||
|
) -> Result<tss_esapi::tss2_esys::TPMT_SYM_DEF, PinError> {
|
||||||
|
Ok(tss_esapi::tss2_esys::TPMT_SYM_DEF {
|
||||||
|
algorithm: tss_esapi::constants::TPM2_ALG_AES,
|
||||||
|
keyBits: tss_esapi::tss2_esys::TPMU_SYM_KEY_BITS { aes: 128 },
|
||||||
|
mode: tss_esapi::tss2_esys::TPMU_SYM_MODE {
|
||||||
|
aes: tss_esapi::constants::TPM2_ALG_CFB,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
Loading…
Reference in a new issue