Skip to content

Commit

Permalink
Provide an optional auth value for a key
Browse files Browse the repository at this point in the history 
Signed-off-by: David Mulder <[email protected]>
  • Loading branch information
@dmulder
dmulder committed Mar 20, 2024
1 parent 13013de commit 8731a08
Show file tree
Hide file tree
Showing 3 changed files with 202 additions and 32 deletions.
85 changes: 65 additions & 20 deletions src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -487,11 +487,16 @@ pub trait Tpm {
exported_key: &LoadableMachineKey,
) -> Result<MachineKey, TpmError>;

fn hmac_key_create(&mut self, mk: &MachineKey) -> Result<LoadableHmacKey, TpmError>;
fn hmac_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
) -> Result<LoadableHmacKey, TpmError>;

fn hmac_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
exported_key: &LoadableHmacKey,
) -> Result<HmacKey, TpmError>;

Expand All @@ -500,12 +505,14 @@ pub trait Tpm {
fn identity_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
algorithm: KeyAlgorithm,
) -> Result<LoadableIdentityKey, TpmError>;

fn identity_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
) -> Result<IdentityKey, TpmError>;

Expand All @@ -523,13 +530,15 @@ pub trait Tpm {
fn identity_key_certificate_request(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
cn: &str,
) -> Result<Vec<u8>, TpmError>;

fn identity_key_associate_certificate(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
certificate_der: &[u8],
) -> Result<LoadableIdentityKey, TpmError>;
Expand All @@ -546,6 +555,7 @@ pub trait Tpm {
fn msoapxbc_rsa_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
) -> Result<LoadableMsOapxbcRsaKey, TpmError>;

#[cfg(feature = "msextensions")]
Expand All @@ -559,6 +569,7 @@ pub trait Tpm {
fn msoapxbc_rsa_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableMsOapxbcRsaKey,
) -> Result<MsOapxbcRsaKey, TpmError>;

Expand Down Expand Up @@ -619,16 +630,21 @@ impl Tpm for BoxedDynTpm {
self.0.machine_key_load(auth_value, exported_key)
}

fn hmac_key_create(&mut self, mk: &MachineKey) -> Result<LoadableHmacKey, TpmError> {
self.0.hmac_key_create(mk)
fn hmac_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
) -> Result<LoadableHmacKey, TpmError> {
self.0.hmac_key_create(mk, auth_value)
}

fn hmac_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
exported_key: &LoadableHmacKey,
) -> Result<HmacKey, TpmError> {
self.0.hmac_key_load(mk, exported_key)
self.0.hmac_key_load(mk, auth_value, exported_key)
}

fn hmac(&mut self, hk: &HmacKey, input: &[u8]) -> Result<Vec<u8>, TpmError> {
Expand All @@ -638,17 +654,19 @@ impl Tpm for BoxedDynTpm {
fn identity_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
algorithm: KeyAlgorithm,
) -> Result<LoadableIdentityKey, TpmError> {
self.0.identity_key_create(mk, algorithm)
self.0.identity_key_create(mk, auth_value, algorithm)
}

fn identity_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
) -> Result<IdentityKey, TpmError> {
self.0.identity_key_load(mk, loadable_key)
self.0.identity_key_load(mk, auth_value, loadable_key)
}

fn identity_key_id(&mut self, key: &IdentityKey) -> Result<Vec<u8>, TpmError> {
Expand All @@ -671,21 +689,23 @@ impl Tpm for BoxedDynTpm {
fn identity_key_certificate_request(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
cn: &str,
) -> Result<Vec<u8>, TpmError> {
self.0
.identity_key_certificate_request(mk, loadable_key, cn)
.identity_key_certificate_request(mk, auth_value, loadable_key, cn)
}

fn identity_key_associate_certificate(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
certificate_der: &[u8],
) -> Result<LoadableIdentityKey, TpmError> {
self.0
.identity_key_associate_certificate(mk, loadable_key, certificate_der)
.identity_key_associate_certificate(mk, auth_value, loadable_key, certificate_der)
}

fn identity_key_public_as_der(&mut self, key: &IdentityKey) -> Result<Vec<u8>, TpmError> {
Expand All @@ -708,8 +728,9 @@ impl Tpm for BoxedDynTpm {
fn msoapxbc_rsa_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
) -> Result<LoadableMsOapxbcRsaKey, TpmError> {
self.0.msoapxbc_rsa_key_create(mk)
self.0.msoapxbc_rsa_key_create(mk, auth_value)
}

#[cfg(feature = "msextensions")]
Expand All @@ -725,9 +746,10 @@ impl Tpm for BoxedDynTpm {
fn msoapxbc_rsa_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableMsOapxbcRsaKey,
) -> Result<MsOapxbcRsaKey, TpmError> {
self.0.msoapxbc_rsa_key_load(mk, loadable_key)
self.0.msoapxbc_rsa_key_load(mk, auth_value, loadable_key)
}

#[cfg(feature = "msextensions")]
Expand Down Expand Up @@ -810,15 +832,18 @@ mod tests {
.machine_key_load(&auth_value, &loadable_machine_key)
.expect("Unable to load machine key");

let hmac_auth_value =
AuthValue::ephemeral().expect("Failed to generate new random secret");

// from that ctx, create a hmac key.
let loadable_hmac_key = $tpm_a
.hmac_key_create(&machine_key)
.hmac_key_create(&machine_key, Some(&hmac_auth_value))
.expect("Unable to create new hmac key");

trace!(?loadable_hmac_key);

let hmac_key = $tpm_a
.hmac_key_load(&machine_key, &loadable_hmac_key)
.hmac_key_load(&machine_key, Some(&hmac_auth_value), &loadable_hmac_key)
.expect("Unable to load hmac key");

// do a hmac.
Expand All @@ -838,7 +863,7 @@ mod tests {

// Load the keys.
let hmac_key = $tpm_b
.hmac_key_load(&machine_key, &loadable_hmac_key)
.hmac_key_load(&machine_key, Some(&hmac_auth_value), &loadable_hmac_key)
.expect("Unable to load hmac key");

// Do another hmac
Expand Down Expand Up @@ -885,15 +910,20 @@ mod tests {
.machine_key_load(&auth_value, &loadable_machine_key)
.expect("Unable to load machine key");

let id_key_auth_str = AuthValue::generate().expect("Failed to create hex pin");

let id_key_auth_value =
AuthValue::from_str(&id_key_auth_str).expect("Unable to create auth value");

// from that ctx, create an identity key
let loadable_id_key = $tpm
.identity_key_create(&machine_key, $alg)
.identity_key_create(&machine_key, Some(&id_key_auth_value), $alg)
.expect("Unable to create id key");

trace!(?loadable_id_key);

let id_key = $tpm
.identity_key_load(&machine_key, &loadable_id_key)
.identity_key_load(&machine_key, Some(&id_key_auth_value), &loadable_id_key)
.expect("Unable to load id key");

let id_key_public_pem = $tpm
Expand Down Expand Up @@ -965,17 +995,24 @@ mod tests {
.machine_key_load(&auth_value, &loadable_machine_key)
.expect("Unable to load machine key");

let id_key_auth_value = AuthValue::ephemeral().expect("Unable to create auth value");

// from that ctx, create an identity key
let loadable_id_key = $tpm
.identity_key_create(&machine_key, $alg)
.identity_key_create(&machine_key, Some(&id_key_auth_value), $alg)
.expect("Unable to create id key");

trace!(?loadable_id_key);

// Get the CSR

let csr_der = $tpm
.identity_key_certificate_request(&machine_key, &loadable_id_key, "common name")
.identity_key_certificate_request(
&machine_key,
Some(&id_key_auth_value),
&loadable_id_key,
"common name",
)
.expect("Failed to create csr");

// Now, we need to sign this to an x509 cert externally.
Expand All @@ -992,14 +1029,15 @@ mod tests {
let loadable_id_key = $tpm
.identity_key_associate_certificate(
&machine_key,
Some(&id_key_auth_value),
&loadable_id_key,
&signed_cert_der,
)
.unwrap();

// Now load it in:
let id_key = $tpm
.identity_key_load(&machine_key, &loadable_id_key)
.identity_key_load(&machine_key, Some(&id_key_auth_value), &loadable_id_key)
.expect("Unable to load id key");

let id_key_x509_pem = $tpm
Expand Down Expand Up @@ -1147,13 +1185,20 @@ mod ms_extn_tests {
.machine_key_load(&auth_value, &loadable_machine_key)
.expect("Unable to load machine key");

let ms_rsa_key_auth_value =
AuthValue::ephemeral().expect("Failed to generate new random secret");

// from that ctx, create a hmac key.
let loadable_ms_rsa_key = $tpm_a
.msoapxbc_rsa_key_create(&machine_key)
.msoapxbc_rsa_key_create(&machine_key, Some(&ms_rsa_key_auth_value))
.expect("Unable to create new hmac key");

let ms_rsa_key = $tpm_a
.msoapxbc_rsa_key_load(&machine_key, &loadable_ms_rsa_key)
.msoapxbc_rsa_key_load(
&machine_key,
Some(&ms_rsa_key_auth_value),
&loadable_ms_rsa_key,
)
.expect("Unable to load ms rsa key");

// Get the public key as DER
Expand Down
36 changes: 33 additions & 3 deletions src/soft.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,14 @@ impl Tpm for SoftTpm {
}
}

fn hmac_key_create(&mut self, mk: &MachineKey) -> Result<LoadableHmacKey, TpmError> {
fn hmac_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
) -> Result<LoadableHmacKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}
let mut buf = Zeroizing::new([0; HMAC_KEY_LEN]);
rand_bytes(buf.as_mut()).map_err(|ossl_err| {
error!(?ossl_err);
Expand All @@ -101,8 +108,12 @@ impl Tpm for SoftTpm {
fn hmac_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableHmacKey,
) -> Result<HmacKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}
match (mk, loadable_key) {
(
MachineKey::SoftAes256Gcm { key: mk_key },
Expand Down Expand Up @@ -147,8 +158,12 @@ impl Tpm for SoftTpm {
fn identity_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
algorithm: KeyAlgorithm,
) -> Result<LoadableIdentityKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}
match algorithm {
KeyAlgorithm::Ecdsa256 => {
let ecgroup =
Expand Down Expand Up @@ -224,8 +239,12 @@ impl Tpm for SoftTpm {
fn identity_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
) -> Result<IdentityKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}
match (mk, loadable_key) {
(
MachineKey::SoftAes256Gcm { key: mk_key },
Expand Down Expand Up @@ -457,10 +476,11 @@ impl Tpm for SoftTpm {
fn identity_key_certificate_request(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
cn: &str,
) -> Result<Vec<u8>, TpmError> {
let id_key = self.identity_key_load(mk, loadable_key)?;
let id_key = self.identity_key_load(mk, auth_value, loadable_key)?;

let mut req_builder = X509ReqBuilder::new().map_err(|ossl_err| {
error!(?ossl_err);
Expand Down Expand Up @@ -516,10 +536,11 @@ impl Tpm for SoftTpm {
fn identity_key_associate_certificate(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
certificate_der: &[u8],
) -> Result<LoadableIdentityKey, TpmError> {
let id_key = self.identity_key_load(mk, loadable_key)?;
let id_key = self.identity_key_load(mk, auth_value, loadable_key)?;

// Verify the certificate matches our key
let certificate = X509::from_der(certificate_der).map_err(|ossl_err| {
Expand Down Expand Up @@ -567,7 +588,12 @@ impl Tpm for SoftTpm {
fn msoapxbc_rsa_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
) -> Result<LoadableMsOapxbcRsaKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}

let rsa = Rsa::generate(2048).map_err(|ossl_err| {
error!(?ossl_err);
TpmError::RsaGenerate
Expand Down Expand Up @@ -621,8 +647,12 @@ impl Tpm for SoftTpm {
fn msoapxbc_rsa_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableMsOapxbcRsaKey,
) -> Result<MsOapxbcRsaKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}
match (mk, loadable_key) {
(
MachineKey::SoftAes256Gcm { key: mk_key },
Expand Down
Loading

0 comments on commit 8731a08

Please sign in to comment.