WIP: Provide an optional auth value for a key

[dmulder]

(Refers|Fixes) #

Checklist

• This pr contains no AI generated code
• cargo fmt has been run
• cargo clippy has been run and there's no issues
• cargo test has been run and passes

[dmulder]

This isn't working, but I'm posting it here so we can investigate why:

running 11 tests
test soft::tests::aes_256_gcm_enc_dec ... ok
test soft::tests::aes_256_gcm_enc_dec_large ... ok
test soft::ms_extn_tests::soft_ms_extensions ... FAILED
test soft::tests::soft_identity_ecdsa256_csr ... FAILED
test soft::tests::soft_hmac_hw_bound ... FAILED
test soft::tests::soft_identity_ecdsa256_hw_bound ... FAILED
test soft::tests::soft_identity_rsa2048_hw_bound ... FAILED
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x0000098e) 
2024-03-20T16:44:20.007156Z ERROR tss_esapi::context::tpm_commands::object_commands: Error in loading: 0x0000098E    
2024-03-20T16:44:20.007204Z ERROR kanidm_hsm_crypto::tpm: tpm_err=TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: AuthFail, argument_number: Session(1) })))
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x0000098e) 
2024-03-20T16:44:20.136390Z ERROR tss_esapi::context::tpm_commands::object_commands: Error in loading: 0x0000098E    
2024-03-20T16:44:20.136423Z ERROR kanidm_hsm_crypto::tpm: tpm_err=TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: AuthFail, argument_number: Session(1) })))
test tpm::ms_extn_tests::tpm_ms_extensions ... FAILED
test tpm::tests::tpm_hmac_hw_bound ... FAILED
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x0000098e) 
2024-03-20T16:44:47.307023Z ERROR tss_esapi::context::tpm_commands::object_commands: Error in loading: 0x0000098E    
2024-03-20T16:44:47.307096Z ERROR kanidm_hsm_crypto::tpm: tpm_err=TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: AuthFail, argument_number: Session(1) })))
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x0000098e) 
2024-03-20T16:44:47.637676Z ERROR tss_esapi::context::tpm_commands::object_commands: Error in loading: 0x0000098E    
2024-03-20T16:44:47.637759Z ERROR kanidm_hsm_crypto::tpm: tpm_err=TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: AuthFail, argument_number: Session(1) })))
test tpm::tests::tpm_identity_rsa2048_hw_bound ... FAILED
test tpm::tests::tpm_identity_ecdsa256_hw_bound ... FAILED

failures:

---- soft::ms_extn_tests::soft_ms_extensions stdout ----
thread 'soft::ms_extn_tests::soft_ms_extensions' panicked at src/soft.rs:1051:9:
Unable to create new hmac key: TpmOperationUnsupported
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

---- soft::tests::soft_identity_ecdsa256_csr stdout ----
thread 'soft::tests::soft_identity_ecdsa256_csr' panicked at src/soft.rs:1039:9:
Unable to create id key: TpmOperationUnsupported

---- soft::tests::soft_hmac_hw_bound stdout ----
thread 'soft::tests::soft_hmac_hw_bound' panicked at src/soft.rs:1016:9:
Unable to create new hmac key: TpmOperationUnsupported

---- soft::tests::soft_identity_ecdsa256_hw_bound stdout ----
thread 'soft::tests::soft_identity_ecdsa256_hw_bound' panicked at src/soft.rs:1024:9:
Unable to create id key: TpmOperationUnsupported

---- soft::tests::soft_identity_rsa2048_hw_bound stdout ----
thread 'soft::tests::soft_identity_rsa2048_hw_bound' panicked at src/soft.rs:1032:9:
Unable to create id key: TpmOperationUnsupported

---- tpm::ms_extn_tests::tpm_ms_extensions stdout ----
thread 'tpm::ms_extn_tests::tpm_ms_extensions' panicked at src/tpm.rs:1631:9:
Unable to load ms rsa key: TpmKeyLoad

---- tpm::tests::tpm_hmac_hw_bound stdout ----
thread 'tpm::tests::tpm_hmac_hw_bound' panicked at src/tpm.rs:1604:9:
Unable to load hmac key: TpmKeyLoad

---- tpm::tests::tpm_identity_rsa2048_hw_bound stdout ----
thread 'tpm::tests::tpm_identity_rsa2048_hw_bound' panicked at src/tpm.rs:1619:9:
Unable to load id key: TpmKeyLoad

---- tpm::tests::tpm_identity_ecdsa256_hw_bound stdout ----
thread 'tpm::tests::tpm_identity_ecdsa256_hw_bound' panicked at src/tpm.rs:1611:9:
Unable to load id key: TpmKeyLoad


failures:
    soft::ms_extn_tests::soft_ms_extensions
    soft::tests::soft_hmac_hw_bound
    soft::tests::soft_identity_ecdsa256_csr
    soft::tests::soft_identity_ecdsa256_hw_bound
    soft::tests::soft_identity_rsa2048_hw_bound
    tpm::ms_extn_tests::tpm_ms_extensions
    tpm::tests::tpm_hmac_hw_bound
    tpm::tests::tpm_identity_ecdsa256_hw_bound
    tpm::tests::tpm_identity_rsa2048_hw_bound

test result: FAILED. 2 passed; 9 failed; 0 ignored; 0 measured; 0 filtered out; finished in 37.68s

[dmulder]

Obviously the soft errors are because it hasn't been implemented there yet, but the tpm errors concern me.

[Firstyear]

Okay, there are two parts here.

First, the error is the same as what occured with the machine keys. See

https://github.com/kanidm/hsm-crypto/blob/main/src/tpm.rs#L523

What's happening is that when you have a TPM object with an authValue, when we unload it's context (to free memory on the TPM, because we can only store 3 objects at a time) to reload the context you needs it's authValue again.

This means you need to duplicate what the MachineKey does where you have a storage key that has the authValue, then you have the actual key under that without the authValue. You can see this here https://github.com/kanidm/hsm-crypto/blob/main/src/lib.rs#L261 and it's why there is a private/public and an sk private/public.

So this means you need to change https://github.com/kanidm/hsm-crypto/blob/main/src/lib.rs#L402 to have an sk_private/public and then the private/public and cek_private/public need to be subordinate to the authenticated sk.

Second, is why are we adding auth values to all the other key types? I thought we only needed them on the MsOapxbcRsaKey for now to support the behaviours we needed?

[dmulder]

Second, is why are we adding auth values to all the other key types? I thought we only needed them on the MsOapxbcRsaKey for now to support the behaviours we needed?

Actually, it's just a plain rsa 2048 key. The key enrollment requires a public rsa 2048 bcrypt blob.

I was adding auth values for all of them because I modified the Tpm trait, forcing me to change all implementations of Tpm.

[dmulder]

I was adding auth values for all of them because I modified the Tpm trait, forcing me to change all implementations of Tpm.

Also had to do with all of them calling execute_key_load_to_context to load.

[dmulder]

Second, is why are we adding auth values to all the other key types? I thought we only needed them on the MsOapxbcRsaKey for now to support the behaviours we needed?

Hrm, I see what you mean now. I was just adding the auth_value to every function signature that made sense to me in src/libs.rs, doh.

[dmulder]

Now I'm getting these errors:

WARNING:esys:src/tss2-esys/api/Esys_Create.c:399:Esys_Create_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Create.c:134:Esys_Create() Esys Finish ErrorCode (0x0000018a) 
2024-03-26T17:07:40.836483Z ERROR tss_esapi::context::tpm_commands::object_commands: Error in creating derived key: 0x0000018A    
2024-03-26T17:07:40.836612Z ERROR kanidm_hsm_crypto::tpm: tpm_err=TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: Type, argument_number: Handle(1) })))
WARNING:esys:src/tss2-esys/api/Esys_Create.c:399:Esys_Create_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Create.c:134:Esys_Create() Esys Finish ErrorCode (0x0000018a) 
2024-03-26T17:07:41.127127Z ERROR tss_esapi::context::tpm_commands::object_commands: Error in creating derived key: 0x0000018A    
2024-03-26T17:07:41.127213Z ERROR kanidm_hsm_crypto::tpm: tpm_err=TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: Type, argument_number: Handle(1) })))

Trying to track them down.

[dmulder]

I suspect this storage_key_pub is causing the error, but I don't know the correct parameters to build one of these. Reusing (or recreating) key_pub from above causes the same error still.

[dmulder]

The failure is happening right here.

[Firstyear]

I've fixed the TPM issue in a new PR.