WIP: Provide an optional auth value for a key

src/lib.rs

@@ -335,18 +335,34 @@ pub enum LoadableIdentityKey {
     TpmEcdsa256V1 {
         private: tpm::Private,
         public: tpm::Public,
+        sk_private: Option<tpm::Private>,
+        sk_public: Option<tpm::Public>,
         x509: Option<Vec<u8>>,
     },
     #[cfg(not(feature = "tpm"))]
-    TpmEcdsa256V1 { private: (), public: (), x509: () },
+    TpmEcdsa256V1 {
+        private: (),
+        public: (),
+        sk_private: Option<()>,
+        sk_public: Option<()>,
+        x509: (),
+    },
     #[cfg(feature = "tpm")]
     TpmRsa2048V1 {
         private: tpm::Private,
         public: tpm::Public,
+        sk_private: Option<tpm::Private>,
+        sk_public: Option<tpm::Public>,
         x509: Option<Vec<u8>>,
     },
     #[cfg(not(feature = "tpm"))]
-    TpmRsa2048V1 { private: (), public: (), x509: () },
+    TpmRsa2048V1 {
+        private: (),
+        public: (),
+        sk_private: Option<()>,
+        sk_public: Option<()>,
+        x509: (),
+    },
 }
 
 pub enum IdentityKey {
@@ -500,12 +516,14 @@ pub trait Tpm {
     fn identity_key_create(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         algorithm: KeyAlgorithm,
     ) -> Result<LoadableIdentityKey, TpmError>;
 
     fn identity_key_load(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
     ) -> Result<IdentityKey, TpmError>;
 
@@ -523,13 +541,15 @@ pub trait Tpm {
     fn identity_key_certificate_request(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
         cn: &str,
     ) -> Result<Vec<u8>, TpmError>;
 
     fn identity_key_associate_certificate(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
         certificate_der: &[u8],
     ) -> Result<LoadableIdentityKey, TpmError>;
@@ -638,17 +658,19 @@ impl Tpm for BoxedDynTpm {
     fn identity_key_create(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         algorithm: KeyAlgorithm,
     ) -> Result<LoadableIdentityKey, TpmError> {
-        self.0.identity_key_create(mk, algorithm)
+        self.0.identity_key_create(mk, auth_value, algorithm)
     }
 
     fn identity_key_load(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
     ) -> Result<IdentityKey, TpmError> {
-        self.0.identity_key_load(mk, loadable_key)
+        self.0.identity_key_load(mk, auth_value, loadable_key)
     }
 
     fn identity_key_id(&mut self, key: &IdentityKey) -> Result<Vec<u8>, TpmError> {
@@ -671,21 +693,23 @@ impl Tpm for BoxedDynTpm {
     fn identity_key_certificate_request(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
         cn: &str,
     ) -> Result<Vec<u8>, TpmError> {
         self.0
-            .identity_key_certificate_request(mk, loadable_key, cn)
+            .identity_key_certificate_request(mk, auth_value, loadable_key, cn)
     }
 
     fn identity_key_associate_certificate(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
         certificate_der: &[u8],
     ) -> Result<LoadableIdentityKey, TpmError> {
         self.0
-            .identity_key_associate_certificate(mk, loadable_key, certificate_der)
+            .identity_key_associate_certificate(mk, auth_value, loadable_key, certificate_der)
     }
 
     fn identity_key_public_as_der(&mut self, key: &IdentityKey) -> Result<Vec<u8>, TpmError> {
@@ -885,15 +909,20 @@ mod tests {
                 .machine_key_load(&auth_value, &loadable_machine_key)
                 .expect("Unable to load machine key");
 
+            let id_key_auth_str = AuthValue::generate().expect("Failed to create hex pin");
+
+            let id_key_auth_value =
+                AuthValue::from_str(&id_key_auth_str).expect("Unable to create auth value");
+
             // from that ctx, create an identity key
             let loadable_id_key = $tpm
-                .identity_key_create(&machine_key, $alg)
+                .identity_key_create(&machine_key, Some(&id_key_auth_value), $alg)
                 .expect("Unable to create id key");
 
             trace!(?loadable_id_key);
 
             let id_key = $tpm
-                .identity_key_load(&machine_key, &loadable_id_key)
+                .identity_key_load(&machine_key, Some(&id_key_auth_value), &loadable_id_key)
                 .expect("Unable to load id key");
 
             let id_key_public_pem = $tpm
@@ -965,17 +994,24 @@ mod tests {
                 .machine_key_load(&auth_value, &loadable_machine_key)
                 .expect("Unable to load machine key");
 
+            let id_key_auth_value = AuthValue::ephemeral().expect("Unable to create auth value");
+
             // from that ctx, create an identity key
             let loadable_id_key = $tpm
-                .identity_key_create(&machine_key, $alg)
+                .identity_key_create(&machine_key, Some(&id_key_auth_value), $alg)
                 .expect("Unable to create id key");
 
             trace!(?loadable_id_key);
 
             // Get the CSR
 
             let csr_der = $tpm
-                .identity_key_certificate_request(&machine_key, &loadable_id_key, "common name")
+                .identity_key_certificate_request(
+                    &machine_key,
+                    Some(&id_key_auth_value),
+                    &loadable_id_key,
+                    "common name",
+                )
                 .expect("Failed to create csr");
 
             // Now, we need to sign this to an x509 cert externally.
@@ -992,14 +1028,15 @@ mod tests {
             let loadable_id_key = $tpm
                 .identity_key_associate_certificate(
                     &machine_key,
+                    Some(&id_key_auth_value),
                     &loadable_id_key,
                     &signed_cert_der,
                 )
                 .unwrap();
 
             // Now load it in:
             let id_key = $tpm
-                .identity_key_load(&machine_key, &loadable_id_key)
+                .identity_key_load(&machine_key, Some(&id_key_auth_value), &loadable_id_key)
                 .expect("Unable to load id key");
 
             let id_key_x509_pem = $tpm

src/soft.rs

@@ -147,8 +147,12 @@ impl Tpm for SoftTpm {
     fn identity_key_create(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         algorithm: KeyAlgorithm,
     ) -> Result<LoadableIdentityKey, TpmError> {
+        if auth_value.is_some() {
+            return Err(TpmError::TpmOperationUnsupported);
+        }
         match algorithm {
             KeyAlgorithm::Ecdsa256 => {
                 let ecgroup =
@@ -224,8 +228,12 @@ impl Tpm for SoftTpm {
     fn identity_key_load(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
     ) -> Result<IdentityKey, TpmError> {
+        if auth_value.is_some() {
+            return Err(TpmError::TpmOperationUnsupported);
+        }
         match (mk, loadable_key) {
             (
                 MachineKey::SoftAes256Gcm { key: mk_key },
@@ -457,10 +465,11 @@ impl Tpm for SoftTpm {
     fn identity_key_certificate_request(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
         cn: &str,
     ) -> Result<Vec<u8>, TpmError> {
-        let id_key = self.identity_key_load(mk, loadable_key)?;
+        let id_key = self.identity_key_load(mk, auth_value, loadable_key)?;
 
         let mut req_builder = X509ReqBuilder::new().map_err(|ossl_err| {
             error!(?ossl_err);
@@ -516,10 +525,11 @@ impl Tpm for SoftTpm {
     fn identity_key_associate_certificate(
         &mut self,
         mk: &MachineKey,
+        auth_value: Option<&AuthValue>,
         loadable_key: &LoadableIdentityKey,
         certificate_der: &[u8],
     ) -> Result<LoadableIdentityKey, TpmError> {
-        let id_key = self.identity_key_load(mk, loadable_key)?;
+        let id_key = self.identity_key_load(mk, auth_value, loadable_key)?;
 
         // Verify the certificate matches our key
         let certificate = X509::from_der(certificate_der).map_err(|ossl_err| {