diff --git a/tss-esapi/src/abstraction/ak.rs b/tss-esapi/src/abstraction/ak.rs index bf4febb1..8feeb73f 100644 --- a/tss-esapi/src/abstraction/ak.rs +++ b/tss-esapi/src/abstraction/ak.rs @@ -2,31 +2,30 @@ // SPDX-License-Identifier: Apache-2.0 use crate::{ - abstraction::{cipher::Cipher, IntoKeyCustomization, KeyCustomization}, + abstraction::{ + cipher::Cipher, AsymmetricAlgorithmSelection, IntoKeyCustomization, KeyCustomization, + }, attributes::{ObjectAttributesBuilder, SessionAttributesBuilder}, constants::{AlgorithmIdentifier, SessionType}, handles::{AuthHandle, KeyHandle, SessionHandle}, interface_types::{ algorithm::{ - AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, - RsaSchemeAlgorithm, SignatureSchemeAlgorithm, + EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm, + SignatureSchemeAlgorithm, }, - ecc::EccCurve, - key_bits::RsaKeyBits, session_handles::PolicySession, }, structures::{ - Auth, CreateKeyResult, EccScheme, KeyDerivationFunctionScheme, Private, Public, + Auth, CreateKeyResult, EccPoint, EccScheme, KeyDerivationFunctionScheme, Private, Public, PublicBuilder, PublicEccParametersBuilder, PublicKeyRsa, PublicRsaParametersBuilder, RsaExponent, RsaScheme, SymmetricDefinitionObject, }, Context, Error, Result, WrapperErrorKind, }; -use log::error; use std::convert::{TryFrom, TryInto}; fn create_ak_public( - key_alg: AsymmetricAlgorithm, + key_alg: AsymmetricAlgorithmSelection, hash_alg: HashingAlgorithm, sign_alg: SignatureSchemeAlgorithm, key_customization: IKC, @@ -50,7 +49,7 @@ fn create_ak_public( .build()?; let key_builder = match key_alg { - AsymmetricAlgorithm::Rsa => PublicBuilder::new() + AsymmetricAlgorithmSelection::Rsa(key_bits) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Rsa) .with_name_hashing_algorithm(hash_alg) .with_object_attributes(obj_attrs) @@ -60,7 +59,7 @@ fn create_ak_public( RsaSchemeAlgorithm::try_from(AlgorithmIdentifier::from(sign_alg))?, Some(hash_alg), )?) - .with_key_bits(RsaKeyBits::Rsa2048) + .with_key_bits(key_bits) .with_exponent(RsaExponent::default()) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -68,7 +67,7 @@ fn create_ak_public( .build()?, ) .with_rsa_unique_identifier(PublicKeyRsa::default()), - AsymmetricAlgorithm::Ecc => PublicBuilder::new() + AsymmetricAlgorithmSelection::Ecc(ecc_curve) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Ecc) .with_name_hashing_algorithm(hash_alg) .with_object_attributes(obj_attrs) @@ -78,16 +77,17 @@ fn create_ak_public( .with_ecc_scheme(EccScheme::create( EccSchemeAlgorithm::try_from(AlgorithmIdentifier::from(sign_alg))?, Some(hash_alg), - Some(0), + if sign_alg == SignatureSchemeAlgorithm::EcDaa { + Some(0) + } else { + None + }, )?) - .with_curve(EccCurve::NistP192) + .with_curve(ecc_curve) .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) .build()?, - ), - AsymmetricAlgorithm::Null => { - // TODO: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); - } + ) + .with_ecc_unique_identifier(EccPoint::default()), }; let key_builder = if let Some(ref k) = key_customization { @@ -160,16 +160,11 @@ pub fn create_ak( context: &mut Context, parent: KeyHandle, hash_alg: HashingAlgorithm, + key_alg: AsymmetricAlgorithmSelection, sign_alg: SignatureSchemeAlgorithm, ak_auth_value: Option, key_customization: IKC, ) -> Result { - let key_alg = AsymmetricAlgorithm::try_from(sign_alg).map_err(|e| { - // sign_alg is either HMAC or Null. - error!("Could not retrieve asymmetric algorithm for provided signature scheme"); - e - })?; - let ak_pub = create_ak_public(key_alg, hash_alg, sign_alg, key_customization)?; let policy_auth_session = context diff --git a/tss-esapi/src/abstraction/ek.rs b/tss-esapi/src/abstraction/ek.rs index 9d856e50..caecf14c 100644 --- a/tss-esapi/src/abstraction/ek.rs +++ b/tss-esapi/src/abstraction/ek.rs @@ -2,11 +2,11 @@ // SPDX-License-Identifier: Apache-2.0 use crate::{ - abstraction::{nv, IntoKeyCustomization, KeyCustomization}, + abstraction::{nv, AsymmetricAlgorithmSelection, IntoKeyCustomization, KeyCustomization}, attributes::ObjectAttributesBuilder, handles::{KeyHandle, NvIndexTpmHandle, TpmHandle}, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm}, + algorithm::{HashingAlgorithm, PublicAlgorithm}, ecc::EccCurve, key_bits::RsaKeyBits, resource_handles::{Hierarchy, NvAuth}, @@ -24,12 +24,20 @@ use std::convert::TryFrom; const RSA_2048_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00002; const ECC_P256_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0000a; +// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2 +// Section 2.2.1.5 (High Range) +const ECC_P384_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00016; +const ECC_P521_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00018; +const ECC_P256_SM2_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001a; +const RSA_3072_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001c; +const RSA_4096_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001e; + /// Get the [`Public`] representing a default Endorsement Key /// /// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2 /// Appendix B.3.3 and B.3.4 pub fn create_ek_public_from_default_template( - alg: AsymmetricAlgorithm, + alg: AsymmetricAlgorithmSelection, key_customization: IKC, ) -> Result { let key_customization = key_customization.into_key_customization(); @@ -65,7 +73,7 @@ pub fn create_ek_public_from_default_template( ]; let key_builder = match alg { - AsymmetricAlgorithm::Rsa => PublicBuilder::new() + AsymmetricAlgorithmSelection::Rsa(key_bits) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Rsa) .with_name_hashing_algorithm(HashingAlgorithm::Sha256) .with_object_attributes(obj_attrs) @@ -74,7 +82,7 @@ pub fn create_ek_public_from_default_template( PublicRsaParametersBuilder::new() .with_symmetric(SymmetricDefinitionObject::AES_128_CFB) .with_scheme(RsaScheme::Null) - .with_key_bits(RsaKeyBits::Rsa2048) + .with_key_bits(key_bits) .with_exponent(RsaExponent::default()) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -82,7 +90,7 @@ pub fn create_ek_public_from_default_template( .build()?, ) .with_rsa_unique_identifier(PublicKeyRsa::new_empty_with_size(RsaKeyBits::Rsa2048)), - AsymmetricAlgorithm::Ecc => PublicBuilder::new() + AsymmetricAlgorithmSelection::Ecc(ecc_curve) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Ecc) .with_name_hashing_algorithm(HashingAlgorithm::Sha256) .with_object_attributes(obj_attrs) @@ -91,7 +99,7 @@ pub fn create_ek_public_from_default_template( PublicEccParametersBuilder::new() .with_symmetric(SymmetricDefinitionObject::AES_128_CFB) .with_ecc_scheme(EccScheme::Null) - .with_curve(EccCurve::NistP256) + .with_curve(ecc_curve) .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -102,10 +110,6 @@ pub fn create_ek_public_from_default_template( EccParameter::try_from(vec![0u8; 32])?, EccParameter::try_from(vec![0u8; 32])?, )), - AsymmetricAlgorithm::Null => { - // TDOD: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); - } }; let key_builder = if let Some(ref k) = key_customization { @@ -119,7 +123,7 @@ pub fn create_ek_public_from_default_template( /// Create the Endorsement Key object from the specification templates pub fn create_ek_object( context: &mut Context, - alg: AsymmetricAlgorithm, + alg: AsymmetricAlgorithmSelection, key_customization: IKC, ) -> Result { let ek_public = create_ek_public_from_default_template(alg, key_customization)?; @@ -132,14 +136,21 @@ pub fn create_ek_object( } /// Retrieve the Endorsement Key public certificate from the TPM -pub fn retrieve_ek_pubcert(context: &mut Context, alg: AsymmetricAlgorithm) -> Result> { +pub fn retrieve_ek_pubcert( + context: &mut Context, + alg: AsymmetricAlgorithmSelection, +) -> Result> { let nv_idx = match alg { - AsymmetricAlgorithm::Rsa => RSA_2048_EK_CERTIFICATE_NV_INDEX, - AsymmetricAlgorithm::Ecc => ECC_P256_EK_CERTIFICATE_NV_INDEX, - AsymmetricAlgorithm::Null => { - // TDOD: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048) => RSA_2048_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa3072) => RSA_3072_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa4096) => RSA_4096_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256) => ECC_P256_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384) => ECC_P384_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP521) => ECC_P521_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::Sm2P256) => { + ECC_P256_SM2_EK_CERTIFICATE_NV_INDEX } + _ => return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)), }; let nv_idx = NvIndexTpmHandle::new(nv_idx).unwrap(); diff --git a/tss-esapi/src/abstraction/mod.rs b/tss-esapi/src/abstraction/mod.rs index 1c7d8d68..45aa473e 100644 --- a/tss-esapi/src/abstraction/mod.rs +++ b/tss-esapi/src/abstraction/mod.rs @@ -9,9 +9,16 @@ pub mod pcr; pub mod public; pub mod transient; -use crate::{attributes::ObjectAttributesBuilder, structures::PublicBuilder}; +use std::convert::TryFrom; -/// KeyCustomizaion allows to adjust how a key is going to be created +use crate::{ + attributes::ObjectAttributesBuilder, + interface_types::{algorithm::AsymmetricAlgorithm, ecc::EccCurve, key_bits::RsaKeyBits}, + structures::PublicBuilder, + Error, WrapperErrorKind, +}; + +/// KeyCustomization allows to adjust how a key is going to be created pub trait KeyCustomization { /// Alter the attributes used on key creation fn attributes(&self, attributes_builder: ObjectAttributesBuilder) -> ObjectAttributesBuilder { @@ -60,3 +67,29 @@ impl IntoKeyCustomization for Option { None } } + +/// Enum representing the asymmetric algorithm interface type with specific properties. +/// +/// # Details +/// Use this instead of [AsymmetricAlgorithm]. +#[derive(Copy, Clone, Debug, PartialEq, Eq)] +pub enum AsymmetricAlgorithmSelection { + Rsa(RsaKeyBits), + Ecc(EccCurve), +} + +/// The conversion assumes for RSA 2048 bit size and for ECC the Nist P256 curve, +/// which matches the defaults in tpm2-tools. +impl TryFrom for AsymmetricAlgorithmSelection { + type Error = Error; + + fn try_from(value: AsymmetricAlgorithm) -> Result { + match value { + AsymmetricAlgorithm::Rsa => Ok(AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048)), + AsymmetricAlgorithm::Ecc => Ok(AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256)), + AsymmetricAlgorithm::Null => { + Err(Error::local_error(WrapperErrorKind::UnsupportedParam)) + } + } + } +} diff --git a/tss-esapi/src/abstraction/transient/key_attestation.rs b/tss-esapi/src/abstraction/transient/key_attestation.rs index 82a1bd48..48a075f4 100644 --- a/tss-esapi/src/abstraction/transient/key_attestation.rs +++ b/tss-esapi/src/abstraction/transient/key_attestation.rs @@ -2,11 +2,12 @@ // SPDX-License-Identifier: Apache-2.0 use super::{ObjectWrapper, TransientKeyContext}; use crate::{ - abstraction::ek, + abstraction::{ek, AsymmetricAlgorithmSelection}, constants::SessionType, handles::{AuthHandle, KeyHandle, SessionHandle}, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm}, + algorithm::HashingAlgorithm, + key_bits::RsaKeyBits, session_handles::{AuthSession, PolicySession}, }, structures::{EncryptedSecret, IdObject, SymmetricDefinition}, @@ -151,13 +152,16 @@ impl TransientKeyContext { None, ); Ok(( - ek::create_ek_object(&mut self.context, AsymmetricAlgorithm::Rsa, None).or_else( - |e| { - self.context - .flush_context(SessionHandle::from(session).into())?; - Err(e) - }, - )?, + ek::create_ek_object( + &mut self.context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .or_else(|e| { + self.context + .flush_context(SessionHandle::from(session).into())?; + Err(e) + })?, session, )) } @@ -188,7 +192,11 @@ impl TransientKeyContext { } fn get_ek_object_public(context: &mut crate::Context) -> Result { - let key_handle = ek::create_ek_object(context, AsymmetricAlgorithm::Rsa, None)?; + let key_handle = ek::create_ek_object( + context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + )?; let (attesting_key_pub, _, _) = context.read_public(key_handle).or_else(|e| { context.flush_context(key_handle.into())?; Err(e) diff --git a/tss-esapi/src/interface_types/algorithm.rs b/tss-esapi/src/interface_types/algorithm.rs index 590c66eb..b97b308c 100644 --- a/tss-esapi/src/interface_types/algorithm.rs +++ b/tss-esapi/src/interface_types/algorithm.rs @@ -292,7 +292,8 @@ impl TryFrom for SymmetricMode { /// Enum representing the asymmetric algorithm interface type. /// /// # Details -/// This corresponds to TPMI_ALG_ASYM +/// Use [crate::abstraction::AsymmetricAlgorithmSelection] instead where possible. +/// This corresponds to TPMI_ALG_ASYM. #[derive(Copy, Clone, Debug, PartialEq, Eq, Hash)] pub enum AsymmetricAlgorithm { Rsa, diff --git a/tss-esapi/src/structures/tagged/public/ecc.rs b/tss-esapi/src/structures/tagged/public/ecc.rs index e71cb317..ec3ff916 100644 --- a/tss-esapi/src/structures/tagged/public/ecc.rs +++ b/tss-esapi/src/structures/tagged/public/ecc.rs @@ -194,11 +194,31 @@ impl PublicEccParametersBuilder { return Err(Error::local_error(WrapperErrorKind::InconsistentParams)); } - if (ecc_curve == EccCurve::BnP256 || ecc_curve == EccCurve::BnP638) - && ecc_scheme.algorithm() != EccSchemeAlgorithm::EcDaa - { - error!("Bn curve should use only EcDaa scheme"); - return Err(Error::local_error(WrapperErrorKind::InconsistentParams)); + match (ecc_curve, ecc_scheme.algorithm()) { + (EccCurve::BnP256 | EccCurve::BnP638, EccSchemeAlgorithm::EcDaa) + | (EccCurve::Sm2P256, EccSchemeAlgorithm::Sm2) + | ( + EccCurve::NistP192 + | EccCurve::NistP224 + | EccCurve::NistP256 + | EccCurve::NistP384 + | EccCurve::NistP521, + EccSchemeAlgorithm::EcDh + | EccSchemeAlgorithm::EcDaa + | EccSchemeAlgorithm::EcDsa + | EccSchemeAlgorithm::EcMqv + | EccSchemeAlgorithm::EcSchnorr, + ) + | (_, EccSchemeAlgorithm::Null) => (), + + _ => { + error!( + "Mismatch between elliptic curve ({:#?}) and signing scheme ({:#?}) used", + ecc_curve, + ecc_scheme.algorithm() + ); + return Err(Error::local_error(WrapperErrorKind::InconsistentParams)); + } } Ok(PublicEccParameters { diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs index ad2a1691..f4fff700 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs @@ -4,15 +4,18 @@ use std::convert::{TryFrom, TryInto}; use tss_esapi::{ - abstraction::{ak, ek, KeyCustomization}, + abstraction::{ak, ek, AsymmetricAlgorithmSelection, KeyCustomization}, attributes::{ObjectAttributesBuilder, SessionAttributesBuilder}, constants::SessionType, handles::AuthHandle, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm}, + algorithm::{HashingAlgorithm, SignatureSchemeAlgorithm}, + ecc::EccCurve, + key_bits::RsaKeyBits, session_handles::PolicySession, }, structures::{Auth, Digest, PublicBuilder, SymmetricDefinition}, + Error, WrapperErrorKind, }; use crate::common::create_ctx_without_session; @@ -21,11 +24,17 @@ use crate::common::create_ctx_without_session; fn test_create_ak_rsa_rsa() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, None, None, @@ -37,32 +46,90 @@ fn test_create_ak_rsa_rsa() { fn test_create_ak_rsa_ecc() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); - if ak::create_ak( + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); + + if let Err(actual_error) = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), SignatureSchemeAlgorithm::Sm2, None, None, - ) - .is_ok() - { - // We can't use unwrap_err because that requires Debug on the T - panic!("Should have errored"); + ) { + let expected_error = Error::WrapperError(WrapperErrorKind::InconsistentParams); + assert_eq!(expected_error, actual_error); + } else { + // We can't use unwrap_err because that requires Debug on the T(=CreateKeyResult). + panic!("Should not be possible to create an AK with a parent that have an unsupported or incompatible scheme."); } } +#[test] +fn test_create_ak_ecc_ecc() { + let mut context = create_ctx_without_session(); + + let ek_ecc = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384), + None, + ) + .unwrap(); + ak::create_ak( + &mut context, + ek_ecc, + HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + SignatureSchemeAlgorithm::EcDsa, + None, + None, + ) + .unwrap(); +} + +#[test] +fn test_create_ak_ecdaa() { + let mut context = create_ctx_without_session(); + + let ek_ecc = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384), + None, + ) + .unwrap(); + ak::create_ak( + &mut context, + ek_ecc, + HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Ecc(EccCurve::BnP256), + SignatureSchemeAlgorithm::EcDaa, + None, + None, + ) + .unwrap(); +} + #[test] fn test_create_and_use_ak() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let ak_auth = Auth::try_from(vec![0x1, 0x2, 0x42]).unwrap(); let att_key = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth.clone()), None, @@ -158,13 +225,19 @@ fn test_create_custom_ak() { } let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let ak_auth = Auth::try_from(vec![0x1, 0x2, 0x42]).unwrap(); // Without customization, no st clear let att_key_without = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth.clone()), None, @@ -181,6 +254,7 @@ fn test_create_custom_ak() { &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth), &CustomizeKey, diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs index fd9de753..e87b45a7 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs @@ -2,9 +2,9 @@ // SPDX-License-Identifier: Apache-2.0 use tss_esapi::{ - abstraction::ek, + abstraction::{ek, AsymmetricAlgorithmSelection}, constants::response_code::{FormatOneResponseCode, Tss2ResponseCode}, - interface_types::algorithm::AsymmetricAlgorithm, + interface_types::{ecc::EccCurve, key_bits::RsaKeyBits}, Error, }; @@ -16,12 +16,18 @@ fn test_retrieve_ek_pubcert() { // The error 395 is for "handle could not be found" - this makes it that if the NV Index // did not exist (the test is run on a TPM without an endorsement cert), it still passes. - match ek::retrieve_ek_pubcert(&mut context, AsymmetricAlgorithm::Rsa) { + match ek::retrieve_ek_pubcert( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + ) { Ok(_) => (), Err(Error::Tss2Error(Tss2ResponseCode::FormatOne(FormatOneResponseCode(395)))) => (), Err(e) => panic!("Error was unexpected: {:?}", e), }; - match ek::retrieve_ek_pubcert(&mut context, AsymmetricAlgorithm::Ecc) { + match ek::retrieve_ek_pubcert( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + ) { Ok(_) => (), Err(Error::Tss2Error(Tss2ResponseCode::FormatOne(FormatOneResponseCode(395)))) => (), Err(e) => panic!("Error was unexpected: {:?}", e), @@ -32,6 +38,16 @@ fn test_retrieve_ek_pubcert() { fn test_create_ek() { let mut context = create_ctx_without_session(); - let _ = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); - let _ = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Ecc, None).unwrap(); + let _ = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); + let _ = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + None, + ) + .unwrap(); } diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs index f07310f8..b512e1ed 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs @@ -2,13 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 use std::convert::{TryFrom, TryInto}; use tss_esapi::{ - abstraction::ek, - abstraction::transient::{KeyParams, ObjectWrapper, TransientKeyContextBuilder}, + abstraction::{ + ek, + transient::{KeyParams, ObjectWrapper, TransientKeyContextBuilder}, + AsymmetricAlgorithmSelection, + }, constants::response_code::Tss2ResponseCodeKind, interface_types::{ - algorithm::{ - AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, RsaSchemeAlgorithm, - }, + algorithm::{EccSchemeAlgorithm, HashingAlgorithm, RsaSchemeAlgorithm}, ecc::EccCurve, key_bits::RsaKeyBits, resource_handles::Hierarchy, @@ -630,8 +631,11 @@ fn activate_credential() { let mut basic_ctx = crate::common::create_ctx_with_session(); // the public part of the EK is used, so we retrieve the parameters - let key_pub = - ek::create_ek_public_from_default_template(AsymmetricAlgorithm::Rsa, None).unwrap(); + let key_pub = ek::create_ek_public_from_default_template( + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let key_pub = if let Public::Rsa { object_attributes, name_hashing_algorithm, @@ -749,8 +753,11 @@ fn activate_credential_wrong_key() { let mut basic_ctx = crate::common::create_ctx_with_session(); // the public part of the EK is used, so we retrieve the parameters - let key_pub = - ek::create_ek_public_from_default_template(AsymmetricAlgorithm::Rsa, None).unwrap(); + let key_pub = ek::create_ek_public_from_default_template( + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let key_pub = if let Public::Rsa { object_attributes, name_hashing_algorithm, diff --git a/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs b/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs index eb23c331..d9420e33 100644 --- a/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs +++ b/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs @@ -92,3 +92,72 @@ fn test_signing_with_wrong_symmetric() { Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) )); } + +#[test] +fn test_signing_with_mismatched_scheme_nist() { + assert_eq!( + PublicEccParametersBuilder::new() + .with_restricted(false) + .with_is_decryption_key(false) + .with_is_signing_key(true) + .with_curve(EccCurve::NistP256) + .with_ecc_scheme( + EccScheme::create( + EccSchemeAlgorithm::Sm2, + Some(HashingAlgorithm::Sha256), + None + ) + .unwrap() + ) + .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) + .with_symmetric(SymmetricDefinitionObject::Null) + .build(), + Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) + ); +} + +#[test] +fn test_signing_with_mismatched_scheme_sm2() { + assert_eq!( + PublicEccParametersBuilder::new() + .with_restricted(false) + .with_is_decryption_key(false) + .with_is_signing_key(true) + .with_curve(EccCurve::Sm2P256) + .with_ecc_scheme( + EccScheme::create( + EccSchemeAlgorithm::EcDsa, + Some(HashingAlgorithm::Sha256), + None + ) + .unwrap() + ) + .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) + .with_symmetric(SymmetricDefinitionObject::Null) + .build(), + Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) + ); +} + +#[test] +fn test_signing_with_mismatched_scheme_bn() { + assert_eq!( + PublicEccParametersBuilder::new() + .with_restricted(false) + .with_is_decryption_key(false) + .with_is_signing_key(true) + .with_curve(EccCurve::BnP256) + .with_ecc_scheme( + EccScheme::create( + EccSchemeAlgorithm::EcDsa, + Some(HashingAlgorithm::Sha256), + None + ) + .unwrap() + ) + .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) + .with_symmetric(SymmetricDefinitionObject::Null) + .build(), + Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) + ); +}