From 1e8633fbdb3a300caf22db764b62806a41b4bb08 Mon Sep 17 00:00:00 2001 From: Thore Sommer Date: Sun, 11 Jun 2023 16:11:29 +0300 Subject: [PATCH] This adds support other keys than RSA2048 and ECC Nist P256. This takes the following PRs and from the main branch and adapts them so that they can be merged into the 7.x.y branch: \#464 (By Ionut Mihalcea ) \#414 (By Thore Sommer ) Co-authored-by: Jesper Brynolf Co-authored-by: Thore Sommer Co-authored-by: Ionut Mihalcea Signed-off-by: Jesper Brynolf --- tss-esapi/src/abstraction/ak.rs | 43 ++++---- tss-esapi/src/abstraction/ek.rs | 47 +++++---- tss-esapi/src/abstraction/mod.rs | 37 ++++++- .../abstraction/transient/key_attestation.rs | 28 ++++-- tss-esapi/src/interface_types/algorithm.rs | 3 +- tss-esapi/src/structures/tagged/public/ecc.rs | 30 +++++- .../abstraction_tests/ak_tests.rs | 98 ++++++++++++++++--- .../abstraction_tests/ek_tests.rs | 28 ++++-- .../transient_key_context_tests.rs | 25 +++-- .../public_ecc_parameters_tests.rs | 69 +++++++++++++ 10 files changed, 321 insertions(+), 87 deletions(-) diff --git a/tss-esapi/src/abstraction/ak.rs b/tss-esapi/src/abstraction/ak.rs index bf4febb1..8feeb73f 100644 --- a/tss-esapi/src/abstraction/ak.rs +++ b/tss-esapi/src/abstraction/ak.rs @@ -2,31 +2,30 @@ // SPDX-License-Identifier: Apache-2.0 use crate::{ - abstraction::{cipher::Cipher, IntoKeyCustomization, KeyCustomization}, + abstraction::{ + cipher::Cipher, AsymmetricAlgorithmSelection, IntoKeyCustomization, KeyCustomization, + }, attributes::{ObjectAttributesBuilder, SessionAttributesBuilder}, constants::{AlgorithmIdentifier, SessionType}, handles::{AuthHandle, KeyHandle, SessionHandle}, interface_types::{ algorithm::{ - AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, - RsaSchemeAlgorithm, SignatureSchemeAlgorithm, + EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm, + SignatureSchemeAlgorithm, }, - ecc::EccCurve, - key_bits::RsaKeyBits, session_handles::PolicySession, }, structures::{ - Auth, CreateKeyResult, EccScheme, KeyDerivationFunctionScheme, Private, Public, + Auth, CreateKeyResult, EccPoint, EccScheme, KeyDerivationFunctionScheme, Private, Public, PublicBuilder, PublicEccParametersBuilder, PublicKeyRsa, PublicRsaParametersBuilder, RsaExponent, RsaScheme, SymmetricDefinitionObject, }, Context, Error, Result, WrapperErrorKind, }; -use log::error; use std::convert::{TryFrom, TryInto}; fn create_ak_public( - key_alg: AsymmetricAlgorithm, + key_alg: AsymmetricAlgorithmSelection, hash_alg: HashingAlgorithm, sign_alg: SignatureSchemeAlgorithm, key_customization: IKC, @@ -50,7 +49,7 @@ fn create_ak_public( .build()?; let key_builder = match key_alg { - AsymmetricAlgorithm::Rsa => PublicBuilder::new() + AsymmetricAlgorithmSelection::Rsa(key_bits) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Rsa) .with_name_hashing_algorithm(hash_alg) .with_object_attributes(obj_attrs) @@ -60,7 +59,7 @@ fn create_ak_public( RsaSchemeAlgorithm::try_from(AlgorithmIdentifier::from(sign_alg))?, Some(hash_alg), )?) - .with_key_bits(RsaKeyBits::Rsa2048) + .with_key_bits(key_bits) .with_exponent(RsaExponent::default()) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -68,7 +67,7 @@ fn create_ak_public( .build()?, ) .with_rsa_unique_identifier(PublicKeyRsa::default()), - AsymmetricAlgorithm::Ecc => PublicBuilder::new() + AsymmetricAlgorithmSelection::Ecc(ecc_curve) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Ecc) .with_name_hashing_algorithm(hash_alg) .with_object_attributes(obj_attrs) @@ -78,16 +77,17 @@ fn create_ak_public( .with_ecc_scheme(EccScheme::create( EccSchemeAlgorithm::try_from(AlgorithmIdentifier::from(sign_alg))?, Some(hash_alg), - Some(0), + if sign_alg == SignatureSchemeAlgorithm::EcDaa { + Some(0) + } else { + None + }, )?) - .with_curve(EccCurve::NistP192) + .with_curve(ecc_curve) .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) .build()?, - ), - AsymmetricAlgorithm::Null => { - // TODO: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); - } + ) + .with_ecc_unique_identifier(EccPoint::default()), }; let key_builder = if let Some(ref k) = key_customization { @@ -160,16 +160,11 @@ pub fn create_ak( context: &mut Context, parent: KeyHandle, hash_alg: HashingAlgorithm, + key_alg: AsymmetricAlgorithmSelection, sign_alg: SignatureSchemeAlgorithm, ak_auth_value: Option, key_customization: IKC, ) -> Result { - let key_alg = AsymmetricAlgorithm::try_from(sign_alg).map_err(|e| { - // sign_alg is either HMAC or Null. - error!("Could not retrieve asymmetric algorithm for provided signature scheme"); - e - })?; - let ak_pub = create_ak_public(key_alg, hash_alg, sign_alg, key_customization)?; let policy_auth_session = context diff --git a/tss-esapi/src/abstraction/ek.rs b/tss-esapi/src/abstraction/ek.rs index 9d856e50..caecf14c 100644 --- a/tss-esapi/src/abstraction/ek.rs +++ b/tss-esapi/src/abstraction/ek.rs @@ -2,11 +2,11 @@ // SPDX-License-Identifier: Apache-2.0 use crate::{ - abstraction::{nv, IntoKeyCustomization, KeyCustomization}, + abstraction::{nv, AsymmetricAlgorithmSelection, IntoKeyCustomization, KeyCustomization}, attributes::ObjectAttributesBuilder, handles::{KeyHandle, NvIndexTpmHandle, TpmHandle}, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm}, + algorithm::{HashingAlgorithm, PublicAlgorithm}, ecc::EccCurve, key_bits::RsaKeyBits, resource_handles::{Hierarchy, NvAuth}, @@ -24,12 +24,20 @@ use std::convert::TryFrom; const RSA_2048_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00002; const ECC_P256_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0000a; +// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2 +// Section 2.2.1.5 (High Range) +const ECC_P384_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00016; +const ECC_P521_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00018; +const ECC_P256_SM2_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001a; +const RSA_3072_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001c; +const RSA_4096_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001e; + /// Get the [`Public`] representing a default Endorsement Key /// /// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2 /// Appendix B.3.3 and B.3.4 pub fn create_ek_public_from_default_template( - alg: AsymmetricAlgorithm, + alg: AsymmetricAlgorithmSelection, key_customization: IKC, ) -> Result { let key_customization = key_customization.into_key_customization(); @@ -65,7 +73,7 @@ pub fn create_ek_public_from_default_template( ]; let key_builder = match alg { - AsymmetricAlgorithm::Rsa => PublicBuilder::new() + AsymmetricAlgorithmSelection::Rsa(key_bits) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Rsa) .with_name_hashing_algorithm(HashingAlgorithm::Sha256) .with_object_attributes(obj_attrs) @@ -74,7 +82,7 @@ pub fn create_ek_public_from_default_template( PublicRsaParametersBuilder::new() .with_symmetric(SymmetricDefinitionObject::AES_128_CFB) .with_scheme(RsaScheme::Null) - .with_key_bits(RsaKeyBits::Rsa2048) + .with_key_bits(key_bits) .with_exponent(RsaExponent::default()) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -82,7 +90,7 @@ pub fn create_ek_public_from_default_template( .build()?, ) .with_rsa_unique_identifier(PublicKeyRsa::new_empty_with_size(RsaKeyBits::Rsa2048)), - AsymmetricAlgorithm::Ecc => PublicBuilder::new() + AsymmetricAlgorithmSelection::Ecc(ecc_curve) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Ecc) .with_name_hashing_algorithm(HashingAlgorithm::Sha256) .with_object_attributes(obj_attrs) @@ -91,7 +99,7 @@ pub fn create_ek_public_from_default_template( PublicEccParametersBuilder::new() .with_symmetric(SymmetricDefinitionObject::AES_128_CFB) .with_ecc_scheme(EccScheme::Null) - .with_curve(EccCurve::NistP256) + .with_curve(ecc_curve) .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -102,10 +110,6 @@ pub fn create_ek_public_from_default_template( EccParameter::try_from(vec![0u8; 32])?, EccParameter::try_from(vec![0u8; 32])?, )), - AsymmetricAlgorithm::Null => { - // TDOD: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); - } }; let key_builder = if let Some(ref k) = key_customization { @@ -119,7 +123,7 @@ pub fn create_ek_public_from_default_template( /// Create the Endorsement Key object from the specification templates pub fn create_ek_object( context: &mut Context, - alg: AsymmetricAlgorithm, + alg: AsymmetricAlgorithmSelection, key_customization: IKC, ) -> Result { let ek_public = create_ek_public_from_default_template(alg, key_customization)?; @@ -132,14 +136,21 @@ pub fn create_ek_object( } /// Retrieve the Endorsement Key public certificate from the TPM -pub fn retrieve_ek_pubcert(context: &mut Context, alg: AsymmetricAlgorithm) -> Result> { +pub fn retrieve_ek_pubcert( + context: &mut Context, + alg: AsymmetricAlgorithmSelection, +) -> Result> { let nv_idx = match alg { - AsymmetricAlgorithm::Rsa => RSA_2048_EK_CERTIFICATE_NV_INDEX, - AsymmetricAlgorithm::Ecc => ECC_P256_EK_CERTIFICATE_NV_INDEX, - AsymmetricAlgorithm::Null => { - // TDOD: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048) => RSA_2048_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa3072) => RSA_3072_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa4096) => RSA_4096_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256) => ECC_P256_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384) => ECC_P384_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP521) => ECC_P521_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::Sm2P256) => { + ECC_P256_SM2_EK_CERTIFICATE_NV_INDEX } + _ => return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)), }; let nv_idx = NvIndexTpmHandle::new(nv_idx).unwrap(); diff --git a/tss-esapi/src/abstraction/mod.rs b/tss-esapi/src/abstraction/mod.rs index 1c7d8d68..45aa473e 100644 --- a/tss-esapi/src/abstraction/mod.rs +++ b/tss-esapi/src/abstraction/mod.rs @@ -9,9 +9,16 @@ pub mod pcr; pub mod public; pub mod transient; -use crate::{attributes::ObjectAttributesBuilder, structures::PublicBuilder}; +use std::convert::TryFrom; -/// KeyCustomizaion allows to adjust how a key is going to be created +use crate::{ + attributes::ObjectAttributesBuilder, + interface_types::{algorithm::AsymmetricAlgorithm, ecc::EccCurve, key_bits::RsaKeyBits}, + structures::PublicBuilder, + Error, WrapperErrorKind, +}; + +/// KeyCustomization allows to adjust how a key is going to be created pub trait KeyCustomization { /// Alter the attributes used on key creation fn attributes(&self, attributes_builder: ObjectAttributesBuilder) -> ObjectAttributesBuilder { @@ -60,3 +67,29 @@ impl IntoKeyCustomization for Option { None } } + +/// Enum representing the asymmetric algorithm interface type with specific properties. +/// +/// # Details +/// Use this instead of [AsymmetricAlgorithm]. +#[derive(Copy, Clone, Debug, PartialEq, Eq)] +pub enum AsymmetricAlgorithmSelection { + Rsa(RsaKeyBits), + Ecc(EccCurve), +} + +/// The conversion assumes for RSA 2048 bit size and for ECC the Nist P256 curve, +/// which matches the defaults in tpm2-tools. +impl TryFrom for AsymmetricAlgorithmSelection { + type Error = Error; + + fn try_from(value: AsymmetricAlgorithm) -> Result { + match value { + AsymmetricAlgorithm::Rsa => Ok(AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048)), + AsymmetricAlgorithm::Ecc => Ok(AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256)), + AsymmetricAlgorithm::Null => { + Err(Error::local_error(WrapperErrorKind::UnsupportedParam)) + } + } + } +} diff --git a/tss-esapi/src/abstraction/transient/key_attestation.rs b/tss-esapi/src/abstraction/transient/key_attestation.rs index 82a1bd48..48a075f4 100644 --- a/tss-esapi/src/abstraction/transient/key_attestation.rs +++ b/tss-esapi/src/abstraction/transient/key_attestation.rs @@ -2,11 +2,12 @@ // SPDX-License-Identifier: Apache-2.0 use super::{ObjectWrapper, TransientKeyContext}; use crate::{ - abstraction::ek, + abstraction::{ek, AsymmetricAlgorithmSelection}, constants::SessionType, handles::{AuthHandle, KeyHandle, SessionHandle}, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm}, + algorithm::HashingAlgorithm, + key_bits::RsaKeyBits, session_handles::{AuthSession, PolicySession}, }, structures::{EncryptedSecret, IdObject, SymmetricDefinition}, @@ -151,13 +152,16 @@ impl TransientKeyContext { None, ); Ok(( - ek::create_ek_object(&mut self.context, AsymmetricAlgorithm::Rsa, None).or_else( - |e| { - self.context - .flush_context(SessionHandle::from(session).into())?; - Err(e) - }, - )?, + ek::create_ek_object( + &mut self.context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .or_else(|e| { + self.context + .flush_context(SessionHandle::from(session).into())?; + Err(e) + })?, session, )) } @@ -188,7 +192,11 @@ impl TransientKeyContext { } fn get_ek_object_public(context: &mut crate::Context) -> Result { - let key_handle = ek::create_ek_object(context, AsymmetricAlgorithm::Rsa, None)?; + let key_handle = ek::create_ek_object( + context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + )?; let (attesting_key_pub, _, _) = context.read_public(key_handle).or_else(|e| { context.flush_context(key_handle.into())?; Err(e) diff --git a/tss-esapi/src/interface_types/algorithm.rs b/tss-esapi/src/interface_types/algorithm.rs index 590c66eb..b97b308c 100644 --- a/tss-esapi/src/interface_types/algorithm.rs +++ b/tss-esapi/src/interface_types/algorithm.rs @@ -292,7 +292,8 @@ impl TryFrom for SymmetricMode { /// Enum representing the asymmetric algorithm interface type. /// /// # Details -/// This corresponds to TPMI_ALG_ASYM +/// Use [crate::abstraction::AsymmetricAlgorithmSelection] instead where possible. +/// This corresponds to TPMI_ALG_ASYM. #[derive(Copy, Clone, Debug, PartialEq, Eq, Hash)] pub enum AsymmetricAlgorithm { Rsa, diff --git a/tss-esapi/src/structures/tagged/public/ecc.rs b/tss-esapi/src/structures/tagged/public/ecc.rs index e71cb317..ec3ff916 100644 --- a/tss-esapi/src/structures/tagged/public/ecc.rs +++ b/tss-esapi/src/structures/tagged/public/ecc.rs @@ -194,11 +194,31 @@ impl PublicEccParametersBuilder { return Err(Error::local_error(WrapperErrorKind::InconsistentParams)); } - if (ecc_curve == EccCurve::BnP256 || ecc_curve == EccCurve::BnP638) - && ecc_scheme.algorithm() != EccSchemeAlgorithm::EcDaa - { - error!("Bn curve should use only EcDaa scheme"); - return Err(Error::local_error(WrapperErrorKind::InconsistentParams)); + match (ecc_curve, ecc_scheme.algorithm()) { + (EccCurve::BnP256 | EccCurve::BnP638, EccSchemeAlgorithm::EcDaa) + | (EccCurve::Sm2P256, EccSchemeAlgorithm::Sm2) + | ( + EccCurve::NistP192 + | EccCurve::NistP224 + | EccCurve::NistP256 + | EccCurve::NistP384 + | EccCurve::NistP521, + EccSchemeAlgorithm::EcDh + | EccSchemeAlgorithm::EcDaa + | EccSchemeAlgorithm::EcDsa + | EccSchemeAlgorithm::EcMqv + | EccSchemeAlgorithm::EcSchnorr, + ) + | (_, EccSchemeAlgorithm::Null) => (), + + _ => { + error!( + "Mismatch between elliptic curve ({:#?}) and signing scheme ({:#?}) used", + ecc_curve, + ecc_scheme.algorithm() + ); + return Err(Error::local_error(WrapperErrorKind::InconsistentParams)); + } } Ok(PublicEccParameters { diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs index ad2a1691..f4fff700 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs @@ -4,15 +4,18 @@ use std::convert::{TryFrom, TryInto}; use tss_esapi::{ - abstraction::{ak, ek, KeyCustomization}, + abstraction::{ak, ek, AsymmetricAlgorithmSelection, KeyCustomization}, attributes::{ObjectAttributesBuilder, SessionAttributesBuilder}, constants::SessionType, handles::AuthHandle, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm}, + algorithm::{HashingAlgorithm, SignatureSchemeAlgorithm}, + ecc::EccCurve, + key_bits::RsaKeyBits, session_handles::PolicySession, }, structures::{Auth, Digest, PublicBuilder, SymmetricDefinition}, + Error, WrapperErrorKind, }; use crate::common::create_ctx_without_session; @@ -21,11 +24,17 @@ use crate::common::create_ctx_without_session; fn test_create_ak_rsa_rsa() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, None, None, @@ -37,32 +46,90 @@ fn test_create_ak_rsa_rsa() { fn test_create_ak_rsa_ecc() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); - if ak::create_ak( + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); + + if let Err(actual_error) = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), SignatureSchemeAlgorithm::Sm2, None, None, - ) - .is_ok() - { - // We can't use unwrap_err because that requires Debug on the T - panic!("Should have errored"); + ) { + let expected_error = Error::WrapperError(WrapperErrorKind::InconsistentParams); + assert_eq!(expected_error, actual_error); + } else { + // We can't use unwrap_err because that requires Debug on the T(=CreateKeyResult). + panic!("Should not be possible to create an AK with a parent that have an unsupported or incompatible scheme."); } } +#[test] +fn test_create_ak_ecc_ecc() { + let mut context = create_ctx_without_session(); + + let ek_ecc = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384), + None, + ) + .unwrap(); + ak::create_ak( + &mut context, + ek_ecc, + HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + SignatureSchemeAlgorithm::EcDsa, + None, + None, + ) + .unwrap(); +} + +#[test] +fn test_create_ak_ecdaa() { + let mut context = create_ctx_without_session(); + + let ek_ecc = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384), + None, + ) + .unwrap(); + ak::create_ak( + &mut context, + ek_ecc, + HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Ecc(EccCurve::BnP256), + SignatureSchemeAlgorithm::EcDaa, + None, + None, + ) + .unwrap(); +} + #[test] fn test_create_and_use_ak() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let ak_auth = Auth::try_from(vec![0x1, 0x2, 0x42]).unwrap(); let att_key = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth.clone()), None, @@ -158,13 +225,19 @@ fn test_create_custom_ak() { } let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let ak_auth = Auth::try_from(vec![0x1, 0x2, 0x42]).unwrap(); // Without customization, no st clear let att_key_without = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth.clone()), None, @@ -181,6 +254,7 @@ fn test_create_custom_ak() { &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth), &CustomizeKey, diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs index fd9de753..e87b45a7 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs @@ -2,9 +2,9 @@ // SPDX-License-Identifier: Apache-2.0 use tss_esapi::{ - abstraction::ek, + abstraction::{ek, AsymmetricAlgorithmSelection}, constants::response_code::{FormatOneResponseCode, Tss2ResponseCode}, - interface_types::algorithm::AsymmetricAlgorithm, + interface_types::{ecc::EccCurve, key_bits::RsaKeyBits}, Error, }; @@ -16,12 +16,18 @@ fn test_retrieve_ek_pubcert() { // The error 395 is for "handle could not be found" - this makes it that if the NV Index // did not exist (the test is run on a TPM without an endorsement cert), it still passes. - match ek::retrieve_ek_pubcert(&mut context, AsymmetricAlgorithm::Rsa) { + match ek::retrieve_ek_pubcert( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + ) { Ok(_) => (), Err(Error::Tss2Error(Tss2ResponseCode::FormatOne(FormatOneResponseCode(395)))) => (), Err(e) => panic!("Error was unexpected: {:?}", e), }; - match ek::retrieve_ek_pubcert(&mut context, AsymmetricAlgorithm::Ecc) { + match ek::retrieve_ek_pubcert( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + ) { Ok(_) => (), Err(Error::Tss2Error(Tss2ResponseCode::FormatOne(FormatOneResponseCode(395)))) => (), Err(e) => panic!("Error was unexpected: {:?}", e), @@ -32,6 +38,16 @@ fn test_retrieve_ek_pubcert() { fn test_create_ek() { let mut context = create_ctx_without_session(); - let _ = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); - let _ = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Ecc, None).unwrap(); + let _ = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); + let _ = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + None, + ) + .unwrap(); } diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs index f07310f8..b512e1ed 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs @@ -2,13 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 use std::convert::{TryFrom, TryInto}; use tss_esapi::{ - abstraction::ek, - abstraction::transient::{KeyParams, ObjectWrapper, TransientKeyContextBuilder}, + abstraction::{ + ek, + transient::{KeyParams, ObjectWrapper, TransientKeyContextBuilder}, + AsymmetricAlgorithmSelection, + }, constants::response_code::Tss2ResponseCodeKind, interface_types::{ - algorithm::{ - AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, RsaSchemeAlgorithm, - }, + algorithm::{EccSchemeAlgorithm, HashingAlgorithm, RsaSchemeAlgorithm}, ecc::EccCurve, key_bits::RsaKeyBits, resource_handles::Hierarchy, @@ -630,8 +631,11 @@ fn activate_credential() { let mut basic_ctx = crate::common::create_ctx_with_session(); // the public part of the EK is used, so we retrieve the parameters - let key_pub = - ek::create_ek_public_from_default_template(AsymmetricAlgorithm::Rsa, None).unwrap(); + let key_pub = ek::create_ek_public_from_default_template( + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let key_pub = if let Public::Rsa { object_attributes, name_hashing_algorithm, @@ -749,8 +753,11 @@ fn activate_credential_wrong_key() { let mut basic_ctx = crate::common::create_ctx_with_session(); // the public part of the EK is used, so we retrieve the parameters - let key_pub = - ek::create_ek_public_from_default_template(AsymmetricAlgorithm::Rsa, None).unwrap(); + let key_pub = ek::create_ek_public_from_default_template( + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let key_pub = if let Public::Rsa { object_attributes, name_hashing_algorithm, diff --git a/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs b/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs index eb23c331..d9420e33 100644 --- a/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs +++ b/tss-esapi/tests/integration_tests/structures_tests/tagged_tests/public_ecc_parameters_tests.rs @@ -92,3 +92,72 @@ fn test_signing_with_wrong_symmetric() { Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) )); } + +#[test] +fn test_signing_with_mismatched_scheme_nist() { + assert_eq!( + PublicEccParametersBuilder::new() + .with_restricted(false) + .with_is_decryption_key(false) + .with_is_signing_key(true) + .with_curve(EccCurve::NistP256) + .with_ecc_scheme( + EccScheme::create( + EccSchemeAlgorithm::Sm2, + Some(HashingAlgorithm::Sha256), + None + ) + .unwrap() + ) + .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) + .with_symmetric(SymmetricDefinitionObject::Null) + .build(), + Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) + ); +} + +#[test] +fn test_signing_with_mismatched_scheme_sm2() { + assert_eq!( + PublicEccParametersBuilder::new() + .with_restricted(false) + .with_is_decryption_key(false) + .with_is_signing_key(true) + .with_curve(EccCurve::Sm2P256) + .with_ecc_scheme( + EccScheme::create( + EccSchemeAlgorithm::EcDsa, + Some(HashingAlgorithm::Sha256), + None + ) + .unwrap() + ) + .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) + .with_symmetric(SymmetricDefinitionObject::Null) + .build(), + Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) + ); +} + +#[test] +fn test_signing_with_mismatched_scheme_bn() { + assert_eq!( + PublicEccParametersBuilder::new() + .with_restricted(false) + .with_is_decryption_key(false) + .with_is_signing_key(true) + .with_curve(EccCurve::BnP256) + .with_ecc_scheme( + EccScheme::create( + EccSchemeAlgorithm::EcDsa, + Some(HashingAlgorithm::Sha256), + None + ) + .unwrap() + ) + .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) + .with_symmetric(SymmetricDefinitionObject::Null) + .build(), + Err(Error::WrapperError(WrapperErrorKind::InconsistentParams)) + ); +}