Provide an optional auth value for an IdentityKey
Signed-off-by: David Mulder <[email protected]>
dmulder committed Mar 26, 2024
1 parent 13013de commit 1ec0303
Showing 3 changed files with 310 additions and 46 deletions.
59 changes: 48 additions & 11 deletions src/lib.rs
@@ -335,18 +335,34 @@ pub enum LoadableIdentityKey {
TpmEcdsa256V1 {
private: tpm::Private,
public: tpm::Public,
sk_private: Option<tpm::Private>,
sk_public: Option<tpm::Public>,
x509: Option<Vec<u8>>,
},
#[cfg(not(feature = "tpm"))]
TpmEcdsa256V1 { private: (), public: (), x509: () },
TpmEcdsa256V1 {
private: (),
public: (),
sk_private: Option<()>,
sk_public: Option<()>,
x509: (),
},
#[cfg(feature = "tpm")]
TpmRsa2048V1 {
private: tpm::Private,
public: tpm::Public,
sk_private: Option<tpm::Private>,
sk_public: Option<tpm::Public>,
x509: Option<Vec<u8>>,
},
#[cfg(not(feature = "tpm"))]
TpmRsa2048V1 { private: (), public: (), x509: () },
TpmRsa2048V1 {
private: (),
public: (),
sk_private: Option<()>,
sk_public: Option<()>,
x509: (),
},
}

pub enum IdentityKey {
@@ -500,12 +516,14 @@ pub trait Tpm {
fn identity_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
algorithm: KeyAlgorithm,
) -> Result<LoadableIdentityKey, TpmError>;

fn identity_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
) -> Result<IdentityKey, TpmError>;

@@ -523,13 +541,15 @@ pub trait Tpm {
fn identity_key_certificate_request(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
cn: &str,
) -> Result<Vec<u8>, TpmError>;

fn identity_key_associate_certificate(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
certificate_der: &[u8],
) -> Result<LoadableIdentityKey, TpmError>;
@@ -638,17 +658,19 @@ impl Tpm for BoxedDynTpm {
fn identity_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
algorithm: KeyAlgorithm,
) -> Result<LoadableIdentityKey, TpmError> {
self.0.identity_key_create(mk, algorithm)
self.0.identity_key_create(mk, auth_value, algorithm)
}

fn identity_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
) -> Result<IdentityKey, TpmError> {
self.0.identity_key_load(mk, loadable_key)
self.0.identity_key_load(mk, auth_value, loadable_key)
}

fn identity_key_id(&mut self, key: &IdentityKey) -> Result<Vec<u8>, TpmError> {
@@ -671,21 +693,23 @@ impl Tpm for BoxedDynTpm {
fn identity_key_certificate_request(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
cn: &str,
) -> Result<Vec<u8>, TpmError> {
self.0
.identity_key_certificate_request(mk, loadable_key, cn)
.identity_key_certificate_request(mk, auth_value, loadable_key, cn)
}

fn identity_key_associate_certificate(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
certificate_der: &[u8],
) -> Result<LoadableIdentityKey, TpmError> {
self.0
.identity_key_associate_certificate(mk, loadable_key, certificate_der)
.identity_key_associate_certificate(mk, auth_value, loadable_key, certificate_der)
}

fn identity_key_public_as_der(&mut self, key: &IdentityKey) -> Result<Vec<u8>, TpmError> {
@@ -885,15 +909,20 @@ mod tests {
.machine_key_load(&auth_value, &loadable_machine_key)
.expect("Unable to load machine key");

let id_key_auth_str = AuthValue::generate().expect("Failed to create hex pin");

let id_key_auth_value =
AuthValue::from_str(&id_key_auth_str).expect("Unable to create auth value");

// from that ctx, create an identity key
let loadable_id_key = $tpm
.identity_key_create(&machine_key, $alg)
.identity_key_create(&machine_key, Some(&id_key_auth_value), $alg)
.expect("Unable to create id key");

trace!(?loadable_id_key);

let id_key = $tpm
.identity_key_load(&machine_key, &loadable_id_key)
.identity_key_load(&machine_key, Some(&id_key_auth_value), &loadable_id_key)
.expect("Unable to load id key");

let id_key_public_pem = $tpm
@@ -965,17 +994,24 @@ mod tests {
.machine_key_load(&auth_value, &loadable_machine_key)
.expect("Unable to load machine key");

let id_key_auth_value = AuthValue::ephemeral().expect("Unable to create auth value");

// from that ctx, create an identity key
let loadable_id_key = $tpm
.identity_key_create(&machine_key, $alg)
.identity_key_create(&machine_key, Some(&id_key_auth_value), $alg)
.expect("Unable to create id key");

trace!(?loadable_id_key);

// Get the CSR

let csr_der = $tpm
.identity_key_certificate_request(&machine_key, &loadable_id_key, "common name")
.identity_key_certificate_request(
&machine_key,
Some(&id_key_auth_value),
&loadable_id_key,
"common name",
)
.expect("Failed to create csr");

// Now, we need to sign this to an x509 cert externally.
@@ -992,14 +1028,15 @@ mod tests {
let loadable_id_key = $tpm
.identity_key_associate_certificate(
&machine_key,
Some(&id_key_auth_value),
&loadable_id_key,
&signed_cert_der,
)
.unwrap();

// Now load it in:
let id_key = $tpm
.identity_key_load(&machine_key, &loadable_id_key)
.identity_key_load(&machine_key, Some(&id_key_auth_value), &loadable_id_key)
.expect("Unable to load id key");

let id_key_x509_pem = $tpm
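Review bot: The new `auth_value: Option<&AuthValue>` parameter on the four `identity_key_*` methods of `trait Tpm` carries no documentation, so neither implementers nor callers can tell from the trait what `None` means or whether a load with a different value than the one given at creation must fail. A doc comment on `identity_key_create` along the lines of `/// auth_value: optional per-key authorisation; when Some, the same value must be supplied on every later use of the key, and a backend that cannot enforce it must return an error instead of ignoring it` would pin the contract (wording to be adjusted to the intended semantics). The updated test macros only exercise the matching `Some(&id_key_auth_value)` path; a case asserting that `identity_key_load` with `None` or with a different `AuthValue` returns `Err` for a key created with one would cover the property this parameter exists for. The added `sk_private` and `sk_public` fields also change the shape of the `V1` variants of `LoadableIdentityKey`; if the enum is serialised (its derives are outside the hunk), previously stored keys need those fields to default to `None`.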
14 changes: 12 additions & 2 deletions src/soft.rs
@@ -147,8 +147,12 @@ impl Tpm for SoftTpm {
fn identity_key_create(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
algorithm: KeyAlgorithm,
) -> Result<LoadableIdentityKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}
match algorithm {
KeyAlgorithm::Ecdsa256 => {
let ecgroup =
@@ -224,8 +228,12 @@ impl Tpm for SoftTpm {
fn identity_key_load(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
) -> Result<IdentityKey, TpmError> {
if auth_value.is_some() {
return Err(TpmError::TpmOperationUnsupported);
}
match (mk, loadable_key) {
(
MachineKey::SoftAes256Gcm { key: mk_key },
@@ -457,10 +465,11 @@ impl Tpm for SoftTpm {
fn identity_key_certificate_request(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
cn: &str,
) -> Result<Vec<u8>, TpmError> {
let id_key = self.identity_key_load(mk, loadable_key)?;
let id_key = self.identity_key_load(mk, auth_value, loadable_key)?;

let mut req_builder = X509ReqBuilder::new().map_err(|ossl_err| {
error!(?ossl_err);
@@ -516,10 +525,11 @@ impl Tpm for SoftTpm {
fn identity_key_associate_certificate(
&mut self,
mk: &MachineKey,
auth_value: Option<&AuthValue>,
loadable_key: &LoadableIdentityKey,
certificate_der: &[u8],
) -> Result<LoadableIdentityKey, TpmError> {
let id_key = self.identity_key_load(mk, loadable_key)?;
let id_key = self.identity_key_load(mk, auth_value, loadable_key)?;

// Verify the certificate matches our key
let certificate = X509::from_der(certificate_der).map_err(|ossl_err| {
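Review bot: `SoftTpm::identity_key_create` and `SoftTpm::identity_key_load` now return `TpmError::TpmOperationUnsupported` whenever `auth_value` is `Some`, while the shared test macros in src/lib.rs were changed in this commit to always pass `Some(&id_key_auth_value)`; if the soft backend's tests instantiate those macros (not visible here), they would stop at `expect("Unable to create id key")`. Refusing the value rather than silently dropping it is the safe direction, because a caller is never led to believe a software key is auth-protected when it is not, but the guard should say so, e.g. `// Fail closed: this backend does not apply an auth value to identity keys, so refuse rather than ignore it.` `identity_key_certificate_request` and `identity_key_associate_certificate` get the same rejection only indirectly through their call to `identity_key_load`, which is worth a one-line comment there too. All four function bodies continue outside the hunks shown.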