From 0984f345880258373884f0c89c21552bd35cc48a Mon Sep 17 00:00:00 2001 From: Thore Sommer Date: Sun, 11 Jun 2023 16:11:29 +0300 Subject: [PATCH] ek, ak abstractions: allow to specficy exact key type This adds support other keys than RSA2048 and ECC Nist P256. The difference between this commit and the original is that it has been adopted to be compatible with the 7.x.y branch(Jesper Brynolf). Co-authored-by: Jesper Brynolf Signed-off-by: Thore Sommer --- tss-esapi/src/abstraction/ak.rs | 43 ++++++------ tss-esapi/src/abstraction/ek.rs | 47 ++++++++----- tss-esapi/src/abstraction/mod.rs | 37 +++++++++- .../abstraction/transient/key_attestation.rs | 28 +++++--- tss-esapi/src/interface_types/algorithm.rs | 3 +- .../abstraction_tests/ak_tests.rs | 67 +++++++++++++++---- .../abstraction_tests/ek_tests.rs | 28 ++++++-- .../transient_key_context_tests.rs | 25 ++++--- 8 files changed, 195 insertions(+), 83 deletions(-) diff --git a/tss-esapi/src/abstraction/ak.rs b/tss-esapi/src/abstraction/ak.rs index bf4febb1..8feeb73f 100644 --- a/tss-esapi/src/abstraction/ak.rs +++ b/tss-esapi/src/abstraction/ak.rs @@ -2,31 +2,30 @@ // SPDX-License-Identifier: Apache-2.0 use crate::{ - abstraction::{cipher::Cipher, IntoKeyCustomization, KeyCustomization}, + abstraction::{ + cipher::Cipher, AsymmetricAlgorithmSelection, IntoKeyCustomization, KeyCustomization, + }, attributes::{ObjectAttributesBuilder, SessionAttributesBuilder}, constants::{AlgorithmIdentifier, SessionType}, handles::{AuthHandle, KeyHandle, SessionHandle}, interface_types::{ algorithm::{ - AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, - RsaSchemeAlgorithm, SignatureSchemeAlgorithm, + EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm, + SignatureSchemeAlgorithm, }, - ecc::EccCurve, - key_bits::RsaKeyBits, session_handles::PolicySession, }, structures::{ - Auth, CreateKeyResult, EccScheme, KeyDerivationFunctionScheme, Private, Public, + Auth, CreateKeyResult, EccPoint, EccScheme, KeyDerivationFunctionScheme, Private, Public, PublicBuilder, PublicEccParametersBuilder, PublicKeyRsa, PublicRsaParametersBuilder, RsaExponent, RsaScheme, SymmetricDefinitionObject, }, Context, Error, Result, WrapperErrorKind, }; -use log::error; use std::convert::{TryFrom, TryInto}; fn create_ak_public( - key_alg: AsymmetricAlgorithm, + key_alg: AsymmetricAlgorithmSelection, hash_alg: HashingAlgorithm, sign_alg: SignatureSchemeAlgorithm, key_customization: IKC, @@ -50,7 +49,7 @@ fn create_ak_public( .build()?; let key_builder = match key_alg { - AsymmetricAlgorithm::Rsa => PublicBuilder::new() + AsymmetricAlgorithmSelection::Rsa(key_bits) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Rsa) .with_name_hashing_algorithm(hash_alg) .with_object_attributes(obj_attrs) @@ -60,7 +59,7 @@ fn create_ak_public( RsaSchemeAlgorithm::try_from(AlgorithmIdentifier::from(sign_alg))?, Some(hash_alg), )?) - .with_key_bits(RsaKeyBits::Rsa2048) + .with_key_bits(key_bits) .with_exponent(RsaExponent::default()) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -68,7 +67,7 @@ fn create_ak_public( .build()?, ) .with_rsa_unique_identifier(PublicKeyRsa::default()), - AsymmetricAlgorithm::Ecc => PublicBuilder::new() + AsymmetricAlgorithmSelection::Ecc(ecc_curve) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Ecc) .with_name_hashing_algorithm(hash_alg) .with_object_attributes(obj_attrs) @@ -78,16 +77,17 @@ fn create_ak_public( .with_ecc_scheme(EccScheme::create( EccSchemeAlgorithm::try_from(AlgorithmIdentifier::from(sign_alg))?, Some(hash_alg), - Some(0), + if sign_alg == SignatureSchemeAlgorithm::EcDaa { + Some(0) + } else { + None + }, )?) - .with_curve(EccCurve::NistP192) + .with_curve(ecc_curve) .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) .build()?, - ), - AsymmetricAlgorithm::Null => { - // TODO: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); - } + ) + .with_ecc_unique_identifier(EccPoint::default()), }; let key_builder = if let Some(ref k) = key_customization { @@ -160,16 +160,11 @@ pub fn create_ak( context: &mut Context, parent: KeyHandle, hash_alg: HashingAlgorithm, + key_alg: AsymmetricAlgorithmSelection, sign_alg: SignatureSchemeAlgorithm, ak_auth_value: Option, key_customization: IKC, ) -> Result { - let key_alg = AsymmetricAlgorithm::try_from(sign_alg).map_err(|e| { - // sign_alg is either HMAC or Null. - error!("Could not retrieve asymmetric algorithm for provided signature scheme"); - e - })?; - let ak_pub = create_ak_public(key_alg, hash_alg, sign_alg, key_customization)?; let policy_auth_session = context diff --git a/tss-esapi/src/abstraction/ek.rs b/tss-esapi/src/abstraction/ek.rs index 9d856e50..caecf14c 100644 --- a/tss-esapi/src/abstraction/ek.rs +++ b/tss-esapi/src/abstraction/ek.rs @@ -2,11 +2,11 @@ // SPDX-License-Identifier: Apache-2.0 use crate::{ - abstraction::{nv, IntoKeyCustomization, KeyCustomization}, + abstraction::{nv, AsymmetricAlgorithmSelection, IntoKeyCustomization, KeyCustomization}, attributes::ObjectAttributesBuilder, handles::{KeyHandle, NvIndexTpmHandle, TpmHandle}, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm}, + algorithm::{HashingAlgorithm, PublicAlgorithm}, ecc::EccCurve, key_bits::RsaKeyBits, resource_handles::{Hierarchy, NvAuth}, @@ -24,12 +24,20 @@ use std::convert::TryFrom; const RSA_2048_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00002; const ECC_P256_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0000a; +// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2 +// Section 2.2.1.5 (High Range) +const ECC_P384_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00016; +const ECC_P521_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c00018; +const ECC_P256_SM2_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001a; +const RSA_3072_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001c; +const RSA_4096_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001e; + /// Get the [`Public`] representing a default Endorsement Key /// /// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2 /// Appendix B.3.3 and B.3.4 pub fn create_ek_public_from_default_template( - alg: AsymmetricAlgorithm, + alg: AsymmetricAlgorithmSelection, key_customization: IKC, ) -> Result { let key_customization = key_customization.into_key_customization(); @@ -65,7 +73,7 @@ pub fn create_ek_public_from_default_template( ]; let key_builder = match alg { - AsymmetricAlgorithm::Rsa => PublicBuilder::new() + AsymmetricAlgorithmSelection::Rsa(key_bits) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Rsa) .with_name_hashing_algorithm(HashingAlgorithm::Sha256) .with_object_attributes(obj_attrs) @@ -74,7 +82,7 @@ pub fn create_ek_public_from_default_template( PublicRsaParametersBuilder::new() .with_symmetric(SymmetricDefinitionObject::AES_128_CFB) .with_scheme(RsaScheme::Null) - .with_key_bits(RsaKeyBits::Rsa2048) + .with_key_bits(key_bits) .with_exponent(RsaExponent::default()) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -82,7 +90,7 @@ pub fn create_ek_public_from_default_template( .build()?, ) .with_rsa_unique_identifier(PublicKeyRsa::new_empty_with_size(RsaKeyBits::Rsa2048)), - AsymmetricAlgorithm::Ecc => PublicBuilder::new() + AsymmetricAlgorithmSelection::Ecc(ecc_curve) => PublicBuilder::new() .with_public_algorithm(PublicAlgorithm::Ecc) .with_name_hashing_algorithm(HashingAlgorithm::Sha256) .with_object_attributes(obj_attrs) @@ -91,7 +99,7 @@ pub fn create_ek_public_from_default_template( PublicEccParametersBuilder::new() .with_symmetric(SymmetricDefinitionObject::AES_128_CFB) .with_ecc_scheme(EccScheme::Null) - .with_curve(EccCurve::NistP256) + .with_curve(ecc_curve) .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null) .with_is_signing_key(obj_attrs.sign_encrypt()) .with_is_decryption_key(obj_attrs.decrypt()) @@ -102,10 +110,6 @@ pub fn create_ek_public_from_default_template( EccParameter::try_from(vec![0u8; 32])?, EccParameter::try_from(vec![0u8; 32])?, )), - AsymmetricAlgorithm::Null => { - // TDOD: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); - } }; let key_builder = if let Some(ref k) = key_customization { @@ -119,7 +123,7 @@ pub fn create_ek_public_from_default_template( /// Create the Endorsement Key object from the specification templates pub fn create_ek_object( context: &mut Context, - alg: AsymmetricAlgorithm, + alg: AsymmetricAlgorithmSelection, key_customization: IKC, ) -> Result { let ek_public = create_ek_public_from_default_template(alg, key_customization)?; @@ -132,14 +136,21 @@ pub fn create_ek_object( } /// Retrieve the Endorsement Key public certificate from the TPM -pub fn retrieve_ek_pubcert(context: &mut Context, alg: AsymmetricAlgorithm) -> Result> { +pub fn retrieve_ek_pubcert( + context: &mut Context, + alg: AsymmetricAlgorithmSelection, +) -> Result> { let nv_idx = match alg { - AsymmetricAlgorithm::Rsa => RSA_2048_EK_CERTIFICATE_NV_INDEX, - AsymmetricAlgorithm::Ecc => ECC_P256_EK_CERTIFICATE_NV_INDEX, - AsymmetricAlgorithm::Null => { - // TDOD: Figure out what to with Null. - return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)); + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048) => RSA_2048_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa3072) => RSA_3072_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa4096) => RSA_4096_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256) => ECC_P256_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384) => ECC_P384_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP521) => ECC_P521_EK_CERTIFICATE_NV_INDEX, + AsymmetricAlgorithmSelection::Ecc(EccCurve::Sm2P256) => { + ECC_P256_SM2_EK_CERTIFICATE_NV_INDEX } + _ => return Err(Error::local_error(WrapperErrorKind::UnsupportedParam)), }; let nv_idx = NvIndexTpmHandle::new(nv_idx).unwrap(); diff --git a/tss-esapi/src/abstraction/mod.rs b/tss-esapi/src/abstraction/mod.rs index 1c7d8d68..45aa473e 100644 --- a/tss-esapi/src/abstraction/mod.rs +++ b/tss-esapi/src/abstraction/mod.rs @@ -9,9 +9,16 @@ pub mod pcr; pub mod public; pub mod transient; -use crate::{attributes::ObjectAttributesBuilder, structures::PublicBuilder}; +use std::convert::TryFrom; -/// KeyCustomizaion allows to adjust how a key is going to be created +use crate::{ + attributes::ObjectAttributesBuilder, + interface_types::{algorithm::AsymmetricAlgorithm, ecc::EccCurve, key_bits::RsaKeyBits}, + structures::PublicBuilder, + Error, WrapperErrorKind, +}; + +/// KeyCustomization allows to adjust how a key is going to be created pub trait KeyCustomization { /// Alter the attributes used on key creation fn attributes(&self, attributes_builder: ObjectAttributesBuilder) -> ObjectAttributesBuilder { @@ -60,3 +67,29 @@ impl IntoKeyCustomization for Option { None } } + +/// Enum representing the asymmetric algorithm interface type with specific properties. +/// +/// # Details +/// Use this instead of [AsymmetricAlgorithm]. +#[derive(Copy, Clone, Debug, PartialEq, Eq)] +pub enum AsymmetricAlgorithmSelection { + Rsa(RsaKeyBits), + Ecc(EccCurve), +} + +/// The conversion assumes for RSA 2048 bit size and for ECC the Nist P256 curve, +/// which matches the defaults in tpm2-tools. +impl TryFrom for AsymmetricAlgorithmSelection { + type Error = Error; + + fn try_from(value: AsymmetricAlgorithm) -> Result { + match value { + AsymmetricAlgorithm::Rsa => Ok(AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048)), + AsymmetricAlgorithm::Ecc => Ok(AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256)), + AsymmetricAlgorithm::Null => { + Err(Error::local_error(WrapperErrorKind::UnsupportedParam)) + } + } + } +} diff --git a/tss-esapi/src/abstraction/transient/key_attestation.rs b/tss-esapi/src/abstraction/transient/key_attestation.rs index 82a1bd48..48a075f4 100644 --- a/tss-esapi/src/abstraction/transient/key_attestation.rs +++ b/tss-esapi/src/abstraction/transient/key_attestation.rs @@ -2,11 +2,12 @@ // SPDX-License-Identifier: Apache-2.0 use super::{ObjectWrapper, TransientKeyContext}; use crate::{ - abstraction::ek, + abstraction::{ek, AsymmetricAlgorithmSelection}, constants::SessionType, handles::{AuthHandle, KeyHandle, SessionHandle}, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm}, + algorithm::HashingAlgorithm, + key_bits::RsaKeyBits, session_handles::{AuthSession, PolicySession}, }, structures::{EncryptedSecret, IdObject, SymmetricDefinition}, @@ -151,13 +152,16 @@ impl TransientKeyContext { None, ); Ok(( - ek::create_ek_object(&mut self.context, AsymmetricAlgorithm::Rsa, None).or_else( - |e| { - self.context - .flush_context(SessionHandle::from(session).into())?; - Err(e) - }, - )?, + ek::create_ek_object( + &mut self.context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .or_else(|e| { + self.context + .flush_context(SessionHandle::from(session).into())?; + Err(e) + })?, session, )) } @@ -188,7 +192,11 @@ impl TransientKeyContext { } fn get_ek_object_public(context: &mut crate::Context) -> Result { - let key_handle = ek::create_ek_object(context, AsymmetricAlgorithm::Rsa, None)?; + let key_handle = ek::create_ek_object( + context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + )?; let (attesting_key_pub, _, _) = context.read_public(key_handle).or_else(|e| { context.flush_context(key_handle.into())?; Err(e) diff --git a/tss-esapi/src/interface_types/algorithm.rs b/tss-esapi/src/interface_types/algorithm.rs index 590c66eb..b97b308c 100644 --- a/tss-esapi/src/interface_types/algorithm.rs +++ b/tss-esapi/src/interface_types/algorithm.rs @@ -292,7 +292,8 @@ impl TryFrom for SymmetricMode { /// Enum representing the asymmetric algorithm interface type. /// /// # Details -/// This corresponds to TPMI_ALG_ASYM +/// Use [crate::abstraction::AsymmetricAlgorithmSelection] instead where possible. +/// This corresponds to TPMI_ALG_ASYM. #[derive(Copy, Clone, Debug, PartialEq, Eq, Hash)] pub enum AsymmetricAlgorithm { Rsa, diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs index ad2a1691..5bf3728c 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/ak_tests.rs @@ -4,15 +4,18 @@ use std::convert::{TryFrom, TryInto}; use tss_esapi::{ - abstraction::{ak, ek, KeyCustomization}, + abstraction::{ak, ek, AsymmetricAlgorithmSelection, KeyCustomization}, attributes::{ObjectAttributesBuilder, SessionAttributesBuilder}, - constants::SessionType, + constants::{response_code::FormatOneResponseCode, SessionType, Tss2ResponseCode}, handles::AuthHandle, interface_types::{ - algorithm::{AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm}, + algorithm::{HashingAlgorithm, SignatureSchemeAlgorithm}, + ecc::EccCurve, + key_bits::RsaKeyBits, session_handles::PolicySession, }, structures::{Auth, Digest, PublicBuilder, SymmetricDefinition}, + Error, }; use crate::common::create_ctx_without_session; @@ -21,11 +24,17 @@ use crate::common::create_ctx_without_session; fn test_create_ak_rsa_rsa() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, None, None, @@ -37,19 +46,38 @@ fn test_create_ak_rsa_rsa() { fn test_create_ak_rsa_ecc() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); - if ak::create_ak( + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); + // RC_FMT1 = 0x080 + // TPM_RC_P = 0x040 + // TPM_RC_2 = 0x200 + // TPM_RC_SCHEME = RC_FMT1 + 0x0120 + if let Err(actual_error) = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), SignatureSchemeAlgorithm::Sm2, None, None, - ) - .is_ok() - { - // We can't use unwrap_err because that requires Debug on the T - panic!("Should have errored"); + ) { + // RC_FMT1 0000 0000 0000 0000 0000 0000 1000 0000 + // TPM_RC_P 0000 0000 0000 0000 0000 0000 0100 0000 + // TPM_RC_SCHEME 0000 0000 0000 0000 0000 0000 0001 0010 + // TPM_RC_2 0000 0000 0000 0000 0000 0010 0000 0000 + // ----------------------------------------------------- + // RC -> 0000 0000 0000 0000 0000 0010 1101 0010 + let expected_error = Error::Tss2Error(Tss2ResponseCode::FormatOne(FormatOneResponseCode( + 0x000002d2, + ))); + assert_eq!(expected_error, actual_error); + } else { + // We can't use unwrap_err because that requires Debug on the T(=CreateKeyResult). + panic!("Should not be possible to create an AK with a parent that have an unsupported or incompatible scheme."); } } @@ -57,12 +85,18 @@ fn test_create_ak_rsa_ecc() { fn test_create_and_use_ak() { let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let ak_auth = Auth::try_from(vec![0x1, 0x2, 0x42]).unwrap(); let att_key = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth.clone()), None, @@ -158,13 +192,19 @@ fn test_create_custom_ak() { } let mut context = create_ctx_without_session(); - let ek_rsa = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); + let ek_rsa = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let ak_auth = Auth::try_from(vec![0x1, 0x2, 0x42]).unwrap(); // Without customization, no st clear let att_key_without = ak::create_ak( &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth.clone()), None, @@ -181,6 +221,7 @@ fn test_create_custom_ak() { &mut context, ek_rsa, HashingAlgorithm::Sha256, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), SignatureSchemeAlgorithm::RsaPss, Some(ak_auth), &CustomizeKey, diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs index fd9de753..e87b45a7 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/ek_tests.rs @@ -2,9 +2,9 @@ // SPDX-License-Identifier: Apache-2.0 use tss_esapi::{ - abstraction::ek, + abstraction::{ek, AsymmetricAlgorithmSelection}, constants::response_code::{FormatOneResponseCode, Tss2ResponseCode}, - interface_types::algorithm::AsymmetricAlgorithm, + interface_types::{ecc::EccCurve, key_bits::RsaKeyBits}, Error, }; @@ -16,12 +16,18 @@ fn test_retrieve_ek_pubcert() { // The error 395 is for "handle could not be found" - this makes it that if the NV Index // did not exist (the test is run on a TPM without an endorsement cert), it still passes. - match ek::retrieve_ek_pubcert(&mut context, AsymmetricAlgorithm::Rsa) { + match ek::retrieve_ek_pubcert( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + ) { Ok(_) => (), Err(Error::Tss2Error(Tss2ResponseCode::FormatOne(FormatOneResponseCode(395)))) => (), Err(e) => panic!("Error was unexpected: {:?}", e), }; - match ek::retrieve_ek_pubcert(&mut context, AsymmetricAlgorithm::Ecc) { + match ek::retrieve_ek_pubcert( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + ) { Ok(_) => (), Err(Error::Tss2Error(Tss2ResponseCode::FormatOne(FormatOneResponseCode(395)))) => (), Err(e) => panic!("Error was unexpected: {:?}", e), @@ -32,6 +38,16 @@ fn test_retrieve_ek_pubcert() { fn test_create_ek() { let mut context = create_ctx_without_session(); - let _ = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Rsa, None).unwrap(); - let _ = ek::create_ek_object(&mut context, AsymmetricAlgorithm::Ecc, None).unwrap(); + let _ = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); + let _ = ek::create_ek_object( + &mut context, + AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256), + None, + ) + .unwrap(); } diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs index f07310f8..b512e1ed 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs @@ -2,13 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 use std::convert::{TryFrom, TryInto}; use tss_esapi::{ - abstraction::ek, - abstraction::transient::{KeyParams, ObjectWrapper, TransientKeyContextBuilder}, + abstraction::{ + ek, + transient::{KeyParams, ObjectWrapper, TransientKeyContextBuilder}, + AsymmetricAlgorithmSelection, + }, constants::response_code::Tss2ResponseCodeKind, interface_types::{ - algorithm::{ - AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, RsaSchemeAlgorithm, - }, + algorithm::{EccSchemeAlgorithm, HashingAlgorithm, RsaSchemeAlgorithm}, ecc::EccCurve, key_bits::RsaKeyBits, resource_handles::Hierarchy, @@ -630,8 +631,11 @@ fn activate_credential() { let mut basic_ctx = crate::common::create_ctx_with_session(); // the public part of the EK is used, so we retrieve the parameters - let key_pub = - ek::create_ek_public_from_default_template(AsymmetricAlgorithm::Rsa, None).unwrap(); + let key_pub = ek::create_ek_public_from_default_template( + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let key_pub = if let Public::Rsa { object_attributes, name_hashing_algorithm, @@ -749,8 +753,11 @@ fn activate_credential_wrong_key() { let mut basic_ctx = crate::common::create_ctx_with_session(); // the public part of the EK is used, so we retrieve the parameters - let key_pub = - ek::create_ek_public_from_default_template(AsymmetricAlgorithm::Rsa, None).unwrap(); + let key_pub = ek::create_ek_public_from_default_template( + AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048), + None, + ) + .unwrap(); let key_pub = if let Public::Rsa { object_attributes, name_hashing_algorithm,