Skip to content

Commit

Permalink
For authenticated session key binding requires the algorithm RSA/ECC …
Browse files Browse the repository at this point in the history 
…to be enabled to encrypt secret.
  • Loading branch information
@dgarske
dgarske committed Aug 16, 2024
1 parent c1db226 commit 0433a39
Show file tree
Hide file tree
Showing 8 changed files with 116 additions and 31 deletions.
22 changes: 16 additions & 6 deletions examples/keygen/keygen.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_KEYBLOB primaryBlob; /* Primary key as WOLFTPM2_KEYBLOB */
TPMT_PUBLIC publicTemplate;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* default, see usage() for options */
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
TPM_ALG_ID algSym = TPM_ALG_CTR; /* default Symmetric Cipher, see usage */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
Expand Down Expand Up @@ -220,13 +221,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
XMEMSET(&auth, 0, sizeof(auth));

if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;

printf("TPM2.0 Key generation example\n");
printf("\tKey Blob: %s\n", outputFile);
printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
if(alg == TPM_ALG_SYMCIPHER) {
printf("\t\t %s mode, %d keybits\n", symMode, keyBits);
}
printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default");
printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg));
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));

rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
Expand All @@ -237,25 +242,30 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])

if (endorseKey) {
/* endorsement is always RSA */
rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
endorse.handle.policyAuth = 1; /* EK requires Policy auth, not Password */
pubFilename = ekPubFile;
primary = &endorse;
}
else {
/* SRK: Use RSA or ECC SRK only. Prefer ECC */
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC;
if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
pubFilename = srkPubFile;
primary = &storage;
}
if (rc != 0) goto exit;

if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = primary;
#ifndef HAVE_ECC
if (srkAlg == TPM_ALG_ECC)
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
#ifdef NO_RSA
if (srkAlg == TPM_ALG_RSA)
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("HMAC Session: Handle 0x%x\n",
Expand Down
40 changes: 27 additions & 13 deletions examples/keygen/keyimport.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_DEV dev;
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEYBLOB impKey;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA, srkAlg; /* TPM_ALG_ECC */
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA;
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
const char* outputFile = "keyblob.bin";
Expand Down Expand Up @@ -98,6 +99,9 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
alg = TPM_ALG_ECC;
}
else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
alg = TPM_ALG_RSA;
}
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}
Expand Down Expand Up @@ -137,9 +141,13 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
XMEMSET(&impKey, 0, sizeof(impKey));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));

if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;

printf("TPM2.0 Key Import example\n");
printf("\tKey Blob: %s\n", outputFile);
printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg));
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
printf("\tpassword: %s\n", password);

Expand All @@ -149,24 +157,24 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
goto exit;
}

srkAlg = alg;
#if defined(HAVE_ECC) && !defined(WOLFSSL_PUBLIC_MP)
if (srkAlg == TPM_ALG_ECC && paramEncAlg != TPM_ALG_NULL) {
/* ECC encrypt requires mp_ API's */
printf("Parameter encryption with ECC SRK support not available, "
"using RSA SRK\n");
srkAlg = TPM_ALG_RSA;
}
#endif

/* get SRK */
rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
if (rc != 0) goto exit;

if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = &storage;
#ifndef HAVE_ECC
if (srkAlg == TPM_ALG_ECC)
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
#ifdef NO_RSA
if (srkAlg == TPM_ALG_RSA)
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif

/* Start an authenticated session (salted / unbound) with parameter
* encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
Expand Down Expand Up @@ -202,7 +210,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
if (isPublicKey) {
rc = wolfTPM2_ImportPublicKeyBuffer(&dev,
alg,
(WOLFTPM2_KEY*)&impKey,
(WOLFTPM2_KEY*)&impKey,
encType,
(const char*)buf, (word32)bufSz,
attributes
Expand All @@ -219,6 +227,12 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
);
}
}
#if defined(NO_RSA) || !defined(HAVE_ECC)
if (rc == NOT_COMPILED_IN) {
printf("Feature not compiled in! Skipping test\n");
rc = 0; /* allowing error */
}
#endif
}
else
#else
Expand Down
28 changes: 20 additions & 8 deletions examples/keygen/keyload.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,12 +66,15 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_KEY *primary = NULL;
WOLFTPM2_KEYBLOB newKey;
WOLFTPM2_KEY persistKey;
TPM_ALG_ID alg;
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
const char* inputFile = "keyblob.bin";
int persistent = 0;
int endorseKey = 0;


if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
XSTRCMP(argv[1], "-h") == 0 ||
Expand Down Expand Up @@ -129,18 +132,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
goto exit;
#endif

alg = newKey.pub.publicArea.type;
if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
printf("Loading %s key\n", TPM2_GetAlgName(alg));

if (endorseKey) {
/* endorsement is always RSA */
rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
if (rc != 0) goto exit;
endorse.handle.policyAuth = 1;
primary = &endorse;
}
else {
/* SRK: Use RSA or ECC SRK only. Prefer ECC */
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC;
if (newKey.pub.publicArea.type == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
if (rc != 0) goto exit;
primary = &storage;
Expand All @@ -154,11 +158,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
if (rc != 0) goto exit;
}

if (paramEncAlg != TPM_ALG_NULL) {
else if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = &storage;
#ifndef HAVE_ECC
if (srkAlg == TPM_ALG_ECC)
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
#ifdef NO_RSA
if (srkAlg == TPM_ALG_RSA)
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
/* Start an authenticated session (salted / unbound) with parameter
* encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
Expand Down
14 changes: 13 additions & 1 deletion examples/pkcs7/pkcs7.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -391,12 +391,24 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])

printf("TPM2 PKCS7 Example\n");


XMEMSET(&derCert, 0, sizeof(derCert));
XMEMSET(&derPubKey, 0, sizeof(derPubKey));
XMEMSET(&tpmKey, 0, sizeof(tpmKey));
XMEMSET(&storageKey, 0, sizeof(storageKey));

#ifndef HAVE_ECC
if (alg == TPM_ALG_ECC) {
printf("ECC not compiled in!\n");
return 0; /* don't report error */
}
#endif
#ifdef NO_RSA
if (alg == TPM_ALG_RSA) {
printf("RSA not compiled in!\n");
return 0; /* don't report error */
}
#endif

/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) return rc;
Expand Down
5 changes: 4 additions & 1 deletion examples/timestamp/signed_timestamp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/timestamp/signed_timestamp [-ecc] [-aes/xor]\n");
printf("./examples/timestamp/signed_timestamp [-ecc/-rsa] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC for SRK/AIK\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
Expand Down Expand Up @@ -93,6 +93,9 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
alg = TPM_ALG_ECC;
}
else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
alg = TPM_ALG_RSA;
}
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}
Expand Down
13 changes: 13 additions & 0 deletions examples/tls/tls_client.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,19 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
printf("\tUsing Port: %d\n", port);
printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");

#ifndef HAVE_ECC
if (useECC) {
printf("ECC not compiled in!\n");
return 0; /* don't report error */
}
#endif
#ifdef NO_RSA
if (!useECC) {
printf("RSA not compiled in!\n");
return 0; /* don't report error */
}
#endif

/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) {
Expand Down
13 changes: 13 additions & 0 deletions examples/tls/tls_server.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,19 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
printf("\tUsing Port: %d\n", port);
printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");

#ifndef HAVE_ECC
if (useECC) {
printf("ECC not compiled in!\n");
return 0; /* don't report error */
}
#endif
#ifdef NO_RSA
if (!useECC) {
printf("RSA not compiled in!\n");
return 0; /* don't report error */
}
#endif

/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) {
Expand Down
12 changes: 10 additions & 2 deletions examples/wrap/wrap_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -267,7 +267,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])

/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
void* bindKey = &storageKey;
#ifdef NO_RSA
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
Expand Down Expand Up @@ -543,7 +547,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])

/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
void* bindKey = &storageKey;
#ifndef HAVE_ECC
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
Expand Down

0 comments on commit 0433a39

Please sign in to comment.