diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index 4a56e86c..eb1148be 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -52,6 +52,25 @@ jobs: run: | make check WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh + - name: make install + run: sudo make install + +# build and test CSharp wrapper + - name: Install mono + run: | + sudo apt-get install -y mono-mcs mono-tools-devel nunit nunit-console + - name: Build CSharp wrapper + working-directory: ./wrapper/CSharp + run: | + mcs wolfTPM.cs wolfTPM-tests.cs -r:/usr/lib/cli/nunit.framework-2.6.3/nunit.framework.dll -t:library + - name: Run self test + working-directory: ./wrapper/CSharp + run: | + LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll -run=tpm_csharp_test.WolfTPMTest.TrySelfTest + - name: Run unit tests + working-directory: ./wrapper/CSharp + run: | + LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll #test no wolfcrypt - name: configure no wolfCrypt diff --git a/examples/csr/csr.c b/examples/csr/csr.c index 096e2e95..b0a12d3a 100644 --- a/examples/csr/csr.c +++ b/examples/csr/csr.c @@ -51,7 +51,7 @@ static const char* gClientCertEccFile = "./certs/tpm-ecc-cert.pem"; /******************************************************************************/ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key, - const char* outputPemFile, int makeSelfSignedCert, int devId) + const char* outputPemFile, int makeSelfSignedCert, int devId, int sigType) { int rc; const char* subject = NULL; @@ -63,6 +63,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key, const char* custOid = "1.2.3.4.5"; const char* custOidVal = "This is NOT a critical extension"; WOLFTPM2_CSR* csr = wolfTPM2_NewCSR(); + if (csr == NULL) { return MEMORY_E; } @@ -82,7 +83,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key, #ifdef WOLFTPM2_NO_HEAP /* single shot API for CSR generation */ rc = wolfTPM2_CSR_Generate_ex(dev, key, subject, keyUsage, - CTC_FILETYPE_PEM, output, outputSz, 0, makeSelfSignedCert, + CTC_FILETYPE_PEM, output, outputSz, sigType, makeSelfSignedCert, devId); #else rc = wolfTPM2_CSR_SetSubject(dev, csr, subject); @@ -100,7 +101,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key, } if (rc == 0) { rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, CTC_FILETYPE_PEM, - output, outputSz, 0, makeSelfSignedCert, devId); + output, outputSz, sigType, makeSelfSignedCert, devId); } #endif if (rc >= 0) { @@ -202,7 +203,7 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) if (rc == 0) { rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &key, makeSelfSignedCert ? gClientCertRsaFile : gClientCsrRsaFile, - makeSelfSignedCert, tpmDevId); + makeSelfSignedCert, tpmDevId, CTC_SHA256wRSA); } wolfTPM2_UnloadHandle(&dev, &key.handle); } @@ -210,11 +211,20 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) #ifdef HAVE_ECC if (rc == 0) { + int sigType = CTC_SHA256wECDSA; + TPM_ECC_CURVE curve = TPM_ECC_NIST_P256; tpmCtx.eccKey = &key; + + #if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384 + /* make sure we use a curve that is enabled */ + sigType = CTC_SHA384wECDSA; + curve = TPM_ECC_NIST_P384; + #endif + rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | TPMA_OBJECT_sign | TPMA_OBJECT_noDA, - TPM_ECC_NIST_P256, TPM_ALG_ECDSA); + curve, TPM_ALG_ECDSA); if (rc == 0) { rc = getECCkey(&dev, &storageKey, &key, NULL, tpmDevId, (byte*)gKeyAuth, sizeof(gKeyAuth)-1, &publicTemplate); @@ -222,7 +232,7 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) if (rc == 0) { rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &key, makeSelfSignedCert ? gClientCertEccFile : gClientCsrEccFile, - makeSelfSignedCert, tpmDevId); + makeSelfSignedCert, tpmDevId, sigType); } wolfTPM2_UnloadHandle(&dev, &key.handle); } diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 6e957a9b..6efff100 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -3461,6 +3461,7 @@ int wolfTPM2_SignHash(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, const byte* digest, int digestSz, byte* sig, int* sigSz) { TPM_ALG_ID sigAlg = TPM_ALG_NULL; + TPMI_ALG_HASH hashAlg = WOLFTPM2_WRAP_DIGEST; if (dev == NULL || key == NULL || digest == NULL || sig == NULL) { return BAD_FUNC_ARG; @@ -3468,13 +3469,17 @@ int wolfTPM2_SignHash(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, if (key->pub.publicArea.type == TPM_ALG_ECC) { sigAlg = key->pub.publicArea.parameters.eccDetail.scheme.scheme; + hashAlg = key->pub.publicArea.parameters.eccDetail.scheme.details.any.hashAlg; + } else if (key->pub.publicArea.type == TPM_ALG_RSA) { sigAlg = key->pub.publicArea.parameters.rsaDetail.scheme.scheme; + hashAlg = key->pub.publicArea.parameters.rsaDetail.scheme.details.anySig.hashAlg; } return wolfTPM2_SignHashScheme(dev, key, digest, digestSz, sig, sigSz, - sigAlg, WOLFTPM2_WRAP_DIGEST); + sigAlg, hashAlg); + } /* sigAlg: TPM_ALG_RSASSA, TPM_ALG_RSAPSS, TPM_ALG_ECDSA or TPM_ALG_ECDAA */ @@ -5315,6 +5320,15 @@ static int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate, if (publicTemplate == NULL || curveSz == 0) return BAD_FUNC_ARG; +#if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384 + /* make sure we use a curve that is enabled */ + if (curve == TPM_ECC_NIST_P256) { + curve = TPM_ECC_NIST_P384; + nameAlg = TPM_ALG_SHA384; + sigHash = TPM_ALG_SHA384; + } +#endif + XMEMSET(publicTemplate, 0, sizeof(TPMT_PUBLIC)); publicTemplate->type = TPM_ALG_ECC; publicTemplate->nameAlg = nameAlg; @@ -6247,7 +6261,7 @@ static int CSR_KeySetup(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, WOLFTPM2_KEY* key, csr->req.sigType = CTC_SHA256wECDSA; } } - else if (csr->req.sigType == 0) { + else if (sigType != 0) { csr->req.sigType = sigType; } } @@ -6335,6 +6349,10 @@ int wolfTPM2_CSR_SetKeyUsage(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, /* add Extended Key Usage */ rc = wc_SetExtKeyUsage(&csr->req, keyUsage); + if (rc == EXTKEYUSAGE_E) { + /* try setting key usage values */ + rc = wc_SetKeyUsage(&csr->req, keyUsage); + } #else if (keyUsage != NULL) { #ifdef DEBUG_WOLFTPM diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h index b291a157..049fcd8d 100644 --- a/wolftpm/tpm2_wrap.h +++ b/wolftpm/tpm2_wrap.h @@ -2670,7 +2670,10 @@ WOLFTPM_API int wolfTPM2_CSR_SetCustomExt(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, /*! \ingroup wolfTPM2_Wrappers \brief Helper for Certificate Signing Request (CSR) generation to set a - key usage for a WOLFTPM2_CSR structure. + extended key usage or key usage for a WOLFTPM2_CSR structure. + Pass either extended key usage or key usage values. + Mixed string types are not supported, however you can call `wolfTPM2_CSR_SetKeyUsage` + twice (once for extended key usage strings and once for standard key usage strings). \return TPM_RC_SUCCESS: successful \return BAD_FUNC_ARG: check the provided arguments @@ -2678,7 +2681,8 @@ WOLFTPM_API int wolfTPM2_CSR_SetCustomExt(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, \param dev pointer to a TPM2_DEV struct (not used) \param csr pointer to a WOLFTPM2_CSR structure \param keyUsage string list of comma separated key usage attributes. - Possible values: any, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping and OCSPSigning + Possible Extended Key Usage values: any, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping and OCSPSigning + Possible Key Usage values: digitalSignature, nonRepudiation, contentCommitment, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly Default: "serverAuth,clientAuth,codeSigning" \sa wolfTPM2_CSR_SetSubject