From 7c48b765481ef36b6b7a42dbc43665d58a15991b Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 13 Dec 2024 09:25:22 -0800 Subject: [PATCH 1/3] Support for building wolfTPM against older wolfCrypt (like v4.7.0). --- .github/workflows/make-test-swtpm.yml | 18 +++++++++++ examples/csr/csr.c | 4 +-- examples/endorsement/get_ek_certs.c | 9 ++++++ examples/pkcs7/pkcs7.c | 8 +++-- examples/run_examples.sh | 46 ++++++++++++++++----------- src/tpm2_wrap.c | 16 +++++++--- wolftpm/tpm2_types.h | 27 +++++++++++----- 7 files changed, 93 insertions(+), 35 deletions(-) diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index c2679be2..7d021622 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -202,6 +202,24 @@ jobs: make check WOLFSSL_PATH=./wolfssl NO_FILESYSTEM=1 ./examples/run_examples.sh +# test with older wolfCrypt (v4.7.0) + - name: wolfssl old v4.7.0 + working-directory: ./wolfssl + run: | + git checkout v4.7.0-stable + ./configure --enable-wolftpm CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN" + make + sudo make install + - name: wolftpm old wolfssl + # Old wolfSSL before PR #5075 does not support using a public key in place of private key with + # crypto callbacks enabled. + # To use PKCS7 or TLS Server a dummy private key must be used for older wolfSSL versions. + run: | + ./configure --enable-swtpm + make + make check + WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh + # capture logs on failure - name: Upload failure logs if: failure() diff --git a/examples/csr/csr.c b/examples/csr/csr.c index 3cba9b46..b1879201 100644 --- a/examples/csr/csr.c +++ b/examples/csr/csr.c 
@@ -87,7 +87,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key, #ifdef WOLFTPM2_NO_HEAP /* single shot API for CSR generation */ rc = wolfTPM2_CSR_Generate_ex(dev, key, subject, keyUsage, - CTC_FILETYPE_PEM, output, outputSz, sigType, makeSelfSignedCert, + ENCODING_TYPE_PEM, output, outputSz, sigType, makeSelfSignedCert, devId); #else rc = wolfTPM2_CSR_SetSubject(dev, csr, subject); @@ -104,7 +104,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key, } } if (rc == 0) { - rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, CTC_FILETYPE_PEM, + rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, ENCODING_TYPE_PEM, output, outputSz, sigType, makeSelfSignedCert, devId); } #endif diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c index 78abc01e..2f930451 100644 --- a/examples/endorsement/get_ek_certs.c +++ b/examples/endorsement/get_ek_certs.c @@ -278,8 +278,13 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) if (rc == 0) { /* Attempt to parse certificate */ printf("Parsing certificate (%d bytes)\n", certSz); + #ifdef WOLFSSL_TEST_CERT + InitDecodedCert(&cert, certBuf, certSz, NULL); + rc = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); + #else wc_InitDecodedCert(&cert, certBuf, certSz, NULL); rc = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); + #endif if (rc == 0) { printf("\tSuccessfully parsed\n"); @@ -338,7 +343,11 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) printf("Error parsing certificate! %s (%d)\n", TPM2_GetRCString(rc), rc); } + #ifdef WOLFSSL_TEST_CERT + FreeDecodedCert(&cert); + #else wc_FreeDecodedCert(&cert); + #endif #ifndef WOLFCRYPT_ONLY if (rc == 0) { diff --git a/examples/pkcs7/pkcs7.c b/examples/pkcs7/pkcs7.c index bd4ad4cb..94a6808c 100644 --- a/examples/pkcs7/pkcs7.c +++ b/examples/pkcs7/pkcs7.c 
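Review bot: In TPM2_EndorsementCert_Example the choice between `InitDecodedCert`/`ParseCert` and the `wc_`-prefixed calls is keyed on the build option `WOLFSSL_TEST_CERT` rather than on the wolfSSL version, and nothing at the call site says why. A newer wolfCrypt built with that define would presumably also take the unprefixed branch, so it is worth confirming those names still resolve there, or gating on `LIBWOLFSSL_VERSION_HEX` as pkcs7.c and tpm2_wrap.c do in this patch. The same `#ifdef` pair is repeated around `FreeDecodedCert` in the second get_ek_certs.c hunk. If the reason is that older wolfCrypt only exports the unprefixed names under that define, a comment at the first use such as `/* older wolfCrypt: DecodedCert API is unprefixed and exported only with WOLFSSL_TEST_CERT */` would cover both places. The function body starts and ends outside both hunks.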
@@ -46,12 +46,16 @@ /* The PKCS7 EX functions were added after v3.15.3 */ #include -#if defined(LIBWOLFSSL_VERSION_HEX) && \ - LIBWOLFSSL_VERSION_HEX > 0x03015003 +#if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x03015003 #undef ENABLE_PKCS7EX_EXAMPLE #define ENABLE_PKCS7EX_EXAMPLE #endif +#if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX < 0x05007004 + /* PKCS7 renamed to wc_PKCS7 */ + #define wc_PKCS7 PKCS7 +#endif + #ifndef MAX_PKCS7_SIZE #define MAX_PKCS7_SIZE MAX_CONTEXT_SIZE #endif diff --git a/examples/run_examples.sh b/examples/run_examples.sh index 3f706a91..e8c8bda1 100755 --- a/examples/run_examples.sh +++ b/examples/run_examples.sh @@ -13,6 +13,9 @@ fi if [ -z "$NO_FILESYSTEM" ]; then NO_FILESYSTEM=0 fi +if [ -z "$NO_PUBASPRIV" ]; then + NO_PUBASPRIV=0 +fi if [ -z "$WOLFCRYPT_DEFAULT" ]; then WOLFCRYPT_DEFAULT=0 fi @@ -337,7 +340,7 @@ fi # PKCS7 Tests echo -e "PKCS7 tests" -if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ] && [ $NO_PUBASPRIV -eq 0 ]; then ./examples/pkcs7/pkcs7 >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1 @@ -400,10 +403,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST run_tpm_tls_client "rsa" "" "4" run_tpm_tls_client "rsa" "-aes" "4" - run_tpm_tls_server "rsa" "" "3" - run_tpm_tls_server "rsa" "-aes" "3" - run_tpm_tls_server "rsa" "" "4" - run_tpm_tls_server "rsa" "-aes" "4" + if [ $NO_PUBASPRIV -eq 0 ]; then + run_tpm_tls_server "rsa" "" "3" + run_tpm_tls_server "rsa" "-aes" "3" + run_tpm_tls_server "rsa" "" "4" + run_tpm_tls_server "rsa" "-aes" "4" + fi # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks run_tpm_tls_client "rsa" "-pk" "3" 
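Review bot: With `NO_PUBASPRIV=1` the PKCS7 block (hunk at -337) and every `run_tpm_tls_server` group (hunks at -400, -411, -424 and -435) are skipped, and nothing in the visible lines reports the skip, so the log of the old-wolfSSL job reads like a full pass. An `else` branch that prints the reason, e.g. `echo -e "PKCS7 tests skipped (NO_PUBASPRIV=1)"`, would keep the reduced coverage visible. The variable is also undocumented where its default is set (hunk at -13); a comment such as `# NO_PUBASPRIV=1: wolfSSL cannot use a public key in place of the private key, skip PKCS7 and TLS server tests` would help. The `if` blocks continue outside the hunks.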
@@ -411,11 +416,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST run_tpm_tls_client "rsa" "-pk" "4" run_tpm_tls_client "rsa" "-pk -aes" "4" - run_tpm_tls_server "rsa" "-pk " "3" - run_tpm_tls_server "rsa" "-pk -aes" "3" - run_tpm_tls_server "rsa" "-pk " "4" - run_tpm_tls_server "rsa" "-pk -aes" "4" - + if [ $NO_PUBASPRIV -eq 0 ]; then + run_tpm_tls_server "rsa" "-pk " "3" + run_tpm_tls_server "rsa" "-pk -aes" "3" + run_tpm_tls_server "rsa" "-pk " "4" + run_tpm_tls_server "rsa" "-pk -aes" "4" + fi fi if [ $WOLFCRYPT_ECC -eq 1 ]; then # TLS client/server ECC TLS v1.2 and v1.3 Crypto callbacks @@ -424,10 +430,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST run_tpm_tls_client "ecc" "" "4" run_tpm_tls_client "ecc" "-aes" "4" - run_tpm_tls_server "ecc" "" "3" - run_tpm_tls_server "ecc" "-aes" "3" - run_tpm_tls_server "ecc" "" "4" - run_tpm_tls_server "ecc" "-aes" "4" + if [ $NO_PUBASPRIV -eq 0 ]; then + run_tpm_tls_server "ecc" "" "3" + run_tpm_tls_server "ecc" "-aes" "3" + run_tpm_tls_server "ecc" "" "4" + run_tpm_tls_server "ecc" "-aes" "4" + fi # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks run_tpm_tls_client "ecc" "-pk" "3" @@ -435,10 +443,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST run_tpm_tls_client "ecc" "-pk" "4" run_tpm_tls_client "ecc" "-pk -aes" "4" - run_tpm_tls_server "ecc" "-pk" "3" - run_tpm_tls_server "ecc" "-pk -aes" "3" - run_tpm_tls_server "ecc" "-pk" "4" - run_tpm_tls_server "ecc" "-pk -aes" "4" + if [ $NO_PUBASPRIV -eq 0 ]; then + run_tpm_tls_server "ecc" "-pk" "3" + run_tpm_tls_server "ecc" "-pk -aes" "3" + run_tpm_tls_server "ecc" "-pk" "4" + run_tpm_tls_server "ecc" "-pk -aes" "4" + fi fi fi diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 969e1973..0c3c6885 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c 
@@ -2818,6 +2818,8 @@ int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz, rc = wc_InitRsaKey(key, NULL); if (rc == 0) { idx = 0; + /* skip PKCS8 header */ + (void)wc_GetPkcs8TraditionalOffset((byte*)der, &idx, derSz); rc = wc_RsaPrivateKeyDecode(der, &idx, key, derSz); if (rc == 0) { isPrivateKey = 1; @@ -3033,7 +3035,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, /* load public portion of key into wolf RSA Key */ rc = wolfTPM2_RsaKey_TpmToWolf(dev, tpmKey, &key.rsa); if (rc == 0) { - rc = wc_RsaKeyToPublicDer_ex(&key.rsa, out, *outSz, 1); + rc = wc_RsaKeyToPublicDer(&key.rsa, out, *outSz); if (rc > 0) { derSz = rc; rc = 0; @@ -6836,15 +6838,19 @@ static int CSR_Parse_DN(CertName* name, const char* subject) {"/CN=", OFFSETOF(CertName, commonName)}, /* Common Name */ {"/C=", OFFSETOF(CertName, country)}, /* Country */ {"/ST=", OFFSETOF(CertName, state)}, /* State */ - {"/street=", OFFSETOF(CertName, street)}, /* Street */ {"/L=", OFFSETOF(CertName, locality)}, /* Locality */ {"/SN=", OFFSETOF(CertName, sur)}, /* Surname */ {"/O=", OFFSETOF(CertName, org)}, /* Organization */ {"/OU=", OFFSETOF(CertName, unit)}, /* Organization Unit */ - {"/postalCode=", OFFSETOF(CertName, postalCode)}, /* PostalCode */ - {"/userid=", OFFSETOF(CertName, userId)}, /* UserID */ {"/serialNumber=", OFFSETOF(CertName, serialDev)}, /* Serial Number */ {"/emailAddress=", OFFSETOF(CertName, email)}, /* Email Address */ + #if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x05000000 + {"/street=", OFFSETOF(CertName, street)}, /* Street */ + {"/postalCode=", OFFSETOF(CertName, postalCode)}, /* PostalCode */ + #endif + #if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x05003000 + {"/userid=", OFFSETOF(CertName, userId)}, /* UserID */ + #endif #ifdef WOLFSSL_CERT_EXT {"/businessCategory=", OFFSETOF(CertName, busCat)}, /* Business Category */ #endif 
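Review bot: The result of `wc_GetPkcs8TraditionalOffset` in wolfTPM2_DecodeRsaDer is discarded, so the decode that follows depends on the helper leaving `idx` at 0 whenever `der` is not PKCS#8. Advancing a scratch index and adopting it only on success makes that explicit and keeps a malformed header from shifting where `wc_RsaPrivateKeyDecode` starts: `word32 p8Idx = 0;` then `if (wc_GetPkcs8TraditionalOffset((byte*)der, &p8Idx, derSz) >= 0) idx = p8Idx;`. The `(byte*)` cast drops the `const` on `der`; a short comment that the helper only reads the buffer would help, if that holds for every supported wolfCrypt version. The function continues outside the hunk, so any later reuse of `idx` is not visible here.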
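Review bot: On wolfSSL builds at or below the two version cut-offs, `/street=`, `/postalCode=` and `/userid=` drop out of the table in CSR_Parse_DN, and the hunk does not show what the parser does with a subject string that still contains them. If unmatched tokens are ignored or absorbed into the preceding field, the CSR would carry a different DN than the caller asked for, so it is worth confirming that the loop outside this hunk rejects or reports them. The comparisons are strict (`> 0x05000000`, `> 0x05003000`), which excludes the boundary releases themselves. A comment naming the first wolfSSL release that has each `CertName` field would make the cut-offs checkable.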
@@ -6916,7 +6922,7 @@ static int CSR_MakeAndSign(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, CSRKey* key, } /* Optionally convert to PEM */ - if (rc >= 0 && outFormat == CTC_FILETYPE_PEM) { + if (rc >= 0 && outFormat == ENCODING_TYPE_PEM) { #ifdef WOLFSSL_DER_TO_PEM byte tmp[MAX_CONTEXT_SIZE]; if (rc > (int)sizeof(tmp)) { diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h index 69687f65..d7f4ccd8 100644 --- a/wolftpm/tpm2_types.h +++ b/wolftpm/tpm2_types.h @@ -125,6 +125,17 @@ typedef int64_t INT64; #define ENCODING_TYPE_PEM 1 /* CTC_FILETYPE_PEM */ #define ENCODING_TYPE_ASN1 2 /* CTC_FILETYPE_ASN1 */ + #ifndef WOLFSSL_HAVE_ECC_KEY_GET_PRIV + #define wc_ecc_key_get_priv(key) (&((key)->k)) + #define WOLFSSL_HAVE_ECC_KEY_GET_PRIV + #endif + + #ifndef PRIVATE_KEY_LOCK + #define PRIVATE_KEY_LOCK() do {} while (0) + #endif + #ifndef PRIVATE_KEY_UNLOCK + #define PRIVATE_KEY_UNLOCK() do {} while (0) + #endif #else #include @@ -172,14 +183,6 @@ typedef int64_t INT64; #define LITTLE_ENDIAN_ORDER #endif - #ifndef OFFSETOF - #if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 4)) - #define OFFSETOF(type, field) __builtin_offsetof(type, field) - #else - #define OFFSETOF(type, field) ((size_t)&(((type *)0)->field)) - #endif - #endif - /* GCC Version */ #ifndef __GNUC_PREREQ #if defined(__GNUC__) && defined(__GNUC_MINOR__) @@ -223,6 +226,14 @@ typedef int64_t INT64; #endif /* !WOLFTPM2_NO_WOLFCRYPT */ +#ifndef OFFSETOF + #if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 4)) + #define OFFSETOF(type, field) __builtin_offsetof(type, field) + #else + #define OFFSETOF(type, field) ((size_t)&(((type *)0)->field)) + #endif +#endif + #ifndef WOLFTPM_CUSTOM_TYPES #include From e4ea0950e08076d4bc9a865d653ebcf6afcc15a1 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 13 Dec 2024 10:03:38 -0800 Subject: [PATCH 2/3] Fix CI for old wolfSSL. --- .github/workflows/make-test-swtpm.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
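Review bot: The `wc_ecc_key_get_priv`, `PRIVATE_KEY_LOCK` and `PRIVATE_KEY_UNLOCK` fallbacks in the tpm2_types.h hunk at -125 are correct only if every wolfCrypt header that can define them has already been included at that point; the include list is outside the hunk. If one is pulled in later, the lock macros defined here as `do {} while (0)` would already be in place and, depending on how wolfCrypt guards its own definitions, could either clash or quietly stand in for the real private-key guard. A comment above the block, e.g. `/* fallbacks for wolfCrypt versions without these macros; must follow all wolfCrypt includes */`, would record that ordering requirement. `(&((key)->k))` also assumes `k` is an embedded `mp_int`, which is presumably true for the versions that lack `WOLFSSL_HAVE_ECC_KEY_GET_PRIV`.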
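Review bot: The relocated `OFFSETOF` fallback in the tpm2_types.h hunk at -223 still computes the offset by taking a member address through a null pointer, `((size_t)&(((type *)0)->field))`, which ISO C does not define. Now that the macro is also available to builds without wolfCrypt, the non-GCC branch could use the standard macro instead, `#define OFFSETOF(type, field) offsetof(type, field)`, with `<stddef.h>` included. Whether `<stddef.h>` is already included in this header is not visible in the hunk.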
diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index 7d021622..09a2102f 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -203,14 +203,18 @@ jobs: WOLFSSL_PATH=./wolfssl NO_FILESYSTEM=1 ./examples/run_examples.sh # test with older wolfCrypt (v4.7.0) - - name: wolfssl old v4.7.0 + - uses: actions/checkout@master + with: + repository: wolfssl/wolfssl + path: wolfssl-old + ref: v4.7.0-stable + - name: wolfssl old working-directory: ./wolfssl run: | - git checkout v4.7.0-stable ./configure --enable-wolftpm CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN" make sudo make install - - name: wolftpm old wolfssl + - name: wolftpm with old wolfssl # Old wolfSSL before PR #5075 does not support using a public key in place of private key with # crypto callbacks enabled. # To use PKCS7 or TLS Server a dummy private key must be used for older wolfSSL versions. @@ -218,7 +222,7 @@ jobs: ./configure --enable-swtpm make make check - WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh + WOLFSSL_PATH=./wolfssl-old NO_PUBASPRIV=1 ./examples/run_examples.sh # capture logs on failure - name: Upload failure logs From 88f57f373ee6ca7a7d3fc23bc05ffd0da7475ed3 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 13 Dec 2024 13:59:15 -0800 Subject: [PATCH 3/3] Fix CI --- .github/workflows/make-test-swtpm.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index 09a2102f..e58201c4 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml 
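Review bot: The new checkout step puts v4.7.0-stable in `wolfssl-old`, but the `wolfssl old` build step that follows still has `working-directory: ./wolfssl`, so as far as the visible lines show the configure, make and install run on the other tree and the old wolfCrypt is never built; `working-directory: ./wolfssl-old` looks like what was intended. The step also references the action by a moving branch, `actions/checkout@master`. Pinning it to a release tag or a full commit SHA keeps an upstream change from altering what this job executes, which matters more here because the job goes on to run `sudo make install`.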
@@ -218,11 +218,12 @@ jobs: # Old wolfSSL before PR #5075 does not support using a public key in place of private key with # crypto callbacks enabled. # To use PKCS7 or TLS Server a dummy private key must be used for older wolfSSL versions. + # Use newer wolfSSL TLS client/server to resolve test certificate expirations run: | ./configure --enable-swtpm make make check - WOLFSSL_PATH=./wolfssl-old NO_PUBASPRIV=1 ./examples/run_examples.sh + WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh # capture logs on failure - name: Upload failure logs