Skip to content

Commit

Permalink
enable non standard key sizes and curves for EK and AK
Browse files Browse the repository at this point in the history
Signed-off-by: Thore Sommer <[email protected]>
  • Loading branch information
THS-on committed Dec 19, 2024
1 parent 62e959c commit 3302efc
Show file tree
Hide file tree
Showing 5 changed files with 137 additions and 35 deletions.
2 changes: 1 addition & 1 deletion keylime-agent/src/agent_handler.rs
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ mod tests {
async fn test_agent_info() {
let (mut quotedata, mutex) = QuoteData::fixture().await.unwrap(); //#[allow_ci]
quotedata.hash_alg = keylime::algorithms::HashAlgorithm::Sha256;
quotedata.enc_alg = keylime::algorithms::EncryptionAlgorithm::Rsa;
quotedata.enc_alg = keylime::algorithms::EncryptionAlgorithm::Rsa2048;
quotedata.sign_alg = keylime::algorithms::SignAlgorithm::RsaSsa;
quotedata.agent_uuid = "DEADBEEF".to_string();
let data = web::Data::new(quotedata);
Expand Down
1 change: 1 addition & 0 deletions keylime-agent/src/common.rs
Original file line number Diff line number Diff line change
Expand Up @@ -304,6 +304,7 @@ mod tests {
let ak = ctx.create_ak(
ek_result.key_handle,
tpm_hash_alg,
tpm_encryption_alg,
tpm_signing_alg,
)?;

Expand Down
7 changes: 6 additions & 1 deletion keylime-agent/src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -412,6 +412,7 @@ async fn main() -> Result<()> {
let new_ak = ctx.create_ak(
ek_result.key_handle,
tpm_hash_alg,
tpm_encryption_alg,
tpm_signing_alg,
)?;
let ak_handle = ctx.load_ak(ek_result.key_handle, &new_ak)?;
Expand Down Expand Up @@ -1029,12 +1030,15 @@ mod testing {
.create_ak(
ek_result.key_handle,
tpm_hash_alg,
tpm_encryption_alg,
tpm_signing_alg,
)
.unwrap(); //#[allow_ci]
let ak_handle =
ctx.load_ak(ek_result.key_handle, &ak_result).unwrap(); //#[allow_ci]

let ak_tpm2b_pub =
PublicBuffer::try_from(ak_result.public)?.marshall()?;
ctx.flush_context(ek_result.key_handle.into()).unwrap(); //#[allow_ci]

let rsa_key_path = Path::new(env!("CARGO_MANIFEST_DIR"))
Expand Down Expand Up @@ -1100,7 +1104,8 @@ mod testing {
payload_tx,
revocation_tx,
hash_alg: keylime::algorithms::HashAlgorithm::Sha256,
enc_alg: keylime::algorithms::EncryptionAlgorithm::Rsa,
enc_alg:
keylime::algorithms::EncryptionAlgorithm::Rsa2048,
sign_alg: keylime::algorithms::SignAlgorithm::RsaSsa,
agent_uuid: test_config.agent.uuid,
allow_payload_revocation_actions: test_config
Expand Down
111 changes: 99 additions & 12 deletions keylime/src/algorithms.rs
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,13 @@ use std::convert::TryFrom;
use std::fmt;
use thiserror::Error;
use tss_esapi::{
interface_types::algorithm::{
AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
abstraction::AsymmetricAlgorithmSelection,
interface_types::{
algorithm::{
AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
},
ecc::EccCurve,
key_bits::RsaKeyBits,
},
structures::{HashScheme, SignatureScheme},
};
Expand Down Expand Up @@ -89,15 +94,68 @@ impl From<HashAlgorithm> for MessageDigest {

#[derive(Copy, Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub enum EncryptionAlgorithm {
Rsa,
Ecc,
Rsa1024,
Rsa2048,
Rsa3072,
Rsa4096,
Ecc192,
Ecc224,
Ecc256,
Ecc384,
Ecc521,
EccSm2,
}

impl From<EncryptionAlgorithm> for AsymmetricAlgorithm {
fn from(enc_alg: EncryptionAlgorithm) -> Self {
match enc_alg {
EncryptionAlgorithm::Rsa => AsymmetricAlgorithm::Rsa,
EncryptionAlgorithm::Ecc => AsymmetricAlgorithm::Ecc,
EncryptionAlgorithm::Rsa1024 => AsymmetricAlgorithm::Rsa,
EncryptionAlgorithm::Rsa2048 => AsymmetricAlgorithm::Rsa,
EncryptionAlgorithm::Rsa3072 => AsymmetricAlgorithm::Rsa,
EncryptionAlgorithm::Rsa4096 => AsymmetricAlgorithm::Rsa,
EncryptionAlgorithm::Ecc192 => AsymmetricAlgorithm::Ecc,
EncryptionAlgorithm::Ecc224 => AsymmetricAlgorithm::Ecc,
EncryptionAlgorithm::Ecc256 => AsymmetricAlgorithm::Ecc,
EncryptionAlgorithm::Ecc384 => AsymmetricAlgorithm::Ecc,
EncryptionAlgorithm::Ecc521 => AsymmetricAlgorithm::Ecc,
EncryptionAlgorithm::EccSm2 => AsymmetricAlgorithm::Ecc,
}
}
}

impl From<EncryptionAlgorithm> for AsymmetricAlgorithmSelection {
fn from(enc_alg: EncryptionAlgorithm) -> Self {
match enc_alg {
EncryptionAlgorithm::Rsa1024 => {
AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa1024)
}
EncryptionAlgorithm::Rsa2048 => {
AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048)
}
EncryptionAlgorithm::Rsa3072 => {
AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa3072)
}
EncryptionAlgorithm::Rsa4096 => {
AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa4096)
}
EncryptionAlgorithm::Ecc192 => {
AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP192)
}
EncryptionAlgorithm::Ecc224 => {
AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP224)
}
EncryptionAlgorithm::Ecc256 => {
AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256)
}
EncryptionAlgorithm::Ecc384 => {
AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384)
}
EncryptionAlgorithm::Ecc521 => {
AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP521)
}
EncryptionAlgorithm::EccSm2 => {
AsymmetricAlgorithmSelection::Ecc(EccCurve::Sm2P256)
}
}
}
}
Expand All @@ -107,8 +165,25 @@ impl TryFrom<&str> for EncryptionAlgorithm {

fn try_from(value: &str) -> Result<Self, Self::Error> {
match value {
"rsa" => Ok(EncryptionAlgorithm::Rsa),
"ecc" => Ok(EncryptionAlgorithm::Ecc),
/* Use default key size and curve if not explicitly specified */
"rsa" => Ok(EncryptionAlgorithm::Rsa2048),
"ecc" => Ok(EncryptionAlgorithm::Ecc256),
"rsa1024" => Ok(EncryptionAlgorithm::Rsa1024),
"rsa2048" => Ok(EncryptionAlgorithm::Rsa2048),
"rsa3072" => Ok(EncryptionAlgorithm::Rsa3072),
"rsa4096" => Ok(EncryptionAlgorithm::Rsa4096),
"ecc192" => Ok(EncryptionAlgorithm::Ecc192),
"ecc_nist_p192" => Ok(EncryptionAlgorithm::Ecc192),
"ecc224" => Ok(EncryptionAlgorithm::Ecc224),
"ecc_nist_p224" => Ok(EncryptionAlgorithm::Ecc224),
"ecc256" => Ok(EncryptionAlgorithm::Ecc256),
"ecc_nist_p256" => Ok(EncryptionAlgorithm::Ecc256),
"ecc384" => Ok(EncryptionAlgorithm::Ecc384),
"ecc_nist_p384" => Ok(EncryptionAlgorithm::Ecc384),
"ecc521" => Ok(EncryptionAlgorithm::Ecc521),
"ecc_nist_p521" => Ok(EncryptionAlgorithm::Ecc521),
"ecc_sm2" => Ok(EncryptionAlgorithm::EccSm2),
"ecc_sm2_p256" => Ok(EncryptionAlgorithm::EccSm2),
_ => Err(AlgorithmError::UnsupportedEncryptionAlgorithm(
value.into(),
)),
Expand All @@ -119,8 +194,16 @@ impl TryFrom<&str> for EncryptionAlgorithm {
impl fmt::Display for EncryptionAlgorithm {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let value = match self {
EncryptionAlgorithm::Rsa => "rsa",
EncryptionAlgorithm::Ecc => "ecc",
EncryptionAlgorithm::Rsa1024 => "rsa1024",
EncryptionAlgorithm::Rsa2048 => "rsa", /* for backwards compatibility */
EncryptionAlgorithm::Rsa3072 => "rsa3072",
EncryptionAlgorithm::Rsa4096 => "rsa4096",
EncryptionAlgorithm::Ecc192 => "ecc192",
EncryptionAlgorithm::Ecc224 => "ecc224",
EncryptionAlgorithm::Ecc256 => "ecc", /* for backwards compatibility */
EncryptionAlgorithm::Ecc384 => "ecc384",
EncryptionAlgorithm::Ecc521 => "ecc521",
EncryptionAlgorithm::EccSm2 => "ecc_sm2",
};
write!(f, "{value}")
}
Expand Down Expand Up @@ -219,9 +302,13 @@ mod tests {
#[test]
fn test_encrypt_try_from() {
let result = EncryptionAlgorithm::try_from("rsa");
assert!(result.is_ok());
assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Rsa2048));
let result = EncryptionAlgorithm::try_from("ecc");
assert!(result.is_ok());
assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Ecc256));
let result = EncryptionAlgorithm::try_from("rsa4096");
assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Rsa4096));
let result = EncryptionAlgorithm::try_from("ecc256");
assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Ecc256));
}
#[test]
fn test_unsupported_encrypt_try_from() {
Expand Down
51 changes: 30 additions & 21 deletions keylime/src/tpm.rs
Original file line number Diff line number Diff line change
Expand Up @@ -562,7 +562,7 @@ impl Context<'_> {
let key_handle: KeyHandle = match handle {
Some(v) => {
if v.is_empty() {
ek::create_ek_object(&mut ctx, alg.into(), DefaultKey)
ek::create_ek_object_2(&mut ctx, alg.into(), DefaultKey)
.map_err(|source| TpmError::TSSCreateEKError {
source,
})?
Expand Down Expand Up @@ -625,19 +625,22 @@ impl Context<'_> {
///
/// * `handle`: The associated EK handle
/// * `hash_alg`: The digest algorithm used for signing with the created AK
/// * `key_alg`: The key type used for signing with the created AK
/// * `sign_alg`: The created AK signing algorithm
///
/// Returns an `AKResult` structure if successful and a `TPMError` otherwise
pub fn create_ak(
&mut self,
handle: KeyHandle,
hash_alg: HashAlgorithm,
key_alg: EncryptionAlgorithm,
sign_alg: SignAlgorithm,
) -> Result<AKResult> {
let ak = ak::create_ak(
let ak = ak::create_ak_2(
&mut self.inner.lock().unwrap(), //#[allow_ci]
handle,
hash_alg.into(),
key_alg.into(),
sign_alg.into(),
None,
DefaultKey,
Expand Down Expand Up @@ -1921,9 +1924,7 @@ pub fn get_idevid_template(
"H-4" => (AsymmetricAlgorithm::Ecc, HashingAlgorithm::Sha512),
"H-5" => (AsymmetricAlgorithm::Ecc, HashingAlgorithm::Sm3_256),
_ => (
AsymmetricAlgorithm::from(EncryptionAlgorithm::try_from(
asym_alg_str,
)?),
EncryptionAlgorithm::try_from(asym_alg_str)?.into(),
HashingAlgorithm::from(HashAlgorithm::try_from(name_alg_str)?),
),
};
Expand Down Expand Up @@ -2421,7 +2422,8 @@ pub mod tests {
async fn test_create_ek() {
let _mutex = testing::lock_tests().await;
let mut ctx = Context::new().unwrap(); //#[allow_ci]
let algs = [EncryptionAlgorithm::Rsa, EncryptionAlgorithm::Ecc];
let algs =
[EncryptionAlgorithm::Rsa2048, EncryptionAlgorithm::Ecc256];
// TODO: create persistent handle and add to be tested: Some("0x81000000"),
let handles = [Some(""), None];

Expand All @@ -2444,12 +2446,15 @@ pub mod tests {
let _mutex = testing::lock_tests().await;
let mut ctx = Context::new().unwrap(); //#[allow_ci]

let r = ctx.create_ek(EncryptionAlgorithm::Rsa, None);
let r = ctx.create_ek(EncryptionAlgorithm::Rsa2048, None);
assert!(r.is_ok(), "Result: {r:?}");

let ek_result = r.unwrap(); //#[allow_ci]
let ek_handle = ek_result.key_handle;

let eng_algs =
[EncryptionAlgorithm::Rsa1024, EncryptionAlgorithm::Rsa2048];

let hash_algs = [
HashAlgorithm::Sha256,
HashAlgorithm::Sha384,
Expand All @@ -2470,18 +2475,20 @@ pub mod tests {
];

for sign in sign_algs {
for hash in hash_algs {
let r = ctx.create_ak(ek_handle, hash, sign);
assert!(r.is_ok(), "Result: {r:?}");
let ak = r.unwrap(); //#[allow_ci]

let r = ctx.load_ak(ek_handle, &ak);
assert!(r.is_ok(), "Result: {r:?}");
let handle = r.unwrap(); //#[allow_ci]

// Flush context to free TPM memory
let r = ctx.flush_context(handle.into());
assert!(r.is_ok(), "Result: {r:?}");
for enc in eng_algs {
for hash in hash_algs {
let r = ctx.create_ak(ek_handle, hash, enc, sign);
assert!(r.is_ok(), "Result: {r:?}");
let ak = r.unwrap(); //#[allow_ci]

let r = ctx.load_ak(ek_handle, &ak);
assert!(r.is_ok(), "Result: {r:?}");
let handle = r.unwrap(); //#[allow_ci]

// Flush context to free TPM memory
let r = ctx.flush_context(handle.into());
assert!(r.is_ok(), "Result: {r:?}");
}
}
}

Expand Down Expand Up @@ -2562,7 +2569,7 @@ pub mod tests {

// Create EK
let ek_result = ctx
.create_ek(EncryptionAlgorithm::Rsa, None)
.create_ek(EncryptionAlgorithm::Rsa2048, None)
.expect("failed to create EK");
let ek_handle = ek_result.key_handle;

Expand All @@ -2571,6 +2578,7 @@ pub mod tests {
.create_ak(
ek_handle,
HashAlgorithm::Sha256,
EncryptionAlgorithm::Rsa2048,
SignAlgorithm::RsaSsa,
)
.expect("failed to create AK");
Expand Down Expand Up @@ -2618,7 +2626,7 @@ pub mod tests {

// Create EK
let ek_result = ctx
.create_ek(EncryptionAlgorithm::Rsa, None)
.create_ek(EncryptionAlgorithm::Rsa2048, None)
.expect("failed to create EK");
let ek_handle = ek_result.key_handle;

Expand All @@ -2627,6 +2635,7 @@ pub mod tests {
.create_ak(
ek_handle,
HashAlgorithm::Sha256,
EncryptionAlgorithm::Rsa2048,
SignAlgorithm::RsaSsa,
)
.expect("failed to create ak");
Expand Down

0 comments on commit 3302efc

Please sign in to comment.