Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes API breaking changes. #557

Merged
merged 1 commit into from
Dec 6, 2024
Merged

Fixes API breaking changes. #557

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 44 additions & 4 deletions tss-esapi/src/abstraction/ak.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@ use crate::{
handles::{AuthHandle, KeyHandle, SessionHandle},
interface_types::{
algorithm::{
EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm,
SignatureSchemeAlgorithm,
AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm,
RsaSchemeAlgorithm, SignatureSchemeAlgorithm,
},
session_handles::PolicySession,
},
Expand All @@ -21,6 +21,7 @@ use crate::{
},
Context, Error, Result, WrapperErrorKind,
};
use log::error;
use std::convert::TryFrom;

// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.5 Revision 2
Expand Down Expand Up @@ -56,6 +57,7 @@ const POLICY_C_SM3_256: [u8; 32] = [
0x56, 0x99, 0xa3, 0xe3, 0x9f, 0xc3, 0x55, 0x1b, 0xfe, 0xff, 0xcf, 0x13, 0x2b, 0x49, 0xe1, 0x1d,
];

/// Creates a Public object for an AK key.
fn create_ak_public<IKC: IntoKeyCustomization>(
key_alg: AsymmetricAlgorithmSelection,
hash_alg: HashingAlgorithm,
Expand Down Expand Up @@ -131,7 +133,7 @@ fn create_ak_public<IKC: IntoKeyCustomization>(
key_builder.build()
}

// extracts the hashing and sysmmetric algorithm from parent and constructs the correct DigestList for OR policy
/// Extracts the hashing and symmetric algorithm from parent and constructs the correct DigestList for OR policy
fn session_config(
context: &mut Context,
parent: KeyHandle,
Expand Down Expand Up @@ -228,8 +230,46 @@ pub fn load_ak(
Ok(key_handle)
}

/// This creates an Attestation Key in the Endorsement hierarchy
/// This creates an Attestation Key in the Endorsement hierarchy.
///
/// <div class="warning">
///
/// The API of this function will be changed to that of [`create_ak_2`]
/// in the next major version.
///
/// </div>
pub fn create_ak<IKC: IntoKeyCustomization>(
Copy link
Collaborator

@wiktor-k wiktor-k Dec 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be good to mark one of them as #[deprecated] with a message.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about that. The problem is that the function will not be removed but it will have its arguments changed in the next major version.

So xx will have its arguments changed.
and xx_2 will be removed. So xx_2 is the function that we want people to use right now. But it will be removed so marking it deprecated here could cause a lot of confusion.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, so let's not do that. But a doc-comment WARNING note or something may still be a good idea? 🤔

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is an excellent idea. I need to rephrase the comments any way because I could barely understand them my self when I tried to look at the code in the browser.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I have managed to fix it now. Please have a last look at the comments so I have not made some embarrassing mistakes @wiktor-k @ionut-arm

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it looks really nice 👌

context: &mut Context,
parent: KeyHandle,
hash_alg: HashingAlgorithm,
sign_alg: SignatureSchemeAlgorithm,
ak_auth_value: Option<Auth>,
key_customization: IKC,
) -> Result<CreateKeyResult> {
let key_alg = AsymmetricAlgorithm::try_from(sign_alg).map_err(|e| {
// sign_alg is either HMAC or Null.
error!("Could not retrieve asymmetric algorithm for provided signature scheme");
e
})?;
create_ak_2(
context,
parent,
hash_alg,
AsymmetricAlgorithmSelection::try_from(key_alg)?,
sign_alg,
ak_auth_value,
key_customization,
)
}

/// This creates an Attestation Key in the Endorsement hierarchy.
///
/// <div class="warning">
///
/// This function will be removed in the next major version.
///
/// </div>
pub fn create_ak_2<IKC: IntoKeyCustomization>(
context: &mut Context,
parent: KeyHandle,
hash_alg: HashingAlgorithm,
Expand Down
59 changes: 57 additions & 2 deletions tss-esapi/src/abstraction/ek.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ use crate::{
attributes::ObjectAttributesBuilder,
handles::{KeyHandle, NvIndexTpmHandle, TpmHandle},
interface_types::{
algorithm::{HashingAlgorithm, PublicAlgorithm},
algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm},
ecc::EccCurve,
key_bits::RsaKeyBits,
resource_handles::{Hierarchy, NvAuth},
Expand Down Expand Up @@ -60,7 +60,36 @@ const AUTH_POLICY_B_SM3_256: [u8; 32] = [
///
/// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
/// Appendix B.3.3 and B.3.4
///
/// <div class="warning">
///
/// The API of this function will be changed to that of [`create_ek_public_from_default_template_2`]
/// in the next major version.
///
/// </div>
pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
alg: AsymmetricAlgorithm,
key_customization: IKC,
) -> Result<Public> {
create_ek_public_from_default_template_2(
AsymmetricAlgorithmSelection::try_from(alg)?,
key_customization,
)
}

/// Get the [`Public`] representing a default Endorsement Key
///
/// **Note**: This only works for key algorithms specified in TCG EK Credential Profile for TPM Family 2.0.
///
/// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
/// Appendix B.3.3 and B.3.4
///
/// <div class="warning">
///
/// This function will be removed in the next major version.
///
/// </div>
pub fn create_ek_public_from_default_template_2<IKC: IntoKeyCustomization>(
alg: AsymmetricAlgorithmSelection,
key_customization: IKC,
) -> Result<Public> {
Expand Down Expand Up @@ -191,12 +220,38 @@ pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
}

/// Create the Endorsement Key object from the specification templates
///
/// <div class="warning">
///
/// The API of this function will be changed to that of [`create_ek_object_2`]
/// in the next major version.
///
/// </div>
pub fn create_ek_object<IKC: IntoKeyCustomization>(
context: &mut Context,
alg: AsymmetricAlgorithm,
key_customization: IKC,
) -> Result<KeyHandle> {
create_ek_object_2(
context,
AsymmetricAlgorithmSelection::try_from(alg)?,
key_customization,
)
}

/// Create the Endorsement Key object from the specification templates
///
/// <div class="warning">
///
/// This function will be removed in the next major version.
///
/// </div>
pub fn create_ek_object_2<IKC: IntoKeyCustomization>(
context: &mut Context,
alg: AsymmetricAlgorithmSelection,
key_customization: IKC,
) -> Result<KeyHandle> {
let ek_public = create_ek_public_from_default_template(alg, key_customization)?;
let ek_public = create_ek_public_from_default_template_2(alg, key_customization)?;

Ok(context
.execute_with_nullauth_session(|ctx| {
Expand Down
4 changes: 2 additions & 2 deletions tss-esapi/src/abstraction/transient/key_attestation.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ impl TransientKeyContext {
None,
);
Ok((
ek::create_ek_object(
ek::create_ek_object_2(
&mut self.context,
AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048),
None,
Expand Down Expand Up @@ -192,7 +192,7 @@ impl TransientKeyContext {
}

fn get_ek_object_public(context: &mut crate::Context) -> Result<PublicKey> {
let key_handle = ek::create_ek_object(
let key_handle = ek::create_ek_object_2(
context,
AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048),
None,
Expand Down
Loading
Loading