Merge pull request #213 from puiterwijk/esapi_rebase

Rebase on new tss_esapi

Cargo.toml

@@ -33,7 +33,7 @@ log = { version = "0.4.8", features = ["serde"] }
 pkcs11 = { version = "0.4.0", optional = true }
 picky-asn1-der = { version = "0.2.2", optional = true }
 picky-asn1 = { version = "0.2.1", optional = true }
-tss-esapi = { version = "4.0.5-alpha.1", optional = true }
+tss-esapi = { version = "4.0.6-alpha.1", optional = true }
 bincode = "1.1.4"
 structopt = "0.3.5"
 derivative = "2.1.1"

e2e_tests/tests/per_provider/normal_tests/export_public_key.rs

@@ -74,7 +74,7 @@ fn check_export_public_possible() -> Result<()> {
  bits: 1024,
  policy: Policy {
  usage_flags: UsageFlags {
- sign_hash: false,
+ sign_hash: true,
  verify_hash: false,
  sign_message: false,
  verify_message: false,

e2e_tests/tests/per_provider/normal_tests/key_attributes.rs

@@ -71,7 +71,7 @@ fn wrong_usage_flags() {
  usage_flags: UsageFlags {
  // Forbid signing
  sign_hash: false,
- verify_hash: false,
+ verify_hash: true,
  sign_message: false,
  verify_message: false,
  export: false,

src/providers/tpm_provider/asym_sign.rs

@@ -7,6 +7,8 @@ use log::error;
 use parsec_interface::operations::psa_algorithm::*;
 use parsec_interface::operations::{psa_sign_hash, psa_verify_hash};
 use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
+use std::convert::TryFrom;
+use tss_esapi::structures::{Auth, Digest};
 
 impl TpmProvider {
  pub(super) fn psa_sign_hash_internal(
@@ -46,8 +48,11 @@ impl TpmProvider {
  let signature = esapi_context
  .sign(
  password_context.context,
- &password_context.auth_value,
- &op.hash,
+ Some(
+ Auth::try_from(password_context.auth_value)
+ .map_err(utils::to_response_status)?,
+ ),
+ Digest::try_from((*op.hash).clone()).map_err(utils::to_response_status)?,
  )
  .map_err(|e| {
  if crate::utils::GlobalConfig::log_error_details() {
@@ -98,7 +103,11 @@ impl TpmProvider {
  let signature = utils::parsec_to_tpm_signature(op.signature, key_attributes, op.alg)?;
 
  let _ = esapi_context
- .verify_signature(password_context.context, &op.hash, signature)
+ .verify_signature(
+ password_context.context,
+ Digest::try_from((*op.hash).clone()).map_err(utils::to_response_status)?,
+ signature,
+ )
  .map_err(utils::to_response_status)?;
 
  Ok(psa_verify_hash::Result {})

src/providers/tpm_provider/key_management.rs

@@ -88,18 +88,20 @@ impl TpmProvider {
  .expect("ESAPI Context lock poisoned");
 
  let (key_context, auth_value) = esapi_context
- .create_signing_key(utils::parsec_to_tpm_params(attributes)?, AUTH_VAL_LEN)
+ .create_key(utils::parsec_to_tpm_params(attributes)?, AUTH_VAL_LEN)
  .map_err(|e| {
  format_error!("Error creating a RSA signing key", e);
  utils::to_response_status(e)
  })?;
+ // We hardcode the AUTH_VAL_LEN, so we can assume there is an auth_value
+ let auth_value = auth_value.unwrap();
 
  insert_password_context(
  &mut *store_handle,
  key_triple,
  PasswordContext {
  context: key_context,
- auth_value,
+ auth_value: auth_value.value().to_vec(),
  },
  attributes,
  )?;

src/providers/tpm_provider/mod.rs

@@ -19,8 +19,8 @@ use std::collections::HashSet;
 use std::io::ErrorKind;
 use std::str::FromStr;
 use std::sync::{Arc, Mutex, RwLock};
-use tss_esapi::utils::algorithm_specifiers::Cipher;
-use tss_esapi::utils::tcti::Tcti;
+use tss_esapi::constants::algorithm::{Cipher, HashingAlgorithm};
+use tss_esapi::Tcti;
 use uuid::Uuid;
 
 mod asym_sign;
@@ -269,9 +269,7 @@ impl TpmProviderBuilder {
  .with_root_key_auth_size(ROOT_KEY_AUTH_SIZE)
  .with_hierarchy_auth(hierarchy_auth)
  .with_hierarchy(tss_esapi::utils::Hierarchy::Owner)
- .with_session_hash_alg(
- tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256.into(),
- )
+ .with_session_hash_alg(HashingAlgorithm::Sha256.into())
  .with_default_context_cipher(default_cipher)
  .build()
  .map_err(|e| {

src/providers/tpm_provider/utils.rs

@@ -10,9 +10,10 @@ use picky_asn1_x509::RSAPublicKey;
 use serde::{Deserialize, Serialize};
 use std::convert::TryInto;
 use tss_esapi::abstraction::transient::KeyParams;
-use tss_esapi::response_code::{Error, Tss2ResponseCodeKind};
-use tss_esapi::utils::algorithm_specifiers::{EllipticCurve, HashingAlgorithm};
+use tss_esapi::constants::algorithm::{EllipticCurve, HashingAlgorithm};
+use tss_esapi::constants::response_code::Tss2ResponseCodeKind;
 use tss_esapi::utils::{AsymSchemeUnion, PublicKey, Signature, SignatureData, TpmsContext};
+use tss_esapi::Error;
 use zeroize::Zeroizing;
 const PUBLIC_EXPONENT: [u8; 3] = [0x01, 0x00, 0x01];
 
@@ -99,11 +100,20 @@ pub fn parsec_to_tpm_params(attributes: Attributes) -> Result<KeyParams> {
  x @ 1024 | x @ 2048 | x @ 3072 | x @ 4096 => x.try_into().unwrap(), // will not fail on the matched values
  _ => return Err(ResponseStatus::PsaErrorInvalidArgument),
  };
- Ok(KeyParams::Rsa {
- size,
- scheme: convert_asym_scheme_to_tpm(attributes.policy.permitted_algorithms)?,
- pub_exponent: 0,
- })
+ if attributes.is_encrypt_permitted() || attributes.is_decrypt_permitted() {
+ Ok(KeyParams::RsaEncrypt {
+ size,
+ pub_exponent: 0,
+ })
+ } else if attributes.is_hash_signable() || attributes.is_hash_verifiable() {
+ Ok(KeyParams::RsaSign {
+ size,
+ scheme: convert_asym_scheme_to_tpm(attributes.policy.permitted_algorithms)?,
+ pub_exponent: 0,
+ })
+ } else {
+ Err(ResponseStatus::PsaErrorNotSupported)
+ }
  }
  Type::EccKeyPair { .. } => Ok(KeyParams::Ecc {
  scheme: convert_asym_scheme_to_tpm(attributes.policy.permitted_algorithms)?,