sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-10 00:00:19 -04:00
Code Issues Projects Releases Wiki Activity

libtpmtss: Support of RSAPSS signature scheme

Browse Source
This commit is contained in:
Andreas Steffen 2018-07-18 22:55:27 +02:00
parent e74e920bbc
commit fd21c40b6c
5 changed files with 66 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libtpmtss/plugins/tpm/tpm_private_key.c
View File

@ -93,7 +93,7 @@ METHOD(private_key_t, sign, bool,
enumerator->destroy(enumerator); enumerator->destroy(enumerator);
return this->tpm->sign(this->tpm, this->hierarchy, this->handle, scheme, return this->tpm->sign(this->tpm, this->hierarchy, this->handle, scheme,
data, pin, signature); params, data, pin, signature);
} }
METHOD(private_key_t, decrypt, bool, METHOD(private_key_t, decrypt, bool,

5
src/libtpmtss/tpm_tss.h
View File

@ -125,14 +125,15 @@ struct tpm_tss_t {
* @param handle object handle of TPM key to be used for signature * @param handle object handle of TPM key to be used for signature
* @param hierarchy hierarchy the TPM key object is attached to * @param hierarchy hierarchy the TPM key object is attached to
* @param scheme scheme to be used for signature * @param scheme scheme to be used for signature
* @param param signature scheme parameters
* @param data data to be hashed and signed * @param data data to be hashed and signed
* @param pin PIN code or empty chunk * @param pin PIN code or empty chunk
* @param signature returns signature * @param signature returns signature
* @return TRUE if signature succeeded * @return TRUE if signature succeeded
*/ */
bool (*sign)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle, bool (*sign)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle,
signature_scheme_t scheme, chunk_t data, chunk_t pin, signature_scheme_t scheme, void *params, chunk_t data,
chunk_t *signature); chunk_t pin, chunk_t *signature);
/** /**
* Get random bytes from the TPM * Get random bytes from the TPM

3
src/libtpmtss/tpm_tss_trousers.c
View File

@ -584,7 +584,8 @@ err1:
METHOD(tpm_tss_t, sign, bool, METHOD(tpm_tss_t, sign, bool,
private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle, private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle,
signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature) signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
chunk_t *signature)
{ {
return FALSE; return FALSE;
} }

35
src/libtpmtss/tpm_tss_tss2_v1.c
View File

@ -828,10 +828,12 @@ METHOD(tpm_tss_t, quote, bool,
METHOD(tpm_tss_t, sign, bool, METHOD(tpm_tss_t, sign, bool,
private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle, private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature) signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
chunk_t *signature)
{ {
key_type_t key_type; key_type_t key_type;
hash_algorithm_t hash_alg; hash_algorithm_t hash_alg;
rsa_pss_params_t *rsa_pss_params;
uint32_t rval; uint32_t rval;
TPM_ALG_ID alg_id; TPM_ALG_ID alg_id;
@ -870,8 +872,17 @@ METHOD(tpm_tss_t, sign, bool,
} }
*( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0; *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;
key_type = key_type_from_signature_scheme(scheme); if (scheme == SIGN_RSA_EMSA_PSS)
hash_alg = hasher_from_signature_scheme(scheme, NULL); {
key_type = KEY_RSA;
rsa_pss_params = (rsa_pss_params_t *)params;
hash_alg = rsa_pss_params->hash;
}
else
{
key_type = key_type_from_signature_scheme(scheme);
hash_alg = hasher_from_signature_scheme(scheme, NULL);
}
/* Check if hash algorithm is supported by TPM */ /* Check if hash algorithm is supported by TPM */
alg_id = hash_alg_to_tpm_alg_id(hash_alg); alg_id = hash_alg_to_tpm_alg_id(hash_alg);
@ -890,8 +901,16 @@ METHOD(tpm_tss_t, sign, bool,
if (key_type == KEY_RSA && public.t.publicArea.type == TPM_ALG_RSA) if (key_type == KEY_RSA && public.t.publicArea.type == TPM_ALG_RSA)
{ {
sig_scheme.scheme = TPM_ALG_RSASSA; if (scheme == SIGN_RSA_EMSA_PSS)
sig_scheme.details.rsassa.hashAlg = alg_id; {
sig_scheme.scheme = TPM_ALG_RSAPSS;
sig_scheme.details.rsapss.hashAlg = alg_id;
}
else
{
sig_scheme.scheme = TPM_ALG_RSASSA;
sig_scheme.details.rsassa.hashAlg = alg_id;
}
} }
else if (key_type == KEY_ECDSA && public.t.publicArea.type == TPM_ALG_ECC) else if (key_type == KEY_ECDSA && public.t.publicArea.type == TPM_ALG_ECC)
{ {
@ -983,6 +1002,12 @@ METHOD(tpm_tss_t, sign, bool,
sig.signature.rsassa.sig.t.buffer, sig.signature.rsassa.sig.t.buffer,
sig.signature.rsassa.sig.t.size)); sig.signature.rsassa.sig.t.size));
break; break;
case SIGN_RSA_EMSA_PSS:
*signature = chunk_clone(
chunk_create(
sig.signature.rsapss.sig.t.buffer,
sig.signature.rsapss.sig.t.size));
break;
case SIGN_ECDSA_256: case SIGN_ECDSA_256:
case SIGN_ECDSA_384: case SIGN_ECDSA_384:
case SIGN_ECDSA_521: case SIGN_ECDSA_521:

35
src/libtpmtss/tpm_tss_tss2_v2.c
View File

@ -742,10 +742,12 @@ METHOD(tpm_tss_t, quote, bool,
METHOD(tpm_tss_t, sign, bool, METHOD(tpm_tss_t, sign, bool,
private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle, private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature) signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
chunk_t *signature)
{ {
key_type_t key_type; key_type_t key_type;
hash_algorithm_t hash_alg; hash_algorithm_t hash_alg;
rsa_pss_params_t *rsa_pss_params;
uint32_t rval; uint32_t rval;
TPM2_ALG_ID alg_id; TPM2_ALG_ID alg_id;
@ -768,8 +770,17 @@ METHOD(tpm_tss_t, sign, bool,
memcpy(cmd->hmac.buffer, pin.ptr, cmd->hmac.size); memcpy(cmd->hmac.buffer, pin.ptr, cmd->hmac.size);
} }
key_type = key_type_from_signature_scheme(scheme); if (scheme == SIGN_RSA_EMSA_PSS)
hash_alg = hasher_from_signature_scheme(scheme, NULL); {
key_type = KEY_RSA;
rsa_pss_params = (rsa_pss_params_t *)params;
hash_alg = rsa_pss_params->hash;
}
else
{
key_type = key_type_from_signature_scheme(scheme);
hash_alg = hasher_from_signature_scheme(scheme, NULL);
}
/* Check if hash algorithm is supported by TPM */ /* Check if hash algorithm is supported by TPM */
alg_id = hash_alg_to_tpm_alg_id(hash_alg); alg_id = hash_alg_to_tpm_alg_id(hash_alg);
@ -788,8 +799,16 @@ METHOD(tpm_tss_t, sign, bool,
if (key_type == KEY_RSA && public.publicArea.type == TPM2_ALG_RSA) if (key_type == KEY_RSA && public.publicArea.type == TPM2_ALG_RSA)
{ {
sig_scheme.scheme = TPM2_ALG_RSASSA; if (scheme == SIGN_RSA_EMSA_PSS)
sig_scheme.details.rsassa.hashAlg = alg_id; {
sig_scheme.scheme = TPM2_ALG_RSAPSS;
sig_scheme.details.rsapss.hashAlg = alg_id;
}
else
{
sig_scheme.scheme = TPM2_ALG_RSASSA;
sig_scheme.details.rsassa.hashAlg = alg_id;
}
} }
else if (key_type == KEY_ECDSA && public.publicArea.type == TPM2_ALG_ECC) else if (key_type == KEY_ECDSA && public.publicArea.type == TPM2_ALG_ECC)
{ {
@ -881,6 +900,12 @@ METHOD(tpm_tss_t, sign, bool,
sig.signature.rsassa.sig.buffer, sig.signature.rsassa.sig.buffer,
sig.signature.rsassa.sig.size)); sig.signature.rsassa.sig.size));
break; break;
case SIGN_RSA_EMSA_PSS:
*signature = chunk_clone(
chunk_create(
sig.signature.rsapss.sig.buffer,
sig.signature.rsapss.sig.size));
break;
case SIGN_ECDSA_256: case SIGN_ECDSA_256:
case SIGN_ECDSA_384: case SIGN_ECDSA_384:
case SIGN_ECDSA_521: case SIGN_ECDSA_521: