keylime · ansasaki · May 27, 2025 · May 27, 2025 · May 27, 2025 · Oct 1, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -45,6 +45,6 @@ static_assertions = "1"
 tempfile = "3.4.0"
 thiserror = "2.0"
 tokio = {version = "1", features = ["rt", "sync", "macros"]}
-tss-esapi = {version = "7.4.0", features = ["generate-bindings"]}
+tss-esapi = {version = "7.6.0", features = ["generate-bindings"]}
 uuid = {version = "1.3", features = ["v4"]}
 zip = {version = "0.6", default-features = false, features= ["deflate"]}
diff --git a/keylime-agent.conf b/keylime-agent.conf
@@ -217,7 +217,7 @@ allow_payload_revocation_actions = true
 #
 # Currently accepted values include:
 # - hashing:    sha512, sha384, sha256 or sha1
-# - encryption: ecc or rsa
+# - encryption: rsa (alias for rsa2048), rsa1024, rsa2048, rsa3072, rsa4096, ecc (alias for ecc256), ecc192, ecc224, ecc256, ecc384, ecc521 or ecc_sm2. 
 # - signing:    rsassa or ecdsa
 #
 # To override tpm_hash_alg, set KEYLIME_AGENT_TPM_HASH_ALG environment variable.

diff --git a/keylime-agent/src/agent_handler.rs b/keylime-agent/src/agent_handler.rs
@@ -88,7 +88,7 @@ mod tests {
     async fn test_agent_info() {
         let (mut quotedata, mutex) = QuoteData::fixture().await.unwrap(); //#[allow_ci]
         quotedata.hash_alg = keylime::algorithms::HashAlgorithm::Sha256;
-        quotedata.enc_alg = keylime::algorithms::EncryptionAlgorithm::Rsa;
+        quotedata.enc_alg = keylime::algorithms::EncryptionAlgorithm::Rsa2048;
         quotedata.sign_alg = keylime::algorithms::SignAlgorithm::RsaSsa;
         quotedata.agent_uuid = "DEADBEEF".to_string();
         let data = web::Data::new(quotedata);

diff --git a/keylime-agent/src/common.rs b/keylime-agent/src/common.rs
@@ -126,6 +126,7 @@ mod tests {
         let ak = ctx.create_ak(
             ek_result.key_handle,
             tpm_hash_alg,
+            tpm_encryption_alg,
             tpm_signing_alg,
         )?;
 

diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs
@@ -548,8 +548,10 @@
             .collect::<Vec<String>>()
             .join(", "),
         "latest" => {
-            if let Some(version) =
-                SUPPORTED_API_VERSIONS.iter().map(|&s| s.to_string()).last()
+            if let Some(version) = SUPPORTED_API_VERSIONS
+                .iter()
+                .map(|&s| s.to_string())
+                .next_back()
             {
                 version
             } else {
@@ -914,7 +916,7 @@
         let expected = SUPPORTED_API_VERSIONS
             .iter()
             .map(|e| e.to_string())
-            .last()
+            .next_back()
             .unwrap(); //#[allow_ci]
         assert_eq!(version, expected);
     }

diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
@@ -423,6 +423,7 @@ async fn main() -> Result<()> {
             let new_ak = ctx.create_ak(
                 ek_result.key_handle,
                 tpm_hash_alg,
+                tpm_encryption_alg,
                 tpm_signing_alg,
             )?;
             let ak_handle = ctx.load_ak(ek_result.key_handle, &new_ak)?;
@@ -980,6 +981,7 @@ mod testing {
                 .create_ak(
                     ek_result.key_handle,
                     tpm_hash_alg,
+                    tpm_encryption_alg,
                     tpm_signing_alg,
                 )
                 .unwrap(); //#[allow_ci]
@@ -1057,7 +1059,8 @@ mod testing {
                     payload_tx,
                     revocation_tx,
                     hash_alg: keylime::algorithms::HashAlgorithm::Sha256,
-                    enc_alg: keylime::algorithms::EncryptionAlgorithm::Rsa,
+                    enc_alg:
+                        keylime::algorithms::EncryptionAlgorithm::Rsa2048,
                     sign_alg: keylime::algorithms::SignAlgorithm::RsaSsa,
                     agent_uuid: test_config.agent.uuid,
                     allow_payload_revocation_actions: test_config

diff --git a/keylime-push-model-agent/src/registration.rs b/keylime-push-model-agent/src/registration.rs
@@ -34,8 +34,12 @@
     let mut ctx = tpm::Context::new()?;
     let ek_result = ctx.create_ek(tpm_encryption_alg, None)?;
     let ek_hash = hash_ek::hash_ek_pubkey(ek_result.public.clone())?;
-    let ak =
-        ctx.create_ak(ek_result.key_handle, tpm_hash_alg, tpm_signing_alg)?;
+    let ak = ctx.create_ak(
+        ek_result.key_handle,
+        tpm_hash_alg,
+        tpm_encryption_alg,
+        tpm_signing_alg,
+    )?;
     let ak_handle = ctx.load_ak(ek_result.key_handle, &ak)?;
 
     AgentData::create(

diff --git a/keylime/src/algorithms.rs b/keylime/src/algorithms.rs
@@ -6,8 +6,13 @@
 use std::fmt;
 use thiserror::Error;
 use tss_esapi::{
-    interface_types::algorithm::{
-        AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
+    abstraction::AsymmetricAlgorithmSelection,
+    interface_types::{
+        algorithm::{
+            AsymmetricAlgorithm, HashingAlgorithm, SignatureSchemeAlgorithm,
+        },
+        ecc::EccCurve,
+        key_bits::RsaKeyBits,
     },
     structures::{HashScheme, SignatureScheme},
 };
@@ -89,15 +94,68 @@
 
 #[derive(Copy, Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
 pub enum EncryptionAlgorithm {
-    Rsa,
-    Ecc,
+    Rsa1024,
+    Rsa2048,
+    Rsa3072,
+    Rsa4096,
+    Ecc192,
+    Ecc224,
+    Ecc256,
+    Ecc384,
+    Ecc521,
+    EccSm2,
 }
 
 impl From<EncryptionAlgorithm> for AsymmetricAlgorithm {
     fn from(enc_alg: EncryptionAlgorithm) -> Self {
         match enc_alg {
-            EncryptionAlgorithm::Rsa => AsymmetricAlgorithm::Rsa,
-            EncryptionAlgorithm::Ecc => AsymmetricAlgorithm::Ecc,
+            EncryptionAlgorithm::Rsa1024 => AsymmetricAlgorithm::Rsa,
+            EncryptionAlgorithm::Rsa2048 => AsymmetricAlgorithm::Rsa,
+            EncryptionAlgorithm::Rsa3072 => AsymmetricAlgorithm::Rsa,
+            EncryptionAlgorithm::Rsa4096 => AsymmetricAlgorithm::Rsa,
+            EncryptionAlgorithm::Ecc192 => AsymmetricAlgorithm::Ecc,
+            EncryptionAlgorithm::Ecc224 => AsymmetricAlgorithm::Ecc,
+            EncryptionAlgorithm::Ecc256 => AsymmetricAlgorithm::Ecc,
+            EncryptionAlgorithm::Ecc384 => AsymmetricAlgorithm::Ecc,
+            EncryptionAlgorithm::Ecc521 => AsymmetricAlgorithm::Ecc,
+            EncryptionAlgorithm::EccSm2 => AsymmetricAlgorithm::Ecc,
+        }
+    }
+}
+
+impl From<EncryptionAlgorithm> for AsymmetricAlgorithmSelection {
+    fn from(enc_alg: EncryptionAlgorithm) -> Self {
+        match enc_alg {
+            EncryptionAlgorithm::Rsa1024 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa1024)
+            }
+            EncryptionAlgorithm::Rsa2048 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048)
+            }
+            EncryptionAlgorithm::Rsa3072 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa3072)
+            }
+            EncryptionAlgorithm::Rsa4096 => {
+                AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa4096)
+            }
+            EncryptionAlgorithm::Ecc192 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP192)
+            }
+            EncryptionAlgorithm::Ecc224 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP224)
+            }
+            EncryptionAlgorithm::Ecc256 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP256)
+            }
+            EncryptionAlgorithm::Ecc384 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP384)
+            }
+            EncryptionAlgorithm::Ecc521 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::NistP521)
+            }
+            EncryptionAlgorithm::EccSm2 => {
+                AsymmetricAlgorithmSelection::Ecc(EccCurve::Sm2P256)
+            }
         }
     }
 }
@@ -107,8 +165,25 @@
 
     fn try_from(value: &str) -> Result<Self, Self::Error> {
         match value {
-            "rsa" => Ok(EncryptionAlgorithm::Rsa),
-            "ecc" => Ok(EncryptionAlgorithm::Ecc),
+            /* Use default key size and curve if not explicitly specified */
+            "rsa" => Ok(EncryptionAlgorithm::Rsa2048),
+            "ecc" => Ok(EncryptionAlgorithm::Ecc256),
+            "rsa1024" => Ok(EncryptionAlgorithm::Rsa1024),
+            "rsa2048" => Ok(EncryptionAlgorithm::Rsa2048),
+            "rsa3072" => Ok(EncryptionAlgorithm::Rsa3072),
+            "rsa4096" => Ok(EncryptionAlgorithm::Rsa4096),
+            "ecc192" => Ok(EncryptionAlgorithm::Ecc192),
+            "ecc_nist_p192" => Ok(EncryptionAlgorithm::Ecc192),
+            "ecc224" => Ok(EncryptionAlgorithm::Ecc224),
+            "ecc_nist_p224" => Ok(EncryptionAlgorithm::Ecc224),
+            "ecc256" => Ok(EncryptionAlgorithm::Ecc256),
+            "ecc_nist_p256" => Ok(EncryptionAlgorithm::Ecc256),
+            "ecc384" => Ok(EncryptionAlgorithm::Ecc384),
+            "ecc_nist_p384" => Ok(EncryptionAlgorithm::Ecc384),
+            "ecc521" => Ok(EncryptionAlgorithm::Ecc521),
+            "ecc_nist_p521" => Ok(EncryptionAlgorithm::Ecc521),
+            "ecc_sm2" => Ok(EncryptionAlgorithm::EccSm2),
+            "ecc_sm2_p256" => Ok(EncryptionAlgorithm::EccSm2),
             _ => Err(AlgorithmError::UnsupportedEncryptionAlgorithm(
                 value.into(),
             )),
@@ -119,8 +194,16 @@
 impl fmt::Display for EncryptionAlgorithm {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         let value = match self {
-            EncryptionAlgorithm::Rsa => "rsa",
-            EncryptionAlgorithm::Ecc => "ecc",
+            EncryptionAlgorithm::Rsa1024 => "rsa1024",
+            EncryptionAlgorithm::Rsa2048 => "rsa", /* for backwards compatibility */
+            EncryptionAlgorithm::Rsa3072 => "rsa3072",
+            EncryptionAlgorithm::Rsa4096 => "rsa4096",
+            EncryptionAlgorithm::Ecc192 => "ecc192",
+            EncryptionAlgorithm::Ecc224 => "ecc224",
+            EncryptionAlgorithm::Ecc256 => "ecc", /* for backwards compatibility */
+            EncryptionAlgorithm::Ecc384 => "ecc384",
+            EncryptionAlgorithm::Ecc521 => "ecc521",
+            EncryptionAlgorithm::EccSm2 => "ecc_sm2",
         };
         write!(f, "{value}")
     }
@@ -219,9 +302,13 @@
     #[test]
     fn test_encrypt_try_from() {
         let result = EncryptionAlgorithm::try_from("rsa");
-        assert!(result.is_ok());
+        assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Rsa2048));
         let result = EncryptionAlgorithm::try_from("ecc");
-        assert!(result.is_ok());
+        assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Ecc256));
+        let result = EncryptionAlgorithm::try_from("rsa4096");
+        assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Rsa4096));
+        let result = EncryptionAlgorithm::try_from("ecc256");
+        assert!(result.is_ok_and(|r| r == EncryptionAlgorithm::Ecc256));
     }
     #[test]
     fn test_unsupported_encrypt_try_from() {