
Commit 04e6225

committed
ek abstraction: align with TCG EK Credential Profile
Signed-off-by: Thore Sommer <[email protected]>
1 parent 5bb76d8 commit 04e6225


1 file changed

+110
-47
lines changed

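--- a/tss-esapi/src/abstraction/ek.rs
+++ b/tss-esapi/src/abstraction/ek.rs
@@ -32,6 +32,28 @@ const ECC_P256_SM2_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001a;
 const RSA_3072_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001c;
 const RSA_4096_EK_CERTIFICATE_NV_INDEX: u32 = 0x01c0001e;
 
+// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
+// Section B.3 and B.4
+const AUTHPOLICY_SHA256: [u8; 32] = [
+0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc, 0x8d, 0x46, 0xa5, 0xd7, 0x24,
+0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52, 0x0b, 0x64, 0xf2, 0xa1, 0xda, 0x1b, 0x33, 0x14, 0x69, 0xaa,
+];
+const AUTHPOLICY_SHA384: [u8; 48] = [
+0xb2, 0x6e, 0x7d, 0x28, 0xd1, 0x1a, 0x50, 0xbc, 0x53, 0xd8, 0x82, 0xbc, 0xf5, 0xfd, 0x3a, 0x1a,
+0x07, 0x41, 0x48, 0xbb, 0x35, 0xd3, 0xb4, 0xe4, 0xcb, 0x1c, 0x0a, 0xd9, 0xbd, 0xe4, 0x19, 0xca,
+0xcb, 0x47, 0xba, 0x09, 0x69, 0x96, 0x46, 0x15, 0x0f, 0x9f, 0xc0, 0x00, 0xf3, 0xf8, 0x0e, 0x12,
+];
+const AUTHPOLICY_SHA512: [u8; 64] = [
+0xb8, 0x22, 0x1c, 0xa6, 0x9e, 0x85, 0x50, 0xa4, 0x91, 0x4d, 0xe3, 0xfa, 0xa6, 0xa1, 0x8c, 0x07,
+0x2c, 0xc0, 0x12, 0x08, 0x07, 0x3a, 0x92, 0x8d, 0x5d, 0x66, 0xd5, 0x9e, 0xf7, 0x9e, 0x49, 0xa4,
+0x29, 0xc4, 0x1a, 0x6b, 0x26, 0x95, 0x71, 0xd5, 0x7e, 0xdb, 0x25, 0xfb, 0xdb, 0x18, 0x38, 0x42,
+0x56, 0x08, 0xb4, 0x13, 0xcd, 0x61, 0x6a, 0x5f, 0x6d, 0xb5, 0xb6, 0x07, 0x1a, 0xf9, 0x9b, 0xea,
+];
+const AUTHPOLICY_SM3_256: [u8; 32] = [
+0x16, 0x78, 0x60, 0xa3, 0x5f, 0x2c, 0x5c, 0x35, 0x67, 0xf9, 0xc9, 0x27, 0xac, 0x56, 0xc0, 0x32,
+0xf3, 0xb3, 0xa6, 0x46, 0x2f, 0x8d, 0x03, 0x79, 0x98, 0xe7, 0xa1, 0x0f, 0x77, 0xfa, 0x45, 0x4a,
+];
+
 /// Get the [`Public`] representing a default Endorsement Key
 ///
 /// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
@@ -62,54 +84,95 @@ pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
 }
 .build()?;
 
-// TPM2_PolicySecret(TPM_RH_ENDORSEMENT)
-// With 32 null-bytes attached, because of the type of with_auth_policy
-let authpolicy: [u8; 64] = [
-0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc, 0x8d, 0x46, 0xa5, 0xd7,
-0x24, 0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52, 0x0b, 0x64, 0xf2, 0xa1, 0xda, 0x1b, 0x33, 0x14,
-0x69, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00,
-];
-
 let key_builder = match alg {
-AsymmetricAlgorithmSelection::Rsa(key_bits) => PublicBuilder::new()
-.with_public_algorithm(PublicAlgorithm::Rsa)
-.with_name_hashing_algorithm(HashingAlgorithm::Sha256)
-.with_object_attributes(obj_attrs)
-.with_auth_policy(Digest::try_from(authpolicy[0..32].to_vec())?)
-.with_rsa_parameters(
-PublicRsaParametersBuilder::new()
-.with_symmetric(SymmetricDefinitionObject::AES_128_CFB)
-.with_scheme(RsaScheme::Null)
-.with_key_bits(key_bits)
-.with_exponent(RsaExponent::default())
-.with_is_signing_key(obj_attrs.sign_encrypt())
-.with_is_decryption_key(obj_attrs.decrypt())
-.with_restricted(obj_attrs.decrypt())
-.build()?,
-)
-.with_rsa_unique_identifier(PublicKeyRsa::new_empty_with_size(RsaKeyBits::Rsa2048)),
-AsymmetricAlgorithmSelection::Ecc(ecc_curve) => PublicBuilder::new()
-.with_public_algorithm(PublicAlgorithm::Ecc)
-.with_name_hashing_algorithm(HashingAlgorithm::Sha256)
-.with_object_attributes(obj_attrs)
-.with_auth_policy(Digest::try_from(authpolicy[0..32].to_vec())?)
-.with_ecc_parameters(
-PublicEccParametersBuilder::new()
-.with_symmetric(SymmetricDefinitionObject::AES_128_CFB)
-.with_ecc_scheme(EccScheme::Null)
-.with_curve(ecc_curve)
-.with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null)
-.with_is_signing_key(obj_attrs.sign_encrypt())
-.with_is_decryption_key(obj_attrs.decrypt())
-.with_restricted(obj_attrs.decrypt())
-.build()?,
-)
-.with_ecc_unique_identifier(EccPoint::new(
-EccParameter::try_from(vec![0u8; 32])?,
-EccParameter::try_from(vec![0u8; 32])?,
-)),
+AsymmetricAlgorithmSelection::Rsa(key_bits) => {
+let (hash_alg, authpolicy, symmetric) = match key_bits {
+RsaKeyBits::Rsa2048 => (
+HashingAlgorithm::Sha256,
+Digest::try_from(AUTHPOLICY_SHA256.to_vec())?,
+SymmetricDefinitionObject::AES_128_CFB,
+),
+RsaKeyBits::Rsa3072 | RsaKeyBits::Rsa4096 => (
+HashingAlgorithm::Sha384,
+Digest::try_from(AUTHPOLICY_SHA384.to_vec())?,
+SymmetricDefinitionObject::AES_256_CFB,
+),
+// Other key sizes are not specified in the spec, so fall back to default RSA profile
+_ => (
+HashingAlgorithm::Sha256,
+Digest::try_from(AUTHPOLICY_SHA256.to_vec())?,
+SymmetricDefinitionObject::AES_128_CFB,
+),
+};
+
+PublicBuilder::new()
+.with_public_algorithm(PublicAlgorithm::Rsa)
+.with_name_hashing_algorithm(hash_alg)
+.with_object_attributes(obj_attrs)
+.with_auth_policy(authpolicy)
+.with_rsa_parameters(
+PublicRsaParametersBuilder::new()
+.with_symmetric(symmetric)
+.with_scheme(RsaScheme::Null)
+.with_key_bits(key_bits)
+.with_exponent(RsaExponent::default())
+.with_is_signing_key(obj_attrs.sign_encrypt())
+.with_is_decryption_key(obj_attrs.decrypt())
+.with_restricted(obj_attrs.decrypt())
+.build()?,
+)
+.with_rsa_unique_identifier(PublicKeyRsa::new_empty_with_size(RsaKeyBits::Rsa2048))
+}
+AsymmetricAlgorithmSelection::Ecc(ecc_curve) => {
+let (hash_alg, authpolicy, symmetric) = match ecc_curve {
+EccCurve::NistP256 => (
+HashingAlgorithm::Sha256,
+Digest::try_from(AUTHPOLICY_SHA256.to_vec())?,
+SymmetricDefinitionObject::AES_128_CFB,
+),
+EccCurve::NistP384 => (
+HashingAlgorithm::Sha384,
+Digest::try_from(AUTHPOLICY_SHA384.to_vec())?,
+SymmetricDefinitionObject::AES_256_CFB,
+),
+EccCurve::NistP521 => (
+HashingAlgorithm::Sha512,
+Digest::try_from(AUTHPOLICY_SHA512.to_vec())?,
+SymmetricDefinitionObject::AES_256_CFB,
+),
+EccCurve::Sm2P256 => (
+HashingAlgorithm::Sm3_256,
+Digest::try_from(AUTHPOLICY_SM3_256.to_vec())?,
+SymmetricDefinitionObject::SM4_128_CFB,
+),
+// Other curves are not specicied in the spec, so fallback on default ECC profile
+_ => (
+HashingAlgorithm::Sha256,
+Digest::try_from(AUTHPOLICY_SHA256.to_vec())?,
+SymmetricDefinitionObject::AES_128_CFB,
+),
+};
+PublicBuilder::new()
+.with_public_algorithm(PublicAlgorithm::Ecc)
+.with_name_hashing_algorithm(hash_alg)
+.with_object_attributes(obj_attrs)
+.with_auth_policy(authpolicy)
+.with_ecc_parameters(
+PublicEccParametersBuilder::new()
+.with_symmetric(symmetric)
+.with_ecc_scheme(EccScheme::Null)
+.with_curve(ecc_curve)
+.with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null)
+.with_is_signing_key(obj_attrs.sign_encrypt())
+.with_is_decryption_key(obj_attrs.decrypt())
+.with_restricted(obj_attrs.decrypt())
+.build()?,
+)
+.with_ecc_unique_identifier(EccPoint::new(
+EccParameter::try_from(vec![0u8; 32])?,
+EccParameter::try_from(vec![0u8; 32])?,
+))
+}
 };
 
 let key_builder = if let Some(ref k) = key_customization {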
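Review bot: In both match arms of the second hunk the `unique` field keeps its 2048-bit / P-256 shape whatever was selected: `.with_rsa_unique_identifier(PublicKeyRsa::new_empty_with_size(RsaKeyBits::Rsa2048))` also runs for `Rsa3072` and `Rsa4096`, and the ECC arm passes two `vec![0u8; 32]` coordinates for `NistP384`, `NistP521` and `Sm2P256`. The `unique` value is part of the template the TPM derives the primary key from, so if it differs from the profile's template for that algorithm the resulting EK will not match the provisioned EK certificate. I would carry it as a fourth element of each `(hash_alg, authpolicy, symmetric)` tuple and take it from the matching template in the profile; from memory the SHA-384, SHA-512 and SM3 templates use zero-length buffers, which should be confirmed against the spec. The `_ =>` fallbacks also silently build a SHA-256 template for key sizes and curves the profile does not define, where returning an error would avoid producing a non-standard EK. The enclosing function starts and ends outside the hunk.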
