WIP: Create credentials

Author: baloo

Cargo.toml

@@ -7,3 +7,8 @@ p192 = { git = "https://github.com/RustCrypto/elliptic-curves.git" }
 p224 = { git = "https://github.com/RustCrypto/elliptic-curves.git" }
 sm2 = { git = "https://github.com/RustCrypto/elliptic-curves.git" }
 
+# https://github.com/RustCrypto/KDFs/pull/108
+kbkdf = { git = "https://github.com/baloo/KDFs.git", branch = "baloo/kbkdf/pre-releases" }
+concat-kdf = { git = "https://github.com/RustCrypto/KDFs.git" }
+
+cfb-mode = { git = "https://github.com/RustCrypto/block-modes.git" }

tss-esapi/Cargo.toml

@@ -35,8 +35,10 @@ regex = "1.3.9"
 zeroize = { version = "1.5.7", features = ["zeroize_derive"] }
 tss-esapi-sys = { path = "../tss-esapi-sys", version = "0.5.0" }
 x509-cert = { version = "0.3.0-pre.0", optional = true }
+cfb-mode = { version = "0.9.0-pre", optional = true }
 ecdsa = { version = "0.17.0-pre.9", features = ["der", "hazmat", "arithmetic", "verifying"], optional = true }
 elliptic-curve = { version = "0.14.0-rc.1", optional = true, features = ["alloc", "pkcs8"] }
+hmac = { version = "0.13.0-pre.4", optional = true }
 p192 = { version = "0.14.0-pre", optional = true }
 p224 = { version = "0.14.0-pre", optional = true }
 p256 = { version = "0.14.0-pre.2", optional = true }
@@ -48,16 +50,21 @@ sha2 = { version = "0.11.0-pre.4", optional = true }
 sha3 = { version = "0.11.0-pre.4", optional = true }
 sm2 = { version = "0.14.0-pre", optional = true }
 sm3 = { version = "0.5.0-pre.4", optional = true }
+kbkdf = { version = "0.1.0" }
+concat-kdf = { version = "0.2.0-pre" }
 digest = "0.11.0-pre.9"
 signature = { version = "2.3.0-pre.4", features = ["std"], optional = true}
 cfg-if = "1.0.0"
 strum = { version = "0.26.3", optional = true }
 strum_macros = { version = "0.26.4", optional = true }
 paste = "1.0.14"
 getrandom = "0.2.11"
+rand = "0.8"
+aes = "0.9.0-pre.2"
 
 [dev-dependencies]
 env_logger = "0.11.5"
+hex-literal = "0.4.1"
 serde_json = "^1.0.108"
 sha2 = { version = "0.11.0-pre.4", features = ["oid"] }
 tss-esapi = { path = ".", features = [
@@ -66,6 +73,7 @@ tss-esapi = { path = ".", features = [
     "abstraction",
     "rustcrypto-full",
 ] }
+p256 = { version = "0.14.0-pre.2", features = ["ecdh"] }
 x509-cert = { version = "0.3.0-pre.0", features = ["builder"] }
 
 [build-dependencies]
@@ -77,6 +85,6 @@ generate-bindings = ["tss-esapi-sys/generate-bindings"]
 abstraction = ["rustcrypto"]
 integration-tests = ["strum", "strum_macros"]
 
-rustcrypto = ["ecdsa", "elliptic-curve", "signature", "x509-cert"]
+rustcrypto = ["cfb-mode", "ecdsa", "elliptic-curve", "hmac", "signature", "x509-cert"]
 rustcrypto-full = ["rustcrypto", "p192", "p224", "p256", "p384", "p521", "rsa", "sha1", "sha2", "sha3", "sm2", "sm3"]
 

tss-esapi/src/utils/credential.rs

@@ -0,0 +1,103 @@
+// Copyright 2019 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+
+use aes::cipher::AsyncStreamCipher;
+use digest::{
+    array::ArraySize,
+    consts::U9,
+    crypto_common::{Iv, KeyIvInit},
+    typenum::operator_aliases::Sum,
+    KeyInit, Mac,
+};
+use ecdsa::elliptic_curve::{
+    ecdh::{EphemeralSecret, SharedSecret},
+    sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint},
+    AffinePoint, Curve, CurveArithmetic, FieldBytesSize, PublicKey,
+};
+use hmac::Hmac;
+use rand::thread_rng;
+use sha2::Sha256;
+use std::ops::Add;
+
+use crate::{
+    structures::{EncryptedSecret, IdObject, Name},
+    utils::kdf::{self},
+};
+
+pub fn make_credential_ecc<C>(
+    ek_public: PublicKey<C>,
+    secret: &[u8],
+    key_name: Name,
+) -> (IdObject, EncryptedSecret)
+where
+    C: Curve + CurveArithmetic,
+
+    AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+    FieldBytesSize<C>: ModulusSize,
+
+    <FieldBytesSize<C> as Add>::Output: Add<FieldBytesSize<C>>,
+    Sum<FieldBytesSize<C>, FieldBytesSize<C>>: ArraySize,
+    Sum<FieldBytesSize<C>, FieldBytesSize<C>>: Add<U9>,
+    Sum<Sum<FieldBytesSize<C>, FieldBytesSize<C>>, U9>: ArraySize,
+{
+    let mut rng = thread_rng();
+
+    let local = EphemeralSecret::<C>::random(&mut rng);
+
+    let ecdh_secret: SharedSecret<C> = local.diffie_hellman(&ek_public);
+
+    let _ = key_name;
+
+    type HmacSha256 = Hmac<Sha256>;
+
+    let seed = kdf::kdfe::<kdf::Identity, Sha256, C, aes::Aes256>(
+        &ecdh_secret,
+        &local.public_key(),
+        &ek_public,
+    );
+    drop(ecdh_secret);
+
+    // The local ECDH pair is used as "encrypted seed"
+    let encrypted_seed = {
+        let mut out = vec![];
+        out.extend_from_slice(&32u16.to_be_bytes()[..]);
+        out.extend_from_slice(&local.public_key().to_encoded_point(false).x().unwrap());
+        out.extend_from_slice(&32u16.to_be_bytes()[..]);
+        out.extend_from_slice(&local.public_key().to_encoded_point(false).y().unwrap());
+        out
+    };
+
+    let mut sensitive_data = {
+        let mut out = vec![];
+        out.extend_from_slice(&u16::try_from(secret.len()).unwrap().to_be_bytes()[..]);
+        out.extend_from_slice(secret);
+        out
+    };
+
+    let sym_key = kdf::kdfa::<Sha256, kdf::Storage, aes::Aes128>(&seed, key_name.value(), &[]);
+    println!("----");
+    let hmac_key = kdf::kdfa::<Sha256, kdf::Integrity, aes::Aes256>(&seed, &[], &[]);
+    type Aes128CfbEnc = cfb_mode::Encryptor<aes::Aes128>;
+    let iv: Iv<Aes128CfbEnc> = Default::default();
+
+    Aes128CfbEnc::new(&sym_key.into(), &iv.into()).encrypt(&mut sensitive_data);
+
+    let mut hmac = HmacSha256::new_from_slice(&hmac_key).unwrap();
+    hmac.update(&sensitive_data);
+    hmac.update(key_name.value());
+    let hmac = hmac.finalize();
+
+    let mut out = vec![];
+    out.extend_from_slice(
+        &u16::try_from(hmac.into_bytes().len())
+            .unwrap()
+            .to_be_bytes()[..],
+    );
+    out.extend_from_slice(&hmac.into_bytes());
+    out.extend_from_slice(&sensitive_data);
+
+    (
+        IdObject::from_bytes(&out).unwrap(),
+        EncryptedSecret::from_bytes(&encrypted_seed).unwrap(),
+    )
+}

tss-esapi/src/utils/kdf.rs

@@ -0,0 +1,230 @@
+// Copyright 2025 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+
+use core::ops::{Add, Mul};
+
+use digest::{
+    array::{Array, ArraySize},
+    consts::{U10, U4, U7, U8, U9},
+    crypto_common::KeySizeUser,
+    typenum::{operator_aliases::Sum, Unsigned},
+    Digest, FixedOutputReset, Key, OutputSizeUser,
+};
+use ecdsa::elliptic_curve::{
+    ecdh::SharedSecret,
+    sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint},
+    AffinePoint, Curve, CurveArithmetic, FieldBytesSize, PublicKey,
+};
+use hmac::{EagerHash, Hmac};
+use kbkdf::{Counter, Kbkdf};
+
+// Note: until generic_const_expr stabilize, we will have to carry a const parameter on the trait,
+// once that's stable, we should be able to do `const LABEL: [u8; Self::LabelSize]`
+// Until then, the prefered implementation would be using `impl_kdf_usage` macro, as it should be
+// misuse-resistant.
+pub trait KdfUsage {
+    type LabelSize: Unsigned;
+    const LABEL: &'static [u8];
+}
+
+macro_rules! impl_kdf_usage {
+    ($usage:ty, $size: ty, $value: expr) => {
+        impl KdfUsage for $usage {
+            type LabelSize = $size;
+            const LABEL: &'static [u8] = {
+                let _: [u8; <$size>::USIZE] = *$value;
+                $value
+            };
+        }
+    };
+}
+
+#[derive(Copy, Clone, Debug)]
+pub struct Secret;
+impl_kdf_usage!(Secret, U7, b"SECRET\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Context;
+impl_kdf_usage!(Context, U8, b"CONTEXT\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Obfuscate;
+impl_kdf_usage!(Obfuscate, U10, b"OBFUSCATE\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Storage;
+impl_kdf_usage!(Storage, U8, b"STORAGE\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Integrity;
+impl_kdf_usage!(Integrity, U10, b"INTEGRITY\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Commit;
+impl_kdf_usage!(Commit, U7, b"COMMIT\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Cfb;
+impl_kdf_usage!(Cfb, U4, b"CFB\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Xor;
+impl_kdf_usage!(Xor, U4, b"XOR\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Session;
+impl_kdf_usage!(Session, U8, b"SESSION\0");
+
+#[derive(Copy, Clone, Debug)]
+pub struct Identity;
+impl_kdf_usage!(Identity, U9, b"IDENTITY\0");
+
+type LabelAndUAndV<N, C> = Sum<Sum<FieldBytesSize<C>, FieldBytesSize<C>>, N>;
+
+pub fn kdfa<H, L, K>(key: &[u8], context_u: &[u8], context_v: &[u8]) -> Key<K>
+where
+    L: KdfUsage,
+
+    H: Digest + FixedOutputReset + EagerHash,
+    K: KeySizeUser,
+
+    K::KeySize: ArraySize + Mul<U8>,
+    <K::KeySize as Mul<U8>>::Output: Unsigned,
+
+    <<H as EagerHash>::Core as OutputSizeUser>::OutputSize: ArraySize + Mul<U8>,
+    <<<H as EagerHash>::Core as OutputSizeUser>::OutputSize as Mul<U8>>::Output: Unsigned,
+{
+    let mut context = Vec::with_capacity(context_u.len() + context_v.len());
+    context.extend_from_slice(context_u);
+    context.extend_from_slice(context_v);
+
+    let kdf = Counter::<Hmac<H>, K>::default();
+    kdf.derive(
+        key,
+        true,
+        false, // TODO(baloo):
+        // https://github.com/tpm2-software/tpm2-pytss/blob/a3e64878f622e23a0313144bed055c78b0f3f8d5/src/tpm2_pytss/internal/crypto.py#L344
+        // is wrong
+        L::LABEL,
+        &context,
+    )
+    .unwrap()
+}
+
+pub fn kdfe<U, H, C, K>(
+    z: &SharedSecret<C>,
+    party_u_info: &PublicKey<C>,
+    party_v_info: &PublicKey<C>,
+) -> Key<K>
+// TODO: return error
+where
+    U: KdfUsage,
+
+    H: Digest + FixedOutputReset,
+    C: Curve + CurveArithmetic,
+    K: KeySizeUser,
+
+    AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+    FieldBytesSize<C>: ModulusSize,
+
+    <FieldBytesSize<C> as Add>::Output: Add<FieldBytesSize<C>>,
+    Sum<FieldBytesSize<C>, FieldBytesSize<C>>: Add<U::LabelSize>,
+    Sum<Sum<FieldBytesSize<C>, FieldBytesSize<C>>, U::LabelSize>: ArraySize,
+{
+    let mut key = Key::<K>::default();
+
+    let mut other_info = Array::<u8, LabelAndUAndV<U::LabelSize, C>>::default();
+    other_info[..U::LabelSize::USIZE].copy_from_slice(&U::LABEL);
+
+    // TODO: convert that to affine point, then grab the X from there instead.
+    other_info[U::LabelSize::USIZE..U::LabelSize::USIZE + FieldBytesSize::<C>::USIZE]
+        .copy_from_slice(&party_u_info.to_encoded_point(false).x().unwrap());
+    other_info[U::LabelSize::USIZE + FieldBytesSize::<C>::USIZE..]
+        .copy_from_slice(&party_v_info.to_encoded_point(false).x().unwrap());
+
+    concat_kdf::derive_key_into::<H>(z.raw_secret_bytes(), &other_info, &mut key).unwrap();
+
+    key
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    use aes::Aes256;
+    use hex_literal::hex;
+    use sha2::Sha256;
+
+    #[test]
+    fn test_kdfe() {
+        struct Vector<const S: usize, const K: usize, const E: usize> {
+            shared_secret: [u8; S],
+            local_key: [u8; K],
+            remote_key: [u8; K],
+            expected: [u8; E],
+        }
+
+        // Test vectors here were manually generated from tpm2-pytss
+        static TEST_VECTORS_SHA256: [Vector<
+            { FieldBytesSize::<p256::NistP256>::USIZE },
+            { <FieldBytesSize<p256::NistP256> as ModulusSize>::CompressedPointSize::USIZE },
+            32,
+        >; 2] = [
+            Vector {
+                shared_secret: hex!(
+                    "c75afb6f49c941ef194b232d7615769f5152d20de5dee19a991067f337dd65bc"
+                ),
+                local_key: hex!(
+                    "031ba4030de068a2f07919c42ef6b19f302884f35f45e7d4e4bb90ffbb0bd9d099"
+                ),
+                remote_key: hex!(
+                    "038f2b219a29c2ff9ba69cedff2d08d33a5dbca3da6bc8af8acd3ff6f5ec4dfbef"
+                ),
+                expected: hex!("e3a0079db19724f9b76101e9364c4a149cea3501336abc3b603f94b22b6309a5"),
+            },
+            Vector {
+                shared_secret: hex!(
+                    "a90a1c095155428500ed19e87c0df078df3dd2e66a0e3bbe664ba9ff62113b4a"
+                ),
+                local_key: hex!(
+                    "03e9c7d6a853ba6176b65ec2f328bdea25f61c4e1b23a4e1c08e1da8c723381a04"
+                ),
+                remote_key: hex!(
+                    "036ccf059628d3cdf8e1b4c4ba6d14696ba51cc8d4a96df4016f0b214782d5cee6"
+                ),
+                expected: hex!("865f8093e2c4b801dc8c236eeb2806c7b1c51c2cb04101c035f7f2511ea0aeda"),
+            },
+        ];
+
+        for v in &TEST_VECTORS_SHA256 {
+            let out = kdfe::<Identity, Sha256, p256::NistP256, Aes256>(
+                &SharedSecret::from(Array::from(v.shared_secret)),
+                &PublicKey::try_from(Array::from(v.local_key)).unwrap(),
+                &PublicKey::try_from(Array::from(v.remote_key)).unwrap(),
+            );
+            assert_eq!(out, v.expected);
+        }
+    }
+
+    #[test]
+    fn test_kdfa() {
+        struct Vector {
+            key: &'static [u8],
+            context_u: &'static [u8],
+            context_v: &'static [u8],
+            expected: &'static [u8],
+        }
+
+        static TEST_VECTORS_SHA256: [Vector; 1] = [Vector {
+            key: &hex!("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"),
+            context_u: b"",
+            context_v: &hex!("0506070809"),
+            expected: &hex!("de275f7f5cfeaac226b30d42377903b34705f178730d96400ccafb736e3d28a4"),
+        }];
+
+        for v in &TEST_VECTORS_SHA256 {
+            let out = kdfa::<Sha256, Storage, Aes256>(&v.key, &v.context_u, &v.context_v);
+            assert_eq!(out.as_slice(), v.expected);
+        }
+    }
+}