Create credentials

Signed-off-by: Arthur Gautier <[email protected]>

Author: baloo

Cargo.toml

@@ -7,3 +7,11 @@ p192 = { git = "https://github.com/RustCrypto/elliptic-curves.git" }
 p224 = { git = "https://github.com/RustCrypto/elliptic-curves.git" }
 sm2 = { git = "https://github.com/RustCrypto/elliptic-curves.git" }
 
+# https://github.com/RustCrypto/KDFs/pull/108
+kbkdf = { git = "https://github.com/TheBestTvarynka/KDFs.git", branch = "feat/kbkdf" }
+concat-kdf = { git = "https://github.com/RustCrypto/KDFs.git" }
+
+cfb-mode = { git = "https://github.com/RustCrypto/block-modes.git" }
+
+# https://github.com/RustCrypto/RSA/pull/467
+rsa = { git = "https://github.com/baloo/RSA.git", branch = "baloo/oaep/non-string-label" }

tss-esapi/Cargo.toml

@@ -35,8 +35,11 @@ regex = "1.3.9"
 zeroize = { version = "1.5.7", features = ["zeroize_derive"] }
 tss-esapi-sys = { path = "../tss-esapi-sys", version = "0.5.0" }
 x509-cert = { version = "0.3.0-pre.0", optional = true }
+aes = { version = "0.9.0-pre.2", optional = true }
+cfb-mode = { version = "0.9.0-pre", optional = true }
 ecdsa = { version = "0.17.0-pre.9", features = ["der", "hazmat", "arithmetic", "verifying"], optional = true }
 elliptic-curve = { version = "0.14.0-rc.1", optional = true, features = ["alloc", "pkcs8"] }
+hmac = { version = "0.13.0-pre.4", optional = true }
 p192 = { version = "0.14.0-pre", optional = true }
 p224 = { version = "0.14.0-pre", optional = true }
 p256 = { version = "0.14.0-pre.2", optional = true }
@@ -48,16 +51,22 @@ sha2 = { version = "0.11.0-pre.4", optional = true }
 sha3 = { version = "0.11.0-pre.4", optional = true }
 sm2 = { version = "0.14.0-pre", optional = true }
 sm3 = { version = "0.5.0-pre.4", optional = true }
+kbkdf = { version = "0.1.0", optional = true }
+concat-kdf = { version = "0.2.0-pre", optional = true }
 digest = "0.11.0-pre.9"
 signature = { version = "2.3.0-pre.4", features = ["std"], optional = true}
 cfg-if = "1.0.0"
 strum = { version = "0.26.3", optional = true }
 strum_macros = { version = "0.26.4", optional = true }
 paste = "1.0.14"
 getrandom = "0.2.11"
+rand = "0.8"
 
 [dev-dependencies]
+aes = "0.9.0-pre.2"
 env_logger = "0.11.5"
+hex-literal = "0.4.1"
+rsa = { version = "0.10.0-pre.3" }
 serde_json = "^1.0.108"
 sha2 = { version = "0.11.0-pre.4", features = ["oid"] }
 tss-esapi = { path = ".", features = [
@@ -66,6 +75,7 @@ tss-esapi = { path = ".", features = [
     "abstraction",
     "rustcrypto-full",
 ] }
+p256 = { version = "0.14.0-pre.2", features = ["ecdh"] }
 x509-cert = { version = "0.3.0-pre.0", features = ["builder"] }
 
 [build-dependencies]
@@ -77,6 +87,6 @@ generate-bindings = ["tss-esapi-sys/generate-bindings"]
 abstraction = ["rustcrypto"]
 integration-tests = ["strum", "strum_macros"]
 
-rustcrypto = ["ecdsa", "elliptic-curve", "signature", "x509-cert"]
-rustcrypto-full = ["rustcrypto", "p192", "p224", "p256", "p384", "p521", "rsa", "sha1", "sha2", "sha3", "sm2", "sm3"]
+rustcrypto = ["cfb-mode", "concat-kdf", "ecdsa", "elliptic-curve", "elliptic-curve/ecdh", "hmac", "kbkdf", "signature", "x509-cert"]
+rustcrypto-full = ["rustcrypto", "aes", "p192", "p224", "p256", "p384", "p521", "rsa", "sha1", "sha2", "sha3", "sm2", "sm3"]
 

tss-esapi/src/utils/credential.rs

@@ -0,0 +1,265 @@
+// Copyright 2025 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+
+use core::{
+    marker::PhantomData,
+    ops::{Add, Mul},
+};
+
+use aes::cipher::AsyncStreamCipher;
+use cfb_mode::cipher::BlockCipherEncrypt;
+use digest::{
+    array::ArraySize,
+    consts::{B1, U8},
+    crypto_common::{Iv, KeyIvInit, KeySizeUser},
+    typenum::{
+        operator_aliases::{Add1, Sum},
+        Unsigned,
+    },
+    Digest, DynDigest, FixedOutputReset, Key, KeyInit, Mac, OutputSizeUser,
+};
+use ecdsa::elliptic_curve::{
+    ecdh::{EphemeralSecret, SharedSecret},
+    sec1::{Coordinates, FromEncodedPoint, ModulusSize, ToEncodedPoint},
+    AffinePoint, Curve, CurveArithmetic, FieldBytesSize, PublicKey,
+};
+use hmac::{EagerHash, Hmac};
+use log::error;
+use rand::{thread_rng, Rng};
+use rsa::{Oaep, RsaPublicKey};
+
+use crate::{
+    error::{Error, Result, WrapperErrorKind},
+    structures::{EncryptedSecret, IdObject, Name},
+    utils::kdf::{self},
+};
+
+// [`TpmHmac`] intends to code for the key expected for hmac
+// in the KDFa and KDFe derivations. There are no standard sizes for hmac keys really,
+// upstream RustCrypto considers it to be [BlockSize], but TPM specification
+// has a different opinion on the matter, and expect the key to the output
+// bit size of the hash algorithm used.
+//
+// See https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=202
+// section 24.5 HMAC:
+//   bits the number of bits in the digest produced by ekNameAlg
+//
+// [BlockSize]: https://docs.rs/hmac/0.12.1/hmac/struct.HmacCore.html#impl-KeySizeUser-for-HmacCore%3CD%3E
+struct TpmHmac<H>(PhantomData<H>);
+
+impl<H> KeySizeUser for TpmHmac<H>
+where
+    H: OutputSizeUser,
+{
+    type KeySize = H::OutputSize;
+}
+
+pub fn make_credential_ecc<C, EkHash, EkCipher>(
+    ek_public: PublicKey<C>,
+    secret: &[u8],
+    key_name: Name,
+) -> Result<(IdObject, EncryptedSecret)>
+where
+    C: Curve + CurveArithmetic,
+
+    AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+    FieldBytesSize<C>: ModulusSize,
+
+    <FieldBytesSize<C> as Add>::Output: Add<FieldBytesSize<C>>,
+    Sum<FieldBytesSize<C>, FieldBytesSize<C>>: ArraySize,
+    Sum<FieldBytesSize<C>, FieldBytesSize<C>>: Add<U8>,
+    Sum<Sum<FieldBytesSize<C>, FieldBytesSize<C>>, U8>: Add<B1>,
+    Add1<Sum<Sum<FieldBytesSize<C>, FieldBytesSize<C>>, U8>>: ArraySize,
+
+    EkHash: Digest + EagerHash + FixedOutputReset,
+    <EkHash as OutputSizeUser>::OutputSize: Mul<U8>,
+    <<EkHash as OutputSizeUser>::OutputSize as Mul<U8>>::Output: Unsigned,
+    <<EkHash as EagerHash>::Core as OutputSizeUser>::OutputSize: ArraySize + Mul<U8>,
+    <<<EkHash as EagerHash>::Core as OutputSizeUser>::OutputSize as Mul<U8>>::Output: Unsigned,
+
+    EkCipher: KeySizeUser + BlockCipherEncrypt + KeyInit,
+    <EkCipher as KeySizeUser>::KeySize: Mul<U8>,
+    <<EkCipher as KeySizeUser>::KeySize as Mul<U8>>::Output: ArraySize,
+{
+    let mut rng = thread_rng();
+
+    // See Table 22 - Key Generation for the various labels used here after:
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=183
+
+    // C.6.4. ECC Secret Sharing for Credentials
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=311
+    let local = EphemeralSecret::<C>::random(&mut rng);
+
+    let ecdh_secret: SharedSecret<C> = local.diffie_hellman(&ek_public);
+    let local_public = local.public_key();
+    drop(local);
+
+    let seed = kdf::kdfe::<kdf::Identity, EkHash, C, TpmHmac<EkHash>>(
+        &ecdh_secret,
+        &local_public,
+        &ek_public,
+    )?;
+    drop(ecdh_secret);
+
+    // The local ECDH pair is used as "encrypted seed"
+    let encoded_point = local_public.to_encoded_point(false);
+    let Coordinates::Uncompressed {
+        x: point_x,
+        y: point_y,
+    } = encoded_point.coordinates()
+    else {
+        // NOTE: The only way this could trigger would be for the local key to be identity.
+        error!("Couldn't compute coordinates for the local public key");
+        return Err(Error::local_error(WrapperErrorKind::InvalidParam));
+    };
+    let encrypted_seed = {
+        let mut out = vec![];
+        out.extend_from_slice(&FieldBytesSize::<C>::U16.to_be_bytes()[..]);
+        out.extend_from_slice(&point_x);
+        out.extend_from_slice(&FieldBytesSize::<C>::U16.to_be_bytes()[..]);
+        out.extend_from_slice(&point_y);
+        out
+    };
+    let encrypted_secret = EncryptedSecret::from_bytes(&encrypted_seed)?;
+
+    let id_object = secret_to_credential::<EkHash, EkCipher>(seed, secret, key_name)?;
+
+    Ok((id_object, encrypted_secret))
+}
+
+pub fn make_credential_rsa<EkHash, EkCipher>(
+    ek_public: &RsaPublicKey,
+    secret: &[u8],
+    key_name: Name,
+) -> Result<(IdObject, EncryptedSecret)>
+where
+    EkHash: Digest + DynDigest + Send + Sync + 'static,
+    EkHash: EagerHash + FixedOutputReset,
+    <EkHash as OutputSizeUser>::OutputSize: Mul<U8>,
+    <<EkHash as OutputSizeUser>::OutputSize as Mul<U8>>::Output: Unsigned,
+    <<EkHash as EagerHash>::Core as OutputSizeUser>::OutputSize: ArraySize + Mul<U8>,
+    <<<EkHash as EagerHash>::Core as OutputSizeUser>::OutputSize as Mul<U8>>::Output: Unsigned,
+
+    EkCipher: KeySizeUser + BlockCipherEncrypt + KeyInit,
+    <EkCipher as KeySizeUser>::KeySize: Mul<U8>,
+    <<EkCipher as KeySizeUser>::KeySize as Mul<U8>>::Output: ArraySize,
+{
+    let mut rng = thread_rng();
+
+    // See Table 22 - Key Generation for the various labels used here after:
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=183
+
+    // B.10.4 RSA Secret Sharing for Credentials
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=302
+    let random_seed = {
+        let mut out = Key::<TpmHmac<EkHash>>::default();
+        rng.try_fill(out.as_mut_slice()).map_err(|e| {
+            error!("RNG error: {e}");
+            Error::local_error(WrapperErrorKind::InternalError)
+        })?;
+        out
+    };
+
+    // The random seed is then encrypted with RSA-OAEP
+    //
+    // B.4 RSAES_OAEP
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=297
+    //
+    // The label is a byte-stream whose last byte must be zero
+    //
+    // B.10.4. RSA Secret Sharing for Credentials
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=302
+    //
+    // The label is going to be "IDENTITY" for secret sharing.
+    let encrypted_seed = {
+        let padding = Oaep::new_with_label::<EkHash, _>(b"IDENTITY\0".to_vec());
+        let enc_data = ek_public
+            .encrypt(&mut rng, padding, &random_seed[..])
+            .map_err(|e| {
+                error!("RSA OAEP encryption error: {e}");
+                Error::local_error(WrapperErrorKind::InternalError)
+            })?;
+        enc_data
+    };
+    let encrypted_secret = EncryptedSecret::from_bytes(&encrypted_seed)?;
+
+    let id_object = secret_to_credential::<EkHash, EkCipher>(random_seed, secret, key_name)?;
+
+    Ok((id_object, encrypted_secret))
+}
+
+fn secret_to_credential<EkHash, EkCipher>(
+    seed: Key<TpmHmac<EkHash>>,
+    secret: &[u8],
+    key_name: Name,
+) -> Result<IdObject>
+where
+    EkHash: Digest + EagerHash + FixedOutputReset,
+    <EkHash as OutputSizeUser>::OutputSize: Mul<U8>,
+    <<EkHash as OutputSizeUser>::OutputSize as Mul<U8>>::Output: Unsigned,
+    <<EkHash as EagerHash>::Core as OutputSizeUser>::OutputSize: ArraySize + Mul<U8>,
+    <<<EkHash as EagerHash>::Core as OutputSizeUser>::OutputSize as Mul<U8>>::Output: Unsigned,
+
+    EkCipher: KeySizeUser + BlockCipherEncrypt + KeyInit,
+    <EkCipher as KeySizeUser>::KeySize: Mul<U8>,
+    <<EkCipher as KeySizeUser>::KeySize as Mul<U8>>::Output: ArraySize,
+{
+    // Prepare the sensitive data
+    // this will be then encrypted using AES-CFB (size of the symmetric key depends on the EK).
+    let mut sensitive_data = {
+        let mut out = vec![];
+        out.extend_from_slice(
+            &u16::try_from(secret.len())
+                .map_err(|_| {
+                    error!("secret may only be 2^16 bytes long");
+                    Error::local_error(WrapperErrorKind::WrongParamSize)
+                })?
+                .to_be_bytes()[..],
+        );
+        out.extend_from_slice(secret);
+        out
+    };
+
+    // We'll now encrypt the sensitive data, and hmac the result of the encryption
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=201
+    // See 24.4 Symmetric Encryption
+    let sym_key = kdf::kdfa::<EkHash, kdf::Storage, EkCipher>(&seed, key_name.value(), &[])?;
+
+    // TODO(baloo): once the weak key detection merges
+    // https://github.com/RustCrypto/traits/pull/1739
+    // https://github.com/RustCrypto/block-ciphers/pull/465
+    //
+    // We should check for weak keys, and re-run all the steps above until we get a non-weak key
+    // this is to be in compliance with TPM spec section 11.4.10.4:
+    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=82
+
+    let iv: Iv<cfb_mode::Encryptor<EkCipher>> = Default::default();
+
+    cfb_mode::Encryptor::<EkCipher>::new(&sym_key.into(), &iv.into()).encrypt(&mut sensitive_data);
+
+    // See 24.5 HMAC
+    let hmac_key = kdf::kdfa::<EkHash, kdf::Integrity, TpmHmac<EkHash>>(&seed, &[], &[])?;
+    let mut hmac = Hmac::<EkHash>::new_from_slice(&hmac_key).map_err(|e| {
+        error!("HMAC initialization error: {e}");
+        Error::local_error(WrapperErrorKind::WrongParamSize)
+    })?;
+    Mac::update(&mut hmac, &sensitive_data);
+    Mac::update(&mut hmac, key_name.value());
+    let hmac = hmac.finalize();
+
+    // We'll now serialize the object and get everything through the door.
+    let mut out = vec![];
+    out.extend_from_slice(
+        &u16::try_from(hmac.into_bytes().len())
+            .map_err(|_| {
+                // NOTE: this shouldn't ever trigger ... but ...
+                error!("HMAC output may only be 2^16 bytes long");
+                Error::local_error(WrapperErrorKind::WrongParamSize)
+            })?
+            .to_be_bytes()[..],
+    );
+    out.extend_from_slice(&hmac.into_bytes());
+    out.extend_from_slice(&sensitive_data);
+
+    IdObject::from_bytes(&out)
+}