Merge pull request #390 from dgarske/oldcrypt

Support for building wolfTPM against older wolfCrypt (like v4.7.0)

Author: embhorn

.github/workflows/make-test-swtpm.yml

@@ -202,6 +202,29 @@ jobs:
         make check
         WOLFSSL_PATH=./wolfssl NO_FILESYSTEM=1 ./examples/run_examples.sh
 
+# test with older wolfCrypt (v4.7.0)
+    - uses: actions/checkout@master
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl-old
+        ref: v4.7.0-stable
+    - name: wolfssl old
+      working-directory: ./wolfssl
+      run: |
+        ./configure --enable-wolftpm CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN"
+        make
+        sudo make install
+    - name: wolftpm with old wolfssl
+      # Old wolfSSL before PR #5075 does not support using a public key in place of private key with
+      # crypto callbacks enabled.
+      # To use PKCS7 or TLS Server a dummy private key must be used for older wolfSSL versions.
+      # Use newer wolfSSL TLS client/server to resolve test certificate expirations
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh
+
 # capture logs on failure
     - name: Upload failure logs
       if: failure()

examples/csr/csr.c

@@ -87,7 +87,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
 #ifdef WOLFTPM2_NO_HEAP
     /* single shot API for CSR generation */
     rc = wolfTPM2_CSR_Generate_ex(dev, key, subject, keyUsage,
-        CTC_FILETYPE_PEM, output, outputSz, sigType, makeSelfSignedCert,
+        ENCODING_TYPE_PEM, output, outputSz, sigType, makeSelfSignedCert,
         devId);
 #else
     rc = wolfTPM2_CSR_SetSubject(dev, csr, subject);
@@ -104,7 +104,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
         }
     }
     if (rc == 0) {
-        rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, CTC_FILETYPE_PEM,
+        rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, ENCODING_TYPE_PEM,
             output, outputSz, sigType, makeSelfSignedCert, devId);
     }
 #endif

examples/endorsement/get_ek_certs.c

@@ -278,8 +278,13 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
         if (rc == 0) {
             /* Attempt to parse certificate */
             printf("Parsing certificate (%d bytes)\n", certSz);
+            #ifdef WOLFSSL_TEST_CERT
+            InitDecodedCert(&cert, certBuf, certSz, NULL);
+            rc = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+            #else
             wc_InitDecodedCert(&cert, certBuf, certSz, NULL);
             rc = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+            #endif
             if (rc == 0) {
                 printf("\tSuccessfully parsed\n");
 
@@ -338,7 +343,11 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
                 printf("Error parsing certificate! %s (%d)\n",
                     TPM2_GetRCString(rc), rc);
             }
+        #ifdef WOLFSSL_TEST_CERT
+            FreeDecodedCert(&cert);
+        #else
             wc_FreeDecodedCert(&cert);
+        #endif
 
         #ifndef WOLFCRYPT_ONLY
             if (rc == 0) {

examples/pkcs7/pkcs7.c

@@ -46,12 +46,16 @@
 
 /* The PKCS7 EX functions were added after v3.15.3 */
 #include <wolfssl/version.h>
-#if defined(LIBWOLFSSL_VERSION_HEX) && \
-    LIBWOLFSSL_VERSION_HEX > 0x03015003
+#if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x03015003
     #undef  ENABLE_PKCS7EX_EXAMPLE
     #define ENABLE_PKCS7EX_EXAMPLE
 #endif
 
+#if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX < 0x05007004
+    /* PKCS7 renamed to wc_PKCS7 */
+    #define wc_PKCS7 PKCS7
+#endif
+
 #ifndef MAX_PKCS7_SIZE
 #define MAX_PKCS7_SIZE MAX_CONTEXT_SIZE
 #endif

examples/run_examples.sh

@@ -13,6 +13,9 @@ fi
 if [ -z "$NO_FILESYSTEM" ]; then
     NO_FILESYSTEM=0
 fi
+if [ -z "$NO_PUBASPRIV" ]; then
+    NO_PUBASPRIV=0
+fi
 if [ -z "$WOLFCRYPT_DEFAULT" ]; then
     WOLFCRYPT_DEFAULT=0
 fi
@@ -337,7 +340,7 @@ fi
 
 # PKCS7 Tests
 echo -e "PKCS7 tests"
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ] && [ $NO_PUBASPRIV -eq 0 ]; then
     ./examples/pkcs7/pkcs7 >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
@@ -400,22 +403,25 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
         run_tpm_tls_client "rsa" "" "4"
         run_tpm_tls_client "rsa" "-aes" "4"
 
-        run_tpm_tls_server "rsa" "" "3"
-        run_tpm_tls_server "rsa" "-aes" "3"
-        run_tpm_tls_server "rsa" "" "4"
-        run_tpm_tls_server "rsa" "-aes" "4"
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "rsa" "" "3"
+            run_tpm_tls_server "rsa" "-aes" "3"
+            run_tpm_tls_server "rsa" "" "4"
+            run_tpm_tls_server "rsa" "-aes" "4"
+        fi
 
         # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks
         run_tpm_tls_client "rsa" "-pk" "3"
         run_tpm_tls_client "rsa" "-pk -aes" "3"
         run_tpm_tls_client "rsa" "-pk" "4"
         run_tpm_tls_client "rsa" "-pk -aes" "4"
 
-        run_tpm_tls_server "rsa" "-pk " "3"
-        run_tpm_tls_server "rsa" "-pk -aes" "3"
-        run_tpm_tls_server "rsa" "-pk " "4"
-        run_tpm_tls_server "rsa" "-pk -aes" "4"
-
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "rsa" "-pk " "3"
+            run_tpm_tls_server "rsa" "-pk -aes" "3"
+            run_tpm_tls_server "rsa" "-pk " "4"
+            run_tpm_tls_server "rsa" "-pk -aes" "4"
+        fi
     fi
     if [ $WOLFCRYPT_ECC -eq 1 ]; then
         # TLS client/server ECC TLS v1.2 and v1.3 Crypto callbacks
@@ -424,21 +430,25 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
         run_tpm_tls_client "ecc" "" "4"
         run_tpm_tls_client "ecc" "-aes" "4"
 
-        run_tpm_tls_server "ecc" "" "3"
-        run_tpm_tls_server "ecc" "-aes" "3"
-        run_tpm_tls_server "ecc" "" "4"
-        run_tpm_tls_server "ecc" "-aes" "4"
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "ecc" "" "3"
+            run_tpm_tls_server "ecc" "-aes" "3"
+            run_tpm_tls_server "ecc" "" "4"
+            run_tpm_tls_server "ecc" "-aes" "4"
+        fi
 
         # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks
         run_tpm_tls_client "ecc" "-pk" "3"
         run_tpm_tls_client "ecc" "-pk -aes" "3"
         run_tpm_tls_client "ecc" "-pk" "4"
         run_tpm_tls_client "ecc" "-pk -aes" "4"
 
-        run_tpm_tls_server "ecc" "-pk" "3"
-        run_tpm_tls_server "ecc" "-pk -aes" "3"
-        run_tpm_tls_server "ecc" "-pk" "4"
-        run_tpm_tls_server "ecc" "-pk -aes" "4"
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "ecc" "-pk" "3"
+            run_tpm_tls_server "ecc" "-pk -aes" "3"
+            run_tpm_tls_server "ecc" "-pk" "4"
+            run_tpm_tls_server "ecc" "-pk -aes" "4"
+        fi
     fi
 fi
 

src/tpm2_wrap.c

@@ -2818,6 +2818,8 @@ int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz,
     rc = wc_InitRsaKey(key, NULL);
     if (rc == 0) {
         idx = 0;
+        /* skip PKCS8 header */
+        (void)wc_GetPkcs8TraditionalOffset((byte*)der, &idx, derSz);
         rc = wc_RsaPrivateKeyDecode(der, &idx, key, derSz);
         if (rc == 0) {
             isPrivateKey = 1;
@@ -3033,7 +3035,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
             /* load public portion of key into wolf RSA Key */
             rc = wolfTPM2_RsaKey_TpmToWolf(dev, tpmKey, &key.rsa);
             if (rc == 0) {
-                rc = wc_RsaKeyToPublicDer_ex(&key.rsa, out, *outSz, 1);
+                rc = wc_RsaKeyToPublicDer(&key.rsa, out, *outSz);
                 if (rc > 0) {
                     derSz = rc;
                     rc = 0;
@@ -6836,15 +6838,19 @@ static int CSR_Parse_DN(CertName* name, const char* subject)
         {"/CN=",     OFFSETOF(CertName, commonName)}, /* Common Name */
         {"/C=",      OFFSETOF(CertName, country)},    /* Country */
         {"/ST=",     OFFSETOF(CertName, state)},      /* State */
-        {"/street=", OFFSETOF(CertName, street)},     /* Street */
         {"/L=",      OFFSETOF(CertName, locality)},   /* Locality */
         {"/SN=",     OFFSETOF(CertName, sur)},        /* Surname */
         {"/O=",      OFFSETOF(CertName, org)},        /* Organization */
         {"/OU=",     OFFSETOF(CertName, unit)},       /* Organization Unit */
-        {"/postalCode=",   OFFSETOF(CertName, postalCode)}, /* PostalCode */
-        {"/userid=",       OFFSETOF(CertName, userId)},     /* UserID */
         {"/serialNumber=", OFFSETOF(CertName, serialDev)},  /* Serial Number */
         {"/emailAddress=", OFFSETOF(CertName, email)},      /* Email Address */
+    #if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x05000000
+        {"/street=", OFFSETOF(CertName, street)},     /* Street */
+        {"/postalCode=",   OFFSETOF(CertName, postalCode)}, /* PostalCode */
+    #endif
+    #if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x05003000
+        {"/userid=",       OFFSETOF(CertName, userId)},     /* UserID */
+    #endif
     #ifdef WOLFSSL_CERT_EXT
         {"/businessCategory=", OFFSETOF(CertName, busCat)}, /* Business Category */
     #endif
@@ -6916,7 +6922,7 @@ static int CSR_MakeAndSign(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, CSRKey* key,
     }
 
     /* Optionally convert to PEM */
-    if (rc >= 0 && outFormat == CTC_FILETYPE_PEM) {
+    if (rc >= 0 && outFormat == ENCODING_TYPE_PEM) {
     #ifdef WOLFSSL_DER_TO_PEM
         byte tmp[MAX_CONTEXT_SIZE];
         if (rc > (int)sizeof(tmp)) {

wolftpm/tpm2_types.h

@@ -125,6 +125,17 @@ typedef int64_t  INT64;
     #define ENCODING_TYPE_PEM  1 /* CTC_FILETYPE_PEM */
     #define ENCODING_TYPE_ASN1 2 /* CTC_FILETYPE_ASN1 */
 
+    #ifndef WOLFSSL_HAVE_ECC_KEY_GET_PRIV
+        #define wc_ecc_key_get_priv(key) (&((key)->k))
+        #define WOLFSSL_HAVE_ECC_KEY_GET_PRIV
+    #endif
+
+    #ifndef PRIVATE_KEY_LOCK
+    #define PRIVATE_KEY_LOCK() do {} while (0)
+    #endif
+    #ifndef PRIVATE_KEY_UNLOCK
+    #define PRIVATE_KEY_UNLOCK() do {} while (0)
+    #endif
 #else
 
     #include <stdio.h>
@@ -172,14 +183,6 @@ typedef int64_t  INT64;
         #define LITTLE_ENDIAN_ORDER
     #endif
 
-    #ifndef OFFSETOF
-        #if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 4))
-            #define OFFSETOF(type, field) __builtin_offsetof(type, field)
-        #else
-            #define OFFSETOF(type, field) ((size_t)&(((type *)0)->field))
-        #endif
-    #endif
-
     /* GCC Version */
     #ifndef __GNUC_PREREQ
         #if defined(__GNUC__) && defined(__GNUC_MINOR__)
@@ -223,6 +226,14 @@ typedef int64_t  INT64;
 
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */
 
+#ifndef OFFSETOF
+    #if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 4))
+        #define OFFSETOF(type, field) __builtin_offsetof(type, field)
+    #else
+        #define OFFSETOF(type, field) ((size_t)&(((type *)0)->field))
+    #endif
+#endif
+
 #ifndef WOLFTPM_CUSTOM_TYPES
     #include <stdlib.h>