diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index 5c5f8bdd..91a1a1ff 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -161,6 +161,26 @@ jobs: - name: make not provisioning run: make +# test with symmetric encryption + - name: configure symmetric + run: ./configure --enable-swtpm CFLAGS="-DWOLFTPM_USE_SYMMETRIC" + - name: make symmetric + run: make + - name: make check symmetric + run: | + make check + WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh + +# test with software ecdhe + - name: configure swecdhe + run: ./configure --enable-swtpm CFLAGS="-DWOLFTPM2_USE_SW_ECDHE" + - name: make swecdhe + run: make + - name: make check swecdhe + run: | + make check + WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh + # test without ECC - name: wolfssl no ECC working-directory: ./wolfssl @@ -240,16 +260,6 @@ jobs: make check WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh -# test with symmetric encryption - - name: configure symmetric - run: ./configure --enable-swtpm CFLAGS="-DWOLFTPM_USE_SYMMETRIC" - - name: make symmetric - run: make - - name: make check symmetric - run: | - make check - WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh - # capture logs on failure - name: Upload failure logs if: failure() diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c index 72a19301..e4f3dfc1 100644 --- a/examples/wrap/wrap_test.c +++ b/examples/wrap/wrap_test.c @@ -124,6 +124,8 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; + XMEMSET(&rsaKey, 0, sizeof(rsaKey)); + XMEMSET(&eccKey, 0, sizeof(eccKey)); XMEMSET(&aesKey, 0, sizeof(aesKey)); XMEMSET(&publicKey, 0, sizeof(publicKey)); #ifndef WOLFTPM2_NO_WOLFCRYPT @@ -172,11 +174,9 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) /* Setup the wolf crypto device callback */ XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); #ifndef NO_RSA - XMEMSET(&rsaKey, 0, sizeof(rsaKey)); tpmCtx.rsaKey = &rsaKey; #endif #ifdef HAVE_ECC - XMEMSET(&eccKey, 0, sizeof(eccKey)); tpmCtx.eccKey = &eccKey; #endif tpmCtx.storageKey = &storageKey; @@ -448,21 +448,30 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) (word32)sizeof(kRsaKeyPrivDer)); PRIVATE_KEY_LOCK(); if (rc != 0) goto exit; - rc = wolfTPM2_RsaKey_WolfToTpm_ex(&dev, &storageKey, &wolfRsaPrivKey, - &rsaKey); - wc_FreeRsaKey(&wolfRsaPrivKey); - if (rc != 0 && rc != NOT_COMPILED_IN) { + XMEMSET(&testKey, 0, sizeof(testKey)); + rc = wolfTPM2_CreateRsaKeyBlob(&dev, &storageKey, &wolfRsaPrivKey, + &testKey); + wc_FreeRsaKey(&wolfRsaPrivKey); /* free wolf key */ + + if (rc == 0) { + printf("RSA Private Key Blob created (private = %d bytes)\n", + testKey.priv.size); + + rc = wolfTPM2_LoadKey(&dev, &testKey, &storageKey.handle); + if (rc != 0) goto exit; + printf("RSA Private Key Loaded into TPM: Handle 0x%x\n", + (word32)rsaKey.handle.hndl); + + /* Use TPM Handle... */ + + rc = wolfTPM2_UnloadHandle(&dev, &testKey.handle); + if (rc != 0) goto exit; + } + else if (rc != NOT_COMPILED_IN) { /* NOT_COMPILED_IN here likely means that AES-CFB is not enabled for * encrypting secrets */ goto exit; } - printf("RSA Private Key Loaded into TPM: Handle 0x%x\n", - (word32)rsaKey.handle.hndl); - - /* Use TPM Handle... */ - - rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); - if (rc != 0) goto exit; #endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA && !NO_ASN */ /* Load raw RSA private key into TPM */ @@ -682,22 +691,29 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) rc = wc_EccPrivateKeyDecode(kEccKeyPrivDer, &idx, &wolfEccPrivKey, (word32)sizeof(kEccKeyPrivDer)); if (rc != 0) goto exit; - rc = wolfTPM2_EccKey_WolfToTpm_ex(&dev, &storageKey, &wolfEccPrivKey, - &eccKey); - wc_ecc_free(&wolfEccPrivKey); - if (rc != 0 && rc != NOT_COMPILED_IN) { + XMEMSET(&testKey, 0, sizeof(testKey)); + rc = wolfTPM2_CreateEccKeyBlob(&dev, &storageKey, &wolfEccPrivKey, + &testKey); + wc_ecc_free(&wolfEccPrivKey); /* free wolf key */ + if (rc == 0) { + printf("ECC Private Key Blob created (private = %d bytes)\n", + testKey.priv.size); + rc = wolfTPM2_LoadKey(&dev, &testKey, &storageKey.handle); + if (rc != 0) goto exit; + printf("ECC Private Key Loaded into TPM: Handle 0x%x\n", + (word32)testKey.handle.hndl); + + /* Use TPM Handle... */ + + rc = wolfTPM2_UnloadHandle(&dev, &testKey.handle); + if (rc != 0) goto exit; + } + else if (rc != NOT_COMPILED_IN) { /* NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled * exposing the mp_ math API's or AES CFB is not enabled. * Both are needed for encrypting secrets */ goto exit; } - printf("ECC Private Key Loaded into TPM: Handle 0x%x\n", - (word32)eccKey.handle.hndl); - - /* Use TPM Handle... */ - - rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); - if (rc != 0) goto exit; #endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC && !NO_ASN */ /* Load raw ECC private key into TPM */ diff --git a/src/tpm2_cryptocb.c b/src/tpm2_cryptocb.c index c822efdb..457cc968 100644 --- a/src/tpm2_cryptocb.c +++ b/src/tpm2_cryptocb.c @@ -177,80 +177,123 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) #endif /* !NO_RSA */ #ifdef HAVE_ECC if (info->pk.type == WC_PK_TYPE_EC_KEYGEN) { - #ifdef WOLFTPM2_USE_SW_ECDHE - rc = exit_rc; - #else int curve_id; WOLFTPM2_KEY* key; + #ifdef WOLFTPM2_USE_SW_ECDHE + if (tlsCtx->ecdhKey == NULL) { + return exit_rc; + } + #endif + + if ( tlsCtx->eccKey == NULL + && tlsCtx->ecdsaKey == NULL + && tlsCtx->ecdhKey == NULL + ) { + #ifdef DEBUG_WOLFTPM + printf("No crypto callback key pointer set!\n"); + #endif + return BAD_FUNC_ARG; + } + /* Make sure an ECDH key has been set and curve is supported */ curve_id = info->pk.eckg.curveId; if (curve_id == 0 && info->pk.eckg.key->dp != NULL) { curve_id = info->pk.eckg.key->dp->id; /* use dp */ } rc = TPM2_GetTpmCurve(curve_id); - if (rc < 0 || (tlsCtx->ecdhKey == NULL && tlsCtx->eccKey == NULL)) { + if (rc < 0) { return exit_rc; } curve_id = rc; rc = 0; /* If ecdhKey is NULL then it is a signing key */ - if (tlsCtx->ecdhKey == NULL) { + #ifndef WOLFTPM2_USE_SW_ECDHE + if (tlsCtx->ecdhKey == NULL) + #endif + { /* Create an ECC key for ECDSA - if one isn't already created */ - key = tlsCtx->eccKey; + key = (tlsCtx->ecdsaKey != NULL) ? + (WOLFTPM2_KEY*)tlsCtx->ecdsaKey : tlsCtx->eccKey; if (key->handle.hndl == 0 || key->handle.hndl == TPM_RH_NULL ) { TPMT_PUBLIC publicTemplate; - XMEMSET(&publicTemplate, 0, sizeof(publicTemplate)); + TPMI_ALG_HASH hashAlg; + + if (curve_id == TPM_ECC_NIST_P521) + hashAlg = TPM_ALG_SHA512; + else if (curve_id == TPM_ECC_NIST_P384) + hashAlg = TPM_ALG_SHA384; + else + hashAlg = TPM_ALG_SHA256; - rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, + XMEMSET(&publicTemplate, 0, sizeof(publicTemplate)); + rc = wolfTPM2_GetKeyTemplate_ECC_ex(&publicTemplate, hashAlg, TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | TPMA_OBJECT_sign | TPMA_OBJECT_noDA, - curve_id, TPM_ALG_ECDSA); + curve_id, TPM_ALG_ECDSA, hashAlg); if (rc == 0) { - publicTemplate.nameAlg = TPM_ALG_SHA256; /* make sure its SHA256 */ - rc = wolfTPM2_CreateAndLoadKey(tlsCtx->dev, key, - &tlsCtx->storageKey->handle, &publicTemplate, - (byte*)key->handle.auth.buffer, - key->handle.auth.size); + if (tlsCtx->ecdsaKey != NULL) { + /* Use create key and load key directly instead to make + * sure the private portion is populated */ + rc = wolfTPM2_CreateKey(tlsCtx->dev, tlsCtx->ecdsaKey, + &tlsCtx->storageKey->handle, &publicTemplate, + (byte*)key->handle.auth.buffer, + key->handle.auth.size); + if (rc == TPM_RC_SUCCESS) { + rc = wolfTPM2_LoadKey(tlsCtx->dev, tlsCtx->ecdsaKey, + &tlsCtx->storageKey->handle); + } + } + else { + /* Create and load key - encrypted private is not exported */ + rc = wolfTPM2_CreateAndLoadKey(tlsCtx->dev, tlsCtx->eccKey, + &tlsCtx->storageKey->handle, &publicTemplate, + (byte*)key->handle.auth.buffer, + key->handle.auth.size); + } } } } + #ifndef WOLFTPM2_USE_SW_ECDHE else { /* Generate ephemeral key - if one isn't already created */ key = tlsCtx->ecdhKey; if (key->handle.hndl == 0 || key->handle.hndl == TPM_RH_NULL) { - rc = wolfTPM2_ECDHGenKey(tlsCtx->dev, key, curve_id, - NULL, 0 /* no auth for ephemeral key */ + rc = wolfTPM2_ECDHGenKey(tlsCtx->dev, tlsCtx->ecdhKey, + curve_id, NULL, 0 /* no auth for ephemeral key */ ); } } + #endif + if (rc == 0) { /* Export public key info to wolf ecc_key */ rc = wolfTPM2_EccKey_TpmToWolf(tlsCtx->dev, key, info->pk.eckg.key); if (rc != 0) { /* if failure, release key */ - wolfTPM2_UnloadHandle(tlsCtx->dev, &tlsCtx->ecdhKey->handle); + wolfTPM2_UnloadHandle(tlsCtx->dev, &key->handle); } } else if (rc & TPM_RC_CURVE) { /* if the curve is not supported on TPM, then fall-back to software */ rc = exit_rc; - /* Make sure ECDHE key indicates nothing loaded */ + /* Make sure key indicates nothing loaded */ key->handle.hndl = TPM_RH_NULL; } - #endif /* WOLFTPM2_USE_SW_ECDHE */ } else if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) { byte sigRS[MAX_ECC_BYTES*2]; word32 rsLen = sizeof(sigRS), keySz; word32 inlen = info->pk.eccsign.inlen; + WOLFTPM2_KEY* key = (tlsCtx->ecdsaKey != NULL) ? + (WOLFTPM2_KEY*)tlsCtx->ecdsaKey : tlsCtx->eccKey; - if (tlsCtx->eccKey == NULL) { + if (key == NULL) { /* TPM key not setup, fallback to software */ return exit_rc; } @@ -260,13 +303,13 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) if (keySz == 0) { /* if not populated fallback to key size for TPM key */ keySz = TPM2_GetCurveSize( - tlsCtx->eccKey->pub.publicArea.parameters.eccDetail.curveID); + key->pub.publicArea.parameters.eccDetail.curveID); } /* truncate input to match key size */ if (inlen > keySz) inlen = keySz; - rc = wolfTPM2_SignHash(tlsCtx->dev, tlsCtx->eccKey, + rc = wolfTPM2_SignHash(tlsCtx->dev, key, info->pk.eccsign.in, inlen, sigRS, (int*)&rsLen); if (rc == 0) { byte *r, *s; @@ -335,8 +378,9 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) TPM2B_ECC_POINT pubPoint; /* Make sure an ECDH key has been set */ - if (tlsCtx->ecdhKey == NULL || tlsCtx->eccKey == NULL || - tlsCtx->ecdhKey->handle.hndl == TPM_RH_NULL) { + if (tlsCtx->ecdhKey == NULL || + tlsCtx->ecdhKey->handle.hndl == TPM_RH_NULL || + tlsCtx->ecdhKey->handle.hndl == 0) { return exit_rc; } diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index b7515f94..9d12238d 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -2951,11 +2951,15 @@ int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz, rc = wc_RsaPublicKeyDecode(der, &idx, key, derSz); } if (rc == 0) { - if (isPrivateKey) + if (isPrivateKey) { + PRIVATE_KEY_UNLOCK(); rc = wc_RsaExportKey(key, (byte*)&e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz); - else + PRIVATE_KEY_LOCK(); + } + else { rc = wc_RsaFlattenPublicKey(key, (byte*)&e, &eSz, n, &nSz); + } } if (rc == 0 && nSz > sizeof(pub->publicArea.unique.rsa.buffer)) rc = BUFFER_E; @@ -3046,11 +3050,15 @@ int wolfTPM2_DecodeEccDer(const byte* der, word32 derSz, TPM2B_PUBLIC* pub, if (rc == 0) { curveId = TPM2_GetTpmCurve(key->dp->id); - if (isPrivateKey) + if (isPrivateKey) { + PRIVATE_KEY_UNLOCK(); rc = wc_ecc_export_private_raw(key, qx, &qxSz, qy, &qySz, d, &dSz); - else + PRIVATE_KEY_LOCK(); + } + else { rc = wc_ecc_export_public_raw(key, qx, &qxSz, qy, &qySz); + } } if (rc == 0 && qxSz > sizeof(pub->publicArea.unique.ecc.x.buffer)) rc = BUFFER_E; @@ -3416,8 +3424,10 @@ int wolfTPM2_RsaPrivateKeyImportDer(WOLFTPM2_DEV* dev, rc = wc_RsaPrivateKeyDecode(input, &idx, key, inSz); if (rc == 0) { + PRIVATE_KEY_UNLOCK(); rc = wc_RsaExportKey(key, (byte*)&e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz); + PRIVATE_KEY_LOCK(); } if (rc == 0) { @@ -3502,6 +3512,51 @@ int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, return rc; } +int wolfTPM2_CreateRsaKeyBlob(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey, + RsaKey* wolfKey, WOLFTPM2_KEYBLOB* tpmKey) +{ + int rc; + word32 exponent; + byte e[sizeof(exponent)]; + byte n[WOLFTPM2_WRAP_RSA_KEY_BITS / 8]; + byte d[WOLFTPM2_WRAP_RSA_KEY_BITS / 8]; + byte p[WOLFTPM2_WRAP_RSA_KEY_BITS / 8]; + byte q[WOLFTPM2_WRAP_RSA_KEY_BITS / 8]; + word32 eSz = sizeof(e); + word32 nSz = sizeof(n); + word32 dSz = sizeof(d); + word32 pSz = sizeof(p); + word32 qSz = sizeof(q); + + if (dev == NULL || tpmKey == NULL || wolfKey == NULL || parentKey == NULL || + wolfKey->type != RSA_PRIVATE) { + return BAD_FUNC_ARG; + } + + XMEMSET(e, 0, sizeof(e)); + XMEMSET(n, 0, sizeof(n)); + XMEMSET(d, 0, sizeof(d)); + XMEMSET(p, 0, sizeof(p)); + XMEMSET(q, 0, sizeof(q)); + + /* export the raw private and public RSA as unsigned binary */ + PRIVATE_KEY_UNLOCK(); + rc = wc_RsaExportKey(wolfKey, e, &eSz, n, &nSz, + d, &dSz, p, &pSz, q, &qSz); + PRIVATE_KEY_LOCK(); + if (rc == 0) { + exponent = wolfTPM2_RsaKey_Exponent(e, eSz); + + rc = wolfTPM2_ImportRsaPrivateKey(dev, parentKey, tpmKey, n, nSz, + exponent, q, qSz, TPM_ALG_NULL, TPM_ALG_NULL); + } + + /* not used */ + (void)p; + + return rc; +} + int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey, RsaKey* wolfKey, WOLFTPM2_KEY* tpmKey) { @@ -3652,6 +3707,81 @@ int wolfTPM2_EccKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, } #endif /* HAVE_ECC_KEY_IMPORT */ #ifdef HAVE_ECC_KEY_EXPORT +int wolfTPM2_CreateEccKeyBlob(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey, + ecc_key* wolfKey, WOLFTPM2_KEYBLOB* tpmKey) +{ + int rc, curve_id = 0; + byte qx[WOLFTPM2_WRAP_ECC_KEY_BITS / 8]; + byte qy[WOLFTPM2_WRAP_ECC_KEY_BITS / 8]; + byte d[WOLFTPM2_WRAP_ECC_KEY_BITS / 8]; + word32 qxSz = sizeof(qx); + word32 qySz = sizeof(qy); + word32 dSz = sizeof(d); + + if (dev == NULL || tpmKey == NULL || wolfKey == NULL || parentKey == NULL || + wolfKey->type == ECC_PUBLICKEY) { + return BAD_FUNC_ARG; + } + + XMEMSET(tpmKey, 0, sizeof(*tpmKey)); + XMEMSET(qx, 0, sizeof(qx)); + XMEMSET(qy, 0, sizeof(qy)); + XMEMSET(d, 0, sizeof(d)); + + if (wolfKey->dp) + curve_id = wolfKey->dp->id; + + rc = TPM2_GetTpmCurve(curve_id); + if (rc < 0) + return rc; + curve_id = rc; + rc = 0; + + if (wolfKey->type == ECC_PRIVATEKEY_ONLY) { + /* compute public point without modifying incoming wolf key */ + int keySz = wc_ecc_size(wolfKey); + ecc_point* point = wc_ecc_new_point(); + if (point == NULL) { + rc = MEMORY_E; + } + if (rc == 0) { + #ifdef ECC_TIMING_RESISTANT + rc = wc_ecc_make_pub_ex(wolfKey, point, wolfKey->rng); + #else + rc = wc_ecc_make_pub(wolfKey, point); + #endif + if (rc == 0) + rc = wc_export_int(point->x, qx, &qxSz, keySz, + WC_TYPE_UNSIGNED_BIN); + if (rc == 0) + rc = wc_export_int(point->y, qy, &qySz, keySz, + WC_TYPE_UNSIGNED_BIN); + if (rc == 0) { + PRIVATE_KEY_UNLOCK(); + rc = wc_ecc_export_private_only(wolfKey, d, &dSz); + PRIVATE_KEY_LOCK(); + } + wc_ecc_del_point(point); + } + } + else { + /* export the raw private/public ECC portions */ + PRIVATE_KEY_UNLOCK(); + rc = wc_ecc_export_private_raw(wolfKey, + qx, &qxSz, + qy, &qySz, + d, &dSz); + PRIVATE_KEY_LOCK(); + } + + if (rc == 0) { + rc = wolfTPM2_ImportEccPrivateKey(dev, parentKey, tpmKey, curve_id, + qx, qxSz, qy, qySz, d, dSz); + } + + return rc; +} + int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey, ecc_key* wolfKey, WOLFTPM2_KEY* tpmKey) { @@ -3702,17 +3832,22 @@ int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey, if (rc == 0) rc = wc_export_int(point->y, qy, &qySz, keySz, WC_TYPE_UNSIGNED_BIN); - if (rc == 0) + if (rc == 0) { + PRIVATE_KEY_UNLOCK(); rc = wc_ecc_export_private_only(wolfKey, d, &dSz); + PRIVATE_KEY_LOCK(); + } wc_ecc_del_point(point); } } else { /* export the raw private/public ECC portions */ + PRIVATE_KEY_UNLOCK(); rc = wc_ecc_export_private_raw(wolfKey, qx, &qxSz, qy, &qySz, d, &dSz); + PRIVATE_KEY_LOCK(); } if (rc == 0) { diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h index a0deb5c4..214d58c7 100644 --- a/wolftpm/tpm2_types.h +++ b/wolftpm/tpm2_types.h @@ -22,27 +22,32 @@ #ifndef __TPM2_TYPES_H__ #define __TPM2_TYPES_H__ -#include #include -#if defined(USE_HAL_DRIVER) && !defined(HAVE_CONFIG_H) +#ifdef WOLFTPM_USER_SETTINGS + #include "user_settings.h" +#elif defined(USE_HAL_DRIVER) && !defined(HAVE_CONFIG_H) /* STM Configuration File (generated by CubeMX) */ #include "wolfSSL.I-CUBE-wolfTPM_conf.h" -#elif !defined(WOLFTPM_USER_SETTINGS) - /* use generated options.h or a custom one */ +#else + /* use generated library options.h */ #include #endif #ifndef WOLFTPM2_NO_WOLFCRYPT - #ifndef WOLFSSL_USER_SETTINGS - #include - #endif -#else - #ifdef WOLFTPM_USER_SETTINGS + #ifdef WOLFSSL_USER_SETTINGS #include "user_settings.h" + #elif defined(USE_HAL_DRIVER) && !defined(HAVE_CONFIG_H) + /* STM Configuration File (generated by CubeMX) */ + #include "wolfSSL.I-CUBE-wolfSSL_conf.h" + #else + /* use generated library options.h */ + #include #endif #endif +#include + #ifdef WOLFTPM_WINAPI #ifdef _WIN32 #include diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h index d38dec34..f01a0a53 100644 --- a/wolftpm/tpm2_wrap.h +++ b/wolftpm/tpm2_wrap.h @@ -1423,6 +1423,27 @@ WOLFTPM_API int wolfTPM2_RsaKey_WolfToTpm(WOLFTPM2_DEV* dev, RsaKey* wolfKey, WOLFTPM_API int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey, RsaKey* wolfKey, WOLFTPM2_KEY* tpmKey); +/*! + \ingroup wolfTPM2_Wrappers + \brief Create an encrypted RSA key blob from a wolfCrypt key under a specific parent key + \note Creates an encrypted version of the key in WOLFTPM2_KEYBLOB format, but does not load the key into the TPM. Use wolfTPM2_LoadKey() to load the key. + + \return TPM_RC_SUCCESS: successful + \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) + \return BAD_FUNC_ARG: check the provided arguments + + \param dev pointer to a TPM2_DEV struct + \param parentKey pointer to a WOLFTPM2_KEY struct, pointing to a Primary Key or TPM Hierarchy + \param wolfKey pointer to a struct of RsaKey type, holding a wolfcrypt key + \param tpmKey pointer to an empty struct of WOLFTPM2_KEYBLOB type, to hold the encrypted key blob + + \sa wolfTPM2_LoadKey + \sa wolfTPM2_RsaKey_WolfToTpm_ex + \sa wolfTPM2_CreateEccKeyBlob +*/ +WOLFTPM_API int wolfTPM2_CreateRsaKeyBlob(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey, + RsaKey* wolfKey, WOLFTPM2_KEYBLOB* tpmKey); + /*! \ingroup wolfTPM2_Wrappers \brief Import a PEM format public key from a file into the TPM @@ -1520,6 +1541,27 @@ WOLFTPM_API int wolfTPM2_EccKey_WolfToTpm(WOLFTPM2_DEV* dev, ecc_key* wolfKey, WOLFTPM_API int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey, ecc_key* wolfKey, WOLFTPM2_KEY* tpmKey); +/*! + \ingroup wolfTPM2_Wrappers + \brief Create an encrypted ECC key blob from a wolfCrypt key under a specific parent key + \note Creates an encrypted version of the key in WOLFTPM2_KEYBLOB format, but does not load the key into the TPM. Use wolfTPM2_LoadKey() to load the key. + + \return TPM_RC_SUCCESS: successful + \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) + \return BAD_FUNC_ARG: check the provided arguments + + \param dev pointer to a TPM2_DEV struct + \param parentKey pointer to a WOLFTPM2_KEY struct, pointing to a Primary Key or TPM Hierarchy + \param wolfKey pointer to a struct of ecc_key type, holding a wolfcrypt key + \param tpmKey pointer to an empty struct of WOLFTPM2_KEYBLOB type, to hold the encrypted key blob + + \sa wolfTPM2_LoadKey + \sa wolfTPM2_EccKey_WolfToTpm_ex + \sa wolfTPM2_CreateRsaKeyBlob +*/ +WOLFTPM_API int wolfTPM2_CreateEccKeyBlob(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey, + ecc_key* wolfKey, WOLFTPM2_KEYBLOB* tpmKey); + /*! \ingroup wolfTPM2_Wrappers \brief Import a ECC public key generated from wolfcrypt key into the TPM @@ -3345,10 +3387,9 @@ typedef struct TpmCryptoDevCtx { #endif #endif #ifdef HAVE_ECC - WOLFTPM2_KEY* eccKey; /* ECDSA */ - #ifndef WOLFTPM2_USE_SW_ECDHE - WOLFTPM2_KEY* ecdhKey; /* ECDH */ - #endif + WOLFTPM2_KEY* eccKey; /* ECDSA - public only */ + WOLFTPM2_KEYBLOB* ecdsaKey; /* ECDSA - retain encrypted private portion from keygen */ + WOLFTPM2_KEY* ecdhKey; /* ECDH */ #endif WOLFTPM2_KEY* storageKey; #ifdef WOLFTPM_USE_SYMMETRIC