libtpmtss: Support of RSAPSS signature scheme
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 18 Jul 2018 20:55:27 +0000 (22:55 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 19 Jul 2018 10:40:42 +0000 (12:40 +0200)
src/libtpmtss/plugins/tpm/tpm_private_key.c
src/libtpmtss/tpm_tss.h
src/libtpmtss/tpm_tss_trousers.c
src/libtpmtss/tpm_tss_tss2_v1.c
src/libtpmtss/tpm_tss_tss2_v2.c

index 0df5ee9..3b7582a 100644 (file)
@@ -93,7 +93,7 @@ METHOD(private_key_t, sign, bool,
        enumerator->destroy(enumerator);
 
        return this->tpm->sign(this->tpm, this->hierarchy, this->handle, scheme,
-                                                  data, pin, signature);
+                                                  params, data, pin, signature);
 }
 
 METHOD(private_key_t, decrypt, bool,
index c0bc261..11e4a7c 100644 (file)
@@ -125,14 +125,15 @@ struct tpm_tss_t {
         * @param handle                object handle of TPM key to be used for signature
         * @param hierarchy             hierarchy the TPM key object is attached to
         * @param scheme                scheme to be used for signature
+        * @param param                 signature scheme parameters
         * @param data                  data to be hashed and signed
         * @param pin                   PIN code or empty chunk
         * @param signature             returns signature
         * @return                              TRUE if signature succeeded
         */
        bool (*sign)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle,
-                                signature_scheme_t scheme, chunk_t data, chunk_t pin,
-                                chunk_t *signature);
+                                signature_scheme_t scheme, void *params, chunk_t data,
+                                chunk_t pin, chunk_t *signature);
 
        /**
         * Get random bytes from the TPM
index 6ed57af..81e542d 100644 (file)
@@ -584,7 +584,8 @@ err1:
 
 METHOD(tpm_tss_t, sign, bool,
        private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle,
-       signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+       signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+       chunk_t *signature)
 {
        return FALSE;
 }
index 219c425..9ed2798 100644 (file)
@@ -828,10 +828,12 @@ METHOD(tpm_tss_t, quote, bool,
 
 METHOD(tpm_tss_t, sign, bool,
        private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
-       signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+       signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+       chunk_t *signature)
 {
        key_type_t key_type;
        hash_algorithm_t hash_alg;
+       rsa_pss_params_t *rsa_pss_params;
        uint32_t rval;
 
        TPM_ALG_ID alg_id;
@@ -870,8 +872,17 @@ METHOD(tpm_tss_t, sign, bool,
        }
        *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;
 
-       key_type = key_type_from_signature_scheme(scheme);
-       hash_alg = hasher_from_signature_scheme(scheme, NULL);
+       if (scheme == SIGN_RSA_EMSA_PSS)
+       {
+               key_type = KEY_RSA;
+               rsa_pss_params = (rsa_pss_params_t *)params;
+               hash_alg = rsa_pss_params->hash;
+       }
+       else
+       {
+               key_type = key_type_from_signature_scheme(scheme);
+               hash_alg = hasher_from_signature_scheme(scheme, NULL);
+       }
 
        /* Check if hash algorithm is supported by TPM */
        alg_id = hash_alg_to_tpm_alg_id(hash_alg);
@@ -890,8 +901,16 @@ METHOD(tpm_tss_t, sign, bool,
 
        if (key_type == KEY_RSA && public.t.publicArea.type == TPM_ALG_RSA)
        {
-               sig_scheme.scheme = TPM_ALG_RSASSA;
-               sig_scheme.details.rsassa.hashAlg = alg_id;
+               if (scheme == SIGN_RSA_EMSA_PSS)
+               {
+                       sig_scheme.scheme = TPM_ALG_RSAPSS;
+                       sig_scheme.details.rsapss.hashAlg = alg_id;
+               }
+               else
+               {
+                       sig_scheme.scheme = TPM_ALG_RSASSA;
+                       sig_scheme.details.rsassa.hashAlg = alg_id;
+               }
        }
        else if (key_type == KEY_ECDSA && public.t.publicArea.type == TPM_ALG_ECC)
        {
@@ -983,6 +1002,12 @@ METHOD(tpm_tss_t, sign, bool,
                                                                sig.signature.rsassa.sig.t.buffer,
                                                                sig.signature.rsassa.sig.t.size));
                        break;
+               case SIGN_RSA_EMSA_PSS:
+                       *signature = chunk_clone(
+                                                       chunk_create(
+                                                               sig.signature.rsapss.sig.t.buffer,
+                                                               sig.signature.rsapss.sig.t.size));
+                       break;
                case SIGN_ECDSA_256:
                case SIGN_ECDSA_384:
                case SIGN_ECDSA_521:
index 88e00a0..18164f0 100644 (file)
@@ -742,10 +742,12 @@ METHOD(tpm_tss_t, quote, bool,
 
 METHOD(tpm_tss_t, sign, bool,
        private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
-       signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+       signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+       chunk_t *signature)
 {
        key_type_t key_type;
        hash_algorithm_t hash_alg;
+       rsa_pss_params_t *rsa_pss_params;
        uint32_t rval;
 
        TPM2_ALG_ID alg_id;
@@ -768,8 +770,17 @@ METHOD(tpm_tss_t, sign, bool,
                memcpy(cmd->hmac.buffer, pin.ptr, cmd->hmac.size);
        }
 
-       key_type = key_type_from_signature_scheme(scheme);
-       hash_alg = hasher_from_signature_scheme(scheme, NULL);
+       if (scheme == SIGN_RSA_EMSA_PSS)
+       {
+               key_type = KEY_RSA;
+               rsa_pss_params = (rsa_pss_params_t *)params;
+               hash_alg = rsa_pss_params->hash;
+       }
+       else
+       {
+               key_type = key_type_from_signature_scheme(scheme);
+               hash_alg = hasher_from_signature_scheme(scheme, NULL);
+       }
 
        /* Check if hash algorithm is supported by TPM */
        alg_id = hash_alg_to_tpm_alg_id(hash_alg);
@@ -788,8 +799,16 @@ METHOD(tpm_tss_t, sign, bool,
 
        if (key_type == KEY_RSA && public.publicArea.type == TPM2_ALG_RSA)
        {
-               sig_scheme.scheme = TPM2_ALG_RSASSA;
-               sig_scheme.details.rsassa.hashAlg = alg_id;
+               if (scheme == SIGN_RSA_EMSA_PSS)
+               {
+                       sig_scheme.scheme = TPM2_ALG_RSAPSS;
+                       sig_scheme.details.rsapss.hashAlg = alg_id;
+               }
+               else
+               {
+                       sig_scheme.scheme = TPM2_ALG_RSASSA;
+                       sig_scheme.details.rsassa.hashAlg = alg_id;
+               }
        }
        else if (key_type == KEY_ECDSA && public.publicArea.type == TPM2_ALG_ECC)
        {
@@ -881,6 +900,12 @@ METHOD(tpm_tss_t, sign, bool,
                                                                sig.signature.rsassa.sig.buffer,
                                                                sig.signature.rsassa.sig.size));
                        break;
+               case SIGN_RSA_EMSA_PSS:
+                       *signature = chunk_clone(
+                                                       chunk_create(
+                                                               sig.signature.rsapss.sig.buffer,
+                                                               sig.signature.rsapss.sig.size));
+                       break;
                case SIGN_ECDSA_256:
                case SIGN_ECDSA_384:
                case SIGN_ECDSA_521: