From: Andreas Steffen
Date: Wed, 18 Jul 2018 20:55:27 +0000 (+0200)
Subject: libtpmtss: Support of RSAPSS signature scheme
X-Git-Tag: 5.7.0dr5~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fd21c40b6cc4bbb6eb9249451b294e52f8f8973c;p=thirdparty%2Fstrongswan.git
libtpmtss: Support of RSAPSS signature scheme
---
diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c
index 0df5ee94c9..3b7582ae3c 100644
--- a/src/libtpmtss/plugins/tpm/tpm_private_key.c
+++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c
@@ -93,7 +93,7 @@ METHOD(private_key_t, sign, bool,
 enumerator->destroy(enumerator);
 return this->tpm->sign(this->tpm, this->hierarchy, this->handle, scheme,
- data, pin, signature);
+ params, data, pin, signature);
 }
 METHOD(private_key_t, decrypt, bool,
diff --git a/src/libtpmtss/tpm_tss.h b/src/libtpmtss/tpm_tss.h
index c0bc26117b..11e4a7c157 100644
--- a/src/libtpmtss/tpm_tss.h
+++ b/src/libtpmtss/tpm_tss.h
@@ -125,14 +125,15 @@ struct tpm_tss_t {
 * @param handle object handle of TPM key to be used for signature
 * @param hierarchy hierarchy the TPM key object is attached to
 * @param scheme scheme to be used for signature
+ * @param param signature scheme parameters
 * @param data data to be hashed and signed
 * @param pin PIN code or empty chunk
 * @param signature returns signature
 * @return TRUE if signature succeeded
 */
 bool (*sign)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin,
- chunk_t *signature);
+ signature_scheme_t scheme, void *params, chunk_t data,
+ chunk_t pin, chunk_t *signature);
 /**
 * Get random bytes from the TPM
diff --git a/src/libtpmtss/tpm_tss_trousers.c b/src/libtpmtss/tpm_tss_trousers.c
index 6ed57af9d0..81e542d02d 100644
--- a/src/libtpmtss/tpm_tss_trousers.c
+++ b/src/libtpmtss/tpm_tss_trousers.c
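Review bot: In the tpm_tss.h hunk the added doc line names the argument `param` while the prototype declares `void *params`, and it does not say what the pointer has to point to. Because the type is `void *`, the compiler cannot catch a caller that passes the wrong structure or nothing at all, so the contract should be written down where implementers and callers read it. A possible wording is `@param params signature scheme parameters: rsa_pss_params_t* for SIGN_RSA_EMSA_PSS, NULL otherwise`. The doc comment for sign() starts above the hunk.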
@@ -584,7 +584,8 @@ err1:
 METHOD(tpm_tss_t, sign, bool,
 private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+ signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+ chunk_t *signature)
 {
 return FALSE;
 }
diff --git a/src/libtpmtss/tpm_tss_tss2_v1.c b/src/libtpmtss/tpm_tss_tss2_v1.c
index 219c425a81..9ed2798f77 100644
--- a/src/libtpmtss/tpm_tss_tss2_v1.c
+++ b/src/libtpmtss/tpm_tss_tss2_v1.c
@@ -828,10 +828,12 @@ METHOD(tpm_tss_t, quote, bool,
 METHOD(tpm_tss_t, sign, bool,
 private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+ signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+ chunk_t *signature)
 {
 key_type_t key_type;
 hash_algorithm_t hash_alg;
+ rsa_pss_params_t *rsa_pss_params;
 uint32_t rval;
 TPM_ALG_ID alg_id;
@@ -870,8 +872,17 @@ METHOD(tpm_tss_t, sign, bool,
 }
 *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;
- key_type = key_type_from_signature_scheme(scheme);
- hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ key_type = KEY_RSA;
+ rsa_pss_params = (rsa_pss_params_t *)params;
+ hash_alg = rsa_pss_params->hash;
+ }
+ else
+ {
+ key_type = key_type_from_signature_scheme(scheme);
+ hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ }
 /* Check if hash algorithm is supported by TPM */
 alg_id = hash_alg_to_tpm_alg_id(hash_alg);
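Review bot: In the `@@ -870,8 +872,17 @@` hunk of tpm_tss_tss2_v1.c, `params` is cast to `rsa_pss_params_t *` and read through `rsa_pss_params->hash` without a NULL check, so a caller that selects SIGN_RSA_EMSA_PSS without supplying parameters crashes the process instead of getting FALSE back. A guard before the cast would close this, `if (!params) { return FALSE; }`, together with whatever cleanup sign() needs at that point; its body starts and ends outside the hunk. The same unchecked dereference is in the `@@ -768,8 +770,17 @@` hunk of tpm_tss_tss2_v2.c.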
@@ -890,8 +901,16 @@ METHOD(tpm_tss_t, sign, bool,
 if (key_type == KEY_RSA && public.t.publicArea.type == TPM_ALG_RSA)
 {
- sig_scheme.scheme = TPM_ALG_RSASSA;
- sig_scheme.details.rsassa.hashAlg = alg_id;
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ sig_scheme.scheme = TPM_ALG_RSAPSS;
+ sig_scheme.details.rsapss.hashAlg = alg_id;
+ }
+ else
+ {
+ sig_scheme.scheme = TPM_ALG_RSASSA;
+ sig_scheme.details.rsassa.hashAlg = alg_id;
+ }
 }
 else if (key_type == KEY_ECDSA && public.t.publicArea.type == TPM_ALG_ECC)
 {
@@ -983,6 +1002,12 @@ METHOD(tpm_tss_t, sign, bool,
 sig.signature.rsassa.sig.t.buffer,
 sig.signature.rsassa.sig.t.size));
 break;
+ case SIGN_RSA_EMSA_PSS:
+ *signature = chunk_clone(
+ chunk_create(
+ sig.signature.rsapss.sig.t.buffer,
+ sig.signature.rsapss.sig.t.size));
+ break;
 case SIGN_ECDSA_256:
 case SIGN_ECDSA_384:
 case SIGN_ECDSA_521:
diff --git a/src/libtpmtss/tpm_tss_tss2_v2.c b/src/libtpmtss/tpm_tss_tss2_v2.c
index 88e00a029d..18164f08b4 100644
--- a/src/libtpmtss/tpm_tss_tss2_v2.c
+++ b/src/libtpmtss/tpm_tss_tss2_v2.c
@@ -742,10 +742,12 @@ METHOD(tpm_tss_t, quote, bool,
 METHOD(tpm_tss_t, sign, bool,
 private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+ signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+ chunk_t *signature)
 {
 key_type_t key_type;
 hash_algorithm_t hash_alg;
+ rsa_pss_params_t *rsa_pss_params;
 uint32_t rval;
 TPM2_ALG_ID alg_id;
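Review bot: In the `@@ -890,8 +901,16 @@` hunk of tpm_tss_tss2_v1.c only `hashAlg` is set in `sig_scheme.details.rsapss`, and the only field this patch reads from the caller's parameters is `hash`. With RSAPSS the TPM chooses the salt length itself and uses the signing hash for MGF1, so any other PSS settings the caller put in `rsa_pss_params_t` are silently ignored; assuming the struct also carries `mgf1_hash` and `salt_len` (not shown on this page), the returned signature can differ from what the caller goes on to advertise, and the peer's verification would then fail. Rejecting such requests before signing would make the mismatch visible, for example `if (rsa_pss_params->mgf1_hash != rsa_pss_params->hash) return FALSE;`, and a comment should state which salt length the TPM produces. The same applies to the `@@ -788,8 +799,16 @@` hunk of tpm_tss_tss2_v2.c.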
@@ -768,8 +770,17 @@ METHOD(tpm_tss_t, sign, bool,
 memcpy(cmd->hmac.buffer, pin.ptr, cmd->hmac.size);
 }
- key_type = key_type_from_signature_scheme(scheme);
- hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ key_type = KEY_RSA;
+ rsa_pss_params = (rsa_pss_params_t *)params;
+ hash_alg = rsa_pss_params->hash;
+ }
+ else
+ {
+ key_type = key_type_from_signature_scheme(scheme);
+ hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ }
 /* Check if hash algorithm is supported by TPM */
 alg_id = hash_alg_to_tpm_alg_id(hash_alg);
@@ -788,8 +799,16 @@ METHOD(tpm_tss_t, sign, bool,
 if (key_type == KEY_RSA && public.publicArea.type == TPM2_ALG_RSA)
 {
- sig_scheme.scheme = TPM2_ALG_RSASSA;
- sig_scheme.details.rsassa.hashAlg = alg_id;
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ sig_scheme.scheme = TPM2_ALG_RSAPSS;
+ sig_scheme.details.rsapss.hashAlg = alg_id;
+ }
+ else
+ {
+ sig_scheme.scheme = TPM2_ALG_RSASSA;
+ sig_scheme.details.rsassa.hashAlg = alg_id;
+ }
 }
 else if (key_type == KEY_ECDSA && public.publicArea.type == TPM2_ALG_ECC)
 {
@@ -881,6 +900,12 @@ METHOD(tpm_tss_t, sign, bool,
 sig.signature.rsassa.sig.buffer,
 sig.signature.rsassa.sig.size));
 break;
+ case SIGN_RSA_EMSA_PSS:
+ *signature = chunk_clone(
+ chunk_create(
+ sig.signature.rsapss.sig.buffer,
+ sig.signature.rsapss.sig.size));
+ break;
 case SIGN_ECDSA_256:
 case SIGN_ECDSA_384:
 case SIGN_ECDSA_521: