enumerator->destroy(enumerator);
return this->tpm->sign(this->tpm, this->hierarchy, this->handle, scheme,
- data, pin, signature);
+ params, data, pin, signature);
}
METHOD(private_key_t, decrypt, bool,
* @param handle object handle of TPM key to be used for signature
* @param hierarchy hierarchy the TPM key object is attached to
* @param scheme scheme to be used for signature
+ * @param param signature scheme parameters
* @param data data to be hashed and signed
* @param pin PIN code or empty chunk
* @param signature returns signature
* @return TRUE if signature succeeded
*/
bool (*sign)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin,
- chunk_t *signature);
+ signature_scheme_t scheme, void *params, chunk_t data,
+ chunk_t pin, chunk_t *signature);
/**
* Get random bytes from the TPM
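Review bot: The new doc line `* @param param signature scheme parameters` does not match the parameter, which the prototype names `params`; it should read `* @param params signature scheme parameters (NULL if the scheme has none)`. Since the argument is an untyped `void *`, the comment is the only place a caller learns which concrete struct to pass, so it should also state that for SIGN_RSA_EMSA_PSS it must point to an `rsa_pss_params_t`, and that implementations are expected to handle a NULL pointer for other schemes. The enclosing doc block starts outside the hunk.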
METHOD(tpm_tss_t, sign, bool,
private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+ signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+ chunk_t *signature)
{
return FALSE;
}
METHOD(tpm_tss_t, sign, bool,
private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+ signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+ chunk_t *signature)
{
key_type_t key_type;
hash_algorithm_t hash_alg;
+ rsa_pss_params_t *rsa_pss_params;
uint32_t rval;
TPM_ALG_ID alg_id;
}
*( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;
- key_type = key_type_from_signature_scheme(scheme);
- hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ key_type = KEY_RSA;
+ rsa_pss_params = (rsa_pss_params_t *)params;
+ hash_alg = rsa_pss_params->hash;
+ }
+ else
+ {
+ key_type = key_type_from_signature_scheme(scheme);
+ hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ }
/* Check if hash algorithm is supported by TPM */
alg_id = hash_alg_to_tpm_alg_id(hash_alg);
if (key_type == KEY_RSA && public.t.publicArea.type == TPM_ALG_RSA)
{
- sig_scheme.scheme = TPM_ALG_RSASSA;
- sig_scheme.details.rsassa.hashAlg = alg_id;
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ sig_scheme.scheme = TPM_ALG_RSAPSS;
+ sig_scheme.details.rsapss.hashAlg = alg_id;
+ }
+ else
+ {
+ sig_scheme.scheme = TPM_ALG_RSASSA;
+ sig_scheme.details.rsassa.hashAlg = alg_id;
+ }
}
else if (key_type == KEY_ECDSA && public.t.publicArea.type == TPM_ALG_ECC)
{
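Review bot: The PSS branch dereferences `params` without a NULL check (`rsa_pss_params = (rsa_pss_params_t *)params; hash_alg = rsa_pss_params->hash;`), so a caller that selects SIGN_RSA_EMSA_PSS but passes no parameters crashes the plugin instead of failing the sign call; add `if (!params) { return FALSE; }` before the cast. The same pattern appears in the tss2 v2 sign at the later hunk and should get the same guard. Only `hash` is consulted from the parameters: the TPM is asked for TPM_ALG_RSAPSS with that hash, and it chooses the MGF1 hash and salt length itself, so any `mgf1_hash`/`salt_len` the caller supplies (assuming rsa_pss_params_t carries those fields as in the rest of the library) is silently ignored and a verifier using different parameters will reject the signature; either reject parameters the TPM cannot honour or document in a comment that the TPM's PSS defaults apply. The sign function starts and ends outside this hunk.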
sig.signature.rsassa.sig.t.buffer,
sig.signature.rsassa.sig.t.size));
break;
+ case SIGN_RSA_EMSA_PSS:
+ *signature = chunk_clone(
+ chunk_create(
+ sig.signature.rsapss.sig.t.buffer,
+ sig.signature.rsapss.sig.t.size));
+ break;
case SIGN_ECDSA_256:
case SIGN_ECDSA_384:
case SIGN_ECDSA_521:
METHOD(tpm_tss_t, sign, bool,
private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
- signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+ signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+ chunk_t *signature)
{
key_type_t key_type;
hash_algorithm_t hash_alg;
+ rsa_pss_params_t *rsa_pss_params;
uint32_t rval;
TPM2_ALG_ID alg_id;
memcpy(cmd->hmac.buffer, pin.ptr, cmd->hmac.size);
}
- key_type = key_type_from_signature_scheme(scheme);
- hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ key_type = KEY_RSA;
+ rsa_pss_params = (rsa_pss_params_t *)params;
+ hash_alg = rsa_pss_params->hash;
+ }
+ else
+ {
+ key_type = key_type_from_signature_scheme(scheme);
+ hash_alg = hasher_from_signature_scheme(scheme, NULL);
+ }
/* Check if hash algorithm is supported by TPM */
alg_id = hash_alg_to_tpm_alg_id(hash_alg);
if (key_type == KEY_RSA && public.publicArea.type == TPM2_ALG_RSA)
{
- sig_scheme.scheme = TPM2_ALG_RSASSA;
- sig_scheme.details.rsassa.hashAlg = alg_id;
+ if (scheme == SIGN_RSA_EMSA_PSS)
+ {
+ sig_scheme.scheme = TPM2_ALG_RSAPSS;
+ sig_scheme.details.rsapss.hashAlg = alg_id;
+ }
+ else
+ {
+ sig_scheme.scheme = TPM2_ALG_RSASSA;
+ sig_scheme.details.rsassa.hashAlg = alg_id;
+ }
}
else if (key_type == KEY_ECDSA && public.publicArea.type == TPM2_ALG_ECC)
{
sig.signature.rsassa.sig.buffer,
sig.signature.rsassa.sig.size));
break;
+ case SIGN_RSA_EMSA_PSS:
+ *signature = chunk_clone(
+ chunk_create(
+ sig.signature.rsapss.sig.buffer,
+ sig.signature.rsapss.sig.size));
+ break;
case SIGN_ECDSA_256:
case SIGN_ECDSA_384:
case SIGN_ECDSA_521: