tss2_sign: Add new parameter from which the digest is computed.

JuergenReppSIT · JuergenReppSIT · commit 2467d6fda254 · 2026-04-08T17:08:44.000+02:00
* The parameter --data (-m) can be used to compute the digest from the
  this data if the new function Fapi_DigestAndSign is available.
* Add conditional integration test depending on the FAPI version.

Signed-off-by: Juergen Repp &lt;juergen_repp@web.de&gt;
diff --git a/configure.ac b/configure.ac
@@ -82,6 +82,9 @@ AC_CHECK_LIB(crypto, [EVP_sm3], [
 AC_CHECK_LIB(crypto, [EVP_sm4_cfb128], [
         AC_DEFINE([HAVE_EVP_SM4_CFB], [1], [Support EVP_sm4_cfb in openssl])],
         [])
+AC_CHECK_LIB(tss2-fapi, [Fapi_DigestAndSign], [
+        AC_DEFINE([HAVE_FAPI_DIGEST_AND_SIGN], [1], [Support signing with restricted keys])],
+        [])
 LIBS="${LIBS_save}"
 PKG_CHECK_MODULES([CURL], [libcurl])
 
diff --git a/man/tss2_sign.1.md b/man/tss2_sign.1.md
@@ -16,7 +16,8 @@
 
 **tss2_sign**(1) - This command uses a key inside the TPM to sign a digest value
 using the TPM signing schemes as specified in the cryptographic profile
-(cf., **fapi-profile(5)**).
+(cf., **fapi-profile(5)**). The digest can be provided as an argument
+or computed from data passed as an argument.
 
 # OPTIONS
 
@@ -40,6 +41,10 @@ These are the available options:
 
     The data to be signed, already hashed.
 
+  * **-m**, **\--data**=_FILENAME_ or _-_ (for stdin):
+
+    The data from which the hash is computed, which is then signed.
+
   * **-f**, **\--force**:
 
     Force overwriting the output file.
diff --git a/test/integration/fapi/fapi-sign-verify.sh b/test/integration/fapi/fapi-sign-verify.sh
@@ -329,4 +329,27 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
 }
 EOF
 
+# Check tss2_sign which computes the digest from data if the FAPI function
+# Fapi_DigestAndSign is available
+
+DATA_FILE=$TEMP_DIR/data.file
+dd if=/dev/zero of=$DATA_FILE bs=1 count=1024
+if [ "$CRYPTO_PROFILE" = "RSA" ]; then
+    PADDING="--padding=RSA_PSS"
+fi
+if nm -D $(ldconfig -p | grep "libtss2-fapi" | head -n1 | awk '{print $NF}') | \
+        grep "Fapi_DigestAndSign";
+then
+    tss2 sign --data=$DATA_FILE --keyPath=$KEY_PATH $PADDING \
+         --signature=$SIGNATURE_FILE --publicKey=$PUBLIC_KEY_FILE -f
+
+    shasum -a 256 $DATA_FILE | awk '{ $1 }' | xxd -r -p > $DIGEST_FILE
+    tss2 verifysignature --keyPath=$PUB_KEY_DIR/$IMPORTED_KEY_NAME \
+         --digest=$DIGEST_FILE --signature=$SIGNATURE_FILE
+else
+    # The sign should fail because Fapi_DigestAndSign is not available
+    ! tss2 sign --data=$DATA_FILE --keyPath=$KEY_PATH $PADDING \
+      --signature=$SIGNATURE_FILE --publicKey=$PUBLIC_KEY_FILE
+fi
+
 exit 0
diff --git a/tools/fapi/tss2_sign.c b/tools/fapi/tss2_sign.c
@@ -11,6 +11,7 @@
 static struct cxt {
     char const *keyPath;
     char const *digest;
+    char const *data;
     char const *signature;
     char const *publicKey;
     char const *certificate;
@@ -27,6 +28,9 @@ static bool on_option(char key, char *value) {
     case 'd':
         ctx.digest = value;
         break;
+    case 'm':
+        ctx.data = value;
+        break;
     case 'f':
         ctx.overwrite = true;
         break;
@@ -52,22 +56,34 @@ static bool tss2_tool_onstart(tpm2_options **opts) {
         {"keyPath",     required_argument, NULL, 'p'},
         {"padding",     required_argument, NULL, 's'},
         {"digest",      required_argument, NULL, 'd'},
+        {"data",        required_argument, NULL, 'm'},
         {"signature",   required_argument, NULL, 'o'},
         {"publicKey",   required_argument, NULL, 'k'},
         {"force",       no_argument      , NULL, 'f'},
         {"certificate", required_argument, NULL, 'c'},
 
     };
-    return (*opts = tpm2_options_new ("c:d:fp:k:o:s:", ARRAY_LEN(topts), topts,
+    return (*opts = tpm2_options_new ("c:d:m:fp:k:o:s:", ARRAY_LEN(topts), topts,
                                       on_option, NULL, 0)) != NULL;
 }
 
 /* Execute specific tool */
 static int tss2_tool_onrun (FAPI_CONTEXT *fctx) {
 
     /* Check availability of required parameters */
-    if (!ctx.digest) {
-        fprintf (stderr, "digest missing, use --digest\n");
+
+#ifndef HAVE_FAPI_DIGEST_AND_SIGN
+    if (ctx.data) {
+        fprintf (stderr, "Fapi_DigestAndSign not available in the current FAPI version.\n");
+        return -1;
+    }
+#endif
+    if (!ctx.digest && !ctx.data) {
+        fprintf (stderr, "digest or dataa missing, use --digest or --data\n");
+        return -1;
+    }
+    if (ctx.digest && ctx.data) {
+        fprintf (stderr, "use --digest or --data\n");
         return -1;
     }
     if (!ctx.keyPath) {
@@ -91,23 +107,43 @@ static int tss2_tool_onrun (FAPI_CONTEXT *fctx) {
     }
 
     /* Read data needed to create signature */
-    uint8_t *digest, *signature;
-    size_t digestSize, signatureSize;
-    char *publicKey, *certificate = NULL;
-    TSS2_RC r = open_read_and_close (ctx.digest, (void**)&digest, &digestSize);
+    uint8_t *data = NULL, *digest = NULL, *signature = NULL;
+    size_t dataSize = 0, digestSize = 0, signatureSize;
+    char *publicKey = NULL, *certificate = NULL;
+    TSS2_RC r;
+    if (ctx.digest) {
+        r = open_read_and_close (ctx.digest, (void**)&digest, &digestSize);
+    } else {
+        r = open_read_and_close (ctx.data, (void**)&data, &dataSize);
+    }
+
     if (r){
         return 1;
     }
 
     /* Execute FAPI command with passed arguments */
-    r = Fapi_Sign (fctx, ctx.keyPath, ctx.padding, digest,
+    if (ctx.digest) {
+        r = Fapi_Sign (fctx, ctx.keyPath, ctx.padding, digest,
         digestSize, &signature, &signatureSize, &publicKey, &certificate);
-    if (r != TSS2_RC_SUCCESS) {
-        LOG_PERR ("Fapi_Sign", r);
+        if (r != TSS2_RC_SUCCESS) {
+            LOG_PERR ("Fapi_Sign", r);
+            free (digest);
+            return 1;
+        }
         free (digest);
-        return 1;
     }
-    free (digest);
+#ifdef HAVE_FAPI_DIGEST_AND_SIGN
+    else if (ctx.data) {
+        r = Fapi_DigestAndSign (fctx, ctx.keyPath, ctx.padding, data,
+        dataSize, &signature, &signatureSize, &publicKey, &certificate);
+        if (r != TSS2_RC_SUCCESS) {
+            LOG_PERR ("Fapi_Sign", r);
+            free (data);
+            return 1;
+        }
+        free (data);
+    }
+#endif
 
     /* Write returned data to file(s) */
     if (ctx.certificate && certificate && strlen(certificate)) {
