Showing with 101 additions and 66 deletions.

+61 −0 lib/tpm2_alg_util.c

+19 −0 lib/tpm2_alg_util.h

+4 −0 man/tpm2_quote.1.md

+16 −4 tools/tpm2_quote.c

+1 −62 tools/tpm2_sign.c
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
@@ -383,3 +383,64 @@ UINT8* tpm2_extract_plain_signature(UINT16 *size, TPMT_SIGNATURE *signature) {
     return NULL;
 }
 
+static bool get_key_type(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT objectHandle,
+        TPMI_ALG_PUBLIC *type) {
+
+    TPMS_AUTH_RESPONSE session_data_out;
+
+    TPMS_AUTH_RESPONSE *session_data_out_array[1] = {
+            &session_data_out
+    };
+
+    TSS2_SYS_RSP_AUTHS sessions_data_out = {
+            1,
+            &session_data_out_array[0]
+    };
+
+    TPM2B_PUBLIC out_public = TPM2B_EMPTY_INIT;
+
+    TPM2B_NAME name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
+
+    TPM2B_NAME qaulified_name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
+
+    TPM_RC rval = Tss2_Sys_ReadPublic(sapi_context, objectHandle, 0, &out_public, &name,
+            &qaulified_name, &sessions_data_out);
+    if (rval != TPM_RC_SUCCESS) {
+        LOG_ERR("Sys_ReadPublic failed, error code: 0x%x", rval);
+        return false;
+    }
+    *type = out_public.t.publicArea.type;
+    return true;
+}
+
+bool get_signature_scheme(TSS2_SYS_CONTEXT *sapi_context,
+        TPMI_DH_OBJECT keyHandle, TPMI_ALG_HASH halg,
+        TPMT_SIG_SCHEME *scheme) {
+
+    TPM_ALG_ID type;
+    bool result = get_key_type(sapi_context, keyHandle, &type);
+    if (!result) {
+        return false;
+    }
+
+    switch (type) {
+    case TPM_ALG_RSA :
+        scheme->scheme = TPM_ALG_RSASSA;
+        scheme->details.rsassa.hashAlg = halg;
+        break;
+    case TPM_ALG_KEYEDHASH :
+        scheme->scheme = TPM_ALG_HMAC;
+        scheme->details.hmac.hashAlg = halg;
+        break;
+    case TPM_ALG_ECC :
+        scheme->scheme = TPM_ALG_ECDSA;
+        scheme->details.ecdsa.hashAlg = halg;
+        break;
+    case TPM_ALG_SYMCIPHER :
+    default:
+        LOG_ERR("Unknown key type, got: 0x%x", type);
+        return false;
+    }
+
+    return true;
+}
diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h
@@ -174,4 +174,23 @@ UINT16 tpm2_alg_util_get_hash_size(TPMI_ALG_HASH id);
  */
 UINT8* tpm2_extract_plain_signature(UINT16 *size, TPMT_SIGNATURE *signature);
 
+/**
+ * Retrieves an approproate signature scheme (scheme) signable by
+ * specified key (keyHandle) and hash algorithm (halg).
+ * @param sapi_context
+ *  System API context for tpm
+ * @param keyHandle
+ *  Handle to key used in signing operation
+ * @param halg
+ *  Hash algoritm for message
+ * @param scheme
+ *  Signature scheme output
+ * @return
+ *  True if successful
+ *  False otherwise, and scheme is left unmodified
+ */
+bool get_signature_scheme(TSS2_SYS_CONTEXT *sapi_context,
+        TPMI_DH_OBJECT keyHandle, TPMI_ALG_HASH halg,
+        TPMT_SIG_SCHEME *scheme);
+
 #endif /* LIB_TPM2_ALG_UTIL_H_ */
diff --git a/man/tpm2_quote.1.md b/man/tpm2_quote.1.md
@@ -58,6 +58,10 @@
   * **-S**, **--input-session-handle**=_SESSION\_HANDLE_:
     Optional Input session handle from a policy session for authorization.
 
+  * **-G**, **--sig-hash-algorithm**:
+
+    Hash algorithm for signature.
+
 [common options](common/options.md)
 
 [common tcti options](common/tcti.md)

diff --git a/tools/tpm2_quote.c b/tools/tpm2_quote.c
@@ -55,11 +55,12 @@ static char *outFilePath;
 static char *signature_path;
 static char *message_path;
 static signature_format sig_format;
+static TPMI_ALG_HASH sig_hash_algorithm;
 static TPM2B_DATA qualifyingData = TPM2B_EMPTY_INIT;
 static TPML_PCR_SELECTION  pcrSelections;
 static bool is_auth_session;
 static TPMI_SH_AUTH_SESSION auth_session_handle;
-static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag;
+static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag, G_flag;
 static char *contextFilePath;
 static TPM_HANDLE akHandle;
 
@@ -292,7 +293,9 @@ static int quote(TSS2_SYS_CONTEXT *sapi_context, TPM_HANDLE akHandle, TPML_PCR_S
     sessionData.nonce.t.size = 0;
     *( (UINT8 *)((void *)&sessionData.sessionAttributes ) ) = 0;
 
-    inScheme.scheme = TPM_ALG_NULL;
+    if(!G_flag || !get_signature_scheme(sapi_context, akHandle, sig_hash_algorithm, &inScheme)) {
+        inScheme.scheme = TPM_ALG_NULL;
+    }
 
     memset( (void *)&signature, 0, sizeof(signature) );
 
@@ -399,6 +402,14 @@ static bool on_option(char key, char *value) {
             return false;
          }
          break;
+    case 'G':
+        sig_hash_algorithm = tpm2_alg_util_from_optarg(optarg);
+        if(sig_hash_algorithm == TPM_ALG_ERROR) {
+            LOG_ERR("Could not convert signature hash algorithm selection, got: \"%s\"", value);
+            return false;
+        }
+        G_flag = 1;
+        break;
     }
 
     return true;
@@ -418,10 +429,11 @@ bool tpm2_tool_onstart(tpm2_options **opts) {
         { "input-session-handle", required_argument, NULL, 'S' },
         { "signature",            required_argument, NULL, 's' },
         { "message",              required_argument, NULL, 'm' },
-        { "format",               required_argument, NULL, 'f' }
+        { "format",               required_argument, NULL, 'f' },
+        { "sig-hash-algorithm",   required_argument, NULL, 'G' }
     };
 
-    *opts = tpm2_options_new("k:c:P:l:g:L:o:S:q:s:m:f:", ARRAY_LEN(topts), topts,
+    *opts = tpm2_options_new("k:c:P:l:g:L:o:S:q:s:m:f:G:", ARRAY_LEN(topts), topts,
             on_option, NULL);
 
     return *opts != NULL;

diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c
@@ -78,67 +78,6 @@ tpm_sign_ctx ctx = {
         .halg = TPM_ALG_SHA1,
 };
 
-static bool get_key_type(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT objectHandle,
-        TPMI_ALG_PUBLIC *type) {
-
-    TPMS_AUTH_RESPONSE session_data_out;
-
-    TPMS_AUTH_RESPONSE *session_data_out_array[1] = {
-            &session_data_out
-    };
-
-    TSS2_SYS_RSP_AUTHS sessions_data_out = {
-            required_argument,
-            &session_data_out_array[0]
-    };
-
-    TPM2B_PUBLIC out_public = TPM2B_EMPTY_INIT;
-
-    TPM2B_NAME name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
-
-    TPM2B_NAME qaulified_name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
-
-    TPM_RC rval = Tss2_Sys_ReadPublic(sapi_context, objectHandle, 0, &out_public, &name,
-            &qaulified_name, &sessions_data_out);
-    if (rval != TPM_RC_SUCCESS) {
-        LOG_ERR("Sys_ReadPublic failed, error code: 0x%x", rval);
-        return false;
-    }
-    *type = out_public.t.publicArea.type;
-    return true;
-}
-
-static bool set_scheme(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT keyHandle,
-        TPMI_ALG_HASH halg, TPMT_SIG_SCHEME *inScheme) {
-
-    TPM_ALG_ID type;
-    bool result = get_key_type(sapi_context, keyHandle, &type);
-    if (!result) {
-        return false;
-    }
-
-    switch (type) {
-    case TPM_ALG_RSA :
-        inScheme->scheme = TPM_ALG_RSASSA;
-        inScheme->details.rsassa.hashAlg = halg;
-        break;
-    case TPM_ALG_KEYEDHASH :
-        inScheme->scheme = TPM_ALG_HMAC;
-        inScheme->details.hmac.hashAlg = halg;
-        break;
-    case TPM_ALG_ECC :
-        inScheme->scheme = TPM_ALG_ECDSA;
-        inScheme->details.ecdsa.hashAlg = halg;
-        break;
-    case TPM_ALG_SYMCIPHER :
-    default:
-        LOG_ERR("Unknown key type, got: 0x%x", type);
-        return false;
-    }
-
-    return true;
-}
-
 static bool sign_and_save(TSS2_SYS_CONTEXT *sapi_context) {
 
     TPM2B_DIGEST digest = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer);
@@ -166,7 +105,7 @@ static bool sign_and_save(TSS2_SYS_CONTEXT *sapi_context) {
         return false;
     }
 
-    bool result = set_scheme(sapi_context, ctx.keyHandle, ctx.halg, &in_scheme);
+    bool result = get_signature_scheme(sapi_context, ctx.keyHandle, ctx.halg, &in_scheme);
     if (!result) {
         return false;
     }