Improve SRK ECC support detection / handling.

wolfSSL · Aug 15, 2023 · 649c257 · 649c257
1 parent 6126d04
commit 649c257
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 51 deletions.
diff --git a/examples/keygen/keyimport.c b/examples/keygen/keyimport.c
@@ -1,6 +1,6 @@
 /* keyimport.c
  *
- * Copyright (C) 2006-2022 wolfSSL Inc.
+ * Copyright (C) 2006-2023 wolfSSL Inc.
  *
  * This file is part of wolfTPM.
  *
@@ -39,7 +39,8 @@
 static void usage(void)
 {
     printf("Expected usage:\n");
-    printf("./examples/keygen/keyimport [keyblob.bin] [-ecc/-rsa] [-pem/-der] [-aes/xor] [-password] [-public]\n");
+    printf("./examples/keygen/keyimport [keyblob.bin] [-ecc/-rsa] [-pem/-der] "
+           "[-aes/xor] [-password] [-public]\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -rsa/-ecc: Use RSA or ECC key\n");
     printf("* -public: Input file is public key only\n");
@@ -65,7 +66,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_DEV dev;
     WOLFTPM2_KEY storage; /* SRK */
     WOLFTPM2_KEYBLOB impKey;
-    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
+    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA, srkAlg; /* TPM_ALG_ECC */
     TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
     WOLFTPM2_SESSION tpmSession;
     const char* outputFile = "keyblob.bin";
@@ -102,7 +103,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
         else if (XSTRCMP(argv[argc-1], "-public") == 0) {
             isPublicKey = 1;
         }
-        else if (XSTRNCMP(argv[argc-1], "-password=", XSTRLEN("-password=")) == 0) {
+        else if (XSTRNCMP(argv[argc-1], "-password=",
+                XSTRLEN("-password=")) == 0) {
             password = (const char*)(argv[argc-1] + XSTRLEN("-password="));
         }
         else if (XSTRCMP(argv[argc-1], "-der") == 0) {
@@ -150,12 +152,23 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
         goto exit;
     }
 
+    srkAlg = alg;
+#if defined(HAVE_ECC) && !defined(WOLFSSL_PUBLIC_MP)
+    if (srkAlg == TPM_ALG_ECC && paramEncAlg != TPM_ALG_NULL) {
+        /* ECC encrypt requires mp_ API's */
+        printf("Parameter encryption with ECC SRK support not available, "
+               "using RSA SRK\n");
+        srkAlg = TPM_ALG_RSA;
+    }
+#endif
+
     /* get SRK */
-    rc = getPrimaryStoragekey(&dev, &storage, alg);
+    rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
     if (rc != 0) goto exit;
 
     if (paramEncAlg != TPM_ALG_NULL) {
-        /* Start an authenticated session (salted / unbound) with parameter encryption */
+        /* Start an authenticated session (salted / unbound) with parameter
+         * encryption */
         rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
@@ -164,7 +177,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
 
         /* set session for authorization of the storage key */
         rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
-            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
+             TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;
     }
 
@@ -237,7 +251,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
         TPM2_GetAlgName(alg), impKey.pub.size, impKey.priv.size);
 
     /* Save key as encrypted blob to the disk */
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_WRITE_TEMP_FILES)
     rc = writeKeyBlob(outputFile, &impKey);
 #else
     printf("Key Public Blob %d\n", impKey.pub.size);

diff --git a/examples/keygen/keyload.c b/examples/keygen/keyload.c
@@ -1,6 +1,6 @@
 /* keyload.c
  *
- * Copyright (C) 2006-2022 wolfSSL Inc.
+ * Copyright (C) 2006-2023 wolfSSL Inc.
  *
  * This file is part of wolfTPM.
  *
@@ -47,7 +47,8 @@
 static void usage(void)
 {
     printf("Expected usage:\n");
-    printf("./examples/keygen/keyload [keyblob.bin] [-aes/xor] [-persistent] [-eh]\n");
+    printf("./examples/keygen/keyload [keyblob.bin] [-aes/xor] [-persistent]"
+           " [-eh]\n");
     printf("* -eh: Key is from the Endorsement Hierarchy, requires EK\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -persistent: Load the TPM key as persistent\n");
@@ -137,7 +138,8 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     }
 
     if (paramEncAlg != TPM_ALG_NULL) {
-        /* Start an authenticated session (salted / unbound) with parameter encryption */
+        /* Start an authenticated session (salted / unbound) with parameter
+         * encryption */
         rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
@@ -146,7 +148,8 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
 
         /* set session for authorization of the storage key */
         rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
-            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
+             TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;
     }
 
@@ -177,7 +180,8 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     if (persistent) {
         /* Prepare key in the format expected by the wolfTPM wrapper */
         persistKey.handle.hndl = newKey.handle.hndl;
-        XMEMCPY((BYTE*)&persistKey.pub, (BYTE*)&newKey.pub, sizeof(persistKey.pub));
+        XMEMCPY((BYTE*)&persistKey.pub, (BYTE*)&newKey.pub,
+            sizeof(persistKey.pub));
         /* Make key persistent */
         rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &persistKey,
                                     TPM2_DEMO_PERSISTENT_KEY_HANDLE);

diff --git a/examples/tpm_test_keys.c b/examples/tpm_test_keys.c
@@ -1,6 +1,6 @@
 /* tpm_test_keys.c
  *
- * Copyright (C) 2006-2022 wolfSSL Inc.
+ * Copyright (C) 2006-2023 wolfSSL Inc.
  *
  * This file is part of wolfTPM.
  *
@@ -80,7 +80,8 @@ int writeKeyBlob(const char* filename,
 
     fp = XFOPEN(filename, "wb");
     if (fp != XBADFILE) {
-        /* Make publicArea in encoded format to eliminate empty fields, save space */
+        /* Make publicArea in encoded format to eliminate empty fields,
+         * save space */
         rc = TPM2_AppendPublic(pubAreaBuffer, (word32)sizeof(pubAreaBuffer),
             &pubAreaSize, &key->pub);
         if (rc != TPM_RC_SUCCESS)
@@ -139,7 +140,8 @@ int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key)
         }
         fileSz -= bytes_read;
 
-        bytes_read = XFREAD(pubAreaBuffer, 1, sizeof(UINT16) + key->pub.size, fp);
+        bytes_read = XFREAD(pubAreaBuffer, 1,
+            sizeof(UINT16) + key->pub.size, fp);
         if (bytes_read != sizeof(UINT16) + key->pub.size) {
             printf("Read %zu, expected public blob %zu bytes\n",
                 bytes_read, sizeof(UINT16) + key->pub.size);
@@ -195,13 +197,9 @@ int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key)
     return rc;
 }
 
-int createAndLoadKey(WOLFTPM2_DEV* pDev,
-                WOLFTPM2_KEY* key,
-                WOLFTPM2_HANDLE* parent,
-                const char* filename,
-                const byte* auth,
-                int authSz,
-                TPMT_PUBLIC* publicTemplate)
+int createAndLoadKey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* key,
+    WOLFTPM2_HANDLE* parent, const char* filename, const byte* auth, int authSz,
+    TPMT_PUBLIC* publicTemplate)
 {
     int rc;
     WOLFTPM2_KEYBLOB keyblob;
@@ -253,12 +251,8 @@ int createAndLoadKey(WOLFTPM2_DEV* pDev,
     return rc;
 }
 
-int readAndLoadKey(WOLFTPM2_DEV* pDev,
-                          WOLFTPM2_KEY* key,
-                          WOLFTPM2_HANDLE* parent,
-                          const char* filename,
-                          const byte* auth,
-                          int authSz)
+int readAndLoadKey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* key,
+    WOLFTPM2_HANDLE* parent, const char* filename, const byte* auth, int authSz)
 {
     int rc;
     WOLFTPM2_KEYBLOB keyblob;
@@ -289,23 +283,31 @@ int readAndLoadKey(WOLFTPM2_DEV* pDev,
     return rc;
 }
 
-int getPrimaryStoragekey(WOLFTPM2_DEV* pDev,
-                                       WOLFTPM2_KEY* pStorageKey,
-                                       TPM_ALG_ID alg)
+int getPrimaryStoragekey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* pStorageKey,
+    TPM_ALG_ID alg)
 {
     int rc;
+    TPM_HANDLE handle;
+
+    if (alg == TPM_ALG_RSA)
+        handle = TPM2_DEMO_STORAGE_KEY_HANDLE;
+    else if (alg == TPM_ALG_ECC)
+        handle = TPM2_DEMO_STORAGE_EC_KEY_HANDLE;
+    else {
+        printf("Invalid SRK alg %x\n", alg);
+        return BAD_FUNC_ARG;
+    }
 
     /* See if SRK already exists */
-    rc = wolfTPM2_ReadPublicKey(pDev, pStorageKey, TPM2_DEMO_STORAGE_KEY_HANDLE);
+    rc = wolfTPM2_ReadPublicKey(pDev, pStorageKey, handle);
     if (rc != 0) {
         /* Create primary storage key */
         rc = wolfTPM2_CreateSRK(pDev, pStorageKey, alg,
             (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
     #ifndef WOLFTPM_WINAPI
         if (rc == TPM_RC_SUCCESS) {
             /* Move storage key into persistent NV */
-            rc = wolfTPM2_NVStoreKey(pDev, TPM_RH_OWNER, pStorageKey,
-                TPM2_DEMO_STORAGE_KEY_HANDLE);
+            rc = wolfTPM2_NVStoreKey(pDev, TPM_RH_OWNER, pStorageKey, handle);
         }
     #endif
     }
@@ -325,13 +327,9 @@ int getPrimaryStoragekey(WOLFTPM2_DEV* pDev,
     return rc;
 }
 
-int getRSAkey(WOLFTPM2_DEV* pDev,
-                            WOLFTPM2_KEY* pStorageKey,
-                            WOLFTPM2_KEY* key,
-                            void* pWolfRsaKey,
-                            int tpmDevId,
-                            const byte* auth, int authSz,
-                            TPMT_PUBLIC* publicTemplate)
+int getRSAkey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* pStorageKey, WOLFTPM2_KEY* key,
+    void* pWolfRsaKey, int tpmDevId, const byte* auth, int authSz,
+    TPMT_PUBLIC* publicTemplate)
 {
     int rc = 0;
 
@@ -360,13 +358,9 @@ int getRSAkey(WOLFTPM2_DEV* pDev,
     return rc;
 }
 
-int getECCkey(WOLFTPM2_DEV* pDev,
-                            WOLFTPM2_KEY* pStorageKey,
-                            WOLFTPM2_KEY* key,
-                            void* pWolfEccKey,
-                            int tpmDevId,
-                            const byte* auth, int authSz,
-                            TPMT_PUBLIC* publicTemplate)
+int getECCkey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* pStorageKey, WOLFTPM2_KEY* key,
+    void* pWolfEccKey, int tpmDevId, const byte* auth, int authSz,
+    TPMT_PUBLIC* publicTemplate)
 {
     int rc = 0;
 

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -1,6 +1,6 @@
 /* tpm2_wrap.c
  *
- * Copyright (C) 2006-2022 wolfSSL Inc.
+ * Copyright (C) 2006-2023 wolfSSL Inc.
  *
  * This file is part of wolfTPM.
  *
@@ -1243,6 +1243,11 @@ int wolfTPM2_EncryptSecret(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpmKey,
         return TPM_RC_SUCCESS;
     }
 
+#ifdef DEBUG_WOLFTPM
+    printf("Encrypt secret: Alg %s, Label %s\n",
+        TPM2_GetAlgName(tpmKey->pub.publicArea.type), label);
+#endif
+
 #ifndef WOLFTPM2_NO_WOLFCRYPT
     switch (tpmKey->pub.publicArea.type) {
     #if defined(HAVE_ECC) && !defined(WC_NO_RNG) && defined(WOLFSSL_PUBLIC_MP)
@@ -1261,7 +1266,7 @@ int wolfTPM2_EncryptSecret(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpmKey,
     }
 
 #ifdef WOLFTPM_DEBUG_VERBOSE
-    printf("Secret %d\n", data->size);
+    printf("Encrypt Secret %d: %d bytes\n", data->size);
     TPM2_PrintBin(data->buffer, data->size);
 #endif
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */