Allow the setting more hierarchy auths in TKC

This commit expands the scope of the TransientKeyContextBuilder to adding more than one hierarchy auth value. This is needed for attesting keys with the default Endorsement Key which uses the Endorsement Hierarchy for authorization by default. Signed-off-by: Ionut Mihalcea <[email protected]>
parallaxsecond · Nov 10, 2021 · 9d11249 · 9d11249
1 parent 84a79ae
commit 9d11249
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 18 deletions.
diff --git a/tss-esapi/src/abstraction/transient/mod.rs b/tss-esapi/src/abstraction/transient/mod.rs
@@ -36,6 +36,7 @@ use crate::{
 
 use log::error;
 use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
 use std::convert::{TryFrom, TryInto};
 use zeroize::Zeroize;
 
@@ -532,10 +533,10 @@ impl TransientKeyContext {
 #[derive(Debug)]
 pub struct TransientKeyContextBuilder {
     tcti_name_conf: TctiNameConf,
-    hierarchy: Hierarchy,
     root_key_size: u16, // TODO: replace with root key PUBLIC definition
     root_key_auth_size: usize,
-    hierarchy_auth: Vec<u8>,
+    root_hierarchy: Hierarchy,
+    hierarchy_auth: HashMap<Hierarchy, Vec<u8>>,
     default_context_cipher: SymmetricDefinitionObject,
     session_hash_alg: HashingAlgorithm,
 }
@@ -545,10 +546,10 @@ impl TransientKeyContextBuilder {
     pub fn new() -> Self {
         TransientKeyContextBuilder {
             tcti_name_conf: TctiNameConf::Device(Default::default()),
-            hierarchy: Hierarchy::Owner,
+            root_hierarchy: Hierarchy::Owner,
             root_key_size: 2048,
             root_key_auth_size: 32,
-            hierarchy_auth: Vec::new(),
+            hierarchy_auth: HashMap::new(),
             default_context_cipher: SymmetricDefinitionObject::AES_256_CFB,
             session_hash_alg: HashingAlgorithm::Sha256,
         }
@@ -560,9 +561,15 @@ impl TransientKeyContextBuilder {
         self
     }
 
+    /// Set the auth values for any hierarchies that will be used
+    pub fn with_hierarchy_auth(mut self, hierarchy: Hierarchy, auth: Vec<u8>) -> Self {
+        let _ = self.hierarchy_auth.insert(hierarchy, auth);
+        self
+    }
+
     /// Define which hierarchy will be used for the keys being managed.
-    pub fn with_hierarchy(mut self, hierarchy: Hierarchy) -> Self {
-        self.hierarchy = hierarchy;
+    pub fn with_root_hierarchy(mut self, hierarchy: Hierarchy) -> Self {
+        self.root_hierarchy = hierarchy;
         self
     }
 
@@ -578,12 +585,6 @@ impl TransientKeyContextBuilder {
         self
     }
 
-    /// Input the authentication value of the working hierarchy.
-    pub fn with_hierarchy_auth(mut self, hierarchy_auth: Vec<u8>) -> Self {
-        self.hierarchy_auth = hierarchy_auth;
-        self
-    }
-
     /// Define the cipher to be used within this context as a default.
     ///
     /// Currently this default is used for:
@@ -624,7 +625,7 @@ impl TransientKeyContextBuilder {
     /// `Context::set_handle_auth`
     /// * if the root key authentication size is given greater than 32 or if the root key size is
     /// not 1024, 2048, 3072 or 4096, a `InvalidParam` wrapper error is returned
-    pub fn build(self) -> Result<TransientKeyContext> {
+    pub fn build(mut self) -> Result<TransientKeyContext> {
         if self.root_key_auth_size > 32 {
             return Err(Error::local_error(ErrorKind::WrongParamSize));
         }
@@ -640,9 +641,9 @@ impl TransientKeyContextBuilder {
             None
         };
 
-        if !self.hierarchy_auth.is_empty() {
-            let auth_hierarchy = Auth::try_from(self.hierarchy_auth)?;
-            context.tr_set_auth(self.hierarchy.into(), &auth_hierarchy)?;
+        for (hierarchy, auth) in self.hierarchy_auth.drain() {
+            let auth_hierarchy = Auth::try_from(auth)?;
+            context.tr_set_auth(hierarchy.into(), &auth_hierarchy)?;
         }
 
         let session = context
@@ -669,7 +670,7 @@ impl TransientKeyContextBuilder {
 
         let root_key_handle = context
             .create_primary(
-                self.hierarchy,
+                self.root_hierarchy,
                 &create_restricted_decryption_rsa_public(
                     self.default_context_cipher,
                     root_key_rsa_key_bits,

diff --git a/tss-esapi/src/interface_types/resource_handles.rs b/tss-esapi/src/interface_types/resource_handles.rs
@@ -13,7 +13,7 @@ use std::convert::TryFrom;
 ///
 /// Enum describing the object hierarchies in a TPM 2.0.
 //////////////////////////////////////////////////////////////////////////////////
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 pub enum Hierarchy {
     Owner,
     Platform,