Skip to content

Commit

Permalink
Expand importing functionality in TransientKeyCtx
Browse files Browse the repository at this point in the history 
This commit modifies the method available for importing public keys in
the TransientKeyContext to support other types of keys and associated
parameters. Thus, ECC keys, as well as RSA keys for asym encryption are
now supported.

Signed-off-by: Ionut Mihalcea <[email protected]>
  • Loading branch information
@ionut-arm
ionut-arm committed Oct 14, 2021
1 parent 6501210 commit cc37191
Show file tree
Hide file tree
Showing 2 changed files with 69 additions and 51 deletions.
36 changes: 10 additions & 26 deletions tss-esapi/src/abstraction/transient.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ use crate::{
constants::{tss::*, SessionType, Tss2ResponseCodeKind},
handles::{KeyHandle, SessionHandle},
interface_types::{
algorithm::{HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm},
algorithm::{HashingAlgorithm, PublicAlgorithm},
ecc::EccCurve,
key_bits::RsaKeyBits,
resource_handles::Hierarchy,
Expand All @@ -30,10 +30,7 @@ use crate::{
},
tcti_ldr::TctiNameConf,
tss2_esys::*,
utils::{
create_restricted_decryption_rsa_public,
create_unrestricted_signing_rsa_public_with_unique, PublicKey, TpmsContext,
},
utils::{create_restricted_decryption_rsa_public, PublicKey, TpmsContext},
Context, Error, Result, WrapperErrorKind as ErrorKind,
};

Expand Down Expand Up @@ -159,35 +156,22 @@ impl TransientKeyContext {
Ok((key_material, key_auth))
}

/// Load a previously generated RSA public key.
/// Load the public part of a key.
///
/// Returns the key context.
///
/// # Constraints
/// * `public_key` must be 128, 256, 384 or 512 bytes (i.e. slice elements) long, corresponding to 1024, 2048, 3072 or 4096 bits
///
/// # Errors
/// * if the public key length is different than 128, 256, 384 or 512 bytes, a `WrongParamSize` wrapper error is returned
pub fn load_external_rsa_public_key(&mut self, public_key: &[u8]) -> Result<KeyMaterial> {
let rsa_key_bits = RsaKeyBits::try_from(
u16::try_from(public_key.len()).map_err(|e| {
error!("Failed to convert length of public key to u16: {:?}", e);
Error::local_error(ErrorKind::InvalidParam)
})? * 8u16,
)?;
let public = create_unrestricted_signing_rsa_public_with_unique(
RsaScheme::create(RsaSchemeAlgorithm::RsaSsa, Some(HashingAlgorithm::Sha256))?,
rsa_key_bits,
RsaExponent::default(),
&PublicKeyRsa::try_from(public_key)?,
)?;
pub fn load_external_public_key(
&mut self,
public_key: PublicKey,
params: KeyParams,
) -> Result<KeyMaterial> {
let public = TransientKeyContext::get_public_from_params(params, Some(public_key.clone()))?;
self.set_session_attrs()?;
let key_handle = self
.context
.load_external_public(&public, Hierarchy::Owner)?;
self.context.flush_context(key_handle.into())?;
Ok(KeyMaterial {
public: PublicKey::Rsa(public_key.to_vec()),
public: public_key,
private: vec![],
})
}
Expand Down
84 changes: 59 additions & 25 deletions tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,11 +83,44 @@ fn wrong_auth_size() {
#[test]
fn load_bad_sized_key() {
let mut ctx = create_ctx();
assert_eq!(
ctx.load_external_rsa_public_key(&[0xDE, 0xAD, 0xBE, 0xEF])
.unwrap_err(),
Error::WrapperError(ErrorKind::InvalidParam)
);
let key_params = KeyParams::Rsa {
size: RsaKeyBits::Rsa1024,
scheme: RsaScheme::create(RsaSchemeAlgorithm::RsaSsa, Some(HashingAlgorithm::Sha256))
.expect("Failed to create RSA scheme"),
pub_exponent: RsaExponent::default(),
};
let _ = ctx
.load_external_public_key(PublicKey::Rsa(vec![0xDE, 0xAD, 0xBE, 0xEF]), key_params)
.unwrap_err();
}

#[test]
fn load_with_invalid_params() {
let pub_key = vec![
0x96, 0xDC, 0x72, 0x77, 0x49, 0x82, 0xFD, 0x2D, 0x06, 0x65, 0x8C, 0xE5, 0x3A, 0xCD, 0xED,
0xBD, 0x50, 0xD7, 0x6F, 0x3B, 0xE5, 0x6A, 0x76, 0xED, 0x3E, 0xD8, 0xF9, 0x93, 0x40, 0x55,
0x86, 0x6F, 0xBE, 0x76, 0x60, 0xD2, 0x03, 0x23, 0x59, 0x19, 0x8D, 0xFC, 0x51, 0x6A, 0x95,
0xC8, 0x5D, 0x5A, 0x89, 0x4D, 0xE5, 0xEA, 0x44, 0x78, 0x29, 0x62, 0xDB, 0x3F, 0xF0, 0xF7,
0x49, 0x15, 0xA5, 0xAE, 0x6D, 0x81, 0x8F, 0x06, 0x7B, 0x0B, 0x50, 0x7A, 0x2F, 0xEB, 0x00,
0xB6, 0x12, 0xF3, 0x10, 0xAF, 0x4D, 0x4A, 0xA9, 0xD9, 0x81, 0xBB, 0x1E, 0x2B, 0xDF, 0xB9,
0x33, 0x3D, 0xD6, 0xB7, 0x8D, 0x23, 0x7C, 0x7F, 0xE7, 0x12, 0x48, 0x4F, 0x26, 0x73, 0xAF,
0x63, 0x51, 0xA9, 0xDB, 0xA4, 0xAB, 0xB7, 0x27, 0x00, 0xD7, 0x1C, 0xFC, 0x2F, 0x61, 0x2A,
0xB9, 0x5B, 0x66, 0xA0, 0xE0, 0xD8, 0xF3, 0xD9,
];

let key_params = KeyParams::Ecc {
curve: EccCurve::NistP256,
scheme: EccScheme::create(
EccSchemeAlgorithm::EcDsa,
Some(HashingAlgorithm::Sha256),
None,
)
.expect("Failed to create ecc scheme"),
};
let mut ctx = create_ctx();
let _ = ctx
.load_external_public_key(PublicKey::Rsa(pub_key), key_params)
.unwrap_err();
}

#[test]
Expand Down Expand Up @@ -133,13 +166,15 @@ fn verify() {
);

let mut ctx = create_ctx();
let pub_key = ctx.load_external_rsa_public_key(&pub_key).unwrap();
let key_params = KeyParams::Rsa {
size: RsaKeyBits::Rsa1024,
scheme: RsaScheme::create(RsaSchemeAlgorithm::RsaSsa, Some(HashingAlgorithm::Sha256))
.expect("Failed to create RSA scheme"),
pub_exponent: RsaExponent::default(),
};
let pub_key = ctx
.load_external_public_key(PublicKey::Rsa(pub_key), key_params)
.unwrap();
let _ = ctx
.verify_signature(pub_key, key_params, digest, signature)
.expect("the signature should be valid");
Expand Down Expand Up @@ -195,13 +230,15 @@ fn encrypt_decrypt() {
.expect("Failed to create RSA scheme"),
pub_exponent: RsaExponent::default(),
};
let (key, auth) = ctx.create_key(key_params, 16).unwrap();
let dec_key = key.clone();
let (dec_key, auth) = ctx.create_key(key_params, 16).unwrap();
let enc_key = ctx
.load_external_public_key(dec_key.public().clone(), key_params)
.unwrap();
let message = vec![0x1, 0x2, 0x3];

let ciphertext = ctx
.rsa_encrypt(
key,
enc_key,
key_params,
None,
PublicKeyRsa::try_from(message.clone()).unwrap(),
Expand Down Expand Up @@ -294,11 +331,9 @@ fn verify_wrong_key() {
.unwrap();

// Import and verify with the second key
let pub_key = match key2.public() {
PublicKey::Rsa(pub_key) => pub_key,
_ => panic!("Got wrong type of key!"),
};
let pub_key = ctx.load_external_rsa_public_key(pub_key).unwrap();
let pub_key = ctx
.load_external_public_key(key2.public().clone(), key_params2)
.unwrap();
if let Error::Tss2Error(error) = ctx
.verify_signature(
pub_key,
Expand Down Expand Up @@ -332,11 +367,9 @@ fn verify_wrong_digest() {
Digest::try_from(HASH.to_vec()).unwrap(),
)
.unwrap();
let pub_key = match key.public() {
PublicKey::Rsa(pub_key) => pub_key,
_ => panic!("Got wrong type of key!"),
};
let pub_key = ctx.load_external_rsa_public_key(pub_key).unwrap();
let pub_key = ctx
.load_external_public_key(key.public().clone(), key_params)
.unwrap();

let mut digest_values = HASH.to_vec();
digest_values[0..4].copy_from_slice(&[0xDE, 0xAD, 0xBE, 0xEF]);
Expand Down Expand Up @@ -374,11 +407,9 @@ fn full_test() {
Digest::try_from(HASH.to_vec()).unwrap(),
)
.unwrap();
let pub_key = match key.public() {
PublicKey::Rsa(pub_key) => pub_key,
_ => panic!("Got wrong type of key!"),
};
let pub_key = ctx.load_external_rsa_public_key(pub_key).unwrap();
let pub_key = ctx
.load_external_public_key(key.public().clone(), key_params)
.unwrap();
let _ = ctx
.verify_signature(
pub_key,
Expand Down Expand Up @@ -450,9 +481,12 @@ fn full_ecc_test() {
Digest::try_from(HASH.to_vec()).unwrap(),
)
.unwrap();
let pub_key = ctx
.load_external_public_key(key.public().clone(), key_params)
.unwrap();
let _ = ctx
.verify_signature(
key,
pub_key,
key_params,
Digest::try_from(HASH.to_vec()).unwrap(),
signature,
Expand Down

0 comments on commit cc37191

Please sign in to comment.