libtpmtss: Support of RSAPSS signature scheme

2018-07-18 22:55:27 +02:00 · 2018-07-18 22:55:27 +02:00 · fd21c40b6c
parent e74e920bbc
commit fd21c40b6c
5 changed files with 66 additions and 14 deletions
--- a/src/libtpmtss/plugins/tpm/tpm_private_key.c
+++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c
@ -93,7 +93,7 @@ METHOD(private_key_t, sign, bool,
 	enumerator->destroy(enumerator);

 	return this->tpm->sign(this->tpm, this->hierarchy, this->handle, scheme,
-						   data, pin, signature);
+						   params, data, pin, signature);
 }

 METHOD(private_key_t, decrypt, bool,
--- a/src/libtpmtss/tpm_tss.h
+++ b/src/libtpmtss/tpm_tss.h
@ -125,14 +125,15 @@ struct tpm_tss_t {
 	 * @param handle		object handle of TPM key to be used for signature
 	 * @param hierarchy		hierarchy the TPM key object is attached to
 	 * @param scheme		scheme to be used for signature
+	 * @param param			signature scheme parameters
 	 * @param data			data to be hashed and signed
 	 * @param pin			PIN code or empty chunk
 	 * @param signature		returns signature
 	 * @return				TRUE if signature succeeded
 	 */
 	bool (*sign)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle,
-				 signature_scheme_t scheme, chunk_t data, chunk_t pin,
-				 chunk_t *signature);
+				 signature_scheme_t scheme, void *params, chunk_t data,
+				 chunk_t pin, chunk_t *signature);

 	/**
 	 * Get random bytes from the TPM
--- a/src/libtpmtss/tpm_tss_trousers.c
+++ b/src/libtpmtss/tpm_tss_trousers.c
@ -584,7 +584,8 @@ err1:

 METHOD(tpm_tss_t, sign, bool,
 	private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle,
-	signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+	signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+	chunk_t *signature)
 {
 	return FALSE;
 }
--- a/src/libtpmtss/tpm_tss_tss2_v1.c
+++ b/src/libtpmtss/tpm_tss_tss2_v1.c
@ -828,10 +828,12 @@ METHOD(tpm_tss_t, quote, bool,

 METHOD(tpm_tss_t, sign, bool,
 	private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
-	signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+	signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+	chunk_t *signature)
 {
 	key_type_t key_type;
 	hash_algorithm_t hash_alg;
+	rsa_pss_params_t *rsa_pss_params;
 	uint32_t rval;

 	TPM_ALG_ID alg_id;
@ -870,8 +872,17 @@ METHOD(tpm_tss_t, sign, bool,
 	}
 	*( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;

-	key_type = key_type_from_signature_scheme(scheme);
-	hash_alg = hasher_from_signature_scheme(scheme, NULL);
+	if (scheme == SIGN_RSA_EMSA_PSS)
+	{
+		key_type = KEY_RSA;
+		rsa_pss_params = (rsa_pss_params_t *)params;
+		hash_alg = rsa_pss_params->hash;
+	}
+	else
+	{
+		key_type = key_type_from_signature_scheme(scheme);
+		hash_alg = hasher_from_signature_scheme(scheme, NULL);
+	}

 	/* Check if hash algorithm is supported by TPM */
 	alg_id = hash_alg_to_tpm_alg_id(hash_alg);
@ -890,8 +901,16 @@ METHOD(tpm_tss_t, sign, bool,

 	if (key_type == KEY_RSA && public.t.publicArea.type == TPM_ALG_RSA)
 	{
-		sig_scheme.scheme = TPM_ALG_RSASSA;
-		sig_scheme.details.rsassa.hashAlg = alg_id;
+		if (scheme == SIGN_RSA_EMSA_PSS)
+		{
+			sig_scheme.scheme = TPM_ALG_RSAPSS;
+			sig_scheme.details.rsapss.hashAlg = alg_id;
+		}
+		else
+		{
+			sig_scheme.scheme = TPM_ALG_RSASSA;
+			sig_scheme.details.rsassa.hashAlg = alg_id;
+		}
 	}
 	else if (key_type == KEY_ECDSA && public.t.publicArea.type == TPM_ALG_ECC)
 	{
@ -983,6 +1002,12 @@ METHOD(tpm_tss_t, sign, bool,
 								sig.signature.rsassa.sig.t.buffer,
 								sig.signature.rsassa.sig.t.size));
 			break;
+		case SIGN_RSA_EMSA_PSS:
+			*signature = chunk_clone(
+							chunk_create(
+								sig.signature.rsapss.sig.t.buffer,
+								sig.signature.rsapss.sig.t.size));
+			break;
 		case SIGN_ECDSA_256:
 		case SIGN_ECDSA_384:
 		case SIGN_ECDSA_521:
--- a/src/libtpmtss/tpm_tss_tss2_v2.c
+++ b/src/libtpmtss/tpm_tss_tss2_v2.c
@ -742,10 +742,12 @@ METHOD(tpm_tss_t, quote, bool,

 METHOD(tpm_tss_t, sign, bool,
 	private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
-	signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+	signature_scheme_t scheme, void *params, chunk_t data, chunk_t pin,
+	chunk_t *signature)
 {
 	key_type_t key_type;
 	hash_algorithm_t hash_alg;
+	rsa_pss_params_t *rsa_pss_params;
 	uint32_t rval;

 	TPM2_ALG_ID alg_id;
@ -768,8 +770,17 @@ METHOD(tpm_tss_t, sign, bool,
 		memcpy(cmd->hmac.buffer, pin.ptr, cmd->hmac.size);
 	}

-	key_type = key_type_from_signature_scheme(scheme);
-	hash_alg = hasher_from_signature_scheme(scheme, NULL);
+	if (scheme == SIGN_RSA_EMSA_PSS)
+	{
+		key_type = KEY_RSA;
+		rsa_pss_params = (rsa_pss_params_t *)params;
+		hash_alg = rsa_pss_params->hash;
+	}
+	else
+	{
+		key_type = key_type_from_signature_scheme(scheme);
+		hash_alg = hasher_from_signature_scheme(scheme, NULL);
+	}

 	/* Check if hash algorithm is supported by TPM */
 	alg_id = hash_alg_to_tpm_alg_id(hash_alg);
@ -788,8 +799,16 @@ METHOD(tpm_tss_t, sign, bool,

 	if (key_type == KEY_RSA && public.publicArea.type == TPM2_ALG_RSA)
 	{
-		sig_scheme.scheme = TPM2_ALG_RSASSA;
-		sig_scheme.details.rsassa.hashAlg = alg_id;
+		if (scheme == SIGN_RSA_EMSA_PSS)
+		{
+			sig_scheme.scheme = TPM2_ALG_RSAPSS;
+			sig_scheme.details.rsapss.hashAlg = alg_id;
+		}
+		else
+		{
+			sig_scheme.scheme = TPM2_ALG_RSASSA;
+			sig_scheme.details.rsassa.hashAlg = alg_id;
+		}
 	}
 	else if (key_type == KEY_ECDSA && public.publicArea.type == TPM2_ALG_ECC)
 	{
@ -881,6 +900,12 @@ METHOD(tpm_tss_t, sign, bool,
 								sig.signature.rsassa.sig.buffer,
 								sig.signature.rsassa.sig.size));
 			break;
+		case SIGN_RSA_EMSA_PSS:
+			*signature = chunk_clone(
+							chunk_create(
+								sig.signature.rsapss.sig.buffer,
+								sig.signature.rsapss.sig.size));
+			break;
 		case SIGN_ECDSA_256:
 		case SIGN_ECDSA_384:
 		case SIGN_ECDSA_521: