utils: Add support for loadexternal schemes.
Add loadexternal signing and encryption schemes. Update the testrsa
and testhelp scripts for the new options.  Update the man page.

Add regression tests for encryption with an OpenSSL generated key for
oaep and pkcs1.

Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
kgold2 committed Dec 8, 2023
1 parent 862abb6 commit bf8db48
Showing 6 changed files with 513 additions and 130 deletions.
109 changes: 73 additions & 36 deletions utils/loadexternal.c
Expand Up @@ -40,7 +40,7 @@
DER example:
Create a key pair in PEM format
> openssl genrsa -out keypair.pem -aes256 -passout pass:rrrr 2048
> openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem
Expand Down Expand Up @@ -84,7 +84,7 @@ int main(int argc, char *argv[])
char hierarchyChar = 0;
TPMI_RH_HIERARCHY hierarchy = TPM_RH_NULL;
int keyType = TYPE_SI;
TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_RSASSA;
TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_ERROR; /* illegal value marker */
uint32_t keyTypeSpecified = 0;
TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
TPMI_ALG_HASH halg = TPM_ALG_SHA256;
Expand All @@ -106,14 +106,15 @@ int main(int argc, char *argv[])
setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
tssUtilsVerbose = FALSE;

/* command line argument defaults */
for (i=1 ; (i<argc) && (rc == 0) ; i++) {
if (strcmp(argv[i],"-hi") == 0) {
i++;
if (i < argc) {
if (argv[i][0] != 'e' && argv[i][0] != 'o' &&
argv[i][0] != 'p' && argv[i][0] != 'n') {
printf("Illegal -hi parameter %c\n", argv[i][0]);
printUsage();
}
hierarchyChar = argv[i][0];
Expand All @@ -122,7 +123,6 @@ int main(int argc, char *argv[])
printf("Missing parameter for -hi\n");
printUsage();
}

}
else if (strcmp(argv[i],"-halg") == 0) {
i++;
Expand Down Expand Up @@ -181,34 +181,39 @@ int main(int argc, char *argv[])
algPublic = TPM_ALG_ECC;
}
else if (strcmp(argv[i],"-scheme") == 0) {
if (keyType == TYPE_SI) {
i++;
if (i < argc) {
if (strcmp(argv[i],"rsassa") == 0) {
scheme = TPM_ALG_RSASSA;
}
else if (strcmp(argv[i],"rsapss") == 0) {
scheme = TPM_ALG_RSAPSS;
}
else {
printf("Bad parameter %s for -scheme\n", argv[i]);
printUsage();
}
i++;
if (i < argc) {
if (strcmp(argv[i],"rsassa") == 0) {
scheme = TPM_ALG_RSASSA;
}
else if (strcmp(argv[i],"rsapss") == 0) {
scheme = TPM_ALG_RSAPSS;
}
else if (strcmp(argv[i],"rsapkcs1") == 0) {
scheme = TPM_ALG_RSAES;
}
else if (strcmp(argv[i],"rsaoaep") == 0) {
scheme = TPM_ALG_OAEP;
}
else if (strcmp(argv[i],"null") == 0) {
scheme = TPM_ALG_NULL;
}
else {
printf("Bad parameter %s for -scheme\n", argv[i]);
printUsage();
}
}
else {
printf("-scheme can only be specified for signing key\n");
printf("-scheme option needs a value\n");
printUsage();
}
}
else if (strcmp(argv[i], "-st") == 0) {
keyType = TYPE_ST;
scheme = TPM_ALG_NULL;
keyTypeSpecified++;
}
else if (strcmp(argv[i], "-den") == 0) {
keyType = TYPE_DEN;
scheme = TPM_ALG_NULL;
keyTypeSpecified++;
}
else if (strcmp(argv[i], "-si") == 0) {
Expand Down Expand Up @@ -363,6 +368,35 @@ int main(int argc, char *argv[])
keyType = TYPE_DEN;
}
}
/* set scheme defaults if scheme has not bee specified */
if (scheme == TPM_ALG_ERROR) {
if (keyType == TYPE_DEN) {
scheme = TPM_ALG_NULL;
}
else if (keyType == TYPE_SI) {
scheme = TPM_ALG_RSASSA;
}
else if (keyType == TYPE_ST) {
scheme = TPM_ALG_NULL;
}
}
/* check for valid scheme */
if (keyType == TYPE_SI) {
if ((scheme != TPM_ALG_NULL) &&
(scheme != TPM_ALG_RSASSA) &&
(scheme != TPM_ALG_RSAPSS)) {
printf("Illegal scheme %04x for signing key\n", scheme);
printUsage();
}
}
if (keyType == TYPE_DEN) {
if ((scheme != TPM_ALG_NULL) &&
(scheme != TPM_ALG_RSAES) &&
(scheme != TPM_ALG_OAEP)) {
printf("Illegal scheme %04x for decryption key\n", scheme);
printUsage();
}
}
/* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
if (rc == 0) {
if (hierarchyChar == 'e') {
Expand Down Expand Up @@ -465,7 +499,7 @@ int main(int argc, char *argv[])
/* call TSS to execute the command */
if (rc == 0) {
rc = TSS_Execute(tssContext,
(RESPONSE_PARAMETERS *)&out,
(RESPONSE_PARAMETERS *)&out,
(COMMAND_PARAMETERS *)&in,
NULL,
TPM_CC_LoadExternal,
Expand Down Expand Up @@ -513,23 +547,26 @@ static void printUsage(void)
printf("\t[-hi\thierarchy (e, o, p, n) (default NULL)]\n");
printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
printf("\n");
printf("\t[Asymmetric Key Algorithm]\n");
printf("\n");
printf("\t[-rsa\t(default)]\n");
printf("\t[-ecc\t]\n");
printf("\n");
printf("\t-ipu\tTPM2B_PUBLIC public key file name\n");
printf("\t-ipem\tPEM format public key file name\n");
printf("\t-ider\tDER format plaintext key pair file name\n");
printf("\t\t[-rsa\t(default)]\n");
printf("\t\t[-ecc\t]\n");
printf("\tInput\n");
printf("\t\t-ipu\tTPM2B_PUBLIC public key file name\n");
printf("\t\t-ipem\tPEM format public key file name\n");
printf("\t\t-ider\tDER format plaintext key pair file name\n");
printf("\t[-pwdk\tpassword for DER key (default empty)]\n");
printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
printf("\t[-si\tsigning (default) RSA]\n");
printf("\t[-scheme for signing key (default RSASSA scheme)]\n");
printf("\t\trsassa\n");
printf("\t\trsapss\n");
printf("\t[-st\tstorage (default NULL scheme)]\n");
printf("\t[-den\tdecryption, (unrestricted, RSA and EC NULL scheme)\n");
printf("\t[Key Type]\n");
printf("\t\t[-si\tsigning (default)\n");
printf("\t\t[-st\tdecryption]\n");
printf("\t\t[-den\tdecryption]\n");
printf("\t[-scheme]\n");
printf("\t\trsassa\tdefault for a signing key\n");
printf("\t\trsapss\tvalid for a signing key\n");
printf("\t\trsapkcs1\tvalid for a decryption key\n");
printf("\t\trsaoaep\tvalid for a decryption key\n");
printf("\t\tnull\tdefault for decryption key, valid for any key\n");

printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n");
printf("\t\tUseful to paste into policy\n");
printf("\n");
Expand All @@ -540,5 +577,5 @@ static void printUsage(void)
printf("\t80\taudit\n");
printf("\n");
printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
exit(1);
}
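Review bot: The rewritten usage text in printUsage misdescribes the key types: `printf("\t\t[-si\tsigning (default)\n");` lacks its closing bracket, and `-st` is printed as "decryption" although it selects the storage key type (the removed text read "storage (default NULL scheme)"); the man page hunk repeats the same wording for -st. Suggested lines: `printf("\t\t[-si\tsigning (default)]\n");` and `printf("\t\t[-st\tstorage]\n");`. In the earlier hunk of main(), the new validation block only checks the scheme for TYPE_SI and TYPE_DEN, so `-st` combined with an explicit `-scheme rsassa` passes through unchecked and is presumably only rejected by the TPM later; a third branch rejecting anything but TPM_ALG_NULL for TYPE_ST would keep the error message local and consistent with the other two. The comment on that block also has a typo: `has not bee specified` should read `has not been specified`. main() itself starts and ends outside these hunks.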
37 changes: 20 additions & 17 deletions utils/man/man1/tssloadexternal.1
@@ -1,5 +1,4 @@
'.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
.TH TSSLOADEXTERNAL "1" "November 2020" "tssloadexternal 1.6" "User Commands"
.TH TSSLOADEXTERNAL "1" "December 2023" "tssloadexternal 2.2" "User Commands"
.SH NAME
tssloadexternal \- Runs tssloadexternal
.SH DESCRIPTION
Expand All @@ -24,42 +23,46 @@ scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
[\-ecc
]
.TP
[Input]
.IP
\fB\-ipu\fR
TPM2B_PUBLIC public key file name
.TP
.IP
\fB\-ipem\fR
PEM format public key file name
.TP
.IP
\fB\-ider\fR
DER format plaintext key pair file name
.TP
.IP
[\-pwdk
password for DER key (default empty)]
.TP
.IP
[\-uwa
userWithAuth attribute clear (default set)]
.TP
[Key Type]
.IP
[\-si
signing (default) RSA]
.TP
[\-scheme
for signing key (default RSASSA scheme)]
signing (default)]
.IP
rsassa
rsapss
.TP
[\-st
storage (default NULL scheme)]
.TP
decryption]
.IP
[\-den
decryption, (unrestricted, RSA and EC NULL scheme)
decryption]
.TP
[\-scheme
.IP
for signing key: rsassa (default) rsapss null ]
.IP
for decryption key: rsapkcs1 rsaoaep null (default) ]
.TP
[\-ns
additionally print Name in hex ascii on one line]
Useful to paste into policy
.HP
\fB\-se[0\-2]\fR session handle / attributes (default NULL)
.TP
.IP
01
continue
.IP