diff --git a/tss-esapi/src/abstraction/ak.rs b/tss-esapi/src/abstraction/ak.rs
index cb0ccac3..3693e12f 100644
--- a/tss-esapi/src/abstraction/ak.rs
+++ b/tss-esapi/src/abstraction/ak.rs
@@ -8,8 +8,8 @@ use crate::{
 handles::{AuthHandle, KeyHandle, SessionHandle},
 interface_types::{
 algorithm::{
- EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm,
- SignatureSchemeAlgorithm,
+ AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm,
+ RsaSchemeAlgorithm, SignatureSchemeAlgorithm,
 },
 session_handles::PolicySession,
 },
@@ -21,6 +21,7 @@ use crate::{
 },
 Context, Error, Result, WrapperErrorKind,
 };
+use log::error;
 use std::convert::TryFrom;
 
 // Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.5 Revision 2
@@ -56,6 +57,7 @@ const POLICY_C_SM3_256: [u8; 32] = [
 0x56, 0x99, 0xa3, 0xe3, 0x9f, 0xc3, 0x55, 0x1b, 0xfe, 0xff, 0xcf, 0x13, 0x2b, 0x49, 0xe1, 0x1d,
 ];
 
+/// Creates a Public object for an AK key.
 fn create_ak_public(
 key_alg: AsymmetricAlgorithmSelection,
 hash_alg: HashingAlgorithm,
@@ -228,8 +230,36 @@ pub fn load_ak(
 Ok(key_handle)
 }
 
-/// This creates an Attestation Key in the Endorsement hierarchy
+/// This creates an Attestation Key in the Endorsement hierarchy.
 pub fn create_ak(
+ context: &mut Context,
+ parent: KeyHandle,
+ hash_alg: HashingAlgorithm,
+ sign_alg: SignatureSchemeAlgorithm,
+ ak_auth_value: Option,
+ key_customization: IKC,
+) -> Result {
+ let key_alg = AsymmetricAlgorithm::try_from(sign_alg).map_err(|e| {
+ // sign_alg is either HMAC or Null.
+ error!("Could not retrieve asymmetric algorithm for provided signature scheme");
+ e
+ })?;
+ create_ak_2(
+ context,
+ parent,
+ hash_alg,
+ AsymmetricAlgorithmSelection::try_from(key_alg)?,
+ sign_alg,
+ ak_auth_value,
+ key_customization,
+ )
+}
+
+/// This creates an Attestation Key in the Endorsement hierarchy.
+///
+/// # Details
+/// This is only replace the `create_ak` API in the next major version.
+pub fn create_ak_2(
 context: &mut Context,
 parent: KeyHandle,
 hash_alg: HashingAlgorithm,
diff --git a/tss-esapi/src/abstraction/ek.rs b/tss-esapi/src/abstraction/ek.rs
index df13e76b..4ea31428 100644
--- a/tss-esapi/src/abstraction/ek.rs
+++ b/tss-esapi/src/abstraction/ek.rs
@@ -6,7 +6,7 @@ use crate::{
 attributes::ObjectAttributesBuilder,
 handles::{KeyHandle, NvIndexTpmHandle, TpmHandle},
 interface_types::{
- algorithm::{HashingAlgorithm, PublicAlgorithm},
+ algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm},
 ecc::EccCurve,
 key_bits::RsaKeyBits,
 resource_handles::{Hierarchy, NvAuth},
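Review bot: The `# Details` paragraph on `create_ak_2` reads `This is only replace the `create_ak` API in the next major version.`, which is ungrammatical and leaves the deprecation plan unclear; `/// This will replace the create_ak API in the next major version.` states it, and the same sentence recurs on `create_ek_public_from_default_template_2` and `create_ek_object_2` in ek.rs. In the `create_ak` wrapper the key size or curve is now chosen by `AsymmetricAlgorithmSelection::try_from(key_alg)?`, so existing callers get whatever default that conversion picks for RSA or ECC; that default is not visible in this diff, and the wrapper's doc should name it so a caller can judge the strength of the resulting AK, e.g. `/// Uses the default key size/curve for the algorithm implied by sign_alg; use create_ak_2 to choose it explicitly.`. The `error!` in the `map_err` closure logs at error level for a caller-supplied `sign_alg` that is simply not asymmetric, a recoverable input error whose `Error` is already propagated unchanged; for a library crate a lower level (or no log) is the usual choice. The body of `create_ak_2` continues outside the hunk.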
@@ -61,6 +61,25 @@ const AUTH_POLICY_B_SM3_256: [u8; 32] = [
 /// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
 /// Appendix B.3.3 and B.3.4
 pub fn create_ek_public_from_default_template(
+ alg: AsymmetricAlgorithm,
+ key_customization: IKC,
+) -> Result {
+ create_ek_public_from_default_template_2(
+ AsymmetricAlgorithmSelection::try_from(alg)?,
+ key_customization,
+ )
+}
+
+/// Get the [`Public`] representing a default Endorsement Key
+///
+/// **Note**: This only works for key algorithms specified in TCG EK Credential Profile for TPM Family 2.0.
+///
+/// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
+/// Appendix B.3.3 and B.3.4
+///
+/// # Details
+/// This is only replace the `create_ek_public_from_default_template` API in the next major version.
+pub fn create_ek_public_from_default_template_2(
 alg: AsymmetricAlgorithmSelection,
 key_customization: IKC,
 ) -> Result {
@@ -192,11 +211,27 @@ pub fn create_ek_public_from_default_template(
 
 /// Create the Endorsement Key object from the specification templates
 pub fn create_ek_object(
+ context: &mut Context,
+ alg: AsymmetricAlgorithm,
+ key_customization: IKC,
+) -> Result {
+ create_ek_object_2(
+ context,
+ AsymmetricAlgorithmSelection::try_from(alg)?,
+ key_customization,
+ )
+}
+
+/// Create the Endorsement Key object from the specification templates
+///
+/// # Details
+/// This is only replace the `create_ek_object` API in the next major version.
+pub fn create_ek_object_2(
 context: &mut Context,
 alg: AsymmetricAlgorithmSelection,
 key_customization: IKC,
 ) -> Result {
- let ek_public = create_ek_public_from_default_template(alg, key_customization)?;
+ let ek_public = create_ek_public_from_default_template_2(alg, key_customization)?;
 Ok(context
 .execute_with_nullauth_session(|ctx| {
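Review bot: The legacy `create_ek_public_from_default_template` keeps its original doc comment (the `/// Source:` and `/// Appendix` context lines at the top of the hunk) but now resolves the key size or curve through `AsymmetricAlgorithmSelection::try_from(alg)?`, so a caller passing an `AsymmetricAlgorithm` receives a default EK template the doc never mentions, and the conversion's error is propagated without added context. A line in that doc such as `/// Uses the default key size/curve for alg; call create_ek_public_from_default_template_2 to select one explicitly.` would make the template a caller ends up with predictable, which matters because the EK public is what remote verifiers match against the manufacturer certificate. The same consideration applies to the `create_ek_object` wrapper in the next hunk of this file. The body of `create_ek_public_from_default_template_2` continues outside the hunk.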
diff --git a/tss-esapi/src/abstraction/transient/key_attestation.rs b/tss-esapi/src/abstraction/transient/key_attestation.rs
index 48a075f4..5d39bbbe 100644
--- a/tss-esapi/src/abstraction/transient/key_attestation.rs
+++ b/tss-esapi/src/abstraction/transient/key_attestation.rs
@@ -152,7 +152,7 @@ impl TransientKeyContext {
 None,
 );
 Ok((
- ek::create_ek_object(
+ ek::create_ek_object_2(
 &mut self.context,
 AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048),
 None,
@@ -192,7 +192,7 @@ impl TransientKeyContext {
 }
 
 fn get_ek_object_public(context: &mut crate::Context) -> Result {
- let key_handle = ek::create_ek_object(
+ let key_handle = ek::create_ek_object_2(
 context,
 AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048),
 None,