#include <tpm2_pkops.h>

Inheritance diagram for Botan::TPM2::Signature_Operation:

Public Member Functions
virtual AlgorithmIdentifier	algorithm_identifier () const

std::string	hash_function () const override

std::vector< uint8_t >	sign (Botan::RandomNumberGenerator &rng) override

virtual size_t	signature_length () const =0

	Signature_Operation (const Object &object, const SessionBundle &sessions, const SignatureAlgorithmSelection &algorithms)

void	update (std::span< const uint8_t > msg) override

Protected Member Functions
Botan::HashFunction *	hash ()

const Object &	key_handle () const

virtual std::vector< uint8_t >	marshal_signature (const TPMT_SIGNATURE &signature) const =0

std::optional< std::string >	padding () const

const TPMT_SIG_SCHEME &	scheme () const

const SessionBundle &	sessions () const

Detailed Description

If the key is restricted, this will transparently use the TPM to hash the data to obtain a validation ticket.

TPM Library, Part 1: Architecture", Section 11.4.6.3 (4) This ticket is used to indicate that a digest of external data is safe to sign using a restricted signing key. A restricted signing key may only sign a digest that was produced by the TPM. [...] This prevents forgeries of attestation data.

Definition at line 74 of file tpm2_pkops.h.

Constructor & Destructor Documentation

◆ Signature_Operation()

Botan::TPM2::Signature_Operation::Signature_Operation	(	const Object &	object,
		const SessionBundle &	sessions,
		const SignatureAlgorithmSelection &	algorithms )

Definition at line 45 of file tpm2_pkops.cpp.

                                                                                        :
      Botan::TPM2::Signature_Operation_Base<PK_Ops::Signature>(
         object, sessions, algorithms, create_hash_function(object, sessions, algorithms.hash_name)) {}

Member Function Documentation

◆ algorithm_identifier()

AlgorithmIdentifier Botan::PK_Ops::Signature::algorithm_identifier ( ) const

virtualinherited

Return an algorithm identifier associated with this signature scheme.

Default implementation throws an exception

Reimplemented in Botan::XMSS_Signature_Operation.

Definition at line 24 of file pk_ops.cpp.

                                                                {
   throw Not_Implemented("This signature scheme does not have an algorithm identifier available");
}

◆ hash()

Botan::HashFunction * Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::hash ( )

inlineprotectedinherited

Definition at line 46 of file tpm2_pkops.h.

46{ return m_hash.get(); }

Referenced by sign().

◆ hash_function()

std::string Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::hash_function ( ) const

inlineoverridevirtualinherited

Implements Botan::PK_Ops::Signature.

Definition at line 43 of file tpm2_pkops.h.

43{ return m_hash->name(); }

◆ key_handle()

const Object & Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::key_handle ( ) const

inlineprotectedinherited

Definition at line 48 of file tpm2_pkops.h.

48{ return m_key_handle; }

Referenced by sign().

◆ marshal_signature()

virtual std::vector< uint8_t > Botan::TPM2::Signature_Operation::marshal_signature ( const TPMT_SIGNATURE & signature ) const

protectedpure virtual

Referenced by sign().

◆ padding()

std::optional< std::string > Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::padding ( ) const

inlineprotectedinherited

Definition at line 54 of file tpm2_pkops.h.

54{ return m_padding; }

◆ scheme()

const TPMT_SIG_SCHEME & Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::scheme ( ) const

inlineprotectedinherited

Definition at line 52 of file tpm2_pkops.h.

52{ return m_scheme; }

Referenced by sign().

◆ sessions()

const SessionBundle & Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::sessions ( ) const

inlineprotectedinherited

Definition at line 50 of file tpm2_pkops.h.

50{ return m_sessions; }

Referenced by sign().

◆ sign()

std::vector< uint8_t > Botan::TPM2::Signature_Operation::sign ( Botan::RandomNumberGenerator & rng )

overridevirtual

Perform a signature operation

Parameters

rng	a random number generator

Implements Botan::PK_Ops::Signature.

Definition at line 51 of file tpm2_pkops.cpp.

                                                                            {
   BOTAN_UNUSED(rng);
 
   auto do_sign = [this](const TPM2B_DIGEST& digest, const TPMT_TK_HASHCHECK& validation) {
      unique_esys_ptr<TPMT_SIGNATURE> signature;
      check_rc("Esys_Sign",
               Esys_Sign(*key_handle().context(),
                         key_handle().transient_handle(),
                         sessions()[0],
                         sessions()[1],
                         sessions()[2],
                         &digest,
                         &scheme(),
                         &validation,
                         out_ptr(signature)));
      BOTAN_ASSERT_NONNULL(signature);
      BOTAN_ASSERT_NOMSG(signature->sigAlg == scheme().scheme);
      BOTAN_ASSERT_NOMSG(signature->signature.any.hashAlg == scheme().details.any.hashAlg);
      return signature;
   };
 
   auto signature = [&] {
      if(auto h = dynamic_cast<HashFunction*>(hash())) {
         // This is a TPM2-based hash object that calculated the digest on
         // the TPM. We can use the validation ticket to create the signature.
         auto [digest, validation] = h->final_with_ticket();
         BOTAN_ASSERT_NONNULL(digest);
         BOTAN_ASSERT_NONNULL(validation);
         return do_sign(*digest, *validation);
      } else {
         // This is a software hash, so we have to stub the validation ticket
         // and create the signature without it.
         TPM2B_DIGEST digest;
         hash()->final(as_span(digest, hash()->output_length()));
         return do_sign(digest,
                        TPMT_TK_HASHCHECK{
                           .tag = TPM2_ST_HASHCHECK,
                           .hierarchy = TPM2_RH_NULL,
                           .digest = init_empty<TPM2B_DIGEST>(),
                        });
      }
   }();
 
   return marshal_signature(*signature);
}

References Botan::TPM2::as_span(), BOTAN_ASSERT_NOMSG, BOTAN_ASSERT_NONNULL, BOTAN_UNUSED, Botan::TPM2::check_rc(), Botan::Buffered_Computation::final(), Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::hash(), Botan::TPM2::init_empty(), Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::key_handle(), marshal_signature(), Botan::out_ptr(), Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::scheme(), and Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::sessions().

◆ signature_length()

virtual size_t Botan::PK_Ops::Signature::signature_length ( ) const

pure virtualinherited

Return an upper bound on the length of the output signature

Implemented in Botan::XMSS_Signature_Operation.

◆ update()

void Botan::TPM2::Signature_Operation_Base< PK_Ops::Signature >::update ( std::span< const uint8_t > input )

inlineoverridevirtualinherited

Implements Botan::PK_Ops::Signature.

Definition at line 41 of file tpm2_pkops.h.

41{ m_hash->update(msg); }

The documentation for this class was generated from the following files:

src/lib/prov/tpm2/tpm2_pkops.h
src/lib/prov/tpm2/tpm2_pkops.cpp

Public Member Functions

Protected Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ Signature_Operation()

Member Function Documentation

◆ algorithm_identifier()

◆ hash()

◆ hash_function()

◆ key_handle()

◆ marshal_signature()

◆ padding()

◆ scheme()

◆ sessions()

◆ sign()

◆ signature_length()

◆ update()