Botan 3.7.1
Crypto and TLS for C&
Namespaces | Classes | Concepts | Typedefs | Functions
Botan::TPM2 Namespace Reference

Namespaces

namespace  detail
 

Classes

class  AttributeWrapper
 
class  Context
 
struct  CryptoCallbackState
 
class  EC_PrivateKey
 
class  EC_PublicKey
 
class  Error
 
struct  esys_liberator
 
class  HashFunction
 
class  Object
 
struct  ObjectAttributes
 
struct  ObjectHandles
 
class  ObjectSetter
 
class  PrivateKey
 
struct  PropMap
 
struct  PublicInfo
 
class  PublicKey
 
class  RandomNumberGenerator
 
class  RSA_PrivateKey
 
class  RSA_PublicKey
 
class  Session
 
struct  SessionAttributes
 
class  SessionBundle
 
class  Signature_Operation
 
class  Signature_Operation_Base
 
struct  SignatureAlgorithmSelection
 
class  Verification_Operation
 

Concepts

concept  tpm2_buffer
 

Typedefs

using TPMA_SESSION = uint8_t
 
template<typename T >
using unique_esys_ptr = std::unique_ptr<T, esys_liberator>
 A unique pointer type for ESYS handles that automatically frees the handle.
 

Functions

constexpr auto as_span (tpm2_buffer auto &data)
 Construct a std::span as a view into a TPM2 buffer.
 
constexpr auto as_span (tpm2_buffer auto &data, size_t length)
 
std::optional< TPM2_ALG_ID > asymmetric_algorithm_botan_to_tss2 (std::string_view algo_name) noexcept
 
std::optional< std::pair< TPMI_ALG_SYM, TPM2_KEY_BITS > > block_cipher_botan_to_tss2 (std::string_view cipher_name) noexcept
 
std::optional< std::string > block_cipher_tss2_to_botan (TPMI_ALG_SYM cipher_id, TPM2_KEY_BITS key_bits) noexcept
 
constexpr void check_rc (std::string_view location, TSS2_RC rc)
 
template<TSS2_RC... expected_errors>
requires (sizeof...(expected_errors) > 0)
constexpr TSS2_RC check_rc_expecting (std::string_view location, TSS2_RC rc)
 
std::optional< TPMT_SYM_DEF > cipher_botan_to_tss2 (std::string_view algo_name)
 
std::optional< TPMI_ALG_SYM_MODE > cipher_mode_botan_to_tss2 (std::string_view mode_name) noexcept
 
std::optional< std::string > cipher_mode_tss2_to_botan (TPMI_ALG_SYM_MODE mode_id)
 
std::optional< std::string > cipher_tss2_to_botan (TPMT_SYM_DEF cipher_def) noexcept
 
template<concepts::resizable_byte_buffer OutT>
constexpr OutT copy_into (const tpm2_buffer auto &data)
 
template<tpm2_buffer T>
constexpr T copy_into (std::span< const uint8_t > data)
 
template<tpm2_buffer T>
constexpr void copy_into (T &dest, std::span< const uint8_t > data)
 
std::optional< size_t > curve_id_order_byte_size (TPMI_ECC_CURVE curve_id)
 
std::optional< std::string > curve_id_tss2_to_botan (TPMI_ECC_CURVE mode_id)
 
std::string get_botan_hash_name (TPM2_ALG_ID hash_id)
 
TSS2_RC get_raw_rc (TSS2_RC rc)
 
std::optional< TPM2_ECC_CURVE > get_tpm2_curve_id (const OID &curve_oid)
 
TPMI_ALG_HASH get_tpm2_hash_type (std::string_view hash_name)
 
TPMT_SYM_DEF get_tpm2_sym_cipher_spec (std::string_view algo_name)
 
std::optional< TPMI_ALG_HASH > hash_algo_botan_to_tss2 (std::string_view hash_name) noexcept
 
std::optional< std::string > hash_algo_tss2_to_botan (TPMI_ALG_HASH hash_id) noexcept
 
template<tpm2_buffer T>
constexpr T init_empty ()
 Create an empty TPM2 buffer of the given type.
 
template<tpm2_buffer T>
constexpr T init_with_size (size_t length)
 Create a TPM2 buffer of a given type and length.
 
constexpr auto out_persistent_handle (Object &object)
 
constexpr auto out_transient_handle (Object &object)
 
template<typename MaskT , typename FieldPointerT >
 PropMap (MaskT, FieldPointerT) -> PropMap< MaskT, FieldPointerT >
 Deduction guide to simplify the creation of PropMap instances.
 
std::optional< TPMI_ALG_ASYM_SCHEME > rsa_encryption_padding_botan_to_tss2 (std::string_view name) noexcept
 
std::optional< TPMT_RSA_DECRYPT > rsa_encryption_scheme_botan_to_tss2 (std::string_view padding)
 
std::pair< BigInt, BigIntrsa_pubkey_components_from_tss2_public (const TPM2B_PUBLIC *public_area)
 
std::optional< TPMI_ALG_SIG_SCHEME > rsa_signature_padding_botan_to_tss2 (std::string_view padding_name) noexcept
 
std::optional< TPMT_SIG_SCHEME > rsa_signature_scheme_botan_to_tss2 (std::string_view name)
 
void set_crypto_callbacks (ESYS_CONTEXT *ctx, void *callback_state)
 
bool supports_botan_crypto_backend () noexcept
 
std::unique_ptr< CryptoCallbackStateuse_botan_crypto_backend (ESYS_CONTEXT *context, const std::shared_ptr< Botan::RandomNumberGenerator > &rng)
 

Typedef Documentation

◆ TPMA_SESSION

using Botan::TPM2::TPMA_SESSION = uint8_t

Definition at line 20 of file tpm2_session.h.

◆ unique_esys_ptr

template<typename T >
using Botan::TPM2::unique_esys_ptr = std::unique_ptr<T, esys_liberator>

A unique pointer type for ESYS handles that automatically frees the handle.

Definition at line 162 of file tpm2_util.h.

Function Documentation

◆ as_span() [1/2]

auto Botan::TPM2::as_span ( tpm2_buffer auto & data)
constexpr

Construct a std::span as a view into a TPM2 buffer.

Definition at line 102 of file tpm2_util.h.

102 {
103 return std::span{data.buffer, data.size};
104}

Referenced by as_span(), copy_into(), copy_into(), Botan::TPM2::PrivateKey::create_transient_from_template(), Botan::TPM2::Verification_Operation::is_valid_signature(), rsa_pubkey_components_from_tss2_public(), and Botan::TPM2::Signature_Operation::sign().

◆ as_span() [2/2]

auto Botan::TPM2::as_span ( tpm2_buffer auto & data,
size_t length )
constexpr

Set the size of data to length and construct a std::span as a view into data

Definition at line 108 of file tpm2_util.h.

108 {
109 BOTAN_ASSERT_NOMSG(length <= sizeof(data.buffer));
110 data.size = static_cast<decltype(data.size)>(length);
111 return as_span(data);
112}
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
Botan::TPM2::as_span
constexpr auto as_span(tpm2_buffer auto &data)
Construct a std::span as a view into a TPM2 buffer.
Definition tpm2_util.h:102

References as_span(), and BOTAN_ASSERT_NOMSG.

◆ asymmetric_algorithm_botan_to_tss2()

std::optional< TPM2_ALG_ID > Botan::TPM2::asymmetric_algorithm_botan_to_tss2 ( std::string_view algo_name)
inlinenodiscardnoexcept

Definition at line 26 of file tpm2_algo_mappings.h.

27 {
28 if(algo_name == "RSA") {
29 return TPM2_ALG_RSA;
30 } else if(algo_name == "ECC") {
31 return TPM2_ALG_ECC;
32 } else if(algo_name == "ECDSA") {
33 return TPM2_ALG_ECDSA;
34 } else if(algo_name == "ECDH") {
35 return TPM2_ALG_ECDH;
36 } else if(algo_name == "ECDAA") {
37 return TPM2_ALG_ECDAA;
38 } else {
39 return std::nullopt;
40 }
41}

Referenced by Botan::TPM2::Context::supports_algorithm().

◆ block_cipher_botan_to_tss2()

std::optional< std::pair< TPMI_ALG_SYM, TPM2_KEY_BITS > > Botan::TPM2::block_cipher_botan_to_tss2 ( std::string_view cipher_name)
inlinenodiscardnoexcept

Definition at line 159 of file tpm2_algo_mappings.h.

160 {
161 if(cipher_name == "AES-128") {
162 return std::pair{TPM2_ALG_AES, 128};
163 } else if(cipher_name == "AES-192") {
164 return std::pair{TPM2_ALG_AES, 192};
165 } else if(cipher_name == "AES-256") {
166 return std::pair{TPM2_ALG_AES, 256};
167 } else if(cipher_name == "SM4") {
168 return std::pair{TPM2_ALG_SM4, 128};
169 } else if(cipher_name == "Camellia-128") {
170 return std::pair{TPM2_ALG_CAMELLIA, 128};
171 } else if(cipher_name == "Camellia-192") {
172 return std::pair{TPM2_ALG_CAMELLIA, 192};
173 } else if(cipher_name == "Camellia-256") {
174 return std::pair{TPM2_ALG_CAMELLIA, 256};
175 } else if(cipher_name == "3DES") {
176 return std::pair{TPM2_ALG_TDES, 168};
177 } else {
178 return {};
179 }
180}

Referenced by cipher_botan_to_tss2(), and Botan::TPM2::Context::supports_algorithm().

◆ block_cipher_tss2_to_botan()

std::optional< std::string > Botan::TPM2::block_cipher_tss2_to_botan ( TPMI_ALG_SYM cipher_id,
TPM2_KEY_BITS key_bits )
inlinenodiscardnoexcept

Definition at line 120 of file tpm2_algo_mappings.h.

121 {
122 switch(cipher_id) {
123 case TPM2_ALG_AES:
124 if(key_bits == 128) {
125 return "AES-128";
126 } else if(key_bits == 192) {
127 return "AES-192";
128 } else if(key_bits == 256) {
129 return "AES-256";
130 }
131 break;
132
133 case TPM2_ALG_SM4:
134 if(key_bits == 128) {
135 return "SM4";
136 }
137 break;
138
139 case TPM2_ALG_CAMELLIA:
140 if(key_bits == 128) {
141 return "Camellia-128";
142 } else if(key_bits == 192) {
143 return "Camellia-192";
144 } else if(key_bits == 256) {
145 return "Camellia-256";
146 }
147 break;
148
149 case TPM2_ALG_TDES:
150 return "3DES";
151
152 default:
153 break;
154 }
155
156 return std::nullopt;
157}

Referenced by cipher_tss2_to_botan().

◆ check_rc()

void Botan::TPM2::check_rc ( std::string_view location,
TSS2_RC rc )
constexpr

Check the return code and throw an exception if some error occured.

Exceptions
TPM2::Errorif an error occured.

Definition at line 54 of file tpm2_util.h.

54 {
55 if(rc != TSS2_RC_SUCCESS) {
56 throw Error(location, rc);
57 }
58}

Referenced by Botan::TPM2::Object::_public_info(), Botan::TPM2::Session::attributes(), Botan::TPM2::Session::authenticated_session(), check_rc_expecting(), Botan::TPM2::Context::create(), Botan::TPM2::Context::create(), Botan::TPM2::PrivateKey::create_transient_from_template(), Botan::TPM2::Context::evict(), Botan::TPM2::HashFunction::final_with_ticket(), Botan::TPM2::PrivateKey::load_transient(), Botan::TPM2::PublicKey::load_transient(), Botan::TPM2::Context::persist(), Botan::TPM2::Session::set_attributes(), set_crypto_callbacks(), Botan::TPM2::Signature_Operation::sign(), Botan::TPM2::Session::tpm_nonce(), and Botan::TPM2::Session::unauthenticated_session().

◆ check_rc_expecting()

template<TSS2_RC... expected_errors>
requires (sizeof...(expected_errors) > 0)
TSS2_RC Botan::TPM2::check_rc_expecting ( std::string_view location,
TSS2_RC rc )
nodiscardconstexpr

Check the return code and throw an exception if an unexpected error occured.

Errors that are listed in the expected_errors parameter are considered expected and will not cause an exception to be thrown. Instead the error code is decoded and returned to the caller for further processing.

Exceptions
TPM2::Errorif an unexpected error occured.
Returns
TSS2_RC_SUCCESS or one of the expected error codes.

Definition at line 72 of file tpm2_util.h.

72 {
73 // If the RC is success, we can return early and avoid the decoding.
74 if(rc == TSS2_RC_SUCCESS) {
75 return rc;
76 }
77
78 // An error occured, we need to decode it to check if it was expected.
79 const TSS2_RC decoded_rc = get_raw_rc(rc);
80
81 // Check if the error is one of the expected and return those to the caller.
82 const bool is_expected_by_caller = ((decoded_rc == expected_errors) || ...);
83 if(is_expected_by_caller) {
84 return decoded_rc;
85 }
86
87 // The error was not expected, so call the normal error handling which
88 // will throw an exception.
89 check_rc(location, rc);
90
91 // We know, rc is not 'success', so this won't ever be reached.
92 return rc;
93}
TSS2_RC
uint32_t TSS2_RC
Forward declaration of TSS2 type for convenience.
Definition tpm2_error.h:15

References check_rc(), and get_raw_rc().

Referenced by Botan::TPM2::Verification_Operation::is_valid_signature().

◆ cipher_botan_to_tss2()

std::optional< TPMT_SYM_DEF > Botan::TPM2::cipher_botan_to_tss2 ( std::string_view algo_name)
inlinenodiscard

Definition at line 296 of file tpm2_algo_mappings.h.

296 {
297 SCAN_Name spec(algo_name);
298 if(spec.arg_count() == 0) {
299 return std::nullopt;
300 }
301
302 const auto cipher = block_cipher_botan_to_tss2(spec.arg(0));
303 const auto mode = cipher_mode_botan_to_tss2(spec.algo_name());
304
305 if(!cipher || !mode) {
306 return std::nullopt;
307 }
308
309 return TPMT_SYM_DEF{
310 .algorithm = cipher->first,
311 .keyBits = {.sym = cipher->second},
312 .mode = {.sym = mode.value()},
313 };
314}
Botan::SCAN_Name
Definition scan_name.h:22

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::arg(), Botan::SCAN_Name::arg_count(), block_cipher_botan_to_tss2(), and cipher_mode_botan_to_tss2().

Referenced by get_tpm2_sym_cipher_spec(), and Botan::TPM2::Context::supports_algorithm().

◆ cipher_mode_botan_to_tss2()

std::optional< TPMI_ALG_SYM_MODE > Botan::TPM2::cipher_mode_botan_to_tss2 ( std::string_view mode_name)
inlinenodiscardnoexcept

Definition at line 262 of file tpm2_algo_mappings.h.

262 {
263 if(mode_name == "CFB") {
264 return TPM2_ALG_CFB;
265 } else if(mode_name == "CBC") {
266 return TPM2_ALG_CBC;
267 } else if(mode_name == "ECB") {
268 return TPM2_ALG_ECB;
269 } else if(mode_name == "OFB") {
270 return TPM2_ALG_OFB;
271 } else if(mode_name == "CTR" || mode_name == "CTR-BE") {
272 return TPM2_ALG_CTR;
273 } else {
274 return std::nullopt;
275 }
276}

Referenced by cipher_botan_to_tss2(), and Botan::TPM2::Context::supports_algorithm().

◆ cipher_mode_tss2_to_botan()

std::optional< std::string > Botan::TPM2::cipher_mode_tss2_to_botan ( TPMI_ALG_SYM_MODE mode_id)
inlinenodiscard

Definition at line 182 of file tpm2_algo_mappings.h.

182 {
183 switch(mode_id) {
184 case TPM2_ALG_CFB:
185 return "CFB";
186 case TPM2_ALG_CBC:
187 return "CBC";
188 case TPM2_ALG_ECB:
189 return "ECB";
190 case TPM2_ALG_OFB:
191 return "OFB";
192 case TPM2_ALG_CTR:
193 return "CTR";
194 default: // TPMI_ALG_SYM_MODE is not an enum
195 return std::nullopt;
196 }
197}

Referenced by cipher_tss2_to_botan().

◆ cipher_tss2_to_botan()

std::optional< std::string > Botan::TPM2::cipher_tss2_to_botan ( TPMT_SYM_DEF cipher_def)
inlinenodiscardnoexcept
Returns
a Botan cipher mode name string if the cipher_id, key_bits and mode_name are known, otherwise std::nullopt

Definition at line 282 of file tpm2_algo_mappings.h.

282 {
283 const auto cipher_name = block_cipher_tss2_to_botan(cipher_def.algorithm, cipher_def.keyBits.sym);
284 if(!cipher_name) {
285 return std::nullopt;
286 }
287
288 const auto mode_name = cipher_mode_tss2_to_botan(cipher_def.mode.sym);
289 if(!mode_name) {
290 return std::nullopt;
291 }
292
293 return Botan::fmt("{}({})", mode_name.value(), cipher_name.value());
294}
Botan::TPM2::block_cipher_tss2_to_botan
std::optional< std::string > block_cipher_tss2_to_botan(TPMI_ALG_SYM cipher_id, TPM2_KEY_BITS key_bits) noexcept
Definition tpm2_algo_mappings.h:120
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

References block_cipher_tss2_to_botan(), cipher_mode_tss2_to_botan(), and Botan::fmt().

◆ copy_into() [1/3]

template<concepts::resizable_byte_buffer OutT>
OutT Botan::TPM2::copy_into ( const tpm2_buffer auto & data)
constexpr

Copy the content of the TPM2 buffer data into a new resizable byte buffer of the user's choosing.

Definition at line 133 of file tpm2_util.h.

133 {
134 OutT result;
135 result.resize(data.size);
136 copy_mem(result, as_span(data));
137 return result;
138}
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:147

References as_span(), and Botan::copy_mem().

◆ copy_into() [2/3]

template<tpm2_buffer T>
T Botan::TPM2::copy_into ( std::span< const uint8_t > data)
constexpr

Create a TPM2 buffer from the provided data, assuming that the provided data is not larger than the capacity of the buffer type.

Definition at line 124 of file tpm2_util.h.

124 {
125 T result;
126 copy_into(result, data);
127 return result;
128}
T
FE_25519 T
Definition ge.cpp:34
Botan::TPM2::copy_into
constexpr void copy_into(T &dest, std::span< const uint8_t > data)
Definition tpm2_util.h:117

References copy_into(), and T.

◆ copy_into() [3/3]

template<tpm2_buffer T>
void Botan::TPM2::copy_into ( T & dest,
std::span< const uint8_t > data )
constexpr

Copy the data into the TPM2 buffer dest, assuming that the provided data is not larger than the capacity of the buffer.

Definition at line 117 of file tpm2_util.h.

117 {
118 copy_mem(as_span(dest, data.size()), data);
119}

References as_span(), and Botan::copy_mem().

Referenced by copy_into(), Botan::TPM2::EC_PrivateKey::create_unrestricted_transient(), Botan::TPM2::RSA_PrivateKey::create_unrestricted_transient(), Botan::TPM2::PrivateKey::load_transient(), Botan::TPM2::Context::persist(), and Botan::TPM2::Session::tpm_nonce().

◆ curve_id_order_byte_size()

std::optional< size_t > Botan::TPM2::curve_id_order_byte_size ( TPMI_ECC_CURVE curve_id)
inlinenodiscard

Definition at line 221 of file tpm2_algo_mappings.h.

221 {
222 switch(curve_id) {
223 case TPM2_ECC_NIST_P192:
224 return 24;
225 case TPM2_ECC_NIST_P224:
226 return 28;
227 case TPM2_ECC_NIST_P256:
228 return 32;
229 case TPM2_ECC_NIST_P384:
230 return 48;
231 case TPM2_ECC_NIST_P521:
232 return 66; // Rounded up to the next full byte
233 case TPM2_ECC_SM2_P256:
234 return 32;
235 default:
236 return std::nullopt;
237 }
238}

◆ curve_id_tss2_to_botan()

std::optional< std::string > Botan::TPM2::curve_id_tss2_to_botan ( TPMI_ECC_CURVE mode_id)
inlinenodiscard

Definition at line 199 of file tpm2_algo_mappings.h.

199 {
200 // Currently, tpm2-tss does not include support for Brainpool curves or 25519/448.
201 // Once the corresponding PR (https://github.com/tpm2-software/tpm2-tss/pull/2897) is merged and released,
202 // this function should be updated.
203 switch(mode_id) {
204 case TPM2_ECC_NIST_P192:
205 return "secp192r1";
206 case TPM2_ECC_NIST_P224:
207 return "secp224r1";
208 case TPM2_ECC_NIST_P256:
209 return "secp256r1";
210 case TPM2_ECC_NIST_P384:
211 return "secp384r1";
212 case TPM2_ECC_NIST_P521:
213 return "secp521r1";
214 case TPM2_ECC_SM2_P256:
215 return "sm2p256v1";
216 default:
217 return std::nullopt;
218 }
219}

◆ get_botan_hash_name()

std::string Botan::TPM2::get_botan_hash_name ( TPM2_ALG_ID hash_id)
inlinenodiscard
Returns
a Botan hash name string if the hash_id value is known, otherwise throws Invalid_State

Definition at line 112 of file tpm2_algo_mappings.h.

112 {
113 if(auto hash_name = hash_algo_tss2_to_botan(hash_id)) {
114 return hash_name.value();
115 }
116
117 throw Invalid_State("TPM 2.0 hash object with unexpected hash type");
118}
Botan::Invalid_State
Definition exceptn.h:206
Botan::TPM2::hash_algo_tss2_to_botan
std::optional< std::string > hash_algo_tss2_to_botan(TPMI_ALG_HASH hash_id) noexcept
Definition tpm2_algo_mappings.h:85

References hash_algo_tss2_to_botan().

Referenced by Botan::TPM2::HashFunction::name().

◆ get_raw_rc()

TSS2_RC Botan::TPM2::get_raw_rc ( TSS2_RC rc)

Definition at line 18 of file tpm2_error.cpp.

18 {
19#if defined(BOTAN_TSS2_SUPPORTS_ERROR_DECODING)
20 TSS2_RC_INFO info;
21 const TSS2_RC decoding_rc = Tss2_RC_DecodeInfo(rc, &info);
22 if(decoding_rc != TSS2_RC_SUCCESS) [[unlikely]] {
23 throw Error(fmt("Decoding RC failed (was: {})", rc), decoding_rc);
24 }
25 return info.error;
26#else
27 // This fallback implementation is derived from the implementation of
28 // Tss2_RC_DecodeInfo in tpm2-tss 4.0.0.
29 const bool formatted = (rc & (1 << 7)) != 0;
30 if(formatted) {
31 return (rc & 0x3F) | TPM2_RC_FMT1;
32 } else {
33 return rc & 0xFFFF;
34 }
35#endif
36}

References Botan::fmt().

Referenced by check_rc_expecting().

◆ get_tpm2_curve_id()

std::optional< TPM2_ECC_CURVE > Botan::TPM2::get_tpm2_curve_id ( const OID & curve_oid)
inlinenodiscard

Definition at line 240 of file tpm2_algo_mappings.h.

240 {
241 // Currently, tpm2-tss does not include support for Brainpool curves or 25519/448.
242 // Once the corresponding PR (https://github.com/tpm2-software/tpm2-tss/pull/2897) is merged and released,
243 // this function should be updated.
244 const std::string curve_name = curve_oid.to_formatted_string();
245 if(curve_name == "secp192r1") {
246 return TPM2_ECC_NIST_P192;
247 } else if(curve_name == "secp224r1") {
248 return TPM2_ECC_NIST_P224;
249 } else if(curve_name == "secp256r1") {
250 return TPM2_ECC_NIST_P256;
251 } else if(curve_name == "secp384r1") {
252 return TPM2_ECC_NIST_P384;
253 } else if(curve_name == "secp521r1") {
254 return TPM2_ECC_NIST_P521;
255 } else if(curve_name == "sm2p256v1") {
256 return TPM2_ECC_SM2_P256;
257 } else {
258 return std::nullopt;
259 }
260}
Botan::OID::to_formatted_string
std::string to_formatted_string() const
Definition asn1_oid.cpp:139

References Botan::OID::to_formatted_string().

Referenced by Botan::TPM2::EC_PrivateKey::create_unrestricted_transient().

◆ get_tpm2_hash_type()

TPMI_ALG_HASH Botan::TPM2::get_tpm2_hash_type ( std::string_view hash_name)
inlinenodiscard
Returns
a TPMI_ALG_HASH value if the hash_name is known, otherwise throws Lookup_Error

Definition at line 73 of file tpm2_algo_mappings.h.

73 {
74 if(auto hash_id = hash_algo_botan_to_tss2(hash_name)) {
75 return hash_id.value();
76 }
77
78 throw Lookup_Error("TPM 2.0 Hash", hash_name);
79}
Botan::Lookup_Error
Definition exceptn.h:235
Botan::TPM2::hash_algo_botan_to_tss2
std::optional< TPMI_ALG_HASH > hash_algo_botan_to_tss2(std::string_view hash_name) noexcept
Definition tpm2_algo_mappings.h:47

References hash_algo_botan_to_tss2().

Referenced by Botan::TPM2::Session::authenticated_session(), and Botan::TPM2::Session::unauthenticated_session().

◆ get_tpm2_sym_cipher_spec()

TPMT_SYM_DEF Botan::TPM2::get_tpm2_sym_cipher_spec ( std::string_view algo_name)
inlinenodiscard

Definition at line 316 of file tpm2_algo_mappings.h.

316 {
317 if(auto cipher = cipher_botan_to_tss2(algo_name)) {
318 return cipher.value();
319 }
320
321 throw Lookup_Error("TPM 2.0 Symmetric Cipher Spec", algo_name);
322}
Botan::TPM2::cipher_botan_to_tss2
std::optional< TPMT_SYM_DEF > cipher_botan_to_tss2(std::string_view algo_name)
Definition tpm2_algo_mappings.h:296

References cipher_botan_to_tss2().

Referenced by Botan::TPM2::Session::authenticated_session(), and Botan::TPM2::Session::unauthenticated_session().

◆ hash_algo_botan_to_tss2()

std::optional< TPMI_ALG_HASH > Botan::TPM2::hash_algo_botan_to_tss2 ( std::string_view hash_name)
inlinenodiscardnoexcept
Returns
a TPMI_ALG_HASH value if the hash_name is known, otherwise std::nullopt

Definition at line 47 of file tpm2_algo_mappings.h.

47 {
48 if(hash_name == "SHA-1") {
49 return TPM2_ALG_SHA1;
50 } else if(hash_name == "SHA-256") {
51 return TPM2_ALG_SHA256;
52 } else if(hash_name == "SHA-384") {
53 return TPM2_ALG_SHA384;
54 } else if(hash_name == "SHA-512") {
55 return TPM2_ALG_SHA512;
56 } else if(hash_name == "SHA-3(256)") {
57 return TPM2_ALG_SHA3_256;
58 } else if(hash_name == "SHA-3(384)") {
59 return TPM2_ALG_SHA3_384;
60 } else if(hash_name == "SHA-3(512)") {
61 return TPM2_ALG_SHA3_512;
62 } else if(hash_name == "SM3") {
63 return TPM2_ALG_SM3_256;
64 } else {
65 return std::nullopt;
66 }
67}

Referenced by get_tpm2_hash_type(), rsa_encryption_scheme_botan_to_tss2(), rsa_signature_scheme_botan_to_tss2(), and Botan::TPM2::Context::supports_algorithm().

◆ hash_algo_tss2_to_botan()

std::optional< std::string > Botan::TPM2::hash_algo_tss2_to_botan ( TPMI_ALG_HASH hash_id)
inlinenodiscardnoexcept
Returns
a Botan hash name string if the hash_id value is known, otherwise std::nullopt

Definition at line 85 of file tpm2_algo_mappings.h.

85 {
86 switch(hash_id) {
87 case TPM2_ALG_SHA1:
88 return "SHA-1";
89 case TPM2_ALG_SHA256:
90 return "SHA-256";
91 case TPM2_ALG_SHA384:
92 return "SHA-384";
93 case TPM2_ALG_SHA512:
94 return "SHA-512";
95 case TPM2_ALG_SHA3_256:
96 return "SHA-3(256)";
97 case TPM2_ALG_SHA3_384:
98 return "SHA-3(384)";
99 case TPM2_ALG_SHA3_512:
100 return "SHA-3(512)";
101 case TPM2_ALG_SM3_256:
102 return "SM3";
103 default: // TPMI_ALG_HASH is not an enum
104 return std::nullopt;
105 }
106}

Referenced by get_botan_hash_name().

◆ init_empty()

template<tpm2_buffer T>
T Botan::TPM2::init_empty ( )
constexpr

Create an empty TPM2 buffer of the given type.

Definition at line 152 of file tpm2_util.h.

152 {
153 return init_with_size<T>(0);
154}

References init_with_size().

Referenced by Botan::TPM2::EC_PrivateKey::create_unrestricted_transient(), Botan::TPM2::RSA_PrivateKey::create_unrestricted_transient(), Botan::TPM2::HashFunction::final_with_ticket(), and Botan::TPM2::Signature_Operation::sign().

◆ init_with_size()

template<tpm2_buffer T>
T Botan::TPM2::init_with_size ( size_t length)
constexpr

Create a TPM2 buffer of a given type and length.

Definition at line 142 of file tpm2_util.h.

142 {
143 T result;
144 BOTAN_ASSERT_NOMSG(length <= sizeof(result.buffer));
145 result.size = static_cast<decltype(result.size)>(length);
146 clear_bytes(result.buffer, length);
147 return result;
148}
Botan::clear_bytes
constexpr void clear_bytes(void *ptr, size_t bytes)
Definition mem_ops.h:104

References BOTAN_ASSERT_NOMSG, Botan::clear_bytes(), and T.

Referenced by init_empty().

◆ out_persistent_handle()

auto Botan::TPM2::out_persistent_handle ( Object & object)
constexpr

Helper to set the persistent handle of an object from a TSS2 library function's out parameter.

Definition at line 223 of file tpm2_util.h.

223 {
224 return ObjectSetter{object, true};
225}

Referenced by Botan::TPM2::Context::persist().

◆ out_transient_handle()

auto Botan::TPM2::out_transient_handle ( Object & object)
constexpr

Helper to set the transient handle of an object from a TSS2 library function's out parameter.

Definition at line 217 of file tpm2_util.h.

217 {
218 return ObjectSetter{object, false};
219}

Referenced by Botan::TPM2::Session::authenticated_session(), Botan::TPM2::PrivateKey::create_transient_from_template(), Botan::TPM2::PrivateKey::load_transient(), Botan::TPM2::PublicKey::load_transient(), Botan::TPM2::Context::persist(), and Botan::TPM2::Session::unauthenticated_session().

◆ PropMap()

template<typename MaskT , typename FieldPointerT >
Botan::TPM2::PropMap ( MaskT ,
FieldPointerT  ) -> PropMap< MaskT, FieldPointerT >

Deduction guide to simplify the creation of PropMap instances.

◆ rsa_encryption_padding_botan_to_tss2()

std::optional< TPMI_ALG_ASYM_SCHEME > Botan::TPM2::rsa_encryption_padding_botan_to_tss2 ( std::string_view name)
inlinenodiscardnoexcept

Definition at line 361 of file tpm2_algo_mappings.h.

362 {
363 if(name == "OAEP" || name == "EME-OAEP" || name == "EME1") {
364 return TPM2_ALG_OAEP;
365 } else if(name == "PKCS1v15" || name == "EME-PKCS1-v1_5") {
366 return TPM2_ALG_RSAES;
367 } else if(name == "Raw") {
368 return TPM2_ALG_NULL;
369 } else {
370 return std::nullopt;
371 }
372}
name
std::string name
Definition commoncrypto_hash.cpp:24

References name.

Referenced by rsa_encryption_scheme_botan_to_tss2(), and Botan::TPM2::Context::supports_algorithm().

◆ rsa_encryption_scheme_botan_to_tss2()

std::optional< TPMT_RSA_DECRYPT > Botan::TPM2::rsa_encryption_scheme_botan_to_tss2 ( std::string_view padding)
inlinenodiscard

Definition at line 374 of file tpm2_algo_mappings.h.

374 {
375 const SCAN_Name req(padding);
376 const auto scheme = rsa_encryption_padding_botan_to_tss2(req.algo_name());
377 if(!scheme) {
378 return std::nullopt;
379 }
380
381 if(scheme.value() == TPM2_ALG_OAEP) {
382 if(req.arg_count() < 1) {
383 return std::nullopt;
384 }
385
386 const auto hash = hash_algo_botan_to_tss2(req.arg(0));
387 if(!hash) {
388 return std::nullopt;
389 }
390
391 return TPMT_RSA_DECRYPT{
392 .scheme = scheme.value(),
393 .details = {.oaep = {.hashAlg = hash.value()}},
394 };
395 } else if(scheme.value() == TPM2_ALG_RSAES) {
396 return TPMT_RSA_DECRYPT{
397 .scheme = scheme.value(),
398 .details = {.rsaes = {}},
399 };
400 } else {
401 return std::nullopt;
402 }
403}
Botan::TPM2::rsa_encryption_padding_botan_to_tss2
std::optional< TPMI_ALG_ASYM_SCHEME > rsa_encryption_padding_botan_to_tss2(std::string_view name) noexcept
Definition tpm2_algo_mappings.h:361

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::arg(), Botan::SCAN_Name::arg_count(), hash_algo_botan_to_tss2(), and rsa_encryption_padding_botan_to_tss2().

Referenced by Botan::TPM2::Context::supports_algorithm().

◆ rsa_pubkey_components_from_tss2_public()

std::pair< BigInt, BigInt > Botan::TPM2::rsa_pubkey_components_from_tss2_public ( const TPM2B_PUBLIC * public_blob)

This helper function transforms a public_blob in a TPM2B_PUBLIC* format into the functional components of an RSA public key. Namely, a pair of modulus and exponent as big integers.

Parameters
public_blobThe public blob to decompose into RSA pubkey components

Definition at line 29 of file tpm2_rsa.cpp.

29 {
30 BOTAN_ASSERT_NONNULL(public_area);
31 const auto& pub = public_area->publicArea;
32 BOTAN_ARG_CHECK(pub.type == TPM2_ALG_RSA, "Public key is not an RSA key");
33
34 // TPM2 may report 0 when the exponent is 'the default' (2^16 + 1)
35 const auto exponent = (pub.parameters.rsaDetail.exponent == 0) ? 65537 : pub.parameters.rsaDetail.exponent;
36
37 return {BigInt(as_span(pub.unique.rsa)), exponent};
38}
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:86
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29

References as_span(), BOTAN_ARG_CHECK, and BOTAN_ASSERT_NONNULL.

◆ rsa_signature_padding_botan_to_tss2()

std::optional< TPMI_ALG_SIG_SCHEME > Botan::TPM2::rsa_signature_padding_botan_to_tss2 ( std::string_view padding_name)
inlinenodiscardnoexcept

Definition at line 324 of file tpm2_algo_mappings.h.

325 {
326 // TODO(Botan4) remove the deprecated aliases
327 if(padding_name == "EMSA_PKCS1" || padding_name == "PKCS1v15" || padding_name == "EMSA-PKCS1-v1_5" ||
328 padding_name == "EMSA3") {
329 return TPM2_ALG_RSASSA;
330 } else if(padding_name == "PSS" || padding_name == "PSSR" || padding_name == "EMSA-PSS" ||
331 padding_name == "PSS-MGF1" || padding_name == "EMSA4") {
332 return TPM2_ALG_RSAPSS;
333 } else {
334 return std::nullopt;
335 }
336}

Referenced by rsa_signature_scheme_botan_to_tss2(), and Botan::TPM2::Context::supports_algorithm().

◆ rsa_signature_scheme_botan_to_tss2()

std::optional< TPMT_SIG_SCHEME > Botan::TPM2::rsa_signature_scheme_botan_to_tss2 ( std::string_view name)
inlinenodiscard

Definition at line 338 of file tpm2_algo_mappings.h.

338 {
339 const SCAN_Name req(name);
340 if(req.arg_count() == 0) {
341 return std::nullopt;
342 }
343
344 const auto scheme = rsa_signature_padding_botan_to_tss2(req.algo_name());
345 const auto hash = hash_algo_botan_to_tss2(req.arg(0));
346 if(!scheme || !hash) {
347 return std::nullopt;
348 }
349
350 if(scheme.value() == TPM2_ALG_RSAPSS && req.arg_count() != 1) {
351 // RSA signing using PSS with MGF1
352 return std::nullopt;
353 }
354
355 return TPMT_SIG_SCHEME{
356 .scheme = scheme.value(),
357 .details = {.any = {.hashAlg = hash.value()}},
358 };
359}

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::arg(), Botan::SCAN_Name::arg_count(), hash_algo_botan_to_tss2(), name, and rsa_signature_padding_botan_to_tss2().

Referenced by Botan::TPM2::Context::supports_algorithm().

◆ set_crypto_callbacks()

void Botan::TPM2::set_crypto_callbacks ( ESYS_CONTEXT * ctx,
void * callback_state )

Enable the Botan crypto callbacks for the given ESYS context.

The callbacks may maintain two types of state:

  • 'userdata' is a pointer to a CryptoCallbackState object that is passed to all callback functions. This provides access to a random number generator specified by the user. The lifetime of this object is bound to the TPM2::Context.
  • 'context' is a pointer to a DigestCallbackState object that contains either a HashFunction or a MessageAuthenticationCode object. This holds the hash state between update callback invocations. The lifetime of this object is bound to the digest callbacks, hence *_finish() and *_abort() will delete the object.

The runtime crypto backend is available since TSS2 4.0.0 and later. Explicit support for SM4 was added in TSS2 4.1.0.

Note that the callback implementations should be defensive in regard to the input parameters. All pointers should be checked for nullptr before being dereferenced. Some output parameters (e.g. out-buffer lengths) may be regarded as optional, and should be checked for nullptr before being written to.

Error code conventions:

  • TSS2_ESYS_RC_BAD_REFERENCE: reference (typically userdata) invalid
  • TSS2_ESYS_RC_BAD_VALUE: invalid input (e.g. size != 0 w/ nullptr buffer)
  • TSS2_ESYS_RC_NOT_SUPPORTED: algorithm identifier not mapped to Botan
  • TSS2_ESYS_RC_NOT_IMPLEMENTED: algorithm not available (e.g. disabled)

Enable Botan's crypto callbacks in the TPM2-TSS for the given context.

Exceptions
Not_Implementedif the TPM2-TSS does not support crypto callbacks.

Definition at line 861 of file tpm2_crypto_backend_impl.cpp.

861 {
862#if defined(BOTAN_TSS2_SUPPORTS_CRYPTO_CALLBACKS)
863 BOTAN_ASSERT_NONNULL(ctx);
864
865 // clang-format off
866 ESYS_CRYPTO_CALLBACKS callbacks{
867 .rsa_pk_encrypt = &rsa_pk_encrypt,
868 .hash_start = &hash_start,
869 .hash_update = &hash_update,
870 .hash_finish = &hash_finish,
871 .hash_abort = &hash_abort,
872 .hmac_start = &hmac_start,
873 .hmac_update = &hmac_update,
874 .hmac_finish = &hmac_finish,
875 .hmac_abort = &hmac_abort,
876 .get_random2b = &get_random2b,
877 .get_ecdh_point = &get_ecdh_point,
878 .aes_encrypt = &aes_encrypt,
879 .aes_decrypt = &aes_decrypt,
880#if defined(BOTAN_TSS2_SUPPORTS_SM4_IN_CRYPTO_CALLBACKS)
881 .sm4_encrypt = &sm4_encrypt,
882 .sm4_decrypt = &sm4_decrypt,
883#endif
884 .init = &init,
885 .userdata = callback_state,
886 };
887 // clang-format on
888
889 check_rc("Esys_SetCryptoCallbacks", Esys_SetCryptoCallbacks(ctx, &callbacks));
890#else
891 BOTAN_UNUSED(ctx, callback_state);
892 throw Not_Implemented(
893 "This build of botan was compiled with a TSS2 version lower than 4.0.0, "
894 "which does not support custom runtime crypto backends");
895#endif
896}
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:118
Botan::Not_Implemented
Definition exceptn.h:334
init
int(* init)(CTX *)
Definition commoncrypto_hash.cpp:27

References BOTAN_ASSERT_NONNULL, BOTAN_UNUSED, check_rc(), and init.

Referenced by use_botan_crypto_backend(), and Botan::TPM2::Context::~Context().

◆ supports_botan_crypto_backend()

bool Botan::TPM2::supports_botan_crypto_backend ( )
nodiscardnoexcept

Checks if the TSS2 supports registering Botan's crypto backend at runtime. Older versions of the TSS2 do not support this feature ( 4.0.0).

Returns
true if the TSS2 supports Botan's crypto backend

Definition at line 23 of file tpm2_crypto_backend.cpp.

23 {
24#if defined(BOTAN_TSS2_SUPPORTS_CRYPTO_CALLBACKS)
25 return true;
26#else
27 return false;
28#endif
29}

Referenced by Botan::TPM2::Context::supports_botan_crypto_backend().

◆ use_botan_crypto_backend()

std::unique_ptr< CryptoCallbackState > Botan::TPM2::use_botan_crypto_backend ( ESYS_CONTEXT * context,
const std::shared_ptr< Botan::RandomNumberGenerator > & rng )
nodiscard

Enable Botan's crypto callbacks in the TPM2-TSS for the given ESYS_CONTEXT context. Use this if you do not plan to use Botan's TPM wrapper (rooted in TPM2::Context) but still want to benefit from Botan's TPM crypto backend. Otherwise, use TPM2::Context::use_botan_crypto_backend().

This replaces all cryptographic functionality required for the communication with the TPM by Botan's implementations. The TSS2 would otherwise use OpenSSL or mbedTLS.

Note that the provided rng should not be dependent on the TPM and that the returned pointer to the CryptoCallbackState must be kept alive as long as the associated ESYS_CONTEXT is valid and used.

Parameters
contextthe ESYS_CONTEXT pointer to register the crypto backend on
rngthe (independent) random number generator to be used
Returns
a state object that must be kept alive by the caller for as long as the associated ESYS_CONTEXT is valid.
Exceptions
Not_Implementedif the TPM2-TSS does not support crypto callbacks.

Definition at line 16 of file tpm2_crypto_backend.cpp.

17 {
18 auto crypto_callback_state = std::make_unique<CryptoCallbackState>(CryptoCallbackState{.rng = rng});
19 set_crypto_callbacks(context, crypto_callback_state.get());
20 return crypto_callback_state;
21}

References set_crypto_callbacks().

Referenced by botan_tpm2_enable_crypto_backend(), and Botan::TPM2::Context::use_botan_crypto_backend().

Generated by doxygen 1.12.0