Botan 3.6.1
Crypto and TLS for C&
tpm2_key.h
Go to the documentation of this file.
1/*
2* TPM 2.0 Key Wrappers' Base Class
3* (C) 2024 Jack Lloyd
4* (C) 2024 René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity GmbH, financed by LANCOM Systems GmbH
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8#ifndef BOTAN_TPM2_ASYM_KEYS_H_
9#define BOTAN_TPM2_ASYM_KEYS_H_
10
11#include <botan/pk_keys.h>
12#include <botan/tpm2_context.h>
13#include <botan/tpm2_object.h>
14#include <botan/tpm2_session.h>
15#if defined(BOTAN_HAS_RSA)
16 #include <botan/rsa.h>
17#endif
18#if defined(BOTAN_HAS_ECC_GROUP)
19 #include <botan/ec_apoint.h>
20 #include <botan/ec_group.h>
21#endif
22
23struct TPM2B_SENSITIVE_CREATE;
24struct TPMT_PUBLIC;
25struct TPM2B_PUBLIC;
26
27namespace Botan::TPM2 {
28
29#if defined(BOTAN_HAS_RSA)
30/**
31 * This helper function transforms a @p public_blob in a TPM2B_PUBLIC* format
32 * into an ordinary Botan::RSA_PublicKey. Note that the resulting key is not
33 * bound to a TPM and can be used as any other RSA key.
34 *
35 * @param public_blob The public blob to load as an ordinary RSA key
36 */
37BOTAN_PUBLIC_API(3, 6) Botan::RSA_PublicKey rsa_pubkey_from_tss2_public(const TPM2B_PUBLIC* public_blob);
38#endif
39
40#if defined(BOTAN_HAS_ECC_GROUP)
41/**
42 * This helper function transforms a @p public_blob in a TPM2B_PUBLIC* format
43 * into an ordinary Botan::EC_PublicKey in the form of a Botan::EC_Group and
44 * a Botan::EC_AffinePoint. Note that the resulting key is not bound to a TPM
45 * and can be used as any other ECC key.
46 *
47 * @param public_blob The public blob to load as an ordinary EC_Group and EC_AffinePoint
48 */
49
50std::pair<EC_Group, EC_AffinePoint> ecc_pubkey_from_tss2_public(const TPM2B_PUBLIC* public_blob);
51#endif
52
53/**
54 * This wraps a public key that is hosted in a TPM 2.0 device. This class allows
55 * performing public-key operations on the TPM. Namely verifying signatures and
56 * encrypting data.
57 *
58 * The class does not provide public constructors, but instead provides static
59 * methods to obtain a public key handle from a TPM.
60 */
61class BOTAN_PUBLIC_API(3, 6) PublicKey : public virtual Botan::Public_Key {
62 public:
63 /**
64 * Load a public key that resides in the TPM's persistent storage.
65 *
66 * @param ctx The TPM context to use
67 * @param persistent_object_handle The handle of the persistent object to load
68 * @param sessions The session bundle to use for loading
69 */
70 static std::unique_ptr<PublicKey> load_persistent(const std::shared_ptr<Context>& ctx,
71 TPM2_HANDLE persistent_object_handle,
72 const SessionBundle& sessions = {});
73
74 /**
75 * Load a public key from the public blob obtained by a TPM key creation.
76 *
77 * Transient keys don't reside inside the TPM but must be loaded by the
78 * application as required. Once this object is destructed, the transient
79 * memory on the TPM is cleared.
80 *
81 * @param ctx The TPM context to use
82 * @param public_blob The public blob of the key to load
83 * @param sessions The session bundle to use for loading
84 */
85 static std::unique_ptr<PublicKey> load_transient(const std::shared_ptr<Context>& ctx,
86 std::span<const uint8_t> public_blob,
87 const SessionBundle& sessions);
88
89 public:
90 std::unique_ptr<Private_Key> generate_another(Botan::RandomNumberGenerator&) const override {
91 throw Not_Implemented("Cannot generate a new TPM-based keypair from this asymmetric key");
92 }
93
94 /**
95 * @returns a TPM2-specific marshalled representation of the public key
96 */
97 std::vector<uint8_t> raw_public_key_bits() const override;
98
99 const Object& handles() const { return m_handle; }
100
101 const SessionBundle& sessions() const { return m_sessions; }
102
103 protected:
104 PublicKey(Object object, SessionBundle sessions) : m_handle(std::move(object)), m_sessions(std::move(sessions)) {}
105
106 static std::unique_ptr<PublicKey> create(Object handles, const SessionBundle& sessions);
107
108 private:
109 Object m_handle;
110 SessionBundle m_sessions;
111};
112
113BOTAN_DIAGNOSTIC_PUSH
114BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
115
116/**
117 * This wraps a private key that is hosted in a TPM 2.0 device. This class
118 * allows performing private-key operations on the TPM. Namely signing and
119 * decrypting data.
120 *
121 * Note that there are two types of keys: persistent and transient. Persistent
122 * keys are stored in the TPM's NVRAM and can be loaded at any time. Transient
123 * keys are loaded by the application from an encrypted private blob that is
124 * only readable by the TPM that created it. Once the key is loaded, the
125 * application can use it as if it were a persistent key. Once the key is
126 * destructed, the transient memory on the TPM is cleared.
127 *
128 * Applications may persist transient keys in the TPM's NVRAM by using the
129 * TPM2_Context::persist() method. This allows the key to be loaded at a later
130 * time without the need to provide the encrypted private blob. Similarly,
131 * persistent keys may be permanently destroyed using TPM2_Context::evict().
132 *
133 * To obtain the public and private blobs of a transient key, use the
134 * raw_public_key_bits() and raw_private_key_bits() methods, respectively.
135 *
136 * The class does not provide public constructors, but instead provides static
137 * methods to obtain a private key handle from a TPM.
138 */
139class BOTAN_PUBLIC_API(3, 6) PrivateKey : public virtual Private_Key {
140 public:
141 /**
142 * Load a private key that resides in the TPM's persistent storage.
143 *
144 * @param ctx The TPM context to use
145 * @param persistent_object_handle The handle of the persistent object to load
146 * @param auth_value The auth value required to use the key
147 * @param sessions The session bundle to use for the key's operations
148 */
149 static std::unique_ptr<PrivateKey> load_persistent(const std::shared_ptr<Context>& ctx,
150 TPM2_HANDLE persistent_object_handle,
151 std::span<const uint8_t> auth_value,
152 const SessionBundle& sessions);
153
154 /**
155 * Load a private key from the public and private blobs obtained by a TPM
156 * key creation.
157 *
158 * Transient keys don't reside inside the TPM but must be loaded by the
159 * application as required. Once this object is destructed, the transient
160 * memory on the TPM is cleared.
161 *
162 * @param ctx The TPM context to use
163 * @param auth_value The auth value required to use the key
164 * @param parent The parent key the key was originally created under
165 * @param public_blob The public blob of the key to load
166 * @param private_blob The private blob of the key to load
167 * @param sessions The session bundle to use for loading
168 */
169 static std::unique_ptr<PrivateKey> load_transient(const std::shared_ptr<Context>& ctx,
170 std::span<const uint8_t> auth_value,
171 const TPM2::PrivateKey& parent,
172 std::span<const uint8_t> public_blob,
173 std::span<const uint8_t> private_blob,
174 const SessionBundle& sessions);
175
176 /**
177 * This is a wrapper around Esys_CreateLoaded creating a transient key
178 * from a given @p key_template with @p sensitive_data. It gives maximal
179 * flexibility to the caller to create a key with their own TSS2 template
180 * configuration.
181 *
182 * Please use this if you know what you are doing, only! Most users should
183 * use the more convenient create_transient() methods of the derived classes.
184 *
185 * @param ctx The TPM context to use
186 * @param sessions The session bundle to use in Esys_CreateLoaded().
187 * @param parent The handle of the parent object to create the new key under
188 * (this may reference a "Primary Seed" to create a "Primary Key",
189 * a "Storage Parent" to create an "Ordinary Key", or
190 * a "Derivation Parent" to create a "Derived Key").
191 * @param key_template The template data to use for the key creation. It
192 * will be passed to Tss2_MU_TPMT_PUBLIC_Marshal() and
193 * Esys_CreateLoaded().
194 * @param sensitive_data The sensitive data (e.g. with the desired auth
195 * value) to use for the key creation.
196 */
197 static std::unique_ptr<PrivateKey> create_transient_from_template(const std::shared_ptr<Context>& ctx,
198 const SessionBundle& sessions,
199 ESYS_TR parent,
200 const TPMT_PUBLIC& key_template,
201 const TPM2B_SENSITIVE_CREATE& sensitive_data);
202
203 public:
204 /// @throws Not_Implemented keys hosted in a TPM2 cannot be exported
205 secure_vector<uint8_t> private_key_bits() const override {
206 throw Not_Implemented("cannot export private key bits from a TPM2 key, maybe use raw_private_key_bits()?");
207 }
208
209 /**
210 * @returns the encrypted private key blob, if the key is transient
211 * @throws Invalid_State if the key is persistent
212 */
213 secure_vector<uint8_t> raw_private_key_bits() const override;
214
215 /**
216 * @returns a TPM2-specific marshalled representation of the public key
217 */
218 std::vector<uint8_t> raw_public_key_bits() const override;
219
220 Object& handles() { return m_handle; }
221
222 const Object& handles() const { return m_handle; }
223
224 const SessionBundle& sessions() const { return m_sessions; }
225
226 bool is_parent() const;
227
228 protected:
229 PrivateKey(Object handle, SessionBundle sessions, std::span<const uint8_t> private_blob = {}) :
230 m_handle(std::move(handle)),
231 m_sessions(std::move(sessions)),
232 m_private_blob(private_blob.begin(), private_blob.end()) {}
233
234 static std::unique_ptr<PrivateKey> create(Object handles,
235 const SessionBundle& sessions,
236 const TPM2B_PUBLIC* public_info,
237 std::span<const uint8_t> private_blob);
238
239 private:
240 Object m_handle;
241 SessionBundle m_sessions;
242
243 /// Transient keys can be exported as an encrypted private blob that is
244 /// readable by the TPM that created it.
245 std::vector<uint8_t> m_private_blob;
246};
247
248BOTAN_DIAGNOSTIC_POP
249
250} // namespace Botan::TPM2
251
252#endif
Botan::Not_Implemented
Definition exceptn.h:334
Botan::Private_Key
Definition pk_keys.h:263
Botan::Public_Key
Definition pk_keys.h:119
Botan::TPM2::PrivateKey::PrivateKey
PrivateKey(Object handle, SessionBundle sessions, std::span< const uint8_t > private_blob={})
Definition tpm2_key.h:229
Botan::TPM2::PrivateKey::sessions
const SessionBundle & sessions() const
Definition tpm2_key.h:224
Botan::TPM2::PrivateKey::handles
const Object & handles() const
Definition tpm2_key.h:222
Botan::TPM2::PrivateKey::private_key_bits
secure_vector< uint8_t > private_key_bits() const override
Definition tpm2_key.h:205
Botan::TPM2::PublicKey::handles
const Object & handles() const
Definition tpm2_key.h:99
Botan::TPM2::PublicKey::PublicKey
PublicKey(Object object, SessionBundle sessions)
Definition tpm2_key.h:104
Botan::TPM2::PublicKey::sessions
const SessionBundle & sessions() const
Definition tpm2_key.h:101
Botan::TPM2::PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(Botan::RandomNumberGenerator &) const override
Definition tpm2_key.h:90
BOTAN_DIAGNOSTIC_POP
#define BOTAN_DIAGNOSTIC_POP
Definition compiler.h:191
BOTAN_DIAGNOSTIC_PUSH
#define BOTAN_DIAGNOSTIC_PUSH
Definition compiler.h:188
BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
#define BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
Definition compiler.h:190
BOTAN_PUBLIC_API
#define BOTAN_PUBLIC_API(maj, min)
Definition compiler.h:31
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
ESYS_TR
uint32_t ESYS_TR
Forward declaration of TSS2 type for convenience.
Definition tpm2_context.h:23
TPM2_HANDLE
uint32_t TPM2_HANDLE
Forward declaration of TSS2 type for convenience.
Definition tpm2_context.h:20
Generated by doxygen 1.12.0