Botan 3.6.1
Crypto and TLS for C&
tpm2_pkops.h
Go to the documentation of this file.
1/*
2* TPM 2.0 Public Key Operations
3* (C) 2024 Jack Lloyd
4* (C) 2024 René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity GmbH, financed by LANCOM Systems GmbH
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#ifndef BOTAN_TPM2_PKOPS_H_
10#define BOTAN_TPM2_PKOPS_H_
11
12#include <botan/pk_ops.h>
13
14#include <botan/hash.h>
15#include <botan/internal/tpm2_util.h>
16
17namespace Botan::TPM2 {
18
19struct SignatureAlgorithmSelection {
20 TPMT_SIG_SCHEME signature_scheme;
21 std::string hash_name;
22 std::optional<std::string> padding;
23};
24
25template <typename PKOpT>
26class Signature_Operation_Base : public PKOpT {
27 public:
28 Signature_Operation_Base(const Object& object,
29 const SessionBundle& sessions,
30 const SignatureAlgorithmSelection& algorithms,
31 std::unique_ptr<Botan::HashFunction> hash) :
32 m_key_handle(object),
33 m_sessions(sessions),
34 m_scheme(algorithms.signature_scheme),
35 m_hash(std::move(hash)),
36 m_padding(algorithms.padding) {
37 BOTAN_ASSERT_NONNULL(m_hash);
38 }
39
40 public:
41 void update(std::span<const uint8_t> msg) override { m_hash->update(msg); }
42
43 std::string hash_function() const override { return m_hash->name(); }
44
45 protected:
46 Botan::HashFunction* hash() { return m_hash.get(); }
47
48 const Object& key_handle() const { return m_key_handle; }
49
50 const SessionBundle& sessions() const { return m_sessions; }
51
52 const TPMT_SIG_SCHEME& scheme() const { return m_scheme; }
53
54 std::optional<std::string> padding() const { return m_padding; }
55
56 private:
57 const Object& m_key_handle;
58 const SessionBundle& m_sessions;
59 TPMT_SIG_SCHEME m_scheme;
60 std::unique_ptr<Botan::HashFunction> m_hash;
61 std::optional<std::string> m_padding;
62};
63
64/**
65 * If the key is restricted, this will transparently use the TPM to hash the
66 * data to obtain a validation ticket.
67 *
68 * TPM Library, Part 1: Architecture", Section 11.4.6.3 (4)
69 * This ticket is used to indicate that a digest of external data is safe to
70 * sign using a restricted signing key. A restricted signing key may only
71 * sign a digest that was produced by the TPM. [...] This prevents forgeries
72 * of attestation data.
73 */
74class Signature_Operation : public Signature_Operation_Base<PK_Ops::Signature> {
75 public:
76 Signature_Operation(const Object& object,
77 const SessionBundle& sessions,
78 const SignatureAlgorithmSelection& algorithms);
79
80 std::vector<uint8_t> sign(Botan::RandomNumberGenerator& rng) override;
81
82 protected:
83 virtual std::vector<uint8_t> marshal_signature(const TPMT_SIGNATURE& signature) const = 0;
84};
85
86/**
87 * Signature verification on the TPM. This does not require a validation ticket,
88 * therefore the hash is always calculated in software.
89 */
90class Verification_Operation : public Signature_Operation_Base<PK_Ops::Verification> {
91 public:
92 Verification_Operation(const Object& object,
93 const SessionBundle& sessions,
94 const SignatureAlgorithmSelection& algorithms);
95
96 bool is_valid_signature(std::span<const uint8_t> sig_data) override;
97
98 protected:
99 virtual TPMT_SIGNATURE unmarshal_signature(std::span<const uint8_t> sig_data) const = 0;
100};
101
102} // namespace Botan::TPM2
103
104#endif
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:86
Botan::TPM2::Signature_Operation_Base
Definition tpm2_pkops.h:26
Botan::TPM2::Signature_Operation_Base::key_handle
const Object & key_handle() const
Definition tpm2_pkops.h:48
Botan::TPM2::Signature_Operation_Base::hash
Botan::HashFunction * hash()
Definition tpm2_pkops.h:46
Botan::TPM2::Signature_Operation_Base::sessions
const SessionBundle & sessions() const
Definition tpm2_pkops.h:50
Botan::TPM2::Signature_Operation_Base::update
void update(std::span< const uint8_t > msg) override
Definition tpm2_pkops.h:41
Botan::TPM2::Signature_Operation_Base::padding
std::optional< std::string > padding() const
Definition tpm2_pkops.h:54
Botan::TPM2::Signature_Operation_Base::hash_function
std::string hash_function() const override
Definition tpm2_pkops.h:43
Botan::TPM2::Signature_Operation_Base::Signature_Operation_Base
Signature_Operation_Base(const Object &object, const SessionBundle &sessions, const SignatureAlgorithmSelection &algorithms, std::unique_ptr< Botan::HashFunction > hash)
Definition tpm2_pkops.h:28
Botan::TPM2::Signature_Operation_Base::scheme
const TPMT_SIG_SCHEME & scheme() const
Definition tpm2_pkops.h:52
Botan::TPM2::Signature_Operation
Definition tpm2_pkops.h:74
Botan::TPM2::Signature_Operation::Signature_Operation
Signature_Operation(const Object &object, const SessionBundle &sessions, const SignatureAlgorithmSelection &algorithms)
Definition tpm2_pkops.cpp:45
Botan::TPM2::Signature_Operation::marshal_signature
virtual std::vector< uint8_t > marshal_signature(const TPMT_SIGNATURE &signature) const =0
Botan::TPM2::Signature_Operation::sign
std::vector< uint8_t > sign(Botan::RandomNumberGenerator &rng) override
Definition tpm2_pkops.cpp:51
Botan::TPM2::Verification_Operation
Definition tpm2_pkops.h:90
Botan::TPM2::Verification_Operation::unmarshal_signature
virtual TPMT_SIGNATURE unmarshal_signature(std::span< const uint8_t > sig_data) const =0
Botan::TPM2::Verification_Operation::Verification_Operation
Verification_Operation(const Object &object, const SessionBundle &sessions, const SignatureAlgorithmSelection &algorithms)
Definition tpm2_pkops.cpp:97
Botan::TPM2::Verification_Operation::is_valid_signature
bool is_valid_signature(std::span< const uint8_t > sig_data) override
Definition tpm2_pkops.cpp:103
Botan::TPM2::SignatureAlgorithmSelection::padding
std::optional< std::string > padding
Definition tpm2_pkops.h:22
Generated by doxygen 1.12.0