10#include <botan/hash.h>
11#include <botan/hash_id.h>
12#include <botan/der_enc.h>
13#include <botan/workfactor.h>
14#include <botan/pk_ops.h>
17#include <tss/platform.h>
19#include <trousers/trousers.h>
27void tss_error(TSS_RESULT res,
const char* expr,
const char* file,
int line)
29 std::ostringstream err;
30 err <<
"TPM error " << Trspi_Error_String(res)
31 <<
" layer " << Trspi_Error_Layer(res)
32 <<
" in " << expr <<
" at " << file <<
":" << line;
34 throw TPM_Error(err.str());
37TSS_FLAG bit_flag(
size_t bits)
43 return TSS_KEY_SIZE_1024;
45 return TSS_KEY_SIZE_2048;
49 return TSS_KEY_SIZE_4096;
51 return TSS_KEY_SIZE_8192;
53 return TSS_KEY_SIZE_16384;
55 throw Invalid_Argument(
"Unsupported TPM key size " +
std::to_string(bits));
60bool is_srk_uuid(
const UUID& uuid)
62 static const uint8_t srk[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
63 const std::vector<uint8_t>& b = uuid.binary_value();
64 return (b.size() == 16 &&
same_mem(b.data(), srk, 16));
68#define TSPI_CHECK_SUCCESS(expr) do { \
69 TSS_RESULT res = expr; \
70 if(res != TSS_SUCCESS) \
71 tss_error(res, #expr, __FILE__, __LINE__); \
74std::vector<uint8_t> get_obj_attr(TSS_HCONTEXT ctx,
83 std::vector<uint8_t> r(data, data + data_len);
90void set_policy_secret(TSS_HPOLICY policy,
const char* secret)
94 BYTE* as_b =
const_cast<BYTE*
>(
reinterpret_cast<const BYTE*
>(secret));
96 TSS_SECRET_MODE_PLAIN,
102 static const uint8_t nullpass[20] = { 0 };
105 TSS_SECRET_MODE_SHA1,
107 const_cast<BYTE*
>(nullpass)));
111TSS_UUID to_tss_uuid(
const UUID& uuid)
113 static_assert(
sizeof(TSS_UUID) == 16,
"Expected size of packed UUID");
120UUID from_tss_uuid(
const TSS_UUID& tss_uuid)
122 static_assert(
sizeof(TSS_UUID) == 16,
"Expected size of packed UUID");
124 std::vector<uint8_t> mem(16);
126 UUID uuid(std::move(mem));
132 if(flag == TSS_PS_TYPE_USER)
134 else if(flag == TSS_PS_TYPE_SYSTEM)
143 return "tpmkey:uuid=" + uuid.to_string() +
";storage=" + storage_str;
146std::string format_url(
const TSS_UUID& tss_uuid, TSS_FLAG store_type)
148 UUID uuid = from_tss_uuid(tss_uuid);
150 return format_url(from_tss_uuid(tss_uuid),
151 storage_type_from_tss_flag(store_type));
165 const TSS_UUID SRK_UUID = TSS_UUID_SRK;
167 TSPI_CHECK_SUCCESS(::Tspi_Context_LoadKeyByUUID(m_ctx, TSS_PS_TYPE_SYSTEM, SRK_UUID, &m_srk));
170 set_policy_secret(m_srk_policy, srk_password);
195 copy_mem(out,
reinterpret_cast<const uint8_t*
>(mem), out_len);
205 const char* key_password) : m_ctx(ctx)
210 TSS_FLAG key_flags = bit_flag(bits) | TSS_KEY_VOLATILE | TSS_KEY_TYPE_SIGNING;
216 TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
217 TSS_SS_RSASSAPKCS1V15_DER));
221 set_policy_secret(policy, key_password);
233 m_storage(storage_type)
235 const TSS_FLAG key_ps_type =
245 const std::vector<uint8_t>& blob) : m_ctx(ctx)
248 const_cast<uint8_t*
>(blob.data()),
260 m_storage = storage_type;
262 const TSS_UUID key_uuid = to_tss_uuid(m_uuid);
263 const TSS_FLAG key_ps_type =
266 const TSS_UUID srk_uuid = TSS_UUID_SRK;
279 if(storage_type != m_storage)
282 " already registered with different storage type");
285 return format_url(m_uuid, m_storage);
290 TSS_KM_KEYINFO2* key_info;
291 UINT32 key_info_size;
300 std::vector<std::string> r(key_info_size);
302 for(
size_t i = 0; i != key_info_size; ++i)
304 r[i] = format_url(key_info[i].keyUUID, key_info[i].persistentStorageType);
318 TSS_TSPATTRIB_RSAKEY_INFO,
319 TSS_TSPATTRIB_KEYINFO_RSA_MODULUS));
330 TSS_TSPATTRIB_RSAKEY_INFO,
331 TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT));
355 std::vector<uint8_t> bits;
366 throw TPM_Error(
"Private key export not supported for TPM keys");
371 return get_obj_attr(m_ctx.
handle(), m_key,
372 TSS_TSPATTRIB_KEY_BLOB,
373 TSS_TSPATTRIB_KEYBLOB_BLOB);
392 const std::string& hash_name) :
399 size_t signature_length()
const override
401 return m_key.get_n().bytes();
404 void update(
const uint8_t msg[],
size_t msg_len)
override
406 m_hash->update(msg, msg_len);
409 secure_vector<uint8_t> sign(RandomNumberGenerator&)
override
418 secure_vector<uint8_t> msg_hash = m_hash->final();
420 std::vector<uint8_t> id_and_msg;
421 id_and_msg.reserve(m_hash_id.size() + msg_hash.size());
422 id_and_msg.insert(id_and_msg.end(), m_hash_id.begin(), m_hash_id.end());
423 id_and_msg.insert(id_and_msg.end(), msg_hash.begin(), msg_hash.end());
425 TSS_HCONTEXT ctx = m_key.ctx().handle();
427 TSPI_CHECK_SUCCESS(::Tspi_Context_CreateObject(ctx, TSS_OBJECT_TYPE_HASH, TSS_HASH_OTHER, &tpm_hash));
428 TSPI_CHECK_SUCCESS(::Tspi_Hash_SetHashValue(tpm_hash, id_and_msg.size(), id_and_msg.data()));
430 BYTE* sig_bytes =
nullptr;
433 secure_vector<uint8_t> sig(sig_bytes, sig_bytes + sig_len);
445 const TPM_PrivateKey& m_key;
446 std::unique_ptr<HashFunction> m_hash;
447 std::vector<uint8_t> m_hash_id;
452std::unique_ptr<PK_Ops::Signature>
454 const std::string& params,
455 const std::string& )
const
457 return std::unique_ptr<PK_Ops::Signature>(
new TPM_Signing_Operation(*
this, params));
static BigInt decode(const uint8_t buf[], size_t length)
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
DER_Encoder & encode(bool b)
virtual OID get_oid() const
TSS_HCONTEXT handle() const
TPM_Context(pin_cb cb, const char *srk_password)
void gen_random(uint8_t out[], size_t out_len)
uint32_t current_counter()
std::function< std::string(std::string)> pin_cb
void stir_random(const uint8_t in[], size_t in_len)
std::vector< uint8_t > export_blob() const
std::string register_key(TPM_Storage_Type storage_type)
TPM_PrivateKey(TPM_Context &ctx, size_t bits, const char *key_password)
secure_vector< uint8_t > private_key_bits() const override
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
static std::vector< std::string > registered_keys(TPM_Context &ctx)
bool check_key(RandomNumberGenerator &rng, bool) const override
TPM_Context & ctx() const
std::unique_ptr< Public_Key > public_key() const
size_t key_length() const override
std::vector< uint8_t > public_key_bits() const override
size_t estimated_strength() const override
AlgorithmIdentifier algorithm_identifier() const override
std::string to_string() const
int(* update)(CTX *, const void *, CC_LONG len)
int(* final)(unsigned char *, CTX *)
std::string to_string(const BER_Object &obj)
void copy_mem(T *out, const T *in, size_t n)
std::vector< uint8_t > pkcs_hash_id(const std::string &name)
void typecast_copy(uint8_t out[], T in[], size_t N)
size_t if_work_factor(size_t bits)
bool same_mem(const T *p1, const T *p2, size_t n)
std::vector< T, secure_allocator< T > > secure_vector
#define TSPI_CHECK_SUCCESS(expr)