Merge pull request #307 from dgarske/csr_sigtype

Fixes and improvements for wolfTPM CSR wrappers

Author: jpbland1

.github/workflows/make-test-swtpm.yml

@@ -52,6 +52,25 @@ jobs:
       run: |
         make check
         WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh
+    - name: make install
+      run: sudo make install
+
+# build and test CSharp wrapper
+    - name: Install mono
+      run: |
+        sudo apt-get install -y mono-mcs mono-tools-devel nunit nunit-console
+    - name: Build CSharp wrapper
+      working-directory: ./wrapper/CSharp
+      run: |
+        mcs wolfTPM.cs wolfTPM-tests.cs -r:/usr/lib/cli/nunit.framework-2.6.3/nunit.framework.dll -t:library
+    - name: Run self test
+      working-directory: ./wrapper/CSharp
+      run: |
+        LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll -run=tpm_csharp_test.WolfTPMTest.TrySelfTest
+    - name: Run unit tests
+      working-directory: ./wrapper/CSharp
+      run: |
+        LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll
 
 #test no wolfcrypt
     - name: configure no wolfCrypt

examples/csr/csr.c

@@ -51,7 +51,7 @@ static const char* gClientCertEccFile = "./certs/tpm-ecc-cert.pem";
 /******************************************************************************/
 
 static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
-    const char* outputPemFile, int makeSelfSignedCert, int devId)
+    const char* outputPemFile, int makeSelfSignedCert, int devId, int sigType)
 {
     int rc;
     const char* subject = NULL;
@@ -63,6 +63,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
     const char* custOid =    "1.2.3.4.5";
     const char* custOidVal = "This is NOT a critical extension";
     WOLFTPM2_CSR* csr = wolfTPM2_NewCSR();
+
     if (csr == NULL) {
         return MEMORY_E;
     }
@@ -82,7 +83,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
 #ifdef WOLFTPM2_NO_HEAP
     /* single shot API for CSR generation */
     rc = wolfTPM2_CSR_Generate_ex(dev, key, subject, keyUsage,
-        CTC_FILETYPE_PEM, output, outputSz, 0, makeSelfSignedCert,
+        CTC_FILETYPE_PEM, output, outputSz, sigType, makeSelfSignedCert,
         devId);
 #else
     rc = wolfTPM2_CSR_SetSubject(dev, csr, subject);
@@ -100,7 +101,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
     }
     if (rc == 0) {
         rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, CTC_FILETYPE_PEM,
-            output, outputSz, 0, makeSelfSignedCert, devId);
+            output, outputSz, sigType, makeSelfSignedCert, devId);
     }
 #endif
     if (rc >= 0) {
@@ -202,27 +203,36 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
         if (rc == 0) {
             rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &key,
                 makeSelfSignedCert ? gClientCertRsaFile : gClientCsrRsaFile,
-                makeSelfSignedCert, tpmDevId);
+                makeSelfSignedCert, tpmDevId, CTC_SHA256wRSA);
         }
         wolfTPM2_UnloadHandle(&dev, &key.handle);
     }
 #endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
     if (rc == 0) {
+        int sigType = CTC_SHA256wECDSA;
+        TPM_ECC_CURVE curve = TPM_ECC_NIST_P256;
         tpmCtx.eccKey = &key;
+
+    #if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384
+        /* make sure we use a curve that is enabled */
+        sigType = CTC_SHA384wECDSA;
+        curve = TPM_ECC_NIST_P384;
+    #endif
+
         rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
                 TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
                 TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
-                TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
+                curve, TPM_ALG_ECDSA);
         if (rc == 0) {
             rc = getECCkey(&dev, &storageKey, &key, NULL, tpmDevId,
                   (byte*)gKeyAuth, sizeof(gKeyAuth)-1, &publicTemplate);
         }
         if (rc == 0) {
             rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &key,
                 makeSelfSignedCert ? gClientCertEccFile : gClientCsrEccFile,
-                makeSelfSignedCert, tpmDevId);
+                makeSelfSignedCert, tpmDevId, sigType);
         }
         wolfTPM2_UnloadHandle(&dev, &key.handle);
     }

src/tpm2_wrap.c

@@ -3461,20 +3461,25 @@ int wolfTPM2_SignHash(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     const byte* digest, int digestSz, byte* sig, int* sigSz)
 {
     TPM_ALG_ID sigAlg = TPM_ALG_NULL;
+    TPMI_ALG_HASH hashAlg = WOLFTPM2_WRAP_DIGEST;
 
     if (dev == NULL || key == NULL || digest == NULL || sig == NULL) {
         return BAD_FUNC_ARG;
     }
 
     if (key->pub.publicArea.type == TPM_ALG_ECC) {
         sigAlg = key->pub.publicArea.parameters.eccDetail.scheme.scheme;
+        hashAlg = key->pub.publicArea.parameters.eccDetail.scheme.details.any.hashAlg;
+
     }
     else if (key->pub.publicArea.type == TPM_ALG_RSA) {
         sigAlg = key->pub.publicArea.parameters.rsaDetail.scheme.scheme;
+        hashAlg = key->pub.publicArea.parameters.rsaDetail.scheme.details.anySig.hashAlg;
     }
 
     return wolfTPM2_SignHashScheme(dev, key, digest, digestSz, sig, sigSz,
-        sigAlg, WOLFTPM2_WRAP_DIGEST);
+        sigAlg, hashAlg);
+
 }
 
 /* sigAlg: TPM_ALG_RSASSA, TPM_ALG_RSAPSS, TPM_ALG_ECDSA or TPM_ALG_ECDAA */
@@ -5315,6 +5320,15 @@ static int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate,
     if (publicTemplate == NULL || curveSz == 0)
         return BAD_FUNC_ARG;
 
+#if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384
+    /* make sure we use a curve that is enabled */
+    if (curve == TPM_ECC_NIST_P256) {
+        curve = TPM_ECC_NIST_P384;
+        nameAlg = TPM_ALG_SHA384;
+        sigHash = TPM_ALG_SHA384;
+    }
+#endif
+
     XMEMSET(publicTemplate, 0, sizeof(TPMT_PUBLIC));
     publicTemplate->type = TPM_ALG_ECC;
     publicTemplate->nameAlg = nameAlg;
@@ -6247,7 +6261,7 @@ static int CSR_KeySetup(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, WOLFTPM2_KEY* key,
                 csr->req.sigType = CTC_SHA256wECDSA;
             }
         }
-        else if (csr->req.sigType == 0) {
+        else if (sigType != 0) {
             csr->req.sigType = sigType;
         }
     }
@@ -6335,6 +6349,10 @@ int wolfTPM2_CSR_SetKeyUsage(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr,
 
     /* add Extended Key Usage */
     rc = wc_SetExtKeyUsage(&csr->req, keyUsage);
+    if (rc == EXTKEYUSAGE_E) {
+        /* try setting key usage values */
+        rc = wc_SetKeyUsage(&csr->req, keyUsage);
+    }
 #else
     if (keyUsage != NULL) {
     #ifdef DEBUG_WOLFTPM

wolftpm/tpm2_wrap.h

@@ -2670,15 +2670,19 @@ WOLFTPM_API int wolfTPM2_CSR_SetCustomExt(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr,
 /*!
     \ingroup wolfTPM2_Wrappers
     \brief Helper for Certificate Signing Request (CSR) generation to set a
-        key usage for a WOLFTPM2_CSR structure.
+        extended key usage or key usage for a WOLFTPM2_CSR structure.
+        Pass either extended key usage or key usage values.
+        Mixed string types are not supported, however you can call `wolfTPM2_CSR_SetKeyUsage`
+        twice (once for extended key usage strings and once for standard key usage strings).
 
     \return TPM_RC_SUCCESS: successful
     \return BAD_FUNC_ARG: check the provided arguments
 
     \param dev pointer to a TPM2_DEV struct (not used)
     \param csr pointer to a WOLFTPM2_CSR structure
     \param keyUsage string list of comma separated key usage attributes.
-        Possible values: any, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping and OCSPSigning
+        Possible Extended Key Usage values: any, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping and OCSPSigning
+        Possible Key Usage values: digitalSignature, nonRepudiation, contentCommitment, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
         Default: "serverAuth,clientAuth,codeSigning"
 
     \sa wolfTPM2_CSR_SetSubject