Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TPM crypto callback support for RSA key generation #311

Merged
merged 16 commits into from
Nov 29, 2023

Conversation

dgarske
Copy link
Contributor

@dgarske dgarske commented Nov 13, 2023

Required for wolfSSL/wolfPKCS11#23

  • Add TPM crypto callback support for RSA key generation
  • Allow import of wolf ECC marked as private only (ECC_PRIVATEKEY_ONLY).
  • Properly translate a TPM ECC signature verify error for compatibility.
  • Fixes for building wolfCrypt without PEM to DER support.
  • Improve the ECC key import scheme for signing.
  • Improve logic for finding TPM curve in ECC key generation. A call to wc_ecc_make_key can use curve_id 0 (to detect), but we can get it from the "dp".
  • Fix to make sure leading ECC sign leading zeros are removed when not required.
  • Fix leading zero issue on verify.
  • Fix for ECC encrypt secret integrity check failed due to zero pad issue.
  • Fix for policy_sign issue when r or s is less than key size (needs zero padding).
  • Support ECC KeyGen for signing or derive based on callback context eccKey or ecdhKey population.
  • Cleanup KDF function return code checking to avoid scan-build warning.

@dgarske dgarske self-assigned this Nov 13, 2023
@dgarske dgarske force-pushed the tpm_cryptocb_keygen branch 2 times, most recently from 026a17b to 84866a5 Compare November 14, 2023 19:52
@dgarske dgarske force-pushed the tpm_cryptocb_keygen branch from 03498df to 249f9d4 Compare November 16, 2023 05:54
@dgarske dgarske force-pushed the tpm_cryptocb_keygen branch from f7f9353 to a48b074 Compare November 17, 2023 19:19
@dgarske dgarske force-pushed the tpm_cryptocb_keygen branch from 35213b1 to 4b433f2 Compare November 20, 2023 23:42
…wc_ecc_make_key can use curve_id 0 (to detect), but we can get it from the "dp".
@dgarske dgarske requested a review from embhorn November 27, 2023 22:41
@dgarske dgarske assigned embhorn and unassigned dgarske Nov 27, 2023
@dgarske dgarske assigned dgarske and unassigned embhorn Nov 28, 2023
Copy link
Member

@embhorn embhorn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be documented that WOLFSSL_PUBLIC_MP is required for all the examples in examples/run_examples.sh to succeed. Any reason not to add it to the recommended wolfSSL config in the readme?


Also seeing a failure in the csr test:

:~/git/wolfTPM $ ./examples/csr/csr -cert
TPM2 CSR Example
Trying TPM @ /dev/spidev0.0 (33 MHz)
Trying TPM @ /dev/spidev0.1 (33 MHz)
Found TPM @ /dev/spidev0.1
TPM2: Caps 0x30000697, Did 0x001b, Vid 0x15d1, Rid 0x16
TPM2_Startup pass
TPM2_SelfTest pass
TPM2_ReadPublic Handle 0x81000200: pub 282, name 34, qualifiedName 34
Loading SRK: Storage 0x81000200 (282 bytes)
Reading 506 bytes from rsa_test_blob.raw
Public Area (size 278):
  Type: RSA (0x1), name: SHA256 (0xB), objAttr: 0x60460, authPolicy sz: 0
  RSA: sym algorithm: NULL (0x10), sym keyBits: 0, sym mode: Unknown (0x0)
       scheme: NULL (0x10), scheme hash: Unknown (0x0)
       keyBits: 2048, exponent: 0x10001, unique size 256
Reading the private part of the key
TPM2_Load Key Handle 0x80000001
Loaded key to 0x80000001
TPM2_FlushContext: Closed handle 0x80000001
Failure 0xffffff39: Random Number Generator failed

@dgarske
Copy link
Contributor Author

dgarske commented Nov 28, 2023

It should be documented that WOLFSSL_PUBLIC_MP is required for all the examples in examples/run_examples.sh to succeed. Any reason not to add it to the recommended wolfSSL config in the readme?

Also seeing a failure in the csr test:

:~/git/wolfTPM $ ./examples/csr/csr -cert
TPM2 CSR Example
Trying TPM @ /dev/spidev0.0 (33 MHz)
Trying TPM @ /dev/spidev0.1 (33 MHz)
Found TPM @ /dev/spidev0.1
TPM2: Caps 0x30000697, Did 0x001b, Vid 0x15d1, Rid 0x16
TPM2_Startup pass
TPM2_SelfTest pass
TPM2_ReadPublic Handle 0x81000200: pub 282, name 34, qualifiedName 34
Loading SRK: Storage 0x81000200 (282 bytes)
Reading 506 bytes from rsa_test_blob.raw
Public Area (size 278):
  Type: RSA (0x1), name: SHA256 (0xB), objAttr: 0x60460, authPolicy sz: 0
  RSA: sym algorithm: NULL (0x10), sym keyBits: 0, sym mode: Unknown (0x0)
       scheme: NULL (0x10), scheme hash: Unknown (0x0)
       keyBits: 2048, exponent: 0x10001, unique size 256
Reading the private part of the key
TPM2_Load Key Handle 0x80000001
Loaded key to 0x80000001
TPM2_FlushContext: Closed handle 0x80000001
Failure 0xffffff39: Random Number Generator failed

That is correct. The ECC encrypt scheme requires direct mp_ math functions. It has already been added to wolfSSL's --enable-wolftpm. See PR wolfSSL/wolfssl#6683

dgarske added a commit to dgarske/wolfPKCS11 that referenced this pull request Nov 28, 2023
@dgarske dgarske assigned embhorn and unassigned dgarske Nov 28, 2023
@dgarske dgarske force-pushed the tpm_cryptocb_keygen branch 2 times, most recently from dec9783 to 05756ed Compare November 28, 2023 23:28
dgarske added a commit to dgarske/wolfPKCS11 that referenced this pull request Nov 28, 2023
…and supports RSA and ECC. Requires wolfSSL/wolfTPM#311

Added CI testing for wolfPKCS11 with wolfTPM backend and single threaded.
The keystore will use TPM NV if `WOLFPKCS11_TPM_STORE` is defined.
@dgarske dgarske assigned dgarske and unassigned embhorn Nov 29, 2023
…LS tests, to avoid real random port collision with SWTPM sockets. Resolves TLS issue with "ERROR: failed to bind! errno 98".
@dgarske dgarske force-pushed the tpm_cryptocb_keygen branch from 05756ed to 1853127 Compare November 29, 2023 20:34
@dgarske dgarske assigned embhorn and unassigned dgarske Nov 29, 2023
@dgarske dgarske requested a review from embhorn November 29, 2023 20:42
@dgarske dgarske force-pushed the tpm_cryptocb_keygen branch from 32c1e90 to 5013754 Compare November 29, 2023 21:10
Copy link
Member

@embhorn embhorn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with RPi / Infineon TPM

@embhorn embhorn merged commit 18e6177 into wolfSSL:master Nov 29, 2023
1 check passed
dgarske added a commit to dgarske/wolfPKCS11 that referenced this pull request Nov 29, 2023
…and supports RSA and ECC. Requires wolfSSL/wolfTPM#311

Added CI testing for wolfPKCS11 with wolfTPM backend and single threaded.
@dgarske dgarske deleted the tpm_cryptocb_keygen branch December 29, 2023 17:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants