roms/skiboot/libstb/tss2/ibmtpm20tss/utils/ekutils.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258

/********************************************************************************/
/*										*/
/*			IWG EK Index Parsing Utilities				*/
/*			     Written by Ken Goldman				*/
/*		       IBM Thomas J. Watson Research Center			*/
/*										*/
/* (c) Copyright IBM Corporation 2016 - 2019.					*/
/*										*/
/* All rights reserved.								*/
/* 										*/
/* Redistribution and use in source and binary forms, with or without		*/
/* modification, are permitted provided that the following conditions are	*/
/* met:										*/
/* 										*/
/* Redistributions of source code must retain the above copyright notice,	*/
/* this list of conditions and the following disclaimer.			*/
/* 										*/
/* Redistributions in binary form must reproduce the above copyright		*/
/* notice, this list of conditions and the following disclaimer in the		*/
/* documentation and/or other materials provided with the distribution.		*/
/* 										*/
/* Neither the names of the IBM Corporation nor the names of its		*/
/* contributors may be used to endorse or promote products derived from		*/
/* this software without specific prior written permission.			*/
/* 										*/
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS		*/
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT		*/
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR	*/
/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT		*/
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,	*/
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT		*/
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,	*/
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY	*/
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT		*/
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	*/
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.		*/
/********************************************************************************/

#ifndef EKUTILS_H
#define EKUTILS_H

/* Windows 10 crypto API clashes with openssl */
#ifdef TPM_WINDOWS
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#endif

#ifndef TPM_TSS_NO_OPENSSL
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/bn.h>
#endif	/* TPM_TSS_NO_OPENSSL */

#include <ibmtss/tss.h>

/* legacy TCG IWG NV indexes */

#define EK_CERT_RSA_INDEX 	0x01c00002
#define EK_NONCE_RSA_INDEX 	0x01c00003 
#define EK_TEMPLATE_RSA_INDEX 	0x01c00004

#define EK_CERT_EC_INDEX 	0x01c0000a
#define EK_NONCE_EC_INDEX 	0x01c0000b
#define EK_TEMPLATE_EC_INDEX 	0x01c0000c

#define MAX_ROOTS		100	/* 100 should be more than enough */

#ifdef __cplusplus
extern "C" {
#endif

    /*
      crypto library independent functions
    */
    
    TPM_RC readNvBufferMax(TSS_CONTEXT *tssContext,
			   uint32_t *nvBufferMax);
    TPM_RC getIndexSize(TSS_CONTEXT *tssContext,
			uint16_t *dataSize,
			TPMI_RH_NV_INDEX nvIndex);
    TPM_RC getIndexData(TSS_CONTEXT *tssContext,
			unsigned char **buffer,
			TPMI_RH_NV_INDEX nvIndex,
			uint16_t dataSize);
    TPM_RC getIndexContents(TSS_CONTEXT *tssContext,
			    unsigned char **buffer,
			    uint16_t *bufferSize,
			    TPMI_RH_NV_INDEX nvIndex);
    void getRsaTemplate(TPMT_PUBLIC *tpmtPublic);
    void getEccTemplate(TPMT_PUBLIC *tpmtPublic);
    TPM_RC getRootCertificateFilenames(char *rootFilename[],
				       unsigned int *rootFileCount,
				       const char *listFilename,
				       int print);
    TPM_RC processEKNonce(TSS_CONTEXT *tssContext,
			  unsigned char **nonce,
			  uint16_t *nonceSize,
			  TPMI_RH_NV_INDEX ekNonceIndex,
			  int print);
    TPM_RC processEKTemplate(TSS_CONTEXT *tssContext,
			     TPMT_PUBLIC *tpmtPublic,
			     TPMI_RH_NV_INDEX ekTemplateIndex,
			     int print);
    TPM_RC convertDerToX509(void **x509Certificate,
			    uint16_t readLength,
			    const unsigned char *readBuffer);
    TPM_RC convertX509PemToDer(uint32_t *certLength,
				unsigned char **certificate,
				const char *pemCertificateFilename);
    TPM_RC convertX509ToPem(const char *pemFilename,
			    void *x509);
    void x509FreeStructure(void *x509);
    void x509PrintStructure(void *x509);
    TPM_RC processEKCertificate(TSS_CONTEXT *tssContext,
				void **ekCertificate,
				uint8_t **modulusBin,
				int *modulusBytes,
				TPMI_RH_NV_INDEX ekCertIndex,
				int print);
    TPM_RC getIndexX509Certificate(TSS_CONTEXT *tssContext,
				   void **certificate,
				   TPMI_RH_NV_INDEX nvIndex);
    TPM_RC convertCertificatePubKey(uint8_t **modulusBin,
				    int *modulusBytes,
				    void *ekCertificate,
				    TPMI_RH_NV_INDEX ekCertIndex,
				    int print);
    TPM_RC createCertificate(char **x509CertString,
			     char **pemCertString,
			     uint32_t *certLength,
			     unsigned char **certificate,
			     TPMT_PUBLIC *tpmtPublic,	
			     const char *caKeyFileName,
			     size_t issuerEntriesSize,
			     char **issuerEntries,
			     size_t subjectEntriesSize,
			     char **subjectEntries,
			     const char *caKeyPassword);
    TPM_RC processRoot(TSS_CONTEXT *tssContext,
		       TPMI_RH_NV_INDEX ekCertIndex,
		       const char *rootFilename[],
		       unsigned int rootFileCount,
		       int print);
    TPM_RC verifyCertificate(void *x509Certificate,
			     const char *rootFilename[],
			     unsigned int rootFileCount,
			     int print);
    TPM_RC processCreatePrimary(TSS_CONTEXT *tssContext,
				TPM_HANDLE *keyHandle,
				TPMI_RH_NV_INDEX ekCertIndex,
				unsigned char *nonce,
				uint16_t nonceSize,
				TPMT_PUBLIC *tpmtPublicIn,
				TPMT_PUBLIC *tpmtPublicOut,
				unsigned int noFlush,
				int print);
    TPM_RC processValidatePrimary(uint8_t *publicKeyBin,
				  int publicKeyBytes,
				  TPMT_PUBLIC *tpmtPublic,
				  TPMI_RH_NV_INDEX ekCertIndex,
				  int print);
    TPM_RC processPrimary(TSS_CONTEXT *tssContext,
			  TPM_HANDLE *keyHandle,
			  TPMI_RH_NV_INDEX ekCertIndex,
			  TPMI_RH_NV_INDEX ekNonceIndex, 
			  TPMI_RH_NV_INDEX ekTemplateIndex,
			  unsigned int noFlush,
			  int print);

    /*
      deprecated OpenSSL specific functions
    */
   
#ifndef TPM_TSS_NO_OPENSSL


    uint32_t getPubkeyFromDerCertFile(RSA  **rsaPkey,
				      X509 **x509,
				      const char *derCertificateFileName);
    uint32_t getPubKeyFromX509Cert(RSA  **rsaPkey,
				   X509 *x509);
    TPM_RC getCaStore(X509_STORE **caStore,
		      X509 *caCert[],
		      const char *rootFilename[],
		      unsigned int rootFileCount);
    TPM_RC verifyKeyUsage(X509 *ekX509Certificate,
			  int pkeyType,
			  int print);
    TPM_RC convertX509ToDer(uint32_t *certLength,
			    unsigned char **certificate,
			    X509 *x509Certificate);
#ifndef TPM_TSS_NOECC
    TPM_RC convertX509ToEc(EC_KEY **ecKey,
			   X509 *x509);
#endif	/* TPM_TSS_NOECC */
    TPM_RC convertX509ToDer(uint32_t *certLength,
			    unsigned char **certificate,
			    X509 *x509Certificate);
    TPM_RC convertPemToX509(X509 **x509,
			    const char *pemCertificateFilename);
    TPM_RC convertPemMemToX509(X509 **x509,
			       const char *pemCertificate);
    TPM_RC convertX509ToPemMem(char **pemString,
			       X509 *x509);
    TPM_RC convertX509ToString(char **x509String,
			       X509 *x509);
    TPM_RC convertCertificatePubKey12(uint8_t **modulusBin,
				      int *modulusBytes,
				      X509 *ekCertificate);

    /* certificate key to nid mapping array */

    TPM_RC startCertificate(X509 *x509Certificate,
			    uint16_t keyLength,
			    const unsigned char *keyBuffer,
			    size_t issuerEntriesSize,
			    char **issuerEntries,
			    size_t subjectEntriesSize,
			    char **subjectEntries);

    typedef struct tdCertificateName
    {
	const char *key;
	int nid;
    } CertificateName;

    TPM_RC calculateNid(void);
    TPM_RC createX509Name(X509_NAME **x509Name,
			  size_t entriesSize,
			  char **entries);
    TPM_RC addCertExtension(X509 *x509Certificate, int nid, const char *value);
    TPM_RC addCertKeyRsa(X509 *x509Certificate,
			 const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa);
#ifndef TPM_TSS_NOECC
    TPM_RC addCertKeyEcc(X509 *x509Certificate,
			 const TPMS_ECC_POINT *tpmsEccPoint);
#endif	/* TPM_TSS_NOECC */
    TPM_RC addCertSignatureRoot(X509 *x509Certificate,
				const char *caKeyFileName,
				const char *caKeyPassword);
    TPM_RC TSS_RSAGetKey(const BIGNUM **n,
			 const BIGNUM **e,
			 const BIGNUM **d,
			 const BIGNUM **p,
			 const BIGNUM **q,
			 const RSA *rsaKey);

    int TSS_Pubkey_GetAlgorithm(EVP_PKEY *pkey);


#endif /* TPM_TSS_NO_OPENSSL */

#ifdef __cplusplus
}
#endif

#endif