Google Git
Sign in
qemu / skiboot / 326a4666bd69ca071c4f7d2eacf868b11099baee / . / libstb / tss2 / ibmtpm20tss / utils / ekutils.h
blob: bffde537146823370f7830c25a5a5ff2638e5260 [file] [log] [blame]
/********************************************************************************/
/* */
/* IWG EK Index Parsing Utilities */
/* Written by Ken Goldman */
/* IBM Thomas J. Watson Research Center */
/* */
/* (c) Copyright IBM Corporation 2016 - 2019. */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer. */
/* */
/* Redistributions in binary form must reproduce the above copyright */
/* notice, this list of conditions and the following disclaimer in the */
/* documentation and/or other materials provided with the distribution. */
/* */
/* Neither the names of the IBM Corporation nor the names of its */
/* contributors may be used to endorse or promote products derived from */
/* this software without specific prior written permission. */
/* */
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
/********************************************************************************/
#ifndef EKUTILS_H
#define EKUTILS_H
/* Windows 10 crypto API clashes with openssl */
#ifdef TPM_WINDOWS
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#endif
#ifndef TPM_TSS_NO_OPENSSL
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/bn.h>
#endif /* TPM_TSS_NO_OPENSSL */
#include <ibmtss/tss.h>
/* legacy TCG IWG NV indexes */
#define EK_CERT_RSA_INDEX 0x01c00002
#define EK_NONCE_RSA_INDEX 0x01c00003
#define EK_TEMPLATE_RSA_INDEX 0x01c00004
#define EK_CERT_EC_INDEX 0x01c0000a
#define EK_NONCE_EC_INDEX 0x01c0000b
#define EK_TEMPLATE_EC_INDEX 0x01c0000c
#define MAX_ROOTS 100 /* 100 should be more than enough */
#ifdef __cplusplus
extern "C" {
#endif
/*
crypto library independent functions
*/
TPM_RC readNvBufferMax(TSS_CONTEXT *tssContext,
uint32_t *nvBufferMax);
TPM_RC getIndexSize(TSS_CONTEXT *tssContext,
uint16_t *dataSize,
TPMI_RH_NV_INDEX nvIndex);
TPM_RC getIndexData(TSS_CONTEXT *tssContext,
unsigned char **buffer,
TPMI_RH_NV_INDEX nvIndex,
uint16_t dataSize);
TPM_RC getIndexContents(TSS_CONTEXT *tssContext,
unsigned char **buffer,
uint16_t *bufferSize,
TPMI_RH_NV_INDEX nvIndex);
void getRsaTemplate(TPMT_PUBLIC *tpmtPublic);
void getEccTemplate(TPMT_PUBLIC *tpmtPublic);
TPM_RC getRootCertificateFilenames(char *rootFilename[],
unsigned int *rootFileCount,
const char *listFilename,
int print);
TPM_RC processEKNonce(TSS_CONTEXT *tssContext,
unsigned char **nonce,
uint16_t *nonceSize,
TPMI_RH_NV_INDEX ekNonceIndex,
int print);
TPM_RC processEKTemplate(TSS_CONTEXT *tssContext,
TPMT_PUBLIC *tpmtPublic,
TPMI_RH_NV_INDEX ekTemplateIndex,
int print);
TPM_RC convertDerToX509(void **x509Certificate,
uint16_t readLength,
const unsigned char *readBuffer);
TPM_RC convertX509PemToDer(uint32_t *certLength,
unsigned char **certificate,
const char *pemCertificateFilename);
TPM_RC convertX509ToPem(const char *pemFilename,
void *x509);
void x509FreeStructure(void *x509);
void x509PrintStructure(void *x509);
TPM_RC processEKCertificate(TSS_CONTEXT *tssContext,
void **ekCertificate,
uint8_t **modulusBin,
int *modulusBytes,
TPMI_RH_NV_INDEX ekCertIndex,
int print);
TPM_RC getIndexX509Certificate(TSS_CONTEXT *tssContext,
void **certificate,
TPMI_RH_NV_INDEX nvIndex);
TPM_RC convertCertificatePubKey(uint8_t **modulusBin,
int *modulusBytes,
void *ekCertificate,
TPMI_RH_NV_INDEX ekCertIndex,
int print);
TPM_RC createCertificate(char **x509CertString,
char **pemCertString,
uint32_t *certLength,
unsigned char **certificate,
TPMT_PUBLIC *tpmtPublic,
const char *caKeyFileName,
size_t issuerEntriesSize,
char **issuerEntries,
size_t subjectEntriesSize,
char **subjectEntries,
const char *caKeyPassword);
TPM_RC processRoot(TSS_CONTEXT *tssContext,
TPMI_RH_NV_INDEX ekCertIndex,
const char *rootFilename[],
unsigned int rootFileCount,
int print);
TPM_RC verifyCertificate(void *x509Certificate,
const char *rootFilename[],
unsigned int rootFileCount,
int print);
TPM_RC processCreatePrimary(TSS_CONTEXT *tssContext,
TPM_HANDLE *keyHandle,
TPMI_RH_NV_INDEX ekCertIndex,
unsigned char *nonce,
uint16_t nonceSize,
TPMT_PUBLIC *tpmtPublicIn,
TPMT_PUBLIC *tpmtPublicOut,
unsigned int noFlush,
int print);
TPM_RC processValidatePrimary(uint8_t *publicKeyBin,
int publicKeyBytes,
TPMT_PUBLIC *tpmtPublic,
TPMI_RH_NV_INDEX ekCertIndex,
int print);
TPM_RC processPrimary(TSS_CONTEXT *tssContext,
TPM_HANDLE *keyHandle,
TPMI_RH_NV_INDEX ekCertIndex,
TPMI_RH_NV_INDEX ekNonceIndex,
TPMI_RH_NV_INDEX ekTemplateIndex,
unsigned int noFlush,
int print);
/*
deprecated OpenSSL specific functions
*/
#ifndef TPM_TSS_NO_OPENSSL
uint32_t getPubkeyFromDerCertFile(RSA **rsaPkey,
X509 **x509,
const char *derCertificateFileName);
uint32_t getPubKeyFromX509Cert(RSA **rsaPkey,
X509 *x509);
TPM_RC getCaStore(X509_STORE **caStore,
X509 *caCert[],
const char *rootFilename[],
unsigned int rootFileCount);
TPM_RC verifyKeyUsage(X509 *ekX509Certificate,
int pkeyType,
int print);
TPM_RC convertX509ToDer(uint32_t *certLength,
unsigned char **certificate,
X509 *x509Certificate);
#ifndef TPM_TSS_NOECC
TPM_RC convertX509ToEc(EC_KEY **ecKey,
X509 *x509);
#endif /* TPM_TSS_NOECC */
TPM_RC convertX509ToDer(uint32_t *certLength,
unsigned char **certificate,
X509 *x509Certificate);
TPM_RC convertPemToX509(X509 **x509,
const char *pemCertificateFilename);
TPM_RC convertPemMemToX509(X509 **x509,
const char *pemCertificate);
TPM_RC convertX509ToPemMem(char **pemString,
X509 *x509);
TPM_RC convertX509ToString(char **x509String,
X509 *x509);
TPM_RC convertCertificatePubKey12(uint8_t **modulusBin,
int *modulusBytes,
X509 *ekCertificate);
/* certificate key to nid mapping array */
TPM_RC startCertificate(X509 *x509Certificate,
uint16_t keyLength,
const unsigned char *keyBuffer,
size_t issuerEntriesSize,
char **issuerEntries,
size_t subjectEntriesSize,
char **subjectEntries);
typedef struct tdCertificateName
{
const char *key;
int nid;
} CertificateName;
TPM_RC calculateNid(void);
TPM_RC createX509Name(X509_NAME **x509Name,
size_t entriesSize,
char **entries);
TPM_RC addCertExtension(X509 *x509Certificate, int nid, const char *value);
TPM_RC addCertKeyRsa(X509 *x509Certificate,
const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa);
#ifndef TPM_TSS_NOECC
TPM_RC addCertKeyEcc(X509 *x509Certificate,
const TPMS_ECC_POINT *tpmsEccPoint);
#endif /* TPM_TSS_NOECC */
TPM_RC addCertSignatureRoot(X509 *x509Certificate,
const char *caKeyFileName,
const char *caKeyPassword);
TPM_RC TSS_RSAGetKey(const BIGNUM **n,
const BIGNUM **e,
const BIGNUM **d,
const BIGNUM **p,
const BIGNUM **q,
const RSA *rsaKey);
int TSS_Pubkey_GetAlgorithm(EVP_PKEY *pkey);
#endif /* TPM_TSS_NO_OPENSSL */
#ifdef __cplusplus
}
#endif
#endif