diff options
author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-11-22 10:57:35 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-11-22 16:44:24 -0500 |
commit | df71996a0107b4ac931040206f4808af71da13c2 (patch) | |
tree | 842e9bdacb7f88ab6724627f16cfd92b3fd154c5 | |
parent | e3d119271d266d165b88fba402d742185a5f406b (diff) | |
download | openssl_tpm2_engine-df71996a0107b4ac931040206f4808af71da13c2.tar.gz |
tpm2-common: add helpers for querying and removing key policy
These helpers will be used to implement the ls and rm functions
of signed_tpm2_policy.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | src/include/tpm2-common.h | 2 | ||||
-rw-r--r-- | src/libcommon/tpm2-common.c | 112 |
2 files changed, 89 insertions, 25 deletions
diff --git a/src/include/tpm2-common.h b/src/include/tpm2-common.h index 7a70c4e..0e6251b 100644 --- a/src/include/tpm2-common.h +++ b/src/include/tpm2-common.h @@ -129,4 +129,6 @@ int tpm2_ecdh_x(struct app_data *ad, unsigned char **psec, size_t *pseclen, int tpm2_rsa_decrypt(const struct app_data *ad, PUBLIC_KEY_RSA_2B *cipherText, unsigned char *to, int padding, int protection, char *srk_auth); +int tpm2_rm_signed_policy(char *tpmkey, int rmnum); +int tpm2_get_signed_policy(char *tpmkey, STACK_OF(TSSAUTHPOLICY) **sk); #endif diff --git a/src/libcommon/tpm2-common.c b/src/libcommon/tpm2-common.c index 41a073a..71c66d2 100644 --- a/src/libcommon/tpm2-common.c +++ b/src/libcommon/tpm2-common.c @@ -2349,6 +2349,89 @@ out: return rc; } +static void tpm2_read_tpk(char *tpmkey, TSSPRIVKEY **tpk) +{ + BIO *bf; + *tpk = NULL; + + bf = BIO_new_file(tpmkey, "r"); + if (!bf) { + fprintf(stderr, "File %s does not exist or cannot be read\n", + tpmkey); + return; + } + + *tpk = PEM_read_bio_TSSPRIVKEY(bf, NULL, NULL, NULL); + if (!*tpk) { + BIO_seek(bf, 0); + ERR_clear_error(); + *tpk = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TSSPRIVKEY), bf, NULL); + } + BIO_free(bf); + if (!*tpk) + fprintf(stderr, "Cannot parse file as TPM key\n"); +} + +static int tpm2_write_tpk(char *tpmkey, TSSPRIVKEY *tpk) +{ + BIO *bf; + + bf = BIO_new_file(tpmkey, "w"); + if (bf == NULL) { + fprintf(stderr, "Failed to open key file %s for writing\n", + tpmkey); + return 1; + } + PEM_write_bio_TSSPRIVKEY(bf, tpk); + BIO_free(bf); + + return 0; +} + +int tpm2_rm_signed_policy(char *tpmkey, int rmnum) +{ + TSSPRIVKEY *tpk; + TSSAUTHPOLICY *ap; + int ret = 0; + + tpm2_read_tpk(tpmkey, &tpk); + if (!tpk) + return 1; + + if (sk_TSSAUTHPOLICY_num(tpk->authPolicy) < rmnum) { + fprintf(stderr, "Policy %d does not exist\n", rmnum); + goto out_free; + } + + ap = sk_TSSAUTHPOLICY_delete(tpk->authPolicy, rmnum - 1); + TSSAUTHPOLICY_free(ap); + + ret = tpm2_write_tpk(tpmkey, tpk); + + out_free: + TSSPRIVKEY_free(tpk); + return ret; +} + +int tpm2_get_signed_policy(char *tpmkey, STACK_OF(TSSAUTHPOLICY) **sk) +{ + TSSPRIVKEY *tpk; + + *sk = NULL; + tpm2_read_tpk(tpmkey, &tpk); + if (!tpk) + return 1; + + if (tpk->authPolicy) { + *sk = sk_TSSAUTHPOLICY_dup(tpk->authPolicy); + /* dup does not duplicate elements, so transfer ownership */ + sk_TSSAUTHPOLICY_zero(tpk->authPolicy); + } + + TSSPRIVKEY_free(tpk); + return 0; +} + TPM_RC tpm2_new_signed_policy(char *tpmkey, char *policykey, char *engine, TSSAUTHPOLICY *ap, TPMT_HA *digest) { @@ -2368,24 +2451,10 @@ TPM_RC tpm2_new_signed_policy(char *tpmkey, char *policykey, char *engine, BYTE buf[1024]; UINT16 written = 0; - bf = BIO_new_file(tpmkey, "r"); - if (!bf) { - fprintf(stderr, "File %s does not exist or cannot be read\n", - tpmkey); + tpm2_read_tpk(tpmkey, &tpk); + if (!tpk) return 0; - } - tpk = PEM_read_bio_TSSPRIVKEY(bf, NULL, NULL, NULL); - if (!tpk) { - BIO_seek(bf, 0); - ERR_clear_error(); - tpk = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TSSPRIVKEY), bf, NULL); - } - BIO_free(bf); - if (!tpk) { - fprintf(stderr, "Cannot parse file as TPM key\n"); - return 0; - } if (!tpk->policy || sk_TSSOPTPOLICY_num(tpk->policy) <= 0) { fprintf(stderr, "TPM Key has no policy\n"); goto err_free_tpmkey; @@ -2460,17 +2529,10 @@ TPM_RC tpm2_new_signed_policy(char *tpmkey, char *policykey, char *engine, * latest policy addition first */ sk_TSSAUTHPOLICY_unshift(tpk->authPolicy, ap); - bf = BIO_new_file(tpmkey, "w"); - if (bf == NULL) { - fprintf(stderr, "Failed to open key file %s for writing\n", - tpmkey); - goto err_free_tpmkey; - } - PEM_write_bio_TSSPRIVKEY(bf, tpk); - BIO_free(bf); + rc = tpm2_write_tpk(tpmkey, tpk); TSSPRIVKEY_free(tpk); - return 0; + return rc; err_free_tpmkey: TSSPRIVKEY_free(tpk); |