Support for storage root key and primary key endorsement argument -s for "set key type", pk and srk types

Author: aidangarske

README.md

@@ -529,10 +529,8 @@ fred-cert.der would be:
 
     $ ./examples/client/client -u fred -J ./keys/fred-cert.der -i ./keys/fred-key.der
 
-TPM
-===
-
-wolfSSH now supports TPM public key authentication.
+TPM PUBLIC KEY AUTHENTICATION
+=============================
 
 When using TPM for client side public key authentication wolfSSH has dependencies
 on wolfCrypt and wolfTPM. Youll also need to have a tpm simulator
@@ -560,9 +558,14 @@ simulator like `ibmswtpm2`. This can be done as followed:
     $ cd src
     $ ./tpm_server
 
-Before starting the echoserver you need to run the keygen for keyblob in wolfTPM
-using:
+Before starting the echoserver you need to run the keygen for keyblob in wolfTPM.
+You must choose between using the primary/endorsement key (recommended) or the
+storage root key. The following commands will generate the keyblob:
 
+For primary endorsement key:
+    $ ./examples/keygen/keygen keyblob.bin -rsa -t -pem -eh
+
+For storage root key:
     $ ./examples/keygen/keygen keyblob.bin -rsa -t -pem
 
 This will produce a key.pem TPM public key which needs to be converted the to
@@ -576,9 +579,14 @@ server:
 
     $ ./examples/echoserver/echoserver
 
-From another terminal run the client with the keyblob:
+From another terminal run the client with the keyblob. You must specify which
+key type to use:
+
+Using primary endorsement key (recommened)
+    $ ./examples/client/client -i ../wolfTPM/keyblob.bin -u hansel -s pk
 
-    $ ./examples/client/client -i ../wolfTPM/keyblob.bin -u hansel
+Using storage root key
+    $ ./examples/client/client -i ../wolfTPM/keyblob.bin -u hansel -s srk
 
 For debuging run server like above then:
 

examples/client/client.c

@@ -125,6 +125,9 @@ static void ShowUsage(void)
     printf(" -E            List all possible algos\n");
     printf(" -k            set the list of key algos to use\n");
     printf(" -q            turn off debugging output\n");
+#ifdef WOLFSSH_TPM
+    printf(" -s <type>     TPM key type: pk (primary key) or srk (storage)\n");
+#endif
 }
 
 
@@ -640,6 +643,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
     int ret = 0;
     int ch;
     int userEcc = 0;
+    int useEndorsementKey = -1;
     word16 port = wolfSshPort;
     char* host = (char*)wolfSshIp;
     const char* username = NULL;
@@ -665,7 +669,8 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
 
     (void)keepOpen;
 
-    while ((ch = mygetopt(argc, argv, "?ac:h:i:j:p:tu:xzNP:RJ:A:XeEk:q")) != -1) {
+    while ((ch = mygetopt(argc, argv,
+        "?ac:h:i:j:p:tu:xzNP:RJ:A:XeEk:qs:")) != -1) {
         switch (ch) {
             case 'h':
                 host = myoptarg;
@@ -769,6 +774,22 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
                 break;
         #endif
 
+            case 's':
+                if (myoptarg == NULL) {
+                    err_sys("TPM key type cannot be NULL");
+                }
+                if (strcmp(myoptarg, "pk") == 0) {
+                    useEndorsementKey = 1;  /* Use primary/endorsement key */
+                }
+                else if (strcmp(myoptarg, "srk") == 0) {
+                    useEndorsementKey = 0;  /* Use storage key */
+                }
+                else {
+                    useEndorsementKey = -1;
+                    err_sys("Invalid TPM key type. Must be 'pk' or 'srk'");
+                }
+                break;
+
             case '?':
                 ShowUsage();
                 exit(EXIT_SUCCESS);
@@ -798,7 +819,8 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
     }
     #endif
 #endif
-    ret = ClientSetPrivateKey(privKeyName, userEcc, NULL);
+    ret = ClientSetPrivateKey(privKeyName, userEcc, NULL,
+        useEndorsementKey);
     if (ret != 0) {
         err_sys("Error setting private key");
     }
@@ -853,7 +875,14 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
         err_sys("Couldn't create wolfSSH session.");
 
 #ifdef WOLFSSH_TPM
-    CLientSetTpm(ssh);
+    if (useEndorsementKey == -1) {
+        ClientFreeBuffers(pubKeyName, privKeyName, NULL);
+        wolfSSH_free(ssh);
+        wolfSSH_CTX_free(ctx);
+        err_sys("TPM key type must be specified as either 'pk' or 'srk'");
+    } else {
+        CLientSetTpm(ssh);
+    }
 #endif
 #if defined(WOLFSSL_PTHREADS) && defined(WOLFSSL_TEST_GLOBAL_REQ)
     wolfSSH_SetGlobalReq(ctx, callbackGlobalReq);

examples/client/common.c

@@ -771,19 +771,13 @@ int ClientUseCert(const char* certName, void* heap)
     #define WOLFSSH_TPM_KEY_AUTH      "ThisIsMyKeyAuth"
 #endif
 
-/* Enable use of endorsement key instead of storage key */
-#ifndef WOLFSSH_TPM_ENDORSEMENT_KEY
-    #define WOLFSSH_TPM_ENDORSEMENT_KEY 1
-#endif
-
-static const char gStorageKeyAuth[] = WOLFSSH_TPM_SRK_AUTH;
 static const char gKeyAuth[] = WOLFSSH_TPM_KEY_AUTH;
+static const char gStorageKeyAuth[] = WOLFSSH_TPM_SRK_AUTH;
 
 #define TPM2_DEMO_STORAGE_KEY_HANDLE WOLFSSH_TPM_SRK_HANDLE
 
 static int getPrimaryStoragekey(WOLFTPM2_DEV* pDev,
-                         WOLFTPM2_KEY* pStorageKey,
-                         TPM_ALG_ID alg)
+    WOLFTPM2_KEY* pStorageKey, TPM_ALG_ID alg)
 {
     int rc;
 
@@ -820,6 +814,37 @@ static int getPrimaryStoragekey(WOLFTPM2_DEV* pDev,
     return rc;
 }
 
+/* move to wolfTPM */
+static int getPrimaryEndorsementKey(WOLFTPM2_DEV* pDev,
+    WOLFTPM2_KEY* pEndorseKey, TPM_ALG_ID alg)
+{
+    int rc;
+    WOLFTPM2_SESSION tpmSession;
+
+    WLOG(WS_LOG_DEBUG, "Entering getPrimaryEndorsementKey()");
+
+    /* Create endorsement key (EK) */
+    rc = wolfTPM2_CreateEK(pDev, pEndorseKey, alg);
+    if (rc != 0) {
+        WLOG(WS_LOG_DEBUG, "Creating EK failed, rc: %d", rc);
+        return rc;
+    }
+
+    /* EK requires Policy auth, not Password */
+    pEndorseKey->handle.policyAuth = 1;
+
+    /* Create and set policy session */
+    rc = wolfTPM2_CreateAuthSession_EkPolicy(pDev, &tpmSession);
+    if (rc != 0) {
+        WLOG(WS_LOG_DEBUG, "Creating EK policy session failed, rc: %d", rc);
+        return rc;
+    }
+
+    rc = wolfTPM2_SetAuthSession(pDev, 0, &tpmSession, 0);
+    WLOG(WS_LOG_DEBUG, "Leaving getPrimaryEndorsementKey(), rc = %d", rc);
+    return rc;
+}
+
 static int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key)
 {
     int rc = 0;
@@ -904,81 +929,65 @@ static int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key)
     return rc;
 }
 
-static int getPrimaryEndorsementKey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* pEndorseKey, TPM_ALG_ID alg)
-{
-    int rc;
-    WOLFTPM2_SESSION tpmSession;
-
-    WLOG(WS_LOG_DEBUG, "Entering getPrimaryEndorsementKey()");
-
-    /* Create endorsement key (EK) */
-    rc = wolfTPM2_CreateEK(pDev, pEndorseKey, alg);
-    if (rc != 0) {
-        WLOG(WS_LOG_DEBUG, "Creating EK failed, rc: %d", rc);
-        return rc;
-    }
-
-    /* EK requires Policy auth, not Password */
-    pEndorseKey->handle.policyAuth = 1;
-
-    /* Create and set policy session */
-    rc = wolfTPM2_CreateAuthSession_EkPolicy(pDev, &tpmSession);
-    if (rc != 0) {
-        WLOG(WS_LOG_DEBUG, "Creating EK policy session failed, rc: %d", rc);
-        return rc;
-    }
-
-    rc = wolfTPM2_SetAuthSession(pDev, 0, &tpmSession, 0);
-    WLOG(WS_LOG_DEBUG, "Leaving getPrimaryEndorsementKey(), rc = %d", rc);
-    return rc;
-}
-
 static int wolfSSH_TPM_InitKey(WOLFTPM2_DEV* dev, const char* name,
-                               WOLFTPM2_KEY* pTpmKey)
+                               WOLFTPM2_KEY* pTpmKey, int useEndorsementKey)
 {
     int rc = 0;
-#if WOLFSSH_TPM_ENDORSEMENT_KEY
     WOLFTPM2_KEY endorse;
-#else
     WOLFTPM2_KEY storage;
-#endif
+    WOLFTPM2_KEY* primary = NULL;
     WOLFTPM2_KEYBLOB tpmKeyBlob;
     byte* p = NULL;
 
     WLOG(WS_LOG_DEBUG, "Entering wolfSSH_TPM_InitKey()");
 
+    /* Initialize structures */
+    XMEMSET(&endorse, 0, sizeof(endorse));
+    XMEMSET(&storage, 0, sizeof(storage));
+    XMEMSET(&tpmKeyBlob, 0, sizeof(tpmKeyBlob));
+
     /* Initialize the TPM 2.0 device */
-    if (rc == 0) {
-        rc = wolfTPM2_Init(dev, TPM2_IoCb, NULL);
-        if (rc != 0) {
-            WLOG(WS_LOG_DEBUG, "TPM 2.0 Device initialization failed, rc: %d", rc);
-        }
+    rc = wolfTPM2_Init(dev, TPM2_IoCb, NULL);
+    if (rc != 0) {
+        WLOG(WS_LOG_DEBUG,
+            "TPM 2.0 Device initialization failed, rc: %d", rc);
+        return rc;
     }
 
-    /* TPM 2.0 keys live under a Primary Key, acquire such key */
+    /* Get primary key based on type */
     if (rc == 0) {
-    #if WOLFSSH_TPM_ENDORSEMENT_KEY
-        rc = getPrimaryEndorsementKey(dev, &endorse, TPM_ALG_RSA);
-        if (rc != 0) {
-            WLOG(WS_LOG_DEBUG, "Acquiring Primary Endorsement Key failed, rc: %d", rc);
-        }
-    #else
-        rc = getPrimaryStoragekey(dev, &storage, TPM_ALG_RSA);
-        if (rc != 0) {
-            WLOG(WS_LOG_DEBUG, "Acquiring Primary Storage Key failed, rc: %d", rc);
+        if (useEndorsementKey == 1) {
+            rc = getPrimaryEndorsementKey(dev, &endorse, TPM_ALG_RSA);
+            if (rc == 0) {
+                primary = &endorse;
+                WLOG(WS_LOG_DEBUG, "Using Endorsement Key");
+            } else {
+                WLOG(WS_LOG_DEBUG,
+                    "Getting Primary Endorsement Key failed, rc: %d", rc);
+            }
+        } else {
+            rc = getPrimaryStoragekey(dev, &storage, TPM_ALG_RSA);
+            if (rc == 0) {
+                wolfTPM2_SetAuthHandle(dev, 0, &storage.handle);
+                primary = &storage;
+                WLOG(WS_LOG_DEBUG, "Using Storage Key");
+            } else {
+                WLOG(WS_LOG_DEBUG,
+                    "Getting Primary Storage Key failed, rc: %d", rc);
+            }
         }
-    #endif
     }
 
     /* Load the TPM 2.0 key blob from disk */
     if (rc == 0) {
         rc = readKeyBlob(name, &tpmKeyBlob);
         if (rc != 0) {
-            WLOG(WS_LOG_DEBUG, "Reading key blob from disk failed, rc: %d", rc);
+            WLOG(WS_LOG_DEBUG,
+                "Reading key blob from disk failed, rc: %d", rc);
         }
     }
 
-    /* set session for authorization key */
+    /* Set auth for key */
     if (rc == 0) {
         tpmKeyBlob.handle.auth.size = (int)sizeof(gKeyAuth)-1;
         XMEMCPY(tpmKeyBlob.handle.auth.buffer, gKeyAuth,
@@ -987,15 +996,13 @@ static int wolfSSH_TPM_InitKey(WOLFTPM2_DEV* dev, const char* name,
 
     /* Load the public key into the TPM device */
     if (rc == 0) {
-    #if WOLFSSH_TPM_ENDORSEMENT_KEY
-        rc = wolfTPM2_LoadKey(dev, &tpmKeyBlob, &endorse.handle);
-    #else
-        rc = wolfTPM2_LoadKey(dev, &tpmKeyBlob, &storage.handle);
-    #endif
+        rc = wolfTPM2_LoadKey(dev, &tpmKeyBlob, &primary->handle);
         if (rc != 0) {
             WLOG(WS_LOG_DEBUG, "wolfTPM2_LoadKey failed, rc: %d", rc);
+        } else {
+            WLOG(WS_LOG_DEBUG, "Loaded key to 0x%x\n",
+                (word32)tpmKeyBlob.handle.hndl);
         }
-        WLOG(WS_LOG_DEBUG, "Loaded key to 0x%x\n", (word32)tpmKeyBlob.handle.hndl);
     }
 
     /* Read the public key and extract the public key as a DER/ASN.1 */
@@ -1013,24 +1020,25 @@ static int wolfSSH_TPM_InitKey(WOLFTPM2_DEV* dev, const char* name,
         rc = wolfSSH_ReadPublicKey_buffer(userPublicKey, userPublicKeySz,
             WOLFSSH_FORMAT_ASN1, &p, &userPublicKeySz, &userPublicKeyType,
             &userPublicKeyTypeSz, NULL);
-        if (rc != 0) {
+        if (rc == 0) {
+            userPublicKey = p;
+        } else {
             WLOG(WS_LOG_DEBUG, "Reading public key failed, rc: %d", rc);
         }
-        userPublicKey = p;
     }
 
-    /* Unload primary key handle */
+    /* Copy key info */
     if (rc == 0) {
         XMEMCPY(&pTpmKey->handle, &tpmKeyBlob.handle, sizeof(pTpmKey->handle));
         XMEMCPY(&pTpmKey->pub, &tpmKeyBlob.pub, sizeof(pTpmKey->pub));
-    #if WOLFSSH_TPM_ENDORSEMENT_KEY
-        wolfTPM2_UnloadHandle(dev, &endorse.handle);
-    #else
-        wolfTPM2_UnloadHandle(dev, &storage.handle);
-    #endif
     }
 
-    WLOG(WS_LOG_DEBUG, "Leaving wolfSSH_TPM_InitKey()");
+    /* Cleanup */
+    if (primary != NULL) {
+        wolfTPM2_UnloadHandle(dev, &primary->handle);
+    }
+
+    WLOG(WS_LOG_DEBUG, "Leaving wolfSSH_TPM_InitKey(), rc = %d", rc);
     return rc;
 }
 
@@ -1063,7 +1071,8 @@ int CLientSetTpm(WOLFSSH* ssh)
 
 /* Reads the private key to use from file name privKeyName.
  * returns 0 on success */
-int ClientSetPrivateKey(const char* privKeyName, int userEcc, void* heap)
+int ClientSetPrivateKey(const char* privKeyName, int userEcc,
+    void* heap, int useEndorsementKey)
 {
     int ret = 0;
 
@@ -1099,7 +1108,8 @@ int ClientSetPrivateKey(const char* privKeyName, int userEcc, void* heap)
          */
         WMEMSET(&tpmDev, 0, sizeof(tpmDev));
         WMEMSET(&tpmKey, 0, sizeof(tpmKey));
-        ret = wolfSSH_TPM_InitKey(&tpmDev, privKeyName, &tpmKey);
+        ret = wolfSSH_TPM_InitKey(&tpmDev, privKeyName, &tpmKey,
+            useEndorsementKey);
     #elif !defined(NO_FILESYSTEM)
         userPrivateKey = NULL; /* create new buffer based on parsed input */
         userPrivateKeyAlloc = 1;

examples/client/common.h

@@ -22,7 +22,8 @@
 #define WOLFSSH_COMMON_H
 int ClientLoadCA(WOLFSSH_CTX* ctx, const char* caCert);
 int ClientUsePubKey(const char* pubKeyName, int userEcc, void* heap);
-int ClientSetPrivateKey(const char* privKeyName, int userEcc, void* heap);
+int ClientSetPrivateKey(const char* privKeyName, int userEcc, void* heap,
+        int useEndorsementKey);
 int ClientUseCert(const char* certName, void* heap);
 int ClientSetEcho(int type);
 int ClientUserAuth(byte authType,