Switch to standard TSS2 PEM format
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dwmw2 committed Oct 12, 2018
1 parent 3079615 commit 79bb454
Showing 5 changed files with 20 additions and 23 deletions.
2 changes: 1 addition & 1 deletion gnutls.c
Expand Up @@ -1320,7 +1320,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
}

/* Is it a PEM file with a TPM key blob? */
if (strstr((char *)fdata.data, "-----BEGIN TSS2 KEY BLOB-----")) {
if (strstr((char *)fdata.data, "-----BEGIN TSS2 PRIVATE KEY-----")) {
#ifndef HAVE_TSS2
vpn_progress(vpninfo, PRG_ERR,
_("This version of OpenConnect was built without TPM2 support\n"));
Expand Down
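Review bot: The `strstr()` check in this hunk now recognises only the `-----BEGIN TSS2 PRIVATE KEY-----` header, whereas the OpenSSL loader in openssl.c in the same commit keeps accepting `-----BEGIN TSS2 KEY BLOB-----` as well, so an existing key file with the old label is accepted by one build and presumably falls through to the generic PEM path in the other. Either drop the old label from openssl.c too, or accept both here and in the `gnutls_pem_base64_decode_alloc()` call in gnutls_tpm2.c, and state the chosen policy in the comment above the check, e.g. `/* Standard TSS2 PEM label; the pre-standard "TSS2 KEY BLOB" label is no longer accepted */`. Since the ASN.1 layout in gnutls_tpm2.c changes in the same commit, accepting the old label would presumably also require parsing the old tagged encoding, so dropping it everywhere is probably the simpler choice. load_certificate() continues outside this hunk.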
34 changes: 13 additions & 21 deletions gnutls_tpm2.c
Expand Up @@ -29,22 +29,29 @@

#include <libtasn1.h>


/*
* TPMKey ::= SEQUENCE {
* type OBJECT IDENTIFIER,
* emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
* parent INTEGER,
* pubkey OCTET STRING,
* privkey OCTET STRING
* }
*/
const asn1_static_node tpmkey_asn1_tab[] = {
{ "TPMKey", 536875024, NULL },
{ NULL, 1073741836, NULL },
{ "TPMKey", 536870917, NULL },
{ "type", 1073741836, NULL },
{ "emptyAuth", 1610637316, NULL },
{ NULL, 2056, "0"},
{ "parent", 1610637315, NULL },
{ NULL, 2056, "1"},
{ "pubkey", 1610637319, NULL },
{ NULL, 2056, "2"},
{ "parent", 1073741827, NULL },
{ "pubkey", 1073741831, NULL },
{ "privkey", 7, NULL },
{ NULL, 0, NULL }
};


#if GNUTLS_VERSION_NUMBER < 0x030600
static int tpm2_rsa_sign_fn(gnutls_privkey_t key, void *_vpninfo,
const gnutls_datum_t *data, gnutls_datum_t *sig)
Expand Down Expand Up @@ -162,7 +169,7 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
unsigned int parent;
int err, ret = -EINVAL;

err = gnutls_pem_base64_decode_alloc("TSS2 KEY BLOB", fdata, &asn1);
err = gnutls_pem_base64_decode_alloc("TSS2 PRIVATE KEY", fdata, &asn1);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Error decoding TSS2 key blob: %s\n"),
Expand All @@ -187,21 +194,6 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
goto out_tpmkey;
}

value_buflen = sizeof(value_buf);
err = asn1_read_value(tpmkey, "type", value_buf, &value_buflen);
if (err != ASN1_SUCCESS) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to identify type of TPM2 key: %s\n"),
asn1_strerror(err));
goto out_tpmkey;
}
if (strcmp(value_buf, "2.23.133.10.2")) {
vpn_progress(vpninfo, PRG_ERR,
_("Unsupported TPM2 key OID: %s\n"),
value_buf);
goto out_tpmkey;
}

value_buflen = sizeof(value_buf);
if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) &&
!strcmp(value_buf, "TRUE"))
Expand Down
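Review bot: The hunk at `@@ -187,21 +194,6 @@` removes the check that the key's `type` OID equals `2.23.133.10.2`, yet the new ASN.1 table in the first hunk now names that element `type`, so the loader proceeds with a TPMKey of any type and a mismatch presumably surfaces only later, as a less specific error, when the blobs reach the TPM. Keeping the `asn1_read_value(tpmkey, "type", ...)` read and the `strcmp(value_buf, "2.23.133.10.2")` comparison against the newly named field costs nothing and rejects a file of a different type with a clear message. The error string in the second hunk still says `TSS2 key blob` after the PEM label switched to `TSS2 PRIVATE KEY`; worth updating for consistency. The `asn1_static_node` table is presumably generated by libtasn1's asn1Parser from the TPMKey definition now given in the comment; a one-line note saying so, and that it should be regenerated rather than hand-edited, would help the next maintainer. load_tpm2_key() continues outside these hunks.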
2 changes: 2 additions & 0 deletions gnutls_tpm2_esys.c
Expand Up @@ -76,6 +76,8 @@ static TPM2B_PUBLIC primaryTemplate = {
.objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
TPMA_OBJECT_RESTRICTED |
TPMA_OBJECT_DECRYPT |
TPMA_OBJECT_FIXEDTPM |
TPMA_OBJECT_FIXEDPARENT |
TPMA_OBJECT_NODA |
TPMA_OBJECT_SENSITIVEDATAORIGIN),
.authPolicy = {
Expand Down
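Review bot: Adding `TPMA_OBJECT_FIXEDTPM | TPMA_OBJECT_FIXEDPARENT` to `primaryTemplate` changes the template the primary is created from, and because a TPM 2.0 primary is derived from its template, the resulting parent is a different key from the one earlier blobs were wrapped under; keys created against the old template would presumably no longer load, which is worth stating in the commit message or in a comment on the template. The same attributes are added to `in.inPublic.publicArea.objectAttributes.val` in gnutls_tpm2_ibm.c, and the two lists must stay identical so both backends derive the same parent for the same key file; a comment such as `/* Must match the SRK template in gnutls_tpm2_ibm.c */` above each list helps keep them in lockstep. The initializer continues outside the hunk.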
2 changes: 2 additions & 0 deletions gnutls_tpm2_ibm.c
Expand Up @@ -215,6 +215,8 @@ static TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h,
in.inPublic.publicArea.type = TPM_ALG_ECC;
in.inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
in.inPublic.publicArea.objectAttributes.val =
TPMA_OBJECT_FIXEDPARENT |
TPMA_OBJECT_FIXEDTPM |
TPMA_OBJECT_NODA |
TPMA_OBJECT_SENSITIVEDATAORIGIN |
TPMA_OBJECT_USERWITHAUTH |
Expand Down
3 changes: 2 additions & 1 deletion openssl.c
Expand Up @@ -949,7 +949,8 @@ static int load_certificate(struct openconnect_info *vpninfo)
if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n")) {
fclose(f);
return load_tpm_certificate(vpninfo, "tpm");
} else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n")) {
} else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n") ||
!strcmp(buf, "-----BEGIN TSS2 PRIVATE KEY-----\n")) {
fclose(f);
return load_tpm_certificate(vpninfo, "tpm2");
} else if (!strcmp(buf, "-----BEGIN TSS2 PRIVKEY BLOB v1-----\n")) {
Expand Down
