Signer should support non-transient keys

baloo · baloo · commit ca00fb54f94c · 2025-02-08T22:52:30.000-08:00
Signed-off-by: Arthur Gautier &lt;arthur.gautier@arista.com&gt;
diff --git a/tss-esapi/src/abstraction/mod.rs b/tss-esapi/src/abstraction/mod.rs
@@ -11,7 +11,9 @@ pub mod transient;
 
 mod hashing;
 mod signatures;
+mod signer;
 pub use hashing::AssociatedHashingAlgorithm;
+pub use signer::EcSigner;
 
 use std::convert::TryFrom;
 
diff --git a/tss-esapi/src/abstraction/signer.rs b/tss-esapi/src/abstraction/signer.rs
@@ -4,16 +4,19 @@
 //! Module for exposing a [`signature::Signer`] interface for keys
 //!
 //! This modules presents objects held in a TPM over a [`signature::DigestSigner`] interface.
-use super::TransientKeyContext;
 use crate::{
     abstraction::{
         public::AssociatedTpmCurve,
-        transient::{KeyMaterial, KeyParams},
+        transient::{KeyMaterial, KeyParams, TransientKeyContext},
         AssociatedHashingAlgorithm,
     },
+    handles::KeyHandle,
     interface_types::algorithm::EccSchemeAlgorithm,
-    structures::{Auth, Digest as TpmDigest, EccScheme, Signature as TpmSignature},
-    Error, WrapperErrorKind,
+    structures::{
+        Auth, Digest as TpmDigest, EccScheme, Public, Signature as TpmSignature, SignatureScheme,
+    },
+    utils::PublicKey as TpmPublicKey,
+    Context, Error, WrapperErrorKind,
 };
 
 use std::{convert::TryFrom, ops::Add, sync::Mutex};
@@ -31,21 +34,86 @@ use elliptic_curve::{
     subtle::CtOption,
     AffinePoint, CurveArithmetic, FieldBytesSize, PrimeCurve, PublicKey, Scalar,
 };
+use log::error;
 use signature::{DigestSigner, Error as SigError, KeypairRef, Signer};
 use x509_cert::{
     der::asn1::AnyRef,
     spki::{AlgorithmIdentifier, AssociatedAlgorithmIdentifier, SignatureAlgorithmIdentifier},
 };
 
+pub trait TpmSigner {
+    fn public(&self) -> crate::Result<TpmPublicKey>;
+    fn key_params(&self) -> crate::Result<KeyParams>;
+    fn sign(&self, digest: TpmDigest) -> crate::Result<TpmSignature>;
+}
+
+impl TpmSigner for (Mutex<&'_ mut Context>, KeyHandle) {
+    fn public(&self) -> crate::Result<TpmPublicKey> {
+        let mut context = self.0.lock().expect("Mutex got poisoned");
+        let (public, _, _) = context.read_public(self.1)?;
+
+        TpmPublicKey::try_from(public)
+    }
+
+    fn key_params(&self) -> crate::Result<KeyParams> {
+        let mut context = self.0.lock().expect("Mutex got poisoned");
+        let (public, _, _) = context.read_public(self.1)?;
+
+        match public {
+            Public::Rsa { parameters, .. } => Ok(KeyParams::Rsa {
+                size: parameters.key_bits(),
+                scheme: parameters.rsa_scheme(),
+                pub_exponent: parameters.exponent(),
+            }),
+            Public::Ecc { parameters, .. } => Ok(KeyParams::Ecc {
+                curve: parameters.ecc_curve(),
+                scheme: parameters.ecc_scheme(),
+            }),
+            other => {
+                error!("Unsupported key parameter used: {other:?}");
+                Err(Error::local_error(WrapperErrorKind::InvalidParam))
+            }
+        }
+    }
+
+    fn sign(&self, digest: TpmDigest) -> crate::Result<TpmSignature> {
+        let mut context = self.0.lock().expect("Mutex got poisoned");
+        context.sign(self.1, digest, SignatureScheme::Null, None)
+    }
+}
+
+impl TpmSigner
+    for (
+        Mutex<&'_ mut TransientKeyContext>,
+        KeyMaterial,
+        KeyParams,
+        Option<Auth>,
+    )
+{
+    fn public(&self) -> crate::Result<TpmPublicKey> {
+        Ok(self.1.public().clone())
+    }
+
+    fn key_params(&self) -> crate::Result<KeyParams> {
+        Ok(self.2)
+    }
+
+    fn sign(&self, digest: TpmDigest) -> crate::Result<TpmSignature> {
+        let mut context = self.0.lock().expect("Mutex got poisoned");
+        context.sign(self.1.clone(), self.2, self.3.clone(), digest)
+    }
+}
+
 /// [`EcSigner`] will sign a payload with an elliptic curve secret key stored on the TPM.
 ///
 /// # Parameters
 ///
 /// Parameter `C` describes the curve that is of use (Nist P-256, Nist P-384, ...)
 ///
 /// ```no_run
+/// # use std::sync::Mutex;
 /// # use tss_esapi::{
-/// #     abstraction::transient::{EcSigner, TransientKeyContextBuilder},
+/// #     abstraction::{EcSigner, transient::TransientKeyContextBuilder},
 /// #     TctiNameConf
 /// # };
 /// use p256::NistP256;
@@ -59,52 +127,57 @@ use x509_cert::{
 /// #     .build()
 /// #     .expect("Failed to create Context");
 ///
+/// let key_params = EcSigner::<NistP256, ()>::key_params_default();
 /// let (tpm_km, _tpm_auth) = context
-///     .create_key(EcSigner::<NistP256>::key_params_default(), 0)
+///     .create_key(key_params, 0)
 ///     .expect("Failed to create a private keypair");
 ///
-/// let signer = EcSigner::<NistP256>::new(&mut context, tpm_km, None)
+/// let signer = EcSigner::<NistP256,_>::new((Mutex::new(&mut context), tpm_km, key_params, None))
 ///      .expect("Failed to create a signer");
 /// let signature: p256::ecdsa::Signature = signer.sign(b"Hello Bob, Alice here.");
 /// ```
 #[derive(Debug)]
-pub struct EcSigner<'ctx, C>
+pub struct EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
 {
-    context: Mutex<&'ctx mut TransientKeyContext>,
-    key_material: KeyMaterial,
-    key_auth: Option<Auth>,
+    context: Ctx,
     verifying_key: VerifyingKey<C>,
 }
 
-impl<'ctx, C> EcSigner<'ctx, C>
+impl<C, Ctx> EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
     C: AssociatedTpmCurve,
     FieldBytesSize<C>: ModulusSize,
     AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+
+    Ctx: TpmSigner,
 {
-    pub fn new(
-        context: &'ctx mut TransientKeyContext,
-        key_material: KeyMaterial,
-        key_auth: Option<Auth>,
-    ) -> Result<Self, Error> {
-        let context = Mutex::new(context);
-
-        let public_key = PublicKey::try_from(key_material.public())?;
+    pub fn new(context: Ctx) -> Result<Self, Error> {
+        match context.key_params()? {
+            KeyParams::Ecc { curve, .. } if curve == C::TPM_CURVE => {}
+            other => {
+                error!(
+                    "Unsupported key parameters: {other:?}, expected Ecc(curve: {:?})",
+                    C::default()
+                );
+                return Err(Error::local_error(WrapperErrorKind::InvalidParam));
+            }
+        }
+
+        let public_key = context.public()?;
+        let public_key = PublicKey::try_from(&public_key)?;
         let verifying_key = VerifyingKey::from(public_key);
 
         Ok(Self {
             context,
-            key_material,
-            key_auth,
             verifying_key,
         })
     }
 }
 
-impl<C> EcSigner<'_, C>
+impl<C, Ctx> EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
     C: AssociatedTpmCurve,
@@ -137,7 +210,7 @@ where
     }
 }
 
-impl<C> AsRef<VerifyingKey<C>> for EcSigner<'_, C>
+impl<C, Ctx> AsRef<VerifyingKey<C>> for EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
     Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
@@ -148,7 +221,7 @@ where
     }
 }
 
-impl<C> KeypairRef for EcSigner<'_, C>
+impl<C, Ctx> KeypairRef for EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
     Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
@@ -157,7 +230,7 @@ where
     type VerifyingKey = VerifyingKey<C>;
 }
 
-impl<C, D> DigestSigner<D, Signature<C>> for EcSigner<'_, C>
+impl<C, Ctx, D> DigestSigner<D, Signature<C>> for EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
     C: AssociatedTpmCurve,
@@ -166,20 +239,13 @@ where
     Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
     SignatureSize<C>: ArrayLength<u8>,
     TpmDigest: From<Output<D>>,
+    Ctx: TpmSigner,
 {
     fn try_sign_digest(&self, digest: D) -> Result<Signature<C>, SigError> {
         let digest = TpmDigest::from(digest.finalize_fixed());
 
-        let key_params = Self::key_params::<D>();
-        let mut context = self.context.lock().expect("Mutex got poisoned");
-        let signature = context
-            .sign(
-                self.key_material.clone(),
-                key_params,
-                self.key_auth.clone(),
-                digest,
-            )
-            .map_err(SigError::from_source)?;
+        //let key_params = Self::key_params::<D>();
+        let signature = self.context.sign(digest).map_err(SigError::from_source)?;
 
         let TpmSignature::EcDsa(signature) = signature else {
             return Err(SigError::from_source(Error::local_error(
@@ -193,7 +259,7 @@ where
     }
 }
 
-impl<C, D> DigestSigner<D, DerSignature<C>> for EcSigner<'_, C>
+impl<C, Ctx, D> DigestSigner<D, DerSignature<C>> for EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
     C: AssociatedTpmCurve,
@@ -205,28 +271,32 @@ where
 
     MaxSize<C>: ArrayLength<u8>,
     <FieldBytesSize<C> as Add>::Output: Add<MaxOverhead> + ArrayLength<u8>,
+
+    Ctx: TpmSigner,
 {
     fn try_sign_digest(&self, digest: D) -> Result<DerSignature<C>, SigError> {
         let signature: Signature<_> = self.try_sign_digest(digest)?;
         Ok(signature.to_der())
     }
 }
 
-impl<C> Signer<Signature<C>> for EcSigner<'_, C>
+impl<C, Ctx> Signer<Signature<C>> for EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic + DigestPrimitive,
     C: AssociatedTpmCurve,
     <C as DigestPrimitive>::Digest: AssociatedHashingAlgorithm,
     Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
     SignatureSize<C>: ArrayLength<u8>,
     TpmDigest: From<Output<<C as DigestPrimitive>::Digest>>,
+
+    Ctx: TpmSigner,
 {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<C>, SigError> {
         self.try_sign_digest(C::Digest::new_with_prefix(msg))
     }
 }
 
-impl<C> Signer<DerSignature<C>> for EcSigner<'_, C>
+impl<C, Ctx> Signer<DerSignature<C>> for EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic + DigestPrimitive,
     C: AssociatedTpmCurve,
@@ -237,13 +307,15 @@ where
 
     MaxSize<C>: ArrayLength<u8>,
     <FieldBytesSize<C> as Add>::Output: Add<MaxOverhead> + ArrayLength<u8>,
+
+    Ctx: TpmSigner,
 {
     fn try_sign(&self, msg: &[u8]) -> Result<DerSignature<C>, SigError> {
         self.try_sign_digest(C::Digest::new_with_prefix(msg))
     }
 }
 
-impl<C> SignatureAlgorithmIdentifier for EcSigner<'_, C>
+impl<C, Ctx> SignatureAlgorithmIdentifier for EcSigner<C, Ctx>
 where
     C: PrimeCurve + CurveArithmetic,
     Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
diff --git a/tss-esapi/src/abstraction/transient/mod.rs b/tss-esapi/src/abstraction/transient/mod.rs
@@ -35,12 +35,8 @@ use zeroize::Zeroize;
 
 mod key_attestation;
 
-mod signer;
-
 pub use key_attestation::MakeCredParams;
 
-pub use signer::EcSigner;
-
 /// Parameters for the kinds of keys supported by the context
 #[derive(Debug, Clone, Copy)]
 pub enum KeyParams {
diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs
@@ -3,10 +3,11 @@
 use std::{
     convert::{TryFrom, TryInto},
     str::FromStr,
+    sync::Mutex,
 };
 use tss_esapi::{
-    abstraction::transient::{EcSigner, KeyParams, ObjectWrapper, TransientKeyContextBuilder},
-    abstraction::{ek, AsymmetricAlgorithmSelection},
+    abstraction::transient::{KeyParams, ObjectWrapper, TransientKeyContextBuilder},
+    abstraction::{ek, AsymmetricAlgorithmSelection, EcSigner},
     constants::return_code::{TpmFormatOneError, TpmFormatZeroError},
     error::{TpmFormatZeroResponseCode, TpmResponseCode},
     interface_types::{
@@ -895,12 +896,12 @@ fn sign_csr() {
     // Check that we can convert a reference from TKC to Context
     let mut ctx = create_ctx();
 
-    let (tpm_km, _tpm_auth) = ctx
-        .create_key(EcSigner::<NistP256>::key_params_default(), 0)
-        .expect("create private key");
+    let key_params = EcSigner::<NistP256, ()>::key_params_default();
+    let (tpm_km, _tpm_auth) = ctx.create_key(key_params, 0).expect("create private key");
 
     let subject = Name::from_str("CN=tpm.example").expect("Parse common name");
-    let signer = EcSigner::<NistP256>::new(&mut ctx, tpm_km, None).expect("Create a signer");
+    let signer = EcSigner::<NistP256, _>::new((Mutex::new(&mut ctx), tpm_km, key_params, None))
+        .expect("Create a signer");
     let builder = RequestBuilder::new(subject, &signer).expect("Create certificate request");
 
     let cert_req = builder
@@ -920,10 +921,10 @@ fn sign_p256_sha2_256() {
     // Check that we can convert a reference from TKC to Context
     let mut ctx = create_ctx();
 
-    let (tpm_km, _tpm_auth) = ctx
-        .create_key(EcSigner::<NistP256>::key_params::<sha2::Sha256>(), 0)
-        .expect("create private key");
-    let signer = EcSigner::<NistP256>::new(&mut ctx, tpm_km, None).expect("Create a signer");
+    let key_params = EcSigner::<NistP256, ()>::key_params::<sha2::Sha256>();
+    let (tpm_km, _tpm_auth) = ctx.create_key(key_params, 0).expect("create private key");
+    let signer = EcSigner::<NistP256, _>::new((Mutex::new(&mut ctx), tpm_km, key_params, None))
+        .expect("Create a signer");
 
     let payload = b"Example of ECDSA with P-256";
     let mut hash = Sha256::new();
@@ -951,20 +952,19 @@ fn sign_p256_sha3_256() {
     // Check that we can convert a reference from TKC to Context
     let mut ctx = create_ctx();
 
-    let (tpm_km, _tpm_auth) = ctx
-        .create_key(EcSigner::<NistP256>::key_params::<Sha3_256>(), 0)
-        .expect("create private key");
-    let signer = EcSigner::<NistP256>::new(&mut ctx, tpm_km, None).expect("Create a signer");
+    let key_params = EcSigner::<NistP256, ()>::key_params::<Sha3_256>();
+    let (tpm_km, _tpm_auth) = ctx.create_key(key_params, 0).expect("create private key");
+    let signer = EcSigner::<NistP256, _>::new((Mutex::new(&mut ctx), tpm_km, key_params, None))
+        .expect("Create a signer");
 
     let payload = b"Example of ECDSA with P-256";
     let mut hash = Sha3_256::new();
     hash.update(payload);
 
-    let signature =
-        <EcSigner<'_, _> as DigestSigner<Sha3_256, p256::ecdsa::Signature>>::sign_digest(
-            &signer,
-            hash.clone(),
-        );
+    let signature = <EcSigner<_, _> as DigestSigner<Sha3_256, p256::ecdsa::Signature>>::sign_digest(
+        &signer,
+        hash.clone(),
+    );
     let verifying_key: VerifyingKey = *signer.as_ref();
     assert!(verifying_key.verify_digest(hash, &signature).is_ok());
 }
diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/signing_and_signature_verification_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/signing_and_signature_verification_tests.rs
