Merge pull request #557 from Superhepper/7.x.y-keep-api-intact

Fixes API breaking changes.
parallaxsecond · Dec 6, 2024 · fac18ce · fac18ce
2 parents a7df622 + 5590896
commit fac18ce
Show file tree

Hide file tree

Showing 6 changed files with 558 additions and 33 deletions.
diff --git a/tss-esapi/src/abstraction/ak.rs b/tss-esapi/src/abstraction/ak.rs
@@ -8,8 +8,8 @@ use crate::{
     handles::{AuthHandle, KeyHandle, SessionHandle},
     interface_types::{
         algorithm::{
-            EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm, RsaSchemeAlgorithm,
-            SignatureSchemeAlgorithm,
+            AsymmetricAlgorithm, EccSchemeAlgorithm, HashingAlgorithm, PublicAlgorithm,
+            RsaSchemeAlgorithm, SignatureSchemeAlgorithm,
         },
         session_handles::PolicySession,
     },
@@ -21,6 +21,7 @@ use crate::{
     },
     Context, Error, Result, WrapperErrorKind,
 };
+use log::error;
 use std::convert::TryFrom;
 
 // Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.5 Revision 2
@@ -56,6 +57,7 @@ const POLICY_C_SM3_256: [u8; 32] = [
     0x56, 0x99, 0xa3, 0xe3, 0x9f, 0xc3, 0x55, 0x1b, 0xfe, 0xff, 0xcf, 0x13, 0x2b, 0x49, 0xe1, 0x1d,
 ];
 
+/// Creates a Public object for an AK key.
 fn create_ak_public<IKC: IntoKeyCustomization>(
     key_alg: AsymmetricAlgorithmSelection,
     hash_alg: HashingAlgorithm,
@@ -131,7 +133,7 @@ fn create_ak_public<IKC: IntoKeyCustomization>(
     key_builder.build()
 }
 
-// extracts the hashing and sysmmetric algorithm from parent and constructs the correct DigestList for OR policy
+/// Extracts the hashing and symmetric algorithm from parent and constructs the correct DigestList for OR policy
 fn session_config(
     context: &mut Context,
     parent: KeyHandle,
@@ -228,8 +230,46 @@ pub fn load_ak(
     Ok(key_handle)
 }
 
-/// This creates an Attestation Key in the Endorsement hierarchy
+/// This creates an Attestation Key in the Endorsement hierarchy.
+///
+/// <div class="warning">
+///
+/// The API of this function will be changed to that of [`create_ak_2`]
+/// in the next major version.
+///
+/// </div>
 pub fn create_ak<IKC: IntoKeyCustomization>(
+    context: &mut Context,
+    parent: KeyHandle,
+    hash_alg: HashingAlgorithm,
+    sign_alg: SignatureSchemeAlgorithm,
+    ak_auth_value: Option<Auth>,
+    key_customization: IKC,
+) -> Result<CreateKeyResult> {
+    let key_alg = AsymmetricAlgorithm::try_from(sign_alg).map_err(|e| {
+        // sign_alg is either HMAC or Null.
+        error!("Could not retrieve asymmetric algorithm for provided signature scheme");
+        e
+    })?;
+    create_ak_2(
+        context,
+        parent,
+        hash_alg,
+        AsymmetricAlgorithmSelection::try_from(key_alg)?,
+        sign_alg,
+        ak_auth_value,
+        key_customization,
+    )
+}
+
+/// This creates an Attestation Key in the Endorsement hierarchy.
+///
+/// <div class="warning">
+///
+/// This function will be removed in the next major version.
+///
+/// </div>
+pub fn create_ak_2<IKC: IntoKeyCustomization>(
     context: &mut Context,
     parent: KeyHandle,
     hash_alg: HashingAlgorithm,

diff --git a/tss-esapi/src/abstraction/ek.rs b/tss-esapi/src/abstraction/ek.rs
@@ -6,7 +6,7 @@ use crate::{
     attributes::ObjectAttributesBuilder,
     handles::{KeyHandle, NvIndexTpmHandle, TpmHandle},
     interface_types::{
-        algorithm::{HashingAlgorithm, PublicAlgorithm},
+        algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm},
         ecc::EccCurve,
         key_bits::RsaKeyBits,
         resource_handles::{Hierarchy, NvAuth},
@@ -60,7 +60,36 @@ const AUTH_POLICY_B_SM3_256: [u8; 32] = [
 ///
 /// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
 /// Appendix B.3.3 and B.3.4
+///
+/// <div class="warning">
+///
+/// The API of this function will be changed to that of [`create_ek_public_from_default_template_2`]
+/// in the next major version.
+///
+/// </div>
 pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
+    alg: AsymmetricAlgorithm,
+    key_customization: IKC,
+) -> Result<Public> {
+    create_ek_public_from_default_template_2(
+        AsymmetricAlgorithmSelection::try_from(alg)?,
+        key_customization,
+    )
+}
+
+/// Get the [`Public`] representing a default Endorsement Key
+///
+/// **Note**: This only works for key algorithms specified in TCG EK Credential Profile for TPM Family 2.0.
+///
+/// Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2
+/// Appendix B.3.3 and B.3.4
+///
+/// <div class="warning">
+///
+/// This function will be removed in the next major version.
+///
+/// </div>
+pub fn create_ek_public_from_default_template_2<IKC: IntoKeyCustomization>(
     alg: AsymmetricAlgorithmSelection,
     key_customization: IKC,
 ) -> Result<Public> {
@@ -191,12 +220,38 @@ pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
 }
 
 /// Create the Endorsement Key object from the specification templates
+///
+/// <div class="warning">
+///
+/// The API of this function will be changed to that of [`create_ek_object_2`]
+/// in the next major version.
+///
+/// </div>
 pub fn create_ek_object<IKC: IntoKeyCustomization>(
+    context: &mut Context,
+    alg: AsymmetricAlgorithm,
+    key_customization: IKC,
+) -> Result<KeyHandle> {
+    create_ek_object_2(
+        context,
+        AsymmetricAlgorithmSelection::try_from(alg)?,
+        key_customization,
+    )
+}
+
+/// Create the Endorsement Key object from the specification templates
+///
+/// <div class="warning">
+///
+/// This function will be removed in the next major version.
+///
+/// </div>
+pub fn create_ek_object_2<IKC: IntoKeyCustomization>(
     context: &mut Context,
     alg: AsymmetricAlgorithmSelection,
     key_customization: IKC,
 ) -> Result<KeyHandle> {
-    let ek_public = create_ek_public_from_default_template(alg, key_customization)?;
+    let ek_public = create_ek_public_from_default_template_2(alg, key_customization)?;
 
     Ok(context
         .execute_with_nullauth_session(|ctx| {

diff --git a/tss-esapi/src/abstraction/transient/key_attestation.rs b/tss-esapi/src/abstraction/transient/key_attestation.rs
@@ -152,7 +152,7 @@ impl TransientKeyContext {
             None,
         );
         Ok((
-            ek::create_ek_object(
+            ek::create_ek_object_2(
                 &mut self.context,
                 AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048),
                 None,
@@ -192,7 +192,7 @@ impl TransientKeyContext {
 }
 
 fn get_ek_object_public(context: &mut crate::Context) -> Result<PublicKey> {
-    let key_handle = ek::create_ek_object(
+    let key_handle = ek::create_ek_object_2(
         context,
         AsymmetricAlgorithmSelection::Rsa(RsaKeyBits::Rsa2048),
         None,