The "version" field can be used to decide when capabilities are
supported/reported and give some library build details.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Add MY_CFLAGS, CFLAGS, and MY_LDFLAGS to all Makefile.am's so that they
can be defined during configure time as well as CFLAGS added during
build time. LDFLAGS were already handled correctly during build-time.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
These types have been renamed in libtasn1 version 3.0 (released 2012-10-28).
The most recent libtasn1 version 4.17.0 (released 2021-05-13) now prints
deprecation warnings that are made fatal by -Werror:
ek-cert.c:76:13: error: 'ASN1_ARRAY_TYPE' macro is deprecated, use 'asn1_static_node' instead. [-Werror]
76 | extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
The new types were introduced almost ten years ago, so they should be pretty
universally available by now.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Implement support for passing the curve id via the --curve-id
option. Default assumes secp256r1. secp384r1 is also supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for the --print-capabilities option to display newly
added capabilities. Adpat the man page and related test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing signing key and parent key via files and file descriptors
and environment variables. Adapt a test case to exercise this new
functionality.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the gnutls_x509_crt_get_subject_key_id() API call to get the subject
key ID of the signer's certificate rather than gnutls_x509_crt_get_key_id().
The latter returns the same result most of the time but there are instances
when this is not the case and the returned result is wrong.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The OIDs for the TPM 1.2 and TPM 2 platform data
are different (though have the same name in the spec).
Adapt them for the TPM 2 case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
For PKCS11 modules (such as SoftHSM) to sign a TPM EK or platform
certificate we use 'pkcs11:' prefixed URIs like those URIs for
TPM 1.2 starting with tpmkey:.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ceritficates for a TPM 2 have to be signed using SHA256 and those for
a TPM 1.2 have to be signed using SHA1 (following specs). We can use
either of these algorithms when using the GnuTLS TPM support since it
will create the hash and have the TPM 1.2 sign whatever it created.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Gnutls supports TPM 1.2 keys in its API and we can use a TPM 1.2
signing key for signing the EK or platform certs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Coverity scan shows an uninitialized access in case an error is
encountered and the cleanup path is taken before datum was initialized.
Fix the error by initializing the variable.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Coverity scan discovered a buffer overrun error in case the
datum->size = 0. Fix the error.
The function with the potential error is not called if datum->size == 0.
Also make the 'size' variable larger so there cannot be a overrun in
'size = datum->size + sizeof(buffer) - i'.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
For sys_dependencies.h to be found during out-of-tree builds we
need to include -I$(top_srcdir)/include.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The include file include/swtpm.h will be generated from swtpm.h.in and
reside under the $(top_builddir) rather than the $(top_srcdir).
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
In case of a TPM 2 we allow the creation of a signing key by passing
--allow signing. To also enable key encipherment, we add the --decryption
option to allow key encipherment and signing at the same time.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Provide support for creating certificates for TPM2 ECC type of keys.
Extend the test cases and the man pages.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM2 allows the primary key to also be a signing key, so in case
--tpm2 is provided, --allow-signing can be provided as well in
case the primary can also be used for signing operations.
We use SHA256 for the signing algorithm when TPM 2 is being used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The subject alternative name need to have a special sequence of
bytes prepended to them for certtool to accept the data. Also TCG's
sample certificate does show the sequence. The byte sequence is of
the form: 0x30 <subsequent length> 0xa4 <subsequent length> <data>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The previous patch's reversal was partially wrong. The authority
key id needs to be set explicitly from the key id of the signing
key of the issuing CA.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the copying of the authority key id from the given issuer
cert to the created cert since this copies the wrong key id and
besides that it will be set automatically when the certificate is
created.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
For TPM 1.2 the spec says that we must not set the subject, so we
do not set it but keep it around for TPM 2 certificates.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To make the ASN.1 look like the one from the spec. we have to
use a lower-level GNUTLS API function to set it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Put the code that creates the ASN.1 for the platform and
TPM manufacturer info into their own functions.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Simplify the two's complement implementation by converting the number
into a big endian and writing it out into a byte array that is prefixed
with a 0-byte. This covers all unsigned ints while the previous imple-
mentation would have been wrong once the number exceeded 255.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Calculate the two's completement of the spec_level and spec_revision
numbers so that ASN.1 properly stores them as unsigned integers.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create ASN.1 for the Extended Key Usage field for the EK certificate
that has the oid 2.23.133.8.1 and for the platform certificate the
oid 2.23.133.8.2. Both are registered OIDs:
http://oid-info.com/get/2.23.133.8.1http://oid-info.com/get/2.23.133.8.2
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since the EK cert must have an Authority Key Id, we error out if
the signing certificate we are given does not have an Authority
Key Id. The typical reason why it wouldn't have it is that we are
using a self-signed (rootCA) certificate directly.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create the TPMSpecification SEQUENCE and add it to the subject
directory attributes of an EK cert.
The code generates the same ASN.1 for the Subject Directory Attributes
as the example in the EK spec has.
> openssl asn1parse -in ${cert} -strparse 603
0:d=0 hl=2 l= 30 cons: SEQUENCE
2:d=1 hl=2 l= 28 cons: SEQUENCE
4:d=2 hl=2 l= 5 prim: OBJECT :2.23.133.2.16
11:d=2 hl=2 l= 19 cons: SET
13:d=3 hl=2 l= 17 cons: SEQUENCE
15:d=4 hl=2 l= 3 prim: UTF8STRING :1.2
20:d=4 hl=2 l= 4 prim: INTEGER :41010000
26:d=4 hl=2 l= 4 prim: INTEGER :7B000000
Extend existing test case so they create the ASN.1 as well.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM 1.2 certificates need a header when written to NVRAM. This patch
adds a --add-header option for this and prepends the header to.
Also see TCG PC Specific Inmplementation Specification section 7.4.4 and
7.4.5.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The certificate chain could not be verified due to a wrong
API call for getting the authority key id where the key id
was gotten instead.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cast the exponent to unsigned long int to avoid a compiler
error reporting comparison of signed and unsigned integers.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Following the example in the Appendix A.1 of the TCG EK Credential
Profile Spec Version 2.0, a ASN.1 SET is supposed to be created for
each one of the items. This patch fixes the format.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the GNUTLS 3.5 function gnutls_x509_crt_set_subject_alt_othername
to set the TP<M and platform manufacturer info since the other function
does not accept binary data.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
