-## Introduction
+# Introduction
This is TPM2-Plugin to load asymetric key pairs to TPM2.0 module.
The private part of keys can only be used for signing when it is loaded in TPM module.
-### Build
+Loading Password protected Primary Keys in plugin requires the setting of the
+following ENVIRONMENT Variable:
+```
+TPM_PRK_PASSWORD
+```
+The plugin will read this and setup hmac appropriately for the session.
+## Build
+```
./bootstrap
./configure --prefix test
+```
-### Installation
+## Installation and Uninstallation
+```
make install
+```
-###Uninstall
-
+```
make clean
make distclean
+```
\ No newline at end of file
}
return 0;
}
+
int load_key(TSS2_SYS_CONTEXT *sapi_context,
TPMI_DH_OBJECT parentHandle,
TPM2B_PUBLIC *inPublic,
- TPM2B_PRIVATE *inPrivate,
- int P_flag)
+ TPM2B_PRIVATE *inPrivate)
{
UINT32 rval;
TPMS_AUTH_RESPONSE sessionDataOut;
sessionData.sessionHandle = TPM_RS_PW;
sessionData.nonce.t.size = 0;
- if(P_flag == 0)
- sessionData.hmac.t.size = 0;
-
*((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0;
if (sessionData.hmac.t.size > 0 && hexPasswd)
{
return 0;
}
+/*
+Reads the PRK_PASSWORD Environment variable
+and populates that information into the
+sessionData global environment variable
+*/
+int readPassword()
+{
+ char *prk_passwd;
+
+ sessionData.hmac.t.size = 0;
+
+ prk_passwd = getenv("TPM_PRK_PASSWORD");
+ if (prk_passwd != NULL) {
+ sessionData.hmac.t.size = strlen(prk_passwd);
+ if (sessionData.hmac.t.size > sizeof(sessionData.hmac.t.buffer)) {
+ return -1;
+ }
+ memcpy(sessionData.hmac.t.buffer, prk_passwd, sessionData.hmac.t.size);
+ return 0;
+ }
+ return 0;
+}
+
TPMS_CONTEXT loaded_key_context;
int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
}
}
+ // Read TPM_PRK_PASSWORD and setup sessionsData appropriately
+ if (readPassword() != 0) {
+ // Password read failure
+ return -1;
+ }
+
returnVal = load_key (sapi_context,
parentHandle,
&inPublic,
- &inPrivate,
- 0);
+ &inPrivate);
returnVal = read_public(sapi_context,
handle2048rsa,
importkey_info);
#!/bin/bash
# NOTE - This scripts expects the Init and the Duplicate tools to be already
-# run and the output files(listedb in README) to be present at the
+# run and the output files(listed in README) to be present at the
# shared volume (input for Import tool)
+# It also requires the following ENVIRONMENT variables to be set
+# SECRETS_FOLDER - containing the srk_handl and prk_passwd files in base64
+# DATA_FOLDER - containing the files that are produced from the distcenter
set -e
+#Primary Key Password used by TPM Plugin to load keys
+TPM_PRK_PASSWORD="$(cat ${SECRETS_FOLDER}/prk_passwd | base64 -d)"
+#Handle to the aforementioned Primary Key
+SRK_HANDLE="$(cat ${SECRETS_FOLDER}/srk_handle | base64 -d)"
#Placeholder of Input files to the Import tool which is the output of duplicate tool
-sharedvolume="/tmp/files"
+sharedvolume="${DATA_FOLDER}"
#key_id is the parameter expected by SoftHSM
key_id="8738"
-#TPM handle
-tpm_handle="0x81000011"
#Key_label is the parameter expected by SoftHSM
key_label="ABC"
#UserPin for the SoftHSM operations
# 2.b Run the Import Utility
cd /tpm-util/bin
- ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \
--dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv
+ ./ossl_tpm_import -H $SRK_HANDLE -dupPub dupPub -dupPriv dupPriv \
+ -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \
+ -password $TPM_PRK_PASSWORD
cd /
chmod 755 softhsmconfig.sh
- ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID
+ ./softhsmconfig.sh $SRK_HANDLE $key_id $key_label $upin $sopin $SoftHSMv2SlotID
else
# 3 SoftHSM mode implementation
# Configuration generation for SoftHSM
# 1.a Create the directory as expected by the SoftHSM to read the files
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
Code Review / aaf / sshsm.git / commitdiff