diff --git a/Cargo.toml b/Cargo.toml
index 127edf6..025c364 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "kanidm-hsm-crypto"
 description = "A library for easily interacting with a HSM or TPM"
-version = "0.1.2"
+version = "0.1.3"
 edition = "2021"
 license = "MPL-2.0"
 homepage = "https://github.com/kanidm/hsm-crypto/"
@@ -13,12 +13,13 @@ authors = ["William Brown "]
 tpm = ["dep:tss-esapi"]
 
 [dependencies]
+argon2 = { version = "0.5.2", features = ["alloc"] }
+hex = "0.4.3"
 openssl = "^0.10.57"
-tracing = "^0.1.37"
 serde = { version = "^1.0", features = ["derive"] }
+tracing = "^0.1.37"
 tss-esapi = { version = "^7.4.0", optional = true }
 zeroize = "1.6.0"
-argon2 = { version = "0.5.2", features = ["alloc"] }
 
 [dev-dependencies]
 tracing-subscriber = "^0.3.17"
diff --git a/src/lib.rs b/src/lib.rs
index 81628a6..49b87b4 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -42,7 +42,21 @@ pub enum KeyAlgorithm {
 }
 
 impl AuthValue {
- pub fn new_random() -> Result {
+ fn random_key() -> Result, TpmError> {
+ let mut auth_key = Zeroizing::new([0; 24]);
+ openssl::rand::rand_bytes(auth_key.as_mut()).map_err(|ossl_err| {
+ error!(?ossl_err);
+ TpmError::Entropy
+ })?;
+ Ok(auth_key)
+ }
+
+ pub fn generate() -> Result {
+ let ak = Self::random_key()?;
+ Ok(hex::encode(&ak))
+ }
+
+ pub fn ephemeral() -> Result {
 let mut auth_key = Zeroizing::new([0; 32]);
 openssl::rand::rand_bytes(auth_key.as_mut()).map_err(|ossl_err| {
 error!(?ossl_err);
@@ -92,12 +106,15 @@ impl FromStr for AuthValue {
 type Err = TpmError;
 
 fn from_str(cleartext: &str) -> Result {
- Self::try_from(cleartext.as_bytes())
+ hex::decode(cleartext)
+ .map_err(|_| TpmError::AuthValueInvalidHexInput)
+ .and_then(|bytes| Self::try_from(bytes.as_slice()))
 }
 }
 
 #[derive(Debug, Clone)]
 pub enum TpmError {
+ AuthValueInvalidHexInput,
 AuthValueTooShort,
 AuthValueDerivation,
 Aes256GcmConfig,
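Review bot: `AuthValue::generate()` in the `@@ -42,7 +42,21 @@` hunk of src/lib.rs returns `hex::encode(&ak)`, so the secret leaves the function as an ordinary heap string while the `Zeroizing` buffer it was encoded from is wiped on drop. The page has lost the generic arguments of the return type, so this assumes a plain `String`; if that is right, `Ok(Zeroizing::new(hex::encode(&ak)))` with a `Zeroizing<String>` return type would keep the encoded copy under the same wipe-on-drop handling. Separately, `new_random()` disappears from the public API in what Cargo.toml marks as a 0.1.2 to 0.1.3 bump; a `#[deprecated] pub fn new_random()` that forwards to `Self::ephemeral()` would keep existing callers building. The body of `ephemeral()` continues outside the hunk.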
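Review bot: In `from_str` (the `@@ -92,12 +106,15 @@` hunk of src/lib.rs) the bytes returned by `hex::decode(cleartext)` are the raw auth value and sit in a plain `Vec<u8>` that is freed without being cleared once `try_from` returns. Wrapping the buffer matches the `Zeroizing` use elsewhere in this file: `hex::decode(cleartext).map(Zeroizing::new)` ahead of the existing `.map_err(...)` and `.and_then(...)`. The change also alters what `from_str` accepts: a non-hex string that parsed before now fails with `AuthValueInvalidHexInput`, and a string that happens to be valid hex now hands different bytes to `try_from`, which deserves a doc comment on `from_str` and a changelog entry. Adding a variant to the public `TpmError` enum can also break downstream exhaustive matches unless the enum is `#[non_exhaustive]`, which is not visible here.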
@@ -350,7 +367,7 @@ mod tests {
 let _ = tracing_subscriber::fmt::try_init();
 
 // Create a new random auth_value.
- let auth_value = AuthValue::new_random().expect("Failed to generate new random secret");
+ let auth_value = AuthValue::ephemeral().expect("Failed to generate new random secret");
 
 // Request a new machine-key-context. This key "owns" anything
 // created underneath it.
@@ -417,8 +434,9 @@ mod tests {
 
 let _ = tracing_subscriber::fmt::try_init();
 
- let auth_value = AuthValue::from_str("Ohquiech9jis7Poo8Di7eth3")
- .expect("Unable to create auth value");
+ let auth_str = AuthValue::generate().expect("Failed to create hex pin");
+
+ let auth_value = AuthValue::from_str(&auth_str).expect("Unable to create auth value");
 
 // Request a new machine-key-context. This key "owns" anything
 // created underneath it.
@@ -483,13 +501,11 @@ mod tests {
 macro_rules! test_tpm_identity_csr {
 ( $tpm:expr, $alg:expr ) => {
 use crate::{AuthValue, Tpm};
- use std::str::FromStr;
 use tracing::trace;
 
 let _ = tracing_subscriber::fmt::try_init();
 
- let auth_value = AuthValue::from_str("Ohquiech9jis7Poo8Di7eth3")
- .expect("Unable to create auth value");
+ let auth_value = AuthValue::ephemeral().expect("Unable to create auth value");
 
 // Request a new machine-key-context. This key "owns" anything
 // created underneath it.
diff --git a/src/tpm.rs b/src/tpm.rs
index 67dbf22..8743cf8 100644
--- a/src/tpm.rs
+++ b/src/tpm.rs
@@ -352,6 +352,15 @@ impl Tpm for TpmTss {
 Err(TpmError::TpmOperationUnsupported)
 }
 
+ fn identity_key_verify(
+ &mut self,
+ key: &IdentityKey,
+ input: &[u8],
+ signature: &[u8],
+ ) -> Result {
+ Err(TpmError::TpmOperationUnsupported)
+ }
+
 fn identity_key_certificate_request(
 &mut self,
 _mk: &MachineKey,
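Review bot: With the fixed-string case gone from the test in the `@@ -417,8 +434,9 @@` hunk of src/lib.rs, nothing visible in this diff exercises the new rejection path in `from_str`; the round trip through `generate()` only covers well-formed input. A negative case next to it would pin the behaviour, for example `assert!(matches!(AuthValue::from_str("Ohquiech9jis7Poo8Di7eth3"), Err(TpmError::AuthValueInvalidHexInput)));`, assuming `TpmError` is imported in that test scope. A second case with valid but too-short hex would cover `AuthValueTooShort` after decoding. The enclosing test body starts and ends outside the hunk.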
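Review bot: The new `identity_key_verify` stub in src/tpm.rs never reads `key`, `input` or `signature`, which will raise unused-variable warnings, whereas the next method in the same impl names its parameter `_mk`. Prefixing them keeps the impl consistent and warning-free: `_key: &IdentityKey,`, `_input: &[u8],`, `_signature: &[u8],`. A short comment on the stub would also help, saying that verification is not implemented for this backend and that callers receive `TpmOperationUnsupported` rather than a verification result, so the error is not mistaken for a failed signature check. `identity_key_certificate_request` continues outside the hunk.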