Fix support for ECC 384-bit only support. Tested with: `./configure -…

…-enable-wolftpm CFLAGS="-DECC_USER_CURVES -DNO_ECC256 -DHAVE_ECC384" --disable-examples --disable-crypttests && make`
fengjixuchui · Oct 20, 2023 · 7a11cb2 · 7a11cb2
1 parent 8ae11cf
commit 7a11cb2
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 7 deletions.
diff --git a/examples/csr/csr.c b/examples/csr/csr.c
@@ -51,7 +51,7 @@ static const char* gClientCertEccFile = "./certs/tpm-ecc-cert.pem";
 /******************************************************************************/
 
 static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
-    const char* outputPemFile, int makeSelfSignedCert, int devId)
+    const char* outputPemFile, int makeSelfSignedCert, int devId, int sigType)
 {
     int rc;
     const char* subject = NULL;
@@ -63,6 +63,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
     const char* custOid =    "1.2.3.4.5";
     const char* custOidVal = "This is NOT a critical extension";
     WOLFTPM2_CSR* csr = wolfTPM2_NewCSR();
+
     if (csr == NULL) {
         return MEMORY_E;
     }
@@ -82,7 +83,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
 #ifdef WOLFTPM2_NO_HEAP
     /* single shot API for CSR generation */
     rc = wolfTPM2_CSR_Generate_ex(dev, key, subject, keyUsage,
-        CTC_FILETYPE_PEM, output, outputSz, 0, makeSelfSignedCert,
+        CTC_FILETYPE_PEM, output, outputSz, sigType, makeSelfSignedCert,
         devId);
 #else
     rc = wolfTPM2_CSR_SetSubject(dev, csr, subject);
@@ -100,7 +101,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
     }
     if (rc == 0) {
         rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, CTC_FILETYPE_PEM,
-            output, outputSz, 0, makeSelfSignedCert, devId);
+            output, outputSz, sigType, makeSelfSignedCert, devId);
     }
 #endif
     if (rc >= 0) {
@@ -202,27 +203,36 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
         if (rc == 0) {
             rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &key,
                 makeSelfSignedCert ? gClientCertRsaFile : gClientCsrRsaFile,
-                makeSelfSignedCert, tpmDevId);
+                makeSelfSignedCert, tpmDevId, CTC_SHA256wRSA);
         }
         wolfTPM2_UnloadHandle(&dev, &key.handle);
     }
 #endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
     if (rc == 0) {
+        int sigType = CTC_SHA256wECDSA;
+        TPM_ECC_CURVE curve = TPM_ECC_NIST_P256;
         tpmCtx.eccKey = &key;
+
+    #if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384
+        /* make sure we use a curve that is enabled */
+        sigType = CTC_SHA384wECDSA;
+        curve = TPM_ECC_NIST_P384;
+    #endif
+
         rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
                 TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
                 TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
-                TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
+                curve, TPM_ALG_ECDSA);
         if (rc == 0) {
             rc = getECCkey(&dev, &storageKey, &key, NULL, tpmDevId,
                   (byte*)gKeyAuth, sizeof(gKeyAuth)-1, &publicTemplate);
         }
         if (rc == 0) {
             rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &key,
                 makeSelfSignedCert ? gClientCertEccFile : gClientCsrEccFile,
-                makeSelfSignedCert, tpmDevId);
+                makeSelfSignedCert, tpmDevId, sigType);
         }
         wolfTPM2_UnloadHandle(&dev, &key.handle);
     }

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -3461,20 +3461,25 @@ int wolfTPM2_SignHash(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     const byte* digest, int digestSz, byte* sig, int* sigSz)
 {
     TPM_ALG_ID sigAlg = TPM_ALG_NULL;
+    TPMI_ALG_HASH hashAlg = WOLFTPM2_WRAP_DIGEST;
 
     if (dev == NULL || key == NULL || digest == NULL || sig == NULL) {
         return BAD_FUNC_ARG;
     }
 
     if (key->pub.publicArea.type == TPM_ALG_ECC) {
         sigAlg = key->pub.publicArea.parameters.eccDetail.scheme.scheme;
+        hashAlg = key->pub.publicArea.parameters.eccDetail.scheme.details.any.hashAlg;
+
     }
     else if (key->pub.publicArea.type == TPM_ALG_RSA) {
         sigAlg = key->pub.publicArea.parameters.rsaDetail.scheme.scheme;
+        hashAlg = key->pub.publicArea.parameters.rsaDetail.scheme.details.anySig.hashAlg;
     }
 
     return wolfTPM2_SignHashScheme(dev, key, digest, digestSz, sig, sigSz,
-        sigAlg, WOLFTPM2_WRAP_DIGEST);
+        sigAlg, hashAlg);
+
 }
 
 /* sigAlg: TPM_ALG_RSASSA, TPM_ALG_RSAPSS, TPM_ALG_ECDSA or TPM_ALG_ECDAA */
@@ -5315,6 +5320,15 @@ static int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate,
     if (publicTemplate == NULL || curveSz == 0)
         return BAD_FUNC_ARG;
 
+#if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384
+    /* make sure we use a curve that is enabled */
+    if (curve == TPM_ECC_NIST_P256) {
+        curve = TPM_ECC_NIST_P384;
+        nameAlg = TPM_ALG_SHA384;
+        sigHash = TPM_ALG_SHA384;
+    }
+#endif
+
     XMEMSET(publicTemplate, 0, sizeof(TPMT_PUBLIC));
     publicTemplate->type = TPM_ALG_ECC;
     publicTemplate->nameAlg = nameAlg;