TPM support for using the public key with TLS.

wolfSSL · Jun 16, 2022 · 22ef06b · 22ef06b
1 parent 160b3e0
commit 22ef06b
Show file tree

Hide file tree

Showing 12 changed files with 74 additions and 283 deletions.
diff --git a/README.md b/README.md
@@ -693,7 +693,7 @@ PKCS7 Container Verified (using software)
 
 ### TPM TLS Client Example
 
-The wolfSSL TLS client requires loading a private key for mutual authentication. We load a "fake" private key and use the `myTpmCheckKey` callback to check for fake key to use the TPM instead.
+The wolfSSL TLS client requires loading a public key to indicate mutual authentication is sued. The crypto callback uses the TPM for the private key signing.
 
 ```
 ./examples/tls/tls_client
@@ -717,12 +717,12 @@ Connection: close
 
 ### TPM TLS Server Example
 
-The wolfSSL TLS server requires loading a private key. We load a "fake" private key and use the `myTpmCheckKey` callback to check for fake key to use the TPM instead.
+The wolfSSL TLS server loads the TPM public key and the crypto callback uses the TPM for the private key signing.
 
 ```
 ./examples/tls/tls_server
 TPM2 TLS Server Example
-Loading RSA certificate and dummy key
+Loading RSA certificate and public key
 Read (29): GET /index.html HTTP/1.0
 
 

diff --git a/certs/dummy-ecc.der b/certs/dummy-ecc.der
diff --git a/certs/dummy-ecc.pem b/certs/dummy-ecc.pem
diff --git a/certs/dummy-rsa.der b/certs/dummy-rsa.der
diff --git a/certs/dummy-rsa.pem b/certs/dummy-rsa.pem
diff --git a/certs/include.am b/certs/include.am
@@ -7,8 +7,4 @@ EXTRA_DIST += \
 	     certs/ca-rsa.cnf \
 	     certs/ca-ecc.cnf \
 	     certs/wolf-ca-ecc-cert.pem \
-	     certs/wolf-ca-rsa-cert.pem \
-	     certs/dummy-ecc.pem \
-	     certs/dummy-rsa.pem \
-	     certs/dummy-ecc.der \
-	     certs/dummy-rsa.der
+	     certs/wolf-ca-rsa-cert.pem 
diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c
@@ -179,7 +179,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 #ifdef HAVE_ECC
     tpmCtx.eccKey = &eccKey;
 #endif
-    tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */
     tpmCtx.storageKey = &storageKey;
 #ifdef WOLFTPM_USE_SYMMETRIC
     tpmCtx.useSymmetricOnTPM = 1;
@@ -329,22 +328,30 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 #endif /* !NO_FILESYSTEM */
 
     /* Client Key (Mutual Authentication) */
-    /* Note: Client will not send a client certificate unless a private key is
-     *   set, so we use a fake "DUMMY" key tell wolfSSL to send certificate.
-     *   The crypto callback will detect use of the dummy key using myTpmCheckKey
+    /* Note: Client will not send a client certificate unless a key is
+     *   set. Since we do not have the private key wolfSSL allows setting a
+     *   public key instead (if crypto callbacks are enabled).
      */
 #ifndef NO_TLS_MUTUAL_AUTH
     if (!useECC) {
     #ifndef NO_RSA
-        printf("Loading RSA dummy key\n");
+        byte der[1024];
+        word32 derSz = sizeof(der);
+        rc = wc_RsaKeyToPublicDer_ex(&wolfRsaKey, der, derSz, 1);
+        if (rc < 0) {
+            printf("Failed to export RSA public key!\n");
+            goto exit;
+        }
+        derSz = rc;
+        rc = 0;
 
         /* Private key is on TPM and crypto dev callbacks are used */
-        /* TLS client (mutual auth) requires a dummy key loaded (workaround) */
-        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, DUMMY_RSA_KEY,
-            sizeof(DUMMY_RSA_KEY), WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
-            printf("Failed to set key!\r\n");
+        /* TLS client (mutual auth) requires a public key loaded */
+        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
+                                    WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            printf("Failed to set RSA key!\n");
             goto exit;
-        }
+        }        
     #else
         printf("RSA not supported in this build\n");
         rc = -1;
@@ -353,12 +360,21 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
     }
     else {
     #ifdef HAVE_ECC
-        printf("Loading ECC dummy key\n");
+        byte der[256];
+        word32 derSz = sizeof(der);
+        rc = wc_EccPublicKeyToDer(&wolfEccKey, der, derSz, 1);
+        if (rc < 0) {
+            printf("Failed to export ECC public key!\n");
+            goto exit;
+        }
+        derSz = rc;
+        rc = 0;
+
         /* Private key is on TPM and crypto dev callbacks are used */
-        /* TLS client (mutual auth) requires a dummy key loaded (workaround) */
-        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, DUMMY_ECC_KEY,
-            sizeof(DUMMY_ECC_KEY), WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
-            printf("Failed to set key!\r\n");
+        /* TLS client (mutual auth) requires a public key loaded */
+        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
+                                    WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            printf("Failed to set ECC key!\n");
             goto exit;
         }
     #else

diff --git a/examples/tls/tls_common.h b/examples/tls/tls_common.h
@@ -373,86 +373,6 @@ static inline int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
     return 1;
 }
 
-#if defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)
-/* Function checks key to see if its the "dummy" key */
-static inline int myTpmCheckKey(wc_CryptoInfo* info, TpmCryptoDevCtx* ctx)
-{
-    int ret = 0;
-
-#ifndef NO_RSA
-    if (info && info->pk.type == WC_PK_TYPE_RSA) {
-        byte    e[sizeof(word32)], e2[sizeof(word32)];
-        byte    n[WOLFTPM2_WRAP_RSA_KEY_BITS/8], n2[WOLFTPM2_WRAP_RSA_KEY_BITS/8];
-        word32  eSz = sizeof(e), e2Sz = sizeof(e);
-        word32  nSz = sizeof(n), n2Sz = sizeof(n);
-        RsaKey  rsakey;
-        word32  idx = 0;
-
-        /* export the raw public RSA portion */
-        ret = wc_RsaFlattenPublicKey(info->pk.rsa.key, e, &eSz, n, &nSz);
-        if (ret == 0) {
-            /* load the modulus for the dummy key */
-            ret = wc_InitRsaKey(&rsakey, NULL);
-            if (ret == 0) {
-                ret = wc_RsaPrivateKeyDecode(DUMMY_RSA_KEY, &idx, &rsakey,
-                    (word32)sizeof(DUMMY_RSA_KEY));
-                if (ret == 0) {
-                    ret = wc_RsaFlattenPublicKey(&rsakey, e2, &e2Sz, n2, &n2Sz);
-                }
-                wc_FreeRsaKey(&rsakey);
-            }
-        }
-
-        if (ret == 0 && XMEMCMP(n, n2, nSz) == 0) {
-        #ifdef DEBUG_WOLFTPM
-            printf("Detected dummy key, so using TPM RSA key handle\n");
-        #endif
-            ret = 1;
-        }
-    }
-#endif
-#if defined(HAVE_ECC)
-    if (info && info->pk.type == WC_PK_TYPE_ECDSA_SIGN) {
-        byte    qx[WOLFTPM2_WRAP_ECC_KEY_BITS/8], qx2[WOLFTPM2_WRAP_ECC_KEY_BITS/8];
-        byte    qy[WOLFTPM2_WRAP_ECC_KEY_BITS/8], qy2[WOLFTPM2_WRAP_ECC_KEY_BITS/8];
-        word32  qxSz = sizeof(qx), qx2Sz = sizeof(qx2);
-        word32  qySz = sizeof(qy), qy2Sz = sizeof(qy2);
-        ecc_key eccKey;
-        word32  idx = 0;
-
-        /* export the raw public ECC portion */
-        ret = wc_ecc_export_public_raw(info->pk.eccsign.key, qx, &qxSz, qy, &qySz);
-        if (ret == 0) {
-            /* load the ECC public x/y for the dummy key */
-            ret = wc_ecc_init(&eccKey);
-            if (ret == 0) {
-                ret = wc_EccPrivateKeyDecode(DUMMY_ECC_KEY, &idx, &eccKey,
-                    (word32)sizeof(DUMMY_ECC_KEY));
-                if (ret == 0) {
-                    ret = wc_ecc_export_public_raw(&eccKey, qx2, &qx2Sz, qy2, &qy2Sz);
-                }
-                wc_ecc_free(&eccKey);
-            }
-        }
-
-        if (ret == 0 && XMEMCMP(qx, qx2, qxSz) == 0 &&
-                        XMEMCMP(qy, qy2, qySz) == 0) {
-        #ifdef DEBUG_WOLFTPM
-            printf("Detected dummy key, so using TPM ECC key handle\n");
-        #endif
-            ret = 1;
-        }
-    }
-#endif
-    (void)info;
-    (void)ctx;
-
-    /* non-zero return code means its a "dummy" key (not valid) and the
-        provided TPM handle will be used, not the wolf public key info */
-    return ret;
-}
-#endif /* WOLF_CRYPTO_DEV || WOLF_CRYPTO_CB */
-
 /******************************************************************************/
 /* --- END Supporting TLS functions --- */
 /******************************************************************************/

diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c
@@ -190,7 +190,6 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
 #ifdef HAVE_ECC
     tpmCtx.eccKey = &eccKey;
 #endif
-    tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */
     tpmCtx.storageKey = &storageKey;
 #ifdef WOLFTPM_USE_SYMMETRIC
     tpmCtx.useSymmetricOnTPM = 1;
@@ -338,7 +337,10 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     /* Server certificate */
     if (!useECC) {
     #ifndef NO_RSA
-        printf("Loading RSA certificate and dummy key\n");
+        byte der[1024];
+        word32 derSz = sizeof(der);
+
+        printf("Loading RSA certificate and public key\n");
 
         if ((rc = wolfSSL_CTX_use_certificate_file(ctx,
                                                    "./certs/server-rsa-cert.pem",
@@ -348,13 +350,19 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
             goto exit;
         }
 
+        rc = wc_RsaKeyToPublicDer_ex(&wolfRsaKey, der, derSz, 1);
+        if (rc < 0) {
+            printf("Failed to export RSA public key!\n");
+            goto exit;
+        }
+        derSz = rc;
+        rc = 0;
+
         /* Private key is on TPM and crypto dev callbacks are used */
-        /* TLS server requires some dummy key loaded (workaround) */
-        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, DUMMY_RSA_KEY,
-                                              sizeof(DUMMY_RSA_KEY),
-                                              WOLFSSL_FILETYPE_ASN1)
-            != WOLFSSL_SUCCESS) {
-            printf("Failed to set key!\r\n");
+        /* TLS client (mutual auth) requires a public key loaded */
+        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
+                                    WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            printf("Failed to set RSA key!\r\n");
             goto exit;
         }
     #else
@@ -365,7 +373,10 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     }
     else {
     #ifdef HAVE_ECC
-        printf("Loading ECC certificate and dummy key\n");
+        byte der[256];
+        word32 derSz = sizeof(der);
+
+        printf("Loading ECC certificate and public key\n");
 
         if ((rc = wolfSSL_CTX_use_certificate_file(ctx,
                 "./certs/server-ecc-cert.pem",
@@ -374,11 +385,19 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
             goto exit;
         }
 
+        rc = wc_EccPublicKeyToDer(&wolfEccKey, der, derSz, 1);
+        if (rc < 0) {
+            printf("Failed to export ECC public key!\n");
+            goto exit;
+        }
+        derSz = rc;
+        rc = 0;
+
         /* Private key is on TPM and crypto dev callbacks are used */
-        /* TLS server requires some dummy key loaded (workaround) */
-        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, DUMMY_ECC_KEY,
-                sizeof(DUMMY_ECC_KEY), WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
-            printf("Failed to set key!\r\n");
+        /* TLS client (mutual auth) requires a public key loaded */
+        if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
+                                    WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            printf("Failed to set ECC key!\r\n");
             goto exit;
         }
     #else