#include <libtasn1.h>
-
+/*
+ * TPMKey ::= SEQUENCE {
+ * type OBJECT IDENTIFIER,
+ * emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
+ * parent INTEGER,
+ * pubkey OCTET STRING,
+ * privkey OCTET STRING
+ * }
+ */
const asn1_static_node tpmkey_asn1_tab[] = {
{ "TPMKey", 536875024, NULL },
{ NULL, 1073741836, NULL },
{ "type", 1073741836, NULL },
{ "emptyAuth", 1610637316, NULL },
{ NULL, 2056, "0"},
- { "parent", 1610637315, NULL },
- { NULL, 2056, "1"},
- { "pubkey", 1610637319, NULL },
- { NULL, 2056, "2"},
+ { "parent", 1073741827, NULL },
+ { "pubkey", 1073741831, NULL },
{ "privkey", 7, NULL },
{ NULL, 0, NULL }
};
+
#if GNUTLS_VERSION_NUMBER < 0x030600
static int tpm2_rsa_sign_fn(gnutls_privkey_t key, void *_vpninfo,
const gnutls_datum_t *data, gnutls_datum_t *sig)
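Review bot: The new comment above `tpmkey_asn1_tab` gives the grammar but not what changed in it: `parent` and `pubkey` were previously `[1]`/`[2]` EXPLICIT OPTIONAL members (the removed `2056, "1"` / `2056, "2"` tag rows) and are now untagged and mandatory, so a blob in the old layout will fail DER decoding rather than parse with missing fields. I would record that in the comment so the next person debugging a "Failed to decode" report knows why, e.g. ` * Layout of the "TSS2 PRIVATE KEY" PEM format; the earlier tagged-OPTIONAL parent [1] / pubkey [2] layout is not accepted by this table.` It is also worth stating that `emptyAuth` is the only optional member, since the table encodes that in opaque constants (`1610637316` vs `1073741827`). The `#if GNUTLS_VERSION_NUMBER` block that follows belongs to a different function and is context only.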
unsigned int parent;
int err, ret = -EINVAL;
- err = gnutls_pem_base64_decode_alloc("TSS2 KEY BLOB", fdata, &asn1);
+ err = gnutls_pem_base64_decode_alloc("TSS2 PRIVATE KEY", fdata, &asn1);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Error decoding TSS2 key blob: %s\n"),
goto out_tpmkey;
}
- value_buflen = sizeof(value_buf);
- err = asn1_read_value(tpmkey, "type", value_buf, &value_buflen);
- if (err != ASN1_SUCCESS) {
- vpn_progress(vpninfo, PRG_ERR,
- _("Failed to identify type of TPM2 key: %s\n"),
- asn1_strerror(err));
- goto out_tpmkey;
- }
- if (strcmp(value_buf, "2.23.133.10.2")) {
- vpn_progress(vpninfo, PRG_ERR,
- _("Unsupported TPM2 key OID: %s\n"),
- value_buf);
- goto out_tpmkey;
- }
-
value_buflen = sizeof(value_buf);
if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) &&
!strcmp(value_buf, "TRUE"))
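Review bot: Deleting the `asn1_read_value(tpmkey, "type", ...)` block removes the only check on the key's `type` OID, so the loader now hands `parent`, `pubkey` and `privkey` of any TPMKey structure to the TPM without confirming it describes a loadable key; the grammar still carries `type` (see the table comment earlier in this diff), so the value remains available. Rather than dropping the check because the new files carry a different OID, I would keep the read and widen the allow-list: `if (strcmp(value_buf, "2.23.133.10.2") && strcmp(value_buf, "2.23.133.10.1.3"))` where the second value is, to my recollection, the TCG loadable-key OID used by `TSS2 PRIVATE KEY` files — verify it against the key-file spec before committing. Without the check a wrong object type (an importable or sealed blob, say) surfaces only as an opaque TPM load failure or a confusing "Unsupported" message further down. The enclosing function starts before and continues after this hunk.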
if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n")) {
fclose(f);
return load_tpm_certificate(vpninfo, "tpm");
- } else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n")) {
+ } else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n") ||
+ !strcmp(buf, "-----BEGIN TSS2 PRIVATE KEY-----\n")) {
fclose(f);
return load_tpm_certificate(vpninfo, "tpm2");
} else if (!strcmp(buf, "-----BEGIN TSS2 PRIVKEY BLOB v1-----\n")) {
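Review bot: Keeping `-----BEGIN TSS2 KEY BLOB-----` in this branch routes legacy files to `load_tpm_certificate(vpninfo, "tpm2")`, but the PEM decode in that path now looks only for the `"TSS2 PRIVATE KEY"` label (the `gnutls_pem_base64_decode_alloc` change earlier in this diff), so unless a fallback decode exists outside these hunks such files will be recognised here and then rejected with "Error decoding TSS2 key blob". Either the loader should try both labels, or this branch should stop advertising support for the old header and report it as unsupported with a clear message. If the intent is to drop the old format, a one-line comment here saying so would save the next reader the same trip. The `else if` chain continues past the end of the hunk.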