From: David Woodhouse <dwmw2@infradead.org>
Date: Fri, 12 Oct 2018 05:51:08 +0000 (-0700)
Subject: Switch to standard TSS2 PEM format
X-Git-Tag: v8.00~47
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=79bb45470f42582f4254e6a7aca36cf822dec69c;p=users%2Fdwmw2%2Fopenconnect.git

Switch to standard TSS2 PEM format

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---

diff --git a/gnutls.c b/gnutls.c
index c2ecc347..b3b61a89 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1320,7 +1320,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 	}
 
 	/* Is it a PEM file with a TPM key blob? */
-	if (strstr((char *)fdata.data, "-----BEGIN TSS2 KEY BLOB-----")) {
+	if (strstr((char *)fdata.data, "-----BEGIN TSS2 PRIVATE KEY-----")) {
 #ifndef HAVE_TSS2
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("This version of OpenConnect was built without TPM2 support\n"));
diff --git a/gnutls_tpm2.c b/gnutls_tpm2.c
index 5adc713e..abca9c4f 100644
--- a/gnutls_tpm2.c
+++ b/gnutls_tpm2.c
@@ -29,7 +29,15 @@
 
 #include <libtasn1.h>
 
-
+/*
+ * TPMKey ::= SEQUENCE {
+ *	type		OBJECT IDENTIFIER,
+ *	emptyAuth	[0] EXPLICIT BOOLEAN OPTIONAL,
+ *	parent		INTEGER,
+ *	pubkey		OCTET STRING,
+ *	privkey		OCTET STRING
+ * }
+ */
 const asn1_static_node tpmkey_asn1_tab[] = {
   { "TPMKey", 536875024, NULL },
   { NULL, 1073741836, NULL },
@@ -37,14 +45,13 @@ const asn1_static_node tpmkey_asn1_tab[] = {
   { "type", 1073741836, NULL },
   { "emptyAuth", 1610637316, NULL },
   { NULL, 2056, "0"},
-  { "parent", 1610637315, NULL },
-  { NULL, 2056, "1"},
-  { "pubkey", 1610637319, NULL },
-  { NULL, 2056, "2"},
+  { "parent", 1073741827, NULL },
+  { "pubkey", 1073741831, NULL },
   { "privkey", 7, NULL },
   { NULL, 0, NULL }
 };
 
+
 #if GNUTLS_VERSION_NUMBER < 0x030600
 static int tpm2_rsa_sign_fn(gnutls_privkey_t key, void *_vpninfo,
 			    const gnutls_datum_t *data, gnutls_datum_t *sig)
@@ -162,7 +169,7 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
 	unsigned int parent;
 	int err, ret = -EINVAL;
 
-	err = gnutls_pem_base64_decode_alloc("TSS2 KEY BLOB", fdata, &asn1);
+	err = gnutls_pem_base64_decode_alloc("TSS2 PRIVATE KEY", fdata, &asn1);
 	if (err) {
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("Error decoding TSS2 key blob: %s\n"),
@@ -187,21 +194,6 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
 		goto out_tpmkey;
 	}
 
-	value_buflen = sizeof(value_buf);
-	err = asn1_read_value(tpmkey, "type", value_buf, &value_buflen);
-	if (err != ASN1_SUCCESS) {
-		vpn_progress(vpninfo, PRG_ERR,
-			     _("Failed to identify type of TPM2 key: %s\n"),
-			     asn1_strerror(err));
-		goto out_tpmkey;
-	}
-	if (strcmp(value_buf, "2.23.133.10.2")) {
-		vpn_progress(vpninfo, PRG_ERR,
-			     _("Unsupported TPM2 key OID: %s\n"),
-			     value_buf);
-		goto out_tpmkey;
-	}
-
 	value_buflen = sizeof(value_buf);
 	if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) &&
 	    !strcmp(value_buf, "TRUE"))
diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c
index 730e624a..ca09c919 100644
--- a/gnutls_tpm2_esys.c
+++ b/gnutls_tpm2_esys.c
@@ -76,6 +76,8 @@ static TPM2B_PUBLIC primaryTemplate = {
 		.objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
 				     TPMA_OBJECT_RESTRICTED |
 				     TPMA_OBJECT_DECRYPT |
+				     TPMA_OBJECT_FIXEDTPM |
+				     TPMA_OBJECT_FIXEDPARENT |
 				     TPMA_OBJECT_NODA |
 				     TPMA_OBJECT_SENSITIVEDATAORIGIN),
 		.authPolicy = {
diff --git a/gnutls_tpm2_ibm.c b/gnutls_tpm2_ibm.c
index 76a86712..e5cc28a2 100644
--- a/gnutls_tpm2_ibm.c
+++ b/gnutls_tpm2_ibm.c
@@ -215,6 +215,8 @@ static TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h,
 	in.inPublic.publicArea.type = TPM_ALG_ECC;
 	in.inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
 	in.inPublic.publicArea.objectAttributes.val =
+		TPMA_OBJECT_FIXEDPARENT |
+		TPMA_OBJECT_FIXEDTPM |
 		TPMA_OBJECT_NODA |
 		TPMA_OBJECT_SENSITIVEDATAORIGIN |
 		TPMA_OBJECT_USERWITHAUTH |
diff --git a/openssl.c b/openssl.c
index 27bfba7b..eb64ed57 100644
--- a/openssl.c
+++ b/openssl.c
@@ -949,7 +949,8 @@ static int load_certificate(struct openconnect_info *vpninfo)
 		if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n")) {
 			fclose(f);
 			return load_tpm_certificate(vpninfo, "tpm");
-		} else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n")) {
+		} else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n") ||
+			   !strcmp(buf, "-----BEGIN TSS2 PRIVATE KEY-----\n")) {
 			fclose(f);
 			return load_tpm_certificate(vpninfo, "tpm2");
 		} else if (!strcmp(buf, "-----BEGIN TSS2 PRIVKEY BLOB v1-----\n")) {