    KEYS: asym_tpm: Add support for the sign operation [ver #2] · 64ae16df
    Denis Kenzior authored
    The sign operation can operate in a non-hashed mode by running the RSA
    sign operation directly on the input.  This assumes that the input is
    less than key_size_in_bytes - 11.  Since the TPM performs its own PKCS1
    padding, it isn't possible to support 'raw' mode, only 'pkcs1'.
    
    Alternatively, a hashed version is also possible.  In this variant the
    input is hashed (by userspace) via the selected hash function first.
    Then this implementation takes care of converting the hash to ASN.1
    format and the sign operation is performed on the result.  This is
    similar to the implementation inside crypto/rsa-pkcs1pad.c.
    
    ASN1 templates were copied from crypto/rsa-pkcs1pad.c.  There seems to
    be no easy way to expose that functionality, but likely the templates
    should be shared somehow.
    
    The sign operation is implemented via TPM_Sign operation on the TPM.
    It is assumed that the TPM wrapped key provided uses
    TPM_SS_RSASSAPKCS1v15_DER signature scheme.  This allows the TPM_Sign
    operation to work on data up to key_len_in_bytes - 11 bytes long.
    
    In theory, we could also use TPM_Unbind instead of TPM_Sign, but we would
    have to manually pkcs1 pad the digest first.
    Signed-off-by: Denis Kenzior <denkenz@gmail.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Tested-by: Marcel Holtmann <marcel@holtmann.org>
    Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: James Morris <james.morris@microsoft.com>
asym_tpm.c 22.9 KB
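
The hashed mode described in the commit message, as an added userspace sketch that is not code from this commit or from the kernel: it prepends the DER DigestInfo header for SHA-256 to a caller-supplied digest and enforces the key_len_in_bytes - 11 limit before the buffer would go to a PKCS#1 v1.5 signer. The helper name `build_sha256_digestinfo`, the restriction to SHA-256, and the sample digest are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1). */
static const uint8_t sha256_prefix[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

#define SHA256_LEN     32
#define PKCS1_OVERHEAD 11 /* 0x00 0x01, at least 8 bytes of 0xff, 0x00 */

/*
 * Hypothetical helper: write sha256_prefix || digest into out.
 * Returns the encoded length (51), or -1 when the digest is not a
 * SHA-256 digest, out is too small, or the encoding would not fit in
 * key_bytes - 11, the most a PKCS#1 v1.5 signer can pad and sign.
 */
static int build_sha256_digestinfo(const uint8_t *digest, size_t digest_len,
                                   size_t key_bytes,
                                   uint8_t *out, size_t out_len)
{
    size_t need = sizeof(sha256_prefix) + SHA256_LEN;

    if (digest_len != SHA256_LEN)
        return -1;
    if (key_bytes < PKCS1_OVERHEAD || need > key_bytes - PKCS1_OVERHEAD)
        return -1;
    if (out_len < need)
        return -1;
    memcpy(out, sha256_prefix, sizeof(sha256_prefix));
    memcpy(out + sizeof(sha256_prefix), digest, SHA256_LEN);
    return (int)need;
}

int main(void)
{
    uint8_t digest[SHA256_LEN], out[64];

    memset(digest, 0xab, sizeof(digest)); /* constructed sample digest */
    printf("2048-bit key: %d\n",
           build_sha256_digestinfo(digest, sizeof(digest), 256, out, sizeof(out)));
    printf("61-byte key:  %d\n",
           build_sha256_digestinfo(digest, sizeof(digest), 61, out, sizeof(out)));
    return 0;
}
```

The signer, not this helper, adds the PKCS#1 v1.5 padding around the returned 51 bytes, which is why the size check is against the key length minus 11 rather than the full key length.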