// Copyright 2015 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef ATTESTATION_COMMON_TPM_UTILITY_H_
#define ATTESTATION_COMMON_TPM_UTILITY_H_

#include <stdint.h>

#include <string>

#include <attestation/proto_bindings/interface.pb.h>

#include "attestation/common/database.pb.h"

namespace attestation {

// A class which provides helpers for TPM-related tasks.
class TpmUtility {
 public:
  virtual ~TpmUtility() = default;

  // Override to perform initialization work. This must be called successfully
  // before calling any other methods.
  virtual bool Initialize() = 0;

  // Returns the TPM version managed by this instance.
  virtual TpmVersion GetVersion() = 0;

  // Returns true iff the TPM is enabled, owned, and ready for attestation.
  virtual bool IsTpmReady() = 0;

  // Activates an attestation identity key for TPM 1.2. Effectively this
  // decrypts a certificate or some other type of credential with the
  // endorsement key.  The |identity_key_blob| is the key to which the
  // credential is bound. The |asym_ca_contents| and |sym_ca_attestation|
  // parameters are encrypted TPM structures, typically created by a CA
  // (TPM_ASYM_CA_CONTENTS and TPM_SYM_CA_ATTESTATION respectively). On success
  // returns true and populates the decrypted |credential|.
  virtual bool ActivateIdentity(const std::string& identity_key_blob,
                                const std::string& asym_ca_contents,
                                const std::string& sym_ca_attestation,
                                std::string* credential) = 0;

  // Activates an attestation identity key for TPM 2.0. The type of both the
  // endorsement key and the identity key is specified by |key_type|. The
  // |identity_key_blob| is as output by CreateRestrictedKey(). The
  // |encrypted_seed|, |credential_mac|, and |wrapped_credential| are provided
  // by the Attestation CA via an EncryptedIdentityCredential protobuf. Take
  // note that the |wrapped_credential| is not the wrapped certificate itself
  // but a shorter value which is used to derive
  virtual bool ActivateIdentityForTpm2(KeyType key_type,
                                       const std::string& identity_key_blob,
                                       const std::string& encrypted_seed,
                                       const std::string& credential_mac,
                                       const std::string& wrapped_credential,
                                       std::string* credential) = 0;

  // Generates and certifies a non-migratable key in the TPM. The new key will
  // correspond to |key_type| and |key_usage|. The parent key will be the
  // storage root key. The new key will be certified with the attestation
  // identity key represented by |identity_key_blob|. The |external_data| will
  // be included in the |key_info|. On success, returns true and populates
  // |public_key_tpm_format| with the public key of |key_blob| in TPM_PUBKEY
  // format, |public_key_der| with DER encoded format which converted from
  // TPM_PUBKEY, |key_info| with the TPM_CERTIFY_INFO that was signed, and
  // |proof| with the signature of |key_info| by the identity key.
  virtual bool CreateCertifiedKey(KeyType key_type,
                                  KeyUsage key_usage,
                                  const std::string& identity_key_blob,
                                  const std::string& external_data,
                                  std::string* key_blob,
                                  std::string* public_key_der,
                                  std::string* public_key_tpm_format,
                                  std::string* key_info,
                                  std::string* proof) = 0;

  // Seals |data| to the current value of PCR0 with the SRK and produces the
  // |sealed_data|. Returns true on success.
  virtual bool SealToPCR0(const std::string& data,
                          std::string* sealed_data) = 0;

  // Unseals |sealed_data| previously sealed with the SRK and produces the
  // unsealed |data|. Returns true on success.
  virtual bool Unseal(const std::string& sealed_data, std::string* data) = 0;

  // Reads an endorsement public key from the TPM and provides it as a DER
  // encoded public key. PKCS #1 RSAPublicKey for RSA. RFC 5915 ECPublicKey for
  // EC.
  virtual bool GetEndorsementPublicKey(KeyType key_type,
                                       std::string* public_key_der) = 0;

  // Reads an endorsement certificate from the TPM.
  virtual bool GetEndorsementCertificate(KeyType key_type,
                                         std::string* certificate) = 0;

  // Unbinds |bound_data| with the key loaded from |key_blob| by decrypting
  // using the TPM_ES_RSAESOAEP_SHA1_MGF1 scheme. The input must be in the
  // format of a TPM_BOUND_DATA structure. On success returns true and provides
  // the decrypted |data|.
  virtual bool Unbind(const std::string& key_blob,
                      const std::string& bound_data,
                      std::string* data) = 0;

  // Signs |data_to_sign| with the key loaded from |key_blob| using the
  // TPM_SS_RSASSAPKCS1v15_DER scheme with SHA-256. On success returns true and
  // provides the |signature|.
  virtual bool Sign(const std::string& key_blob,
                    const std::string& data_to_sign,
                    std::string* signature) = 0;

  // Quotes a PCR specified by |pcr_index|. The |key_blob| must be a restricted
  // signing key. On success returns true and populates:
  //   |quoted_pcr_value| - The value of the register at the time it was quoted.
  //   |quoted_data| - The exact serialized data that was signed.
  //   |quote| - The signature.
  virtual bool QuotePCR(uint32_t pcr_index,
                        const std::string& key_blob,
                        std::string* quoted_pcr_value,
                        std::string* quoted_data,
                        std::string* quote) = 0;

  // Checks if |quote| is valid for a single PCR specified by |pcr_index|
  // acoording to |quoted_pcr_value| and |quoted_data|. See |QuotePCR| above for
  // more information about the input variables.
  virtual bool IsQuoteForPCR(const std::string& quoted_pcr_value,
                             const std::string& quoted_data,
                             const std::string& quote,
                             uint32_t pcr_index) const = 0;

  // Reads a PCR specified by |pcr_index|. On success returns true and
  // populates |_pcr_value|.
  virtual bool ReadPCR(uint32_t pcr_index, std::string* pcr_value) = 0;

  // Some older boards are affected by a bug in AP firmware where PCR0 is
  // extended on resume from S3 (rather than just on initial boot), causing
  // PCR0 to have an invalid/unexpected value (different from the expected
  // value immediately after a normal boot).
  //
  // This function returns true iff the value of PCR0 is valid. If PCR0
  // is not valid, then it should not be used (eq quoted or used to seal data).
  virtual bool IsPCR0Valid() = 0;

  // Gets the data size for the NV data at |nv_index| and stores it into
  // |nv_size| if successful. Returns true for success, false otherwise.
  virtual bool GetNVDataSize(uint32_t nv_index, uint16_t* nv_size) const = 0;

  // Certifies NV data at |nv_index|. The amount of data to be certified,
  // starting at offset 0, is specified by |nv_size|. The |key_blob| must be a
  // restricted signing key. On success returns true and populates:
  //   |quoted_data| - The exact serialized data that was signed.
  //   |quote| - The signature.
  virtual bool CertifyNV(uint32_t nv_index,
                         int nv_size,
                         const std::string& key_blob,
                         std::string* quoted_data,
                         std::string* quote) = 0;

  // Signals to remove Attestation dependency on owner password.
  // Returns true if the dependency was removed this time, or it already has
  // been removed earlier; false otherwise.
  virtual bool RemoveOwnerDependency() = 0;

  // Reads an endorsement public key from the TPM and extracts the modulus in
  // |ekm|.
  virtual bool GetEndorsementPublicKeyModulus(KeyType key_type,
                                              std::string* ekm) = 0;

  // Creates identity of |key_type| type and stores the output from TPM into
  // |identity|.
  virtual bool CreateIdentity(KeyType key_type,
                              AttestationDatabase::Identity* identity) = 0;

  // Retrieves a hashed representation of DeviceId from the TPM.
  virtual bool GetRsuDeviceId(std::string* device_id) = 0;
};

}  // namespace attestation

#endif  // ATTESTATION_COMMON_TPM_UTILITY_H_