cryptohome/signature_sealing_backend_tpm1_impl.h - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2018 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef CRYPTOHOME_SIGNATURE_SEALING_BACKEND_TPM1_IMPL_H_
 #define CRYPTOHOME_SIGNATURE_SEALING_BACKEND_TPM1_IMPL_H_

 #include <stdint.h>
 #include <map>
 #include <memory>
 #include <set>
 #include <vector>

 #include <base/macros.h>
 #include <brillo/secure_blob.h>
 #include <crypto/scoped_openssl_types.h>
 #include <openssl/rsa.h>

 #include "cryptohome/signature_sealing_backend.h"

 namespace cryptohome {

 class TpmImpl;

 // Implementation of signature-sealing operations for TPM 1.2. Based on the
 // Certified Migratable Key functionality, with the CMK's private key contents
 // playing the role of the sealed secret. The CMK is of 2048-bit size.
 //
 // Only the |kRsassaPkcs1V15Sha1| algorithm is supported by this implementation.
 class SignatureSealingBackendTpm1Impl final : public SignatureSealingBackend {
  public:
   explicit SignatureSealingBackendTpm1Impl(TpmImpl* tpm);
   SignatureSealingBackendTpm1Impl(const SignatureSealingBackendTpm1Impl&) =
       delete;
   SignatureSealingBackendTpm1Impl& operator=(
       const SignatureSealingBackendTpm1Impl&) = delete;

   ~SignatureSealingBackendTpm1Impl() override;

   // SignatureSealingBackend:
   bool CreateSealedSecret(
       const brillo::Blob& public_key_spki_der,
       const std::vector<ChallengeSignatureAlgorithm>& key_algorithms,
       const std::vector<std::map<uint32_t, brillo::Blob>>& pcr_restrictions,
       const brillo::Blob& delegate_blob,
       const brillo::Blob& delegate_secret,
       brillo::SecureBlob* secret_value,
       SignatureSealedData* sealed_secret_data) override;
   std::unique_ptr<UnsealingSession> CreateUnsealingSession(
       const SignatureSealedData& sealed_secret_data,
       const brillo::Blob& public_key_spki_der,
       const std::vector<ChallengeSignatureAlgorithm>& key_algorithms,
       const brillo::Blob& delegate_blob,
       const brillo::Blob& delegate_secret) override;

  private:
   // Unowned.
   TpmImpl* const tpm_;
 };

 // Extracts the CMK's private key from the output of the migration procedure:
 // the TPM_KEY12 blob of the migrated CMK in |migrated_cmk_key12_blob|, and the
 // migration random XOR-mask in |migration_random_blob|. Returns the OpenSSL
 // private key object.
 crypto::ScopedRSA ExtractCmkPrivateKeyFromMigratedBlob(
     const brillo::Blob& migrated_cmk_key12_blob,
     const brillo::Blob& migration_random_blob,
     const brillo::Blob& cmk_pubkey,
     const brillo::Blob& cmk_pubkey_digest,
     const brillo::Blob& msa_composite_digest,
     RSA* migration_destination_rsa);

 }  // namespace cryptohome

 #endif  // CRYPTOHOME_SIGNATURE_SEALING_BACKEND_TPM1_IMPL_H_
	// Copyright 2018 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef CRYPTOHOME_SIGNATURE_SEALING_BACKEND_TPM1_IMPL_H_
	#define CRYPTOHOME_SIGNATURE_SEALING_BACKEND_TPM1_IMPL_H_

	#include <stdint.h>
	#include <map>
	#include <memory>
	#include <set>
	#include <vector>

	#include <base/macros.h>
	#include <brillo/secure_blob.h>
	#include <crypto/scoped_openssl_types.h>
	#include <openssl/rsa.h>

	#include "cryptohome/signature_sealing_backend.h"

	namespace cryptohome {

	class TpmImpl;

	// Implementation of signature-sealing operations for TPM 1.2. Based on the
	// Certified Migratable Key functionality, with the CMK's private key contents
	// playing the role of the sealed secret. The CMK is of 2048-bit size.
	//
	// Only the \|kRsassaPkcs1V15Sha1\| algorithm is supported by this implementation.
	class SignatureSealingBackendTpm1Impl final : public SignatureSealingBackend {
	public:
	explicit SignatureSealingBackendTpm1Impl(TpmImpl* tpm);
	SignatureSealingBackendTpm1Impl(const SignatureSealingBackendTpm1Impl&) =
	delete;
	SignatureSealingBackendTpm1Impl& operator=(
	const SignatureSealingBackendTpm1Impl&) = delete;

	~SignatureSealingBackendTpm1Impl() override;

	// SignatureSealingBackend:
	bool CreateSealedSecret(
	const brillo::Blob& public_key_spki_der,
	const std::vector<ChallengeSignatureAlgorithm>& key_algorithms,
	const std::vector<std::map<uint32_t, brillo::Blob>>& pcr_restrictions,
	const brillo::Blob& delegate_blob,
	const brillo::Blob& delegate_secret,
	brillo::SecureBlob* secret_value,
	SignatureSealedData* sealed_secret_data) override;
	std::unique_ptr<UnsealingSession> CreateUnsealingSession(
	const SignatureSealedData& sealed_secret_data,
	const brillo::Blob& public_key_spki_der,
	const std::vector<ChallengeSignatureAlgorithm>& key_algorithms,
	const brillo::Blob& delegate_blob,
	const brillo::Blob& delegate_secret) override;

	private:
	// Unowned.
	TpmImpl* const tpm_;
	};

	// Extracts the CMK's private key from the output of the migration procedure:
	// the TPM_KEY12 blob of the migrated CMK in \|migrated_cmk_key12_blob\|, and the
	// migration random XOR-mask in \|migration_random_blob\|. Returns the OpenSSL
	// private key object.
	crypto::ScopedRSA ExtractCmkPrivateKeyFromMigratedBlob(
	const brillo::Blob& migrated_cmk_key12_blob,
	const brillo::Blob& migration_random_blob,
	const brillo::Blob& cmk_pubkey,
	const brillo::Blob& cmk_pubkey_digest,
	const brillo::Blob& msa_composite_digest,
	RSA* migration_destination_rsa);

	} // namespace cryptohome

	#endif // CRYPTOHOME_SIGNATURE_SEALING_BACKEND_TPM1_IMPL_H_