Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding wrappers for CSR Generation #219

Merged
merged 1 commit into from
Jul 12, 2022
Merged

Adding wrappers for CSR Generation #219

merged 1 commit into from
Jul 12, 2022

Conversation

dgarske
Copy link
Contributor

@dgarske dgarske commented Jul 1, 2022
edited
Loading

  • Support for wolfTPM2_CSR_Generate wrapper to assist with CSR generation.
  • Modified the existing CSR example to use wrapper.
  • Adds support for WOLFTPM2_CSR structure and using custom OIDs in the CSR. This allows passing a WOLFTPM2_CSR to a set of new wolfTPM2_CSR_* API's.
  • Added CSharp wrappers and tests for CSR feature.

The custom OID feature requires:

user_settings.h:

#define WOLFSSL_ASN_TEMPLATE
#define WOLFSSL_CUSTOM_OID
#define HAVE_OID_ENCODING

Cmake:

"CMAKE_C_FLAGS": "-DWOLFSSL_CUSTOM_OID -DHAVE_OID_ENCODING -DWOLFSSL_ASN_TEMPLATE",

Configure (autoconf):

./configure --enable-wolftpm --enable-certgen --enable-asn=template CFLAGS="-DWOLFSSL_CUSTOM_OID -DHAVE_OID_ENCODING"

@dgarske dgarske requested a review from anhu July 1, 2022 23:13
@dgarske dgarske self-assigned this Jul 1, 2022
@dgarske dgarske removed the request for review from anhu July 3, 2022 15:26
@dgarske dgarske force-pushed the tpm_csr branch 5 times, most recently from a5367be to 5658769 Compare July 6, 2022 19:54
@dgarske dgarske requested a review from anhu July 6, 2022 19:54
anhu
anhu requested changes Jul 6, 2022
View reviewed changes
Copy link
Member

@anhu anhu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sweet! Think I caught some stuff. Please look over my comments.

wolftpm/tpm2_wrap.h Outdated Show resolved Hide resolved
src/tpm2_wrap.c Outdated Show resolved Hide resolved
src/tpm2_wrap.c Outdated Show resolved Hide resolved
src/tpm2_wrap.c Outdated Show resolved Hide resolved
src/tpm2_wrap.c Outdated Show resolved Hide resolved
src/tpm2_wrap.c Outdated Show resolved Hide resolved
src/tpm2_wrap.c Outdated Show resolved Hide resolved
src/tpm2_wrap.c Show resolved Hide resolved
@anhu anhu assigned dgarske and unassigned dgarske Jul 6, 2022
anhu
anhu reviewed Jul 6, 2022
View reviewed changes
wrapper/CSharp/wolfTPM.cs Outdated Show resolved Hide resolved
anhu
anhu approved these changes Jul 6, 2022
View reviewed changes
Copy link
Member

@anhu anhu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks great to me. Waiting for a few more changes as discussed privately.

@dgarske
Copy link
Contributor Author

dgarske commented Jul 6, 2022

Note: Going to be adding a WOLFTPM_CSR struct / class to support assembling a CSR then asking for it to be signed. This will allow for the custom request extension support.

@dgarske dgarske requested a review from anhu July 12, 2022 19:02
@dgarske dgarske assigned anhu and unassigned dgarske Jul 12, 2022
anhu
anhu requested changes Jul 12, 2022
View reviewed changes
Copy link
Member

@anhu anhu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice changes. Just looking for a bit of new wording.

examples/csr/csr.c Outdated
rc = wolfTPM2_CSR_SetKeyUsage(dev, csr, keyUsage);
}
if (rc == 0) {
rc = wolfTPM2_CSR_SetCustomExt(dev, csr, 0, "1.3.6.1.4.1.37244.2.2",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we get a comment or some sort of explanation of what is "1.3.6.1.4.1.37244.2.2" ?

wolftpm/tpm2_wrap.h Outdated
Comment on lines 2323 to 2324
\param selfSign If set to 1 (non-zero) then result will be a self signed certificate.
Zero (0) will generate a CSR to be used by a CA to sign and make into a "real" certificate.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In both cases, (zero, non-zero) this is a self signed object. (CA cert or CSR) . Can you call this parameter is_ca_cert or something similar? (admittedly not the best name. )

wrapper/CSharp/wolfTPM-tests.cs Outdated
ret = csr.SetKeyUsage(keyUsage);
Assert.AreEqual((int)Status.TPM_RC_SUCCESS, ret);

ret = csr.SetCustomOid("1.3.6.1.4.1.37244.2.2",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is this OID? Perhaps comment?

wrapper/CSharp/wolfTPM.cs Outdated
string oid,
byte[] der,
uint derSz);
public int SetCustomOid(string oid, string der, int critical)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be renamed to SetCustomExtension() ?

examples/csr/csr.c Outdated
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/csr/csr [-selfsigned]\n");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this selfsigned flag is strange as its always selfsigned. Either as a CA cert or a CSR.

@anhu anhu assigned dgarske and unassigned anhu Jul 12, 2022
@dgarske dgarske requested a review from anhu July 12, 2022 19:52
@dgarske
New CSR wrappers to assist with TPM based CSR/Self-Signed-Cert genera…
9d2483d 
…tion including CSharp wrappers. This includes support for subject, key usage, custom request extensions and output as PEM or DER. New structure `WOLFTPM2_CSR`. New API's `wolfTPM2_CSR_*`. New CSharp class `Csr`.
@anhu anhu merged commit 1a78e4f into wolfSSL:master Jul 12, 2022
JasonMac219
JasonMac219 reviewed Jul 13, 2022
View reviewed changes
wrapper/CSharp/wolfTPM-tests.cs
ret = device.LoadKey(keyBlob, parent_key);
Assert.AreEqual((int)Status.TPM_RC_SUCCESS, ret);

ret = device.GenerateCSR(keyBlob, subject, keyUsage,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could add subject format requirements for this interface.

@dgarske dgarske deleted the tpm_csr branch July 13, 2022 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JasonMac219 JasonMac219 JasonMac219 left review comments

@anhu anhu anhu approved these changes

Assignees

@anhu anhu

@dgarske dgarske

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dgarske @anhu @JasonMac219