ifapi_keystore.h

/* SPDX-License-Identifier: BSD-2-Clause */
/*******************************************************************************
 * Copyright 2018-2019, Fraunhofer SIT sponsored by Infineon Technologies AG
 * All rights reserved.
 ******************************************************************************/
 
#ifndef IFAPI_KEYSTORE_H
#define IFAPI_KEYSTORE_H
 
#include <stdbool.h> // for bool
#include <stdlib.h>  // for size_t
 
#include "fapi_types.h"         // for UINT8_ARY
#include "ifapi_io.h"           // for IFAPI_IO
#include "ifapi_policy_types.h" // for TPMS_POLICY
#include "tss2_common.h"        // for TSS2_RC, UINT32
#include "tss2_esys.h"          // for ESYS_TR
#include "tss2_policy.h"        // for TSS2_OBJECT
#include "tss2_tpm2_types.h"    // for TPMI_YES_NO, TPM2B_PUBLIC, TPM2B_DIGEST
 
typedef UINT32 IFAPI_OBJECT_TYPE_CONSTANT;
#define IFAPI_OBJ_NONE        0 
#define IFAPI_KEY_OBJ         1 
#define IFAPI_NV_OBJ          2 
#define IFAPI_EXT_PUB_KEY_OBJ 3 
#define IFAPI_HIERARCHY_OBJ   4 
#define IFAPI_DUPLICATE_OBJ   5 
typedef struct {
    UINT32 persistent_handle;              
    TPM2B_PUBLIC public;                   
    UINT8_ARY serialization;               
    UINT8_ARY private;                     
    char               *policyInstance;    
    TPM2B_DIGEST        creationHash;      
    TPM2B_CREATION_DATA creationData;      
    TPMT_TK_CREATION    creationTicket;    
    char               *description;       
    UINT8_ARY           appData;           
    char               *certificate;       
    TPMT_SIG_SCHEME     signing_scheme;    
    TPM2B_NAME          name;              
    TPMI_YES_NO         with_auth;         
    UINT32              reset_count;       
    TPMI_YES_NO         delete_prohibited; 
    TPMI_YES_NO         ek_profile;        
    TPM2B_DIGEST   nonce;                  
    TPMI_YES_NO    unique_init_set;        
    TPMU_PUBLIC_ID unique_init;            
    bool           auth_primary_set;       
} IFAPI_KEY;
 
typedef struct {
    char *pem_ext_public; 
    char *certificate;    
    TPM2B_PUBLIC public;  
} IFAPI_EXT_PUB_KEY;
 
typedef struct {
    TPMI_YES_NO  with_auth;   
    char        *description; 
    TPM2B_DIGEST authPolicy;
    ESYS_TR      esysHandle;
    bool         authorized; 
    TPM2B_NAME   name;       
} IFAPI_HIERARCHY;
 
typedef struct {
    TPM2B_NV_PUBLIC public;     
    UINT8_ARY   serialization;  
    UINT32      hierarchy;      
    char       *policyInstance; 
    char       *description;    
    UINT8_ARY   appData;        
    TPMI_YES_NO with_auth;      
    char       *event_log;      
} IFAPI_NV;
 
typedef struct {
 
    TPM2B_PRIVATE          duplicate;      
    TPM2B_ENCRYPTED_SECRET encrypted_seed; 
    TPM2B_PUBLIC public;        
    TPM2B_PUBLIC public_parent; 
    char        *certificate;   
    TPMS_POLICY *policy;        
} IFAPI_DUPLICATE;
 
typedef union {
    IFAPI_EXT_PUB_KEY ext_pub_key; 
    IFAPI_KEY         key;         
    IFAPI_NV          nv;          
    IFAPI_DUPLICATE   key_tree;    
    IFAPI_HIERARCHY   hierarchy;   
} IFAPI_OBJECT_UNION;
 
enum FAPI_SEARCH_STATE { KSEARCH_INIT = 0, KSEARCH_SEARCH_OBJECT, KSEARCH_READ };
 
typedef struct {
    size_t                 path_idx; 
    size_t                 numPaths; 
    char                 **pathlist; 
    enum FAPI_SEARCH_STATE state;
} IFAPI_KEY_SEARCH;
 
typedef struct IFAPI_KEYSTORE {
    char            *systemdir;
    char            *userdir;
    char            *defaultprofile;
    IFAPI_KEY_SEARCH key_search;
    const char      *rel_path;
} IFAPI_KEYSTORE;
 
enum IFAPI_AUTHORIZATION_STATE {
    AUTH_INIT = 0,
    AUTH_CHECK_POLICY,
    AUTH_CREATE_SESSION,
    AUTH_EXEC_POLICY,
    AUTH_FLUSH_OLD_POLICY,
    AUTH_DONE
};
 
enum IFAPI_IO_STATE {
    IO_INIT = 0,
    IO_ACTIVE,
};
 
#define TSS2_OBJECT_TO_IFAPI_OBJECT(p) ((IFAPI_OBJECT *)(p))
 
typedef struct IFAPI_OBJECT {
    /* TSS2_OBJECT MUST GO FIRST. In C pointer of first element
     * is equal to pointer of base type, use this to hide data by
     * only passing pointer to public in callbacks, however, internal
     * FAPI code can do a simple upcast it back to the original.
     *
     * **NOTE**: One could use offset of, and play the same trick
     * the linux kernel linked list uses with container_of, but
     * since offsetof isn't C99, we won't use it here.
     */
    TSS2_OBJECT public; 
    TPMS_POLICY               *policy;
    IFAPI_OBJECT_TYPE_CONSTANT objectType; 
    IFAPI_OBJECT_UNION         misc;       
    TPMI_YES_NO                system;     
    enum IFAPI_AUTHORIZATION_STATE
                        authorization_state; 
    enum IFAPI_IO_STATE state;
    const char         *rel_path;     
    bool                auth_changed; 
} IFAPI_OBJECT;
 
TSS2_RC
ifapi_check_valid_path(const char *path);
 
TSS2_RC
ifapi_keystore_initialize(IFAPI_KEYSTORE *keystore,
                          const char     *config_systemdir,
                          const char     *config_userdir,
                          const char     *config_defaultprofile);
 
TSS2_RC
ifapi_keystore_load_async(IFAPI_KEYSTORE *keystore, IFAPI_IO *io, const char *path);
 
TSS2_RC
ifapi_keystore_load_finish(IFAPI_KEYSTORE *keystore, IFAPI_IO *io, IFAPI_OBJECT *object);
 
TSS2_RC
ifapi_keystore_object_does_not_exist(IFAPI_KEYSTORE     *keystore,
                                     const char         *path,
                                     const IFAPI_OBJECT *object);
 
TSS2_RC
ifapi_keystore_store_async(IFAPI_KEYSTORE     *keystore,
                           IFAPI_IO           *io,
                           const char         *path,
                           const IFAPI_OBJECT *object);
 
TSS2_RC
ifapi_keystore_store_finish(IFAPI_IO *io);
 
TSS2_RC
ifapi_keystore_list_all(IFAPI_KEYSTORE *keystore,
                        const char     *searchpath,
                        char         ***results,
                        size_t         *numresults);
 
TSS2_RC
ifapi_keystore_delete(IFAPI_KEYSTORE *keystore, char *path);
 
TSS2_RC
ifapi_keystore_remove_directories(IFAPI_KEYSTORE *keystore, const char *dir_name);
 
TSS2_RC
ifapi_keystore_search_obj(IFAPI_KEYSTORE *keystore,
                          IFAPI_IO       *io,
                          TPM2B_NAME     *name,
                          char          **found_path);
 
TSS2_RC
ifapi_keystore_search_nv_obj(IFAPI_KEYSTORE  *keystore,
                             IFAPI_IO        *io,
                             TPM2B_NV_PUBLIC *nv_public,
                             char           **found_path);
 
TSS2_RC
ifapi_keystore_check_overwrite(IFAPI_KEYSTORE *keystore, const char *path);
 
TSS2_RC
ifapi_keystore_check_writeable(IFAPI_KEYSTORE *keystore, const char *path);
 
TSS2_RC
ifapi_copy_ifapi_key(IFAPI_KEY *dest, const IFAPI_KEY *src);
 
TSS2_RC
ifapi_copy_ifapi_hierarchy(IFAPI_HIERARCHY *dest, const IFAPI_HIERARCHY *src);
 
TSS2_RC
ifapi_copy_ifapi_key_object(IFAPI_OBJECT *dest, const IFAPI_OBJECT *src);
 
TSS2_RC
ifapi_copy_ifapi_hierarchy_object(IFAPI_OBJECT *dest, const IFAPI_OBJECT *src);
 
void ifapi_cleanup_ifapi_key(IFAPI_KEY *key);
 
void ifapi_cleanup_ifapi_ext_pub_key(IFAPI_EXT_PUB_KEY *key);
 
void ifapi_cleanup_ifapi_hierarchy(IFAPI_HIERARCHY *hierarchy);
 
void ifapi_cleanup_ifapi_nv(IFAPI_NV *nv);
 
void ifapi_cleanup_ifapi_duplicate(IFAPI_DUPLICATE *duplicate);
 
void ifapi_cleanup_ifapi_key_search(IFAPI_KEY_SEARCH *key_search);
 
void ifapi_cleanup_ifapi_keystore(IFAPI_KEYSTORE *keystore);
 
void ifapi_cleanup_ifapi_object(IFAPI_OBJECT *object);
 
TSS2_RC
ifapi_check_provisioned(IFAPI_KEYSTORE *keystore, const char *rel_path, bool *ok);
 
#endif /* IFAPI_KEYSTORE_H */