Merge pull request #390 from dgarske/oldcrypt

Support for building wolfTPM against older wolfCrypt (like v4.7.0)
2024-12-17 17:00:50 -06:00 · 2024-12-17 17:00:50 -06:00 · cb645d3a21
parent 415f714c66 88f57f373e
commit cb645d3a21
7 changed files with 98 additions and 35 deletions
--- a/.github/workflows/make-test-swtpm.yml
+++ b/.github/workflows/make-test-swtpm.yml
@ -202,6 +202,29 @@ jobs:
        make check
        WOLFSSL_PATH=./wolfssl NO_FILESYSTEM=1 ./examples/run_examples.sh

+# test with older wolfCrypt (v4.7.0)
+    - uses: actions/checkout@master
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl-old
+        ref: v4.7.0-stable
+    - name: wolfssl old
+      working-directory: ./wolfssl
+      run: |
+        ./configure --enable-wolftpm CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN"
+        make
+        sudo make install
+    - name: wolftpm with old wolfssl
+      # Old wolfSSL before PR #5075 does not support using a public key in place of private key with
+      # crypto callbacks enabled.
+      # To use PKCS7 or TLS Server a dummy private key must be used for older wolfSSL versions.
+      # Use newer wolfSSL TLS client/server to resolve test certificate expirations
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh
+
 # capture logs on failure
    - name: Upload failure logs
      if: failure()
--- a/examples/csr/csr.c
+++ b/examples/csr/csr.c
@ -87,7 +87,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
 #ifdef WOLFTPM2_NO_HEAP
    /* single shot API for CSR generation */
    rc = wolfTPM2_CSR_Generate_ex(dev, key, subject, keyUsage,
-        CTC_FILETYPE_PEM, output, outputSz, sigType, makeSelfSignedCert,
+        ENCODING_TYPE_PEM, output, outputSz, sigType, makeSelfSignedCert,
        devId);
 #else
    rc = wolfTPM2_CSR_SetSubject(dev, csr, subject);
@ -104,7 +104,7 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
        }
    }
    if (rc == 0) {
-        rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, CTC_FILETYPE_PEM,
+        rc = wolfTPM2_CSR_MakeAndSign_ex(dev, csr, key, ENCODING_TYPE_PEM,
            output, outputSz, sigType, makeSelfSignedCert, devId);
    }
 #endif
--- a/examples/endorsement/get_ek_certs.c
+++ b/examples/endorsement/get_ek_certs.c
@ -278,8 +278,13 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
        if (rc == 0) {
            /* Attempt to parse certificate */
            printf("Parsing certificate (%d bytes)\n", certSz);
+            #ifdef WOLFSSL_TEST_CERT
+            InitDecodedCert(&cert, certBuf, certSz, NULL);
+            rc = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+            #else
            wc_InitDecodedCert(&cert, certBuf, certSz, NULL);
            rc = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+            #endif
            if (rc == 0) {
                printf("\tSuccessfully parsed\n");

@ -338,7 +343,11 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
                printf("Error parsing certificate! %s (%d)\n",
                    TPM2_GetRCString(rc), rc);
            }
+        #ifdef WOLFSSL_TEST_CERT
+            FreeDecodedCert(&cert);
+        #else
            wc_FreeDecodedCert(&cert);
+        #endif

        #ifndef WOLFCRYPT_ONLY
            if (rc == 0) {
--- a/examples/pkcs7/pkcs7.c
+++ b/examples/pkcs7/pkcs7.c
@ -46,12 +46,16 @@

 /* The PKCS7 EX functions were added after v3.15.3 */
 #include <wolfssl/version.h>
-#if defined(LIBWOLFSSL_VERSION_HEX) && \
-    LIBWOLFSSL_VERSION_HEX > 0x03015003
+#if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x03015003
    #undef  ENABLE_PKCS7EX_EXAMPLE
    #define ENABLE_PKCS7EX_EXAMPLE
 #endif

+#if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX < 0x05007004
+    /* PKCS7 renamed to wc_PKCS7 */
+    #define wc_PKCS7 PKCS7
+#endif
+
 #ifndef MAX_PKCS7_SIZE
 #define MAX_PKCS7_SIZE MAX_CONTEXT_SIZE
 #endif
--- a/examples/run_examples.sh
+++ b/examples/run_examples.sh
@ -13,6 +13,9 @@ fi
 if [ -z "$NO_FILESYSTEM" ]; then
    NO_FILESYSTEM=0
 fi
+if [ -z "$NO_PUBASPRIV" ]; then
+    NO_PUBASPRIV=0
+fi
 if [ -z "$WOLFCRYPT_DEFAULT" ]; then
    WOLFCRYPT_DEFAULT=0
 fi
@ -337,7 +340,7 @@ fi

 # PKCS7 Tests
 echo -e "PKCS7 tests"
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ] && [ $NO_PUBASPRIV -eq 0 ]; then
    ./examples/pkcs7/pkcs7 >> run.out 2>&1
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
@ -400,10 +403,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
        run_tpm_tls_client "rsa" "" "4"
        run_tpm_tls_client "rsa" "-aes" "4"

-        run_tpm_tls_server "rsa" "" "3"
-        run_tpm_tls_server "rsa" "-aes" "3"
-        run_tpm_tls_server "rsa" "" "4"
-        run_tpm_tls_server "rsa" "-aes" "4"
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "rsa" "" "3"
+            run_tpm_tls_server "rsa" "-aes" "3"
+            run_tpm_tls_server "rsa" "" "4"
+            run_tpm_tls_server "rsa" "-aes" "4"
+        fi

        # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks
        run_tpm_tls_client "rsa" "-pk" "3"
@ -411,11 +416,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
        run_tpm_tls_client "rsa" "-pk" "4"
        run_tpm_tls_client "rsa" "-pk -aes" "4"

-        run_tpm_tls_server "rsa" "-pk " "3"
-        run_tpm_tls_server "rsa" "-pk -aes" "3"
-        run_tpm_tls_server "rsa" "-pk " "4"
-        run_tpm_tls_server "rsa" "-pk -aes" "4"
-
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "rsa" "-pk " "3"
+            run_tpm_tls_server "rsa" "-pk -aes" "3"
+            run_tpm_tls_server "rsa" "-pk " "4"
+            run_tpm_tls_server "rsa" "-pk -aes" "4"
+        fi
    fi
    if [ $WOLFCRYPT_ECC -eq 1 ]; then
        # TLS client/server ECC TLS v1.2 and v1.3 Crypto callbacks
@ -424,10 +430,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
        run_tpm_tls_client "ecc" "" "4"
        run_tpm_tls_client "ecc" "-aes" "4"

-        run_tpm_tls_server "ecc" "" "3"
-        run_tpm_tls_server "ecc" "-aes" "3"
-        run_tpm_tls_server "ecc" "" "4"
-        run_tpm_tls_server "ecc" "-aes" "4"
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "ecc" "" "3"
+            run_tpm_tls_server "ecc" "-aes" "3"
+            run_tpm_tls_server "ecc" "" "4"
+            run_tpm_tls_server "ecc" "-aes" "4"
+        fi

        # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks
        run_tpm_tls_client "ecc" "-pk" "3"
@ -435,10 +443,12 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
        run_tpm_tls_client "ecc" "-pk" "4"
        run_tpm_tls_client "ecc" "-pk -aes" "4"

-        run_tpm_tls_server "ecc" "-pk" "3"
-        run_tpm_tls_server "ecc" "-pk -aes" "3"
-        run_tpm_tls_server "ecc" "-pk" "4"
-        run_tpm_tls_server "ecc" "-pk -aes" "4"
+        if [ $NO_PUBASPRIV -eq 0 ]; then
+            run_tpm_tls_server "ecc" "-pk" "3"
+            run_tpm_tls_server "ecc" "-pk -aes" "3"
+            run_tpm_tls_server "ecc" "-pk" "4"
+            run_tpm_tls_server "ecc" "-pk -aes" "4"
+        fi
    fi
 fi

--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@ -2818,6 +2818,8 @@ int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz,
    rc = wc_InitRsaKey(key, NULL);
    if (rc == 0) {
        idx = 0;
+        /* skip PKCS8 header */
+        (void)wc_GetPkcs8TraditionalOffset((byte*)der, &idx, derSz);
        rc = wc_RsaPrivateKeyDecode(der, &idx, key, derSz);
        if (rc == 0) {
            isPrivateKey = 1;
@ -3033,7 +3035,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
            /* load public portion of key into wolf RSA Key */
            rc = wolfTPM2_RsaKey_TpmToWolf(dev, tpmKey, &key.rsa);
            if (rc == 0) {
-                rc = wc_RsaKeyToPublicDer_ex(&key.rsa, out, *outSz, 1);
+                rc = wc_RsaKeyToPublicDer(&key.rsa, out, *outSz);
                if (rc > 0) {
                    derSz = rc;
                    rc = 0;
@ -6836,15 +6838,19 @@ static int CSR_Parse_DN(CertName* name, const char* subject)
        {"/CN=",     OFFSETOF(CertName, commonName)}, /* Common Name */
        {"/C=",      OFFSETOF(CertName, country)},    /* Country */
        {"/ST=",     OFFSETOF(CertName, state)},      /* State */
-        {"/street=", OFFSETOF(CertName, street)},     /* Street */
        {"/L=",      OFFSETOF(CertName, locality)},   /* Locality */
        {"/SN=",     OFFSETOF(CertName, sur)},        /* Surname */
        {"/O=",      OFFSETOF(CertName, org)},        /* Organization */
        {"/OU=",     OFFSETOF(CertName, unit)},       /* Organization Unit */
-        {"/postalCode=",   OFFSETOF(CertName, postalCode)}, /* PostalCode */
-        {"/userid=",       OFFSETOF(CertName, userId)},     /* UserID */
        {"/serialNumber=", OFFSETOF(CertName, serialDev)},  /* Serial Number */
        {"/emailAddress=", OFFSETOF(CertName, email)},      /* Email Address */
+    #if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x05000000
+        {"/street=", OFFSETOF(CertName, street)},     /* Street */
+        {"/postalCode=",   OFFSETOF(CertName, postalCode)}, /* PostalCode */
+    #endif
+    #if defined(LIBWOLFSSL_VERSION_HEX) && LIBWOLFSSL_VERSION_HEX > 0x05003000
+        {"/userid=",       OFFSETOF(CertName, userId)},     /* UserID */
+    #endif
    #ifdef WOLFSSL_CERT_EXT
        {"/businessCategory=", OFFSETOF(CertName, busCat)}, /* Business Category */
    #endif
@ -6916,7 +6922,7 @@ static int CSR_MakeAndSign(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, CSRKey* key,
    }

    /* Optionally convert to PEM */
-    if (rc >= 0 && outFormat == CTC_FILETYPE_PEM) {
+    if (rc >= 0 && outFormat == ENCODING_TYPE_PEM) {
    #ifdef WOLFSSL_DER_TO_PEM
        byte tmp[MAX_CONTEXT_SIZE];
        if (rc > (int)sizeof(tmp)) {
--- a/wolftpm/tpm2_types.h
+++ b/wolftpm/tpm2_types.h
@ -125,6 +125,17 @@ typedef int64_t  INT64;
    #define ENCODING_TYPE_PEM  1 /* CTC_FILETYPE_PEM */
    #define ENCODING_TYPE_ASN1 2 /* CTC_FILETYPE_ASN1 */

+    #ifndef WOLFSSL_HAVE_ECC_KEY_GET_PRIV
+        #define wc_ecc_key_get_priv(key) (&((key)->k))
+        #define WOLFSSL_HAVE_ECC_KEY_GET_PRIV
+    #endif
+
+    #ifndef PRIVATE_KEY_LOCK
+    #define PRIVATE_KEY_LOCK() do {} while (0)
+    #endif
+    #ifndef PRIVATE_KEY_UNLOCK
+    #define PRIVATE_KEY_UNLOCK() do {} while (0)
+    #endif
 #else

    #include <stdio.h>
@ -172,14 +183,6 @@ typedef int64_t  INT64;
        #define LITTLE_ENDIAN_ORDER
    #endif

-    #ifndef OFFSETOF
-        #if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 4))
-            #define OFFSETOF(type, field) __builtin_offsetof(type, field)
-        #else
-            #define OFFSETOF(type, field) ((size_t)&(((type *)0)->field))
-        #endif
-    #endif
-
    /* GCC Version */
    #ifndef __GNUC_PREREQ
        #if defined(__GNUC__) && defined(__GNUC_MINOR__)
@ -223,6 +226,14 @@ typedef int64_t  INT64;

 #endif /* !WOLFTPM2_NO_WOLFCRYPT */

+#ifndef OFFSETOF
+    #if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 4))
+        #define OFFSETOF(type, field) __builtin_offsetof(type, field)
+    #else
+        #define OFFSETOF(type, field) ((size_t)&(((type *)0)->field))
+    #endif
+#endif
+
 #ifndef WOLFTPM_CUSTOM_TYPES
    #include <stdlib.h>