From 569c3c58dc69d5c8628f3c329937c136be38df3f Mon Sep 17 00:00:00 2001 From: Andrey Pronin Date: Thu, 15 Dec 2016 14:19:49 -0800 Subject: tpm2: add support for padding-only RSASSA Perform PKCS1-padding-only signing for RSASSA if hashing algorithm is TPM_ALG_NULL in TPM2_Sign parameters and in the key public area. This feature is guarded by SUPPORT_PADDING_ONLY_RSASSA macro. BUG=chrome-os-partner:60967 BRANCH=none TEST=On a unowned machine with TPM2: corp enroll, login, install a network certificate (gECC or GMC), then: a) retrieve the public key from the installed certificate LIBCHAPS=`ls /usr/lib**/libchaps.so` CERTID=`pkcs11-tool --module=$LIBCHAPS --slot=1 --type=cert \ -O | grep "ID:" | awk '{print $2}'` pkcs11-tool --module=$LIBCHAPS --slot=1 --id=$CERTID \ --type=cert -r > /tmp/cert openssl x509 -inform der -pubkey -noout -in /tmp/cert > /tmp/pub.key b) sign a sample text using the private key for the certificate and MD5-RSA-PKCS mechanism, not supported by TPM2_Sign command: echo "ABCDEF" > /tmp/1.txt pkcs11-tool --module=$LIBCHAPS --slot=1 --id=$CERTID --sign \ -i /tmp/1.txt -o /tmp/1.sig -m MD5-RSA-PKCS c) verify signature: openssl dgst -md5 -verify /tmp/pub.key -signature /tmp/1.sig /tmp/1.txt Step (b) should succeed and step (c) should return "Verified OK". Change-Id: Iefc85d163089d6f7e09b3e7a41e1df33ba88fa3b Signed-off-by: Andrey Pronin Reviewed-on: https://chromium-review.googlesource.com/420811 Reviewed-by: Nagendra Modadugu Reviewed-by: Vadim Bendebury Reviewed-by: Darren Krahn
---
 CpriRSA.c | 12 ++++++++++--
 Implementation.h | 1 +
 Sign.c | 6 +++++-
 tpm_generated.c | 4 ++++
 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/CpriRSA.c b/CpriRSA.c
index a436716..c3f5d62 100644
--- a/CpriRSA.c
+++ b/CpriRSA.c
@@ -805,11 +805,19 @@ RSASSA_Encode(
 INT32 fillSize;
 pAssert(eOut != NULL && hIn != NULL);
 // Can't use this scheme if the algorithm doesn't have a DER string defined.
- if(derSize == 0 )
+ if(
+#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
+ hashAlg != TPM_ALG_NULL &&
+#endif
+ derSize == 0)
 return CRYPT_SCHEME;
 // If the digest size of 'hashAl' doesn't match the input digest size, then
 // the DER will misidentify the digest so return an error
- if((unsigned)_cpri__GetDigestSize(hashAlg) != hInSize)
+ if(
+#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
+ hashAlg != TPM_ALG_NULL &&
+#endif
+ (unsigned)_cpri__GetDigestSize(hashAlg) != hInSize)
 return CRYPT_PARAMETER;
 fillSize = eOutSize - derSize - hInSize - 3;
 // Make sure that this combination will fit in the provided space
diff --git a/Implementation.h b/Implementation.h
index f67d513..a503d2a 100644
--- a/Implementation.h
+++ b/Implementation.h
@@ -357,6 +357,7 @@ typedef UINT16 TPM_ALG_ID;
 #define ALG_SM4_VALUE 0x0013
 #if defined ALG_RSASSA && ALG_RSASSA == YES
 #define TPM_ALG_RSASSA (TPM_ALG_ID)(0x0014)
+#define SUPPORT_PADDING_ONLY_RSASSA YES
 #endif
 #define ALG_RSASSA_VALUE 0x0014
 #if defined ALG_RSAES && ALG_RSAES == YES
diff --git a/Sign.c b/Sign.c
index f0e29f9..10b673b 100644
--- a/Sign.c
+++ b/Sign.c
@@ -63,7 +63,11 @@ TPM2_Sign(
 // NOTE: this does not guarantee that the 'digest' is actually produced using
 // the indicated hash algorithm, but at least it might be.
 {
- if( in->digest.t.size
+ if(
+#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
+ in->inScheme.details.any.hashAlg != TPM_ALG_NULL &&
+#endif
+ in->digest.t.size
 != CryptGetHashDigestSize(in->inScheme.details.any.hashAlg))
 return TPM_RC_SIZE + RC_Sign_digest;
 }
diff --git a/tpm_generated.c b/tpm_generated.c
index b471be1..e3c72ab 100644
--- a/tpm_generated.c
+++ b/tpm_generated.c
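Review bot: With `hashAlg == TPM_ALG_NULL` both guards in RSASSA_Encode (CpriRSA.c) are now skipped, so `hIn` is padded exactly as supplied, with no DER prefix and no length tie to any digest; the only remaining bound is the fit check that follows the `fillSize` computation, which lies outside this hunk. The two comments above the guards still describe the old behaviour and should be updated, for example `// TPM_ALG_NULL (padding-only mode): no DER prefix, hIn is padded as supplied by the caller`. Because the caller can place its own DigestInfo in `hIn`, the output can verify as an ordinary RSASSA signature for a hash the TPM never checked (the MD5 case in the commit's TEST steps), and that belongs in the function's header comment so key-usage policy can account for it. The same `#if`/`#endif` pair is spliced into three `if(` conditions (twice here, once in Sign.c); one helper macro would keep those conditions readable.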
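Review bot: In Implementation.h, `SUPPORT_PADDING_ONLY_RSASSA` is set to `YES` unconditionally whenever `ALG_RSASSA` is enabled, so a build cannot switch the relaxed checks off without editing this header. Wrapping the line as `#ifndef SUPPORT_PADDING_ONLY_RSASSA` / `#define SUPPORT_PADDING_ONLY_RSASSA YES` / `#endif` would let a configuration define it as `NO` beforehand. A one-line comment stating which checks the macro relaxes would also help anyone auditing the build options.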
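Review bot: The condition added in TPM2_Sign (Sign.c) tests only `in->inScheme.details.any.hashAlg`, so the digest-size check is skipped for any signing scheme that carries TPM_ALG_NULL, not only for RSASSA as the commit message describes. Tightening it to `!(in->inScheme.scheme == TPM_ALG_RSASSA && in->inScheme.details.any.hashAlg == TPM_ALG_NULL) &&` would keep the size check for every other scheme. TPM2_Sign starts and ends outside this hunk, so it is not visible here whether a NULL hash is rejected elsewhere for other schemes or for restricted keys; if it is not, that check belongs next to this one. The tpm_generated.c change passes `TRUE` to `TPMI_ALG_HASH_Unmarshal`, which presumably admits TPM_ALG_NULL for every command that unmarshals an RSASSA scheme, so the command-level checks are where the feature has to be confined.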
@@ -2349,7 +2349,11 @@ UINT16 TPMS_SIG_SCHEME_RSASSA_Marshal(TPMS_SIG_SCHEME_RSASSA* source, TPM_RC TPMS_SIG_SCHEME_RSASSA_Unmarshal(TPMS_SIG_SCHEME_RSASSA* target, BYTE** buffer, INT32* size) { +#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES + return TPMI_ALG_HASH_Unmarshal(&target->hashAlg, buffer, size, TRUE); +#else return TPMS_SCHEME_HASH_Unmarshal(target, buffer, size); +#endif } UINT16 TPMS_ENC_SCHEME_OAEP_Marshal(TPMS_ENC_SCHEME_OAEP* source, -- cgit v1.2.3