Add support for PRK password in TPM plugin

PRK Password needs to be passed to TPM Plugin
for load key operations to work.
P7: Moved readPassword to calling function
P8: Check size of password string before memcpy
P9: Updated readme

Issue-ID: AAF-484
Change-Id: I213446012005f2919ee0912ccfe99c3a555ccb74
Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>

4 files changed, 60 insertions, 20 deletions

diff --git a/TPM2-Plugin/README.md b/TPM2-Plugin/README.md
index 978495c..5d8183f 100644
--- a/TPM2-Plugin/README.md
+++ b/TPM2-Plugin/README.md
@@ -1,16 +1,26 @@
-## Introduction
+# Introduction
 
 This is TPM2-Plugin to load asymetric key pairs to TPM2.0 module.
 The private part of keys can only be used for signing when it is loaded in TPM module.
-### Build
+Loading Password protected Primary Keys in plugin requires the setting of the
+following ENVIRONMENT Variable:
+```
+TPM_PRK_PASSWORD
+```
+The plugin will read this and setup hmac appropriately for the session.
+## Build
 
+```
 ./bootstrap
 ./configure --prefix test
+```
 
-### Installation
+## Installation and Uninstallation
+```
 make install
+```
 
-###Uninstall
-
+```
 make clean
 make distclean
+```
\ No newline at end of file
diff --git a/TPM2-Plugin/lib/tpm2_plugin_api.c b/TPM2-Plugin/lib/tpm2_plugin_api.c
index c763ef3..c27ec55 100644
--- a/TPM2-Plugin/lib/tpm2_plugin_api.c
+++ b/TPM2-Plugin/lib/tpm2_plugin_api.c
@@ -277,11 +277,11 @@ int hex2ByteStructure(const char *inStr, UINT16 *byteLength, BYTE *byteBuffer)
     }
     return 0;
 }
+
 int load_key(TSS2_SYS_CONTEXT *sapi_context,
              TPMI_DH_OBJECT    parentHandle,
              TPM2B_PUBLIC     *inPublic,
-             TPM2B_PRIVATE    *inPrivate,
-             int               P_flag)
+             TPM2B_PRIVATE    *inPrivate)
 {
     UINT32 rval;
     TPMS_AUTH_RESPONSE sessionDataOut;
@@ -304,9 +304,6 @@ int load_key(TSS2_SYS_CONTEXT *sapi_context,
     sessionData.sessionHandle = TPM_RS_PW;
     sessionData.nonce.t.size = 0;
 
-    if(P_flag == 0)
-        sessionData.hmac.t.size = 0;
-
     *((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0;
     if (sessionData.hmac.t.size > 0 && hexPasswd)
     {
@@ -400,6 +397,29 @@ int read_public(TSS2_SYS_CONTEXT *sapi_context,
     return 0;
 }
 
+/*
+Reads the PRK_PASSWORD Environment variable
+and populates that information into the
+sessionData global environment variable
+*/
+int readPassword()
+{
+    char *prk_passwd;
+
+    sessionData.hmac.t.size = 0;
+    
+    prk_passwd = getenv("TPM_PRK_PASSWORD");
+    if (prk_passwd != NULL) {
+        sessionData.hmac.t.size = strlen(prk_passwd);
+        if (sessionData.hmac.t.size > sizeof(sessionData.hmac.t.buffer)) {
+            return -1;
+        }
+        memcpy(sessionData.hmac.t.buffer, prk_passwd, sessionData.hmac.t.size);
+        return 0;
+    }
+    return 0;
+}
+
 TPMS_CONTEXT loaded_key_context;
 
 int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
@@ -443,11 +463,16 @@ int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
         }
     }
 
+    // Read TPM_PRK_PASSWORD and setup sessionsData appropriately
+    if (readPassword() != 0) {
+        // Password read failure
+        return -1;
+    }
+
     returnVal = load_key (sapi_context,
                           parentHandle,
                           &inPublic,
-                          &inPrivate,
-                          0);
+                          &inPrivate);
     returnVal = read_public(sapi_context,
                             handle2048rsa,
                             importkey_info);
diff --git a/bin/caservicecontainer/import.sh b/bin/caservicecontainer/import.sh
index f7aaca8..0efff37 100755
--- a/bin/caservicecontainer/import.sh
+++ b/bin/caservicecontainer/import.sh
@@ -1,17 +1,22 @@
 #!/bin/bash
 
 # NOTE - This scripts expects the Init and the Duplicate tools to be already
-# run and the output files(listedb in README) to be present at the
+# run and the output files(listed in README) to be present at the
 # shared volume (input for Import tool)
+# It also requires the following ENVIRONMENT variables to be set
+# SECRETS_FOLDER - containing the srk_handl and prk_passwd files in base64
+# DATA_FOLDER - containing the files that are produced from the distcenter
 
 set -e
 
+#Primary Key Password used by TPM Plugin to load keys
+TPM_PRK_PASSWORD="$(cat ${SECRETS_FOLDER}/prk_passwd | base64 -d)"
+#Handle to the aforementioned Primary Key
+SRK_HANDLE="$(cat ${SECRETS_FOLDER}/srk_handle | base64 -d)"
 #Placeholder of Input files to the Import tool which is the output of duplicate tool
-sharedvolume="/tmp/files"
+sharedvolume="${DATA_FOLDER}"
 #key_id is the parameter expected by SoftHSM
 key_id="8738"
-#TPM handle
-tpm_handle="0x81000011"
 #Key_label is the  parameter expected by SoftHSM
 key_label="ABC"
 #UserPin for the SoftHSM operations
@@ -40,12 +45,13 @@ if [ -f ${sharedvolume}/out_parent_public ]; then
 
     # 2.b Run the Import Utility
     cd /tpm-util/bin
-    ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \
--dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv
+    ./ossl_tpm_import -H $SRK_HANDLE -dupPub dupPub -dupPriv dupPriv \
+    -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \
+    -password $TPM_PRK_PASSWORD
 
     cd /
     chmod 755 softhsmconfig.sh
-    ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID
+    ./softhsmconfig.sh $SRK_HANDLE $key_id $key_label $upin $sopin $SoftHSMv2SlotID
 else
 
 # 3 SoftHSM mode implementation
diff --git a/bin/caservicecontainer/softhsmconfig.sh b/bin/caservicecontainer/softhsmconfig.sh
index 5464263..316d507 100755
--- a/bin/caservicecontainer/softhsmconfig.sh
+++ b/bin/caservicecontainer/softhsmconfig.sh
@@ -17,7 +17,6 @@ echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
 
 # Configuration generation for SoftHSM
 # 1.a Create the directory as expected by the SoftHSM to read the files
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
 mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
 mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01