ECC: Support all ECC functionality in chaps

Issue description

For chaps, we have multiple milestones for supporting ECC.
1. Software support all ECC PKCS#11 functionality
2. Utilize TPM as hardware ECC key storage/generator when TPM is present. (reference the RSA implementation)
Nov 30
Dec 12
Dec 19
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/18c89d632b6800ead6d5775aa700eada9990a182

commit 18c89d632b6800ead6d5775aa700eada9990a182
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Wed Dec 19 05:33:30 2018

chaps: Isolate RSA key generation code to GenerateRSAKeyPair()

Move all RSA key generation related code out from GenerateKeyPair() in session_impl which is the implementation of PKCS#11 C_GenerateKeyPair. Then we can put the general stuff in GenerateKeyPair() and dispatch to the corresponding function according to the mechanism.

The shared RSA logic is put in GenerateRSAKeyPair(), software-backed generation is put in GenerateRSAKeyPairSoftware(), and TPM-backed is put in GenerateRSAKeyPairTPM().

BUG=chromium:910633
TEST=passed chaps unit tests (expected no change of behavior)
     passed manual test of p11_replay

Change-Id: I489e18c05855eca565bcd50599ae8b8242e22660
Reviewed-on: https://chromium-review.googlesource.com/1373593
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>

[modify] https://crrev.com/18c89d632b6800ead6d5775aa700eada9990a182/chaps/session_impl.cc
[modify] https://crrev.com/18c89d632b6800ead6d5775aa700eada9990a182/chaps/session_impl.h
Dec 21
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/be2ec18641db2e124cdc0a0e802268afcd4ac601

commit be2ec18641db2e124cdc0a0e802268afcd4ac601
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Fri Dec 21 02:06:15 2018

chaps: Isolate RSA key object checking

Mark all RSA related attributes to non-required. Check in IsObjectComplete() instead.

BUG=chromium:910633
TEST=passed unittest (expected no behavior change)

Change-Id: If0bb6601610d4b51c031df033728cea5b24b8125
Reviewed-on: https://chromium-review.googlesource.com/1382313
Commit-Ready: Meng-Huan Yu <menghuan@chromium.org>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>

[modify] https://crrev.com/be2ec18641db2e124cdc0a0e802268afcd4ac601/chaps/object_policy_public_key.h
[modify] https://crrev.com/be2ec18641db2e124cdc0a0e802268afcd4ac601/chaps/object_policy_private_key.cc
[modify] https://crrev.com/be2ec18641db2e124cdc0a0e802268afcd4ac601/chaps/object_policy_public_key.cc
Dec 21
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/99d3da98860f021a0905092631d4fe640a3aa40f

commit 99d3da98860f021a0905092631d4fe640a3aa40f
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Fri Dec 21 02:06:15 2018

chaps: add ECC key object policy

Add ECC key checking policy.

BUG=chromium:910633
TEST=passed unittest (expected no behavior change)

Change-Id: Id799be8683beda6aa98995cc8474f5fe4dc67093
Reviewed-on: https://chromium-review.googlesource.com/1382314
Commit-Ready: Meng-Huan Yu <menghuan@chromium.org>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/99d3da98860f021a0905092631d4fe640a3aa40f/chaps/object_policy_private_key.cc
[modify] https://crrev.com/99d3da98860f021a0905092631d4fe640a3aa40f/chaps/object_policy_public_key.cc
Jan 10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/322014d22d5ff5c68f1d3ce1b86786f4b2b5208c

commit 322014d22d5ff5c68f1d3ce1b86786f4b2b5208c
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Thu Jan 10 21:58:32 2019

chaps: Support software ECC key pair generation

BUG=chromium:910633
TEST=manually test
  pkcs11-tool --module=`ls /usr/lib*/libchaps.so` -k --key-type \
    EC:prime256v1
TEST=unittest at the incoming CL

Change-Id: Id7a6604cb05ae269091f08fa88e35cac9964ba23
Reviewed-on: https://chromium-review.googlesource.com/1382315
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>

[modify] https://crrev.com/322014d22d5ff5c68f1d3ce1b86786f4b2b5208c/chaps/session_impl.cc
[modify] https://crrev.com/322014d22d5ff5c68f1d3ce1b86786f4b2b5208c/chaps/session_impl.h
Jan 10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/3a4f6493cb4f84f14751e0c9eb2bc95265e7af86

commit 3a4f6493cb4f84f14751e0c9eb2bc95265e7af86
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Thu Jan 10 21:58:32 2019

chaps: Support software ECC Sign/Verify

Only the implementation. The mechanism has not been enabled yet.

BUG=chromium:910633
TEST=unittest at the incoming CL.

Change-Id: I077d7d92db06cc913bb886bccf5d82b9e13585c1
Reviewed-on: https://chromium-review.googlesource.com/1391047
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>

[modify] https://crrev.com/3a4f6493cb4f84f14751e0c9eb2bc95265e7af86/chaps/session_impl.cc
[modify] https://crrev.com/3a4f6493cb4f84f14751e0c9eb2bc95265e7af86/chaps/session_impl.h
Jan 10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/f6aa5f226a68fa219f16f31ed8853fc3f9e22b5a

commit f6aa5f226a68fa219f16f31ed8853fc3f9e22b5a
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Thu Jan 10 21:58:33 2019

chaps: Add ECDSA and ECDSA_SHA1 mechanism for Sign/Verify

* Add CKM_ECDSA without manual test since OpenSSL doesn't support this. But we have unittest later.
* Add CKM_ECDSA_SHA1 with manual test.

BUG=chromium:910633
TEST=manually sign/verify
  # Generate key
  pkcs11-tool --module=`ls /usr/lib*/libchaps.so` --label 'ec-test' \
    --keypairgen --key-type EC:prime256v1
  # Sign
  echo "ABCDEF" > /tmp/1.txt
  pkcs11-tool --module=`ls /usr/lib*/libchaps.so` --label 'ec-test' \
    --sign --mechanism ECDSA-SHA1 --signature-format openssl \
    -i /tmp/1.txt -o /tmp/1.sig
  # Dump DER pubkey to file
  pkcs11-tool --module=`ls /usr/lib*/libchaps.so` --label 'ec-test' \
    --read-object --type pubkey > pubkey
  # Verify by OpenSSL
  openssl dgst -ecdsa-with-SHA1 -verify pubkey -keyform der \
    -signature /tmp/1.sig /tmp/1.txt
  # Expected output: Verified OK
TEST=manually run test-ec
  pkcs11-tool --module=`ls /usr/lib*/libchaps.so` \
    --login --test-ec --id 01 --key-type EC:prime256v1
TEST=unittest in the coming CL.

Change-Id: If23b83653015d554b6dff82c33233f57bc362a09
Reviewed-on: https://chromium-review.googlesource.com/1391051
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>

[modify] https://crrev.com/f6aa5f226a68fa219f16f31ed8853fc3f9e22b5a/chaps/session_impl.cc
Jan 10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67

commit 89f327e69745eb9d9d3f3187fe34c96f2c2e5a67
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Thu Jan 10 21:58:39 2019

chaps: Rename GenerateKey/GetPublicKey in tpm_utility for RSA

* GenerateKey -> GenerateRSAKey
* GetPublicKey -> GetRSAPublicKey

BUG=chromium:910633
TEST=passed unittest

Change-Id: Ibb8330f77e025976db2216945826d3f6c933953e
Reviewed-on: https://chromium-review.googlesource.com/1404460
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Louis Collard <louiscollard@chromium.org>

[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm2_utility_impl.cc
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/slot_manager_test.cc
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm_utility.h
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/session_test.cc
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm_utility_impl.cc
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/slot_manager_impl.cc
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm_utility_impl.h
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm_utility_test.cc
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/session_impl.cc
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm_utility_mock.h
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm2_utility_impl.h
[modify] https://crrev.com/89f327e69745eb9d9d3f3187fe34c96f2c2e5a67/chaps/tpm2_utility_test.cc
Jan 11
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/778cb567e611ca7f5f48488c923ff4158deb79c7

commit 778cb567e611ca7f5f48488c923ff4158deb79c7
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Fri Jan 11 21:32:08 2019

chaps: Isolate WrapRSAPrivateKey out from WrapPrivateKey

BUG=chromium:910633
TEST=unittest

Change-Id: I3a091cc4b89e92e450e3d94be2dec57389e1a77a
Reviewed-on: https://chromium-review.googlesource.com/1392129
Commit-Ready: Meng-Huan Yu <menghuan@chromium.org>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/778cb567e611ca7f5f48488c923ff4158deb79c7/chaps/session_impl.cc
[modify] https://crrev.com/778cb567e611ca7f5f48488c923ff4158deb79c7/chaps/session_impl.h
Jan 11
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/da22a996c2c0154a84e6fa4f02a274641c2366bf

commit da22a996c2c0154a84e6fa4f02a274641c2366bf
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Fri Jan 11 21:32:08 2019

chaps: p11_replay: Refactor the object importing process

p11_replay is used for integration test (autotest). Some changes to the importing process to make adding the ECC stuff easy.

* Rename the functions:
  * InjectKeyPair -> InjectRSAKeyPair.
  * CreatePublicKey -> CreateRSAPublicKey.
  * CreatePrivateKey -> CreateRSAPrivateKey.
* Add ParseAndCreatePublicKey/PrivateKey/Certificate.
* Isolate ParseRSAPrivateKey/PrivateKey.
* Use Scoped OpenSSL object.
* Rewrite the logic of parsing RSA key to make it possible to support ECC later.

BUG=chromium:910633
TEST=build successfully
TEST=manually test
  # Generate RSA key by OpenSSL
  openssl genrsa -out /tmp/priv.key
  openssl rsa -in /tmp/priv.key -pubout \
    -out /tmp/pub-x509.key -outform der
  openssl rsa -in /tmp/priv.key -pubout \
    -RSAPublicKey_out -out /tmp/pub-pkcs1.key -outform der
  openssl rsa -in /tmp/priv.key -out /tmp/priv.der -outform der
  openssl pkcs8 -topk8 -in /tmp/priv.key -out /tmp/priv.pk8 \
    -outform der -nocrypt
  openssl req -nodes -x509 -sha1 -key /tmp/priv.key \
    -out /tmp/cert -outform der \
    -days 365 -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/"

  # Test PKCS#1 and X.509 SubjectPublicKeyInfo format of RSA public key
  p11_replay --import --path=/tmp/pub-x509.key --type=pubkey --id=aa
  p11_replay --import --path=/tmp/pub-pkcs1.key --type=pubkey --id=aa

  # Test PKCS#1 and PKCS#8 format of RSA private key
  p11_replay --import --path=/tmp/priv.pk8 --type=privkey --id=aa
  p11_replay --import --path=/tmp/priv.der --type=privkey --id=aa

  # Test RSA cert importing
  p11_replay --import --path=/tmp/cert --type=cert --id=aa

Change-Id: Ia998c263e16a43ebc313beca479b226490247a83
Reviewed-on: https://chromium-review.googlesource.com/1393189
Commit-Ready: Meng-Huan Yu <menghuan@chromium.org>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>

[modify] https://crrev.com/da22a996c2c0154a84e6fa4f02a274641c2366bf/chaps/p11_replay.cc
Jan 11
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/7c1964e526a0961a5b31e61a291f536d34995620

commit 7c1964e526a0961a5b31e61a291f536d34995620
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Fri Jan 11 21:32:08 2019

chaps: p11_replay: Support ECC Public key private key importing

BUG=chromium:910633
TEST=build successfully
TEST=manually test
  # Generate ECC key by OpenSSL
  openssl ecparam -name prime256v1 -genkey -noout -out /tmp/priv.key
  openssl ec -in /tmp/priv.key -pubout \
    -out /tmp/pub.der -outform der
  openssl ec -in /tmp/priv.key \
    -out /tmp/priv.der -outform der

  # Test X.509 SubjectPublicKeyInfo of ECC public key
  p11_replay --import --path=/tmp/pub.der --type=pubkey --id=aa

  # Test RFC 5915 format of ECC private key
  p11_replay --import --path=/tmp/priv.der --type=privkey --id=aa

Change-Id: I3b89ae4e75559fc98b53d2ac277ad5bf4b914d5b
Reviewed-on: https://chromium-review.googlesource.com/1393190
Commit-Ready: Meng-Huan Yu <menghuan@chromium.org>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/7c1964e526a0961a5b31e61a291f536d34995620/chaps/p11_replay.cc
Jan 11
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/67f4d8bcf78d323472dcb706d4bb9347f031805f

commit 67f4d8bcf78d323472dcb706d4bb9347f031805f
Author: Meng-Huan Yu <menghuan@chromium.org>
Date: Fri Jan 11 21:32:07 2019

chaps: Add unittest for ECC key gen/sign/verify.

* Add test for ECC key generation
* Add test for raw ECDSA (CKM_ECDSA) and ECDSA with SHA1 (CKM_ECDSA_SHA1)

BUG=chromium:910633
TEST=unittest passed

Change-Id: I53a9cab91c01f411b5dd3e9f9aa716d3d01021a9
Reviewed-on: https://chromium-review.googlesource.com/1401975
Commit-Ready: Meng-Huan Yu <menghuan@chromium.org>
Tested-by: Meng-Huan Yu <menghuan@chromium.org>
Reviewed-by: Meng-Huan Yu <menghuan@chromium.org>

[modify] https://crrev.com/67f4d8bcf78d323472dcb706d4bb9347f031805f/chaps/session_test.cc
Jan 13
1 is done. Work on 2. for HW (TPM) support.
Comment 1 by menghuan@chromium.org, Nov 30