Fixes for TPM based RSA key reloading. ZD 20045. Improve WP11_Rsa_GenerateKeyPair exponent logic. Fix for missing HAVE_GETPID in random.h WC_RNG.

Author: dgarske

.github/workflows/unit-test.yml

@@ -20,7 +20,7 @@ jobs:
     uses: ./.github/workflows/build-workflow.yml
     with:
       config: --enable-singlethreaded --enable-wolftpm --disable-dh C_EXTRA_FLAGS="-DWOLFPKCS11_TPM_STORE"
-      check: ./tests/pkcs11str && ./tests/pkcs11test
+      check: ./tests/pkcs11str && ./tests/pkcs11test && ./tests/rsa_session_persistence_test
 
   no_rsa:
     uses: ./.github/workflows/build-workflow.yml

.gitignore

@@ -60,5 +60,6 @@ tests/wp11_symmkey_*
 tests/wp11_token_*
 tests/wp11_obj_*
 tests/token_path_test
+tests/rsa_session_persistence_test
 
 IDE/VisualStudio/.vs

configure.ac

@@ -75,7 +75,7 @@ AC_CHECK_SIZEOF([long long], 8)
 AC_CHECK_SIZEOF([long], 4)
 
 # Check headers/libs
-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday inet_ntoa memset socket])
+AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday inet_ntoa memset socket getpid])
 AC_CHECK_LIB([network],[socket])
 
 # DEBUG

src/internal.c

@@ -19,7 +19,6 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-#include "wolfpkcs11/pkcs11.h"
 #ifdef HAVE_CONFIG_H
     #include <wolfpkcs11/config.h>
 #endif
@@ -2421,9 +2420,21 @@ static int wp11_Object_Decode_RsaKey(WP11_Object* object)
         }
         if (ret == 0) {
             /* load public portion into wolf RsaKey structure */
+            object->slot->tpmCtx.rsaKey = (WOLFTPM2_KEY*)&object->tpmKey;
             ret = wolfTPM2_RsaKey_TpmToWolf(&object->slot->tpmDev,
                 (WOLFTPM2_KEY*)&object->tpmKey, &object->data.rsaKey);
         }
+        if (ret == 0) {
+            /* load key into TPM (get handle) */
+            if (object->tpmKey.priv.size == 0) {
+                ret = wolfTPM2_LoadPublicKey(&object->slot->tpmDev,
+                    (WOLFTPM2_KEY*)&object->tpmKey, &object->tpmKey.pub);
+            }
+            else {
+                ret = wolfTPM2_LoadKey(&object->slot->tpmDev, &object->tpmKey,
+                    &object->slot->tpmCtx.storageKey->handle);
+            }
+        }
     }
     else
 #endif
@@ -8243,21 +8254,22 @@ int WP11_Rsa_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv,
 {
     int ret = 0;
     unsigned char eData[sizeof(long)];
-    int i;
+    int i, eSz;
     long e = 0;
     WC_RNG rng;
 
     /* Use public exponent if public key has one set. */
     if (!mp_iszero(&pub->data.rsaKey.e)) {
         XMEMSET(eData, 0, sizeof(eData));
         /* Public exponent must be size of a long for API. */
-        if (mp_unsigned_bin_size(&pub->data.rsaKey.e) > (int)sizeof(eData))
+        eSz = mp_unsigned_bin_size(&pub->data.rsaKey.e);
+        if (eSz > (int)sizeof(eData))
             ret = BAD_FUNC_ARG;
         if (ret == 0)
-            ret = mp_to_unsigned_bin(&pub->data.rsaKey.e, eData);
+            ret = mp_to_unsigned_bin_len(&pub->data.rsaKey.e, eData, eSz);
         if (ret == 0) {
             /* Convert big-endian data into number. */
-            for (i = sizeof(eData) - 1; i >= 0; i--) {
+            for (i = eSz - 1; i >= 0; i--) {
                 e <<= 8;
                 e |= eData[i];
             }

tests/include.am

@@ -21,11 +21,17 @@ noinst_PROGRAMS += tests/token_path_test
 tests_token_path_test_SOURCES = tests/token_path_test.c
 tests_token_path_test_LDADD =
 
+check_PROGRAMS += tests/rsa_session_persistence_test
+noinst_PROGRAMS += tests/rsa_session_persistence_test
+tests_rsa_session_persistence_test_SOURCES = tests/rsa_session_persistence_test.c
+tests_rsa_session_persistence_test_LDADD =
+
 if BUILD_STATIC
 tests_pkcs11test_LDADD += src/libwolfpkcs11.la
 tests_pkcs11mtt_LDADD  += src/libwolfpkcs11.la
 tests_pkcs11str_LDADD  += src/libwolfpkcs11.la
 tests_token_path_test_LDADD += src/libwolfpkcs11.la
+tests_rsa_session_persistence_test_LDADD += src/libwolfpkcs11.la
 endif
 
 EXTRA_DIST += tests/unit.h \