Merged PR 846969: Make a iothsm-tpm library that links in TPM functio…

…nality. Adds the TPM code from C_SDK fixed up to work with iothsm needs, including adding `hsm_tpm_derive_and_sign_with_identity`, TPM as a device is selectable at runtime by setting "IOTEDGE_USE_TPM_DEVICE" to "ON".
Federico-Figalli · May 24, 2018 · 1b68baf · 1b68baf
1 parent e38801c
commit 1b68baf
Show file tree

Hide file tree

Showing 25 changed files with 2,308 additions and 165 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,6 @@
-[submodule "edgelet/hsm-sys/azure-iot-hsm-c/azure-c-shared-utility"]
-	path = edgelet/hsm-sys/azure-iot-hsm-c/azure-c-shared-utility
-	url = https://github.com/Azure/azure-c-shared-utility
+[submodule "edgelet/hsm-sys/azure-iot-hsm-c/deps/azure-c-shared-utility"]
+	path = edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared
+	url = https://github.com/Azure/azure-c-shared-utility.git
+[submodule "edgelet/hsm-sys/azure-iot-hsm-c/deps/azure-utpm-c"]
+	path = edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm
+	url = https://github.com/Azure/azure-utpm-c.git
diff --git a/edgelet/build/windows/test.ps1 b/edgelet/build/windows/test.ps1
@@ -22,7 +22,6 @@ $env:IOTEDGE_HOMEDIR = $env:Temp
 
 Write-Host "$cargo test --all $(if ($Release) { '--release' }) --manifest-path $ManifestPath"
 Invoke-Expression "$cargo test --all $(if ($Release) { '--release' }) --manifest-path $ManifestPath"
-if ($LastExitCode)
-{
+if ($LastExitCode) {
     Throw "cargo test failed with exit code $LastExitCode"
 }
diff --git a/edgelet/hsm-sys/README.md b/edgelet/hsm-sys/README.md
@@ -5,6 +5,12 @@ This crate is the unsafe C to Rust interface for the HSM API library.
 This crate represents the functions that the HSM API implements. This crate is 
 used by the HSM-RS crate to provide more Rust-friendly interfaces.
 
+## TPM functionality
+
+The default hsm library built as part of this crate has two modes for the TPM functional interface: 
+an in-memory keystore, and a TPM device keystore.  The default is the in-memory keystore. To enable 
+the TPM device keystore set an envronment variable `IOTEDGE_USE_TPM_DEVICE` to "ON".
+
 ## Memory allocation
 
 The current HSPM API functions expect the calling function to allocate 

diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/CMakeLists.txt b/edgelet/hsm-sys/azure-iot-hsm-c/CMakeLists.txt
@@ -9,7 +9,8 @@ set (iothsm_VERSION_MINOR 1)
 #Use solution folders.
 set_property(GLOBAL PROPERTY USE_FOLDERS ON)
 
-include_directories(./azure-c-shared-utility/inc)
+include_directories(./deps/c-shared/inc)
+include_directories(./deps/utpm/inc)
 include_directories(. ./inc)
 
 find_package(OpenSSL REQUIRED)
@@ -20,13 +21,16 @@ set(source_c_files
     ./src/constants.c
     ./src/edge_hsm_client_crypto.c
     ./src/edge_hsm_client_store.c
-    ./src/edge_hsm_client_tpm.c
     ./src/edge_hsm_client_x509.c
     ./src/edge_hsm_key_interface.c
+    ./src/edge_sas_perform_sign_with_key.c
     ./src/edge_pki_openssl.c
     ./src/edge_sas_key.c
     ./src/hsm_certificate_props.c
     ./src/hsm_client_data.c
+    ./src/hsm_client_tpm_device.c
+    ./src/hsm_client_tpm_in_mem.c
+    ./src/hsm_client_tpm_select.c
     ./src/hsm_log.c
     ./src/hsm_utils.c
 )
@@ -35,6 +39,14 @@ set(source_h_files
     ./inc/certificate_info.h
     ./inc/hsm_client_data.h
     ./inc/hsm_certificate_props.h
+    ./src/edge_sas_perform_sign_with_key.h
+    ./src/hsm_client_store.h
+    ./src/hsm_client_tpm_device.h
+    ./src/hsm_client_tpm_in_mem.h
+    ./src/hsm_constants.h
+    ./src/hsm_key.h
+    ./src/hsm_log.h
+    ./src/hsm_utils.h
 )
 
 if(WIN32)
@@ -71,21 +83,22 @@ endif(WIN32)
 # We want this to always be a shared library and let the dynamic linker on the
 # target system find the HSM library.
 if(BUILD_SHARED)
-    add_library(iothsm SHARED ${source_c_files} ${source_h_files})
+    add_library(iothsm SHARED ${source_c_files} ${source_in_mem_store_c_files} ${source_h_files})
 else()
-    add_library(iothsm STATIC ${source_c_files} ${source_h_files})
+    add_library(iothsm STATIC ${source_c_files} ${source_in_mem_store_c_files} ${source_h_files})
 endif(BUILD_SHARED)
 
 if (run_unittests)
     enable_testing()
     set(save_ut ${run_unittests})
     set(run_unittests OFF CACHE BOOL "unittests" FORCE)
-    add_subdirectory(./azure-c-shared-utility/testtools/ctest)
-    add_subdirectory(./azure-c-shared-utility/testtools/testrunner)
-    add_subdirectory(./azure-c-shared-utility/testtools/umock-c)
+    add_subdirectory(./deps/c-shared/testtools/ctest)
+    add_subdirectory(./deps/c-shared/testtools/testrunner)
+    add_subdirectory(./deps/c-shared/testtools/umock-c)
 endif(run_unittests)
 
-add_subdirectory(./azure-c-shared-utility EXCLUDE_FROM_ALL)
+add_subdirectory(./deps/c-shared EXCLUDE_FROM_ALL)
+add_subdirectory(./deps/utpm EXCLUDE_FROM_ALL)
 
 if (save_ut)
     set(run_unittests ${save_ut} CACHE BOOL "unittests" FORCE)
@@ -96,9 +109,9 @@ if (${run_unittests})
 endif()
 
 if(WIN32)
-    target_link_libraries(iothsm aziotsharedutil $ENV{OPENSSL_ROOT_DIR}/lib/ssleay32.lib $ENV{OPENSSL_ROOT_DIR}/lib/libeay32.lib)
+    target_link_libraries(iothsm aziotsharedutil utpm $ENV{OPENSSL_ROOT_DIR}/lib/ssleay32.lib $ENV{OPENSSL_ROOT_DIR}/lib/libeay32.lib)
 else()
-     target_link_libraries(iothsm aziotsharedutil ${OPENSSL_LIBRARIES})
+     target_link_libraries(iothsm aziotsharedutil utpm ${OPENSSL_LIBRARIES})
 endif(WIN32)
 
 install(TARGETS iothsm DESTINATION lib)

diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/azure-c-shared-utility b/edgelet/hsm-sys/azure-iot-hsm-c/azure-c-shared-utility
diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared b/edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared
diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm b/edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm
diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/constants.c b/edgelet/hsm-sys/azure-iot-hsm-c/src/constants.c
@@ -1,3 +1,4 @@
+// Copyright (c) Microsoft. All rights reserved.
 #include "hsm_constants.h"
 
 /* IOTEDGE env variables set by iotedged */
@@ -6,6 +7,7 @@ const char* const ENV_DEVICE_CA_PATH = "IOTEDGE_DEVICE_CA_PATH";
 const char* const ENV_DEVICE_CA_CHAIN_PATH = "IOTEDGE_DEVICE_CA_CHAIN_PATH";
 const char* const ENV_DEVICE_PK_PATH = "IOTEDGE_DEVICE_PK_PATH";
 const char* const ENV_OWNER_CA_PATH = "IOTEDGE_OWNER_CA_PATH";
+const char* const ENV_TPM_SELECT = "IOTEDGE_USE_TPM_DEVICE"; 
 
 /* HSM directory name under IOTEDGE_HOMEDIR */
 const char* const DEFAULT_EDGE_HOME_DIR_UNIX = "/var/lib/iotedge"; // note MacOS is included

diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_sas_key.c b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_sas_key.c
@@ -1,7 +1,7 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
 #include "azure_c_shared_utility/gballoc.h"
-#include "azure_c_shared_utility/buffer_.h"
-#include "azure_c_shared_utility/hmacsha256.h"
-
+#include "edge_sas_perform_sign_with_key.h"
 #include "hsm_key.h"
 #include "hsm_log.h"
 
@@ -13,62 +13,6 @@ struct SAS_KEY_TAG
 };
 typedef struct SAS_KEY_TAG SAS_KEY;
 
-static int perform_sign_with_key
-(
-    const unsigned char* key,
-    size_t key_len,
-    const unsigned char* data_to_be_signed,
-    size_t data_to_be_signed_size,
-    unsigned char** digest,
-    size_t* digest_size
-)
-{
-    int result;
-    BUFFER_HANDLE signed_payload_handle;
-
-    if ((signed_payload_handle = BUFFER_new()) == NULL)
-    {
-        LOG_ERROR("Error allocating new buffer handle");
-        result = 1;
-    }
-    else
-    {
-        size_t signed_payload_size;
-        unsigned char *result_digest, *src_digest;
-        int status = HMACSHA256_ComputeHash(key, key_len, data_to_be_signed,
-                                            data_to_be_signed_size, signed_payload_handle);
-        if (status != HMACSHA256_OK)
-        {
-            LOG_ERROR("Error computing HMAC256SHA signature");
-            result = 1;
-        }
-        else if ((signed_payload_size = BUFFER_length(signed_payload_handle)) == 0)
-        {
-            LOG_ERROR("Error computing HMAC256SHA. Signature size is 0");
-            result = 1;
-        }
-        else if ((src_digest = BUFFER_u_char(signed_payload_handle)) == NULL)
-        {
-            LOG_ERROR("Error obtaining underlying uchar buffer");
-            result = 1;
-        }
-        else if ((result_digest = (unsigned char*)malloc(signed_payload_size)) == NULL)
-        {
-            LOG_ERROR("Error allocating memory for digest");
-            result = 1;
-        }
-        else
-        {
-            memcpy(result_digest, src_digest, signed_payload_size);
-            *digest = result_digest;
-            *digest_size = signed_payload_size;
-            result = 0;
-        }
-        BUFFER_delete(signed_payload_handle);
-    }
-    return result;
-}
-
 static int sas_key_sign
 (
     KEY_HANDLE key_handle,

diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_sas_perform_sign_with_key.c b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_sas_perform_sign_with_key.c
@@ -0,0 +1,65 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+#include "azure_c_shared_utility/buffer_.h"
+#include "azure_c_shared_utility/gballoc.h"
+#include "azure_c_shared_utility/hmacsha256.h"
+#include "azure_c_shared_utility/macro_utils.h"
+
+#include "hsm_log.h"
+
+int perform_sign_with_key
+(
+    const unsigned char* key,
+    size_t key_len,
+    const unsigned char* data_to_be_signed,
+    size_t data_to_be_signed_size,
+    unsigned char** digest,
+    size_t* digest_size
+)
+{
+    int result;
+    BUFFER_HANDLE signed_payload_handle;
+
+    if ((signed_payload_handle = BUFFER_new()) == NULL)
+    {
+        LOG_ERROR("Error allocating new buffer handle");
+        result = __FAILURE__;
+    }
+    else
+    {
+        size_t signed_payload_size;
+        unsigned char *result_digest, *src_digest;
+        int status = HMACSHA256_ComputeHash(key, key_len, data_to_be_signed,
+                                            data_to_be_signed_size, signed_payload_handle);
+        if (status != HMACSHA256_OK)
+        {
+            LOG_ERROR("Error computing HMAC256SHA signature");
+            result =  __FAILURE__;
+        }
+        else if ((signed_payload_size = BUFFER_length(signed_payload_handle)) == 0)
+        {
+            LOG_ERROR("Error computing HMAC256SHA. Signature size is 0");
+            result =  __FAILURE__;
+        }
+        else if ((src_digest = BUFFER_u_char(signed_payload_handle)) == NULL)
+        {
+            LOG_ERROR("Error obtaining underlying uchar buffer");
+            result =  __FAILURE__;
+        }
+        else if ((result_digest = (unsigned char*)malloc(signed_payload_size)) == NULL)
+        {
+            LOG_ERROR("Error allocating memory for digest");
+            result =  __FAILURE__;
+        }
+        else
+        {
+            memcpy(result_digest, src_digest, signed_payload_size);
+            *digest = result_digest;
+            *digest_size = signed_payload_size;
+            result = 0;
+        }
+        BUFFER_delete(signed_payload_handle);
+    }
+    return result;
+}
+
diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_sas_perform_sign_with_key.h b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_sas_perform_sign_with_key.h
@@ -0,0 +1,9 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+#include "azure_c_shared_utility/umock_c_prod.h"
+
+MOCKABLE_FUNCTION(,int, perform_sign_with_key, const unsigned char *, key, size_t,  key_len, 
+                                  const unsigned char *, data_to_be_signed, size_t, data_to_be_signed_size, 
+                                  unsigned char **, digest, size_t *, digest_size);
+