hash: add more configurable hash algorithm for public key digest

The current public key digest is using SHA1 and SHA256, and the digest will extend to TPM PCR 16. But from TPM2, SHA1 is not mandatory anymore, so this patch makes the hash algorithm configurable. Reference: TCG PC Client Platform TPM Profile Specification for TPM 2.0, Section 4.6 https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p05p_r14_pub.pdf Signed-off-by: Dong, Xiaocheng <[email protected]>
keylime · Jul 6, 2023 · de2e420 · de2e420
1 parent 636c80a
commit de2e420
Showing 1 changed file with 10 additions and 16 deletions.
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
@@ -284,8 +284,6 @@ impl Context {
 
     // This function extends Pcr16 with the digest, then creates a PcrList
     // from the given mask and pcr16.
-    // Note: Currently, this will build the list for both SHA256 and SHA1 as
-    // necessary for the Python components of Keylime.
     fn build_pcr_list(
         &mut self,
         digest: DigestValues,
@@ -329,7 +327,7 @@ impl Context {
         hash_alg: HashAlgorithm,
         sign_alg: SignAlgorithm,
     ) -> Result<String> {
-        let nk_digest = pubkey_to_tpm_digest(pubkey)?;
+        let nk_digest = pubkey_to_tpm_digest(pubkey, hash_alg)?;
 
         let pcrlist =
             self.build_pcr_list(nk_digest, mask, hash_alg.into())?;
@@ -452,10 +450,9 @@ fn parse_cred_and_secret(
 }
 
 // Takes a public PKey and returns a DigestValue of it.
-// Note: Currently, this creates a DigestValue including both SHA256 and
-// SHA1 because these banks are checked by Keylime on the Python side.
 fn pubkey_to_tpm_digest<T: HasPublic>(
     pubkey: &PKeyRef<T>,
+    algo: HashAlgorithm
 ) -> Result<DigestValues> {
     let mut keydigest = DigestValues::new();
 
@@ -468,16 +465,11 @@ fn pubkey_to_tpm_digest<T: HasPublic>(
         }
     };
 
-    // SHA256
-    let mut hasher = openssl::sha::Sha256::new();
-    hasher.update(&keybytes);
-    let hashvec: Vec<u8> = hasher.finish().into();
-    keydigest.set(HashingAlgorithm::Sha256, Digest::try_from(hashvec)?);
-    // SHA1
-    let mut hasher = openssl::sha::Sha1::new();
-    hasher.update(&keybytes);
-    let hashvec: Vec<u8> = hasher.finish().into();
-    keydigest.set(HashingAlgorithm::Sha1, Digest::try_from(hashvec)?);
+    let hash_algo = HashingAlgorithm::from(algo);
+    let mut hasher = Hasher::new(hash_alg_to_message_digest(hash_algo)?)?;
+    hasher.update(&keybytes)?;
+    let hashvec = hasher.finish()?;
+    keydigest.set(hash_algo, Digest::try_from(hashvec.as_ref())?);
 
     Ok(keydigest)
 }
@@ -607,6 +599,8 @@ fn hash_alg_to_message_digest(
     match hash_alg {
         HashingAlgorithm::Sha256 => Ok(MessageDigest::sha256()),
         HashingAlgorithm::Sha1 => Ok(MessageDigest::sha1()),
+        HashingAlgorithm::Sha384 => Ok(MessageDigest::sha384()),
+        HashingAlgorithm::Sha512 => Ok(MessageDigest::sha512()),
         other => Err(TpmError::Other(format!(
             "Unsupported hashing algorithm: {other:?}"
         ))),
@@ -956,7 +950,7 @@ fn pubkey_to_digest() {
     let rsa = Rsa::generate(2048).unwrap(); //#[allow_ci]
     let pkey = PKey::from_rsa(rsa).unwrap(); //#[allow_ci]
 
-    assert!(pubkey_to_tpm_digest(pkey.as_ref()).is_ok());
+    assert!(pubkey_to_tpm_digest(pkey.as_ref(), HashAlgorithm::Sha256).is_ok());
 }
 
 #[test]