Here is a proposal for importing persistent keys and key objects into a token without relying on third-party software, so that it works with both backends (FAPI/ESYSDB).
If there isn't any opposition, I'll start the implementation soon.
C_GenerateKeyPair: Utilize a key template that contains vendor-specific attributes, linking the key object to either the persistent TPM key or TPM key objects.

For TPM key objects:
- CKA_TPM2_PUB_BLOB
- CKA_TPM2_PRIV_BLOB
- CKA_TPM2_OBJAUTH // The TPM key auth value in plain text

For a persistent TPM key:
- CKA_TPM2_PERSISTENT_HANDLE // Allows a persistent handle only
- CKA_TPM2_OBJAUTH
C_GenerateKeyPair:

If either key template (pub/priv) includes the attribute CKA_TPM2_PERSISTENT_HANDLE, indicating that a tpm_persistent_handle is used:
- Create two tobjs: pub_tobj and priv_tobj.
- Set pub_tobj->tpm_persistent_handle and priv_tobj->tpm_persistent_handle to the value of CKA_TPM2_PERSISTENT_HANDLE.
- Leave the x_tobj->priv and x_tobj->pub fields empty.
- Set the auth value in x_tobj using tobject_set_auth() to the wrapped value of CKA_TPM2_OBJAUTH.
- Store the x_tobj in the backend.
- Store the x_tobj in the global variable (token->tobjects).

If the pub key template includes the attribute CKA_TPM2_PUB_BLOB and the priv key template includes the attribute CKA_TPM2_PRIV_BLOB, indicating that TPM key objects are used:
- Create two tobjs: pub_tobj and priv_tobj.
- Set pub_tobj->pub and priv_tobj->pub & priv to the values of CKA_TPM2_PUB_BLOB and CKA_TPM2_PRIV_BLOB, respectively.
- Set the auth value in x_tobj using tobject_set_auth() to the wrapped value of CKA_TPM2_OBJAUTH.
- Store the x_tobj in the backend.
- Store the x_tobj in the global variable (token->tobjects).

Otherwise, follow the default implementation.
TPM key loading using token_load_object():

Set tobject->tpm_esys_tr according to the following rules:
- If tobject->tpm_persistent_handle is not empty:
  - If CKA_CLASS == CKO_PRIVATE_KEY, set tobject->tpm_esys_tr to Esys_TR_FromTPMPublic(tobject->tpm_persistent_handle).
  - If CKA_CLASS == CKO_PUBLIC_KEY, set tobject->tpm_esys_tr to Esys_LoadExternal(Esys_ReadPublic(tobject->tpm_persistent_handle)).
- Otherwise, follow the default implementation.
C_SignInit/C_EncryptInit/C_DecryptInit operation:

During the initialization operation, the tobj is loaded using token_load_object():
- If tobj->tpm_esys_tr is already set, no action is required.
- Otherwise:
  - If pub_tobj->tpm_persistent_handle is not empty, set tobject->tpm_esys_tr according to the above rules.
  - Otherwise, follow the default implementation to load the TPM key objects.

If tobj->tpm_esys_tr is set, flush it during C_Logout -> session_ctx_logout.

* This is the default implementation.
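As an added illustration of the proposal above (not tpm2-pkcs11 code), here is a Python model of the C_GenerateKeyPair template handling and of the token_load_object() rules: it validates the vendor attributes (mutual exclusivity, and the "persistent handle only" check against the TPM persistent handle range), builds pub_tobj/priv_tobj as plain dicts standing in for struct tobject, and reports which ESAPI path each object would be loaded through. wrap_auth() is a placeholder for tobject_set_auth(), and an absent CKA_TPM2_OBJAUTH is treated as an empty auth value (an assumption).

```python
"""Model of the proposed C_GenerateKeyPair template handling and of the
token_load_object() rules.  Added example, not tpm2-pkcs11 code: tobj dicts
stand in for struct tobject, wrap_auth() for tobject_set_auth()."""

TPM2_PERSISTENT_FIRST = 0x81000000  # persistent handle range (tss2_tpm2_types.h)
TPM2_PERSISTENT_LAST = 0x81FFFFFF

def wrap_auth(auth: bytes) -> bytes:
    """Placeholder for the token's auth wrapping; plaintext auth is never stored."""
    return b"wrapped:" + auth

def new_tobj(cls: str) -> dict:
    return {"class": cls, "tpm_persistent_handle": None, "pub": None,
            "priv": None, "auth": None, "tpm_esys_tr": None}

def plan_keypair(pub_tmpl: dict, priv_tmpl: dict) -> tuple:
    """Return (mode, pub_tobj, priv_tobj); mode is persistent, blob or default."""
    handle = pub_tmpl.get("CKA_TPM2_PERSISTENT_HANDLE", priv_tmpl.get("CKA_TPM2_PERSISTENT_HANDLE"))
    has_pub_blob = "CKA_TPM2_PUB_BLOB" in pub_tmpl
    has_priv_blob = "CKA_TPM2_PRIV_BLOB" in priv_tmpl
    if handle is None and not (has_pub_blob or has_priv_blob):
        return "default", None, None  # ordinary key generation path
    if handle is not None and (has_pub_blob or has_priv_blob):
        raise ValueError("persistent handle and key blobs are mutually exclusive")
    pub_tobj, priv_tobj = new_tobj("CKO_PUBLIC_KEY"), new_tobj("CKO_PRIVATE_KEY")
    if handle is not None:
        # "Allows persistent handle only": reject transient, NV and PCR handles.
        if not TPM2_PERSISTENT_FIRST <= handle <= TPM2_PERSISTENT_LAST:
            raise ValueError("CKA_TPM2_PERSISTENT_HANDLE is not a persistent handle")
        mode = "persistent"
        pub_tobj["tpm_persistent_handle"] = priv_tobj["tpm_persistent_handle"] = handle
    else:
        if not (has_pub_blob and has_priv_blob):
            raise ValueError("CKA_TPM2_PUB_BLOB and CKA_TPM2_PRIV_BLOB are both required")
        mode = "blob"
        pub_tobj["pub"] = priv_tobj["pub"] = pub_tmpl["CKA_TPM2_PUB_BLOB"]
        priv_tobj["priv"] = priv_tmpl["CKA_TPM2_PRIV_BLOB"]
    auth = pub_tmpl.get("CKA_TPM2_OBJAUTH", priv_tmpl.get("CKA_TPM2_OBJAUTH", b""))  # absent -> empty (assumption)
    pub_tobj["auth"] = priv_tobj["auth"] = wrap_auth(auth)  # tobject_set_auth()
    return mode, pub_tobj, priv_tobj

def load_rule(tobj: dict) -> str:
    """ESAPI path token_load_object() takes for tobj under the proposed rules."""
    if tobj["tpm_esys_tr"] is not None:
        return "already loaded"  # nothing to do at C_SignInit etc.
    if tobj["tpm_persistent_handle"] is not None:
        if tobj["class"] == "CKO_PRIVATE_KEY":
            return "Esys_TR_FromTPMPublic"  # persistent handle is usable as-is
        return "Esys_ReadPublic+Esys_LoadExternal"  # public part only
    return "default"  # load the pub/priv blobs
```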