# Copyright (c) 2013 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. import tempfile from autotest_lib.client.bin import utils from autotest_lib.client.common_lib import error from autotest_lib.client.cros import cryptohome class TPMStore(object): """Context enclosing the use of the TPM.""" CHAPS_CLIENT_COMMAND = 'chaps_client' CONVERT_TYPE_RSA = 'rsa' CONVERT_TYPE_X509 = 'x509' OPENSSL_COMMAND = 'openssl' OUTPUT_TYPE_CERTIFICATE = 'cert' OUTPUT_TYPE_PRIVATE_KEY = 'privkey' PIN = '11111' # TPM maintain two slots for certificates, slot 0 for system specific # certificates, slot 1 for user specific certificates. Currently, all # certificates are programmed in slot 1. So hardcode this slot ID for now. SLOT_ID = '1' PKCS11_REPLAY_COMMAND = 'p11_replay --slot=%s' % SLOT_ID TPM_GROUP = 'chronos-access' TPM_USER = 'chaps' def __enter__(self): self.setup() return self def __exit__(self, exception, value, traceback): self.reset() def _install_object(self, pem, identifier, conversion_type, output_type): """Convert a PEM object to DER and store it in the TPM. @param pem string PEM encoded object to be stored. @param identifier string associated with the new object. @param conversion_type the object type to use in PEM to DER conversion. @param output_type the object type to use in inserting into the TPM. """ if cryptohome.is_tpm_lockout_in_effect(): raise error.TestError('The TPM is in dictonary defend mode. ' 'The TPMStore may behave in unexpected ' 'ways, exiting.') pem_file = tempfile.NamedTemporaryFile() pem_file.file.write(pem) pem_file.file.flush() der_file = tempfile.NamedTemporaryFile() utils.system('%s %s -in %s -out %s -inform PEM -outform DER' % (self.OPENSSL_COMMAND, conversion_type, pem_file.name, der_file.name)) utils.system('%s --import --type=%s --path=%s --id="%s"' % (self.PKCS11_REPLAY_COMMAND, output_type, der_file.name, identifier)) def setup(self): """Set the TPM up for operation in tests.""" self.reset() self._directory = tempfile.mkdtemp() utils.system('chown %s:%s %s' % (self.TPM_USER, self.TPM_GROUP, self._directory)) utils.system('%s --load --path=%s --auth="%s"' % (self.CHAPS_CLIENT_COMMAND, self._directory, self.PIN)) def reset(self): """Reset the crypto store and take ownership of the device.""" utils.system('initctl restart chapsd') cryptohome.take_tpm_ownership(wait_for_ownership=True) def install_certificate(self, certificate, identifier): """Install a certificate into the TPM, returning the certificate ID. @param certificate string PEM x509 contents of the certificate. @param identifier string associated with this certificate in the TPM. """ return self._install_object(certificate, identifier, self.CONVERT_TYPE_X509, self.OUTPUT_TYPE_CERTIFICATE) def install_private_key(self, key, identifier): """Install a private key into the TPM, returning the certificate ID. @param key string PEM RSA private key contents. @param identifier string associated with this private key in the TPM. """ return self._install_object(key, identifier, self.CONVERT_TYPE_RSA, self.OUTPUT_TYPE_PRIVATE_KEY)