Task #2242

Updated by Yingdi Yu over 9 years ago

It would be desirable to pair up a TPM with a PublicInfoBase, so that when KeyChain loads a PublicInfoBase, the corresponding TPM is loaded as well.
As a result, the user does not have to explicitly specify both a TPM and a PublicInfoBase.
Instead, the user only needs to specify a PublicInfoBase, which guarantees that the corresponding TPM will be loaded and that, for any key described in the PublicInfoBase, its private part can be found in the TPM.
This avoids the "Private key does not exist" problem caused by wrong configuration.

To enable this feature, we need to define the locator for TPM & PIB in #2260.
The schemes for SecTpmOsx and SecTpmFile are `sec-tpm-osx` and `sec-tpm-file`. For example:

    sec-tpm-osx:/app-keychain
    sec-tpm-file:/var/tmp

We also need to add two more methods to SecPublicInfo:

    void
    SecPublicInfo::setTpmLocator(const std::string& locator);

    std::string
    SecPublicInfo::getTpmLocator();

The first method is used to associate a TPM with the PIB.
The second method can be used by KeyChain to get the TpmLocator from the PIB and use it to load the corresponding TPM.

Note that the default PIB (as specified in client.conf or compilation settings) is always paired up with the default TPM (which is also specified in client.conf or compilation settings).
If one changes the default TPM but keeps the same PIB, the PIB will be reset.

Note that ideally, one PIB should be paired up with only one TPM.
It is possible for two PIBs to share one TPM,
but one PIB can NEVER be shared by more than one TPM.

 With this change, the way in which a KeyChain is created will be changed because: 

 * we need to accommodate the existing PIB. 
 * we need to accommodate the existing KeyChain constructor interfaces. 

 As a result, now KeyChain will be created as follows: 

1. When the default KeyChain constructor is called, KeyChain will load the default PIB and the default TPM as specified in the client.conf file or compilation settings. The TpmLocator in the PIB will be set to the default TPM. If the TpmLocator in the PIB has been set before, then the PIB will be reset and the default TpmLocator will be set in the PIB.
2. When another constructor is called, KeyChain will first check whether the supplied PIB is the default one. If so, it will follow step 1. Otherwise, it loads the PIB and gets the TpmLocator from the PIB.
2.1. If the supplied TpmLocator is the same as the one obtained from the PIB, then KeyChain will load the TPM.
2.2. If the supplied TpmLocator does not match the existing one, then depending on whether a reset is needed, the constructor will either throw an exception or reset the PIB and its TpmLocator.
2.3. If the TpmLocator is not set in the PIB, the supplied TpmLocator will be set in the PIB. However, this may cause problems if the supplied TPM does not match the PIB or the PIB has previously been shared by more than one PIB.
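
The pairing rules in steps 1 through 2.3, as an added C++ model that is not ndn-cxx code: `ModelPib`, `pairTpm` and `allowReset` are hypothetical names, and an empty locator stands for "not yet set". Step 1 is assumed to reset the PIB only when the stored locator differs from the default, following the note above about changing the default TPM.

```cpp
#include <set>
#include <stdexcept>
#include <string>

// Hypothetical in-memory stand-in for a PIB; not the ndn-cxx SecPublicInfo class.
struct ModelPib {
  std::string tpmLocator;          // empty means no TPM has been paired yet
  std::set<std::string> keyNames;  // names of keys the PIB describes

  void reset(const std::string& newLocator) {
    keyNames.clear();              // entries that referred to the old TPM are dropped
    tpmLocator = newLocator;
  }
};

// Returns the locator of the TPM that KeyChain should load for this PIB.
// allowReset is an assumed flag standing in for "whether a reset is needed".
std::string
pairTpm(ModelPib& pib, bool isDefaultPib, const std::string& supplied,
        const std::string& defaultLocator, bool allowReset)
{
  if (isDefaultPib) {                                   // step 1
    // Assumption: reset only if a different locator was stored before.
    if (!pib.tpmLocator.empty() && pib.tpmLocator != defaultLocator)
      pib.reset(defaultLocator);
    else
      pib.tpmLocator = defaultLocator;
    return defaultLocator;
  }
  if (pib.tpmLocator.empty()) {                         // step 2.3
    pib.tpmLocator = supplied;
    return supplied;
  }
  if (pib.tpmLocator == supplied)                       // step 2.1
    return supplied;
  if (!allowReset)                                      // step 2.2, no reset
    throw std::runtime_error("TPM locator mismatch: PIB is paired with " +
                             pib.tpmLocator);
  pib.reset(supplied);                                  // step 2.2, with reset
  return supplied;
}
```

The mismatch branch without reset leaves the PIB untouched, so a misconfigured locator surfaces as an error at construction time rather than as a later "Private key does not exist" failure.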



