Beispiel #1
0
TPW_RESULT create_key(TSS_HCONTEXT tss_context, TSS_FLAG aflags, TSS_HKEY *user_key, TSS_HKEY p_key, char *auth, int authlen)
{
    TSS_RESULT result;
    TSS_HPOLICY policy;
    if(!authlen)
        aflags |= TSS_KEY_NO_AUTHORIZATION;
    else
        aflags |= TSS_KEY_AUTHORIZATION;

    result = Tspi_Context_CreateObject(tss_context, TSS_OBJECT_TYPE_RSAKEY, aflags, user_key);

    if(TSS_SUCCESS != result)
    {
        Log_Text("create_key", TPW_KEY_ERROR);
        return TPW_KEY_ERROR;
    }

    if(authlen)
    {
        result = Tspi_Context_CreateObject(tss_context, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &policy); 
 
        result = policySetSecret(policy, authlen, auth);

        if(TSS_SUCCESS != result)
        {
            Log_Text("setPolicy_in_create_key", TPW_POLICY_ERROR);
            return TPW_POLICY_ERROR;
        }

        result = policyAssign(policy, *user_key);

        if(TSS_SUCCESS != result)
        {
            Log_Text("assignPolicy_in_create_key", TPW_POLICY_ERROR);
            return TPW_KEY_ERROR;
        }
    }

    result = keyCreateKey(*user_key, p_key, 0);
    if(TSS_SUCCESS != result)
    {
        Log_Text("Create_in_create_key", TPW_KEY_ERROR);
        return TPW_KEY_ERROR;
    }

    return TPW_SUCCESS;
}
Beispiel #2
0
TPW_RESULT load_key_and_auth(TSS_HCONTEXT tss_context, TSS_HKEY *h_srk, TSS_UUID key_uuid, TSS_FLAG aflags, BYTE *auth, int len)
{
    TSS_RESULT result;
    TSS_HPOLICY h_policy;

    result = keyLoadKeyByUUID(tss_context, aflags, key_uuid, h_srk);

    if(TSS_SUCCESS != result)
        return TPW_KEY_ERROR;

    result = policyGet(*h_srk, &h_policy);

    if(TSS_SUCCESS != result)
        return TPW_KEY_ERROR;

    result = policySetSecret(h_policy, len, auth);

    if(TSS_SUCCESS != result)
        return TPW_KEY_ERROR;
}
Beispiel #3
0
/*
 * Affect: Change owner or srk password
 * Default: No action
 * Required: Owner authentication
 */
int main(int argc, char **argv)
{

	int i = 0, iRc = -1;
	char *passwd = NULL;
	int pswd_len;
	TSS_HPOLICY hTpmPolicy, hNewPolicy;
	TSS_HTPM hTpm;
	TSS_HTPM hSrk;
	BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
	struct option opts[] = { {"owner", no_argument, NULL, 'o'},
	{"srk", no_argument, NULL, 's'},
	{"original_password_unicode", no_argument, NULL, 'g'},
	{"new_password_unicode", no_argument, NULL, 'n'},
	{"well-known", no_argument, NULL, 'z'},
	{"set-well-known", no_argument, NULL, 'r'},
	};

	initIntlSys();

	if (genericOptHandler
	    (argc, argv, "zrsogn", opts, sizeof(opts) / sizeof(struct option),
	     parse, help) != 0)
		goto out;

	//nothing selected
	if ((!changeRequested && wellKnown) || (!changeRequested)) {
		help(argv[0]);
		goto out;
	}

	//Connect to TSS and TPM
	if (contextCreate(&hContext) != TSS_SUCCESS)
		goto out;

	if (contextConnect(hContext) != TSS_SUCCESS)
		goto out_close;

	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
		goto out_close;

	if (wellKnown) {
		passwd = (char *)well_known_secret;
		pswd_len = TCPA_SHA1_160_HASH_LEN;
	} else {
		passwd = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n"));
			goto out_close;
		}
	}

	if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
		goto out_close;

	if (policySetSecret(hTpmPolicy, pswd_len, (BYTE *)passwd) != TSS_SUCCESS)
		goto out_close;

	if (!wellKnown && !setWellKnown) {
		shredPasswd(passwd);
		passwd = NULL;
	}

	do {
		if (auths[i].change) {
			logInfo(_("Changing password for: %s.\n"), _(auths[i].name));
			if (setWellKnown) {
				passwd = (char *)well_known_secret;
				pswd_len = TCPA_SHA1_160_HASH_LEN;
			} else {
				passwd = _GETPASSWD(_(auths[i].prompt), &pswd_len,
					TRUE, newUnicode || useUnicode );
				if (!passwd) {
					logError(_("Failed to get new password.\n"));
					goto out_close;
				}
			}

			if (contextCreateObject
			    (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
			     &hNewPolicy) != TSS_SUCCESS)
				goto out_close;

			if (policySetSecret
			    (hNewPolicy, pswd_len,
			     (BYTE *)passwd) != TSS_SUCCESS)
				goto out_close;

			if (i == owner) {
				if (tpmChangeAuth(hTpm, NULL_HOBJECT, hNewPolicy) != TSS_SUCCESS)
					goto out_close;
			} else if (i == srk) {
				if (keyLoadKeyByUUID
				    (hContext, TSS_PS_TYPE_SYSTEM,
				     SRK_UUID, &hSrk) != TSS_SUCCESS)
					goto out_close;
				if (tpmChangeAuth(hSrk, hTpm, hNewPolicy) != TSS_SUCCESS)
					goto out_close;
			}
			logInfo(_("Change of %s password successful.\n"), _(auths[i].name));
			if (!wellKnown && !setWellKnown) {
				shredPasswd(passwd);
				passwd = NULL;
			}
		}
	} while (auths[++i].name);

	iRc = 0;

	out_close:
		contextClose(hContext);

	out:
		if (passwd && !wellKnown && !setWellKnown)
			shredPasswd(passwd);

	return iRc;
}
Beispiel #4
0
int main(int argc, char **argv)
{

	char *szTpmPasswd = NULL;
	int pswd_len;
	TSS_HTPM hTpm;
	TSS_HPOLICY hTpmPolicy;
	int iRc = -1;
	struct option opts[] = {
			{"force", no_argument, NULL, 'f'},
			{"well-known", no_argument, NULL, 'z'},
	};
	BYTE well_known[] = TSS_WELL_KNOWN_SECRET;

        initIntlSys();

	if (genericOptHandler
	    (argc, argv, "fz", opts, sizeof(opts) / sizeof(struct option),
	     parse, help) != 0)
		goto out;

	if (contextCreate(&hContext) != TSS_SUCCESS)
		goto out;

	if (contextConnect(hContext) != TSS_SUCCESS)
		goto out_close;

	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
		goto out_close;

	if (!bValue) {
		if (isWellKnown){
			szTpmPasswd = (char *)well_known;
			pswd_len = sizeof(well_known);
		}else{
			szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n"));
				goto out_close;
			}
		}

		if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
			goto out_close;

		if (policySetSecret(hTpmPolicy, pswd_len,
				    (BYTE *)szTpmPasswd) != TSS_SUCCESS)
			goto out_close;
	}
	//Setup complete attempt command
	if (tpmClearOwner(hTpm, bValue) != TSS_SUCCESS)
		goto out_close;

	//Command successful
	iRc = 0;
	logSuccess(argv[0]);

	logMsg( _("TPM Successfuly Cleared.  You need to reboot to complete this operation.  After reboot the TPM will be in the default state: unowned, disabled and inactive.\n") );

	//Cleanup
      out_close:
	if (szTpmPasswd && !isWellKnown)
		shredPasswd(szTpmPasswd);

	contextClose(hContext);

      out:
	return iRc;
}
int main(int argc, char **argv)
{

	char *szTpmPasswd = NULL;
	int pswd_len;
	TSS_HPOLICY hTpmPolicy;
	TSS_HTPM hTpm;
	int iRc = -1;
	struct option opts[] = { {"allow", no_argument, NULL, 'a'},
	{"status", no_argument, NULL, 's'},
	{"restrict", no_argument, NULL, 'r'},
	{"well-known", no_argument, NULL, 'z'},
	};
	BYTE well_known[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;

        initIntlSys();

	if (genericOptHandler
	    (argc, argv, "asrz", opts, sizeof(opts) / sizeof(struct option),
	     parse, help) != 0)
		goto out;

	/* If no args are given, the default should be to give status */
	if (argc == 1)
		bCheck = TRUE;

	//Connect to TSS and TPM
	if (contextCreate(&hContext) != TSS_SUCCESS)
		goto out;

	if (contextConnect(hContext) != TSS_SUCCESS)
		goto out_close;

	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
		goto out_close;

	if (isWellKnown) {
		szTpmPasswd = (char *)well_known;
		pswd_len = sizeof(well_known);
	} else {
		// Prompt for owner password
		szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n"));
			goto out_close;
		}
	}
	if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
		goto out_close;

	if (policySetSecret
	    (hTpmPolicy, pswd_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS)
		goto out_close;

	if (bCheck) {
		TSS_BOOL bValue;
		if (tpmGetStatus
		    (hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD,
		     &bValue) != TSS_SUCCESS)
			goto out;
		logMsg(_("Storage Root Key readable with: %s\n"),
		       bValue ? _("owner auth") : _("SRK auth"));

	} else {
		if (tpmSetStatus(hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD, bRestrict)
		    != TSS_SUCCESS)
			goto out_close;
	}

	iRc = 0;
	logSuccess(argv[0]);

      out_close:
	contextClose(hContext);

      out:
	if (szTpmPasswd && !isWellKnown)
		shredPasswd(szTpmPasswd);

	return iRc;

}
int
main( int argc, char **argv )
{
	char *szTpmPasswd = NULL;
	int tpm_len;
	TSS_HTPM hTpm;
	TSS_HPOLICY hTpmPolicy;
	TSS_BOOL bValue = TRUE;
	int iRc = -1;
	struct option opts[] = {
		{"use-hex",    no_argument, NULL, 'x'},
		{"well-known", no_argument, NULL, 'z'},
	};
	BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
	BYTE* pTpmPasswd = NULL;
	int iTpmPasswdLen;

	initIntlSys();

	if (genericOptHandler(argc, argv, "xz", opts, sizeof(opts) / sizeof(struct option), parse,
			      help) != 0)
		goto out;

	if (contextCreate(&hContext) != TSS_SUCCESS)
		goto out;

	if (!isWellKnown) {
		// Prompt for owner password
		szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get Owner password\n"));
			goto out;
		}
		if( decodeHexPassword ) {
			if( hex2bytea(szTpmPasswd, &pTpmPasswd, &iTpmPasswdLen) != 0 ) {
				logError(_("Invalid hex owner secret\n"));
				goto out_close;
			}
		}
	} else {
		szTpmPasswd = (char *)wellKnown;
		tpm_len = sizeof(wellKnown);
	}

	if (contextConnect(hContext) != TSS_SUCCESS)
		goto out_close;

	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
		goto out_close;

	if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
		goto out_close;

	if( decodeHexPassword ) {
		if( Tspi_Policy_SetSecret(hTpmPolicy, TSS_SECRET_MODE_PLAIN, iTpmPasswdLen,
					pTpmPasswd) != TSS_SUCCESS)
			goto out_close;
	}
	else {
	if (policySetSecret(hTpmPolicy, tpm_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS)
		goto out_close;
	}
	
	if (tpmSetStatus(hTpm, TSS_TPMSTATUS_RESETLOCK, bValue) != TSS_SUCCESS)
		goto out_close;

	iRc = 0;
	logSuccess(argv[0]);

	out_close:
		contextClose(hContext);

	out:
	if (!isWellKnown && szTpmPasswd)
		shredPasswd(szTpmPasswd);
	if( pTpmPasswd )
		shredByteArray(pTpmPasswd, iTpmPasswdLen);

	return iRc;
}
Beispiel #7
0
int main(int argc, char **argv)
{
	TSS_HTPM hTpm;
	TSS_HNVSTORE nvObject;
	TSS_FLAG fNvAttrs;
	TSS_HPOLICY hTpmPolicy, hDataPolicy;
	int iRc = -1;
	BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
	int opswd_len = -1;
	int dpswd_len = -1;
	struct option hOpts[] = {
		{"index"           , required_argument, NULL, 'i'},
		{"size"            , required_argument, NULL, 's'},
		{"permissions"     , required_argument, NULL, 'p'},
		{"pwdo"            , optional_argument, NULL, 'o'},
		{"pwda"            , optional_argument, NULL, 'a'},
		{"use-unicode"     ,       no_argument, NULL, 'u'},
		{"data-well-known" ,       no_argument, NULL, 'z'},
		{"owner-well-known",       no_argument, NULL, 'y'},
		{NULL              ,       no_argument, NULL, 0},
	};

	initIntlSys();

	if (genericOptHandler
		    (argc, argv, "i:s:p:o:a:yzu", hOpts,
		     sizeof(hOpts) / sizeof(struct option), parse, help) != 0)
		goto out;

	if (end) {
		iRc = 0;
		goto out;
	}

	if (!nvindex_set) {
		logError(_("You must provide an index for the NVRAM area.\n"));
		goto out;
	}

	if (nvperm == 0 &&
	    (UINT32)nvindex != TPM_NV_INDEX_LOCK &&
	    (UINT32)nvindex != TPM_NV_INDEX0) {
		logError(_("You must provide permission bits for the NVRAM area.\n"));
		goto out;
	}

	logDebug("permissions = 0x%08x\n", nvperm);

	if (contextCreate(&hContext) != TSS_SUCCESS)
		goto out;

	if (contextConnect(hContext) != TSS_SUCCESS)
		goto out_close;

	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
		goto out_close;

	fNvAttrs = 0;

	if (contextCreateObject(hContext,
				TSS_OBJECT_TYPE_NV,
				fNvAttrs,
				&nvObject) != TSS_SUCCESS)
		goto out_close;

	if (askOwnerPass) {
		ownerpass = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n"));
			goto out_close;
		}
	}

	if (ownerpass || ownerWellKnown) {
		if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
			goto out_close;
		if (ownerpass) {
			if (opswd_len < 0)
				opswd_len = strlen(ownerpass);
			if (policySetSecret(hTpmPolicy, opswd_len,
					    (BYTE *)ownerpass) != TSS_SUCCESS)
				goto out_close;
		} else {
			if (policySetSecret(hTpmPolicy, TCPA_SHA1_160_HASH_LEN,
					    (BYTE *)well_known_secret) != TSS_SUCCESS)
				goto out_close;
		}
	}

	if (askDataPass) {
		datapass = _GETPASSWD(_("Enter NVRAM data password: "******"Failed to get NVRAM data password\n"));
			goto out_close;
		}
	}

	if (datapass || dataWellKnown) {
		if (contextCreateObject
		    (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
		     &hDataPolicy) != TSS_SUCCESS)
			goto out_close;

		if (datapass) {
			if (dpswd_len < 0)
				dpswd_len = strlen(datapass);
			if (policySetSecret(hDataPolicy, dpswd_len,
				    (BYTE *)datapass) != TSS_SUCCESS)
				goto out_close;
		} else {
			if (policySetSecret(hDataPolicy, TCPA_SHA1_160_HASH_LEN,
				    (BYTE *)well_known_secret) != TSS_SUCCESS)
				goto out_close;
		}

		if (Tspi_Policy_AssignToObject(hDataPolicy, nvObject) !=
		    TSS_SUCCESS)
			goto out_close;
	}

	if (Tspi_SetAttribUint32(nvObject,
				 TSS_TSPATTRIB_NV_INDEX,
				 0,
				 nvindex) != TSS_SUCCESS)
		goto out_close_obj;

	if (Tspi_SetAttribUint32(nvObject,
				 TSS_TSPATTRIB_NV_PERMISSIONS,
				 0,
				 nvperm) != TSS_SUCCESS)
		goto out_close_obj;

	if (Tspi_SetAttribUint32(nvObject,
				 TSS_TSPATTRIB_NV_DATASIZE,
				 0,
				 nvsize) != TSS_SUCCESS)
		goto out_close_obj;

	if (NVDefineSpace(nvObject, (TSS_HPCRS)0, (TSS_HPCRS)0) !=
	    TSS_SUCCESS)
		goto out_close;

	logMsg(_("Successfully created NVRAM area at index 0x%x (%u).\n"),
	       nvindex, nvindex);

	iRc = 0;

	goto out_close;

      out_close_obj:
	contextCloseObject(hContext, nvObject);

      out_close:
	contextClose(hContext);

      out:
	return iRc;
}
Beispiel #8
0
int main(int argc, char **argv)
{

	TSS_HKEY hSrk, hKey;
	TSS_HENCDATA hEncdata;
	TSS_HPOLICY hPolicy;
	int iRc = -1;
	struct option opts[] =
	    { {"infile", required_argument, NULL, 'i'},
	{"outfile", required_argument, NULL, 'o'},
	{"pcr", required_argument, NULL, 'p'},
	{"unicode", no_argument, NULL, 'u'},
	{"well-known", no_argument, NULL, 'z'}
	};
	unsigned char line[EVP_CIPHER_block_size(EVP_aes_256_cbc()) * 16];
	int lineLen;
	unsigned char encData[sizeof(line) + EVP_CIPHER_block_size(EVP_aes_256_cbc())];
	int encDataLen;
	UINT32 encLen, i;
	BYTE *encKey;
	BYTE *randKey = NULL;
	UINT32 sealKeyLen;
	BYTE *sealKey;
	TSS_FLAG keyFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 |
	    TSS_KEY_VOLATILE | TSS_KEY_AUTHORIZATION |
	    TSS_KEY_NOT_MIGRATABLE;
	TSS_HPOLICY hSrkPolicy;
	char *passwd = NULL;
	int pswd_len;
	BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;

	BIO *bin = NULL, *bdata=NULL, *b64=NULL;

	initIntlSys();

	if (genericOptHandler(argc, argv, "i:o:p:uz", opts,
			      sizeof(opts) / sizeof(struct option), parse,
			      help) != 0)
		goto out;

	if (contextCreate(&hContext) != TSS_SUCCESS)
		goto out;

	if (contextConnect(hContext) != TSS_SUCCESS)
		goto out_close;

	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
		goto out_close;

	/* Create a BIO for the input file */
	if ((bin = BIO_new(BIO_s_file())) == NULL) {
		logError(_("Unable to open input BIO\n"));
		goto out_close;
	}

	/* Assign the input file to the BIO */
	if (strlen(in_filename) == 0) 
		BIO_set_fp(bin, stdin, BIO_NOCLOSE);
	else if (!BIO_read_filename(bin, in_filename)) {
		logError(_("Unable to open input file: %s\n"),
			 in_filename);
		goto out_close;
	}

	/* Create the PCRs object. If any PCRs above 15 are selected, this will need to be
	 * a 1.2 TSS/TPM */
	if (selectedPcrsLen) {
		TSS_FLAG initFlag = 0;
		UINT32 pcrSize;
		BYTE *pcrValue;

		for (i = 0; i < selectedPcrsLen; i++) {
			if (selectedPcrs[i] > 15) {
#ifdef TSS_LIB_IS_12
				initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
#else
				logError(_("This version of %s was compiled for a v1.1 TSS, which "
					 "can only seal\n data to PCRs 0-15. PCR %u is out of range"
					 "\n"), argv[0], selectedPcrs[i]);
				goto out_close;
#endif
			}
		}

		if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
					&hPcrs) != TSS_SUCCESS)
			goto out_close;

		for (i = 0; i < selectedPcrsLen; i++) {
			if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
				goto out_close;

			if (pcrcompositeSetPcrValue(hPcrs, selectedPcrs[i], pcrSize, pcrValue)
					!= TSS_SUCCESS)
				goto out_close;
		}
#ifdef TSS_LIB_IS_12
		if (initFlag) {
			UINT32 localityValue =
				TPM_LOC_ZERO | TPM_LOC_ONE | TPM_LOC_TWO | TPM_LOC_THREE |
				TPM_LOC_FOUR;

			if (pcrcompositeSetPcrLocality(hPcrs, localityValue) != TSS_SUCCESS)
				goto out_close;
		}
#endif
	}

	/* Retrieve random data to be used as the symmetric key
	   (this key will encrypt the input file contents) */
	if (tpmGetRandom(hTpm, EVP_CIPHER_key_length(EVP_aes_256_cbc()),
			 &randKey) != TSS_SUCCESS)
		goto out_close;

	/* Load the SRK and set the SRK policy (no password) */
	if (keyLoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSrk)
	    != TSS_SUCCESS)
		goto out_close;

	/* Use the context's default policy for the SRK secret */
	if (policyGet(hSrk, &hSrkPolicy) != TSS_SUCCESS)
		goto out_close;

	/* Prompt for SRK password */
	if (!isWellKnown) {
		passwd = _GETPASSWD(_("Enter SRK password: "******"Failed to get SRK password\n"));
			goto out_close;
		}
	} else {
		passwd = (char *)wellKnown;
		pswd_len = sizeof(wellKnown);
	}

	if (policySetSecret(hSrkPolicy, (UINT32)pswd_len, (BYTE *)passwd) != TSS_SUCCESS)
		goto out_close;

	if (!isWellKnown)
		shredPasswd(passwd);
	passwd = NULL;

	/* Build an RSA key object that will be created by the TPM
	   (this will encrypt and protect the symmetric key) */
	if (contextCreateObject
	    (hContext, TSS_OBJECT_TYPE_RSAKEY, keyFlags,
	     &hKey) != TSS_SUCCESS)
		goto out_close;

	if (contextCreateObject
	    (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
	     &hPolicy) != TSS_SUCCESS)
		goto out_close;

	if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET)
	    != TSS_SUCCESS)
		goto out_close;

	if (policyAssign(hPolicy, hKey) != TSS_SUCCESS)
		goto out_close;

	/* Create the RSA key (under the SRK) */
	if (keyCreateKey(hKey, hSrk, NULL_HPCRS) != TSS_SUCCESS)
		goto out_close;

	/* Load the newly created RSA key */
	if (keyLoadKey(hKey, hSrk) != TSS_SUCCESS)
		goto out_close;

	/* Build an encrypted data object that will hold the encrypted
	   version of the symmetric key */
	if (contextCreateObject
	    (hContext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL,
	     &hEncdata) != TSS_SUCCESS)
		goto out_close;

	if (contextCreateObject
	    (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
	     &hPolicy) != TSS_SUCCESS)
		goto out_close;

	if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET)
	    != TSS_SUCCESS)
		goto out_close;

	if (policyAssign(hPolicy, hEncdata) != TSS_SUCCESS)
		goto out_close;

	/* Encrypt and seal the symmetric key */
	if (dataSeal
	    (hEncdata, hKey, EVP_CIPHER_key_length(EVP_aes_256_cbc()),
	     randKey, hPcrs) != TSS_SUCCESS)
		goto out_close;

	if (getAttribData(hEncdata, TSS_TSPATTRIB_ENCDATA_BLOB,
			  TSS_TSPATTRIB_ENCDATABLOB_BLOB, &encLen,
			  &encKey) != TSS_SUCCESS)
		goto out_close;

	if (getAttribData
	    (hKey, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_BLOB,
	     &sealKeyLen, &sealKey) != TSS_SUCCESS)
		goto out_close;

	/* Create a BIO to perform base64 encoding */
	if ((b64 = BIO_new(BIO_f_base64())) == NULL) {
		logError(_("Unable to open base64 BIO\n"));
		goto out_close;
	}

	/* Create a BIO for the output file */
	if ((bdata = BIO_new(BIO_s_file())) == NULL) {
		logError(_("Unable to open output BIO\n"));
		goto out_close;
	}

	/* Assign the output file to the BIO */
	if (strlen(out_filename) == 0)
		BIO_set_fp(bdata, stdout, BIO_NOCLOSE);
	else if (BIO_write_filename(bdata, out_filename) <= 0) {
		logError(_("Unable to open output file: %s\n"),
			 out_filename);
		goto out_close;
	}

	/* Output the sealed data header string */
	BIO_puts(bdata, TPMSEAL_HDR_STRING);

	/* Sealing key used on the TPM */
	BIO_puts(bdata, TPMSEAL_TSS_STRING);
	bdata = BIO_push(b64, bdata);
	BIO_write(bdata, sealKey, sealKeyLen);
	if (BIO_flush(bdata) != 1) {
		logError(_("Unable to flush output\n"));
		goto out_close;
	}
	bdata = BIO_pop(b64);

	/* Sealed EVP Symmetric Key */
	BIO_puts(bdata, TPMSEAL_EVP_STRING);
	BIO_puts(bdata, TPMSEAL_KEYTYPE_SYM);
	BIO_puts(bdata, TPMSEAL_CIPHER_AES256CBC);
	bdata = BIO_push(b64, bdata);
	BIO_write(bdata, encKey, encLen);
	if (BIO_flush(bdata) != 1) {
		logError(_("Unable to flush output\n"));
		goto out_close;
	}
	bdata = BIO_pop(b64);

	/* Encrypted Data */
	BIO_puts(bdata, TPMSEAL_ENC_STRING); 
	bdata = BIO_push(b64, bdata);

	EVP_CIPHER_CTX ctx;
	EVP_EncryptInit(&ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV);

	while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) {
		EVP_EncryptUpdate(&ctx, encData, &encDataLen,
				  line, lineLen);
		BIO_write(bdata, encData, encDataLen);
	}

	EVP_EncryptFinal(&ctx, encData, &encDataLen);
	BIO_write(bdata, encData, encDataLen);
	if (BIO_flush(bdata) != 1) {
		logError(_("Unable to flush output\n"));
		goto out_close;
	}
	bdata = BIO_pop(b64);

	BIO_puts( bdata, TPMSEAL_FTR_STRING);
	
	iRc = 0;
	logSuccess(argv[0]);

out_close:
	contextClose(hContext);

out:
	if (bin)
		BIO_free(bin);
	if (bdata)
		BIO_free(bdata);
	if (b64)
		BIO_free(b64);
	return iRc;
}