int main(int argc, char *argv[])
{
int ret;
unsigned char passhash[TPM_HASH_SIZE]; /* hash of parent key password */
unsigned char datahash[TPM_HASH_SIZE]; /* hash of data file */
unsigned char sig[4096]; /* resulting signature */
uint32_t siglen; /* signature length */
unsigned char *passptr;
FILE *sigfile;
TPM_setlog(0); /* turn off verbose output */
ParseArgs(argc, argv);
if ((keyhandle == 0) ||
(message == NULL) ||
(sigfilename == NULL)) {
printf("Missing parameter\n");
printUsage();
}
/*
** use the SHA1 hash of the password string as the Key Authorization Data
*/
if (keypass != NULL)
{
TSS_sha1(keypass,strlen(keypass),passhash);
passptr = passhash;
}
else passptr = NULL;
/*
** hash the message
*/
TSS_sha1(message,strlen(message),datahash);
ret = TPM_Sign(keyhandle, /* Key Handle */
passptr, /* key Password */
datahash,sizeof (datahash), /* data to be signed, length */
sig,&siglen); /* buffer to receive sig, int to receive sig length */
if (ret != 0)
{
printf("Error %s from TPM_Sign\n",TPM_GetErrMsg(ret));
exit(1);
}
sigfile = fopen(sigfilename, "wb");
if (sigfile == NULL)
{
printf("Unable to open output file '%s'\n", sigfilename);
exit(4);
}
ret = fwrite(sig,1,siglen,sigfile);
if (ret != (int)siglen)
{
printf("I/O Error while writing output file '%s'\n", sigfilename);
exit(5);
}
fclose(sigfile);
exit(0);
}
uint32_t TPM_HashPubKey(keydata * pubkey, unsigned char *digest)
{
STACK_TPM_BUFFER(buffer)
uint32_t len = TPM_WriteKeyPub(&buffer, pubkey);
if ((len & ERR_MASK) == 0)
TSS_sha1(buffer.buffer, len, digest);
return len;
}
static uint32_t swapOutKey(uint32_t handle)
{
unsigned char labelhash[20];
char *filename = createKeyFilename(handle);
STACK_TPM_BUFFER(context);
uint32_t ret = 0;
if (NULL == filename) {
ret = ERR_MEM_ERR;
}
#if 0
printf("Swapping OUT key with handle %08x\n",handle);
#endif
TSS_sha1("KEY",3,labelhash);
if (ret == 0) {
ret = TPM_SaveContext(handle,
TPM_RT_KEY,
(char *)labelhash,
&context);
}
if (ret == 0) {
FILE * f = fopen(filename, "w+");
if (f) {
fwrite(context.buffer, context.used, 1, f);
fclose(f);
} else {
ret = ERR_BAD_FILE;
}
}
if (ret == 0) {
ret = TPM_EvictKey(handle);
#if 0
printf("Evicted key with handle 0x%08x\n",handle);
} else {
printf("DID NOT Evicted key with handle 0x%08x\n",handle);
#endif
}
#if 0
if (ret == 0) {
printf("Swapped out key with handle %08x.\n",handle);
} else {
printf("Could NOT swap out key with handle %08x.\n",handle);
}
#endif
return ret;
}
uint32_t TPM_HashCMKAuth(TPM_CMK_AUTH * auth, unsigned char *hash)
{
STACK_TPM_BUFFER(buffer)
uint32_t len;
uint32_t ret = TPM_WriteCMKAuth(&buffer, auth);
if (ret & ERR_MASK)
return ret;
len = ret;
TSS_sha1(buffer.buffer, len, hash);
return 0;
}
uint32_t TPM_HashPCRComposite(TPM_PCR_COMPOSITE * comp, unsigned char * digest)
{
int len;
struct tpm_buffer *buffer = TSS_AllocTPMBuffer(comp->pcrValue.size + sizeof(TPM_PCR_COMPOSITE));
if (NULL != buffer) {
len = TPM_WritePCRComposite(buffer, comp);
TSS_sha1(buffer->buffer, len, digest);
TSS_FreeTPMBuffer(buffer);
} else {
return ERR_MEM_ERR;
}
return 0;
}
uint32_t TPM_HashMSAComposite(TPM_MSA_COMPOSITE * comp,
unsigned char *digest)
{
uint32_t ret = 0;
struct tpm_buffer *buffer =
TSS_AllocTPMBuffer(comp->MSAlist * TPM_HASH_SIZE + TPM_U32_SIZE);
if (buffer) {
uint32_t len = TPM_WriteMSAComposite(buffer, comp);
TSS_sha1(buffer->buffer, len, digest);
TSS_FreeTPMBuffer(buffer);
} else
ret = ERR_MEM_ERR;
return ret;
}
/*
* Validate the signature over a PCR composite structure.
* Returns '0' on success, an error code otherwise.
*/
uint32_t TPM_ValidatePCRCompositeSignature(TPM_PCR_COMPOSITE *tpc,
unsigned char *antiReplay,
pubkeydata *pk,
struct tpm_buffer *signature,
uint16_t sigscheme)
{
uint32_t ret;
RSA *rsa; /* openssl RSA public key */
TPM_QUOTE_INFO tqi;
STACK_TPM_BUFFER (ser_tqi);
STACK_TPM_BUFFER(response);
STACK_TPM_BUFFER (ser_tpc);
/*
** Convert to an OpenSSL RSA public key
*/
rsa = TSS_convpubkey(pk);
ret = TPM_GetCapability(TPM_CAP_VERSION, NULL,
&response);
if (ret != 0) {
RSA_free(rsa);
return ret;
}
memcpy(&(tqi.version), response.buffer, response.used);
memcpy(&(tqi.fixed), "QUOT", 4);
memcpy(&(tqi.externalData), antiReplay, TPM_NONCE_SIZE);
ret = TPM_WritePCRComposite(&ser_tpc, tpc);
if ((ret & ERR_MASK)) {
RSA_free(rsa);
return ret;
}
/* create the hash of the PCR_composite data for the quoteinfo structure */
TSS_sha1(ser_tpc.buffer, ser_tpc.used, tqi.digestValue);
ret = TPM_WriteQuoteInfo(&ser_tqi, &tqi);
if ((ret & ERR_MASK)) {
RSA_free(rsa);
return ret;
}
ret = TPM_ValidateSignature(sigscheme,
&ser_tqi,
signature,
rsa);
RSA_free(rsa);
return ret;
}
int main(int argc, char *argv[])
{
int ret = 0;
unsigned char *passptr1;
char * password = NULL;
unsigned char passhash1[20]; /* hash of password */
int i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp(argv[i],"-pwdk")) {
i++;
if (i >= argc) {
printf("Parameter missing!\n");
usage();
}
password = argv[i];
} else
if (!strcmp(argv[i],"-v")) {
TPM_setlog(1);
} else
if (!strcmp(argv[i],"-h")) {
usage();
} else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
}
i++;
}
if (password != NULL) {
TSS_sha1(password,strlen(password),passhash1);
passptr1 = passhash1;
} else {
printf("Missing parameter -pwdk\n");
exit(-1);
}
ret = TPM_RevokeTrust(passptr1);
if (0 != ret) {
printf("Error %s from TPM_RevokeTrust\n",
TPM_GetErrMsg(ret));
}
exit(ret);
}
int main(int argc, char *argv[])
{
uint32_t startOrdinal = -1;
int ret;
int verbose = FALSE;
TPM_COUNTER_VALUE counter;
int i = 1;
char * keypass = NULL;
unsigned char keyAuth[TPM_HASH_SIZE];
unsigned char * keyAuthPtr = NULL;
uint32_t keyhandle = -1;
STACK_TPM_BUFFER(signature);
unsigned char digest[TPM_DIGEST_SIZE];
unsigned char ordinalDigest[TPM_DIGEST_SIZE];
unsigned char antiReplay[TPM_NONCE_SIZE];
TPM_setlog(0);
TSS_gennonce(antiReplay);
while (i < argc) {
if (!strcmp("-s",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%d",&startOrdinal);
} else {
printf("Missing parameter for -s.\n");
usage();
}
} else
if (!strcmp("-h",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&keyhandle);
} else {
printf("Missing parameter for -h.\n");
usage();
}
} else
if (!strcmp("-p",argv[i])) {
i++;
if (i < argc) {
keypass = argv[i];
} else {
printf("Missing parameter for -p.\n");
usage();
}
} else
if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
} else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
}
i++;
}
(void)verbose;
if (-1 == (int)startOrdinal ||
-1 == (int)keyhandle) {
printf("Missing command line parameter.\n");
usage();
}
if (NULL != keypass) {
TSS_sha1(keypass,strlen(keypass),keyAuth);
keyAuthPtr = keyAuth;
}
ret = TPM_GetAuditDigestSigned(keyhandle,
FALSE,
keyAuthPtr,
antiReplay,
&counter,
digest,
ordinalDigest,
&signature);
if (0 != ret) {
printf("Error %s from GetAuditDigestSigned.\n",
TPM_GetErrMsg(ret));
} else {
TPM_SIGN_INFO tsi;
STACK_TPM_BUFFER(tsi_ser);
STACK_TPM_BUFFER(serial);
STACK_TPM_BUFFER(ctr_ser);
pubkeydata pubkey;
RSA *rsa;
i = 0;
printf("AuditDigest : ");
while (i < (int)sizeof(digest)) {
printf("%02X",digest[i]);
i++;
}
printf("\n");
i = 0;
printf("OrdinalDigest : ");
while (i < (int)sizeof(digest)) {
printf("%02X",ordinalDigest[i]);
i++;
}
printf("\n");
ret = TPM_GetPubKey(keyhandle, keyAuthPtr, &pubkey);
if (ret != 0) {
printf("Could not get public key of signing key.\n");
exit(-1);
}
rsa = TSS_convpubkey(&pubkey);
if (!rsa) {
printf("Could not convert public key.\n");
exit(-1);
}
tsi.tag = TPM_TAG_SIGNINFO;
memcpy(tsi.fixed, "ADIG", 4);
memcpy(tsi.replay, antiReplay, sizeof(antiReplay));
/* D4=ordinalDigest */
TPM_WriteCounterValue(&ctr_ser, &counter);
memcpy(&serial.buffer[0], digest, sizeof(digest));
memcpy(&serial.buffer[sizeof(digest)],
ctr_ser.buffer, ctr_ser.used);
memcpy(&serial.buffer[sizeof(digest)+ctr_ser.used],
ordinalDigest, sizeof(ordinalDigest));
serial.used = sizeof(digest) + ctr_ser.used + sizeof(ordinalDigest);
tsi.data.size = serial.used;
tsi.data.buffer = serial.buffer;
ret = TPM_WriteSignInfo(&tsi_ser, &tsi);
if ((ret & ERR_MASK)) {
printf("Error serializing TPM_SIGN_INFO.\n");
exit(-1);
}
ret = TPM_ValidateSignature(TPM_SS_RSASSAPKCS1v15_SHA1,
&tsi_ser,
&signature,
rsa);
if (ret != 0) {
printf("Error validating signature.\n");
exit(-1);
}
printf("Signature verification successful.\n");
}
exit(ret);
}
int main(int argc, char * argv[]) {
uint32_t ret = 0;
int i = 0;
int verbose = FALSE;
uint32_t migkeyhandle = 0;
char * filename = NULL;
unsigned char * buffer = NULL;
unsigned char keypasshash[TPM_HASH_SIZE];
char * keypass = NULL;
uint16_t migscheme = TPM_MS_MIGRATE;
unsigned char * keyhashptr = NULL;
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-if",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing mandatory parameter for -if.\n");
usage();
}
}
else if (!strcmp("-hp",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&migkeyhandle);
} else {
printf("Missing mandatory parameter for -hp.\n");
usage();
}
}
else if (!strcmp("-pwdp",argv[i])) {
i++;
if (i < argc) {
keypass = argv[i];
} else {
printf("Missing mandatory parameter for -pwdp.\n");
usage();
}
}
else if (!strcmp("-rewrap",argv[i])) {
migscheme = TPM_MS_REWRAP;
}
else if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
usage();
}
else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
}
i++;
}
if (0 == migkeyhandle ||
NULL == filename) {
printf("Missing mandatory parameter.\n");
usage();
}
if (NULL != keypass) {
TSS_sha1(keypass,strlen(keypass),keypasshash);
keyhashptr = keypasshash;
} else {
keyhashptr = NULL;
}
buffer = readFile(filename);
if (NULL != buffer) {
int offset = 0;
unsigned char * encblob = NULL;
uint32_t encsize = 0;
unsigned char * rndblob = NULL;
uint32_t rndsize = 0;
uint32_t keysize = 0;
unsigned char * keyblob = NULL;
unsigned char * outblob = NULL;
uint32_t outblen;
keydata newkey;
STACK_TPM_BUFFER( tb );
rndsize = LOAD32(buffer,offset); offset += 4;
rndblob = &buffer[offset]; offset += rndsize;
encsize = LOAD32(buffer,offset); offset += 4;
encblob = &buffer[offset]; offset += encsize;
keysize = LOAD32(buffer,offset); offset += 4;
keyblob = &buffer[offset]; offset += keysize;
SET_TPM_BUFFER(&tb, keyblob, keysize);
TSS_KeyExtract(&tb, 0,&newkey);
outblob = malloc(encsize);
if (NULL == outblob) {
printf("Error allocating memory for decrypted blob.\n");
exit(-1);
}
outblen = encsize;
if (TPM_MS_REWRAP == migscheme || 0 == rndsize) {
memcpy(newkey.encData.buffer,
encblob,
encsize);
newkey.encData.size = outblen;
ret = 0;
} else {
ret = TPM_ConvertMigrationBlob(migkeyhandle,
keyhashptr,
rndblob, rndsize,
encblob, encsize,
outblob, &outblen);
if (0 == ret) {
memcpy(newkey.encData.buffer,
outblob,
outblen);
newkey.encData.size = outblen;
} else {
printf("ConvertMigrationBlob returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
}
if (0 == ret) {
uint32_t newhandle;
ret = TPM_LoadKey(migkeyhandle,
keyhashptr,
&newkey,
&newhandle);
if (0 == ret) {
printf("Successfully loaded key into TPM.\n"
"New Key Handle = %08X\n",
newhandle);
} else {
printf("LoadKey returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
}
}
return ret;
}
int main(int argc, char *argv[])
{
int ret = 0;
TPM_BOOL reset = TRUE;
unsigned char *passptr1;
char * password = NULL;
unsigned char passhash1[20]; /* hash of password */
pubkeydata pubek;
int i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp(argv[i],"-pwdk")) {
i++;
if (i >= argc) {
printf("Parameter missing for -pwdk option!\n");
usage();
}
reset = FALSE;
password = argv[i];
}
else if (!strcmp(argv[i],"-v")) {
TPM_setlog(1);
}
else if (!strcmp(argv[i],"-h")) {
usage();
}
else {
printf("\n%s is not a valid option\n",argv[i]);
usage();
}
i++;
}
if (password != NULL) {
TSS_sha1(password,strlen(password),passhash1);
passptr1 = passhash1;
}
else {
passptr1 = NULL;
}
ret = TPM_CreateRevocableEK(reset, passptr1, &pubek);
if (0 != ret) {
printf("Error %s from TPM_CreateRevocableEK\n",
TPM_GetErrMsg(ret));
} else {
EVP_PKEY *pkey = NULL; /* OpenSSL public key */
FILE * keyfile;
RSA * rsa;
/*
** convert the returned public key to OpenSSL format and
** export it to a file
*/
rsa = TSS_convpubkey(&pubek);
if (rsa == NULL) {
printf("Error from TSS_convpubkey\n");
exit(-3);
}
OpenSSL_add_all_algorithms();
pkey = EVP_PKEY_new();
if (pkey == NULL) {
printf("Unable to create EVP_PKEY\n");
exit(-4);
}
ret = EVP_PKEY_assign_RSA(pkey,rsa);
if (ret == 0) {
printf("Unable to assign public key to EVP_PKEY\n");
exit(-5);
}
keyfile = fopen("pubek.pem","wb");
if (keyfile == NULL) {
printf("Unable to create public key file\n");
exit(-6);
}
ret = PEM_write_PUBKEY(keyfile,pkey);
if (ret == 0) {
printf("Unable to write public key file\n");
exit(-7);
}
printf("pubek.pem successfully written\n");
printf("Pubek keylength %d\nModulus:",pubek.pubKey.keyLength);
for(i=0;i<(int)pubek.pubKey.keyLength;i++){
if(!(i%16))
printf("\n");
printf("%02X ",pubek.pubKey.modulus[i]);
}
printf("\n");
fclose(keyfile);
EVP_PKEY_free(pkey);
ret = 0;
}
exit(ret);
}
int main(int argc, char *argv[])
{
uint32_t ret = 0;
int verbose = FALSE;
char * filename = NULL;
char *out_filename = NULL;
int i = 1;
char *ownerpass = NULL;
unsigned char ownerpasshash[TPM_HASH_SIZE];
unsigned char *ownerHashPtr = NULL;
struct stat _stat;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-o",argv[i])) {
i++;
if (i < argc) {
ownerpass = argv[i];
} else {
printf("Missing parameter for -o.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
} else
if (!strcmp("-?",argv[i])) {
usage();
exit(0);
} else {
break;
}
i++;
}
if (i + 1 < argc) {
filename = argv[i];
i++;
out_filename = argv[i+1];
} else {
printf("Missing parameter: filename(s)\n");
usage();
exit(-1);
}
if (NULL != ownerpass) {
TSS_sha1(ownerpass, strlen(ownerpass), ownerpasshash);
ownerHashPtr = ownerpasshash;
}
if (0 == stat(filename, &_stat)) {
unsigned char *blob = malloc(_stat.st_size);
uint32_t blobSize = _stat.st_size;
unsigned char outBlob[1024];
uint32_t outBlobSize = sizeof(outBlob);
FILE *f;
if (NULL == blob) {
printf("Could not allocate memory!\n");
exit(-1);
}
f = fopen(filename, "rb");
if (NULL == f) {
printf("Could not open file for reading.\n");
exit(-1);
}
if (blobSize != fread(blob, 1, blobSize, f)) {
printf("Could not read the file.\n");
fclose(f);
exit(-1);
}
fclose(f);
ret = TPM_Delegate_UpdateVerification(blob, blobSize,
ownerHashPtr,
outBlob,&outBlobSize);
if ( ret != 0) {
printf("Error '%s' from Delegate_UpdateVerification.\n",
TPM_GetErrMsg(ret));
exit(-1);
} else {
printf("Successfully loaded the blob.\n");
f = fopen(out_filename, "wb");
if (NULL != f) {
if (outBlobSize != fwrite(outBlob,
1,
outBlobSize,
f)) {
fclose(f);
printf("Error, could not write to file!\n");
exit(-1);
} else {
printf("Successfully wrote blob to file.\n");
}
fclose(f);
}
}
} else {
printf("Error, file %s not accessible.\n",filename);
}
exit(ret);
}
int main(int argc, char *argv[])
{
int ret;
uint32_t parhandle; /* handle of parent key */
unsigned char passhash[TPM_HASH_SIZE]; /* hash of parent key password */
unsigned char datahash[TPM_HASH_SIZE]; /* hash of data file */
unsigned char sig[4096]; /* resulting signature */
uint32_t siglen; /* signature length */
unsigned char *passptr;
char *indata;
FILE *sigfile;
int nxtarg;
nxtarg = ParseArgs(argc, argv);
if (argc < (nxtarg + 3) ) usage();
TPM_setlog(0); /* turn off verbose output */
/*
** convert parent key handle from hex
*/
ret = sscanf(argv[nxtarg+0],"%x",&parhandle);
if (ret != 1)
{
printf("Invalid argument '%s'\n",argv[nxtarg+0]);
exit(2);
}
/*
** use the SHA1 hash of the password string as the Key Authorization Data
*/
if (keypass != NULL)
{
TSS_sha1(keypass,strlen(keypass),passhash);
passptr = passhash;
}
else passptr = NULL;
/*
** read and hash the message
*/
indata = argv[nxtarg+1];
if (indata == NULL)
{
printf("Unable to get input data'\n");
exit(-2);
}
TSS_sha1(indata,strlen(indata),datahash);
ret = TPM_Sign(parhandle, /* Key Handle */
passptr, /* key Password */
datahash,sizeof (datahash), /* data to be signed, length */
sig,&siglen); /* buffer to receive sig, int to receive sig length */
if (ret != 0)
{
printf("Error %s from TPM_Sign\n",TPM_GetErrMsg(ret));
exit(1);
}
sigfile = fopen(argv[nxtarg+2],"wb");
if (sigfile == NULL)
{
printf("Unable to open output file '%s'\n",argv[nxtarg+2]);
exit(4);
}
ret = fwrite(sig,1,siglen,sigfile);
if (ret != (int)siglen)
{
printf("I/O Error while writing output file '%s'\n",argv[nxtarg+2]);
exit(5);
}
fclose(sigfile);
exit(0);
}
int main(int argc, char * argv[]) {
char * ownerpass = NULL;
char * counterpass = NULL;
unsigned char * passptr1 = NULL;
unsigned char * passptr2 = NULL;
unsigned char passhash1[20];
unsigned char passhash2[20];
uint32_t ret;
int i = 0;
uint32_t id = -1;
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-ix",argv[i])) {
i++;
if (i < argc) {
id = atoi(argv[i]);
} else {
printf("Missing mandatory parameter for -ix.\n");
usage();
}
} else
if (!strcmp("-pwdc",argv[i])) {
i++;
if (i < argc) {
counterpass = argv[i];
} else {
printf("Missing parameter for -pwdc.\n");
usage();
}
} else
if (!strcmp("-pwdo",argv[i])) {
i++;
if (i < argc) {
ownerpass = argv[i];
} else {
printf("Missing parameter for -pwdo.\n");
usage();
}
} else
if (!strcmp("-v",argv[i])) {
TPM_setlog(1);
} else
if (!strcmp("-h",argv[i])) {
usage();
} else {
printf("\n%s is not a valid option\n",argv[i]);
usage();
}
i++;
}
if ((NULL == counterpass && NULL == ownerpass) || (int)id < 0) {
printf("Input parameter missing!\n");
usage();
}
if (NULL != ownerpass) {
TSS_sha1(ownerpass,strlen(ownerpass),passhash1);
passptr1 = passhash1;
} else {
passptr1 = NULL;
}
if (NULL != counterpass) {
TSS_sha1(counterpass,strlen(counterpass),passhash2);
passptr2 = passhash2;
} else {
passptr2 = NULL;
}
if (counterpass != NULL) {
ret= TPM_ReleaseCounter(id,
passptr2);
if (0 != ret) {
printf("Got error '%s' (0x%x) from TPM_ReleaseCounter.\n",
TPM_GetErrMsg(ret),
ret);
}
} else {
ret = TPM_ReleaseCounterOwner(id,
passptr1);
if (0 != ret) {
printf("Got error '%s' (0x%x) from TPM_ReleaseCounterOwner.\n",
TPM_GetErrMsg(ret),
ret);
}
}
if (0 == ret) {
printf("Successfully released the counter.\n");
}
return ret;
}
int main(int argc, char * argv[]) {
char * counterpass = NULL;
unsigned char * passptr1 = NULL;
unsigned char passhash1[20];
uint32_t ret;
int i = 0;
uint32_t id = 0xffffffff;
unsigned char buffer[10];
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-ix",argv[i])) {
i++;
if (i < argc) {
id = atoi(argv[i]);
} else {
printf("Missing mandatory parameter for -ix.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-pwdc",argv[i])) {
i++;
if (i < argc) {
counterpass = argv[i];
} else {
printf("Missing parameter for -pwdc.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-v",argv[i])) {
TPM_setlog(1);
} else
if (!strcmp("-h",argv[i])) {
usage();
exit(-1);
} else {
printf("\n%s is not a valid option\n",argv[i]);
usage();
exit(-1);
}
i++;
}
if (NULL == counterpass || id == 0xffffffff) {
printf("Input parameters wrong or missing!\n");
usage();
exit(-1);
}
printf("Using counterpass: %s\n",counterpass);
TSS_sha1(counterpass,strlen(counterpass),passhash1);
passptr1 = passhash1;
/*
* increment a counter
*/
for (i = 0 , ret = TPM_RETRY ; (ret == TPM_RETRY) && (i < 7) ; i++) {
ret = TPM_IncrementCounter(id,
passptr1,
buffer);
/* must be able to increment once every 5 seconds */
if (ret == TPM_RETRY) {
#ifdef TPM_POSIX
sleep(1);
#endif
#ifdef TPM_WINDOWS
Sleep(1000);
#endif
}
}
if (0 != ret) {
printf("Got error '%s' (0x%x) from TPM_IncrementCounter.\n",
TPM_GetErrMsg(ret),
ret);
} else {
printf("Value of the counter: ");
i = 0;
while (i < (int)sizeof(buffer)){
printf("%02x",buffer[i]);
i++;
}
printf("\n");
}
if (ret > 255) {
ret = -1;
}
return ret;
}
int main(int argc, char *argv[])
{
uint32_t ret;
STACK_TPM_BUFFER(resp);
int index = 0;
STACK_TPM_BUFFER( subcap );;
TPM_setlog(0); /* turn off verbose output */
ParseArgs(argc, argv);
while ((int)matrx[index].cap != -1) {
if (cap == matrx[index].cap) {
break;
}
index++;
}
if (-1 == (int)matrx[index].cap) {
printf("Unknown or unsupported capability!\n");
exit(-1);
}
subcap.used = 0;
if (matrx[index].subcap_size > 0) {
if ((int)scap == -1) {
printf("Need subcap parameter for this capability!\n");
exit(-1);
}
if (0 == prepare_subcap(cap, &subcap, scap)) {
if (2 == matrx[index].subcap_size) {
STORE16(subcap.buffer,0,scap);
subcap.used = 2;
} else
if (matrx[index].subcap_size >= 4) {
STORE32(subcap.buffer,0,scap);
subcap.used = 4;
}
}
}
#if 0
/* This was for VTPM extensions and needs retest */
if (cap == TPM_CAP_MFR) {
int idx2 = 0;
while ((int)mfr_matrix[idx2].cap != -1) {
if (mfr_matrix[idx2].cap == scap) {
break;
}
idx2++;
}
if (mfr_matrix[idx2].subcap_size > 0) {
uint32_t used = subcap.used +
mfr_matrix[idx2].subcap_size;
while (subcap.used < used) {
if (argc <= nxtarg) {
printf("Need one more parameter for this "
"capability!\n");
exit(-1);
}
if (!strncmp("0x",argv[nxtarg],2)) {
sscanf(argv[nxtarg],"%x",&sscap);
} else {
sscanf(argv[nxtarg],"%d",&sscap);
}
nxtarg++;
if (2 == matrx[index].subcap_size) {
STORE16(subcap.buffer,
subcap.used,sscap);
subcap.used += 2;
} else
if (matrx[index].subcap_size >= 4) {
STORE32(subcap.buffer,
subcap.used,sscap);
subcap.used += 4;
}
}
}
}
#endif
if (0 == sikeyhandle) {
ret = TPM_GetCapability(cap,
&subcap,
&resp);
if (0 != ret) {
printf("TPM_GetCapability returned %s.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
} else {
unsigned char antiReplay[TPM_HASH_SIZE];
unsigned char signature[2048];
uint32_t signaturelen = sizeof(signature);
pubkeydata pubkey;
RSA * rsa;
unsigned char sighash[TPM_HASH_SIZE];
unsigned char * buffer = NULL;
unsigned char * sigkeyhashptr = NULL;
unsigned char sigkeypasshash[TPM_HASH_SIZE];
if (NULL != sikeypass) {
TSS_sha1(sikeypass,strlen(sikeypass),sigkeypasshash);
sigkeyhashptr = sigkeypasshash;
}
TSS_gennonce(antiReplay);
ret = TPM_GetPubKey(sikeyhandle,
sigkeyhashptr,
&pubkey);
if (0 != ret) {
printf("Error while trying to access the signing key's public key.\n");
exit(-1);
}
rsa = TSS_convpubkey(&pubkey);
ret = TPM_GetCapabilitySigned(sikeyhandle,
sigkeyhashptr,
antiReplay,
cap,
&subcap,
&resp,
signature, &signaturelen);
if (0 != ret) {
printf("TPM_GetCapabilitySigned returned %s.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
buffer = malloc(resp.used+TPM_NONCE_SIZE);
if (NULL == buffer) {
printf("Could not allocate buffer.\n");
exit(-1);
}
memcpy(&buffer[0], resp.buffer, resp.used);
memcpy(&buffer[resp.used], antiReplay, TPM_NONCE_SIZE);
TSS_sha1(buffer,
resp.used+TPM_NONCE_SIZE,
sighash);
free(buffer);
ret = RSA_verify(NID_sha1,
sighash,TPM_HASH_SIZE,
signature,signaturelen,
rsa);
if (1 != ret) {
printf("Error: Signature verification failed.\n");
exit(-1);
}
}
if (0 == resp.used) {
printf("Empty response.\n");
} else {
if (-1 == (int)scap) {
printf("Result for capability 0x%x is : ",cap);
} else {
printf("Result for capability 0x%x, subcapability 0x%x is : ",cap,scap);
}
if (TYPE_BOOL == matrx[index].result_size) {
if (resp.buffer[0] == 0) {
printf("FALSE\n");
} else {
printf("TRUE\n");
}
} else
if (TYPE_UINT32 == matrx[index].result_size) {
uint32_t rsp;
rsp = LOAD32(resp.buffer,0);
printf("0x%08X = %d\n",rsp,rsp);
} else
if (TYPE_UINT32_ARRAY == matrx[index].result_size) {
int i = 0;
printf("\n");
while (i+3 < (int)resp.used) {
uint32_t rsp = LOAD32(resp.buffer,i);
i+=4;
if (TPM_CAP_NV_LIST == cap) {
/* don't zero extend, grep needs the exact value for test suite */
printf("%d. Index : %d = 0x%x.\n",
i/4,
rsp,
rsp);
} else
if (TPM_CAP_KEY_HANDLE == cap) {
printf("%d. keyhandle : %d.\n",
i/4,
rsp);
} else {
printf("%d. item : %d.\n",
i/4,
rsp);
}
}
} else
if (TYPE_STRUCTURE == matrx[index].result_size) {
switch(cap) {
case TPM_CAP_FLAG:
{
if (scap == TPM_CAP_FLAG_PERMANENT) {
TPM_PERMANENT_FLAGS pf;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadPermanentFlags(&tb, 0, &pf, resp.used);
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showPermanentFlags(&pf, resp.used);
} else
if (scap == TPM_CAP_FLAG_VOLATILE) {
TPM_STCLEAR_FLAGS sf;
STACK_TPM_BUFFER(tb);
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadSTClearFlags(&tb, 0, &sf);
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showVolatileFlags(&sf);
}
}
break;
case TPM_CAP_KEY_HANDLE:
{
uint16_t num = LOAD16(resp.buffer, 0);
uint32_t i = 0;
uint32_t handle;
printf("\n");
while (i < num) {
handle = LOAD32(resp.buffer,2+i*4);
printf("%d. handle: 0x%08X\n",
i,
handle);
i++;
}
}
break;
case TPM_CAP_NV_INDEX:
{
//char scratch_info[256];
unsigned char scratch_info[256];
uint32_t scratch_info_len;
TPM_NV_DATA_PUBLIC ndp;
uint32_t i, c;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadNVDataPublic(&tb,
0,
&ndp);
if ( ( ret & ERR_MASK) != 0) {
printf("Could not deserialize the TPM_NV_DATA_PUBLIC structure.\n");
exit(-1);
}
printf("permission.attributes : %08X\n",(unsigned int)ndp.permission.attributes);
printf("ReadSTClear : %02X\n",ndp.bReadSTClear);
printf("WriteSTClear : %02X\n",ndp.bWriteSTClear);
printf("WriteDefine : %02X\n",ndp.bWriteDefine);
printf("dataSize : %08X = %d",(unsigned int)ndp.dataSize,
(unsigned int)ndp.dataSize);
c = 0;
for (i = 0; i < ndp.pcrInfoRead.pcrSelection.sizeOfSelect*8; i++) {
if (ndp.pcrInfoRead.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) {
if (!c)
printf("\nRead PCRs selected: ");
else
printf(", ");
printf("%d", i);
c++;
}
}
if (c) {
char pcrmap[4], *pf;
memcpy(pcrmap, ndp.pcrInfoRead.pcrSelection.pcrSelect,
ndp.pcrInfoRead.pcrSelection.sizeOfSelect);
// printf("\npcrmap: %02x%02x%02x%02x\n", pcrmap[0], pcrmap[1],
// pcrmap[2], pcrmap[3]);
ret = TSS_GenPCRInfo(*(uint32_t *)pcrmap,
scratch_info,
&scratch_info_len);
printf("\nRead PCR Composite: ");
for (i = 0; i < 20; i++)
printf("%02x", ndp.pcrInfoRead.digestAtRelease[i] & 0xff);
printf("\n");
#if 1
pf = &scratch_info[5];
printf("\nCurrent PCR composite: ");
for (i = 0; i < 20; i++)
//printf("%02x", scratch_info.digestAtRelease[i] & 0xff);
printf("%02x", pf[i] & 0xff);
printf("\n");
#endif
if (!ret) {
printf("Matches current TPM state: ");
if (!memcmp(&scratch_info[5],
&ndp.pcrInfoRead.digestAtRelease,
20)) {
printf("Yes\n");
} else {
printf("No\n");
}
}
}
c = 0;
for (i = 0; i < ndp.pcrInfoWrite.pcrSelection.sizeOfSelect*8; i++) {
if (ndp.pcrInfoWrite.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) {
if (!c)
printf("\nWrite PCRs selected: ");
else
printf(", ");
printf("%d", i);
c++;
}
}
if (c) {
printf("\nWrite PCR Composite: ");
for (i = 0; i < 20; i++)
printf("%02x", ndp.pcrInfoWrite.digestAtRelease[i] & 0xff);
printf("\n");
}
}
break;
case TPM_CAP_HANDLE:
{
uint16_t num = LOAD16(resp.buffer, 0);
uint16_t x = 0;
while (x < num) {
uint32_t handle = LOAD32(resp.buffer,
sizeof(num)+4*x);
printf("%02d. 0x%08X\n",x,handle);
x++;
}
}
break;
case TPM_CAP_VERSION_VAL:
{
int i = 0;
TPM_CAP_VERSION_INFO cvi;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadCapVersionInfo(&tb,
0,
&cvi);
if ( ( ret & ERR_MASK) != 0) {
printf("Could not read the version info structure.\n");
exit(-1);
}
printf("\n");
printf("major : 0x%02X\n",cvi.version.major);
printf("minor : 0x%02X\n",cvi.version.minor);
printf("revMajor : 0x%02X\n",cvi.version.revMajor);
printf("revMinor : 0x%02X\n",cvi.version.revMinor);
printf("specLevel : 0x%04X\n",cvi.specLevel);
printf("errataRev : 0x%02X\n",cvi.errataRev);
printf("VendorID : ");
while (i < 4) {
printf("%02X ",cvi.tpmVendorID[i]);
i++;
}
printf("\n");
/* Print vendor ID in text if printable */
for (i=0 ; i<4 ; i++) {
if (isprint(cvi.tpmVendorID[i])) {
if (i == 0) {
printf("VendorID : ");
}
printf("%c", cvi.tpmVendorID[i]);
}
else {
break;
}
}
printf("\n");
printf("[not displaying vendor specific information]\n");
}
break;
#if 0 /* kgold: I don't think these are valid cap values */
case TPM_CAP_FLAG_PERMANENT:
{
TPM_PERMANENT_FLAGS pf;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
if (resp.used == 21) {
ret = TPM_ReadPermanentFlagsPre103(&tb, 0, &pf);
} else {
ret = TPM_ReadPermanentFlags(&tb, 0, &pf);
}
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showPermanentFlags(&pf, resp.used);
}
break;
case TPM_CAP_FLAG_VOLATILE:
{
TPM_STCLEAR_FLAGS sf;
STACK_TPM_BUFFER(tb);
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadSTClearFlags(&tb, 0, &sf);
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showVolatileFlags(&sf);
}
break;
#endif
case TPM_CAP_DA_LOGIC:
{
uint32_t ctr;
TPM_BOOL lim = FALSE;
TPM_DA_INFO dainfo;
TPM_DA_INFO_LIMITED dainfo_lim;
STACK_TPM_BUFFER(tb);
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadDAInfo(&tb, 0, &dainfo);
if ( ( ret & ERR_MASK) != 0 || ret > resp.used) {
ret = TPM_ReadDAInfoLimited(&tb, 0, &dainfo_lim);
if ( (ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
} else {
lim = TRUE;
}
}
printf("\n");
if (lim) {
printf("State : %d\n",dainfo_lim.state);
printf("Actions : 0x%08x\n",dainfo_lim.actionAtThreshold.actions);
ctr = 0;
while (ctr < dainfo_lim.vendorData.size) {
printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]);
ctr++;
}
} else {
printf("State : %d\n",dainfo.state);
printf("currentCount : %d\n",dainfo.currentCount);
printf("thresholdCount : %d\n",dainfo.thresholdCount);
printf("Actions : 0x%08x\n",dainfo.actionAtThreshold.actions);
printf("actionDependValue : %d\n",dainfo.actionDependValue);
#if 0
ctr = 0;
while (ctr < dainfo_lim.vendorData.size) {
printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]);
ctr++;
}
#endif
}
}
break;
}
} else
if (TYPE_VARIOUS == matrx[index].result_size) {
switch(cap) {
case TPM_CAP_MFR:
switch (scap) {
case TPM_CAP_PROCESS_ID:
{
uint32_t rsp;
rsp = LOAD32(resp.buffer,0);
printf("%d\n",rsp);
}
break;
}
break; /* TPM_CAP_MFR */
default:
/* Show booleans */
if (scap == TPM_CAP_PROP_OWNER ||
scap == TPM_CAP_PROP_DAA_INTERRUPT
) {
if (0 == resp.buffer[0]) {
printf("FALSE\n");
} else {
printf("TRUE\n");
}
} else /* check for array of 4 UINTs */
if (scap == TPM_CAP_PROP_TIS_TIMEOUT /* ||
scap == TPM_CAP_PROP_TIMEOUTS */) {
int i = 0;
while (i < 4) {
uint32_t val = LOAD32(resp.buffer,i * 4);
printf("%d ",
val);
i++;
}
printf("\n");
} else /* check for TPM_STARTUP_EFFECTS */
if (scap == TPM_CAP_PROP_STARTUP_EFFECT) {
TPM_STARTUP_EFFECTS se = 0;
ret = TPM_ReadStartupEffects(resp.buffer,
&se);
if ( ( ret & ERR_MASK ) != 0 ) {
printf("Could not read startup effects structure.\n");
exit(-1);
}
printf("0x%08X=%d\n",
(unsigned int)se,
(unsigned int)se);
printf("\n");
printf("Startup effects:\n");
printf("Effect on audit digest: %s\n", (se & (1 << 7))
? "none"
: "active");
printf("Audit Digest on TPM_Startup(ST_CLEAR): %s\n", ( se & (1 << 6))
? "set to NULL"
: "not set to NULL" );
printf("Audit Digest on TPM_Startup(any) : %s\n", ( se & (1 << 5))
? "set to NULL"
: "not set to NULL" );
printf("TPM_RT_KEY resource initialized on TPM_Startup(ST_ANY) : %s\n", (se & ( 1 << 4))
? "yes"
: "no");
printf("TPM_RT_AUTH resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 3))
? "yes"
: "no");
printf("TPM_RT_HASH resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 2))
? "yes"
: "no");
printf("TPM_RT_TRANS resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 1))
? "yes"
: "no");
printf("TPM_RT_CONTEXT session initialized on TPM_Startup(ST_STATE): %s\n", (se & ( 1 << 0))
? "yes"
: "no");
} else /* check for array of 3 UINTs */
if (scap == TPM_CAP_PROP_DURATION) {
int i = 0;
while (i < 4*3) {
uint32_t val = LOAD32(resp.buffer,i);
printf("%d ",
val);
i+= 4;
}
printf("\n");
} else /* check for TPM_COUNT_ID */
if (scap == TPM_CAP_PROP_ACTIVE_COUNTER) {
uint32_t val = LOAD32(resp.buffer,0);
printf("0x%08X=%d",val,val);
if (0xffffffff == val) {
printf(" (no counter is active)");
}
printf("\n");
} else { /* just a single UINT32 */
printf("%ld=0x%08lX.\n",
(long)LOAD32(resp.buffer, 0),
(long)LOAD32(resp.buffer, 0));
}
}
}
}
printf("\n");
exit(0);
}
int main(int argc, char *argv[])
{
uint32_t ordinal = -1;
int ret;
int verbose = FALSE;
int i = 1;
unsigned char ownerAuth[TPM_DIGEST_SIZE];
char * ownerpass = NULL;
TPM_BOOL auditState = TRUE;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-o",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%d",&ordinal);
} else {
printf("Missing parameter for -o.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-p",argv[i])) {
i++;
if (i < argc) {
ownerpass = argv[i];
} else {
printf("Missing parameter for -p.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-d",argv[i])) {
auditState = FALSE;
}
else if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
usage();
exit(-1);
}
else {
printf("\n%s is not a valid option\n",argv[i]);
usage();
exit(-1);
}
i++;
}
if (-1 == (int)ordinal ||
NULL == ownerpass) {
printf("Missing mandatory parameter.\n");
usage();
exit(-1);
}
TSS_sha1(ownerpass,strlen(ownerpass),ownerAuth);
ret = TPM_SetOrdinalAuditStatus(ordinal,
auditState,
ownerAuth);
if (ret != 0) {
printf("SetOrdinalAuditStatus returned error %s.\n",
TPM_GetErrMsg(ret));
}
exit(ret);
}
int main(int argc, char *argv[])
{
int ret;
struct stat sbuf;
unsigned char databuff[65535]; /* data read work buffer */
unsigned char datahash[20]; /* hash of data file */
unsigned char digest[20];
SHA_CTX sha;
FILE *datafile;
const char *datafilename = NULL;
FILE *sigfile;
const char *sigfilename = NULL;
FILE *keyfile;
const char *kfilename = NULL;
EVP_PKEY *pkey;
RSA *rsa;
uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1;
int plain;
unsigned char padded[4096];
unsigned char plainarray[4096];
TPM_SIGN_INFO tsi;
STACK_TPM_BUFFER(tsi_ser);
STACK_TPM_BUFFER(signature);
int i;
for (i=1 ; i<argc ; i++) {
if (!strcmp(argv[i], "-ss")) {
i++;
if (i < argc) {
if (!strcmp(argv[i], "info")) {
sigscheme = TPM_SS_RSASSAPKCS1v15_INFO;
}
else if (!strcmp(argv[i], "der")) {
sigscheme = TPM_SS_RSASSAPKCS1v15_DER;
}
else {
printf("Bad parameter for -ss\n");
printUsage();
}
}
else {
printf("Missing parameter for -ss\n");
printUsage();
}
}
else if (strcmp(argv[i],"-if") == 0) {
i++;
if (i < argc) {
datafilename = argv[i];
}
else {
printf("-if option needs a value\n");
printUsage();
exit(2);
}
}
else if (strcmp(argv[i],"-is") == 0) {
i++;
if (i < argc) {
sigfilename = argv[i];
}
else {
printf("-is option needs a value\n");
printUsage();
}
}
else if (strcmp(argv[i],"-ik") == 0) {
i++;
if (i < argc) {
kfilename = argv[i];
}
else {
printf("-ik option needs a value\n");
printUsage();
exit(2);
}
}
else if (!strcmp(argv[i], "-h")) {
printUsage();
}
else if (!strcmp(argv[i], "-v")) {
TPM_setlog(1);
}
else {
printf("\n%s is not a valid option\n", argv[i]);
printUsage();
}
}
if ((datafilename == NULL) ||
(sigfilename == NULL) ||
(kfilename == NULL)) {
printf("Missing parameter\n");
printUsage();
}
/*
** read and hash the data file
*/
datafile = fopen(datafilename,"rb");
if (datafile == NULL)
{
printf("Unable to open data file '%s'\n",datafilename);
exit(2);
}
SHA1_Init(&sha);
for (;;)
{
ret = fread(databuff,1,sizeof databuff,datafile);
if (ret < 0)
{
printf("I/O Error while reading data file '%s'\n",datafilename);
exit(3);
}
SHA1_Update(&sha,databuff,ret);
if (ret < (int)sizeof(databuff)) break;
}
fclose(datafile);
SHA1_Final(datahash,&sha);
/*
** get size of signature file
*/
stat(sigfilename,&sbuf);
signature.used = (int)sbuf.st_size;
sigfile = fopen(sigfilename,"rb");
if (sigfile == NULL)
{
printf("Unable to open signature file '%s'\n",sigfilename);
exit(4);
}
/*
** read the signature file
*/
ret = fread(signature.buffer,1,signature.used,sigfile);
if (ret != (int)signature.used)
{
printf("I/O Error while reading signature file '%s'\n",sigfilename);
exit(5);
}
fclose(sigfile);
/*
** read the key file
*/
keyfile = fopen(kfilename,"rb");
if (keyfile == NULL)
{
printf("Unable to open public key file '%s'\n",kfilename);
exit(6);
}
pkey = PEM_read_PUBKEY(keyfile,NULL,NULL,NULL);
if (pkey == NULL)
{
printf("I/O Error while reading public key file '%s'\n",kfilename);
exit(7);
}
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
{
printf("Error while converting public key \n");
exit(8);
}
switch (sigscheme) {
default:
case TPM_SS_RSASSAPKCS1v15_SHA1:
ret = RSA_verify(NID_sha1,datahash,20,
signature.buffer,signature.used,
rsa);
if (ret != 1) {
printf("Verification Failed\n");
exit(100);
}
break;
case TPM_SS_RSASSAPKCS1v15_DER:
plain = RSA_public_decrypt(signature.used, signature.buffer,
plainarray, rsa, RSA_NO_PADDING);
if (plain == -1) {
printf("Verification (DER) had an error\n");
exit(100);
}
ret = RSA_padding_add_PKCS1_type_1(padded,plain,datahash,sizeof(datahash));
if (ret != 1) {
printf("Could not add the padding.\n");
exit(100);
}
if (memcmp(padded, plainarray, plain) != 0) {
printf("Verfication (DER) failed.\n");
exit(100);
}
break;
case TPM_SS_RSASSAPKCS1v15_INFO:
// the nonce is the digest of the hashed data!!
TSS_sha1(datahash, 20, digest);
tsi.tag = TPM_TAG_SIGNINFO;
memcpy(tsi.fixed,"SIGN",4);
tsi.data.size = TPM_HASH_SIZE;
tsi.data.buffer = datahash;
memcpy(tsi.replay, digest, TPM_HASH_SIZE);
/* need to calcualte the digest of the TPM_SIGN_INFO structure */
ret = TPM_WriteSignInfo(&tsi_ser, &tsi);
if ((ret & ERR_MASK)) {
printf("Could not serialize TPM_SIGN_INFO structure.\n");
exit(100);
}
ret = TPM_ValidateSignature(sigscheme,
&tsi_ser,
&signature,
rsa);
if (ret != 0) {
printf("Verification (INFO) failed.\n");
exit(-1);
}
break;
}
RSA_free(rsa);
EVP_PKEY_free(pkey);
exit(0);
}
int main(int argc, char *argv[])
{
int ret;
unsigned char hashpass1[TPM_HASH_SIZE]; /* hash of new key password */
unsigned char hashpass2[TPM_HASH_SIZE]; /* hash of migration password */
keydata k; /* keydata structure for input key parameters */
keydata q; /* keydata structure for resulting key */
RSA *rsa; /* OpenSSL format Public Key */
FILE *keyfile; /* output file for public key */
FILE *blbfile; /* output file for encrypted blob */
EVP_PKEY *pkey = NULL; /* OpenSSL public key */
char filename[256]; /* file name string of public key file */
unsigned char blob[4096]; /* area to hold key blob */
uint32_t bloblen; /* key blob length */
unsigned char *aptr1 = NULL;
unsigned char *aptr2 = NULL;
int nxtarg;
TPM_setlog(0); /* turn off verbose output */
/*
** parse command line
*/
nxtarg = ParseArgs(argc, argv);
(void)nxtarg;
if ((digestfilename == NULL) ||
(keyname == NULL) ||
(parhandle == 0)) {
printf("Missing parameter\n");
printUsage();
}
if (-1 == readHMACandDigest(digestfilename, migAuthApproval, migAuthDigest)) {
printf("Error reading from file %s.\n", digestfilename);
exit(-1);
}
/*
** convert parent key handle from hex
*/
/*
** use the SHA1 hash of the password string as the Parent Key Authorization Data
*/
if (parpass != NULL) { TSS_sha1(parpass,strlen(parpass),hashpass1); aptr1 = hashpass1; }
/*
** use the SHA1 hash of the password string as the Key Authorization Data
*/
if (keypass != NULL) { TSS_sha1(keypass,strlen(keypass),hashpass2); aptr2 = hashpass2; }
/*
** initialize new key parameters
*/
k.v.tag = TPM_TAG_KEY12;
k.keyFlags = TPM_MIGRATABLE | TPM_MIGRATEAUTHORITY;
if (keypass != NULL)
k.authDataUsage = 1; /* key requires authorization (password) */
else
k.authDataUsage = 0; /* key requires no authorization (password) */
k.encData.size = 0; /* no private key specified here */
k.pub.algorithmParms.algorithmID = TPM_ALG_RSA; /* key algorithm 1 = RSA */
if (keytype == 's') {
k.keyUsage = TPM_KEY_SIGNING; /* key Usage - 0x0010 = signing */
k.pub.algorithmParms.encScheme = TPM_ES_NONE; /* encryption scheme 1 = NONE - signing key */
k.pub.algorithmParms.sigScheme = TPM_SS_RSASSAPKCS1v15_SHA1; /* signature scheme RSA/SHA1 */
}
else if (keytype == 'd') {
k.keyUsage = TPM_KEY_SIGNING; /* key Usage - 0x0010 = signing */
k.pub.algorithmParms.encScheme = TPM_ES_NONE; /* encryption scheme 1 = NONE - signing key */
k.pub.algorithmParms.sigScheme = TPM_SS_RSASSAPKCS1v15_DER; /* signature scheme RSA/DER */
}
else if (keytype == 'i') {
k.keyUsage = TPM_KEY_SIGNING; /* key Usage - 0x0010 = signing */
k.pub.algorithmParms.encScheme = TPM_ES_NONE; /* encryption scheme 1 = NONE - signing key */
k.pub.algorithmParms.sigScheme = TPM_SS_RSASSAPKCS1v15_INFO; /* signature scheme RSA/INFO */
}
else if (keytype == 'e') {
k.keyUsage = TPM_KEY_STORAGE; /* key Usage - 0x0011 = encryption */
k.pub.algorithmParms.encScheme = TPM_ES_RSAESOAEP_SHA1_MGF1; /* encryption scheme 3 RSA */
k.pub.algorithmParms.sigScheme = TPM_SS_NONE; /* signature scheme NONE */
}
else if (keytype == 'b') {
k.keyUsage = TPM_KEY_BIND; /* key Usage - 0x0014 = bind */
k.pub.algorithmParms.encScheme = TPM_ES_RSAESOAEP_SHA1_MGF1; /* encryption scheme 3 RSA */
k.pub.algorithmParms.sigScheme = TPM_SS_NONE; /* signature scheme none */
}
else if (keytype == 'l') {
k.keyUsage = TPM_KEY_LEGACY; /* key Usage - 0x0015 = legacy */
k.pub.algorithmParms.encScheme = TPM_ES_RSAESOAEP_SHA1_MGF1; /* encryption scheme 3 RSA */
k.pub.algorithmParms.sigScheme = TPM_SS_RSASSAPKCS1v15_SHA1; /* signature scheme RSA/SHA1 */
}
else if (keytype == 'm') {
k.keyUsage = TPM_KEY_MIGRATE; /* key Usage - 0x0016 = migration */
k.pub.algorithmParms.encScheme = TPM_ES_RSAESOAEP_SHA1_MGF1; /* encryption scheme 3 RSA */
k.pub.algorithmParms.sigScheme = TPM_SS_NONE; /* signature scheme RSA/SHA1 */
}
else {
printUsage();
}
k.pub.algorithmParms.u.rsaKeyParms.keyLength = keysize; /* RSA modulus size 2048 bits */
k.pub.algorithmParms.u.rsaKeyParms.numPrimes = 2; /* required */
k.pub.algorithmParms.u.rsaKeyParms.exponentSize = 0; /* RSA exponent - default 0x010001 */
k.pub.pubKey.keyLength = 0; /* key not specified here */
k.pub.pcrInfo.size = 0; /* no PCR's used at this time */
/*
** create and wrap an asymmetric key and get back the
** resulting keydata structure with the public and encrypted
** private keys filled in by the TPM
*/
bloblen = sizeof(blob);
ret = TPM_CMK_CreateKey(parhandle,
aptr1,
aptr2,
&k,
migAuthApproval,
migAuthDigest,
&q,
blob,
&bloblen);
if (ret != 0) {
printf("Error %s from TPM_CMK_CreateKey\n",
TPM_GetErrMsg(ret));
exit(-2);
}
sprintf(filename,"%s.key",keyname);
blbfile = fopen(filename,"wb+");
if (blbfile == NULL) {
printf("Unable to create key file\n");
exit(-3);
}
ret = fwrite(blob,1,bloblen,blbfile);
if (ret != (int)bloblen) {
printf("I/O Error writing key file\n");
exit(-4);
}
fclose(blbfile);
/*
** convert the returned public key to OpenSSL format and
** export it to a file
*/
rsa = TSS_convpubkey(&(q.pub));
if (rsa == NULL) {
printf("Error from TSS_convpubkey\n");
exit(-5);
}
OpenSSL_add_all_algorithms();
pkey = EVP_PKEY_new();
if (pkey == NULL) {
printf("Unable to create EVP_PKEY\n");
exit(-6);
}
ret = EVP_PKEY_assign_RSA(pkey,rsa);
if (ret == 0) {
printf("Unable to assign public key to EVP_PKEY\n");
exit(-7);
}
sprintf(filename,"%s.pem",keyname);
keyfile = fopen(filename,"wb");
if (keyfile == NULL) {
printf("Unable to create public key file\n");
exit(-8);
}
ret = PEM_write_PUBKEY(keyfile,pkey);
if (ret == 0) {
printf("I/O Error writing public key file\n");
exit(-9);
}
fclose(keyfile);
EVP_PKEY_free(pkey);
exit(0);
}
int main(int argc, char *argv[])
{
int ret;
unsigned char pass1hash[20];
unsigned char pass2hash[20];
keydata srk;
RSA *rsa; /* OpenSSL format Public Key */
FILE *keyfile; /* output file for public key */
EVP_PKEY *pkey = NULL; /* OpenSSL public key */
if (argc < 2)
{
printf("Usage: takeown <owner password> [<storage root key password>]\n");
exit(1);
}
TPM_setlog(0); /* turn off verbose output */
/*
** use the SHA1 hash of the password string as the Owner Authorization Data
*/
TSS_sha1((unsigned char*)argv[1],strlen(argv[1]),pass1hash);
/*
** use the SHA1 hash of the password string as the SRK Authorization Data
*/
if (argc > 2)
{
TSS_sha1((unsigned char *)argv[2],strlen(argv[2]),pass2hash);
ret = TPM_TakeOwnership12(pass1hash,pass2hash,&srk);
}
else
{
TSS_sha1((unsigned char *)"SRK PWD",8,pass2hash); /* hard code for tpmdiag */
ret = TPM_TakeOwnership12(pass1hash,pass2hash,&srk);
}
if (ret != 0)
{
printf("Error %s from TPM_TakeOwnership\n",TPM_GetErrMsg(ret));
exit(2);
}
/*
** convert the returned public key to OpenSSL format and
** export it to a file
*/
rsa = TSS_convpubkey(&(srk.pub));
if (rsa == NULL)
{
printf("Error from TSS_convpubkey\n");
exit(3);
}
OpenSSL_add_all_algorithms();
pkey = EVP_PKEY_new();
if (pkey == NULL) {
printf("Unable to create EVP_PKEY\n");
exit(4);
}
ret = EVP_PKEY_assign_RSA(pkey,rsa);
keyfile = fopen("srk.pem","wb");
if (keyfile == NULL)
{
printf("Unable to create public key file\n");
exit(5);
}
ret = PEM_write_PUBKEY(keyfile,pkey);
if (ret == 0)
{
printf("Unable to write public key file\n");
exit(6);
}
fclose(keyfile);
EVP_PKEY_free(pkey);
exit(0);
}
/*
* Have the TPM seal(encrypt) the trusted key, possibly based on
* Platform Configuration Registers (PCRs). AUTH1 for sealing key.
*/
static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
uint32_t keyhandle, const unsigned char *keyauth,
const unsigned char *data, uint32_t datalen,
unsigned char *blob, uint32_t *bloblen,
const unsigned char *blobauth,
const unsigned char *pcrinfo, uint32_t pcrinfosize)
{
struct osapsess sess;
struct tpm_digests *td;
unsigned char cont;
uint32_t ordinal;
uint32_t pcrsize;
uint32_t datsize;
int sealinfosize;
int encdatasize;
int storedsize;
int ret;
int i;
/* alloc some work space for all the hashes */
td = kmalloc(sizeof *td, GFP_KERNEL);
if (!td)
return -ENOMEM;
/* get session for sealing key */
ret = osap(tb, &sess, keyauth, keytype, keyhandle);
if (ret < 0)
goto out;
dump_sess(&sess);
/* calculate encrypted authorization value */
memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
if (ret < 0)
goto out;
ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE);
if (ret != TPM_NONCE_SIZE)
goto out;
ordinal = htonl(TPM_ORD_SEAL);
datsize = htonl(datalen);
pcrsize = htonl(pcrinfosize);
cont = 0;
/* encrypt data authorization key */
for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
td->encauth[i] = td->xorhash[i] ^ blobauth[i];
/* calculate authorization HMAC value */
if (pcrinfosize == 0) {
/* no pcr info specified */
ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
sess.enonce, td->nonceodd, cont,
sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
td->encauth, sizeof(uint32_t), &pcrsize,
sizeof(uint32_t), &datsize, datalen, data, 0,
0);
} else {
/* pcr info specified */
ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
sess.enonce, td->nonceodd, cont,
sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
td->encauth, sizeof(uint32_t), &pcrsize,
pcrinfosize, pcrinfo, sizeof(uint32_t),
&datsize, datalen, data, 0, 0);
}
if (ret < 0)
goto out;
/* build and send the TPM request packet */
INIT_BUF(tb);
store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
store32(tb, TPM_ORD_SEAL);
store32(tb, keyhandle);
storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
store32(tb, pcrinfosize);
storebytes(tb, pcrinfo, pcrinfosize);
store32(tb, datalen);
storebytes(tb, data, datalen);
store32(tb, sess.handle);
storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
store8(tb, cont);
storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
if (ret < 0)
goto out;
/* calculate the size of the returned Blob */
sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
sizeof(uint32_t) + sealinfosize);
storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
sizeof(uint32_t) + encdatasize;
/* check the HMAC in the response */
ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
0);
/* copy the returned blob to caller */
if (!ret) {
memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
*bloblen = storedsize;
}
out:
kfree(td);
return ret;
}
int main(int argc, char *argv[])
{
unsigned char passhash1[20];
char * ownerpass = NULL;
char * filename = NULL;
int ret;
int verbose = FALSE;
TPM_MSA_COMPOSITE msaList = {0, NULL};
unsigned char migAuthDigest[TPM_DIGEST_SIZE];
unsigned char hmac[TPM_DIGEST_SIZE];
char * msa_list_filename = NULL;
int i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-pwdo",argv[i])) {
i++;
if (i < argc) {
ownerpass = argv[i];
} else {
printf("Missing parameter for -pwdo.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-of",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing parameter for -of.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-msa",argv[i])) {
i++;
if (i < argc) {
msa_list_filename = argv[i];
} else {
printf("Missing parameter for -msa.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-ik",argv[i])) {
i++;
if (i < argc) {
if (0 != addKeyToMSAList(&msaList,argv[i])) {
exit(-1);
}
} else {
printf("Missing parameter for -ik.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
} else
if (!strcmp("-h",argv[i])) {
usage();
exit(-1);
} else {
printf("\n%s is not a valid option\n",argv[i]);
usage();
exit(-1);
}
i++;
}
(void)verbose;
if (NULL == ownerpass ||
msaList.MSAlist == 0 ||
NULL == filename) {
printf("Missing argument.\n");
usage();
exit(-1);
}
if (NULL != ownerpass) {
TSS_sha1(ownerpass,strlen(ownerpass),passhash1);
}
TPM_HashMSAComposite(&msaList, migAuthDigest);
ret = TPM_CMK_ApproveMA(migAuthDigest,
passhash1,
hmac);
if (0 != ret) {
printf("CMK_ApproveMA returned error '%s' (%d).\n",
TPM_GetErrMsg(ret),
ret);
} else {
FILE * f = fopen(filename, "wb+");
if (f != NULL) {
if (TPM_DIGEST_SIZE == fwrite(hmac, 1, TPM_DIGEST_SIZE, f) &&
TPM_DIGEST_SIZE == fwrite(migAuthDigest, 1, TPM_DIGEST_SIZE, f) ) {
printf("Successfully wrote HMAC and digest to %s.\n",
filename);
}
fclose(f);
} else {
printf("Could not open file %s for writing.\n",
filename);
}
}
if (NULL != msa_list_filename) {
struct tpm_buffer * buffer = TSS_AllocTPMBuffer(sizeof(msaList) + msaList.MSAlist * TPM_HASH_SIZE);
if (NULL != buffer) {
uint32_t len = TPM_WriteMSAComposite(buffer, &msaList);
FILE * f = fopen(msa_list_filename, "wb");
if (NULL != f) {
fwrite(buffer->buffer,len,1, f);
printf("Successfully wrote msa list to %s.\n",
msa_list_filename);
fclose(f);
} else {
printf("Could not open file %s for writing.\n",
msa_list_filename);
}
TSS_FreeTPMBuffer(buffer);
}
}
exit(ret);
}
static int check_tpm(void)
{
unsigned char keybuf[TPM_MAX_KEY_SIZE];
unsigned char pcrvalue[TPM_AUTH_SIZE];
unsigned char srkauth[TPM_AUTH_SIZE];
uint32_t ret, srk_handle;
unsigned int keylen;
keydata k, key;
int tpmfp;
/* check /dev/tpm0 */
if ((tpmfp = open("/dev/tpm0", O_RDWR)) < 0) {
printf("Unable to open /dev/tpm0\n");
exit(-1);
}
close(tpmfp);
/* try a TPM_Reset (should work even if TPM disabled) */
if((ret=TPM_Reset())){
printf("TPM_Reset failed, error %s\n", TPM_GetErrMsg(ret));
exit(-2);
}
/* check if TPM enabled with TPM_PcrRead */
if((ret=TPM_PcrRead(0L,pcrvalue))){
printf("TPM_PcrRead failed, error %s\n", TPM_GetErrMsg(ret));
exit(-3);
}
/* check if TPM already has default IBM CSS owner */
srk_handle=TPM_SRK_HANDLE;
TSS_sha1((unsigned char *)SRKPASS,8,srkauth);
k.keyflags = 0;
k.authdatausage = 0; /* key requires no password */
k.privkeylen = 0; /* no private key specified here */
k.pub.algorithm = 0x00000099; /* BOGUS ALG */
k.keyusage = 0x0014; /* key Usage - 0x0014 = bind */
k.pub.encscheme = 0x0003; /* encryption scheme 3 RSA */
k.pub.sigscheme = 0x0001; /* signature scheme none */
k.pub.keybitlen = 2048; /* RSA modulus size 2048 bits */
k.pub.numprimes = 2; /* required */
k.pub.expsize = 0; /* RSA exponent - default 0x010001 */
k.pub.keylength = 0; /* key not specified here */
k.pub.pcrinfolen = 0; /* no PCR's used at this time */
ret=TPM_CreateWrapKey(srk_handle,srkauth,
NULL,NULL, &k,&key,keybuf,&keylen);
if(ret==TPM_AUTHFAIL){
printf("TPM already has unknown owner\n"),
exit(-4);
}
if(ret==TPM_BAD_KEY_PROPS){
printf("TPM is already IBM CSS managed\n");
return(0);
}
if(ret==TPM_NOSRK){
printf("TPM is already owned\n");
return(1);
}
printf("Unexpected return code %d\n",ret);
exit(-5);
}
int main(int argc, char *argv[])
{
int ret;
struct stat sbuf;
unsigned char keyblob[4096];
unsigned int keyblen;
unsigned char outblob[4096];
unsigned int outblen;
unsigned int handle;
unsigned char filename[256];
unsigned char filename2[256];
unsigned char parphash[20];
unsigned char newphash[20];
unsigned char keyphash[20];
unsigned char *passptr1;
FILE *outfile;
FILE *ainfile;
keydata key;
unsigned char *keypass;
unsigned char *newpass;
unsigned char *keyname;
unsigned char *parhndl;
int nxtarg;
nxtarg = ParseArgs(argc, argv);
if (argc < (nxtarg + 4))
usage();
TPM_setlog(0);
parhndl = argv[nxtarg + 0];
keyname = argv[nxtarg + 1];
keypass = argv[nxtarg + 2];
newpass = argv[nxtarg + 3];
/*
** convert parent key handle from hex
*/
ret = sscanf(parhndl, "%x", &handle);
if (ret != 1) {
fprintf(stderr, "Invalid argument '%s'\n", parhndl);
exit(2);
}
/*
* use SHA1 hash of password string as Parent Key Authorization
*/
if (parpass != NULL) {
TSS_sha1(parpass, strlen(parpass), parphash);
passptr1 = parphash;
} else
passptr1 = NULL;
/*
** use SHA1 hash of password string as Key Authorization Data
*/
TSS_sha1(keypass, strlen(keypass), keyphash);
/*
** use SHA1 hash of password string as New Authorization Data
*/
TSS_sha1(newpass, strlen(newpass), newphash);
/*
** read the key blob
*/
ainfile = fopen(keyname, "r");
if (ainfile == NULL) {
fprintf(stderr, "Unable to open key file\n");
exit(3);
}
stat(keyname, &sbuf);
keyblen = (int) sbuf.st_size;
ret = fread(keyblob, 1, keyblen, ainfile);
if (ret != keyblen) {
fprintf(stderr, "Unable to read key file\n");
exit(4);
}
fclose(ainfile);
TSS_KeyExtract(keyblob, &key);
ret = TPM_ChangeAuth(handle, passptr1, keyphash, newphash, &key);
if (ret != 0) {
fprintf(stderr, "Error %s from TPM_ChangeAuth\n",
TPM_GetErrMsg(ret));
exit(5);
}
ret = TPM_BuildKey(outblob, &key);
if ((ret & ERR_MASK) != 0)
return ret;
outblen = ret;
sprintf(filename2, "%s.save", keyname);
sprintf(filename, "%s", keyname);
ret = rename(filename, filename2);
if (ret != 0) {
fprintf(stderr, "Unable to rename old key file\n");
exit(6);
}
outfile = fopen(filename, "w");
if (outfile == NULL) {
fprintf(stderr, "Unable to create new key file\n");
exit(7);
}
ret = fwrite(outblob, 1, outblen, outfile);
if (ret != outblen) {
fprintf(stderr, "Unable to write new key file\n");
exit(8);
}
fclose(outfile);
exit(0);
}
int main(int argc, char *argv[])
{
unsigned char nonce[TPM_NONCE_SIZE];
unsigned char digest[TPM_DIGEST_SIZE];
unsigned char calcdigest[TPM_DIGEST_SIZE];
uint32_t ret;
struct keydata key;
STACK_TPM_BUFFER(serKeyData)
uint32_t serKeySize;
char * pubKeyFile = NULL;
uint32_t buffersize;
char * buffer = NULL;
int index = 1;
if (argc >= 3 && 0 == strcmp(argv[index],"-v")) {
TPM_setlog(1);
index++;
} else {
TPM_setlog(0);
}
if (index >= argc) {
usage();
exit(-1);
}
pubKeyFile = argv[index];
if (NULL == pubKeyFile) {
usage();
exit(-1);
}
TSS_gennonce(nonce);
ret = TPM_ReadKeyfile(pubKeyFile, &key);
if ( ( ret & ERR_MASK ) != 0 ) {
printf("Error - could not read key file.\n");
exit (-1);
}
ret = TPM_WriteKeyPub(&serKeyData, &key);
if ( ( ret & ERR_MASK ) != 0 ) {
exit (-1);
}
serKeySize = ret;
ret = TPM_ReadManuMaintPub(nonce, digest);
if ( 0 != ret ) {
printf("Error %s from ReadManuMainPub.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
/*
* Now check the digest against the serialized public key
* and the hash.
*/
buffersize = serKeySize + sizeof(nonce);
buffer = malloc(buffersize);
if (NULL == buffer) {
exit (-1);
}
memcpy(buffer,
serKeyData.buffer,
serKeySize);
memcpy(&buffer[serKeySize],
nonce,
sizeof(nonce));
TSS_sha1(buffer, buffersize, calcdigest);
free(buffer);
if (0 == memcmp(calcdigest, digest, sizeof(digest))) {
printf("The same public key is in the TPM.\n");
ret = 0;
} else {
printf("Another public key is in the TPM.\n");
ret = -1;
}
exit(ret);
}
int main(int argc, char *argv[])
{
uint32_t ret = 0;
char * filename = NULL;
int i;
char *ownerPassword = NULL;
const char *ownerAuthFilename = NULL;
unsigned char ownerAuth[TPM_HASH_SIZE];
unsigned char *ownerHashPtr = NULL;
struct stat _stat;
uint32_t index = 0xffffffff;
TPM_setlog(0);
for (i=1 ; i<argc ; i++) {
if (!strcmp("-pwdo",argv[i])) {
i++;
if (i < argc) {
ownerPassword = argv[i];
}
else {
printf("Missing parameter for -pwdo.\n");
usage();
}
}
else if (strcmp(argv[i],"-pwdof") == 0) {
i++;
if (i < argc) {
ownerAuthFilename = argv[i];
}
else {
printf("Missing parameter for -pwdo.f\n");
usage();
}
}
else if (!strcmp("-row",argv[i])) {
i++;
if (i < argc) {
if (1 != sscanf(argv[i], "%x", &index)) {
printf("Could not parse the -row value.\n");
usage();
}
}
else {
printf("Missing argument after -row\n");
usage();
}
}
else if (strcmp(argv[i],"-if") == 0) {
i++;
if (i < argc) {
filename = argv[i];
}
else {
printf("-if option needs a value\n");
}
}
else if (!strcmp("-v",argv[i])) {
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
usage();
}
else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
}
}
if (index == 0xfffffff) {
printf("Missing the -row parameter!\n");
usage();
}
if (filename == NULL) {
printf("Missing the -if parameter!\n");
usage();
}
if ((ownerPassword != NULL) && (ownerAuthFilename != NULL)) {
printf("\nCannot have -pwdo and -pwdof arguments\n");
usage();
}
/* use the SHA1 hash of the password string as the Owner Authorization Data */
if (ownerPassword != NULL) {
TSS_sha1((unsigned char *)ownerPassword,
strlen(ownerPassword),
ownerAuth);
ownerHashPtr = ownerAuth;
}
/* get the ownerAuth from a file */
else if (ownerAuthFilename != NULL) {
unsigned char *buffer = NULL;
uint32_t buffersize;
ret = TPM_ReadFile(ownerAuthFilename, &buffer, &buffersize);
if ((ret & ERR_MASK)) {
printf("Error reading %s.\n", ownerAuthFilename);
exit(-1);
}
if (buffersize != sizeof(ownerAuth)) {
printf("Error reading %s, size %u should be %lu.\n",
ownerAuthFilename, buffersize, (unsigned long)sizeof(ownerAuth));
exit(-1);
}
memcpy(ownerAuth, buffer, sizeof(ownerAuth));
ownerHashPtr = ownerAuth;
free(buffer);
}
if (0 == stat(filename, &_stat)) {
unsigned char *blob = malloc(_stat.st_size);
uint32_t blobSize = _stat.st_size;
FILE *f;
if (NULL == blob) {
printf("Could not allocate memory!\n");
exit(-1);
}
f = fopen(filename, "rb");
if (NULL == f) {
printf("Could not open file for reading.\n");
exit(-1);
}
if (blobSize != fread(blob, 1, blobSize, f)) {
printf("Could not read the file.\n");
fclose(f);
exit(-1);
}
fclose(f);
ret = TPM_Delegate_LoadOwnerDelegation(index,
ownerHashPtr,
blob, blobSize);
if ( ret != 0) {
printf("Error '%s' from Delegate_LoadOwnerDelegation.\n",
TPM_GetErrMsg(ret));
exit(-1);
}
else {
printf("Successfully loaded the blob.\n");
}
}
else {
printf("Error, file %s not accessible.\n",filename);
}
exit(ret);
}
int main(int argc, char * argv[]) {
char * ownerpass = NULL;
char * counterpass = NULL;
uint32_t parhandle; /* handle of parent key */
unsigned char * passptr1 = NULL;
unsigned char * passptr2 = NULL;
unsigned char passhash1[20];
unsigned char passhash2[20];
uint32_t ret;
int i = 0;
uint32_t label = 0xffffffff;
uint32_t counterId = 0;
unsigned char counterValue[TPM_COUNTER_VALUE_SIZE];
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-pwdo",argv[i])) {
i++;
if (i < argc) {
ownerpass = argv[i];
} else {
printf("Missing parameter for -pwdo\n");
usage();
}
}
else if (!strcmp("-la",argv[i])) {
i++;
if (i < argc) {
label = atoi(argv[i]);
} else {
printf("Missing parameter for -la\n");
usage();
}
}
else if (!strcmp("-pwdc",argv[i])) {
i++;
if (i < argc) {
counterpass = argv[i];
} else {
printf("Missing parameter for -pwdc\n");
usage();
}
}
else if (!strcmp("-v",argv[i])) {
TPM_setlog(1);
}
else if (!strcmp(argv[i], "-h")) {
usage();
}
else {
printf("\n%s is not a valid option\n",argv[i]);
usage();
}
i++;
}
if ((ownerpass == NULL) ||
(counterpass == NULL) ||
(label == 0xffffffff)) {
printf("Input parameters wrong or missing!\n");
usage();
}
printf("Using ownerpass : %s\n",ownerpass);
printf("Using counterpass: %s\n",counterpass);
/*
* convert parent key handle from hex
*/
parhandle = 0x00000000;
TSS_sha1(ownerpass,strlen(ownerpass),passhash1);
passptr1 = passhash1;
TSS_sha1(counterpass,strlen(counterpass),passhash2);
passptr2 = passhash2;
/*
* Create a counter
*/
ret = TPM_CreateCounter(parhandle,
passptr1,
label,
passptr2,
&counterId,
counterValue);
if (0 != ret) {
printf("Got error %s (0x%x) from TPM_CreateCounter.\n",
TPM_GetErrMsg(ret),
ret);
} else {
printf("New counter id: %d\n",counterId);
i = 0;
printf("Counter start value: ");
while (i < TPM_COUNTER_VALUE_SIZE) {
printf("%02X",counterValue[i]);
i++;
}
printf("\n");
}
return ret;
}
uint32_t TPM_Seal(uint32_t keyhandle,
unsigned char *pcrinfo, uint32_t pcrinfosize,
unsigned char *keyauth,
unsigned char *dataauth,
unsigned char *data, unsigned int datalen,
unsigned char *blob, unsigned int *bloblen)
{
unsigned char seal_fmt[] = "00 C2 T l l % @ @ l % o %";
uint32_t ret;
int i;
unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
osapsess sess;
unsigned char encauth[TPM_HASH_SIZE];
unsigned char pubauth[TPM_HASH_SIZE];
unsigned char xorwork[TPM_HASH_SIZE * 2];
unsigned char xorhash[TPM_HASH_SIZE];
unsigned char dummyauth[TPM_HASH_SIZE];
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char c;
uint32_t ordinal;
uint32_t pcrsize;
uint32_t datsize;
uint32_t keyhndl;
uint16_t keytype;
unsigned char *passptr1;
unsigned char *passptr2;
int sealinfosize;
int encdatasize;
int storedsize;
memset(dummyauth, 0, sizeof dummyauth);
/* check input arguments */
if (data == NULL || blob == NULL)
return ERR_NULL_ARG;
if (pcrinfosize != 0 && pcrinfo == NULL)
return ERR_NULL_ARG;
if (keyhandle == 0x40000000)
keytype = 0x0004;
else
keytype = 0x0001;
if (keyauth == NULL)
passptr1 = dummyauth;
else
passptr1 = keyauth;
if (dataauth == NULL)
passptr2 = dummyauth;
else
passptr2 = dataauth;
/* Open OSAP Session */
ret = TSS_OSAPopen(&sess, passptr1, keytype, keyhandle);
if (ret != 0)
return ret;
/* calculate encrypted authorization value */
memcpy(xorwork, sess.ssecret, TPM_HASH_SIZE);
memcpy(xorwork + TPM_HASH_SIZE, sess.enonce, TPM_HASH_SIZE);
TSS_sha1(xorwork, TPM_HASH_SIZE * 2, xorhash);
/* generate odd nonce */
TSS_gennonce(nonceodd);
/* move Network byte order data to variables for hmac calculation */
ordinal = htonl(0x17);
datsize = htonl(datalen);
keyhndl = htonl(keyhandle);
pcrsize = htonl(pcrinfosize);
c = 0;
/* encrypt data authorization key */
for (i = 0; i < TPM_HASH_SIZE; ++i)
encauth[i] = xorhash[i] ^ passptr2[i];
/* calculate authorization HMAC value */
if (pcrinfosize == 0) {
/* no pcr info specified */
ret =
TSS_authhmac(pubauth, sess.ssecret, TPM_HASH_SIZE,
sess.enonce, nonceodd, c, TPM_U32_SIZE,
&ordinal, TPM_HASH_SIZE, encauth,
TPM_U32_SIZE, &pcrsize, TPM_U32_SIZE,
&datsize, datalen, data, 0, 0);
} else {
/* pcr info specified */
ret =
TSS_authhmac(pubauth, sess.ssecret, TPM_HASH_SIZE,
sess.enonce, nonceodd, c, TPM_U32_SIZE,
&ordinal, TPM_HASH_SIZE, encauth,
TPM_U32_SIZE, &pcrsize, pcrinfosize,
pcrinfo, TPM_U32_SIZE, &datsize, datalen,
data, 0, 0);
}
if (ret != 0) {
TSS_OSAPclose(&sess);
return ret;
}
/* build the request buffer */
ret = TSS_buildbuff(seal_fmt, tpmdata,
ordinal,
keyhndl,
TPM_HASH_SIZE, encauth,
pcrinfosize, pcrinfo,
datalen, data,
sess.handle,
TPM_NONCE_SIZE, nonceodd,
c, TPM_HASH_SIZE, pubauth);
if ((ret & ERR_MASK) != 0) {
TSS_OSAPclose(&sess);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(tpmdata, "Seal");
if (ret != 0) {
TSS_OSAPclose(&sess);
return ret;
}
/* calculate the size of the returned Blob */
sealinfosize = LOAD32(tpmdata, TPM_DATA_OFFSET + TPM_U32_SIZE);
encdatasize =
LOAD32(tpmdata,
TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE +
sealinfosize);
storedsize =
TPM_U32_SIZE + TPM_U32_SIZE + sealinfosize + TPM_U32_SIZE +
encdatasize;
/* check the HMAC in the response */
ret =
TSS_checkhmac1(tpmdata, ordinal, nonceodd, sess.ssecret,
TPM_HASH_SIZE, storedsize, TPM_DATA_OFFSET, 0,
0);
if (ret != 0) {
TSS_OSAPclose(&sess);
return ret;
}
/* copy the returned blob to caller */
memcpy(blob, tpmdata + TPM_DATA_OFFSET, storedsize);
*bloblen = storedsize;
TSS_OSAPclose(&sess);
return 0;
}
int main(int argc, char *argv[])
{
int ret;
char *ownpass = NULL;
char *newpass = NULL;
unsigned char ownphash[TPM_HASH_SIZE];
unsigned char newphash[TPM_HASH_SIZE];
int i;
TPM_setlog(0);
for (i=1 ; i<argc ; i++) {
if (!strcmp(argv[i], "-pwdo")) {
i++;
if (i < argc) {
ownpass = argv[i];
}
else {
printf("Missing parameter to -pwdo\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-pwdn")) {
i++;
if (i < argc) {
newpass = argv[i];
}
else {
printf("Missing parameter to -pwdn\n");
printUsage();
}
}
else if (strcmp(argv[i],"-own") == 0) {
ownflag = 1;
}
else if (!strcmp(argv[i], "-h")) {
printUsage();
}
else if (!strcmp(argv[i], "-v")) {
TPM_setlog(1);
}
else {
printf("\n%s is not a valid option\n", argv[i]);
printUsage();
}
}
if ((ownpass == NULL) ||
(newpass == NULL)) {
printf("Missing password argument\n");
exit(2);
}
/*
** use the SHA1 hash of the password string as the TPM Owner Password
*/
TSS_sha1((unsigned char*)ownpass,strlen(ownpass),ownphash);
/*
** use the SHA1 hash of the password string as the New Authorization Data
*/
TSS_sha1((unsigned char*)newpass,strlen(newpass),newphash);
if (ownflag)
{
ret = TPM_ChangeOwnAuth(ownphash,newphash);
if (ret != 0)
{
printf("Error %s from TPM_ChangeOwnAuth\n",TPM_GetErrMsg(ret));
exit(1);
}
}
else
{
ret = TPM_ChangeSRKAuth(ownphash,newphash);
if (ret != 0)
{
printf("Error %s from TPM_ChangeSRKAuth\n",TPM_GetErrMsg(ret));
exit(1);
}
}
exit(0);
}
int main(int argc, char *argv[])
{
int ret; /* general return value */
uint32_t keyhandle = 0; /* handle of quote key */
unsigned int pcrmask = 0; /* pcr register mask */
unsigned char passhash1[TPM_HASH_SIZE]; /* hash of key password */
unsigned char data[TPM_HASH_SIZE];/* nonce data */
STACK_TPM_BUFFER(signature);
pubkeydata pubkey; /* public key structure */
RSA *rsa; /* openssl RSA public key */
unsigned char *passptr;
TPM_PCR_SELECTION selection;
TPM_PCR_INFO_SHORT s1;
TPM_QUOTE_INFO2 quoteinfo;
STACK_TPM_BUFFER( serQuoteInfo )
uint32_t pcrs;
int i;
uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1;
TPM_BOOL addVersion = FALSE;
STACK_TPM_BUFFER(versionblob);
static char *keypass = NULL;
TPM_setlog(0); /* turn off verbose output from TPM driver */
for (i=1 ; i<argc ; i++) {
if (strcmp(argv[i],"-hk") == 0) {
i++;
if (i < argc) {
/* convert key handle from hex */
if (1 != sscanf(argv[i], "%x", &keyhandle)) {
printf("Invalid -hk argument '%s'\n",argv[i]);
exit(2);
}
}
else {
printf("-hk option needs a value\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-pwdk")) {
i++;
if (i < argc) {
keypass = argv[i];
}
else {
printf("Missing parameter to -pwdk\n");
printUsage();
}
}
else if (strcmp(argv[i],"-bm") == 0) {
i++;
if (i < argc) {
/* convert key handle from hex */
if (1 != sscanf(argv[i], "%x", &pcrmask)) {
printf("Invalid -bm argument '%s'\n",argv[i]);
exit(2);
}
}
else {
printf("-bm option needs a value\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-vinfo")) {
addVersion = TRUE;
printf("Adding version info.\n");
}
else if (!strcmp(argv[i], "-h")) {
printUsage();
}
else if (!strcmp(argv[i], "-v")) {
TPM_setlog(1);
}
else {
printf("\n%s is not a valid option\n", argv[i]);
printUsage();
}
}
if ((keyhandle == 0) ||
(pcrmask == 0)) {
printf("Missing argument\n");
printUsage();
}
memset(&s1, 0x0, sizeof(s1));
/*
** Parse and process the command line arguments
*/
/* get the SHA1 hash of the password string for use as the Key Authorization Data */
if (keypass != NULL) {
TSS_sha1((unsigned char *)keypass,strlen(keypass),passhash1);
passptr = passhash1;
} else {
passptr = NULL;
}
/* for testing, use the password hash as the test nonce */
memcpy(data,passhash1,TPM_HASH_SIZE);
ret = TPM_GetNumPCRRegisters(&pcrs);
if (ret != 0) {
printf("Error reading number of PCR registers.\n");
exit(-1);
}
if (pcrs > TPM_NUM_PCR) {
printf("Library does not support that many PCRs.\n");
exit(-1);
}
memset(&selection, 0x0, sizeof(selection));
selection.sizeOfSelect = pcrs / 8;
for (i = 0; i < selection.sizeOfSelect; i++) {
selection.pcrSelect[i] = (pcrmask & 0xff);
pcrmask >>= 8;
}
/*
** perform the TPM Quote function
*/
ret = TPM_Quote2(keyhandle, /* key handle */
&selection, /* specify PCR registers */
addVersion, /* add Version */
passptr, /* Key Password (hashed), or null */
data, /* nonce data */
&s1, /* pointer to pcr info */
&versionblob, /* pointer to TPM_CAP_VERSION_INFO */
&signature); /* buffer to receive result, int to receive result length */
if (ret != 0) {
printf("Error '%s' from TPM_Quote2\n",TPM_GetErrMsg(ret));
exit(ret);
}
/*
** Get the public key and convert to an OpenSSL RSA public key
*/
ret = TPM_GetPubKey(keyhandle,passptr,&pubkey);
if (ret != 0) {
printf("Error '%s' from TPM_GetPubKey\n",TPM_GetErrMsg(ret));
exit(ret);
}
rsa = TSS_convpubkey(&pubkey);
/*
** fill the quote info structure and calculate the hashes needed for verification
*/
quoteinfo.tag = TPM_TAG_QUOTE_INFO2;
memcpy(&(quoteinfo.fixed),"QUT2",4);
quoteinfo.infoShort = s1;
memcpy(&(quoteinfo.externalData),data,TPM_NONCE_SIZE);
unsigned char *corey_ptr = (unsigned char *)"einfo;
unsigned int x;
printf("quote info: \n");
for (x=0;x<128;x++)
{
if (x != 0 && x % 16 == 0)
printf("\n");
printf("%02x ", corey_ptr[x]);
}
printf("\n");
/* create the hash of the quoteinfo structure for signature verification */
ret = TPM_WriteQuoteInfo2(&serQuoteInfo, "einfo);
if ( ( ret & ERR_MASK ) != 0) {
exit(-1);
}
printf("serquoteinfo: \n");
for (x=0;x<128;x++)
{
if (x != 0 && x % 16 == 0)
printf("\n");
printf("%02x ", serQuoteInfo.buffer[x]);
}
printf("\n");
/* append version information if given in response */
if (addVersion) {
printf("addversion is called\n");
memcpy(serQuoteInfo.buffer + serQuoteInfo.used,
versionblob.buffer,
versionblob.used);
serQuoteInfo.used += versionblob.used;
}
ret = TPM_ValidateSignature(sigscheme,
&serQuoteInfo,
&signature,
rsa);
if (ret != 0) {
printf("Verification failed\n");
} else {
printf("Verification succeeded\n");
}
RSA_free(rsa);
exit(ret);
}