int main(int argc, char *argv[])
{
int rc;
initIntlSys();
rc = genericOptHandler(argc, argv, "", NULL, 0, NULL, NULL);
if (rc)
exit(0);
rc = cmdVersion(argv[0]);
return rc;
}
int main(int argc, char **argv)
{
TSS_RESULT tResult;
TSS_HTPM hTpm;
int iRc = -1;
struct option opts[] = {
{"infile", required_argument, NULL, 'i'},
};
BYTE revokeData[TPM_SHA1BASED_NONCE_LEN];
BYTE *revData = revokeData;
initIntlSys();
if (genericOptHandler(argc, argv, "i:", opts, sizeof(opts) / sizeof(struct option), parse,
help) != 0)
goto out;
if (isInputSet) {
if (readData(sizeof(revokeData), &revData))
goto out;
} else {
logError(_("Please specify which file contains the secret to revoke the Ek (use option -i, --infile).\n"));
goto out;
}
logDebug("Input file name: %s\n", in_filename);
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
tResult = tpmRevokeEk(hTpm, sizeof(revokeData), revData);
if (tResult != TSS_SUCCESS)
goto out_close;
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
return iRc;
}
/*
* Affect: Change owner or srk password
* Default: No action
* Required: Owner authentication
*/
int main(int argc, char **argv)
{
int i = 0, iRc = -1;
char *passwd = NULL;
int pswd_len;
TSS_HPOLICY hTpmPolicy, hNewPolicy;
TSS_HTPM hTpm;
TSS_HTPM hSrk;
BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
struct option opts[] = { {"owner", no_argument, NULL, 'o'},
{"srk", no_argument, NULL, 's'},
{"original_password_unicode", no_argument, NULL, 'g'},
{"new_password_unicode", no_argument, NULL, 'n'},
{"well-known", no_argument, NULL, 'z'},
{"set-well-known", no_argument, NULL, 'r'},
};
initIntlSys();
if (genericOptHandler
(argc, argv, "zrsogn", opts, sizeof(opts) / sizeof(struct option),
parse, help) != 0)
goto out;
//nothing selected
if ((!changeRequested && wellKnown) || (!changeRequested)) {
help(argv[0]);
goto out;
}
//Connect to TSS and TPM
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (wellKnown) {
passwd = (char *)well_known_secret;
pswd_len = TCPA_SHA1_160_HASH_LEN;
} else {
passwd = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n"));
goto out_close;
}
}
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hTpmPolicy, pswd_len, (BYTE *)passwd) != TSS_SUCCESS)
goto out_close;
if (!wellKnown && !setWellKnown) {
shredPasswd(passwd);
passwd = NULL;
}
do {
if (auths[i].change) {
logInfo(_("Changing password for: %s.\n"), _(auths[i].name));
if (setWellKnown) {
passwd = (char *)well_known_secret;
pswd_len = TCPA_SHA1_160_HASH_LEN;
} else {
passwd = _GETPASSWD(_(auths[i].prompt), &pswd_len,
TRUE, newUnicode || useUnicode );
if (!passwd) {
logError(_("Failed to get new password.\n"));
goto out_close;
}
}
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hNewPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret
(hNewPolicy, pswd_len,
(BYTE *)passwd) != TSS_SUCCESS)
goto out_close;
if (i == owner) {
if (tpmChangeAuth(hTpm, NULL_HOBJECT, hNewPolicy) != TSS_SUCCESS)
goto out_close;
} else if (i == srk) {
if (keyLoadKeyByUUID
(hContext, TSS_PS_TYPE_SYSTEM,
SRK_UUID, &hSrk) != TSS_SUCCESS)
goto out_close;
if (tpmChangeAuth(hSrk, hTpm, hNewPolicy) != TSS_SUCCESS)
goto out_close;
}
logInfo(_("Change of %s password successful.\n"), _(auths[i].name));
if (!wellKnown && !setWellKnown) {
shredPasswd(passwd);
passwd = NULL;
}
}
} while (auths[++i].name);
iRc = 0;
out_close:
contextClose(hContext);
out:
if (passwd && !wellKnown && !setWellKnown)
shredPasswd(passwd);
return iRc;
}
int main(int argc, char **argv)
{
char *szTpmPasswd = NULL;
int pswd_len;
TSS_HTPM hTpm;
TSS_HPOLICY hTpmPolicy;
int iRc = -1;
struct option opts[] = {
{"force", no_argument, NULL, 'f'},
{"well-known", no_argument, NULL, 'z'},
};
BYTE well_known[] = TSS_WELL_KNOWN_SECRET;
initIntlSys();
if (genericOptHandler
(argc, argv, "fz", opts, sizeof(opts) / sizeof(struct option),
parse, help) != 0)
goto out;
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (!bValue) {
if (isWellKnown){
szTpmPasswd = (char *)well_known;
pswd_len = sizeof(well_known);
}else{
szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n"));
goto out_close;
}
}
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hTpmPolicy, pswd_len,
(BYTE *)szTpmPasswd) != TSS_SUCCESS)
goto out_close;
}
//Setup complete attempt command
if (tpmClearOwner(hTpm, bValue) != TSS_SUCCESS)
goto out_close;
//Command successful
iRc = 0;
logSuccess(argv[0]);
logMsg( _("TPM Successfuly Cleared. You need to reboot to complete this operation. After reboot the TPM will be in the default state: unowned, disabled and inactive.\n") );
//Cleanup
out_close:
if (szTpmPasswd && !isWellKnown)
shredPasswd(szTpmPasswd);
contextClose(hContext);
out:
return iRc;
}
int main(int argc, char **argv)
{
char *szTpmPasswd = NULL;
int pswd_len;
TSS_HPOLICY hTpmPolicy;
TSS_HTPM hTpm;
int iRc = -1;
struct option opts[] = { {"allow", no_argument, NULL, 'a'},
{"status", no_argument, NULL, 's'},
{"restrict", no_argument, NULL, 'r'},
{"well-known", no_argument, NULL, 'z'},
};
BYTE well_known[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
initIntlSys();
if (genericOptHandler
(argc, argv, "asrz", opts, sizeof(opts) / sizeof(struct option),
parse, help) != 0)
goto out;
/* If no args are given, the default should be to give status */
if (argc == 1)
bCheck = TRUE;
//Connect to TSS and TPM
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (isWellKnown) {
szTpmPasswd = (char *)well_known;
pswd_len = sizeof(well_known);
} else {
// Prompt for owner password
szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n"));
goto out_close;
}
}
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret
(hTpmPolicy, pswd_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS)
goto out_close;
if (bCheck) {
TSS_BOOL bValue;
if (tpmGetStatus
(hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD,
&bValue) != TSS_SUCCESS)
goto out;
logMsg(_("Storage Root Key readable with: %s\n"),
bValue ? _("owner auth") : _("SRK auth"));
} else {
if (tpmSetStatus(hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD, bRestrict)
!= TSS_SUCCESS)
goto out_close;
}
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
if (szTpmPasswd && !isWellKnown)
shredPasswd(szTpmPasswd);
return iRc;
}
int main(int argc, char **argv)
{
TSS_RESULT tResult;
TSS_HTPM hTpm;
TSS_HKEY hEk;
TSS_FLAG fEkAttrs;
int iRc = -1;
#ifdef TSS_LIB_IS_12
struct option opts[] = {{"revocable", no_argument, NULL, 'r'},
{"generate-secret", no_argument, NULL, 'g'},
{"infile", required_argument, NULL, 'i'},
{"outfile", required_argument, NULL, 'o'},
};
UINT32 revDataSz;
BYTE revokeData[TPM_SHA1BASED_NONCE_LEN];
BYTE *pRevData;
#endif
initIntlSys();
#ifdef TSS_LIB_IS_12
if (genericOptHandler(argc, argv, "rgi:o:", opts, sizeof(opts) / sizeof(struct option),
parse, help) != 0)
goto out;
//Check commands for command hierarchy
if (isRevocable) {
if (needGenerateSecret) {
if (!outFileSet) {
logError(_("Please specify an output file\n"));
goto out;
}
if (inFileSet) {
logError(_("The option -i, --infile is not valid with -g\n"));
goto out;
}
} else if (!inFileSet) {
logError(_("Please specify -i, --infile or -g, --generate-secret\n"));
goto out;
} else if (outFileSet) {
logError(_("The option -o, --outfile is not valid with -i, --infile"));
goto out;
}
}
logDebug("Input file name: %s\n", in_filename);
logDebug("Output file name: %s\n", out_filename);
if (inFileSet) {
pRevData = revokeData;
revDataSz = sizeof(revokeData);
if (readData(revDataSz, &pRevData))
goto out;
} else if (outFileSet) {
FILE *outfile = fopen(out_filename, "w");
if (!outfile) {
iRc = -1;
logError(_("Unable to open output file: %s\n"), out_filename);
goto out;
}
fclose(outfile);
//TPM should generate the revoke data
revDataSz = 0;
pRevData = NULL;
}
#else
if (genericOptHandler(argc, argv, NULL, NULL, 0, NULL, NULL) != 0){
logError(_("See man pages for details.\n"));
goto out;
}
#endif
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
//Initialize EK attributes here
fEkAttrs = TSS_KEY_SIZE_2048 | TSS_KEY_TYPE_LEGACY;
if (contextCreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, fEkAttrs, &hEk) != TSS_SUCCESS)
goto out_close;
#ifdef TSS_LIB_IS_12
if (isRevocable){
tResult = tpmCreateRevEk(hTpm, hEk, NULL, &revDataSz, &pRevData);
if (tResult != TSS_SUCCESS)
goto out_close;
//Writes the generated secret into the output file
if (outFileSet) {
if (writeData(revDataSz, pRevData)) {
logError(_("Creating revocable EK succeeded, but writing the EK "
"revoke authorization to disk failed.\nPrinting the "
"revoke authorization instead:\n"));
logHex(revDataSz, pRevData);
logError(_("You should record this data, as its the authorization "
"you'll need to revoke your EK!\n"));
goto out_close;
}
}
} else
#endif
tResult = tpmCreateEk(hTpm, hEk, NULL);
if (tResult != TSS_SUCCESS)
goto out_close;
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
return iRc;
}
int
main( int argc, char **argv )
{
char *szTpmPasswd = NULL;
int tpm_len;
TSS_HTPM hTpm;
TSS_HPOLICY hTpmPolicy;
TSS_BOOL bValue = TRUE;
int iRc = -1;
struct option opts[] = {
{"use-hex", no_argument, NULL, 'x'},
{"well-known", no_argument, NULL, 'z'},
};
BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
BYTE* pTpmPasswd = NULL;
int iTpmPasswdLen;
initIntlSys();
if (genericOptHandler(argc, argv, "xz", opts, sizeof(opts) / sizeof(struct option), parse,
help) != 0)
goto out;
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (!isWellKnown) {
// Prompt for owner password
szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get Owner password\n"));
goto out;
}
if( decodeHexPassword ) {
if( hex2bytea(szTpmPasswd, &pTpmPasswd, &iTpmPasswdLen) != 0 ) {
logError(_("Invalid hex owner secret\n"));
goto out_close;
}
}
} else {
szTpmPasswd = (char *)wellKnown;
tpm_len = sizeof(wellKnown);
}
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if( decodeHexPassword ) {
if( Tspi_Policy_SetSecret(hTpmPolicy, TSS_SECRET_MODE_PLAIN, iTpmPasswdLen,
pTpmPasswd) != TSS_SUCCESS)
goto out_close;
}
else {
if (policySetSecret(hTpmPolicy, tpm_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS)
goto out_close;
}
if (tpmSetStatus(hTpm, TSS_TPMSTATUS_RESETLOCK, bValue) != TSS_SUCCESS)
goto out_close;
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
if (!isWellKnown && szTpmPasswd)
shredPasswd(szTpmPasswd);
if( pTpmPasswd )
shredByteArray(pTpmPasswd, iTpmPasswdLen);
return iRc;
}
int
main( int a_iArgc,
char **a_pszArgv ) {
int rc = 1;
// Create buffers for PIN prompts for formatting using sprintf
char szSoNewPinPrompt[ strlen( TOKEN_SO_NEW_PIN_PROMPT ) + 16 ];
char szUserNewPinPrompt[ strlen( TOKEN_USER_NEW_PIN_PROMPT ) + 16 ];
char *pszReply = NULL;
char *pszSoPin = NULL;
char *pszNewSoPin = NULL;
char *pszNewUserPin = NULL;
CK_RV rv = CKR_OK;
CK_SESSION_HANDLE hSession = 0;
// Set up i18n
initIntlSys( );
// Parse the command
if ( parseCmd( a_iArgc, a_pszArgv ) == -1 )
goto out;
// Open the PKCS#11 TPM Token
rv = openToken( g_pszToken );
if ( rv != CKR_OK )
goto out;
// Check if the token is already initialized
if ( isTokenInitialized( ) ) {
// Warn and ask the user before clearing
if ( !g_bYes ) {
pszReply = getReply( TOKEN_CLEAR_PROMPT, 1 );
if ( !pszReply ||
( strlen( pszReply ) == 0 ) ||
( strcasecmp( pszReply, TOKEN_CLEAR_NO ) == 0 ) ) {
goto out;
}
}
// Prompt for the current SO password
pszSoPin = getPlainPasswd( TOKEN_SO_PIN_PROMPT, FALSE );
if ( !pszSoPin )
goto out;
}
else
pszSoPin = strdup( TOKEN_SO_INIT_PIN );
// Clear the TPM token
rv = initToken( pszSoPin );
if ( rv != CKR_OK )
goto out;
// Open a session
rv = openTokenSession( CKF_RW_SESSION, &hSession );
if ( rv != CKR_OK )
goto out;
// Login to the token
rv = loginToken( hSession, CKU_SO, TOKEN_SO_INIT_PIN );
if ( rv != CKR_OK )
goto out;
sprintf( szSoNewPinPrompt, TOKEN_SO_NEW_PIN_PROMPT, getMinPinLen( ), getMaxPinLen( ) );
while ( TRUE ) {
// Prompt for a new SO password
pszNewSoPin = getPlainPasswd( szSoNewPinPrompt, TRUE );
if ( !pszNewSoPin )
goto out;
// Set the new password
rv = setPin( hSession, TOKEN_SO_INIT_PIN, pszNewSoPin );
if ( rv == CKR_OK )
break;
if ( ( rv == CKR_PIN_INVALID ) || ( rv == CKR_PIN_LEN_RANGE ) )
logError( TOKEN_INVALID_PIN );
else
goto out;
shredPasswd( pszNewSoPin );
}
// Open a new session
closeTokenSession( hSession );
hSession = 0;
rv = openTokenSession( CKF_RW_SESSION, &hSession );
if ( rv != CKR_OK )
goto out;
// Login to the token
rv = loginToken( hSession, CKU_USER, TOKEN_USER_INIT_PIN );
if ( rv != CKR_OK )
goto out;
sprintf( szUserNewPinPrompt, TOKEN_USER_NEW_PIN_PROMPT, getMinPinLen( ), getMaxPinLen( ) );
while ( TRUE ) {
// Prompt for a new User password
pszNewUserPin = getPlainPasswd( szUserNewPinPrompt, TRUE );
if ( !pszNewUserPin )
goto out;
// Set the new password
rv = setPin( hSession, TOKEN_USER_INIT_PIN, pszNewUserPin );
if ( rv == CKR_OK )
break;
if ( ( rv == CKR_PIN_INVALID ) || ( rv == CKR_PIN_LEN_RANGE ) )
logError( TOKEN_INVALID_PIN );
else
goto out;
shredPasswd( pszNewUserPin );
}
rc = 0;
out:
free( pszReply );
shredPasswd( pszSoPin );
shredPasswd( pszNewSoPin );
shredPasswd( pszNewUserPin );
if ( hSession )
closeTokenSession( hSession );
closeToken( );
if ( rc == 0 )
logInfo( TOKEN_CMD_SUCCESS, a_pszArgv[ 0 ] );
else
logInfo( TOKEN_CMD_FAILED, a_pszArgv[ 0 ] );
return rc;
}
int main(int argc, char **argv)
{
TSS_HTPM hTpm;
TSS_HNVSTORE nvObject;
TSS_FLAG fNvAttrs;
TSS_HPOLICY hTpmPolicy, hDataPolicy;
int iRc = -1;
BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
int opswd_len = -1;
int dpswd_len = -1;
struct option hOpts[] = {
{"index" , required_argument, NULL, 'i'},
{"size" , required_argument, NULL, 's'},
{"permissions" , required_argument, NULL, 'p'},
{"pwdo" , optional_argument, NULL, 'o'},
{"pwda" , optional_argument, NULL, 'a'},
{"use-unicode" , no_argument, NULL, 'u'},
{"data-well-known" , no_argument, NULL, 'z'},
{"owner-well-known", no_argument, NULL, 'y'},
{NULL , no_argument, NULL, 0},
};
initIntlSys();
if (genericOptHandler
(argc, argv, "i:s:p:o:a:yzu", hOpts,
sizeof(hOpts) / sizeof(struct option), parse, help) != 0)
goto out;
if (end) {
iRc = 0;
goto out;
}
if (!nvindex_set) {
logError(_("You must provide an index for the NVRAM area.\n"));
goto out;
}
if (nvperm == 0 &&
(UINT32)nvindex != TPM_NV_INDEX_LOCK &&
(UINT32)nvindex != TPM_NV_INDEX0) {
logError(_("You must provide permission bits for the NVRAM area.\n"));
goto out;
}
logDebug("permissions = 0x%08x\n", nvperm);
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
fNvAttrs = 0;
if (contextCreateObject(hContext,
TSS_OBJECT_TYPE_NV,
fNvAttrs,
&nvObject) != TSS_SUCCESS)
goto out_close;
if (askOwnerPass) {
ownerpass = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n"));
goto out_close;
}
}
if (ownerpass || ownerWellKnown) {
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (ownerpass) {
if (opswd_len < 0)
opswd_len = strlen(ownerpass);
if (policySetSecret(hTpmPolicy, opswd_len,
(BYTE *)ownerpass) != TSS_SUCCESS)
goto out_close;
} else {
if (policySetSecret(hTpmPolicy, TCPA_SHA1_160_HASH_LEN,
(BYTE *)well_known_secret) != TSS_SUCCESS)
goto out_close;
}
}
if (askDataPass) {
datapass = _GETPASSWD(_("Enter NVRAM data password: "******"Failed to get NVRAM data password\n"));
goto out_close;
}
}
if (datapass || dataWellKnown) {
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hDataPolicy) != TSS_SUCCESS)
goto out_close;
if (datapass) {
if (dpswd_len < 0)
dpswd_len = strlen(datapass);
if (policySetSecret(hDataPolicy, dpswd_len,
(BYTE *)datapass) != TSS_SUCCESS)
goto out_close;
} else {
if (policySetSecret(hDataPolicy, TCPA_SHA1_160_HASH_LEN,
(BYTE *)well_known_secret) != TSS_SUCCESS)
goto out_close;
}
if (Tspi_Policy_AssignToObject(hDataPolicy, nvObject) !=
TSS_SUCCESS)
goto out_close;
}
if (Tspi_SetAttribUint32(nvObject,
TSS_TSPATTRIB_NV_INDEX,
0,
nvindex) != TSS_SUCCESS)
goto out_close_obj;
if (Tspi_SetAttribUint32(nvObject,
TSS_TSPATTRIB_NV_PERMISSIONS,
0,
nvperm) != TSS_SUCCESS)
goto out_close_obj;
if (Tspi_SetAttribUint32(nvObject,
TSS_TSPATTRIB_NV_DATASIZE,
0,
nvsize) != TSS_SUCCESS)
goto out_close_obj;
if (NVDefineSpace(nvObject, (TSS_HPCRS)0, (TSS_HPCRS)0) !=
TSS_SUCCESS)
goto out_close;
logMsg(_("Successfully created NVRAM area at index 0x%x (%u).\n"),
nvindex, nvindex);
iRc = 0;
goto out_close;
out_close_obj:
contextCloseObject(hContext, nvObject);
out_close:
contextClose(hContext);
out:
return iRc;
}
int main(int argc, char **argv)
{
TSS_HKEY hSrk, hKey;
TSS_HENCDATA hEncdata;
TSS_HPOLICY hPolicy;
int iRc = -1;
struct option opts[] =
{ {"infile", required_argument, NULL, 'i'},
{"outfile", required_argument, NULL, 'o'},
{"pcr", required_argument, NULL, 'p'},
{"unicode", no_argument, NULL, 'u'},
{"well-known", no_argument, NULL, 'z'}
};
unsigned char line[EVP_CIPHER_block_size(EVP_aes_256_cbc()) * 16];
int lineLen;
unsigned char encData[sizeof(line) + EVP_CIPHER_block_size(EVP_aes_256_cbc())];
int encDataLen;
UINT32 encLen, i;
BYTE *encKey;
BYTE *randKey = NULL;
UINT32 sealKeyLen;
BYTE *sealKey;
TSS_FLAG keyFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 |
TSS_KEY_VOLATILE | TSS_KEY_AUTHORIZATION |
TSS_KEY_NOT_MIGRATABLE;
TSS_HPOLICY hSrkPolicy;
char *passwd = NULL;
int pswd_len;
BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
BIO *bin = NULL, *bdata=NULL, *b64=NULL;
initIntlSys();
if (genericOptHandler(argc, argv, "i:o:p:uz", opts,
sizeof(opts) / sizeof(struct option), parse,
help) != 0)
goto out;
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
/* Create a BIO for the input file */
if ((bin = BIO_new(BIO_s_file())) == NULL) {
logError(_("Unable to open input BIO\n"));
goto out_close;
}
/* Assign the input file to the BIO */
if (strlen(in_filename) == 0)
BIO_set_fp(bin, stdin, BIO_NOCLOSE);
else if (!BIO_read_filename(bin, in_filename)) {
logError(_("Unable to open input file: %s\n"),
in_filename);
goto out_close;
}
/* Create the PCRs object. If any PCRs above 15 are selected, this will need to be
* a 1.2 TSS/TPM */
if (selectedPcrsLen) {
TSS_FLAG initFlag = 0;
UINT32 pcrSize;
BYTE *pcrValue;
for (i = 0; i < selectedPcrsLen; i++) {
if (selectedPcrs[i] > 15) {
#ifdef TSS_LIB_IS_12
initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
#else
logError(_("This version of %s was compiled for a v1.1 TSS, which "
"can only seal\n data to PCRs 0-15. PCR %u is out of range"
"\n"), argv[0], selectedPcrs[i]);
goto out_close;
#endif
}
}
if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
&hPcrs) != TSS_SUCCESS)
goto out_close;
for (i = 0; i < selectedPcrsLen; i++) {
if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
goto out_close;
if (pcrcompositeSetPcrValue(hPcrs, selectedPcrs[i], pcrSize, pcrValue)
!= TSS_SUCCESS)
goto out_close;
}
#ifdef TSS_LIB_IS_12
if (initFlag) {
UINT32 localityValue =
TPM_LOC_ZERO | TPM_LOC_ONE | TPM_LOC_TWO | TPM_LOC_THREE |
TPM_LOC_FOUR;
if (pcrcompositeSetPcrLocality(hPcrs, localityValue) != TSS_SUCCESS)
goto out_close;
}
#endif
}
/* Retrieve random data to be used as the symmetric key
(this key will encrypt the input file contents) */
if (tpmGetRandom(hTpm, EVP_CIPHER_key_length(EVP_aes_256_cbc()),
&randKey) != TSS_SUCCESS)
goto out_close;
/* Load the SRK and set the SRK policy (no password) */
if (keyLoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSrk)
!= TSS_SUCCESS)
goto out_close;
/* Use the context's default policy for the SRK secret */
if (policyGet(hSrk, &hSrkPolicy) != TSS_SUCCESS)
goto out_close;
/* Prompt for SRK password */
if (!isWellKnown) {
passwd = _GETPASSWD(_("Enter SRK password: "******"Failed to get SRK password\n"));
goto out_close;
}
} else {
passwd = (char *)wellKnown;
pswd_len = sizeof(wellKnown);
}
if (policySetSecret(hSrkPolicy, (UINT32)pswd_len, (BYTE *)passwd) != TSS_SUCCESS)
goto out_close;
if (!isWellKnown)
shredPasswd(passwd);
passwd = NULL;
/* Build an RSA key object that will be created by the TPM
(this will encrypt and protect the symmetric key) */
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_RSAKEY, keyFlags,
&hKey) != TSS_SUCCESS)
goto out_close;
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET)
!= TSS_SUCCESS)
goto out_close;
if (policyAssign(hPolicy, hKey) != TSS_SUCCESS)
goto out_close;
/* Create the RSA key (under the SRK) */
if (keyCreateKey(hKey, hSrk, NULL_HPCRS) != TSS_SUCCESS)
goto out_close;
/* Load the newly created RSA key */
if (keyLoadKey(hKey, hSrk) != TSS_SUCCESS)
goto out_close;
/* Build an encrypted data object that will hold the encrypted
version of the symmetric key */
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL,
&hEncdata) != TSS_SUCCESS)
goto out_close;
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET)
!= TSS_SUCCESS)
goto out_close;
if (policyAssign(hPolicy, hEncdata) != TSS_SUCCESS)
goto out_close;
/* Encrypt and seal the symmetric key */
if (dataSeal
(hEncdata, hKey, EVP_CIPHER_key_length(EVP_aes_256_cbc()),
randKey, hPcrs) != TSS_SUCCESS)
goto out_close;
if (getAttribData(hEncdata, TSS_TSPATTRIB_ENCDATA_BLOB,
TSS_TSPATTRIB_ENCDATABLOB_BLOB, &encLen,
&encKey) != TSS_SUCCESS)
goto out_close;
if (getAttribData
(hKey, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_BLOB,
&sealKeyLen, &sealKey) != TSS_SUCCESS)
goto out_close;
/* Create a BIO to perform base64 encoding */
if ((b64 = BIO_new(BIO_f_base64())) == NULL) {
logError(_("Unable to open base64 BIO\n"));
goto out_close;
}
/* Create a BIO for the output file */
if ((bdata = BIO_new(BIO_s_file())) == NULL) {
logError(_("Unable to open output BIO\n"));
goto out_close;
}
/* Assign the output file to the BIO */
if (strlen(out_filename) == 0)
BIO_set_fp(bdata, stdout, BIO_NOCLOSE);
else if (BIO_write_filename(bdata, out_filename) <= 0) {
logError(_("Unable to open output file: %s\n"),
out_filename);
goto out_close;
}
/* Output the sealed data header string */
BIO_puts(bdata, TPMSEAL_HDR_STRING);
/* Sealing key used on the TPM */
BIO_puts(bdata, TPMSEAL_TSS_STRING);
bdata = BIO_push(b64, bdata);
BIO_write(bdata, sealKey, sealKeyLen);
if (BIO_flush(bdata) != 1) {
logError(_("Unable to flush output\n"));
goto out_close;
}
bdata = BIO_pop(b64);
/* Sealed EVP Symmetric Key */
BIO_puts(bdata, TPMSEAL_EVP_STRING);
BIO_puts(bdata, TPMSEAL_KEYTYPE_SYM);
BIO_puts(bdata, TPMSEAL_CIPHER_AES256CBC);
bdata = BIO_push(b64, bdata);
BIO_write(bdata, encKey, encLen);
if (BIO_flush(bdata) != 1) {
logError(_("Unable to flush output\n"));
goto out_close;
}
bdata = BIO_pop(b64);
/* Encrypted Data */
BIO_puts(bdata, TPMSEAL_ENC_STRING);
bdata = BIO_push(b64, bdata);
EVP_CIPHER_CTX ctx;
EVP_EncryptInit(&ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV);
while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) {
EVP_EncryptUpdate(&ctx, encData, &encDataLen,
line, lineLen);
BIO_write(bdata, encData, encDataLen);
}
EVP_EncryptFinal(&ctx, encData, &encDataLen);
BIO_write(bdata, encData, encDataLen);
if (BIO_flush(bdata) != 1) {
logError(_("Unable to flush output\n"));
goto out_close;
}
bdata = BIO_pop(b64);
BIO_puts( bdata, TPMSEAL_FTR_STRING);
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
if (bin)
BIO_free(bin);
if (bdata)
BIO_free(bdata);
if (b64)
BIO_free(b64);
return iRc;
}
