Example #1
0
int main(int argc, char *argv[])
   {
   int ret;
   unsigned char passhash[TPM_HASH_SIZE];     /* hash of parent key password */
   unsigned char datahash[TPM_HASH_SIZE];     /* hash of data file */
   unsigned char sig[4096];        /* resulting signature */
   uint32_t  siglen;           /* signature length */
   unsigned char *passptr;
   FILE *sigfile;
   
   TPM_setlog(0);                  /* turn off verbose output */
   ParseArgs(argc, argv);
   if ((keyhandle == 0) ||
       (message == NULL) ||
       (sigfilename == NULL)) {
       printf("Missing parameter\n");
       printUsage();
   }

   /*
   ** use the SHA1 hash of the password string as the Key Authorization Data
   */
   if (keypass != NULL)
      {
      TSS_sha1(keypass,strlen(keypass),passhash);
      passptr = passhash;
      }
   else passptr = NULL;
   /*
   ** hash the message
   */
   TSS_sha1(message,strlen(message),datahash);

   ret = TPM_Sign(keyhandle,              /* Key Handle */
                  passptr,                /* key Password */
                  datahash,sizeof (datahash),     /* data to be signed, length */
                  sig,&siglen);           /* buffer to receive sig, int to receive sig length */
   if (ret != 0)
      {
      printf("Error %s from TPM_Sign\n",TPM_GetErrMsg(ret));
      exit(1);
      }
   sigfile = fopen(sigfilename, "wb");
   if (sigfile == NULL)
      {
      printf("Unable to open output file '%s'\n", sigfilename);
      exit(4);
      }
   ret = fwrite(sig,1,siglen,sigfile);
   if (ret != (int)siglen)
      {
      printf("I/O Error while writing output file '%s'\n", sigfilename);
      exit(5); 
      }
   fclose(sigfile);
   exit(0);
   }
Example #2
0
int main(int argc, char *argv[])
   {
   int ret;
   uint32_t parhandle;             /* handle of parent key */
   unsigned char passhash[TPM_HASH_SIZE];     /* hash of parent key password */
   unsigned char datahash[TPM_HASH_SIZE];     /* hash of data file */
   unsigned char sig[4096];        /* resulting signature */
   uint32_t  siglen;           /* signature length */
   unsigned char *passptr;
   char *indata;
   FILE *sigfile;
   
   int nxtarg;
   
   nxtarg = ParseArgs(argc, argv);
   if (argc < (nxtarg + 3) ) usage();
   TPM_setlog(0);                  /* turn off verbose output */
   /*
   ** convert parent key handle from hex
   */
   ret = sscanf(argv[nxtarg+0],"%x",&parhandle);
   if (ret != 1)
      {
      printf("Invalid argument '%s'\n",argv[nxtarg+0]);
      exit(2);
      }
   /*
   ** use the SHA1 hash of the password string as the Key Authorization Data
   */
   if (keypass != NULL)
      {
      TSS_sha1(keypass,strlen(keypass),passhash);
      passptr = passhash;
      }
   else passptr = NULL;
   /*
   ** read and hash the message
   */
   indata = argv[nxtarg+1];
   if (indata == NULL)
      {
      printf("Unable to get input data'\n");
      exit(-2);
      }
   TSS_sha1(indata,strlen(indata),datahash);

   ret = TPM_Sign(parhandle,              /* Key Handle */
                  passptr,                /* key Password */
                  datahash,sizeof (datahash),     /* data to be signed, length */
                  sig,&siglen);           /* buffer to receive sig, int to receive sig length */
   if (ret != 0)
      {
      printf("Error %s from TPM_Sign\n",TPM_GetErrMsg(ret));
      exit(1);
      }
   sigfile = fopen(argv[nxtarg+2],"wb");
   if (sigfile == NULL)
      {
      printf("Unable to open output file '%s'\n",argv[nxtarg+2]);
      exit(4);
      }
   ret = fwrite(sig,1,siglen,sigfile);
   if (ret != (int)siglen)
      {
      printf("I/O Error while writing output file '%s'\n",argv[nxtarg+2]);
      exit(5);
      }
   fclose(sigfile);
   exit(0);
   }
Example #3
0
int main(int argc, char * argv[]) {
	char * ownerpass = NULL;
	char * migpass = NULL;
	char * parpass = NULL;
	char * filename = NULL;
	char * migkeyfile = NULL;
	char * migkeypass = NULL;
	uint32_t parhandle = -1;             /* handle of parent key */
	unsigned char * passptr1 = NULL;
	unsigned char passhash1[20];
	unsigned char hashpass1[20];    /* hash of new key password */
	unsigned char hashpass3[20];    /* hash of parent key password */
	unsigned char hashpass4[20];    /* hash of migration key pwd */
	uint32_t ret = 0;
	int i =	0;
	keydata keyparms;
	keydata idkey;
	unsigned char *aptr1 = NULL;
	unsigned char *aptr3 = NULL;
	unsigned char *aptr4 = NULL;
	keydata migkey;
	uint16_t migscheme = TPM_MS_RESTRICT_MIGRATE;
	uint32_t sigTicketSize = 0;
	char * msa_list_filename = NULL;
	TPM_MSA_COMPOSITE msaList = {0, NULL};
	char * keyfile = NULL;
	keydata q;
	uint32_t sigkeyhandle = -1;
	char * sigkeypass = NULL;
	unsigned char sigkeypasshash[TPM_HASH_SIZE];
	unsigned char * sigkeypassptr = NULL;
	unsigned char sigTicket[TPM_HASH_SIZE];
	TPM_CMK_AUTH restrictTicket;
	TPM_CMK_AUTH *restrictTicketParameter;	/* parameter to command function call */
	unsigned char resTicketHash[TPM_HASH_SIZE];
	
	
	memset(&keyparms, 0x0, sizeof(keyparms));
	memset(&idkey   , 0x0, sizeof(idkey));
	memset(&restrictTicket, 0x0, sizeof(restrictTicket));
	
	i = 1;
	
	TPM_setlog(0);
	
	while (i < argc) {
		if (!strcmp("-hp",argv[i])) {
			i++;
			if (i < argc) {
				sscanf(argv[i],"%x",&parhandle);
			} else {
				printf("Missing parameter for -hp.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-pwdp",argv[i])) {
			i++;
			if (i < argc) {
				parpass = argv[i];
			} else {
				printf("Missing parameter for -pwdp.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-ok",argv[i])) {
			i++;
			if (i < argc) {
				filename = argv[i];
			} else {
				printf("Missing parameter for -ok.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-pwdo",argv[i])) {
			i++;
			if (i < argc) {
				ownerpass = argv[i];
			} else {
				printf("Missing parameter for -pwdo.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-pwdm",argv[i])) {
			i++;
			if (i < argc) {
				migpass = argv[i];
			} else {
				printf("Missing parameter for -pwdm.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-msa",argv[i])) {
			i++;
			if (i < argc) {
				msa_list_filename = argv[i];
			} else {
				printf("Missing parameter for -msa.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-ik",argv[i])) {
			i++;
			if (i < argc) {
				keyfile = argv[i];
			} else {
				printf("Missing parameter for -ik.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-im",argv[i])) {
			i++;
			if (i < argc) {
				migkeyfile = argv[i];
			} else {
				printf("Missing parameter for -im.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-pwdk",argv[i])) {
			i++;
			if (i < argc) {
				migkeypass = argv[i];
			} else {
				printf("Missing parameter for -pwdk.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-v",argv[i])) {
			TPM_setlog(1);
		} else
		if (!strcmp("-hs",argv[i])) {
			i++;
			if (i < argc) {
				sscanf(argv[i],"%x",&sigkeyhandle);
			} else {
				printf("Missing mandatory parameter for -hs.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-pwds",argv[i])) {
			i++;
			if (i < argc) {
				sigkeypass = argv[i];
			} else {
				printf("Missing mandatory parameter for -pwds.\n");
				usage();
				exit(-1);
			}
		} else
		if (!strcmp("-double",argv[i])) {
			migscheme = TPM_MS_RESTRICT_APPROVE;
		} else {
			printf("Unknown option '%s'.",argv[i]);
			usage();
			exit(-1);
		}
		i++;
	}


	if (NULL == keyfile ||
	    NULL == ownerpass || 
	    -1 == (int)parhandle   || 
	    NULL == migkeyfile ||
	    NULL == msa_list_filename) {
		printf("Missing or wrong parameter.\n");
		usage();
		exit(-1);
	}
	
	if (TPM_MS_RESTRICT_APPROVE == migscheme) {
		if (-1 == (int)sigkeyhandle) {
			printf("Must provide signing key data when '-double' has been selected.\n");
			exit(-1);
		}
	}

	if (NULL != ownerpass) {
		TSS_sha1(ownerpass,strlen(ownerpass),passhash1);
		passptr1 = passhash1;
	} else {
		passptr1 = NULL;
	}

	if (NULL !=sigkeypass) {
		TSS_sha1(sigkeypass, strlen(sigkeypass), sigkeypasshash);
		sigkeypassptr = sigkeypasshash;
	} else {
		sigkeypassptr = NULL;
	}
	

	/*
	** use the SHA1 hash of the password string as the Parent Key Authorization Data
	*/
	if (parpass != NULL) { TSS_sha1(parpass,strlen(parpass),hashpass1); aptr1 = hashpass1; }
	/*
	** use the SHA1 hash of the password string as the Key Migration Authorization Data
	*/
	if (migpass != NULL) { TSS_sha1(migpass,strlen(migpass),hashpass3); aptr3 = hashpass3; }
	/*
	** use the SHA1 hash of the password string as the Key Migration Authorization Data
	*/
	if (migkeypass != NULL) { TSS_sha1(migkeypass,strlen(migkeypass),hashpass4); aptr4 = hashpass4; }
	
	/*
	 * 
	 * - Create an RSA key pair.
	 * - Call TPM_AuthorizeMigrationKey for the RSA public key authorization
	 * - Call TPM_CreateMigrationBlob   with the result from AuthorizeMigrationKey
	 *                                  and the encrypted TPM_STORE_ASYMKEY structure
	 * 
	 */

	/*
	 * readthe msa list from the file.
	 */
	ret = TPM_ReadMSAFile(msa_list_filename, &msaList);
	if ( ( ret & ERR_MASK ) != 0) {
		printf("Error while reading msa list file.\n");
		exit(-1);
	}

	/*
	** create and wrap an asymmetric key and get back the
	** resulting keydata structure with the public and encrypted
	** private keys filled in by the TPM
	*/
	
	/*
	 * q is the key that we want to migrate. Create one such key.
	 * migkey is the (public) key part from another TPM that we want to use 
	 *   to migrate q. Since I am not loading a public key from another TPM,
	 *   I create a migration key here as well. I must never refer to this
	 *   key via any handle or load it into the TPM
	 */
	
	printf("Loading the (public) key to use for migration...\n");
	if (0 == ret) {
		printf("Migration key is: %s\n",migkeyfile);
		ret = TPM_ReadKeyfile(migkeyfile, &migkey);
		if ((ret & ERR_MASK)) {
			ret = TPM_ReadPubKeyfile(migkeyfile, &migkey.pub);
			if ((ret & ERR_MASK)) {
				printf("Could not read the keyfile %s as a "
				       "key or a pubkey.\n", migkeyfile);
				exit(-1);
			}
		}
		ret = TPM_ReadKeyfile(keyfile, &q);
		if ((ret & ERR_MASK)) {
			printf("Could not read the keyfile %s.\n",
			       keyfile);
		}
	}
	
	/*
	 * Create a ticket if needed.
	 */
	if (migscheme == TPM_MS_RESTRICT_APPROVE) {
		keydata signingkey;
		unsigned char signatureValue[2048];
		uint32_t signatureValueSize = sizeof(signatureValue);
		STACK_TPM_BUFFER(sigkey)
		
		/*
		 * Get the public key part of the signing key.
		 */
		ret = TPM_GetPubKey(sigkeyhandle,
		                    sigkeypassptr,
		                    &signingkey.pub);
		if ( 0 != ret ) {
			printf("Error %s while retrieving public signing key.\n", 
			       TPM_GetErrMsg(ret));
			exit(-1);
		}

		/*
		 * Build the restrictTicket!!!
		 */
		restrictTicketParameter = &restrictTicket;	/* command needs restrictTicket */     
		ret = TPM_HashPubKey(&q,
		                     restrictTicket.sourceKeyDigest);

		if ( ( ret & ERR_MASK ) != 0) {
			printf("Could not calculate hash over the public key of the key to be migrated.\n");
			exit(ret);
		}
		
		ret = TPM_HashPubKey(&migkey,
		                     restrictTicket.destinationKeyDigest);

		if ( ( ret & ERR_MASK ) != 0) {
			printf("Could not calculate hash over the public key of the migration key.\n");
			exit(ret);
		}

		ret = TPM_HashCMKAuth(&restrictTicket, resTicketHash);

		ret = TPM_Sign(sigkeyhandle, sigkeypassptr,
		               resTicketHash, sizeof(resTicketHash),
		               signatureValue, &signatureValueSize);

		if ( 0 != ret) {
			printf("Error %s while sigining.\n",
			       TPM_GetErrMsg(ret));
			exit(ret);
		}


		ret = TPM_CMK_CreateTicket(&signingkey,
		                           resTicketHash,
		                           signatureValue, signatureValueSize,
		                           passptr1,
		                           sigTicket);
		sigTicketSize = TPM_DIGEST_SIZE;
		
	}
	else {	/* TPM_MS_RESTRICT_MIGRATE */
	    restrictTicketParameter = NULL;	/* command does not need restrictTicket */     
	}
	if (0 == ret) {
		if (0 == ret) {

			STACK_TPM_BUFFER( keyblob)
			STACK_TPM_BUFFER( migblob);
			keydata keyd;

			memset(&keyd, 0x0, sizeof(keyd));

			ret = TPM_WriteKeyPub(&keyblob, &migkey);

			if ((ret & ERR_MASK) != 0) {
				printf("Could not serialize the keydata: %s\n",
				       TPM_GetErrMsg(ret));
				exit(-1);
			}

			ret = TPM_AuthorizeMigrationKey(passptr1,
			                                migscheme,         // migration scheme
			                                &keyblob,  // public key to be authorized
			                                &migblob);
			if (0 == ret) {
				unsigned char rndblob[1024];
				uint32_t rndblen = sizeof(rndblob);
				unsigned char outblob[1024];
				uint32_t outblen = sizeof(outblob);
				unsigned char sourceKeyDigest[TPM_DIGEST_SIZE];

				unsigned char encblob[1024];
				uint32_t encblen;
				
				memcpy(encblob,
				       q.encData.buffer,
				       q.encData.size);
				encblen = q.encData.size;

				if (0!= ret) {
					printf("Error occurred while creating encrypted blob.\n");
					exit (-1);
				}
				
				TPM_HashPubKey(&q,sourceKeyDigest);
				
				printf("parhandle = %x\n",parhandle);
				/*
				 * Now call the TPM_CreateMigrationBlob function.
				 */
				ret = TPM_CMK_CreateBlob(parhandle,         // handle of a key that can decrypt the encblob below
				                         aptr1,             // password for that parent key
				                         migscheme,
				                         &migblob,
				                         sourceKeyDigest,
				                         &msaList,
				                         restrictTicketParameter,	/* either NULL or restrictTicket */
				                         sigTicket, sigTicketSize,
				                         encblob, encblen,  // encrypted private key that will show up re-encrypted in outblob
				                         rndblob, &rndblen, // output: used for xor encryption
				                         outblob, &outblen);// output: re-encrypted private key
				if (0 == ret) {
					if (NULL != filename) {
						STACK_TPM_BUFFER(keybuf)
						// serialize the key in 'q'
						ret = TPM_WriteKey(&keybuf,&q);
						if (ret > 0) {
							unsigned int keybuflen = ret;
							FILE * f = fopen(filename,"wb");
							if (NULL != f) {
								struct tpm_buffer * filebuf = TSS_AllocTPMBuffer(10240);
								if (NULL != filebuf) {
									int l;
									l = TSS_buildbuff("@ @ @",filebuf,
									                   rndblen, rndblob,
									                     outblen, outblob,
									                       keybuflen, keybuf.buffer);
									fwrite(filebuf->buffer,
									       l,
									       1,
									       f);
									fclose(f);
									TSS_FreeTPMBuffer(filebuf);
									printf("Wrote migration blob and associated data to file.\n");
									ret = 0;
									
								} else {
									printf("Error. Could not allocate memory.\n");
									ret = -1;
								}
							} else {
								printf("Error. Could not write blob to file.\n");
								ret = -1;
							}
						} else {
							printf("Error while serializing key!\n");
						}
					} else {
					}
				} else {
					printf("CMK_CreateBlob returned '%s' (%d).\n",
					       TPM_GetErrMsg(ret),
					       ret);
				}

			} else {
				printf("AuthorizeMigrationKey returned '%s' (0x%x).\n",
				       TPM_GetErrMsg(ret),
				       ret);
			}

		} else {
		}
	} else {
	}
	return ret;
}