uint32_t TPM_PCRReset(TPM_PCR_SELECTION * selection)
{
uint32_t ret;
uint32_t ordinal_no = htonl(TPM_ORD_PCR_Reset);
STACK_TPM_BUFFER(tpmdata)
struct tpm_buffer *serPCRMap = TSS_AllocTPMBuffer(TPM_U16_SIZE + selection->sizeOfSelect + 10);
uint32_t serPCRMapSize;
if (NULL == serPCRMap) {
return ERR_MEM_ERR;
}
ret = TPM_WritePCRSelection(serPCRMap, selection);
if ((ret & ERR_MASK) != 0) {
TSS_FreeTPMBuffer(serPCRMap);
return ret;
}
serPCRMapSize = ret;
ret = TSS_buildbuff("00 c1 T l %",&tpmdata,
ordinal_no,
serPCRMapSize, serPCRMap->buffer);
TSS_FreeTPMBuffer(serPCRMap);
if ((ret & ERR_MASK)) {
return ret;
}
ret = TPM_Transmit(&tpmdata,"PCR Reset");
return ret;
}
uint32_t TPM_SHA1Update(void * data, uint32_t datalen) {
uint32_t ordinal_no;
uint32_t ret;
struct tpm_buffer *tpmdata = TSS_AllocTPMBuffer(datalen+20);
/* move Network byte order data to variable for hmac calcualtion */
ordinal_no = htonl(TPM_ORD_SHA1Update);
if (NULL == tpmdata) {
return ERR_BAD_SIZE;
}
ret = TSS_buildbuff("00 c1 T l @", tpmdata,
ordinal_no,
datalen, data);
if (ret & ERR_MASK) {
goto err_exit;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(tpmdata,"SHA1Update");
err_exit:
TSS_FreeTPMBuffer(tpmdata);
return ret;
}
uint32_t TPM_HashPCRComposite(TPM_PCR_COMPOSITE * comp, unsigned char * digest)
{
int len;
struct tpm_buffer *buffer = TSS_AllocTPMBuffer(comp->pcrValue.size + sizeof(TPM_PCR_COMPOSITE));
if (NULL != buffer) {
len = TPM_WritePCRComposite(buffer, comp);
TSS_sha1(buffer->buffer, len, digest);
TSS_FreeTPMBuffer(buffer);
} else {
return ERR_MEM_ERR;
}
return 0;
}
uint32_t TPM_HashMSAComposite(TPM_MSA_COMPOSITE * comp,
unsigned char *digest)
{
uint32_t ret = 0;
struct tpm_buffer *buffer =
TSS_AllocTPMBuffer(comp->MSAlist * TPM_HASH_SIZE + TPM_U32_SIZE);
if (buffer) {
uint32_t len = TPM_WriteMSAComposite(buffer, comp);
TSS_sha1(buffer->buffer, len, digest);
TSS_FreeTPMBuffer(buffer);
} else
ret = ERR_MEM_ERR;
return ret;
}
int main(int argc, char *argv[])
{
unsigned char passhash1[20];
char * ownerpass = NULL;
char * filename = NULL;
int ret;
int verbose = FALSE;
TPM_MSA_COMPOSITE msaList = {0, NULL};
unsigned char migAuthDigest[TPM_DIGEST_SIZE];
unsigned char hmac[TPM_DIGEST_SIZE];
char * msa_list_filename = NULL;
int i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-pwdo",argv[i])) {
i++;
if (i < argc) {
ownerpass = argv[i];
} else {
printf("Missing parameter for -pwdo.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-of",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing parameter for -of.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-msa",argv[i])) {
i++;
if (i < argc) {
msa_list_filename = argv[i];
} else {
printf("Missing parameter for -msa.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-ik",argv[i])) {
i++;
if (i < argc) {
if (0 != addKeyToMSAList(&msaList,argv[i])) {
exit(-1);
}
} else {
printf("Missing parameter for -ik.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
} else
if (!strcmp("-h",argv[i])) {
usage();
exit(-1);
} else {
printf("\n%s is not a valid option\n",argv[i]);
usage();
exit(-1);
}
i++;
}
(void)verbose;
if (NULL == ownerpass ||
msaList.MSAlist == 0 ||
NULL == filename) {
printf("Missing argument.\n");
usage();
exit(-1);
}
if (NULL != ownerpass) {
TSS_sha1(ownerpass,strlen(ownerpass),passhash1);
}
TPM_HashMSAComposite(&msaList, migAuthDigest);
ret = TPM_CMK_ApproveMA(migAuthDigest,
passhash1,
hmac);
if (0 != ret) {
printf("CMK_ApproveMA returned error '%s' (%d).\n",
TPM_GetErrMsg(ret),
ret);
} else {
FILE * f = fopen(filename, "wb+");
if (f != NULL) {
if (TPM_DIGEST_SIZE == fwrite(hmac, 1, TPM_DIGEST_SIZE, f) &&
TPM_DIGEST_SIZE == fwrite(migAuthDigest, 1, TPM_DIGEST_SIZE, f) ) {
printf("Successfully wrote HMAC and digest to %s.\n",
filename);
}
fclose(f);
} else {
printf("Could not open file %s for writing.\n",
filename);
}
}
if (NULL != msa_list_filename) {
struct tpm_buffer * buffer = TSS_AllocTPMBuffer(sizeof(msaList) + msaList.MSAlist * TPM_HASH_SIZE);
if (NULL != buffer) {
uint32_t len = TPM_WriteMSAComposite(buffer, &msaList);
FILE * f = fopen(msa_list_filename, "wb");
if (NULL != f) {
fwrite(buffer->buffer,len,1, f);
printf("Successfully wrote msa list to %s.\n",
msa_list_filename);
fclose(f);
} else {
printf("Could not open file %s for writing.\n",
msa_list_filename);
}
TSS_FreeTPMBuffer(buffer);
}
}
exit(ret);
}
uint32_t TPM_Quote2(uint32_t keyhandle,
TPM_PCR_SELECTION * selection,
TPM_BOOL addVersion,
unsigned char *keyauth,
unsigned char *antiReplay,
TPM_PCR_INFO_SHORT * pcrinfo,
struct tpm_buffer *versionblob,
struct tpm_buffer *signature)
{
uint32_t ret;
uint32_t rc;
STACK_TPM_BUFFER( tpmdata )
session sess;
unsigned char pubauth[TPM_HASH_SIZE];
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char c = 0;
uint32_t ordinal_no = htonl(TPM_ORD_Quote2);
uint16_t pcrselsize;
uint32_t verinfosize;
uint32_t sigsize;
uint32_t storedsize;
uint32_t keyhndl = htonl(keyhandle);
uint16_t keytype;
struct tpm_buffer * serPCRSelection;
uint32_t serPCRSelectionSize;
/* check input arguments */
if (pcrinfo == NULL ||
selection == NULL ||
antiReplay == NULL) return ERR_NULL_ARG;
keytype = 0x0001;
ret = needKeysRoom(keyhandle, 0, 0, 0);
if (ret != 0) {
return ret;
}
TSS_gennonce(antiReplay);
serPCRSelection = TSS_AllocTPMBuffer(TPM_U16_SIZE +
selection->sizeOfSelect);
if (NULL == serPCRSelection) {
return ERR_MEM_ERR;
}
ret = TPM_WritePCRSelection(serPCRSelection, selection);
if (( ret & ERR_MASK) != 0) {
TSS_FreeTPMBuffer(serPCRSelection);
return ret;
}
serPCRSelectionSize = ret;
if (keyauth != NULL) {
/* Open OSAP Session */
ret = TSS_SessionOpen(SESSION_OSAP|SESSION_DSAP,&sess,keyauth,keytype,keyhandle);
if (ret != 0) {
TSS_FreeTPMBuffer(serPCRSelection);
return ret;
}
/* generate odd nonce */
TSS_gennonce(nonceodd);
/* move Network byte order data to variables for hmac calculation */
/* calculate authorization HMAC value */
ret = TSS_authhmac(pubauth,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE,TSS_Session_GetENonce(&sess),nonceodd,c,
TPM_U32_SIZE,&ordinal_no,
TPM_HASH_SIZE,antiReplay,
serPCRSelectionSize, serPCRSelection->buffer,
sizeof(TPM_BOOL), &addVersion,
0,0);
if (ret != 0) {
TSS_FreeTPMBuffer(serPCRSelection);
TSS_SessionClose(&sess);
return ret;
}
/* build the request buffer */
ret = TSS_buildbuff("00 C2 T l l % % o L % o %",&tpmdata,
ordinal_no,
keyhndl,
TPM_HASH_SIZE,antiReplay,
serPCRSelectionSize,serPCRSelection->buffer,
addVersion,
TSS_Session_GetHandle(&sess),
TPM_NONCE_SIZE,nonceodd,
c,
TPM_HASH_SIZE,pubauth);
TSS_FreeTPMBuffer(serPCRSelection);
if ((ret & ERR_MASK) != 0) {
TSS_SessionClose(&sess);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata,"Quote2 - AUTH1");
TSS_SessionClose(&sess);
if (ret != 0) {
return ret;
}
} else {
/* build the request buffer */
ret = TSS_buildbuff("00 C1 T l l % % o",&tpmdata,
ordinal_no,
keyhndl,
TPM_HASH_SIZE,antiReplay,
serPCRSelectionSize,serPCRSelection->buffer,
addVersion);
TSS_FreeTPMBuffer(serPCRSelection);
if ((ret & ERR_MASK) != 0) {
TSS_SessionClose(&sess);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata,"Quote2");
TSS_SessionClose(&sess);
if (ret != 0) {
return ret;
}
}
/* calculate the size of the returned Blob */
ret = tpm_buffer_load16(&tpmdata,TPM_DATA_OFFSET, &pcrselsize);
if ((ret & ERR_MASK)) {
return ret;
}
pcrselsize += TPM_U16_SIZE + 1 + TPM_HASH_SIZE;
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + pcrselsize, &verinfosize);
if ((ret & ERR_MASK)) {
return ret;
}
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + pcrselsize + TPM_U32_SIZE + verinfosize, &sigsize);
if ((ret & ERR_MASK)) {
return ret;
}
storedsize = pcrselsize + TPM_U32_SIZE + verinfosize +
TPM_U32_SIZE + sigsize;
if (keyauth != NULL) {
/* check the HMAC in the response */
ret = TSS_checkhmac1(&tpmdata,ordinal_no,nonceodd,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE,
storedsize,TPM_DATA_OFFSET,
0,0);
if (ret != 0) {
return ret;
}
}
/* copy the returned PCR composite to caller */
if (pcrselsize != (rc =
TPM_ReadPCRInfoShort(&tpmdata, TPM_DATA_OFFSET,
pcrinfo))) {
if ((rc & ERR_MASK))
return rc;
return ERR_BUFFER;
}
if (NULL != versionblob) {
SET_TPM_BUFFER(
versionblob,
&tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE],
verinfosize);
}
if (NULL != signature) {
SET_TPM_BUFFER(signature,
&tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE+verinfosize+TPM_U32_SIZE],
sigsize);
}
return ret;
}
int main(int argc, char * argv[]) {
char * ownerpass = NULL;
char * migpass = NULL;
char * parpass = NULL;
char * filename = NULL;
char * migkeyfile = NULL;
char * migkeypass = NULL;
uint32_t parhandle = -1; /* handle of parent key */
unsigned char * passptr1 = NULL;
unsigned char passhash1[20];
unsigned char hashpass1[20]; /* hash of new key password */
unsigned char hashpass3[20]; /* hash of parent key password */
unsigned char hashpass4[20]; /* hash of migration key pwd */
uint32_t ret = 0;
int i = 0;
keydata keyparms;
keydata idkey;
unsigned char *aptr1 = NULL;
unsigned char *aptr3 = NULL;
unsigned char *aptr4 = NULL;
keydata migkey;
uint16_t migscheme = TPM_MS_RESTRICT_MIGRATE;
uint32_t sigTicketSize = 0;
char * msa_list_filename = NULL;
TPM_MSA_COMPOSITE msaList = {0, NULL};
char * keyfile = NULL;
keydata q;
uint32_t sigkeyhandle = -1;
char * sigkeypass = NULL;
unsigned char sigkeypasshash[TPM_HASH_SIZE];
unsigned char * sigkeypassptr = NULL;
unsigned char sigTicket[TPM_HASH_SIZE];
TPM_CMK_AUTH restrictTicket;
TPM_CMK_AUTH *restrictTicketParameter; /* parameter to command function call */
unsigned char resTicketHash[TPM_HASH_SIZE];
memset(&keyparms, 0x0, sizeof(keyparms));
memset(&idkey , 0x0, sizeof(idkey));
memset(&restrictTicket, 0x0, sizeof(restrictTicket));
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-hp",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&parhandle);
} else {
printf("Missing parameter for -hp.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-pwdp",argv[i])) {
i++;
if (i < argc) {
parpass = argv[i];
} else {
printf("Missing parameter for -pwdp.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-ok",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing parameter for -ok.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-pwdo",argv[i])) {
i++;
if (i < argc) {
ownerpass = argv[i];
} else {
printf("Missing parameter for -pwdo.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-pwdm",argv[i])) {
i++;
if (i < argc) {
migpass = argv[i];
} else {
printf("Missing parameter for -pwdm.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-msa",argv[i])) {
i++;
if (i < argc) {
msa_list_filename = argv[i];
} else {
printf("Missing parameter for -msa.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-ik",argv[i])) {
i++;
if (i < argc) {
keyfile = argv[i];
} else {
printf("Missing parameter for -ik.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-im",argv[i])) {
i++;
if (i < argc) {
migkeyfile = argv[i];
} else {
printf("Missing parameter for -im.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-pwdk",argv[i])) {
i++;
if (i < argc) {
migkeypass = argv[i];
} else {
printf("Missing parameter for -pwdk.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-v",argv[i])) {
TPM_setlog(1);
} else
if (!strcmp("-hs",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&sigkeyhandle);
} else {
printf("Missing mandatory parameter for -hs.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-pwds",argv[i])) {
i++;
if (i < argc) {
sigkeypass = argv[i];
} else {
printf("Missing mandatory parameter for -pwds.\n");
usage();
exit(-1);
}
} else
if (!strcmp("-double",argv[i])) {
migscheme = TPM_MS_RESTRICT_APPROVE;
} else {
printf("Unknown option '%s'.",argv[i]);
usage();
exit(-1);
}
i++;
}
if (NULL == keyfile ||
NULL == ownerpass ||
-1 == (int)parhandle ||
NULL == migkeyfile ||
NULL == msa_list_filename) {
printf("Missing or wrong parameter.\n");
usage();
exit(-1);
}
if (TPM_MS_RESTRICT_APPROVE == migscheme) {
if (-1 == (int)sigkeyhandle) {
printf("Must provide signing key data when '-double' has been selected.\n");
exit(-1);
}
}
if (NULL != ownerpass) {
TSS_sha1(ownerpass,strlen(ownerpass),passhash1);
passptr1 = passhash1;
} else {
passptr1 = NULL;
}
if (NULL !=sigkeypass) {
TSS_sha1(sigkeypass, strlen(sigkeypass), sigkeypasshash);
sigkeypassptr = sigkeypasshash;
} else {
sigkeypassptr = NULL;
}
/*
** use the SHA1 hash of the password string as the Parent Key Authorization Data
*/
if (parpass != NULL) { TSS_sha1(parpass,strlen(parpass),hashpass1); aptr1 = hashpass1; }
/*
** use the SHA1 hash of the password string as the Key Migration Authorization Data
*/
if (migpass != NULL) { TSS_sha1(migpass,strlen(migpass),hashpass3); aptr3 = hashpass3; }
/*
** use the SHA1 hash of the password string as the Key Migration Authorization Data
*/
if (migkeypass != NULL) { TSS_sha1(migkeypass,strlen(migkeypass),hashpass4); aptr4 = hashpass4; }
/*
*
* - Create an RSA key pair.
* - Call TPM_AuthorizeMigrationKey for the RSA public key authorization
* - Call TPM_CreateMigrationBlob with the result from AuthorizeMigrationKey
* and the encrypted TPM_STORE_ASYMKEY structure
*
*/
/*
* readthe msa list from the file.
*/
ret = TPM_ReadMSAFile(msa_list_filename, &msaList);
if ( ( ret & ERR_MASK ) != 0) {
printf("Error while reading msa list file.\n");
exit(-1);
}
/*
** create and wrap an asymmetric key and get back the
** resulting keydata structure with the public and encrypted
** private keys filled in by the TPM
*/
/*
* q is the key that we want to migrate. Create one such key.
* migkey is the (public) key part from another TPM that we want to use
* to migrate q. Since I am not loading a public key from another TPM,
* I create a migration key here as well. I must never refer to this
* key via any handle or load it into the TPM
*/
printf("Loading the (public) key to use for migration...\n");
if (0 == ret) {
printf("Migration key is: %s\n",migkeyfile);
ret = TPM_ReadKeyfile(migkeyfile, &migkey);
if ((ret & ERR_MASK)) {
ret = TPM_ReadPubKeyfile(migkeyfile, &migkey.pub);
if ((ret & ERR_MASK)) {
printf("Could not read the keyfile %s as a "
"key or a pubkey.\n", migkeyfile);
exit(-1);
}
}
ret = TPM_ReadKeyfile(keyfile, &q);
if ((ret & ERR_MASK)) {
printf("Could not read the keyfile %s.\n",
keyfile);
}
}
/*
* Create a ticket if needed.
*/
if (migscheme == TPM_MS_RESTRICT_APPROVE) {
keydata signingkey;
unsigned char signatureValue[2048];
uint32_t signatureValueSize = sizeof(signatureValue);
STACK_TPM_BUFFER(sigkey)
/*
* Get the public key part of the signing key.
*/
ret = TPM_GetPubKey(sigkeyhandle,
sigkeypassptr,
&signingkey.pub);
if ( 0 != ret ) {
printf("Error %s while retrieving public signing key.\n",
TPM_GetErrMsg(ret));
exit(-1);
}
/*
* Build the restrictTicket!!!
*/
restrictTicketParameter = &restrictTicket; /* command needs restrictTicket */
ret = TPM_HashPubKey(&q,
restrictTicket.sourceKeyDigest);
if ( ( ret & ERR_MASK ) != 0) {
printf("Could not calculate hash over the public key of the key to be migrated.\n");
exit(ret);
}
ret = TPM_HashPubKey(&migkey,
restrictTicket.destinationKeyDigest);
if ( ( ret & ERR_MASK ) != 0) {
printf("Could not calculate hash over the public key of the migration key.\n");
exit(ret);
}
ret = TPM_HashCMKAuth(&restrictTicket, resTicketHash);
ret = TPM_Sign(sigkeyhandle, sigkeypassptr,
resTicketHash, sizeof(resTicketHash),
signatureValue, &signatureValueSize);
if ( 0 != ret) {
printf("Error %s while sigining.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
ret = TPM_CMK_CreateTicket(&signingkey,
resTicketHash,
signatureValue, signatureValueSize,
passptr1,
sigTicket);
sigTicketSize = TPM_DIGEST_SIZE;
}
else { /* TPM_MS_RESTRICT_MIGRATE */
restrictTicketParameter = NULL; /* command does not need restrictTicket */
}
if (0 == ret) {
if (0 == ret) {
STACK_TPM_BUFFER( keyblob)
STACK_TPM_BUFFER( migblob);
keydata keyd;
memset(&keyd, 0x0, sizeof(keyd));
ret = TPM_WriteKeyPub(&keyblob, &migkey);
if ((ret & ERR_MASK) != 0) {
printf("Could not serialize the keydata: %s\n",
TPM_GetErrMsg(ret));
exit(-1);
}
ret = TPM_AuthorizeMigrationKey(passptr1,
migscheme, // migration scheme
&keyblob, // public key to be authorized
&migblob);
if (0 == ret) {
unsigned char rndblob[1024];
uint32_t rndblen = sizeof(rndblob);
unsigned char outblob[1024];
uint32_t outblen = sizeof(outblob);
unsigned char sourceKeyDigest[TPM_DIGEST_SIZE];
unsigned char encblob[1024];
uint32_t encblen;
memcpy(encblob,
q.encData.buffer,
q.encData.size);
encblen = q.encData.size;
if (0!= ret) {
printf("Error occurred while creating encrypted blob.\n");
exit (-1);
}
TPM_HashPubKey(&q,sourceKeyDigest);
printf("parhandle = %x\n",parhandle);
/*
* Now call the TPM_CreateMigrationBlob function.
*/
ret = TPM_CMK_CreateBlob(parhandle, // handle of a key that can decrypt the encblob below
aptr1, // password for that parent key
migscheme,
&migblob,
sourceKeyDigest,
&msaList,
restrictTicketParameter, /* either NULL or restrictTicket */
sigTicket, sigTicketSize,
encblob, encblen, // encrypted private key that will show up re-encrypted in outblob
rndblob, &rndblen, // output: used for xor encryption
outblob, &outblen);// output: re-encrypted private key
if (0 == ret) {
if (NULL != filename) {
STACK_TPM_BUFFER(keybuf)
// serialize the key in 'q'
ret = TPM_WriteKey(&keybuf,&q);
if (ret > 0) {
unsigned int keybuflen = ret;
FILE * f = fopen(filename,"wb");
if (NULL != f) {
struct tpm_buffer * filebuf = TSS_AllocTPMBuffer(10240);
if (NULL != filebuf) {
int l;
l = TSS_buildbuff("@ @ @",filebuf,
rndblen, rndblob,
outblen, outblob,
keybuflen, keybuf.buffer);
fwrite(filebuf->buffer,
l,
1,
f);
fclose(f);
TSS_FreeTPMBuffer(filebuf);
printf("Wrote migration blob and associated data to file.\n");
ret = 0;
} else {
printf("Error. Could not allocate memory.\n");
ret = -1;
}
} else {
printf("Error. Could not write blob to file.\n");
ret = -1;
}
} else {
printf("Error while serializing key!\n");
}
} else {
}
} else {
printf("CMK_CreateBlob returned '%s' (%d).\n",
TPM_GetErrMsg(ret),
ret);
}
} else {
printf("AuthorizeMigrationKey returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
} else {
}
} else {
}
return ret;
}
int main(int argc, char * argv[]) {
char * migrationkeyfile = NULL;
char * filename = NULL;
char * migrationKeyPassword = NULL;
unsigned char migrationkeyUsageAuth[TPM_DIGEST_SIZE];
unsigned char * passptr = NULL;
uint32_t ret = 0;
int i = 0;
keydata migrationkey;
int verbose = FALSE;
uint32_t migrationkeyhandle = 0;
unsigned char * buffer = NULL;
uint32_t bufferSize = 0;
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-if",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing parameter for -if.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-pwdm",argv[i])) {
i++;
if (i < argc) {
migrationKeyPassword = argv[i];
} else {
printf("Missing parameter for -pwdm.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-hm",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&migrationkeyhandle);
} else {
printf("Missing parameter for -hm.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-ik",argv[i])) {
i++;
if (i < argc) {
migrationkeyfile = argv[i];
} else {
printf("Missing parameter for -ik.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
usage();
exit(-1);
} else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
exit(-1);
}
i++;
}
if (NULL == migrationkeyfile ||
NULL == filename ||
-1 == (int)migrationkeyhandle) {
printf("Missing or wrong parameter.\n");
usage();
exit(-1);
}
if (NULL != migrationKeyPassword) {
TSS_sha1(migrationKeyPassword,
strlen(migrationKeyPassword),
migrationkeyUsageAuth);
passptr = migrationkeyUsageAuth;
}
/*
* load the key to be migrated from a file.
*/
ret = 0;
buffer = readFile(filename, &bufferSize);
if (NULL != buffer) {
unsigned int offset = 0;
unsigned char * encblob = NULL;
uint32_t encsize = 0;
unsigned char * rndblob = NULL;
uint32_t rndsize = 0;
uint32_t keysize = 0;
unsigned char * keyblob = NULL;
keydata tobemigkey;
STACK_TPM_BUFFER(tb)
rndsize = LOAD32(buffer,offset);
offset += 4;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
rndblob = &buffer[offset];
offset += rndsize;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
encsize = LOAD32(buffer,offset);
offset += 4;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
encblob = &buffer[offset];
offset += encsize;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
keysize = LOAD32(buffer,offset);
offset += 4;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
keyblob = &buffer[offset];
offset += keysize;
if (offset != bufferSize) {
printf("Bad input file. Exiting");
return -1;
}
SET_TPM_BUFFER(&tb, keyblob, keysize);
TSS_KeyExtract(&tb,0,&tobemigkey);
/*
* load the migration key from the destination
* TPM from a file. Need the public key part of
* that key.
*/
ret = loadKey(migrationkeyfile, &migrationkey);
if (0 == ret) {
STACK_TPM_BUFFER(keyblob)
uint32_t keyblen = 0;
unsigned char * reencData = malloc(encsize);
uint32_t reencDataSize = encsize;
if (NULL == encblob || NULL == reencData) {
printf("Could not get memory for encryted private key blob.\n");
exit (-1);
}
ret = TPM_WriteKeyPub(&keyblob, &migrationkey);
if (ret & ERR_MASK) {
printf("Could not serialize the keydata!\n");
free(reencData);
exit(-1);
}
keyblen = ret;
ret = TPM_MigrateKey(migrationkeyhandle,
passptr,
keyblob.buffer, keyblen,
encblob, encsize,
reencData, &reencDataSize);
if (0 == ret) {
STACK_TPM_BUFFER(keybuf)
// serialize the key to be migrated
ret = TPM_WriteKey(&keybuf,&tobemigkey);
if (ret > 0) {
unsigned int keybuflen = ret;
FILE * f = fopen(filename,"wb");
if (NULL != f) {
struct tpm_buffer *filebuf = TSS_AllocTPMBuffer(10240);
if (NULL != filebuf) {
int l;
l = TSS_buildbuff("@ @ @",filebuf,
rndsize, rndblob,
reencDataSize, reencData,
keybuflen, keybuf.buffer);
fwrite(filebuf->buffer,
l,
1,
f);
fclose(f);
printf("Wrote migration blob and associated data to file.\n");
ret = 0;
TSS_FreeTPMBuffer(filebuf);
} else {
printf("Error. Could not allocate memory.\n");
ret = -1;
}
}
}
} else {
printf("MigrateKey returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
free(reencData);
} else {
printf("Error. Could not load the migration key.");
}
} else {
printf("Error. Could not load the blob from file '%s'.\n",
filename);
}
return ret;
}
