uint32_t TPM_PCRReset(TPM_PCR_SELECTION * selection) { uint32_t ret; uint32_t ordinal_no = htonl(TPM_ORD_PCR_Reset); STACK_TPM_BUFFER(tpmdata) struct tpm_buffer *serPCRMap = TSS_AllocTPMBuffer(TPM_U16_SIZE + selection->sizeOfSelect + 10); uint32_t serPCRMapSize; if (NULL == serPCRMap) { return ERR_MEM_ERR; } ret = TPM_WritePCRSelection(serPCRMap, selection); if ((ret & ERR_MASK) != 0) { TSS_FreeTPMBuffer(serPCRMap); return ret; } serPCRMapSize = ret; ret = TSS_buildbuff("00 c1 T l %",&tpmdata, ordinal_no, serPCRMapSize, serPCRMap->buffer); TSS_FreeTPMBuffer(serPCRMap); if ((ret & ERR_MASK)) { return ret; } ret = TPM_Transmit(&tpmdata,"PCR Reset"); return ret; }
uint32_t TPM_SHA1Update(void * data, uint32_t datalen) { uint32_t ordinal_no; uint32_t ret; struct tpm_buffer *tpmdata = TSS_AllocTPMBuffer(datalen+20); /* move Network byte order data to variable for hmac calcualtion */ ordinal_no = htonl(TPM_ORD_SHA1Update); if (NULL == tpmdata) { return ERR_BAD_SIZE; } ret = TSS_buildbuff("00 c1 T l @", tpmdata, ordinal_no, datalen, data); if (ret & ERR_MASK) { goto err_exit; } /* transmit the request buffer to the TPM device and read the reply */ ret = TPM_Transmit(tpmdata,"SHA1Update"); err_exit: TSS_FreeTPMBuffer(tpmdata); return ret; }
uint32_t TPM_HashPCRComposite(TPM_PCR_COMPOSITE * comp, unsigned char * digest) { int len; struct tpm_buffer *buffer = TSS_AllocTPMBuffer(comp->pcrValue.size + sizeof(TPM_PCR_COMPOSITE)); if (NULL != buffer) { len = TPM_WritePCRComposite(buffer, comp); TSS_sha1(buffer->buffer, len, digest); TSS_FreeTPMBuffer(buffer); } else { return ERR_MEM_ERR; } return 0; }
uint32_t TPM_HashMSAComposite(TPM_MSA_COMPOSITE * comp, unsigned char *digest) { uint32_t ret = 0; struct tpm_buffer *buffer = TSS_AllocTPMBuffer(comp->MSAlist * TPM_HASH_SIZE + TPM_U32_SIZE); if (buffer) { uint32_t len = TPM_WriteMSAComposite(buffer, comp); TSS_sha1(buffer->buffer, len, digest); TSS_FreeTPMBuffer(buffer); } else ret = ERR_MEM_ERR; return ret; }
int main(int argc, char *argv[]) { unsigned char passhash1[20]; char * ownerpass = NULL; char * filename = NULL; int ret; int verbose = FALSE; TPM_MSA_COMPOSITE msaList = {0, NULL}; unsigned char migAuthDigest[TPM_DIGEST_SIZE]; unsigned char hmac[TPM_DIGEST_SIZE]; char * msa_list_filename = NULL; int i = 1; TPM_setlog(0); while (i < argc) { if (!strcmp("-pwdo",argv[i])) { i++; if (i < argc) { ownerpass = argv[i]; } else { printf("Missing parameter for -pwdo.\n"); usage(); exit(-1); } } else if (!strcmp("-of",argv[i])) { i++; if (i < argc) { filename = argv[i]; } else { printf("Missing parameter for -of.\n"); usage(); exit(-1); } } else if (!strcmp("-msa",argv[i])) { i++; if (i < argc) { msa_list_filename = argv[i]; } else { printf("Missing parameter for -msa.\n"); usage(); exit(-1); } } else if (!strcmp("-ik",argv[i])) { i++; if (i < argc) { if (0 != addKeyToMSAList(&msaList,argv[i])) { exit(-1); } } else { printf("Missing parameter for -ik.\n"); usage(); exit(-1); } } else if (!strcmp("-v",argv[i])) { verbose = TRUE; TPM_setlog(1); } else if (!strcmp("-h",argv[i])) { usage(); exit(-1); } else { printf("\n%s is not a valid option\n",argv[i]); usage(); exit(-1); } i++; } (void)verbose; if (NULL == ownerpass || msaList.MSAlist == 0 || NULL == filename) { printf("Missing argument.\n"); usage(); exit(-1); } if (NULL != ownerpass) { TSS_sha1(ownerpass,strlen(ownerpass),passhash1); } TPM_HashMSAComposite(&msaList, migAuthDigest); ret = TPM_CMK_ApproveMA(migAuthDigest, passhash1, hmac); if (0 != ret) { printf("CMK_ApproveMA returned error '%s' (%d).\n", TPM_GetErrMsg(ret), ret); } else { FILE * f = fopen(filename, "wb+"); if (f != NULL) { if (TPM_DIGEST_SIZE == fwrite(hmac, 1, TPM_DIGEST_SIZE, f) && TPM_DIGEST_SIZE == fwrite(migAuthDigest, 1, TPM_DIGEST_SIZE, f) ) { printf("Successfully wrote HMAC and digest to %s.\n", filename); } fclose(f); } else { printf("Could not open file %s for writing.\n", filename); } } if (NULL != msa_list_filename) { struct tpm_buffer * buffer = TSS_AllocTPMBuffer(sizeof(msaList) + msaList.MSAlist * TPM_HASH_SIZE); if (NULL != buffer) { uint32_t len = TPM_WriteMSAComposite(buffer, &msaList); FILE * f = fopen(msa_list_filename, "wb"); if (NULL != f) { fwrite(buffer->buffer,len,1, f); printf("Successfully wrote msa list to %s.\n", msa_list_filename); fclose(f); } else { printf("Could not open file %s for writing.\n", msa_list_filename); } TSS_FreeTPMBuffer(buffer); } } exit(ret); }
uint32_t TPM_Quote2(uint32_t keyhandle, TPM_PCR_SELECTION * selection, TPM_BOOL addVersion, unsigned char *keyauth, unsigned char *antiReplay, TPM_PCR_INFO_SHORT * pcrinfo, struct tpm_buffer *versionblob, struct tpm_buffer *signature) { uint32_t ret; uint32_t rc; STACK_TPM_BUFFER( tpmdata ) session sess; unsigned char pubauth[TPM_HASH_SIZE]; unsigned char nonceodd[TPM_NONCE_SIZE]; unsigned char c = 0; uint32_t ordinal_no = htonl(TPM_ORD_Quote2); uint16_t pcrselsize; uint32_t verinfosize; uint32_t sigsize; uint32_t storedsize; uint32_t keyhndl = htonl(keyhandle); uint16_t keytype; struct tpm_buffer * serPCRSelection; uint32_t serPCRSelectionSize; /* check input arguments */ if (pcrinfo == NULL || selection == NULL || antiReplay == NULL) return ERR_NULL_ARG; keytype = 0x0001; ret = needKeysRoom(keyhandle, 0, 0, 0); if (ret != 0) { return ret; } TSS_gennonce(antiReplay); serPCRSelection = TSS_AllocTPMBuffer(TPM_U16_SIZE + selection->sizeOfSelect); if (NULL == serPCRSelection) { return ERR_MEM_ERR; } ret = TPM_WritePCRSelection(serPCRSelection, selection); if (( ret & ERR_MASK) != 0) { TSS_FreeTPMBuffer(serPCRSelection); return ret; } serPCRSelectionSize = ret; if (keyauth != NULL) { /* Open OSAP Session */ ret = TSS_SessionOpen(SESSION_OSAP|SESSION_DSAP,&sess,keyauth,keytype,keyhandle); if (ret != 0) { TSS_FreeTPMBuffer(serPCRSelection); return ret; } /* generate odd nonce */ TSS_gennonce(nonceodd); /* move Network byte order data to variables for hmac calculation */ /* calculate authorization HMAC value */ ret = TSS_authhmac(pubauth,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE,TSS_Session_GetENonce(&sess),nonceodd,c, TPM_U32_SIZE,&ordinal_no, TPM_HASH_SIZE,antiReplay, serPCRSelectionSize, serPCRSelection->buffer, sizeof(TPM_BOOL), &addVersion, 0,0); if (ret != 0) { TSS_FreeTPMBuffer(serPCRSelection); TSS_SessionClose(&sess); return ret; } /* build the request buffer */ ret = TSS_buildbuff("00 C2 T l l % % o L % o %",&tpmdata, ordinal_no, keyhndl, TPM_HASH_SIZE,antiReplay, serPCRSelectionSize,serPCRSelection->buffer, addVersion, TSS_Session_GetHandle(&sess), TPM_NONCE_SIZE,nonceodd, c, TPM_HASH_SIZE,pubauth); TSS_FreeTPMBuffer(serPCRSelection); if ((ret & ERR_MASK) != 0) { TSS_SessionClose(&sess); return ret; } /* transmit the request buffer to the TPM device and read the reply */ ret = TPM_Transmit(&tpmdata,"Quote2 - AUTH1"); TSS_SessionClose(&sess); if (ret != 0) { return ret; } } else { /* build the request buffer */ ret = TSS_buildbuff("00 C1 T l l % % o",&tpmdata, ordinal_no, keyhndl, TPM_HASH_SIZE,antiReplay, serPCRSelectionSize,serPCRSelection->buffer, addVersion); TSS_FreeTPMBuffer(serPCRSelection); if ((ret & ERR_MASK) != 0) { TSS_SessionClose(&sess); return ret; } /* transmit the request buffer to the TPM device and read the reply */ ret = TPM_Transmit(&tpmdata,"Quote2"); TSS_SessionClose(&sess); if (ret != 0) { return ret; } } /* calculate the size of the returned Blob */ ret = tpm_buffer_load16(&tpmdata,TPM_DATA_OFFSET, &pcrselsize); if ((ret & ERR_MASK)) { return ret; } pcrselsize += TPM_U16_SIZE + 1 + TPM_HASH_SIZE; ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + pcrselsize, &verinfosize); if ((ret & ERR_MASK)) { return ret; } ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + pcrselsize + TPM_U32_SIZE + verinfosize, &sigsize); if ((ret & ERR_MASK)) { return ret; } storedsize = pcrselsize + TPM_U32_SIZE + verinfosize + TPM_U32_SIZE + sigsize; if (keyauth != NULL) { /* check the HMAC in the response */ ret = TSS_checkhmac1(&tpmdata,ordinal_no,nonceodd,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE, storedsize,TPM_DATA_OFFSET, 0,0); if (ret != 0) { return ret; } } /* copy the returned PCR composite to caller */ if (pcrselsize != (rc = TPM_ReadPCRInfoShort(&tpmdata, TPM_DATA_OFFSET, pcrinfo))) { if ((rc & ERR_MASK)) return rc; return ERR_BUFFER; } if (NULL != versionblob) { SET_TPM_BUFFER( versionblob, &tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE], verinfosize); } if (NULL != signature) { SET_TPM_BUFFER(signature, &tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE+verinfosize+TPM_U32_SIZE], sigsize); } return ret; }
int main(int argc, char * argv[]) { char * ownerpass = NULL; char * migpass = NULL; char * parpass = NULL; char * filename = NULL; char * migkeyfile = NULL; char * migkeypass = NULL; uint32_t parhandle = -1; /* handle of parent key */ unsigned char * passptr1 = NULL; unsigned char passhash1[20]; unsigned char hashpass1[20]; /* hash of new key password */ unsigned char hashpass3[20]; /* hash of parent key password */ unsigned char hashpass4[20]; /* hash of migration key pwd */ uint32_t ret = 0; int i = 0; keydata keyparms; keydata idkey; unsigned char *aptr1 = NULL; unsigned char *aptr3 = NULL; unsigned char *aptr4 = NULL; keydata migkey; uint16_t migscheme = TPM_MS_RESTRICT_MIGRATE; uint32_t sigTicketSize = 0; char * msa_list_filename = NULL; TPM_MSA_COMPOSITE msaList = {0, NULL}; char * keyfile = NULL; keydata q; uint32_t sigkeyhandle = -1; char * sigkeypass = NULL; unsigned char sigkeypasshash[TPM_HASH_SIZE]; unsigned char * sigkeypassptr = NULL; unsigned char sigTicket[TPM_HASH_SIZE]; TPM_CMK_AUTH restrictTicket; TPM_CMK_AUTH *restrictTicketParameter; /* parameter to command function call */ unsigned char resTicketHash[TPM_HASH_SIZE]; memset(&keyparms, 0x0, sizeof(keyparms)); memset(&idkey , 0x0, sizeof(idkey)); memset(&restrictTicket, 0x0, sizeof(restrictTicket)); i = 1; TPM_setlog(0); while (i < argc) { if (!strcmp("-hp",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&parhandle); } else { printf("Missing parameter for -hp.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdp",argv[i])) { i++; if (i < argc) { parpass = argv[i]; } else { printf("Missing parameter for -pwdp.\n"); usage(); exit(-1); } } else if (!strcmp("-ok",argv[i])) { i++; if (i < argc) { filename = argv[i]; } else { printf("Missing parameter for -ok.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdo",argv[i])) { i++; if (i < argc) { ownerpass = argv[i]; } else { printf("Missing parameter for -pwdo.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdm",argv[i])) { i++; if (i < argc) { migpass = argv[i]; } else { printf("Missing parameter for -pwdm.\n"); usage(); exit(-1); } } else if (!strcmp("-msa",argv[i])) { i++; if (i < argc) { msa_list_filename = argv[i]; } else { printf("Missing parameter for -msa.\n"); usage(); exit(-1); } } else if (!strcmp("-ik",argv[i])) { i++; if (i < argc) { keyfile = argv[i]; } else { printf("Missing parameter for -ik.\n"); usage(); exit(-1); } } else if (!strcmp("-im",argv[i])) { i++; if (i < argc) { migkeyfile = argv[i]; } else { printf("Missing parameter for -im.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdk",argv[i])) { i++; if (i < argc) { migkeypass = argv[i]; } else { printf("Missing parameter for -pwdk.\n"); usage(); exit(-1); } } else if (!strcmp("-v",argv[i])) { TPM_setlog(1); } else if (!strcmp("-hs",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&sigkeyhandle); } else { printf("Missing mandatory parameter for -hs.\n"); usage(); exit(-1); } } else if (!strcmp("-pwds",argv[i])) { i++; if (i < argc) { sigkeypass = argv[i]; } else { printf("Missing mandatory parameter for -pwds.\n"); usage(); exit(-1); } } else if (!strcmp("-double",argv[i])) { migscheme = TPM_MS_RESTRICT_APPROVE; } else { printf("Unknown option '%s'.",argv[i]); usage(); exit(-1); } i++; } if (NULL == keyfile || NULL == ownerpass || -1 == (int)parhandle || NULL == migkeyfile || NULL == msa_list_filename) { printf("Missing or wrong parameter.\n"); usage(); exit(-1); } if (TPM_MS_RESTRICT_APPROVE == migscheme) { if (-1 == (int)sigkeyhandle) { printf("Must provide signing key data when '-double' has been selected.\n"); exit(-1); } } if (NULL != ownerpass) { TSS_sha1(ownerpass,strlen(ownerpass),passhash1); passptr1 = passhash1; } else { passptr1 = NULL; } if (NULL !=sigkeypass) { TSS_sha1(sigkeypass, strlen(sigkeypass), sigkeypasshash); sigkeypassptr = sigkeypasshash; } else { sigkeypassptr = NULL; } /* ** use the SHA1 hash of the password string as the Parent Key Authorization Data */ if (parpass != NULL) { TSS_sha1(parpass,strlen(parpass),hashpass1); aptr1 = hashpass1; } /* ** use the SHA1 hash of the password string as the Key Migration Authorization Data */ if (migpass != NULL) { TSS_sha1(migpass,strlen(migpass),hashpass3); aptr3 = hashpass3; } /* ** use the SHA1 hash of the password string as the Key Migration Authorization Data */ if (migkeypass != NULL) { TSS_sha1(migkeypass,strlen(migkeypass),hashpass4); aptr4 = hashpass4; } /* * * - Create an RSA key pair. * - Call TPM_AuthorizeMigrationKey for the RSA public key authorization * - Call TPM_CreateMigrationBlob with the result from AuthorizeMigrationKey * and the encrypted TPM_STORE_ASYMKEY structure * */ /* * readthe msa list from the file. */ ret = TPM_ReadMSAFile(msa_list_filename, &msaList); if ( ( ret & ERR_MASK ) != 0) { printf("Error while reading msa list file.\n"); exit(-1); } /* ** create and wrap an asymmetric key and get back the ** resulting keydata structure with the public and encrypted ** private keys filled in by the TPM */ /* * q is the key that we want to migrate. Create one such key. * migkey is the (public) key part from another TPM that we want to use * to migrate q. Since I am not loading a public key from another TPM, * I create a migration key here as well. I must never refer to this * key via any handle or load it into the TPM */ printf("Loading the (public) key to use for migration...\n"); if (0 == ret) { printf("Migration key is: %s\n",migkeyfile); ret = TPM_ReadKeyfile(migkeyfile, &migkey); if ((ret & ERR_MASK)) { ret = TPM_ReadPubKeyfile(migkeyfile, &migkey.pub); if ((ret & ERR_MASK)) { printf("Could not read the keyfile %s as a " "key or a pubkey.\n", migkeyfile); exit(-1); } } ret = TPM_ReadKeyfile(keyfile, &q); if ((ret & ERR_MASK)) { printf("Could not read the keyfile %s.\n", keyfile); } } /* * Create a ticket if needed. */ if (migscheme == TPM_MS_RESTRICT_APPROVE) { keydata signingkey; unsigned char signatureValue[2048]; uint32_t signatureValueSize = sizeof(signatureValue); STACK_TPM_BUFFER(sigkey) /* * Get the public key part of the signing key. */ ret = TPM_GetPubKey(sigkeyhandle, sigkeypassptr, &signingkey.pub); if ( 0 != ret ) { printf("Error %s while retrieving public signing key.\n", TPM_GetErrMsg(ret)); exit(-1); } /* * Build the restrictTicket!!! */ restrictTicketParameter = &restrictTicket; /* command needs restrictTicket */ ret = TPM_HashPubKey(&q, restrictTicket.sourceKeyDigest); if ( ( ret & ERR_MASK ) != 0) { printf("Could not calculate hash over the public key of the key to be migrated.\n"); exit(ret); } ret = TPM_HashPubKey(&migkey, restrictTicket.destinationKeyDigest); if ( ( ret & ERR_MASK ) != 0) { printf("Could not calculate hash over the public key of the migration key.\n"); exit(ret); } ret = TPM_HashCMKAuth(&restrictTicket, resTicketHash); ret = TPM_Sign(sigkeyhandle, sigkeypassptr, resTicketHash, sizeof(resTicketHash), signatureValue, &signatureValueSize); if ( 0 != ret) { printf("Error %s while sigining.\n", TPM_GetErrMsg(ret)); exit(ret); } ret = TPM_CMK_CreateTicket(&signingkey, resTicketHash, signatureValue, signatureValueSize, passptr1, sigTicket); sigTicketSize = TPM_DIGEST_SIZE; } else { /* TPM_MS_RESTRICT_MIGRATE */ restrictTicketParameter = NULL; /* command does not need restrictTicket */ } if (0 == ret) { if (0 == ret) { STACK_TPM_BUFFER( keyblob) STACK_TPM_BUFFER( migblob); keydata keyd; memset(&keyd, 0x0, sizeof(keyd)); ret = TPM_WriteKeyPub(&keyblob, &migkey); if ((ret & ERR_MASK) != 0) { printf("Could not serialize the keydata: %s\n", TPM_GetErrMsg(ret)); exit(-1); } ret = TPM_AuthorizeMigrationKey(passptr1, migscheme, // migration scheme &keyblob, // public key to be authorized &migblob); if (0 == ret) { unsigned char rndblob[1024]; uint32_t rndblen = sizeof(rndblob); unsigned char outblob[1024]; uint32_t outblen = sizeof(outblob); unsigned char sourceKeyDigest[TPM_DIGEST_SIZE]; unsigned char encblob[1024]; uint32_t encblen; memcpy(encblob, q.encData.buffer, q.encData.size); encblen = q.encData.size; if (0!= ret) { printf("Error occurred while creating encrypted blob.\n"); exit (-1); } TPM_HashPubKey(&q,sourceKeyDigest); printf("parhandle = %x\n",parhandle); /* * Now call the TPM_CreateMigrationBlob function. */ ret = TPM_CMK_CreateBlob(parhandle, // handle of a key that can decrypt the encblob below aptr1, // password for that parent key migscheme, &migblob, sourceKeyDigest, &msaList, restrictTicketParameter, /* either NULL or restrictTicket */ sigTicket, sigTicketSize, encblob, encblen, // encrypted private key that will show up re-encrypted in outblob rndblob, &rndblen, // output: used for xor encryption outblob, &outblen);// output: re-encrypted private key if (0 == ret) { if (NULL != filename) { STACK_TPM_BUFFER(keybuf) // serialize the key in 'q' ret = TPM_WriteKey(&keybuf,&q); if (ret > 0) { unsigned int keybuflen = ret; FILE * f = fopen(filename,"wb"); if (NULL != f) { struct tpm_buffer * filebuf = TSS_AllocTPMBuffer(10240); if (NULL != filebuf) { int l; l = TSS_buildbuff("@ @ @",filebuf, rndblen, rndblob, outblen, outblob, keybuflen, keybuf.buffer); fwrite(filebuf->buffer, l, 1, f); fclose(f); TSS_FreeTPMBuffer(filebuf); printf("Wrote migration blob and associated data to file.\n"); ret = 0; } else { printf("Error. Could not allocate memory.\n"); ret = -1; } } else { printf("Error. Could not write blob to file.\n"); ret = -1; } } else { printf("Error while serializing key!\n"); } } else { } } else { printf("CMK_CreateBlob returned '%s' (%d).\n", TPM_GetErrMsg(ret), ret); } } else { printf("AuthorizeMigrationKey returned '%s' (0x%x).\n", TPM_GetErrMsg(ret), ret); } } else { } } else { } return ret; }
int main(int argc, char * argv[]) { char * migrationkeyfile = NULL; char * filename = NULL; char * migrationKeyPassword = NULL; unsigned char migrationkeyUsageAuth[TPM_DIGEST_SIZE]; unsigned char * passptr = NULL; uint32_t ret = 0; int i = 0; keydata migrationkey; int verbose = FALSE; uint32_t migrationkeyhandle = 0; unsigned char * buffer = NULL; uint32_t bufferSize = 0; i = 1; TPM_setlog(0); while (i < argc) { if (!strcmp("-if",argv[i])) { i++; if (i < argc) { filename = argv[i]; } else { printf("Missing parameter for -if.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdm",argv[i])) { i++; if (i < argc) { migrationKeyPassword = argv[i]; } else { printf("Missing parameter for -pwdm.\n"); usage(); exit(-1); } } else if (!strcmp("-hm",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&migrationkeyhandle); } else { printf("Missing parameter for -hm.\n"); usage(); exit(-1); } } else if (!strcmp("-ik",argv[i])) { i++; if (i < argc) { migrationkeyfile = argv[i]; } else { printf("Missing parameter for -ik.\n"); usage(); exit(-1); } } else if (!strcmp("-v",argv[i])) { verbose = TRUE; TPM_setlog(1); } else if (!strcmp("-h",argv[i])) { usage(); exit(-1); } else { printf("\n%s is not a valid option\n", argv[i]); usage(); exit(-1); } i++; } if (NULL == migrationkeyfile || NULL == filename || -1 == (int)migrationkeyhandle) { printf("Missing or wrong parameter.\n"); usage(); exit(-1); } if (NULL != migrationKeyPassword) { TSS_sha1(migrationKeyPassword, strlen(migrationKeyPassword), migrationkeyUsageAuth); passptr = migrationkeyUsageAuth; } /* * load the key to be migrated from a file. */ ret = 0; buffer = readFile(filename, &bufferSize); if (NULL != buffer) { unsigned int offset = 0; unsigned char * encblob = NULL; uint32_t encsize = 0; unsigned char * rndblob = NULL; uint32_t rndsize = 0; uint32_t keysize = 0; unsigned char * keyblob = NULL; keydata tobemigkey; STACK_TPM_BUFFER(tb) rndsize = LOAD32(buffer,offset); offset += 4; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } rndblob = &buffer[offset]; offset += rndsize; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } encsize = LOAD32(buffer,offset); offset += 4; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } encblob = &buffer[offset]; offset += encsize; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } keysize = LOAD32(buffer,offset); offset += 4; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } keyblob = &buffer[offset]; offset += keysize; if (offset != bufferSize) { printf("Bad input file. Exiting"); return -1; } SET_TPM_BUFFER(&tb, keyblob, keysize); TSS_KeyExtract(&tb,0,&tobemigkey); /* * load the migration key from the destination * TPM from a file. Need the public key part of * that key. */ ret = loadKey(migrationkeyfile, &migrationkey); if (0 == ret) { STACK_TPM_BUFFER(keyblob) uint32_t keyblen = 0; unsigned char * reencData = malloc(encsize); uint32_t reencDataSize = encsize; if (NULL == encblob || NULL == reencData) { printf("Could not get memory for encryted private key blob.\n"); exit (-1); } ret = TPM_WriteKeyPub(&keyblob, &migrationkey); if (ret & ERR_MASK) { printf("Could not serialize the keydata!\n"); free(reencData); exit(-1); } keyblen = ret; ret = TPM_MigrateKey(migrationkeyhandle, passptr, keyblob.buffer, keyblen, encblob, encsize, reencData, &reencDataSize); if (0 == ret) { STACK_TPM_BUFFER(keybuf) // serialize the key to be migrated ret = TPM_WriteKey(&keybuf,&tobemigkey); if (ret > 0) { unsigned int keybuflen = ret; FILE * f = fopen(filename,"wb"); if (NULL != f) { struct tpm_buffer *filebuf = TSS_AllocTPMBuffer(10240); if (NULL != filebuf) { int l; l = TSS_buildbuff("@ @ @",filebuf, rndsize, rndblob, reencDataSize, reencData, keybuflen, keybuf.buffer); fwrite(filebuf->buffer, l, 1, f); fclose(f); printf("Wrote migration blob and associated data to file.\n"); ret = 0; TSS_FreeTPMBuffer(filebuf); } else { printf("Error. Could not allocate memory.\n"); ret = -1; } } } } else { printf("MigrateKey returned '%s' (0x%x).\n", TPM_GetErrMsg(ret), ret); } free(reencData); } else { printf("Error. Could not load the migration key."); } } else { printf("Error. Could not load the blob from file '%s'.\n", filename); } return ret; }