int load_tpm_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig)
{
static const TSS_UUID SRK_UUID = TSS_UUID_SRK;
gnutls_datum_t asn1;
unsigned int tss_len;
char *pass;
int ofs, err;
err = gnutls_pem_base64_decode_alloc("TSS KEY BLOB", fdata, &asn1);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Error decoding TSS key blob: %s\n"),
gnutls_strerror(err));
return -EINVAL;
}
/* Ick. We have to parse the ASN1 OCTET_STRING for ourselves. */
if (asn1.size < 2 || asn1.data[0] != 0x04 /* OCTET_STRING */) {
vpn_progress(vpninfo, PRG_ERR,
_("Error in TSS key blob\n"));
goto out_blob;
}
tss_len = asn1.data[1];
ofs = 2;
if (tss_len & 0x80) {
int lenlen = tss_len & 0x7f;
if (asn1.size < 2 + lenlen || lenlen > 3) {
vpn_progress(vpninfo, PRG_ERR,
_("Error in TSS key blob\n"));
goto out_blob;
}
tss_len = 0;
while (lenlen) {
tss_len <<= 8;
tss_len |= asn1.data[ofs++];
lenlen--;
}
}
if (tss_len + ofs != asn1.size) {
vpn_progress(vpninfo, PRG_ERR,
_("Error in TSS key blob\n"));
goto out_blob;
}
err = Tspi_Context_Create(&vpninfo->tpm_context);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to create TPM context: %s\n"),
Trspi_Error_String(err));
goto out_blob;
}
err = Tspi_Context_Connect(vpninfo->tpm_context, NULL);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to connect TPM context: %s\n"),
Trspi_Error_String(err));
goto out_context;
}
err = Tspi_Context_LoadKeyByUUID(vpninfo->tpm_context, TSS_PS_TYPE_SYSTEM,
SRK_UUID, &vpninfo->srk);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to load TPM SRK key: %s\n"),
Trspi_Error_String(err));
goto out_context;
}
err = Tspi_GetPolicyObject(vpninfo->srk, TSS_POLICY_USAGE, &vpninfo->srk_policy);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to load TPM SRK policy object: %s\n"),
Trspi_Error_String(err));
goto out_srk;
}
pass = vpninfo->cert_password;
vpninfo->cert_password = NULL;
while (1) {
static const char nullpass[20];
/* We don't seem to get the error here... */
if (pass)
err = Tspi_Policy_SetSecret(vpninfo->srk_policy,
TSS_SECRET_MODE_PLAIN,
strlen(pass), (BYTE *)pass);
else /* Well-known NULL key */
err = Tspi_Policy_SetSecret(vpninfo->srk_policy,
TSS_SECRET_MODE_SHA1,
sizeof(nullpass), (BYTE *)nullpass);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set TPM PIN: %s\n"),
Trspi_Error_String(err));
goto out_srkpol;
}
free(pass);
/* ... we get it here instead. */
err = Tspi_Context_LoadKeyByBlob(vpninfo->tpm_context, vpninfo->srk,
tss_len, asn1.data + ofs,
&vpninfo->tpm_key);
if (!err)
break;
if (pass)
vpn_progress(vpninfo, PRG_ERR,
_("Failed to load TPM key blob: %s\n"),
Trspi_Error_String(err));
if (err != TPM_E_AUTHFAIL)
goto out_srkpol;
err = request_passphrase(vpninfo, "openconnect_tpm_srk",
&pass, _("Enter TPM SRK PIN:"));
if (err)
goto out_srkpol;
}
#ifdef HAVE_GNUTLS_CERTIFICATE_SET_KEY
gnutls_privkey_init(pkey);
/* This would be nicer if there was a destructor callback. I could
allocate a data structure with the TPM handles and the vpninfo
pointer, and destroy that properly when the key is destroyed. */
gnutls_privkey_import_ext(*pkey, GNUTLS_PK_RSA, vpninfo, tpm_sign_fn, NULL, 0);
#else
*pkey = OPENCONNECT_TPM_PKEY;
#endif
retry_sign:
err = sign_dummy_data(vpninfo, *pkey, fdata, pkey_sig);
if (err == GNUTLS_E_INSUFFICIENT_CREDENTIALS) {
if (!vpninfo->tpm_key_policy) {
err = Tspi_Context_CreateObject(vpninfo->tpm_context,
TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE,
&vpninfo->tpm_key_policy);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to create key policy object: %s\n"),
Trspi_Error_String(err));
goto out_key;
}
err = Tspi_Policy_AssignToObject(vpninfo->tpm_key_policy,
vpninfo->tpm_key);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to assign policy to key: %s\n"),
Trspi_Error_String(err));
goto out_key_policy;
}
}
err = request_passphrase(vpninfo, "openconnect_tpm_key",
&pass, _("Enter TPM key PIN:"));
if (err)
goto out_key_policy;
err = Tspi_Policy_SetSecret(vpninfo->tpm_key_policy,
TSS_SECRET_MODE_PLAIN,
strlen(pass), (void *)pass);
free (pass);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set key PIN: %s\n"),
Trspi_Error_String(err));
goto out_key_policy;
}
goto retry_sign;
}
free (asn1.data);
return 0;
out_key_policy:
Tspi_Context_CloseObject(vpninfo->tpm_context, vpninfo->tpm_key_policy);
vpninfo->tpm_key_policy = 0;
out_key:
Tspi_Context_CloseObject(vpninfo->tpm_context, vpninfo->tpm_key);
vpninfo->tpm_key = 0;
out_srkpol:
Tspi_Context_CloseObject(vpninfo->tpm_context, vpninfo->srk_policy);
vpninfo->srk_policy = 0;
out_srk:
Tspi_Context_CloseObject(vpninfo->tpm_context, vpninfo->srk);
vpninfo->srk = 0;
out_context:
Tspi_Context_Close(vpninfo->tpm_context);
vpninfo->tpm_context = 0;
out_blob:
free (asn1.data);
return -EIO;
}
int
main_v1_1( void )
{
char *function = "Tspi_Context_LoadKeyByBlob04";
TSS_HCONTEXT hContext;
TSS_HKEY hSRK, hSigningKey, hBindingKey;
TSS_HPOLICY hPolicy;
TSS_RESULT result;
UINT32 exitCode, attrib;
TSS_FLAG initFlags;
BYTE *signBlob, *bindBlob;
UINT32 signBlobLen, bindBlobLen;
print_begin_test( function );
// Create Context
if ((result = connect_load_srk(&hContext, &hSRK))) {
print_error( "connect_load_srk", result );
exit( result );
}
// create a no-auth, signing key
initFlags = TSS_KEY_TYPE_SIGNING | TSS_KEY_SIZE_2048 |
TSS_KEY_NO_AUTHORIZATION;
if ((result = create_load_key(hContext, initFlags, hSRK, &hSigningKey))) {
print_error( "create_load_key(Signing Key)", result );
Tspi_Context_Close( hContext );
exit( result );
}
print_success("Signing key created successfully", TSS_SUCCESS);
// get blob
result = Tspi_GetAttribData( hSigningKey, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_BLOB,
&signBlobLen, &signBlob );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_GetAttribData", result );
Tspi_Context_Close( hContext );
exit( result );
}
// create a auth, binding key
initFlags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 |
TSS_KEY_AUTHORIZATION;
if ((result = create_load_key(hContext, initFlags, hSRK, &hBindingKey))) {
print_error( "create_load_key(Binding Key)", result );
Tspi_Context_Close( hContext );
exit( result );
}
print_success("Binding key created successfully", TSS_SUCCESS);
// get blob
result = Tspi_GetAttribData( hBindingKey, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_BLOB,
&bindBlobLen, &bindBlob );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_GetAttribData", result );
Tspi_Context_Close( hContext );
exit( result );
}
// verify attribs before we close the context
if ((result = verify_sign_attribs(hSigningKey))) {
print_error( "verify_sign_attribs", result );
Tspi_Context_Close( hContext );
exit( result );
}
// verify attribs before we close the context
if ((result = verify_bind_attribs(hBindingKey))) {
print_error( "verify_bind_attribs", result );
Tspi_Context_Close( hContext );
exit( result );
}
// close context, to get rid of all context state
if ((result = Tspi_Context_Close(hContext))) {
print_error( "Tspi_Context_Close", result );
exit( result );
}
// re-connect
if ((result = connect_load_srk(&hContext, &hSRK))) {
print_error( "connect_load_srk", result );
Tspi_Context_Close( hContext );
exit( result );
}
// Load both Keys by blob
if ((result = Tspi_Context_LoadKeyByBlob( hContext, hSRK,
signBlobLen,
signBlob,
&hSigningKey ))) {
print_error( "Tspi_Context_LoadKeyByBlob", result );
Tspi_Context_Close( hContext );
exit( result );
}
if ((result = Tspi_Context_LoadKeyByBlob( hContext, hSRK,
bindBlobLen,
bindBlob,
&hBindingKey ))) {
print_error( "Tspi_Context_LoadKeyByBlob", result );
Tspi_Context_Close( hContext );
exit( result );
}
// verify attribs after we've re-loaded by blob
if ((result = verify_sign_attribs(hSigningKey))) {
print_error( "verify_sign_attribs", result );
Tspi_Context_Close( hContext );
exit( result );
}
// verify attribs after we've re-loaded by blob
if ((result = verify_bind_attribs(hBindingKey))) {
print_error( "verify_bind_attribs", result );
Tspi_Context_Close( hContext );
exit( result );
}
// Do a sign/verify test
if ((result = sign_and_verify(hContext, hSigningKey))) {
print_error( "sign_and_verify", result );
Tspi_Context_Close( hContext );
exit( result );
}
// Do a bind/unbind test
result = bind_and_unbind(hContext, hBindingKey);
if (TSS_ERROR_CODE(result) != TSS_E_POLICY_NO_SECRET) {
print_verifyerr("bind and unbind", TSS_E_POLICY_NO_SECRET, result);
print_error( function, result );
Tspi_Context_Close( hContext );
exit( result );
}
// set up policies
if ((result = set_secret(hContext, hBindingKey, &hPolicy))) {
print_error("set_secret", result);
Tspi_Context_Close( hContext );
exit( result );
}
if ((result = bind_and_unbind(hContext, hBindingKey))) {
print_error( "bind_and_unbind", result );
Tspi_Context_Close( hContext );
exit( result );
}
exitCode = 0;
print_success(function, TSS_SUCCESS);
print_end_test( function );
Tspi_Context_Close( hContext );
exit( exitCode );
}
int
main_v1_1( void )
{
char *function = "Tspi_Context_LoadKeyByBlob03";
TSS_HCONTEXT hContext;
TSS_HKEY hSRK;
TSS_HKEY hMSigningKey;
BYTE* migratableSignKeyBlob;
UINT32 blobLength;
TSS_RESULT result;
TSS_HPOLICY srkUsagePolicy;
UINT32 exitCode = 0;
print_begin_test( function );
// Create Context
result = Tspi_Context_Create( &hContext );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_Context_Create", result );
exit( result );
}
// Connect to Context
result = Tspi_Context_Connect( hContext, get_server(GLOBALSERVER) );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_Context_Connect", result );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( result );
}
//Load Key By UUID
result = Tspi_Context_LoadKeyByUUID( hContext, TSS_PS_TYPE_SYSTEM,
SRK_UUID, &hSRK );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_Context_LoadKeyByUUID (hSRK)", result );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( result );
}
#ifndef TESTSUITE_NOAUTH_SRK
//Get Policy Object
result = Tspi_GetPolicyObject( hSRK, TSS_POLICY_USAGE,
&srkUsagePolicy );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_GetPolicyObject", result );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( result );
}
//Set Secret
result = Tspi_Policy_SetSecret( srkUsagePolicy, TESTSUITE_SRK_SECRET_MODE,
TESTSUITE_SRK_SECRET_LEN, TESTSUITE_SRK_SECRET );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_Policy_SetSecret (1)", result );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( result );
}
#endif
//Create Signing Key
result = Tspi_Context_CreateObject( hContext, TSS_OBJECT_TYPE_RSAKEY,
TSS_KEY_SIZE_2048 |
TSS_KEY_TYPE_SIGNING,
&hMSigningKey );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_CreateObject (signing key)", result );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( result );
}
result = Tspi_Key_CreateKey( hMSigningKey, hSRK, 0 );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_Key_CreateKey (Signing Key)", result );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( result );
}
// get blob
result = Tspi_GetAttribData( hMSigningKey, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_BLOB,
&blobLength, &migratableSignKeyBlob );
if ( result != TSS_SUCCESS )
{
print_error( "Tspi_GetAttribData", result );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( result );
}
//Load Key Blob
result = Tspi_Context_LoadKeyByBlob( hContext, hSRK,
blobLength,
NULL,
&hMSigningKey );
if ( TSS_ERROR_CODE(result) != TSS_E_BAD_PARAMETER )
{
if( !(checkNonAPI(result)) )
{
print_error( function, result );
exitCode = result;
}
else
{
print_error_nonapi( function, result );
exitCode = result;
}
}
else
{
print_success( function, result );
}
print_end_test( function );
Tspi_Context_FreeMemory( hContext, NULL );
Tspi_Context_Close( hContext );
exit( exitCode );
}
static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const char *key_id,
UI_METHOD *ui, void *cb_data)
{
ASN1_OCTET_STRING *blobstr;
TSS_HKEY hKey;
TSS_RESULT result;
UINT32 authusage;
RSA *rsa;
EVP_PKEY *pkey;
BIO *bf;
DBG("%s", __FUNCTION__);
if (!key_id) {
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
if (!tpm_load_srk(ui, cb_data)) {
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, TPM_R_SRK_LOAD_FAILED);
return NULL;
}
if ((bf = BIO_new_file(key_id, "r")) == NULL) {
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
TPM_R_FILE_NOT_FOUND);
return NULL;
}
blobstr = PEM_ASN1_read_bio((void *)d2i_ASN1_OCTET_STRING,
"TSS KEY BLOB", bf, NULL, NULL, NULL);
if (!blobstr) {
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
TPM_R_FILE_READ_FAILED);
BIO_free(bf);
return NULL;
}
BIO_free(bf);
DBG("Loading blob of size: %d", blobstr->length);
if ((result = Tspi_Context_LoadKeyByBlob(hContext, hSRK,
blobstr->length,
blobstr->data, &hKey))) {
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
TPM_R_REQUEST_FAILED);
return NULL;
}
ASN1_OCTET_STRING_free(blobstr);
if ((result = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_AUTHUSAGE,
&authusage))) {
Tspi_Context_CloseObject(hContext, hKey);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
TPM_R_REQUEST_FAILED);
return NULL;
}
if (authusage) {
TSS_HPOLICY hPolicy;
BYTE *auth;
if ((auth = calloc(1, 128)) == NULL) {
Tspi_Context_CloseObject(hContext, hKey);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ERR_R_MALLOC_FAILURE);
return NULL;
}
if (!tpm_engine_get_auth(ui, (char *)auth, 128,
"TPM Key Password: ",
cb_data)) {
Tspi_Context_CloseObject(hContext, hKey);
free(auth);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, TPM_R_REQUEST_FAILED);
return NULL;
}
if ((result = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE,
&hPolicy))) {
Tspi_Context_CloseObject(hContext, hKey);
free(auth);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, TPM_R_REQUEST_FAILED);
return 0;
}
if ((result = Tspi_Policy_AssignToObject(hPolicy, hKey))) {
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_CloseObject(hContext, hPolicy);
free(auth);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, TPM_R_REQUEST_FAILED);
return 0;
}
if ((result = Tspi_Policy_SetSecret(hPolicy,
TSS_SECRET_MODE_PLAIN,
strlen((char *)auth), auth))) {
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_CloseObject(hContext, hPolicy);
free(auth);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, TPM_R_REQUEST_FAILED);
return 0;
}
free(auth);
}
/* create the new objects to return */
if ((pkey = EVP_PKEY_new()) == NULL) {
Tspi_Context_CloseObject(hContext, hKey);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ERR_R_MALLOC_FAILURE);
return NULL;
}
pkey->type = EVP_PKEY_RSA;
if ((rsa = RSA_new()) == NULL) {
EVP_PKEY_free(pkey);
Tspi_Context_CloseObject(hContext, hKey);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ERR_R_MALLOC_FAILURE);
return NULL;
}
rsa->meth = &tpm_rsa;
/* call our local init function here */
rsa->meth->init(rsa);
pkey->pkey.rsa = rsa;
if (!fill_out_rsa_object(rsa, hKey)) {
EVP_PKEY_free(pkey);
RSA_free(rsa);
Tspi_Context_CloseObject(hContext, hKey);
TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, TPM_R_REQUEST_FAILED);
return NULL;
}
EVP_PKEY_assign_RSA(pkey, rsa);
return pkey;
}
static int load_key(TSS_HCONTEXT tpm_ctx, TSS_HKEY srk,
const gnutls_datum_t * fdata,
gnutls_tpmkey_fmt_t format, TSS_HKEY * tpm_key)
{
int ret, err;
gnutls_datum_t asn1 = { NULL, 0 };
if (format == GNUTLS_TPMKEY_FMT_CTK_PEM) {
gnutls_datum_t td;
ret =
gnutls_pem_base64_decode_alloc("TSS KEY BLOB", fdata,
&asn1);
if (ret) {
gnutls_assert();
_gnutls_debug_log
("Error decoding TSS key blob: %s\n",
gnutls_strerror(ret));
return ret;
}
ret =
_gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING,
asn1.data, asn1.size, &td);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
gnutls_free(asn1.data);
asn1.data = td.data;
asn1.size = td.size;
} else { /* DER */
UINT32 tint2;
UINT32 type;
asn1.size = fdata->size;
asn1.data = gnutls_malloc(asn1.size);
if (asn1.data == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
tint2 = asn1.size;
err =
Tspi_DecodeBER_TssBlob(fdata->size, fdata->data, &type,
&tint2, asn1.data);
if (err != 0) {
gnutls_assert();
ret = tss_err(err);
goto cleanup;
}
asn1.size = tint2;
}
/* ... we get it here instead. */
err = Tspi_Context_LoadKeyByBlob(tpm_ctx, srk,
asn1.size, asn1.data, tpm_key);
if (err != 0) {
gnutls_assert();
ret = tss_err(err);
goto cleanup;
}
ret = 0;
cleanup:
gnutls_free(asn1.data);
return ret;
}
int
main (int ac, char **av)
{
TSS_HCONTEXT hContext;
TSS_HTPM hTPM;
TSS_HKEY hSRK;
TSS_HKEY hAIK;
TSS_HPOLICY hTPMPolicy;
TSS_HPOLICY hSrkPolicy;
TSS_HPOLICY hAIKPolicy;
TSS_UUID SRK_UUID = TSS_UUID_SRK;
BYTE srkSecret[] = TSS_WELL_KNOWN_SECRET;
FILE *f_in;
FILE *f_out;
char *pass = NULL;
BYTE *response;
UINT32 responseLen;
BYTE *buf;
UINT32 bufLen;
BYTE *asym;
UINT32 asymLen;
BYTE *sym;
UINT32 symLen;
int i;
int result;
if ((ac<2) || ((0==strcmp(av[1],"-p")) ? (ac!=6) : (ac!=4))) {
fprintf (stderr, "Usage: %s [-p password] aikblobfile challengefile outresponsefile\n", av[0]);
exit (1);
}
if (0 == strcmp(av[1], "-p")) {
pass = av[2];
for (i=3; i<ac; i++)
av[i-2] = av[i];
ac -= 2;
}
result = Tspi_Context_Create(&hContext); CKERR;
result = Tspi_Context_Connect(hContext, NULL); CKERR;
result = Tspi_Context_LoadKeyByUUID(hContext,
TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSRK); CKERR;
result = Tspi_GetPolicyObject (hSRK, TSS_POLICY_USAGE, &hSrkPolicy); CKERR;
result = Tspi_Policy_SetSecret(hSrkPolicy, TSS_SECRET_MODE_SHA1,
sizeof(srkSecret), srkSecret); CKERR;
result = Tspi_Context_GetTpmObject (hContext, &hTPM); CKERR;
result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE, &hTPMPolicy); CKERR;
result = Tspi_Policy_AssignToObject(hTPMPolicy, hTPM);
#ifdef OWNER_SECRET
result = Tspi_Policy_SetSecret (hTPMPolicy, TSS_SECRET_MODE_PLAIN,
strlen(OWNER_SECRET)+1, OWNER_SECRET); CKERR;
#else
result = Tspi_Policy_SetSecret (hTPMPolicy, TSS_SECRET_MODE_POPUP, 0, NULL); CKERR;
#endif
/* Read AIK blob */
if ((f_in = fopen(av[1], "rb")) == NULL) {
fprintf (stderr, "Unable to open file %s\n", av[1]);
exit (1);
}
fseek (f_in, 0, SEEK_END);
bufLen = ftell (f_in);
fseek (f_in, 0, SEEK_SET);
buf = malloc (bufLen);
if (fread(buf, 1, bufLen, f_in) != bufLen) {
fprintf (stderr, "Unable to readn file %s\n", av[1]);
exit (1);
}
fclose (f_in);
result = Tspi_Context_LoadKeyByBlob (hContext, hSRK, bufLen, buf, &hAIK); CKERR;
free (buf);
if (pass) {
result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE, &hAIKPolicy); CKERR;
result = Tspi_Policy_AssignToObject(hAIKPolicy, hAIK);
result = Tspi_Policy_SetSecret (hAIKPolicy, TSS_SECRET_MODE_PLAIN,
strlen(pass)+1, pass); CKERR;
}
/* Read challenge file */
if ((f_in = fopen(av[2], "rb")) == NULL) {
fprintf (stderr, "Unable to open file %s\n", av[2]);
exit (1);
}
fseek (f_in, 0, SEEK_END);
bufLen = ftell (f_in);
fseek (f_in, 0, SEEK_SET);
buf = malloc (bufLen);
if (fread(buf, 1, bufLen, f_in) != bufLen) {
fprintf (stderr, "Unable to readn file %s\n", av[2]);
exit (1);
}
fclose (f_in);
/* Parse challenge */
if (bufLen < 8)
goto badchal;
asymLen = ntohl(*(UINT32*)buf);
asym = buf + 4;
buf += asymLen + 4;
if (bufLen < asymLen+8)
goto badchal;
symLen = ntohl(*(UINT32*)buf);
if (bufLen != asymLen + symLen + 8)
goto badchal;
sym = buf + 4;
/* Decrypt challenge data */
#ifndef OWNER_SECRET
{
/* Work around a bug in Trousers 0.3.1 - remove this block when fixed */
/* Force POPUP to activate, it is being ignored */
BYTE *dummyblob1; UINT32 dummylen1;
if (Tspi_TPM_OwnerGetSRKPubKey(hTPM, &dummylen1, &dummyblob1)
== TSS_SUCCESS) {
Tspi_Context_FreeMemory (hContext, dummyblob1);
}
}
#endif
result = Tspi_TPM_ActivateIdentity (hTPM, hAIK, asymLen, asym,
symLen, sym,
&responseLen, &response); CKERR;
/* Output response file */
if ((f_out = fopen (av[3], "wb")) == NULL) {
fprintf (stderr, "Unable to create file %s\n", av[3]);
exit (1);
}
if (fwrite (response, 1, responseLen, f_out) != responseLen) {
fprintf (stderr, "Unable to write to file %s\n", av[3]);
exit (1);
}
fclose (f_out);
printf ("Success!\n");
return 0;
error:
fprintf (stderr, "Failure, error code: 0x%x\n", result);
return 1;
badchal:
fprintf (stderr, "Challenge file format is wrong\n");
return 1;
}
