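/*
 * Zero a buffer through a volatile pointer so the stores cannot be dropped
 * as dead writes when the object is about to go out of scope.
 */
static void wipe_buffer(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/*
 * Encrypt clearData in CFB mode with a key derived for this session.
 *
 * session       - session whose symmetric parameters select the algorithm
 *                 and whose state feeds the key derivation.
 * encryptedData - out: the ciphertext. Its size field is set to the buffer
 *                 capacity before the call, as the TPM2B output convention
 *                 in this code base requires.
 * clearData     - in: plaintext to encrypt.
 * authValue     - auth value fed into GenerateSessionEncryptDecryptKey.
 *
 * Returns TSS2_RC_SUCCESS or the first failing return code. A key loaded by
 * LoadSessionEncryptDecryptKey is flushed whether or not EncryptDecrypt
 * succeeds, so a failed encrypt does not leave a transient object behind,
 * and the derived key material is scrubbed from the stack before return.
 */
TSS2_RC EncryptCFB( SESSION *session, TPM2B_MAX_BUFFER *encryptedData,
                    TPM2B_MAX_BUFFER *clearData, TPM2B_AUTH *authValue )
{
    TSS2_RC rval = TSS2_RC_SUCCESS;
    TPM2B_MAX_BUFFER encryptKey;
    TPM2B_IV ivIn, ivOut;
    TPM_HANDLE keyHandle;
    TPM2B_NAME keyName;
    TSS2_SYS_CONTEXT *sysContext;

    // Password-session authorization for the EncryptDecrypt command.
    TPMS_AUTH_COMMAND sessionData;
    // Single-entry authorization area for the command.
    TPMS_AUTH_COMMAND *sessionDataArray[1] = { &sessionData };
    TSS2_SYS_CMD_AUTHS sessionsData = { 1, &sessionDataArray[0] };

    sysContext = InitSysContext( 1000, resMgrTctiContext, &abiVersion );
    if( sysContext == 0 )
    {
        // Nothing was created, so there is nothing to tear down.
        return TSS2_APP_RC_TEARDOWN_SYS_CONTEXT_FAILED;
    }

    rval = GenerateSessionEncryptDecryptKey( session, &encryptKey, &ivIn, authValue );
    if( rval == TSS2_RC_SUCCESS )
    {
        rval = LoadSessionEncryptDecryptKey( &session->symmetric, &encryptKey,
                                             &keyHandle, &keyName );
        if( rval == TSS2_RC_SUCCESS )
        {
            TSS2_RC flushRval;

            // Empty password session: the loaded key carries no auth value.
            sessionData.sessionHandle = TPM_RS_PW;
            sessionData.nonce.t.size = 0;
            *( (UINT8 *)((void *)&sessionData.sessionAttributes ) ) = 0;
            sessionData.hmac.t.size = 0;

            // TPM2B outputs carry their capacity in the size field on input.
            encryptedData->t.size = sizeof( *encryptedData ) - 1;
            ivOut.t.size = sizeof( ivOut ) - 2;

            rval = Tss2_Sys_EncryptDecrypt( sysContext, keyHandle, &sessionsData,
                                            NO, TPM_ALG_CFB, &ivIn, clearData,
                                            encryptedData, &ivOut, 0 );

            // Always release the transient key; report the first error.
            flushRval = Tss2_Sys_FlushContext( sysContext, keyHandle );
            if( rval == TSS2_RC_SUCCESS )
            {
                rval = flushRval;
            }
        }
        // The derived key lived on the stack; scrub it before returning.
        wipe_buffer( &encryptKey, sizeof( encryptKey ) );
    }

    TeardownSysContext( &sysContext );
    return rval;
}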
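/*
 * Load the activation key described by the file-scope inPublic (public part
 * only: no inPrivate is passed to LoadExternal), wrap inCredential for
 * objectName with TPM2_MakeCredential, and write the credential blob and
 * encrypted secret to outFilePath.
 *
 * Returns 0 on success, -1 if LoadExternal fails, -2 if MakeCredential
 * fails, -3 if the transient key cannot be flushed, -4 if the output file
 * cannot be written. The transient key is also flushed (best effort) on the
 * MakeCredential failure path so a failed run does not leave it loaded.
 */
int makeCredential()
{
    UINT32 rval;
    TPMS_AUTH_RESPONSE sessionDataOut;
    TSS2_SYS_RSP_AUTHS sessionsDataOut;
    TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
    // Output TPM2Bs: the size field holds the capacity (or 0) before the call.
    TPM2B_NAME nameExt = { { sizeof(TPM2B_NAME)-2, } };
    TPM2B_ID_OBJECT credentialBlob = { { 0 }, };
    // Zeroed like credentialBlob; it was previously left uninitialized.
    TPM2B_ENCRYPTED_SECRET secret = { { 0 }, };

    sessionDataOutArray[0] = &sessionDataOut;
    sessionsDataOut.rspAuths = &sessionDataOutArray[0];
    sessionsDataOut.rspAuthsCount = 1;

    // No command auths: the key is loaded into the NULL hierarchy.
    rval = Tss2_Sys_LoadExternal(sysContext, 0, NULL , &inPublic,TPM_RH_NULL,&handle2048rsa, &nameExt, &sessionsDataOut);
    if(rval != TPM_RC_SUCCESS)
    {
        printf("\n......LoadExternal failed. TPM Error:0x%x......\n", rval);
        return -1;
    }
    printf("LoadExternal succ.\n");

    rval = Tss2_Sys_MakeCredential(sysContext, handle2048rsa, 0, &inCredential, &objectName,&credentialBlob, &secret, &sessionsDataOut);
    if(rval != TPM_RC_SUCCESS)
    {
        printf("\n......MakeCredential failed. TPM Error:0x%x......\n", rval);
        // Best-effort release of the key we loaded; the MakeCredential error
        // is what gets reported.
        (void)Tss2_Sys_FlushContext(sysContext, handle2048rsa);
        return -2;
    }
    printf("MakeCredential succ.\n");

    rval = Tss2_Sys_FlushContext(sysContext, handle2048rsa);
    if( rval != TPM_RC_SUCCESS )
    {
        printf("\n......Flush loaded key failed. TPM Error:0x%x......\n", rval);
        return -3;
    }
    printf("Flush loaded key succ.\n");

    if(writeCrtSecToFile(outFilePath,&credentialBlob,&secret))
        return -4;

    printf("OutFile: %s completed!\n\n",outFilePath);
    return 0;
}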
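/*
 * Fill a TPM2B_AUTH from a command-line password.
 *
 * auth   - destination auth value; left untouched when passwd is empty.
 * passwd - NUL-terminated password text.
 * useHex - non-zero when passwd is hex text to be decoded by hex2ByteStructure;
 *          otherwise its raw bytes are copied.
 * label  - option name used in the error message.
 *
 * Returns 0 on success, -1 when the password does not fit the TPM2B buffer
 * or is not valid hex. The plain-text path is bounded: previously a password
 * longer than the buffer was memcpy'd into it and overran the stack.
 */
static int setAuthFromPassword(TPM2B_AUTH *auth, char *passwd, int useHex, const char *label)
{
    size_t len = strlen(passwd);

    if (len == 0) {
        return 0;
    }

    if (!useHex) {
        if (len > sizeof(auth->t.buffer)) {
            printf("Password for %s is too long (max %u bytes).\n",
                   label, (unsigned)sizeof(auth->t.buffer));
            return -1;
        }
        auth->t.size = (UINT16)len;
        memcpy(&auth->t.buffer[0], passwd, len);
        return 0;
    }

    // hex2ByteStructure takes the capacity in and returns the decoded length.
    auth->t.size = sizeof(*auth) - 2;
    if (hex2ByteStructure(passwd, &auth->t.size, auth->t.buffer) != 0) {
        printf("Failed to convert Hex format password for %s.\n", label);
        return -1;
    }
    return 0;
}

/*
 * Create the endorsement key as a primary object in the endorsement
 * hierarchy, optionally make it persistent at persistentHandle, and save its
 * public area to outputFile.
 *
 * Uses the file-scope endorsePasswd, ekPasswd, ownerPasswd, hexPasswd,
 * algorithmType, nonPersistentRead, persistentHandle, outputFile and
 * sysContext.
 *
 * Returns 0 on success; -1 on bad password input or setKeyAlgorithm failure,
 * -2 if CreatePrimary fails, -3 if EvictControl fails, -4 if the transient
 * EK cannot be flushed, -5 if the public area cannot be written.
 *
 * Three different auth values are in play and must not be mixed up:
 *   - endorsePasswd authorizes the endorsement hierarchy (command session
 *     for CreatePrimary),
 *   - ekPasswd becomes the new EK's own userAuth (inSensitive),
 *   - ownerPasswd authorizes the owner hierarchy (command session for
 *     EvictControl).
 */
int createEKHandle()
{
    UINT32 rval;
    TPMS_AUTH_COMMAND sessionData;
    TPMS_AUTH_RESPONSE sessionDataOut;
    TSS2_SYS_CMD_AUTHS sessionsData;
    TSS2_SYS_RSP_AUTHS sessionsDataOut;
    TPMS_AUTH_COMMAND *sessionDataArray[1];
    TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
    // TPM2B inputs/outputs: size field holds the capacity (or 0) up front.
    TPM2B_SENSITIVE_CREATE inSensitive = { { sizeof(TPM2B_SENSITIVE_CREATE) - 2, } };
    TPM2B_PUBLIC inPublic = { { sizeof(TPM2B_PUBLIC) - 2, } };
    TPM2B_DATA outsideInfo = { { 0, } };
    TPML_PCR_SELECTION creationPCR;
    TPM2B_NAME name = { { sizeof(TPM2B_NAME) - 2, } };
    TPM2B_PUBLIC outPublic = { { 0, } };
    TPM2B_CREATION_DATA creationData = { { 0, } };
    TPM2B_DIGEST creationHash = { { sizeof(TPM2B_DIGEST) - 2, } };
    TPMT_TK_CREATION creationTicket = { 0, };
    TPM_HANDLE handle2048ek;

    sessionDataArray[0] = &sessionData;
    sessionDataOutArray[0] = &sessionDataOut;
    sessionsDataOut.rspAuths = &sessionDataOutArray[0];
    sessionsData.cmdAuths = &sessionDataArray[0];
    sessionsDataOut.rspAuthsCount = 1;
    sessionsData.cmdAuthsCount = 1;

    // Password session for the command; hmac carries the hierarchy auth.
    sessionData.sessionHandle = TPM_RS_PW;
    sessionData.nonce.t.size = 0;
    sessionData.hmac.t.size = 0;
    *((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0;

    // Endorsement hierarchy auth for Tss2_Sys_CreatePrimary.
    if (setAuthFromPassword(&sessionData.hmac, endorsePasswd, hexPasswd, "endorsePasswd") != 0) {
        return -1;
    }

    // The EK's own auth belongs in the new object's sensitive area, not in
    // the command session (the plain-text path used to write it into
    // sessionData.hmac, clobbering the endorsement auth and leaving the EK
    // with an empty userAuth).
    if (setAuthFromPassword(&inSensitive.t.sensitive.userAuth, ekPasswd, hexPasswd, "ekPasswd") != 0) {
        return -1;
    }

    inSensitive.t.sensitive.data.t.size = 0;
    inSensitive.t.size = inSensitive.t.sensitive.userAuth.b.size + 2;

    // NOTE(review): this only has an effect if setKeyAlgorithm takes
    // inSensitive/inPublic by reference (C++ prototype). If this unit is
    // compiled as C with by-value parameters, the template never reaches
    // CreatePrimary — confirm the prototype.
    if ( setKeyAlgorithm(algorithmType, inSensitive, inPublic) ) {
        return -1;
    }

    creationPCR.count = 0;

    /*To Create EK*/
    rval = Tss2_Sys_CreatePrimary(sysContext, TPM_RH_ENDORSEMENT, &sessionsData,
                                  &inSensitive, &inPublic, &outsideInfo, &creationPCR,
                                  &handle2048ek, &outPublic, &creationData, &creationHash,
                                  &creationTicket, &name, &sessionsDataOut);
    if ( rval != TPM_RC_SUCCESS ) {
        printf("\n......TPM2_CreatePrimary Error. TPM Error:0x%x......\n", rval);
        return -2;
    }
    printf("\nEK create succ.. Handle: 0x%8.8x\n", handle2048ek);

    if (!nonPersistentRead) {
        // To make EK persistent, use own auth
        sessionData.hmac.t.size = 0;
        if (setAuthFromPassword(&sessionData.hmac, ownerPasswd, hexPasswd, "ownerPasswd") != 0) {
            // Do not leave the freshly created transient EK loaded.
            (void)Tss2_Sys_FlushContext(sysContext, handle2048ek);
            return -1;
        }

        rval = Tss2_Sys_EvictControl(sysContext, TPM_RH_OWNER, handle2048ek, &sessionsData,
                                     persistentHandle, &sessionsDataOut);
        if ( rval != TPM_RC_SUCCESS ) {
            printf("\n......EvictControl:Make EK persistent Error. TPM Error:0x%x......\n", rval);
            // Best effort; the EvictControl error is what gets reported.
            (void)Tss2_Sys_FlushContext(sysContext, handle2048ek);
            return -3;
        }
        printf("EvictControl EK persistent succ.\n");
    }

    rval = Tss2_Sys_FlushContext(sysContext, handle2048ek);
    if ( rval != TPM_RC_SUCCESS ) {
        printf("\n......Flush transient EK failed. TPM Error:0x%x......\n", rval);
        return -4;
    }
    printf("Flush transient EK succ.\n");

    // save ek public
    // NOTE(review): this writes the raw in-memory struct, not the TPM
    // marshaled form; readers of outputFile must use the same layout.
    if ( saveDataToFile(outputFile, (UINT8 *)&outPublic, sizeof(outPublic)) ) {
        printf("\n......Failed to save EK pub key into file(%s)......\n", outputFile);
        return -5;
    }

    return 0;
}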
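//
// This function does an HMAC on a null-terminated list of input buffers.
//
// hashAlg    - hash algorithm used for the HMAC.
// key        - HMAC key; loaded into the TPM by LoadExternalHMACKey.
// bufferList - NULL-terminated array of input buffers, fed to the sequence
//              in order. Each is reinterpreted as a TPM2B_MAX_BUFFER, so
//              callers must keep every buffer within that type's capacity.
// result     - out: the digest. Its size is 0 if any step fails.
//
// Returns TPM_RC_SUCCESS or the first failing return code. The loaded key
// and the HMAC sequence object are flushed on every path that reaches the
// TPM, and the SAPI context is always torn down, so an error in the middle
// of the sequence no longer leaks transient objects.
//
UINT32 TpmHmac( TPMI_ALG_HASH hashAlg, TPM2B *key, TPM2B **bufferList, TPM2B_DIGEST *result )
{
    TPM2B_AUTH nullAuth;
    TPMI_DH_OBJECT sequenceHandle = 0;
    int sequenceLoaded = 0;
    int i;
    TPM2B emptyBuffer;
    TPMT_TK_HASHCHECK validation;
    TPMS_AUTH_COMMAND *sessionDataArray[1];
    TPMS_AUTH_COMMAND sessionData;
    TSS2_SYS_CMD_AUTHS sessionsData;
    TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
    TPMS_AUTH_RESPONSE sessionDataOut;
    TSS2_SYS_RSP_AUTHS sessionsDataOut;
    UINT32 rval;
    UINT32 flushRval;
    TPM_HANDLE keyHandle;
    TPM2B_NAME keyName;
    TSS2_SYS_CONTEXT *sysContext;

    sessionDataArray[0] = &sessionData;
    sessionDataOutArray[0] = &sessionDataOut;

    // Set result size to 0, in case any errors occur
    result->b.size = 0;
    nullAuth.t.size = 0;
    emptyBuffer.size = 0;

    rval = LoadExternalHMACKey( hashAlg, key, &keyHandle, &keyName );
    if( rval != TPM_RC_SUCCESS )
    {
        return( rval );
    }

    // Password session with an empty auth: the loaded key has no auth value.
    sessionData.sessionHandle = TPM_RS_PW;
    sessionData.nonce.t.size = 0;
    sessionData.hmac.t.size = 0;
    *( (UINT8 *)((void *)&( sessionData.sessionAttributes ) ) ) = 0;
    sessionsData.cmdAuthsCount = 1;
    sessionsData.cmdAuths = &sessionDataArray[0];

    // Init sessions out struct
    sessionsDataOut.rspAuthsCount = 1;
    sessionsDataOut.rspAuths = &sessionDataOutArray[0];

    sysContext = InitSysContext( 3000, resMgrTctiContext, &abiVersion );
    if( sysContext == 0 )
    {
        // No context to flush keyHandle through; the key stays loaded.
        return TSS2_APP_ERROR_LEVEL + TPM_RC_FAILURE;
    }

    rval = Tss2_Sys_HMAC_Start( sysContext, keyHandle, &sessionsData, &nullAuth,
                                hashAlg, &sequenceHandle, 0 );
    if( rval != TPM_RC_SUCCESS )
    {
        goto cleanup;
    }
    sequenceLoaded = 1;

    for( i = 0; bufferList[i] != 0; i++ )
    {
        rval = Tss2_Sys_SequenceUpdate ( sysContext, sequenceHandle, &sessionsData,
                                         (TPM2B_MAX_BUFFER *)( bufferList[i] ),
                                         &sessionsDataOut );
        if( rval != TPM_RC_SUCCESS )
        {
            goto cleanup;
        }
    }

    // Capacity in, digest length out.
    result->t.size = sizeof( TPM2B_DIGEST ) - 2;
    rval = Tss2_Sys_SequenceComplete ( sysContext, sequenceHandle, &sessionsData,
                                       ( TPM2B_MAX_BUFFER *)&emptyBuffer, TPM_RH_PLATFORM,
                                       result, &validation, &sessionsDataOut );
    if( rval == TPM_RC_SUCCESS )
    {
        // A completed sequence is consumed by the TPM; nothing left to flush.
        sequenceLoaded = 0;
    }

cleanup:
    if( sequenceLoaded )
    {
        // Reached only on error. A failed update/complete presumably leaves
        // the sequence object loaded; drop it, keeping the primary error.
        (void)Tss2_Sys_FlushContext( sysContext, sequenceHandle );
    }
    flushRval = Tss2_Sys_FlushContext( sysContext, keyHandle );
    if( rval == TPM_RC_SUCCESS )
    {
        rval = flushRval;
    }
    if( rval != TPM_RC_SUCCESS )
    {
        // Keep the documented contract: no digest on failure.
        result->b.size = 0;
    }
    TeardownSysContext( &sysContext );
    return rval;
}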
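/*
 * Decode, in place, a password that the option parser stored as hex text
 * inside a TPM2B_AUTH.
 *
 * The text is first copied to a NUL-terminated scratch buffer so the decoder
 * never reads and writes the same bytes (the previous code passed the TPM2B
 * buffer as both source and destination).
 *
 * auth  - holds the hex text on entry and the binary auth on success.
 * label - option name used in the error message.
 * Returns 0 on success, -1 if the text is not valid hex.
 */
static int convertHexAuthInPlace(TPM2B_AUTH *auth, const char *label)
{
    char hexText[sizeof(auth->t.buffer) + 1];
    // Assumes the parser stored the text length in t.size — confirm against
    // the option handling code.
    size_t len = auth->t.size;

    if (len > sizeof(auth->t.buffer)) {
        len = sizeof(auth->t.buffer);
    }
    memcpy(hexText, auth->t.buffer, len);
    hexText[len] = '\0';

    // hex2ByteStructure takes the capacity in and returns the decoded length.
    auth->t.size = sizeof(*auth) - 2;
    if (hex2ByteStructure(hexText, &auth->t.size, auth->t.buffer) != 0) {
        printf("Failed to convert Hex format password for %s.\n", label);
        return -1;
    }
    return 0;
}

/*
 * Run TPM2_ActivateCredential on credentialBlob/secret.
 *
 * A trial-free policy session is started and satisfied with PolicySecret on
 * the endorsement hierarchy (authorized by cmdAuth2); that session (cmdAuth3)
 * authorizes keyHandle and the password session cmdAuth authorizes
 * activateHandle. The recovered certInfo is printed and written to
 * outFilePath.
 *
 * Uses the file-scope cmdAuth, cmdAuth2, cmdAuth3, hexPasswd, sysContext,
 * activateHandle, keyHandle, credentialBlob, secret and outFilePath.
 *
 * Returns 0 on success; -1 on bad password input or session start failure,
 * -2 if PolicySecret fails, -3 if ActivateCredential fails, -4/-5 if the
 * session cannot be flushed/ended, -6 if the output file cannot be written.
 * Once the policy session exists it is flushed and ended on every failure
 * path, so a failed run no longer leaks a TPM session and a table slot.
 */
int activateCredential()
{
    UINT32 rval;
    int rc;
    TPM2B_DIGEST certInfoData = { { sizeof(certInfoData)-2, } };
    SESSION *session;
    TPM2B_ENCRYPTED_SECRET encryptedSalt = { { 0, } };
    TPM2B_NONCE nonceCaller = { { 0, } };
    TPMT_SYM_DEF symmetric;
    // ActivateCredential: cmdAuth for activateHandle, cmdAuth3 for keyHandle.
    TPMS_AUTH_COMMAND *cmdSessionArray[2] = { &cmdAuth, &cmdAuth3 };
    TSS2_SYS_CMD_AUTHS cmdAuthArray = { 2, &cmdSessionArray[0] };
    // PolicySecret: cmdAuth2 for the endorsement hierarchy.
    TPMS_AUTH_COMMAND *cmdSessionArray1[1] = { &cmdAuth2 };
    TSS2_SYS_CMD_AUTHS cmdAuthArray1 = { 1, &cmdSessionArray1[0] };

    printf("\nACTIVATE CREDENTIAL TESTS:\n");

    cmdAuth.sessionHandle = TPM_RS_PW;
    cmdAuth2.sessionHandle = TPM_RS_PW;
    *((UINT8 *)((void *)&cmdAuth.sessionAttributes)) = 0;
    *((UINT8 *)((void *)&cmdAuth2.sessionAttributes)) = 0;
    *((UINT8 *)((void *)&cmdAuth3.sessionAttributes)) = 0;

    // Unsalted, unencrypted policy session.
    symmetric.algorithm = TPM_ALG_NULL;

    if (cmdAuth.hmac.t.size > 0 && hexPasswd) {
        if (convertHexAuthInPlace(&cmdAuth.hmac, "handlePasswd") != 0) {
            return -1;
        }
    }
    if (cmdAuth2.hmac.t.size > 0 && hexPasswd) {
        if (convertHexAuthInPlace(&cmdAuth2.hmac, "endorsePasswd") != 0) {
            return -1;
        }
    }

    rval = StartAuthSessionWithParams( &session, TPM_RH_NULL, 0, TPM_RH_NULL, 0,
                                       &nonceCaller, &encryptedSalt, TPM_SE_POLICY,
                                       &symmetric, TPM_ALG_SHA256 );
    if( rval != TPM_RC_SUCCESS )
    {
        printf("\n......StartAuthSessionWithParams Error. TPM Error:0x%x......\n", rval);
        return -1;
    }
    printf("\nStartAuthSessionWithParams succ.......\n");

    rval = Tss2_Sys_PolicySecret(sysContext, TPM_RH_ENDORSEMENT, session->sessionHandle,
                                 &cmdAuthArray1, 0, 0, 0, 0, 0, 0, 0);
    if( rval != TPM_RC_SUCCESS )
    {
        printf("\n......Tss2_Sys_PolicySecret Error. TPM Error:0x%x......\n", rval);
        rc = -2;
        goto discard_session;
    }
    printf("\nTss2_Sys_PolicySecret succ.......\n");

    // The policy session authorizes keyHandle; keep it alive past the command
    // so it can be flushed explicitly below.
    cmdAuth3.sessionHandle = session->sessionHandle;
    cmdAuth3.sessionAttributes.continueSession = 1;
    cmdAuth3.hmac.t.size = 0;

    rval = Tss2_Sys_ActivateCredential(sysContext, activateHandle, keyHandle, &cmdAuthArray,
                                       &credentialBlob, &secret, &certInfoData, 0);
    if(rval != TPM_RC_SUCCESS)
    {
        printf("\n......ActivateCredential failed. TPM Error:0x%x......\n", rval);
        rc = -3;
        goto discard_session;
    }
    printf("\nActivate Credential succ.\n");

    // Need to flush the session here.
    rval = Tss2_Sys_FlushContext( sysContext, session->sessionHandle );
    if( rval != TPM_RC_SUCCESS )
    {
        printf("\n......TPM2_Sys_FlushContext Error. TPM Error:0x%x......\n", rval);
        return -4;
    }

    // And remove the session from sessions table.
    rval = EndAuthSession( session );
    if( rval != TPM_RC_SUCCESS )
    {
        printf("\n......EndAuthSession Error. TPM Error:0x%x......\n", rval);
        return -5;
    }

    // certInfoData is the recovered credential; it is echoed to stdout as
    // well as written to the output file.
    printf("\nCertInfoData :\n");
    for (int k = 0; k<certInfoData.t.size; k++)
    {
        printf("0x%.2x ", certInfoData.t.buffer[k]);
    }
    printf("\n\n");

    if(saveDataToFile(outFilePath, certInfoData.t.buffer, certInfoData.t.size) == 0)
        printf("OutFile %s completed!\n",outFilePath);
    else
        return -6;

    return 0;

discard_session:
    // Best effort: the primary error code is already chosen; do not mask it.
    (void)Tss2_Sys_FlushContext( sysContext, session->sessionHandle );
    (void)EndAuthSession( session );
    return rc;
}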