int main(int argc, char *argv[])
{
int ret;
struct stat sbuf;
unsigned char databuff[256]; /* data read work buffer */
unsigned int datalen; /* size of data file */
uint32_t keyhandle = 0; /* handle of key */
unsigned char passhash1[20]; /* hash of parent key password */
unsigned char passhash2[20]; /* hash of data password */
unsigned char blob[4096]; /* resulting sealed blob */
uint32_t bloblen; /* blob length */
unsigned char *passptr1 = NULL;
unsigned char *passptr2 = NULL;
unsigned char future_hash[TPM_HASH_SIZE];
FILE *infile;
FILE *outfile;
int i = 1;
int index;
int index_ctr = 0;
int max_index = -1;
TPM_PCR_INFO_LONG pcrInfoLong;
TPM_PCR_COMPOSITE pcrComp;
STACK_TPM_BUFFER(serPcrInfo)
uint32_t pcrs;
char *keypass = NULL;
char *datpass = NULL;
const char *datafilename = NULL;
const char *sealfilename = NULL;
TPM_setlog(0); /* turn off verbose output */
memset(&pcrInfoLong, 0x0, sizeof(pcrInfoLong));
memset(&pcrComp, 0x0, sizeof(pcrComp));
ret = TPM_GetNumPCRRegisters(&pcrs);
if (ret != 0) {
printf("Error reading number of PCR registers.\n");
exit(-1);
}
if (pcrs > TPM_NUM_PCR) {
printf("Library does not support that many PCRs.\n");
exit(-1);
}
/*
* Now build the basic pcrInfoLong
*/
pcrInfoLong.tag = TPM_TAG_PCR_INFO_LONG;
pcrInfoLong.localityAtRelease = TPM_LOC_ZERO;
pcrInfoLong.localityAtCreation = TPM_LOC_ZERO;
pcrInfoLong.releasePCRSelection.sizeOfSelect = pcrs / 8;
pcrInfoLong.creationPCRSelection.sizeOfSelect = pcrs / 8;
for (i=1 ; i<argc ; i++) {
if (!strcmp(argv[i],"-pwdk")) {
i++;
if (i >= argc) {
printf("Missing parameter for option -pwdk.\n");
printUsage();
}
keypass = argv[i];
}
else if (!strcmp(argv[i],"-pwdd")) {
i++;
if (i >= argc) {
printf("Missing parameter for option -pwdd.\n");
printUsage();
}
datpass = argv[i];
}
else if (strcmp(argv[i],"-hk") == 0) {
i++;
if (i < argc) {
/* convert key handle from hex */
if (1 != sscanf(argv[i], "%x", &keyhandle)) {
printf("Invalid -hk argument '%s'\n",argv[i]);
exit(2);
}
}
else {
printf("-hk option needs a value\n");
printUsage();
}
}
else if (strcmp(argv[i],"-if") == 0) {
i++;
if (i < argc) {
datafilename = argv[i];
}
else {
printf("-if option needs a value\n");
printUsage();
}
}
else if (strcmp(argv[i],"-of") == 0) {
i++;
if (i < argc) {
sealfilename = argv[i];
}
else {
printf("-of option needs a value\n");
printUsage();
}
}
else if (!strcmp(argv[i],"-ix")) {
int j = 0;
int shift = 4;
char * hash_str = NULL;
i++;
if (i >= argc) {
printf("Missing parameter for option -ix.\n");
printUsage();
}
index = atoi(argv[i]);
if (index < 0 || index > (int)(pcrs-1)) {
printf("Index out of range! Max PCR is %d.\n",pcrs-1);
printUsage();
}
if (index <= max_index) {
printf("Inidices must be given in ascending order.\n");
exit(-1);
}
max_index = index;
i++;
if (i >= argc) {
printf("Missing parameter for option -i.\n");
printUsage();
}
hash_str = argv[i];
if (40 != strlen(hash_str)) {
printf("The hash must be exactly 40 characters long!\n");
exit(-1);
}
memset(future_hash, 0x0, TPM_HASH_SIZE);
shift = 4;
j = 0;
while (j < (2 * TPM_HASH_SIZE)) {
unsigned char c = hash_str[j];
if (c >= '0' && c <= '9') {
future_hash[j>>1] |= ((c - '0') << shift);
} else
if (c >= 'a' && c <= 'f') {
future_hash[j>>1] |= ((c - 'a' + 10) << shift);
} else
int main(int argc, char *argv[])
{
int ret; /* general return value */
uint32_t keyhandle = 0; /* handle of quote key */
unsigned int pcrmask = 0; /* pcr register mask */
unsigned char passhash1[TPM_HASH_SIZE]; /* hash of key password */
unsigned char data[TPM_HASH_SIZE];/* nonce data */
STACK_TPM_BUFFER(signature);
pubkeydata pubkey; /* public key structure */
RSA *rsa; /* openssl RSA public key */
unsigned char *passptr;
TPM_PCR_SELECTION selection;
TPM_PCR_INFO_SHORT s1;
TPM_QUOTE_INFO2 quoteinfo;
STACK_TPM_BUFFER( serQuoteInfo )
uint32_t pcrs;
int i;
uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1;
TPM_BOOL addVersion = FALSE;
STACK_TPM_BUFFER(versionblob);
static char *keypass = NULL;
TPM_setlog(0); /* turn off verbose output from TPM driver */
for (i=1 ; i<argc ; i++) {
if (strcmp(argv[i],"-hk") == 0) {
i++;
if (i < argc) {
/* convert key handle from hex */
if (1 != sscanf(argv[i], "%x", &keyhandle)) {
printf("Invalid -hk argument '%s'\n",argv[i]);
exit(2);
}
}
else {
printf("-hk option needs a value\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-pwdk")) {
i++;
if (i < argc) {
keypass = argv[i];
}
else {
printf("Missing parameter to -pwdk\n");
printUsage();
}
}
else if (strcmp(argv[i],"-bm") == 0) {
i++;
if (i < argc) {
/* convert key handle from hex */
if (1 != sscanf(argv[i], "%x", &pcrmask)) {
printf("Invalid -bm argument '%s'\n",argv[i]);
exit(2);
}
}
else {
printf("-bm option needs a value\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-vinfo")) {
addVersion = TRUE;
printf("Adding version info.\n");
}
else if (!strcmp(argv[i], "-h")) {
printUsage();
}
else if (!strcmp(argv[i], "-v")) {
TPM_setlog(1);
}
else {
printf("\n%s is not a valid option\n", argv[i]);
printUsage();
}
}
if ((keyhandle == 0) ||
(pcrmask == 0)) {
printf("Missing argument\n");
printUsage();
}
memset(&s1, 0x0, sizeof(s1));
/*
** Parse and process the command line arguments
*/
/* get the SHA1 hash of the password string for use as the Key Authorization Data */
if (keypass != NULL) {
TSS_sha1((unsigned char *)keypass,strlen(keypass),passhash1);
passptr = passhash1;
} else {
passptr = NULL;
}
/* for testing, use the password hash as the test nonce */
memcpy(data,passhash1,TPM_HASH_SIZE);
ret = TPM_GetNumPCRRegisters(&pcrs);
if (ret != 0) {
printf("Error reading number of PCR registers.\n");
exit(-1);
}
if (pcrs > TPM_NUM_PCR) {
printf("Library does not support that many PCRs.\n");
exit(-1);
}
memset(&selection, 0x0, sizeof(selection));
selection.sizeOfSelect = pcrs / 8;
for (i = 0; i < selection.sizeOfSelect; i++) {
selection.pcrSelect[i] = (pcrmask & 0xff);
pcrmask >>= 8;
}
/*
** perform the TPM Quote function
*/
ret = TPM_Quote2(keyhandle, /* key handle */
&selection, /* specify PCR registers */
addVersion, /* add Version */
passptr, /* Key Password (hashed), or null */
data, /* nonce data */
&s1, /* pointer to pcr info */
&versionblob, /* pointer to TPM_CAP_VERSION_INFO */
&signature); /* buffer to receive result, int to receive result length */
if (ret != 0) {
printf("Error '%s' from TPM_Quote2\n",TPM_GetErrMsg(ret));
exit(ret);
}
/*
** Get the public key and convert to an OpenSSL RSA public key
*/
ret = TPM_GetPubKey(keyhandle,passptr,&pubkey);
if (ret != 0) {
printf("Error '%s' from TPM_GetPubKey\n",TPM_GetErrMsg(ret));
exit(ret);
}
rsa = TSS_convpubkey(&pubkey);
/*
** fill the quote info structure and calculate the hashes needed for verification
*/
quoteinfo.tag = TPM_TAG_QUOTE_INFO2;
memcpy(&(quoteinfo.fixed),"QUT2",4);
quoteinfo.infoShort = s1;
memcpy(&(quoteinfo.externalData),data,TPM_NONCE_SIZE);
unsigned char *corey_ptr = (unsigned char *)"einfo;
unsigned int x;
printf("quote info: \n");
for (x=0;x<128;x++)
{
if (x != 0 && x % 16 == 0)
printf("\n");
printf("%02x ", corey_ptr[x]);
}
printf("\n");
/* create the hash of the quoteinfo structure for signature verification */
ret = TPM_WriteQuoteInfo2(&serQuoteInfo, "einfo);
if ( ( ret & ERR_MASK ) != 0) {
exit(-1);
}
printf("serquoteinfo: \n");
for (x=0;x<128;x++)
{
if (x != 0 && x % 16 == 0)
printf("\n");
printf("%02x ", serQuoteInfo.buffer[x]);
}
printf("\n");
/* append version information if given in response */
if (addVersion) {
printf("addversion is called\n");
memcpy(serQuoteInfo.buffer + serQuoteInfo.used,
versionblob.buffer,
versionblob.used);
serQuoteInfo.used += versionblob.used;
}
ret = TPM_ValidateSignature(sigscheme,
&serQuoteInfo,
&signature,
rsa);
if (ret != 0) {
printf("Verification failed\n");
} else {
printf("Verification succeeded\n");
}
RSA_free(rsa);
exit(ret);
}
int main(int argc, char *argv[])
{
int ret; /* general return value */
uint32_t keyhandle = 0; /* handle of quote key */
unsigned int pcrmask = 0; /* pcr register mask */
unsigned char passhash1[TPM_HASH_SIZE]; /* hash of key password */
unsigned char nonce[TPM_NONCE_SIZE]; /* nonce data */
STACK_TPM_BUFFER(signature);
pubkeydata pubkey; /* public key structure */
unsigned char *passptr;
TPM_PCR_COMPOSITE tpc;
STACK_TPM_BUFFER (ser_tpc);
STACK_TPM_BUFFER (ser_tqi);
STACK_TPM_BUFFER (response);
uint32_t pcrs;
int i;
uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1;
TPM_PCR_SELECTION tps;
static char *keypass = NULL;
const char *certFilename = NULL;
int verbose = FALSE;
TPM_setlog(0); /* turn off verbose output from TPM driver */
for (i=1 ; i<argc ; i++) {
if (strcmp(argv[i],"-hk") == 0) {
i++;
if (i < argc) {
/* convert key handle from hex */
if (1 != sscanf(argv[i], "%x", &keyhandle)) {
printf("Invalid -hk argument '%s'\n",argv[i]);
exit(2);
}
if (keyhandle == 0) {
printf("Invalid -hk argument '%s'\n",argv[i]);
exit(2);
}
}
else {
printf("-hk option needs a value\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-pwdk")) {
i++;
if (i < argc) {
keypass = argv[i];
}
else {
printf("Missing parameter to -pwdk\n");
printUsage();
}
}
else if (strcmp(argv[i],"-bm") == 0) {
i++;
if (i < argc) {
/* convert key handle from hex */
if (1 != sscanf(argv[i], "%x", &pcrmask)) {
printf("Invalid -bm argument '%s'\n",argv[i]);
exit(2);
}
}
else {
printf("-bm option needs a value\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-cert")) {
i++;
if (i < argc) {
certFilename = argv[i];
}
else {
printf("Missing parameter to -cert\n");
printUsage();
}
}
else if (!strcmp(argv[i], "-h")) {
printUsage();
}
else if (!strcmp(argv[i], "-v")) {
verbose = TRUE;
TPM_setlog(1);
}
else {
printf("\n%s is not a valid option\n", argv[i]);
printUsage();
}
}
if ((keyhandle == 0) ||
(pcrmask == 0)) {
printf("Missing argument\n");
printUsage();
}
/* get the SHA1 hash of the password string for use as the Key Authorization Data */
if (keypass != NULL) {
TSS_sha1((unsigned char *)keypass, strlen(keypass), passhash1);
passptr = passhash1;
}
else {
passptr = NULL;
}
/* for testing, use the password hash as the test nonce */
memcpy(nonce, passhash1, TPM_HASH_SIZE);
ret = TPM_GetNumPCRRegisters(&pcrs);
if (ret != 0) {
printf("Error reading number of PCR registers.\n");
exit(-1);
}
if (pcrs > TPM_NUM_PCR) {
printf("Library does not support that many PCRs.\n");
exit(-1);
}
tps.sizeOfSelect = pcrs / 8;
for (i = 0; i < tps.sizeOfSelect; i++) {
tps.pcrSelect[i] = (pcrmask & 0xff);
pcrmask >>= 8;
}
/*
** perform the TPM Quote function
*/
ret = TPM_Quote(keyhandle, /* KEY handle */
passptr, /* Key Password (hashed), or null */
nonce, /* nonce data */
&tps, /* specify PCR registers */
&tpc, /* pointer to pcr composite */
&signature);/* buffer to receive result, int to receive result length */
if (ret != 0) {
printf("Error '%s' from TPM_Quote\n", TPM_GetErrMsg(ret));
exit(ret);
}
/*
** Get the public key and convert to an OpenSSL RSA public key
*/
ret = TPM_GetPubKey(keyhandle, passptr, &pubkey);
if (ret != 0) {
printf("quote: Error '%s' from TPM_GetPubKey\n", TPM_GetErrMsg(ret));
exit(-6);
}
ret = TPM_ValidatePCRCompositeSignature(&tpc,
nonce,
&pubkey,
&signature,
sigscheme);
if (ret) {
printf("Error %s from validating the signature over the PCR composite.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
printf("Verification against AIK succeeded\n");
/* optionally verify the quote signature against the key certificate */
if (certFilename != NULL) {
unsigned char *certStream = NULL; /* freed @1 */
uint32_t certStreamLength;
X509 *x509Certificate = NULL; /* freed @2 */
unsigned char *tmpPtr; /* because d2i_X509 moves the ptr */
/* AIK public key parts */
RSA *rsaKey = NULL; /* freed @3 */
if (verbose) printf("quote: verifying the signature against the certificate\n");
/* load the key certificate */
if (ret == 0) {
ret = TPM_ReadFile(certFilename,
&certStream, /* freed @1 */
&certStreamLength);
}
/* convert to openssl X509 */
if (ret == 0) {
if (verbose) printf("quote: parsing the certificate stream\n");
tmpPtr = certStream;
x509Certificate = d2i_X509(NULL,
(const unsigned char **)&tmpPtr, certStreamLength);
if (x509Certificate == NULL) {
printf("Error in certificate deserialization d2i_X509()\n");
ret = -1;
}
}
if (ret == 0) {
if (verbose) printf("quote: get the certificate public key\n");
ret = GetRSAKey(&rsaKey, /* freed @3 */
x509Certificate);
}
if (ret == 0) {
if (verbose) printf("quote: quote validate signature\n");
ret = TPM_ValidatePCRCompositeSignatureRSA(&tpc,
nonce,
rsaKey,
&signature,
sigscheme);
if (ret != 0) {
printf("Verification against certificate failed\n");
}
}
if (ret == 0) {
printf("Verification against certificate succeeded\n");
}
free(certStream); /* @1 */
X509_free(x509Certificate); /* @2 */
RSA_free(rsaKey); /* @3 */
}
exit(ret);
}
