static TPM_RESULT execute_TPM_GetPubKey(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_KEY_HANDLE keyHandle; TPM_PUBKEY pubKey; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &keyHandle) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_GetPubKey(keyHandle, &req->auth1, &pubKey); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = sizeof_TPM_PUBKEY(pubKey); rsp->param = ptr = malloc(len); if (ptr == NULL || tpm_marshal_TPM_PUBKEY(&ptr, &len, &pubKey)) { free(rsp->param); res = TPM_FAIL; } free_TPM_PUBKEY(pubKey); return res; }
int main(int argc, char *argv[]) { uint32_t ret; STACK_TPM_BUFFER(resp); int index = 0; STACK_TPM_BUFFER( subcap );; TPM_setlog(0); /* turn off verbose output */ ParseArgs(argc, argv); while ((int)matrx[index].cap != -1) { if (cap == matrx[index].cap) { break; } index++; } if (-1 == (int)matrx[index].cap) { printf("Unknown or unsupported capability!\n"); exit(-1); } subcap.used = 0; if (matrx[index].subcap_size > 0) { if ((int)scap == -1) { printf("Need subcap parameter for this capability!\n"); exit(-1); } if (0 == prepare_subcap(cap, &subcap, scap)) { if (2 == matrx[index].subcap_size) { STORE16(subcap.buffer,0,scap); subcap.used = 2; } else if (matrx[index].subcap_size >= 4) { STORE32(subcap.buffer,0,scap); subcap.used = 4; } } } #if 0 /* This was for VTPM extensions and needs retest */ if (cap == TPM_CAP_MFR) { int idx2 = 0; while ((int)mfr_matrix[idx2].cap != -1) { if (mfr_matrix[idx2].cap == scap) { break; } idx2++; } if (mfr_matrix[idx2].subcap_size > 0) { uint32_t used = subcap.used + mfr_matrix[idx2].subcap_size; while (subcap.used < used) { if (argc <= nxtarg) { printf("Need one more parameter for this " "capability!\n"); exit(-1); } if (!strncmp("0x",argv[nxtarg],2)) { sscanf(argv[nxtarg],"%x",&sscap); } else { sscanf(argv[nxtarg],"%d",&sscap); } nxtarg++; if (2 == matrx[index].subcap_size) { STORE16(subcap.buffer, subcap.used,sscap); subcap.used += 2; } else if (matrx[index].subcap_size >= 4) { STORE32(subcap.buffer, subcap.used,sscap); subcap.used += 4; } } } } #endif if (0 == sikeyhandle) { ret = TPM_GetCapability(cap, &subcap, &resp); if (0 != ret) { printf("TPM_GetCapability returned %s.\n", TPM_GetErrMsg(ret)); exit(ret); } } else { unsigned char antiReplay[TPM_HASH_SIZE]; unsigned char signature[2048]; uint32_t signaturelen = sizeof(signature); pubkeydata pubkey; RSA * rsa; unsigned char sighash[TPM_HASH_SIZE]; unsigned char * buffer = NULL; unsigned char * sigkeyhashptr = NULL; unsigned char sigkeypasshash[TPM_HASH_SIZE]; if (NULL != sikeypass) { TSS_sha1(sikeypass,strlen(sikeypass),sigkeypasshash); sigkeyhashptr = sigkeypasshash; } TSS_gennonce(antiReplay); ret = TPM_GetPubKey(sikeyhandle, sigkeyhashptr, &pubkey); if (0 != ret) { printf("Error while trying to access the signing key's public key.\n"); exit(-1); } rsa = TSS_convpubkey(&pubkey); ret = TPM_GetCapabilitySigned(sikeyhandle, sigkeyhashptr, antiReplay, cap, &subcap, &resp, signature, &signaturelen); if (0 != ret) { printf("TPM_GetCapabilitySigned returned %s.\n", TPM_GetErrMsg(ret)); exit(ret); } buffer = malloc(resp.used+TPM_NONCE_SIZE); if (NULL == buffer) { printf("Could not allocate buffer.\n"); exit(-1); } memcpy(&buffer[0], resp.buffer, resp.used); memcpy(&buffer[resp.used], antiReplay, TPM_NONCE_SIZE); TSS_sha1(buffer, resp.used+TPM_NONCE_SIZE, sighash); free(buffer); ret = RSA_verify(NID_sha1, sighash,TPM_HASH_SIZE, signature,signaturelen, rsa); if (1 != ret) { printf("Error: Signature verification failed.\n"); exit(-1); } } if (0 == resp.used) { printf("Empty response.\n"); } else { if (-1 == (int)scap) { printf("Result for capability 0x%x is : ",cap); } else { printf("Result for capability 0x%x, subcapability 0x%x is : ",cap,scap); } if (TYPE_BOOL == matrx[index].result_size) { if (resp.buffer[0] == 0) { printf("FALSE\n"); } else { printf("TRUE\n"); } } else if (TYPE_UINT32 == matrx[index].result_size) { uint32_t rsp; rsp = LOAD32(resp.buffer,0); printf("0x%08X = %d\n",rsp,rsp); } else if (TYPE_UINT32_ARRAY == matrx[index].result_size) { int i = 0; printf("\n"); while (i+3 < (int)resp.used) { uint32_t rsp = LOAD32(resp.buffer,i); i+=4; if (TPM_CAP_NV_LIST == cap) { /* don't zero extend, grep needs the exact value for test suite */ printf("%d. Index : %d = 0x%x.\n", i/4, rsp, rsp); } else if (TPM_CAP_KEY_HANDLE == cap) { printf("%d. keyhandle : %d.\n", i/4, rsp); } else { printf("%d. item : %d.\n", i/4, rsp); } } } else if (TYPE_STRUCTURE == matrx[index].result_size) { switch(cap) { case TPM_CAP_FLAG: { if (scap == TPM_CAP_FLAG_PERMANENT) { TPM_PERMANENT_FLAGS pf; STACK_TPM_BUFFER(tb) TSS_SetTPMBuffer(&tb, resp.buffer, resp.used); ret = TPM_ReadPermanentFlags(&tb, 0, &pf, resp.used); if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) { printf("ret=%x, responselen=%d\n",ret,resp.used); printf("Error parsing response!\n"); exit(-1); } printf("\n"); showPermanentFlags(&pf, resp.used); } else if (scap == TPM_CAP_FLAG_VOLATILE) { TPM_STCLEAR_FLAGS sf; STACK_TPM_BUFFER(tb); TSS_SetTPMBuffer(&tb, resp.buffer, resp.used); ret = TPM_ReadSTClearFlags(&tb, 0, &sf); if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) { printf("ret=%x, responselen=%d\n",ret,resp.used); printf("Error parsing response!\n"); exit(-1); } printf("\n"); showVolatileFlags(&sf); } } break; case TPM_CAP_KEY_HANDLE: { uint16_t num = LOAD16(resp.buffer, 0); uint32_t i = 0; uint32_t handle; printf("\n"); while (i < num) { handle = LOAD32(resp.buffer,2+i*4); printf("%d. handle: 0x%08X\n", i, handle); i++; } } break; case TPM_CAP_NV_INDEX: { //char scratch_info[256]; unsigned char scratch_info[256]; uint32_t scratch_info_len; TPM_NV_DATA_PUBLIC ndp; uint32_t i, c; STACK_TPM_BUFFER(tb) TSS_SetTPMBuffer(&tb, resp.buffer, resp.used); ret = TPM_ReadNVDataPublic(&tb, 0, &ndp); if ( ( ret & ERR_MASK) != 0) { printf("Could not deserialize the TPM_NV_DATA_PUBLIC structure.\n"); exit(-1); } printf("permission.attributes : %08X\n",(unsigned int)ndp.permission.attributes); printf("ReadSTClear : %02X\n",ndp.bReadSTClear); printf("WriteSTClear : %02X\n",ndp.bWriteSTClear); printf("WriteDefine : %02X\n",ndp.bWriteDefine); printf("dataSize : %08X = %d",(unsigned int)ndp.dataSize, (unsigned int)ndp.dataSize); c = 0; for (i = 0; i < ndp.pcrInfoRead.pcrSelection.sizeOfSelect*8; i++) { if (ndp.pcrInfoRead.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) { if (!c) printf("\nRead PCRs selected: "); else printf(", "); printf("%d", i); c++; } } if (c) { char pcrmap[4], *pf; memcpy(pcrmap, ndp.pcrInfoRead.pcrSelection.pcrSelect, ndp.pcrInfoRead.pcrSelection.sizeOfSelect); // printf("\npcrmap: %02x%02x%02x%02x\n", pcrmap[0], pcrmap[1], // pcrmap[2], pcrmap[3]); ret = TSS_GenPCRInfo(*(uint32_t *)pcrmap, scratch_info, &scratch_info_len); printf("\nRead PCR Composite: "); for (i = 0; i < 20; i++) printf("%02x", ndp.pcrInfoRead.digestAtRelease[i] & 0xff); printf("\n"); #if 1 pf = &scratch_info[5]; printf("\nCurrent PCR composite: "); for (i = 0; i < 20; i++) //printf("%02x", scratch_info.digestAtRelease[i] & 0xff); printf("%02x", pf[i] & 0xff); printf("\n"); #endif if (!ret) { printf("Matches current TPM state: "); if (!memcmp(&scratch_info[5], &ndp.pcrInfoRead.digestAtRelease, 20)) { printf("Yes\n"); } else { printf("No\n"); } } } c = 0; for (i = 0; i < ndp.pcrInfoWrite.pcrSelection.sizeOfSelect*8; i++) { if (ndp.pcrInfoWrite.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) { if (!c) printf("\nWrite PCRs selected: "); else printf(", "); printf("%d", i); c++; } } if (c) { printf("\nWrite PCR Composite: "); for (i = 0; i < 20; i++) printf("%02x", ndp.pcrInfoWrite.digestAtRelease[i] & 0xff); printf("\n"); } } break; case TPM_CAP_HANDLE: { uint16_t num = LOAD16(resp.buffer, 0); uint16_t x = 0; while (x < num) { uint32_t handle = LOAD32(resp.buffer, sizeof(num)+4*x); printf("%02d. 0x%08X\n",x,handle); x++; } } break; case TPM_CAP_VERSION_VAL: { int i = 0; TPM_CAP_VERSION_INFO cvi; STACK_TPM_BUFFER(tb) TSS_SetTPMBuffer(&tb, resp.buffer, resp.used); ret = TPM_ReadCapVersionInfo(&tb, 0, &cvi); if ( ( ret & ERR_MASK) != 0) { printf("Could not read the version info structure.\n"); exit(-1); } printf("\n"); printf("major : 0x%02X\n",cvi.version.major); printf("minor : 0x%02X\n",cvi.version.minor); printf("revMajor : 0x%02X\n",cvi.version.revMajor); printf("revMinor : 0x%02X\n",cvi.version.revMinor); printf("specLevel : 0x%04X\n",cvi.specLevel); printf("errataRev : 0x%02X\n",cvi.errataRev); printf("VendorID : "); while (i < 4) { printf("%02X ",cvi.tpmVendorID[i]); i++; } printf("\n"); /* Print vendor ID in text if printable */ for (i=0 ; i<4 ; i++) { if (isprint(cvi.tpmVendorID[i])) { if (i == 0) { printf("VendorID : "); } printf("%c", cvi.tpmVendorID[i]); } else { break; } } printf("\n"); printf("[not displaying vendor specific information]\n"); } break; #if 0 /* kgold: I don't think these are valid cap values */ case TPM_CAP_FLAG_PERMANENT: { TPM_PERMANENT_FLAGS pf; STACK_TPM_BUFFER(tb) TSS_SetTPMBuffer(&tb, resp.buffer, resp.used); if (resp.used == 21) { ret = TPM_ReadPermanentFlagsPre103(&tb, 0, &pf); } else { ret = TPM_ReadPermanentFlags(&tb, 0, &pf); } if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) { printf("ret=%x, responselen=%d\n",ret,resp.used); printf("Error parsing response!\n"); exit(-1); } printf("\n"); showPermanentFlags(&pf, resp.used); } break; case TPM_CAP_FLAG_VOLATILE: { TPM_STCLEAR_FLAGS sf; STACK_TPM_BUFFER(tb); TSS_SetTPMBuffer(&tb, resp.buffer, resp.used); ret = TPM_ReadSTClearFlags(&tb, 0, &sf); if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) { printf("ret=%x, responselen=%d\n",ret,resp.used); printf("Error parsing response!\n"); exit(-1); } printf("\n"); showVolatileFlags(&sf); } break; #endif case TPM_CAP_DA_LOGIC: { uint32_t ctr; TPM_BOOL lim = FALSE; TPM_DA_INFO dainfo; TPM_DA_INFO_LIMITED dainfo_lim; STACK_TPM_BUFFER(tb); TSS_SetTPMBuffer(&tb, resp.buffer, resp.used); ret = TPM_ReadDAInfo(&tb, 0, &dainfo); if ( ( ret & ERR_MASK) != 0 || ret > resp.used) { ret = TPM_ReadDAInfoLimited(&tb, 0, &dainfo_lim); if ( (ret & ERR_MASK ) != 0 || ret > resp.used) { printf("ret=%x, responselen=%d\n",ret,resp.used); printf("Error parsing response!\n"); exit(-1); } else { lim = TRUE; } } printf("\n"); if (lim) { printf("State : %d\n",dainfo_lim.state); printf("Actions : 0x%08x\n",dainfo_lim.actionAtThreshold.actions); ctr = 0; while (ctr < dainfo_lim.vendorData.size) { printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]); ctr++; } } else { printf("State : %d\n",dainfo.state); printf("currentCount : %d\n",dainfo.currentCount); printf("thresholdCount : %d\n",dainfo.thresholdCount); printf("Actions : 0x%08x\n",dainfo.actionAtThreshold.actions); printf("actionDependValue : %d\n",dainfo.actionDependValue); #if 0 ctr = 0; while (ctr < dainfo_lim.vendorData.size) { printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]); ctr++; } #endif } } break; } } else if (TYPE_VARIOUS == matrx[index].result_size) { switch(cap) { case TPM_CAP_MFR: switch (scap) { case TPM_CAP_PROCESS_ID: { uint32_t rsp; rsp = LOAD32(resp.buffer,0); printf("%d\n",rsp); } break; } break; /* TPM_CAP_MFR */ default: /* Show booleans */ if (scap == TPM_CAP_PROP_OWNER || scap == TPM_CAP_PROP_DAA_INTERRUPT ) { if (0 == resp.buffer[0]) { printf("FALSE\n"); } else { printf("TRUE\n"); } } else /* check for array of 4 UINTs */ if (scap == TPM_CAP_PROP_TIS_TIMEOUT /* || scap == TPM_CAP_PROP_TIMEOUTS */) { int i = 0; while (i < 4) { uint32_t val = LOAD32(resp.buffer,i * 4); printf("%d ", val); i++; } printf("\n"); } else /* check for TPM_STARTUP_EFFECTS */ if (scap == TPM_CAP_PROP_STARTUP_EFFECT) { TPM_STARTUP_EFFECTS se = 0; ret = TPM_ReadStartupEffects(resp.buffer, &se); if ( ( ret & ERR_MASK ) != 0 ) { printf("Could not read startup effects structure.\n"); exit(-1); } printf("0x%08X=%d\n", (unsigned int)se, (unsigned int)se); printf("\n"); printf("Startup effects:\n"); printf("Effect on audit digest: %s\n", (se & (1 << 7)) ? "none" : "active"); printf("Audit Digest on TPM_Startup(ST_CLEAR): %s\n", ( se & (1 << 6)) ? "set to NULL" : "not set to NULL" ); printf("Audit Digest on TPM_Startup(any) : %s\n", ( se & (1 << 5)) ? "set to NULL" : "not set to NULL" ); printf("TPM_RT_KEY resource initialized on TPM_Startup(ST_ANY) : %s\n", (se & ( 1 << 4)) ? "yes" : "no"); printf("TPM_RT_AUTH resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 3)) ? "yes" : "no"); printf("TPM_RT_HASH resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 2)) ? "yes" : "no"); printf("TPM_RT_TRANS resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 1)) ? "yes" : "no"); printf("TPM_RT_CONTEXT session initialized on TPM_Startup(ST_STATE): %s\n", (se & ( 1 << 0)) ? "yes" : "no"); } else /* check for array of 3 UINTs */ if (scap == TPM_CAP_PROP_DURATION) { int i = 0; while (i < 4*3) { uint32_t val = LOAD32(resp.buffer,i); printf("%d ", val); i+= 4; } printf("\n"); } else /* check for TPM_COUNT_ID */ if (scap == TPM_CAP_PROP_ACTIVE_COUNTER) { uint32_t val = LOAD32(resp.buffer,0); printf("0x%08X=%d",val,val); if (0xffffffff == val) { printf(" (no counter is active)"); } printf("\n"); } else { /* just a single UINT32 */ printf("%ld=0x%08lX.\n", (long)LOAD32(resp.buffer, 0), (long)LOAD32(resp.buffer, 0)); } } } } printf("\n"); exit(0); }
int main(int argc, char *argv[]) { uint32_t startOrdinal = -1; int ret; int verbose = FALSE; TPM_COUNTER_VALUE counter; int i = 1; char * keypass = NULL; unsigned char keyAuth[TPM_HASH_SIZE]; unsigned char * keyAuthPtr = NULL; uint32_t keyhandle = -1; STACK_TPM_BUFFER(signature); unsigned char digest[TPM_DIGEST_SIZE]; unsigned char ordinalDigest[TPM_DIGEST_SIZE]; unsigned char antiReplay[TPM_NONCE_SIZE]; TPM_setlog(0); TSS_gennonce(antiReplay); while (i < argc) { if (!strcmp("-s",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%d",&startOrdinal); } else { printf("Missing parameter for -s.\n"); usage(); } } else if (!strcmp("-h",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&keyhandle); } else { printf("Missing parameter for -h.\n"); usage(); } } else if (!strcmp("-p",argv[i])) { i++; if (i < argc) { keypass = argv[i]; } else { printf("Missing parameter for -p.\n"); usage(); } } else if (!strcmp("-v",argv[i])) { verbose = TRUE; TPM_setlog(1); } else { printf("\n%s is not a valid option\n", argv[i]); usage(); } i++; } (void)verbose; if (-1 == (int)startOrdinal || -1 == (int)keyhandle) { printf("Missing command line parameter.\n"); usage(); } if (NULL != keypass) { TSS_sha1(keypass,strlen(keypass),keyAuth); keyAuthPtr = keyAuth; } ret = TPM_GetAuditDigestSigned(keyhandle, FALSE, keyAuthPtr, antiReplay, &counter, digest, ordinalDigest, &signature); if (0 != ret) { printf("Error %s from GetAuditDigestSigned.\n", TPM_GetErrMsg(ret)); } else { TPM_SIGN_INFO tsi; STACK_TPM_BUFFER(tsi_ser); STACK_TPM_BUFFER(serial); STACK_TPM_BUFFER(ctr_ser); pubkeydata pubkey; RSA *rsa; i = 0; printf("AuditDigest : "); while (i < (int)sizeof(digest)) { printf("%02X",digest[i]); i++; } printf("\n"); i = 0; printf("OrdinalDigest : "); while (i < (int)sizeof(digest)) { printf("%02X",ordinalDigest[i]); i++; } printf("\n"); ret = TPM_GetPubKey(keyhandle, keyAuthPtr, &pubkey); if (ret != 0) { printf("Could not get public key of signing key.\n"); exit(-1); } rsa = TSS_convpubkey(&pubkey); if (!rsa) { printf("Could not convert public key.\n"); exit(-1); } tsi.tag = TPM_TAG_SIGNINFO; memcpy(tsi.fixed, "ADIG", 4); memcpy(tsi.replay, antiReplay, sizeof(antiReplay)); /* D4=ordinalDigest */ TPM_WriteCounterValue(&ctr_ser, &counter); memcpy(&serial.buffer[0], digest, sizeof(digest)); memcpy(&serial.buffer[sizeof(digest)], ctr_ser.buffer, ctr_ser.used); memcpy(&serial.buffer[sizeof(digest)+ctr_ser.used], ordinalDigest, sizeof(ordinalDigest)); serial.used = sizeof(digest) + ctr_ser.used + sizeof(ordinalDigest); tsi.data.size = serial.used; tsi.data.buffer = serial.buffer; ret = TPM_WriteSignInfo(&tsi_ser, &tsi); if ((ret & ERR_MASK)) { printf("Error serializing TPM_SIGN_INFO.\n"); exit(-1); } ret = TPM_ValidateSignature(TPM_SS_RSASSAPKCS1v15_SHA1, &tsi_ser, &signature, rsa); if (ret != 0) { printf("Error validating signature.\n"); exit(-1); } printf("Signature verification successful.\n"); } exit(ret); }
int main(int argc, char *argv[]) { int ret; /* general return value */ uint32_t keyhandle = 0; /* handle of quote key */ unsigned int pcrmask = 0; /* pcr register mask */ unsigned char passhash1[TPM_HASH_SIZE]; /* hash of key password */ unsigned char data[TPM_HASH_SIZE];/* nonce data */ STACK_TPM_BUFFER(signature); pubkeydata pubkey; /* public key structure */ RSA *rsa; /* openssl RSA public key */ unsigned char *passptr; TPM_PCR_SELECTION selection; TPM_PCR_INFO_SHORT s1; TPM_QUOTE_INFO2 quoteinfo; STACK_TPM_BUFFER( serQuoteInfo ) uint32_t pcrs; int i; uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1; TPM_BOOL addVersion = FALSE; STACK_TPM_BUFFER(versionblob); static char *keypass = NULL; TPM_setlog(0); /* turn off verbose output from TPM driver */ for (i=1 ; i<argc ; i++) { if (strcmp(argv[i],"-hk") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &keyhandle)) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } } else { printf("-hk option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-pwdk")) { i++; if (i < argc) { keypass = argv[i]; } else { printf("Missing parameter to -pwdk\n"); printUsage(); } } else if (strcmp(argv[i],"-bm") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &pcrmask)) { printf("Invalid -bm argument '%s'\n",argv[i]); exit(2); } } else { printf("-bm option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-vinfo")) { addVersion = TRUE; printf("Adding version info.\n"); } else if (!strcmp(argv[i], "-h")) { printUsage(); } else if (!strcmp(argv[i], "-v")) { TPM_setlog(1); } else { printf("\n%s is not a valid option\n", argv[i]); printUsage(); } } if ((keyhandle == 0) || (pcrmask == 0)) { printf("Missing argument\n"); printUsage(); } memset(&s1, 0x0, sizeof(s1)); /* ** Parse and process the command line arguments */ /* get the SHA1 hash of the password string for use as the Key Authorization Data */ if (keypass != NULL) { TSS_sha1((unsigned char *)keypass,strlen(keypass),passhash1); passptr = passhash1; } else { passptr = NULL; } /* for testing, use the password hash as the test nonce */ memcpy(data,passhash1,TPM_HASH_SIZE); ret = TPM_GetNumPCRRegisters(&pcrs); if (ret != 0) { printf("Error reading number of PCR registers.\n"); exit(-1); } if (pcrs > TPM_NUM_PCR) { printf("Library does not support that many PCRs.\n"); exit(-1); } memset(&selection, 0x0, sizeof(selection)); selection.sizeOfSelect = pcrs / 8; for (i = 0; i < selection.sizeOfSelect; i++) { selection.pcrSelect[i] = (pcrmask & 0xff); pcrmask >>= 8; } /* ** perform the TPM Quote function */ ret = TPM_Quote2(keyhandle, /* key handle */ &selection, /* specify PCR registers */ addVersion, /* add Version */ passptr, /* Key Password (hashed), or null */ data, /* nonce data */ &s1, /* pointer to pcr info */ &versionblob, /* pointer to TPM_CAP_VERSION_INFO */ &signature); /* buffer to receive result, int to receive result length */ if (ret != 0) { printf("Error '%s' from TPM_Quote2\n",TPM_GetErrMsg(ret)); exit(ret); } /* ** Get the public key and convert to an OpenSSL RSA public key */ ret = TPM_GetPubKey(keyhandle,passptr,&pubkey); if (ret != 0) { printf("Error '%s' from TPM_GetPubKey\n",TPM_GetErrMsg(ret)); exit(ret); } rsa = TSS_convpubkey(&pubkey); /* ** fill the quote info structure and calculate the hashes needed for verification */ quoteinfo.tag = TPM_TAG_QUOTE_INFO2; memcpy(&(quoteinfo.fixed),"QUT2",4); quoteinfo.infoShort = s1; memcpy(&(quoteinfo.externalData),data,TPM_NONCE_SIZE); unsigned char *corey_ptr = (unsigned char *)"einfo; unsigned int x; printf("quote info: \n"); for (x=0;x<128;x++) { if (x != 0 && x % 16 == 0) printf("\n"); printf("%02x ", corey_ptr[x]); } printf("\n"); /* create the hash of the quoteinfo structure for signature verification */ ret = TPM_WriteQuoteInfo2(&serQuoteInfo, "einfo); if ( ( ret & ERR_MASK ) != 0) { exit(-1); } printf("serquoteinfo: \n"); for (x=0;x<128;x++) { if (x != 0 && x % 16 == 0) printf("\n"); printf("%02x ", serQuoteInfo.buffer[x]); } printf("\n"); /* append version information if given in response */ if (addVersion) { printf("addversion is called\n"); memcpy(serQuoteInfo.buffer + serQuoteInfo.used, versionblob.buffer, versionblob.used); serQuoteInfo.used += versionblob.used; } ret = TPM_ValidateSignature(sigscheme, &serQuoteInfo, &signature, rsa); if (ret != 0) { printf("Verification failed\n"); } else { printf("Verification succeeded\n"); } RSA_free(rsa); exit(ret); }
int main(int argc, char * argv[]) { char * ownerpass = NULL; char * migpass = NULL; char * parpass = NULL; char * filename = NULL; char * migkeyfile = NULL; char * migkeypass = NULL; uint32_t parhandle = -1; /* handle of parent key */ unsigned char * passptr1 = NULL; unsigned char passhash1[20]; unsigned char hashpass1[20]; /* hash of new key password */ unsigned char hashpass3[20]; /* hash of parent key password */ unsigned char hashpass4[20]; /* hash of migration key pwd */ uint32_t ret = 0; int i = 0; keydata keyparms; keydata idkey; unsigned char *aptr1 = NULL; unsigned char *aptr3 = NULL; unsigned char *aptr4 = NULL; keydata migkey; uint16_t migscheme = TPM_MS_RESTRICT_MIGRATE; uint32_t sigTicketSize = 0; char * msa_list_filename = NULL; TPM_MSA_COMPOSITE msaList = {0, NULL}; char * keyfile = NULL; keydata q; uint32_t sigkeyhandle = -1; char * sigkeypass = NULL; unsigned char sigkeypasshash[TPM_HASH_SIZE]; unsigned char * sigkeypassptr = NULL; unsigned char sigTicket[TPM_HASH_SIZE]; TPM_CMK_AUTH restrictTicket; TPM_CMK_AUTH *restrictTicketParameter; /* parameter to command function call */ unsigned char resTicketHash[TPM_HASH_SIZE]; memset(&keyparms, 0x0, sizeof(keyparms)); memset(&idkey , 0x0, sizeof(idkey)); memset(&restrictTicket, 0x0, sizeof(restrictTicket)); i = 1; TPM_setlog(0); while (i < argc) { if (!strcmp("-hp",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&parhandle); } else { printf("Missing parameter for -hp.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdp",argv[i])) { i++; if (i < argc) { parpass = argv[i]; } else { printf("Missing parameter for -pwdp.\n"); usage(); exit(-1); } } else if (!strcmp("-ok",argv[i])) { i++; if (i < argc) { filename = argv[i]; } else { printf("Missing parameter for -ok.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdo",argv[i])) { i++; if (i < argc) { ownerpass = argv[i]; } else { printf("Missing parameter for -pwdo.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdm",argv[i])) { i++; if (i < argc) { migpass = argv[i]; } else { printf("Missing parameter for -pwdm.\n"); usage(); exit(-1); } } else if (!strcmp("-msa",argv[i])) { i++; if (i < argc) { msa_list_filename = argv[i]; } else { printf("Missing parameter for -msa.\n"); usage(); exit(-1); } } else if (!strcmp("-ik",argv[i])) { i++; if (i < argc) { keyfile = argv[i]; } else { printf("Missing parameter for -ik.\n"); usage(); exit(-1); } } else if (!strcmp("-im",argv[i])) { i++; if (i < argc) { migkeyfile = argv[i]; } else { printf("Missing parameter for -im.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdk",argv[i])) { i++; if (i < argc) { migkeypass = argv[i]; } else { printf("Missing parameter for -pwdk.\n"); usage(); exit(-1); } } else if (!strcmp("-v",argv[i])) { TPM_setlog(1); } else if (!strcmp("-hs",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&sigkeyhandle); } else { printf("Missing mandatory parameter for -hs.\n"); usage(); exit(-1); } } else if (!strcmp("-pwds",argv[i])) { i++; if (i < argc) { sigkeypass = argv[i]; } else { printf("Missing mandatory parameter for -pwds.\n"); usage(); exit(-1); } } else if (!strcmp("-double",argv[i])) { migscheme = TPM_MS_RESTRICT_APPROVE; } else { printf("Unknown option '%s'.",argv[i]); usage(); exit(-1); } i++; } if (NULL == keyfile || NULL == ownerpass || -1 == (int)parhandle || NULL == migkeyfile || NULL == msa_list_filename) { printf("Missing or wrong parameter.\n"); usage(); exit(-1); } if (TPM_MS_RESTRICT_APPROVE == migscheme) { if (-1 == (int)sigkeyhandle) { printf("Must provide signing key data when '-double' has been selected.\n"); exit(-1); } } if (NULL != ownerpass) { TSS_sha1(ownerpass,strlen(ownerpass),passhash1); passptr1 = passhash1; } else { passptr1 = NULL; } if (NULL !=sigkeypass) { TSS_sha1(sigkeypass, strlen(sigkeypass), sigkeypasshash); sigkeypassptr = sigkeypasshash; } else { sigkeypassptr = NULL; } /* ** use the SHA1 hash of the password string as the Parent Key Authorization Data */ if (parpass != NULL) { TSS_sha1(parpass,strlen(parpass),hashpass1); aptr1 = hashpass1; } /* ** use the SHA1 hash of the password string as the Key Migration Authorization Data */ if (migpass != NULL) { TSS_sha1(migpass,strlen(migpass),hashpass3); aptr3 = hashpass3; } /* ** use the SHA1 hash of the password string as the Key Migration Authorization Data */ if (migkeypass != NULL) { TSS_sha1(migkeypass,strlen(migkeypass),hashpass4); aptr4 = hashpass4; } /* * * - Create an RSA key pair. * - Call TPM_AuthorizeMigrationKey for the RSA public key authorization * - Call TPM_CreateMigrationBlob with the result from AuthorizeMigrationKey * and the encrypted TPM_STORE_ASYMKEY structure * */ /* * readthe msa list from the file. */ ret = TPM_ReadMSAFile(msa_list_filename, &msaList); if ( ( ret & ERR_MASK ) != 0) { printf("Error while reading msa list file.\n"); exit(-1); } /* ** create and wrap an asymmetric key and get back the ** resulting keydata structure with the public and encrypted ** private keys filled in by the TPM */ /* * q is the key that we want to migrate. Create one such key. * migkey is the (public) key part from another TPM that we want to use * to migrate q. Since I am not loading a public key from another TPM, * I create a migration key here as well. I must never refer to this * key via any handle or load it into the TPM */ printf("Loading the (public) key to use for migration...\n"); if (0 == ret) { printf("Migration key is: %s\n",migkeyfile); ret = TPM_ReadKeyfile(migkeyfile, &migkey); if ((ret & ERR_MASK)) { ret = TPM_ReadPubKeyfile(migkeyfile, &migkey.pub); if ((ret & ERR_MASK)) { printf("Could not read the keyfile %s as a " "key or a pubkey.\n", migkeyfile); exit(-1); } } ret = TPM_ReadKeyfile(keyfile, &q); if ((ret & ERR_MASK)) { printf("Could not read the keyfile %s.\n", keyfile); } } /* * Create a ticket if needed. */ if (migscheme == TPM_MS_RESTRICT_APPROVE) { keydata signingkey; unsigned char signatureValue[2048]; uint32_t signatureValueSize = sizeof(signatureValue); STACK_TPM_BUFFER(sigkey) /* * Get the public key part of the signing key. */ ret = TPM_GetPubKey(sigkeyhandle, sigkeypassptr, &signingkey.pub); if ( 0 != ret ) { printf("Error %s while retrieving public signing key.\n", TPM_GetErrMsg(ret)); exit(-1); } /* * Build the restrictTicket!!! */ restrictTicketParameter = &restrictTicket; /* command needs restrictTicket */ ret = TPM_HashPubKey(&q, restrictTicket.sourceKeyDigest); if ( ( ret & ERR_MASK ) != 0) { printf("Could not calculate hash over the public key of the key to be migrated.\n"); exit(ret); } ret = TPM_HashPubKey(&migkey, restrictTicket.destinationKeyDigest); if ( ( ret & ERR_MASK ) != 0) { printf("Could not calculate hash over the public key of the migration key.\n"); exit(ret); } ret = TPM_HashCMKAuth(&restrictTicket, resTicketHash); ret = TPM_Sign(sigkeyhandle, sigkeypassptr, resTicketHash, sizeof(resTicketHash), signatureValue, &signatureValueSize); if ( 0 != ret) { printf("Error %s while sigining.\n", TPM_GetErrMsg(ret)); exit(ret); } ret = TPM_CMK_CreateTicket(&signingkey, resTicketHash, signatureValue, signatureValueSize, passptr1, sigTicket); sigTicketSize = TPM_DIGEST_SIZE; } else { /* TPM_MS_RESTRICT_MIGRATE */ restrictTicketParameter = NULL; /* command does not need restrictTicket */ } if (0 == ret) { if (0 == ret) { STACK_TPM_BUFFER( keyblob) STACK_TPM_BUFFER( migblob); keydata keyd; memset(&keyd, 0x0, sizeof(keyd)); ret = TPM_WriteKeyPub(&keyblob, &migkey); if ((ret & ERR_MASK) != 0) { printf("Could not serialize the keydata: %s\n", TPM_GetErrMsg(ret)); exit(-1); } ret = TPM_AuthorizeMigrationKey(passptr1, migscheme, // migration scheme &keyblob, // public key to be authorized &migblob); if (0 == ret) { unsigned char rndblob[1024]; uint32_t rndblen = sizeof(rndblob); unsigned char outblob[1024]; uint32_t outblen = sizeof(outblob); unsigned char sourceKeyDigest[TPM_DIGEST_SIZE]; unsigned char encblob[1024]; uint32_t encblen; memcpy(encblob, q.encData.buffer, q.encData.size); encblen = q.encData.size; if (0!= ret) { printf("Error occurred while creating encrypted blob.\n"); exit (-1); } TPM_HashPubKey(&q,sourceKeyDigest); printf("parhandle = %x\n",parhandle); /* * Now call the TPM_CreateMigrationBlob function. */ ret = TPM_CMK_CreateBlob(parhandle, // handle of a key that can decrypt the encblob below aptr1, // password for that parent key migscheme, &migblob, sourceKeyDigest, &msaList, restrictTicketParameter, /* either NULL or restrictTicket */ sigTicket, sigTicketSize, encblob, encblen, // encrypted private key that will show up re-encrypted in outblob rndblob, &rndblen, // output: used for xor encryption outblob, &outblen);// output: re-encrypted private key if (0 == ret) { if (NULL != filename) { STACK_TPM_BUFFER(keybuf) // serialize the key in 'q' ret = TPM_WriteKey(&keybuf,&q); if (ret > 0) { unsigned int keybuflen = ret; FILE * f = fopen(filename,"wb"); if (NULL != f) { struct tpm_buffer * filebuf = TSS_AllocTPMBuffer(10240); if (NULL != filebuf) { int l; l = TSS_buildbuff("@ @ @",filebuf, rndblen, rndblob, outblen, outblob, keybuflen, keybuf.buffer); fwrite(filebuf->buffer, l, 1, f); fclose(f); TSS_FreeTPMBuffer(filebuf); printf("Wrote migration blob and associated data to file.\n"); ret = 0; } else { printf("Error. Could not allocate memory.\n"); ret = -1; } } else { printf("Error. Could not write blob to file.\n"); ret = -1; } } else { printf("Error while serializing key!\n"); } } else { } } else { printf("CMK_CreateBlob returned '%s' (%d).\n", TPM_GetErrMsg(ret), ret); } } else { printf("AuthorizeMigrationKey returned '%s' (0x%x).\n", TPM_GetErrMsg(ret), ret); } } else { } } else { } return ret; }
int main(int argc, char *argv[]) { int ret; /* general return value */ uint32_t keyhandle = 0; /* handle of quote key */ unsigned int pcrmask = 0; /* pcr register mask */ unsigned char passhash1[TPM_HASH_SIZE]; /* hash of key password */ unsigned char nonce[TPM_NONCE_SIZE]; /* nonce data */ STACK_TPM_BUFFER(signature); pubkeydata pubkey; /* public key structure */ unsigned char *passptr; TPM_PCR_COMPOSITE tpc; STACK_TPM_BUFFER (ser_tpc); STACK_TPM_BUFFER (ser_tqi); STACK_TPM_BUFFER (response); uint32_t pcrs; int i; uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1; TPM_PCR_SELECTION tps; static char *keypass = NULL; const char *certFilename = NULL; int verbose = FALSE; TPM_setlog(0); /* turn off verbose output from TPM driver */ for (i=1 ; i<argc ; i++) { if (strcmp(argv[i],"-hk") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &keyhandle)) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } if (keyhandle == 0) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } } else { printf("-hk option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-pwdk")) { i++; if (i < argc) { keypass = argv[i]; } else { printf("Missing parameter to -pwdk\n"); printUsage(); } } else if (strcmp(argv[i],"-bm") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &pcrmask)) { printf("Invalid -bm argument '%s'\n",argv[i]); exit(2); } } else { printf("-bm option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-cert")) { i++; if (i < argc) { certFilename = argv[i]; } else { printf("Missing parameter to -cert\n"); printUsage(); } } else if (!strcmp(argv[i], "-h")) { printUsage(); } else if (!strcmp(argv[i], "-v")) { verbose = TRUE; TPM_setlog(1); } else { printf("\n%s is not a valid option\n", argv[i]); printUsage(); } } if ((keyhandle == 0) || (pcrmask == 0)) { printf("Missing argument\n"); printUsage(); } /* get the SHA1 hash of the password string for use as the Key Authorization Data */ if (keypass != NULL) { TSS_sha1((unsigned char *)keypass, strlen(keypass), passhash1); passptr = passhash1; } else { passptr = NULL; } /* for testing, use the password hash as the test nonce */ memcpy(nonce, passhash1, TPM_HASH_SIZE); ret = TPM_GetNumPCRRegisters(&pcrs); if (ret != 0) { printf("Error reading number of PCR registers.\n"); exit(-1); } if (pcrs > TPM_NUM_PCR) { printf("Library does not support that many PCRs.\n"); exit(-1); } tps.sizeOfSelect = pcrs / 8; for (i = 0; i < tps.sizeOfSelect; i++) { tps.pcrSelect[i] = (pcrmask & 0xff); pcrmask >>= 8; } /* ** perform the TPM Quote function */ ret = TPM_Quote(keyhandle, /* KEY handle */ passptr, /* Key Password (hashed), or null */ nonce, /* nonce data */ &tps, /* specify PCR registers */ &tpc, /* pointer to pcr composite */ &signature);/* buffer to receive result, int to receive result length */ if (ret != 0) { printf("Error '%s' from TPM_Quote\n", TPM_GetErrMsg(ret)); exit(ret); } /* ** Get the public key and convert to an OpenSSL RSA public key */ ret = TPM_GetPubKey(keyhandle, passptr, &pubkey); if (ret != 0) { printf("quote: Error '%s' from TPM_GetPubKey\n", TPM_GetErrMsg(ret)); exit(-6); } ret = TPM_ValidatePCRCompositeSignature(&tpc, nonce, &pubkey, &signature, sigscheme); if (ret) { printf("Error %s from validating the signature over the PCR composite.\n", TPM_GetErrMsg(ret)); exit(ret); } printf("Verification against AIK succeeded\n"); /* optionally verify the quote signature against the key certificate */ if (certFilename != NULL) { unsigned char *certStream = NULL; /* freed @1 */ uint32_t certStreamLength; X509 *x509Certificate = NULL; /* freed @2 */ unsigned char *tmpPtr; /* because d2i_X509 moves the ptr */ /* AIK public key parts */ RSA *rsaKey = NULL; /* freed @3 */ if (verbose) printf("quote: verifying the signature against the certificate\n"); /* load the key certificate */ if (ret == 0) { ret = TPM_ReadFile(certFilename, &certStream, /* freed @1 */ &certStreamLength); } /* convert to openssl X509 */ if (ret == 0) { if (verbose) printf("quote: parsing the certificate stream\n"); tmpPtr = certStream; x509Certificate = d2i_X509(NULL, (const unsigned char **)&tmpPtr, certStreamLength); if (x509Certificate == NULL) { printf("Error in certificate deserialization d2i_X509()\n"); ret = -1; } } if (ret == 0) { if (verbose) printf("quote: get the certificate public key\n"); ret = GetRSAKey(&rsaKey, /* freed @3 */ x509Certificate); } if (ret == 0) { if (verbose) printf("quote: quote validate signature\n"); ret = TPM_ValidatePCRCompositeSignatureRSA(&tpc, nonce, rsaKey, &signature, sigscheme); if (ret != 0) { printf("Verification against certificate failed\n"); } } if (ret == 0) { printf("Verification against certificate succeeded\n"); } free(certStream); /* @1 */ X509_free(x509Certificate); /* @2 */ RSA_free(rsaKey); /* @3 */ } exit(ret); }