int PEM_write(FILE *fp, char *name, char *header, unsigned char *data,
long len)
{
BIO *b;
int ret;
if ((b=BIO_new(BIO_s_file())) == NULL)
{
PEMerr(PEM_F_PEM_WRITE,ERR_R_BUF_LIB);
return(0);
}
BIO_set_fp(b,fp,BIO_NOCLOSE);
ret=PEM_write_bio(b, name, header, data,len);
BIO_free(b);
return(ret);
}
int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
char *x, const EVP_CIPHER *enc, unsigned char *kstr,
int klen, pem_password_cb *callback, void *u)
{
EVP_CIPHER_CTX ctx;
int dsize=0,i,j,ret=0;
unsigned char *p,*data=NULL;
const char *objstr=NULL;
char buf[PEM_BUFSIZE];
unsigned char key[EVP_MAX_KEY_LENGTH];
unsigned char iv[EVP_MAX_IV_LENGTH];
if (enc != NULL)
{
objstr=OBJ_nid2sn(EVP_CIPHER_nid(enc));
if (objstr == NULL)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_UNSUPPORTED_CIPHER);
goto err;
}
}
if ((dsize=i2d(x,NULL)) < 0)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB);
dsize=0;
goto err;
}
/* dzise + 8 bytes are needed */
/* actually it needs the cipher block size extra... */
data=(unsigned char *)OPENSSL_malloc((unsigned int)dsize+20);
if (data == NULL)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
goto err;
}
p=data;
i=i2d(x,&p);
if (enc != NULL)
{
if (kstr == NULL)
{
if (callback == NULL)
klen=PEM_def_callback(buf,PEM_BUFSIZE,1,u);
else
klen=(*callback)(buf,PEM_BUFSIZE,1,u);
if (klen <= 0)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_READ_KEY);
goto err;
}
#ifdef CHARSET_EBCDIC
/* Convert the pass phrase from EBCDIC */
ebcdic2ascii(buf, buf, klen);
#endif
kstr=(unsigned char *)buf;
}
RAND_add(data,i,0);/* put in the RSA key. */
OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */
goto err;
/* The 'iv' is used as the iv and as a salt. It is
* NOT taken from the BytesToKey function */
EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf);
buf[0]='\0';
PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv);
/* k=strlen(buf); */
EVP_CIPHER_CTX_init(&ctx);
EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv);
EVP_EncryptUpdate(&ctx,data,&j,data,i);
EVP_EncryptFinal_ex(&ctx,&(data[j]),&i);
EVP_CIPHER_CTX_cleanup(&ctx);
i+=j;
ret=1;
}
else
{
ret=1;
buf[0]='\0';
}
i=PEM_write_bio(bp,name,buf,data,i);
if (i <= 0) ret=0;
err:
OPENSSL_cleanse(key,sizeof(key));
OPENSSL_cleanse(iv,sizeof(iv));
OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
OPENSSL_cleanse(buf,PEM_BUFSIZE);
if (data != NULL)
{
OPENSSL_cleanse(data,(unsigned int)dsize);
OPENSSL_free(data);
}
return(ret);
}
int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
void *x, const EVP_CIPHER *enc, unsigned char *kstr,
int klen, pem_password_cb *callback, void *u)
{
EVP_CIPHER_CTX *ctx = NULL;
int dsize = 0, i = 0, j = 0, ret = 0;
unsigned char *p, *data = NULL;
const char *objstr = NULL;
char buf[PEM_BUFSIZE];
unsigned char key[EVP_MAX_KEY_LENGTH];
unsigned char iv[EVP_MAX_IV_LENGTH];
if (enc != NULL) {
objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0
|| EVP_CIPHER_iv_length(enc) > (int)sizeof(iv)
/*
* Check "Proc-Type: 4,Encrypted\nDEK-Info: objstr,hex-iv\n"
* fits into buf
*/
|| (strlen(objstr) + 23 + 2 * EVP_CIPHER_iv_length(enc) + 13)
> sizeof(buf)) {
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER);
goto err;
}
}
if ((dsize = i2d(x, NULL)) < 0) {
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, ERR_R_ASN1_LIB);
dsize = 0;
goto err;
}
/* dsize + 8 bytes are needed */
/* actually it needs the cipher block size extra... */
data = OPENSSL_malloc((unsigned int)dsize + 20);
if (data == NULL) {
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, ERR_R_MALLOC_FAILURE);
goto err;
}
p = data;
i = i2d(x, &p);
if (enc != NULL) {
if (kstr == NULL) {
if (callback == NULL)
klen = PEM_def_callback(buf, PEM_BUFSIZE, 1, u);
else
klen = (*callback) (buf, PEM_BUFSIZE, 1, u);
if (klen <= 0) {
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_READ_KEY);
goto err;
}
#ifdef CHARSET_EBCDIC
/* Convert the pass phrase from EBCDIC */
ebcdic2ascii(buf, buf, klen);
#endif
kstr = (unsigned char *)buf;
}
if (RAND_bytes(iv, EVP_CIPHER_iv_length(enc)) <= 0) /* Generate a salt */
goto err;
/*
* The 'iv' is used as the iv and as a salt. It is NOT taken from
* the BytesToKey function
*/
if (!EVP_BytesToKey(enc, EVP_md5(), iv, kstr, klen, 1, key, NULL))
goto err;
if (kstr == (unsigned char *)buf)
OPENSSL_cleanse(buf, PEM_BUFSIZE);
buf[0] = '\0';
PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
PEM_dek_info(buf, objstr, EVP_CIPHER_iv_length(enc), (char *)iv);
/* k=strlen(buf); */
ret = 1;
if ((ctx = EVP_CIPHER_CTX_new()) == NULL
|| !EVP_EncryptInit_ex(ctx, enc, NULL, key, iv)
|| !EVP_EncryptUpdate(ctx, data, &j, data, i)
|| !EVP_EncryptFinal_ex(ctx, &(data[j]), &i))
ret = 0;
if (ret == 0)
goto err;
i += j;
} else {
ret = 1;
buf[0] = '\0';
}
i = PEM_write_bio(bp, name, buf, data, i);
if (i <= 0)
ret = 0;
err:
OPENSSL_cleanse(key, sizeof(key));
OPENSSL_cleanse(iv, sizeof(iv));
EVP_CIPHER_CTX_free(ctx);
OPENSSL_cleanse(buf, PEM_BUFSIZE);
OPENSSL_clear_free(data, (unsigned int)dsize);
return ret;
}
int main(int argc, char **argv)
{
TSS_HCONTEXT hContext;
TSS_FLAG initFlags = TSS_KEY_TYPE_LEGACY | TSS_KEY_VOLATILE;
TSS_HKEY hKey;
TSS_HKEY hSRK;
TSS_RESULT result;
TSS_HPOLICY srkUsagePolicy, keyUsagePolicy, keyMigrationPolicy;
BYTE *blob;
UINT32 blob_size, srk_authusage;
BIO *outb;
ASN1_OCTET_STRING *blob_str;
unsigned char *blob_asn1 = NULL;
int asn1_len;
char *filename, c, *openssl_key = NULL;
int option_index, auth = 0, popup = 0, wrap = 0, well_known = 0;
UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
UINT32 key_size = 2048;
RSA *rsa;
while (1) {
option_index = 0;
c = getopt_long(argc, argv, "pe:q:s:azhw:",
long_options, &option_index);
if (c == -1)
break;
switch (c) {
case 'a':
initFlags |= TSS_KEY_AUTHORIZATION;
auth = 1;
break;
case 'h':
usage(argv[0]);
break;
case 's':
key_size = atoi(optarg);
break;
case 'e':
if (!strncasecmp("oaep", optarg, 4)) {
enc_scheme = TSS_ES_RSAESOAEP_SHA1_MGF1;
} else if (strncasecmp("pkcs", optarg, 4)) {
usage(argv[0]);
}
break;
case 'q':
if (!strncasecmp("der", optarg, 3)) {
sig_scheme = TSS_SS_RSASSAPKCS1V15_SHA1;
} else if (strncasecmp("sha", optarg, 3)) {
usage(argv[0]);
}
break;
case 'p':
initFlags |= TSS_KEY_AUTHORIZATION;
auth = 1;
popup = 1;
break;
case 'w':
initFlags |= TSS_KEY_MIGRATABLE;
wrap = 1;
openssl_key = optarg;
break;
case 'z':
well_known = 1;
break;
default:
usage(argv[0]);
break;
}
}
/* set up the key option flags */
switch (key_size) {
case 512:
initFlags |= TSS_KEY_SIZE_512;
break;
case 1024:
initFlags |= TSS_KEY_SIZE_1024;
break;
case 2048:
initFlags |= TSS_KEY_SIZE_2048;
break;
case 4096:
initFlags |= TSS_KEY_SIZE_4096;
break;
case 8192:
initFlags |= TSS_KEY_SIZE_8192;
break;
case 16384:
initFlags |= TSS_KEY_SIZE_16384;
break;
default:
usage(argv[0]);
break;
}
#if 0
while (argc--) {
printf("argv[%d] = \"%s\"\n", argc, argv[argc]);
}
exit(1);
#endif
filename = argv[argc - 1];
if (argc < 2 || filename[0] == '-')
usage(argv[0]);
//Create Context
if ((result = Tspi_Context_Create(&hContext))) {
print_error("Tspi_Context_Create", result);
exit(result);
}
//Connect Context
if ((result = Tspi_Context_Connect(hContext, NULL))) {
print_error("Tspi_Context_Connect", result);
Tspi_Context_Close(hContext);
exit(result);
}
//Create Object
if ((result = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
initFlags, &hKey))) {
print_error("Tspi_Context_CreateObject", result);
Tspi_Context_Close(hContext);
exit(result);
}
if ((result = Tspi_SetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
sig_scheme))) {
print_error("Tspi_SetAttribUint32", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
if ((result = Tspi_SetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
enc_scheme))) {
print_error("Tspi_SetAttribUint32", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
//Load Key By UUID
if ((result = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM,
SRK_UUID, &hSRK))) {
print_error("Tspi_Context_LoadKeyByUUID", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
if ((result = Tspi_GetAttribUint32(hSRK, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_AUTHUSAGE,
&srk_authusage))) {
print_error("Tspi_GetAttribUint32", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
if (srk_authusage) {
if ((result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE,
&srkUsagePolicy))) {
print_error("Tspi_GetPolicyObject", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
if (well_known) {
BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
//Set Well Known Secret
if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
TSS_SECRET_MODE_SHA1,
sizeof(well_known_secret),
(BYTE *)well_known_secret))) {
print_error("Tspi_Policy_SetSecret", result);
Tspi_Context_Close(hContext);
exit(result);
}
} else {
char *authdata = calloc(1, 128);
if (!authdata) {
fprintf(stderr, "malloc failed.\n");
Tspi_Context_Close(hContext);
exit(result);
}
if (EVP_read_pw_string(authdata, 128, "SRK Password: "******"Tspi_Policy_SetSecret", result);
free(authdata);
Tspi_Context_Close(hContext);
exit(result);
}
free(authdata);
}
}
if (auth) {
if ((result = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE,
&keyUsagePolicy))) {
print_error("Tspi_Context_CreateObject", result);
Tspi_Context_Close(hContext);
exit(result);
}
if (popup) {
//Set Secret
if ((result = Tspi_Policy_SetSecret(keyUsagePolicy,
TSS_SECRET_MODE_POPUP,
0, NULL))) {
print_error("Tspi_Policy_SetSecret", result);
Tspi_Context_Close(hContext);
exit(result);
}
} else {
char *authdata = calloc(1, 128);
if (!authdata) {
fprintf(stderr, "malloc failed.\n");
Tspi_Context_Close(hContext);
exit(result);
}
if (EVP_read_pw_string(authdata, 128,
"Enter Key Usage Password: "******"Passwords do not match.\n");
free(authdata);
Tspi_Context_Close(hContext);
exit(result);
}
//Set Secret
if ((result = Tspi_Policy_SetSecret(keyUsagePolicy,
TSS_SECRET_MODE_PLAIN,
strlen(authdata),
(BYTE *)authdata))) {
print_error("Tspi_Policy_SetSecret", result);
free(authdata);
Tspi_Context_Close(hContext);
exit(result);
}
free(authdata);
}
if ((result = Tspi_Policy_AssignToObject(keyUsagePolicy, hKey))) {
print_error("Tspi_Policy_AssignToObject", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
}
// Create or Wrap Key
if (wrap) {
char n[256], p[128];
unsigned int size_n, size_p;
BYTE *pubSRK;
/*Set migration policy needed to wrap the key*/
if ((result = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_MIGRATION,
&keyMigrationPolicy))) {
print_error("Tspi_Context_CreateObject", result);
Tspi_Context_Close(hContext);
exit(result);
}
if (auth) {
char *authdata = calloc(1, 128);
if (!authdata) {
fprintf(stderr, "malloc failed.\n");
Tspi_Context_Close(hContext);
exit(result);
}
if (EVP_read_pw_string(authdata, 128,
"Enter Key Migration Password: "******"Passwords do not match.\n");
free(authdata);
Tspi_Context_Close(hContext);
exit(result);
}
if ((result = Tspi_Policy_SetSecret(keyMigrationPolicy,
TSS_SECRET_MODE_PLAIN,
strlen(authdata),
(BYTE *)authdata))) {
print_error("Tspi_Policy_SetSecret", result);
Tspi_Context_Close(hContext);
exit(result);
}
free(authdata);
}
if ((result = Tspi_Policy_AssignToObject(keyMigrationPolicy, hKey))) {
print_error("Tspi_Policy_AssignToObject", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
/* Pull the PubKRK out of the TPM */
if ((result = Tspi_Key_GetPubKey(hSRK, &size_n, &pubSRK))) {
print_error("Tspi_Key_WrapKey", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
Tspi_Context_FreeMemory(hContext, pubSRK);
if ((rsa = openssl_read_key(openssl_key)) == NULL) {
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(-1);
}
if (RSA_size(rsa) != key_size / 8) {
fprintf(stderr,
"Error, key size is incorrect, please use the '-s' option\n");
RSA_free(rsa);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(-1);
}
if (openssl_get_modulus_and_prime(rsa, &size_n, (unsigned char *)n,
&size_p, (unsigned char *)p)) {
fprintf(stderr, "Error getting modulus and prime!\n");
RSA_free(rsa);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(-1);
}
if ((result = Tspi_SetAttribData(hKey, TSS_TSPATTRIB_RSAKEY_INFO,
TSS_TSPATTRIB_KEYINFO_RSA_MODULUS,
size_n, (BYTE *)n))) {
print_error("Tspi_SetAttribData (RSA modulus)", result);
RSA_free(rsa);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(-1);
}
if ((result = Tspi_SetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY,
size_p, (BYTE *)p))) {
print_error("Tspi_SetAttribData (private key)", result);
RSA_free(rsa);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(-1);
}
if ((result = Tspi_Key_WrapKey(hKey, hSRK, 0))) {
print_error("Tspi_Key_WrapKey", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
} else {
if ((result = Tspi_Key_CreateKey(hKey, hSRK, 0))) {
print_error("Tspi_Key_CreateKey", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
}
if ((result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_BLOB,
&blob_size, &blob))) {
print_error("Tspi_GetAttribData", result);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(result);
}
if ((outb = BIO_new_file(filename, "w")) == NULL) {
fprintf(stderr, "Error opening file for write: %s\n", filename);
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(-1);
}
blob_str = ASN1_OCTET_STRING_new();
if (!blob_str) {
fprintf(stderr, "Error allocating ASN1_OCTET_STRING\n");
Tspi_Context_CloseObject(hContext, hKey);
Tspi_Context_Close(hContext);
exit(-1);
}
ASN1_STRING_set(blob_str, blob, blob_size);
asn1_len = i2d_ASN1_OCTET_STRING(blob_str, &blob_asn1);
PEM_write_bio(outb, "TSS KEY BLOB", "", blob_asn1, asn1_len);
BIO_free(outb);
Tspi_Context_Close(hContext);
printf("Success.\n");
return 0;
}
