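/*
 * aik_verify - validate the locally stored AIK certificate.
 *
 * Reads the signed AIK data from "cert/AIK", verifies its signature against
 * "cert/CA", parses the signed blob into a struct aik_cert_info and checks
 * that the pubkey_uuid it carries equals the SM3-derived uuid of
 * "pubkey/AIK.pem".
 *
 * @user: optional output. When non-NULL, up to DIGEST_SIZE bytes of the
 *        certificate's user_name are copied with strncpy(), so the caller
 *        must supply at least DIGEST_SIZE bytes and the result is NOT
 *        NUL-terminated when the name fills the whole field.
 *
 * Returns 0 on success, -EIO when the signed data cannot be read, and
 * -EINVAL when signature verification, parsing or the key comparison fails.
 */
int aik_verify(char * user)
{
	int ret;
	/* Zero-initialised so a failed hash/uuid step never compares stale stack bytes. */
	BYTE buf[128] = {0};
	BYTE digest[DIGEST_SIZE] = {0};
	TESI_SIGN_DATA signdata;
	TSS_RESULT result;
	void * struct_template;
	struct aik_cert_info server_info;

	ret=ReadSignDataFromFile(&signdata,"cert/AIK");
	if(ret<0)
		return -EIO;

	/* The signature must be checked before any field of the blob is trusted. */
	result=TESI_AIK_VerifySignData(&signdata,"cert/CA");
	if (result != TSS_SUCCESS) {
		printf("verify AIK data error!\n");
		return -EINVAL;
	}

	struct_template=create_struct_template(&aik_cert_info_desc);
	if(struct_template==NULL)
		return -EINVAL;
	ret=blob_2_struct(signdata.data,&server_info,struct_template);
	/* The template is only needed for this one conversion; release it on
	 * every path instead of leaking it. */
	free_struct_template(struct_template);
	if(ret<0)
		return -EINVAL;

	/*
	 * NOTE(review): the server-name check below is disabled, so the
	 * user_name carried by the certificate is not compared with any expected
	 * identity; only the CA signature and the key binding are enforced.
	 *
	 * if(strcmp(server_info.user_info.user_name,"bind_server")!=0)
	 * {
	 *	printf("Wrong Server! Server is %s\n",server_info.user_info.user_name);
	 *	return -EINVAL;
	 * }
	 */

	/* NOTE(review): the result of calculate_sm3() is not checked here; its
	 * return convention is not visible in this file - confirm and handle a
	 * missing or unreadable pubkey/AIK.pem explicitly. */
	calculate_sm3("pubkey/AIK.pem",digest);
	/* assumes digest_to_uuid() writes DIGEST_SIZE*2 characters into buf and
	 * that this fits in 128 bytes - TODO confirm */
	digest_to_uuid(digest,buf);

	/* Bind the certificate to the local public key file. */
	if(strncmp(buf,server_info.pubkey_uuid,DIGEST_SIZE*2)!=0) {
		printf("Wrong Key!\n" );
		return -EINVAL;
	}

	if(user!=NULL) {
		/* Fixed-width copy; see the termination caveat in the header comment. */
		strncpy(user,server_info.user_info.user_name,DIGEST_SIZE);
	}
	return 0;
}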
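/*
 * proc_tcm_activateidentity - handle a CA reply for a PIK and build the PIK cert.
 *
 * Steps, in order:
 *   1. take the CADATA record from recv_msg and look up the matching PIK key
 *      record by its pubkey_uuid;
 *   2. load the PIK from "tcmkey/<uuid>" into the TCM;
 *   3. run TCM_ActivateIdentity to recover the symmetric key from the CA blob;
 *   4. decrypt the certificate blob with that key and skip its leading zero
 *      bytes;
 *   5. assemble a PIKCERT record (verifydata, userinfo, pikpub) and send it
 *      to sub_proc as a reply to recv_msg.
 *
 * Returns the result of ex_module_sendmsg() on success; on failure a negative
 * errno value or the non-zero code of the failing TCM call.
 *
 * NOTE(review): every field of pik_cadata comes from the received message.
 * symmkey_len, certlen and the uuids are passed on without any range check in
 * this function - confirm that the callees validate them.
 * NOTE(review): the authorization values "sss", "ooo" and "kkk" are
 * hard-coded literals; they should come from protected configuration.
 * NOTE(review): error returns after TCM_LoadKey/TCM_APCreate leave the loaded
 * key and open sessions in the TCM, and pik_cert/cert are not released on
 * failure. The matching release calls for cert are not visible here, so this
 * is flagged rather than changed.
 */
int proc_tcm_activateidentity(void * sub_proc,void * recv_msg)
{
	int ret=0;
	BYTE NameBuf[DIGEST_SIZE*4];
	DB_RECORD * db_record;
	RECORD(TCM_PIK_DESC,USERINFO) * pik_userinfo;
	RECORD(TCM_PIK_DESC,CADATA) * pik_cadata=NULL;
	RECORD(TCM_PIK_DESC,PIKCERT) * pik_cert;
	RECORD(VTCM_IN_KEY,TCM_BIN_KEY) tcm_pik;
	RECORD(VTCM_IN_KEY,TCM_BIN_PUBKEY) tcm_pikpub;
	RECORD(TCM_KEY_MANAGE,PRIVATE_KEY) * tcm_pik_info;
	TCM_SYMMETRIC_KEY symmkey;
	void * new_msg;
	void * tcm_key_template;
	UINT32 smkHandle;
	UINT32 ownerHandle;
	UINT32 keyHandle;
	UINT32 keyAuthHandle;
	char uuid[DIGEST_SIZE*2+1];
	BYTE * cert=NULL;
	int certsize=0;
	int offset;

	printf("begin pik activateidentity!\n");

	// get pik cadata from message
	ret=message_get_record(recv_msg,&pik_cadata,0);
	if(ret<0)
		return -EINVAL;
	if(pik_cadata==NULL)
		return -EINVAL;

	// find pikinfo record
	db_record=memdb_find_first(TYPE_PAIR(TCM_KEY_MANAGE,PRIVATE_KEY),"pubkey_uuid",pik_cadata->pikpub_uuid);
	if(db_record==NULL) {
		print_cubeerr("can't find pik record!\n");
		return -EINVAL;
	}
	tcm_pik_info=db_record->record;

	// get pik file name
	digest_to_uuid(tcm_pik_info->uuid,uuid);
	uuid[DIGEST_SIZE*2]=0;
	printf("get pik's uuid is %s!\n",uuid);

	/* "tcmkey/" plus DIGEST_SIZE*2 uuid characters and the terminator fit in
	 * DIGEST_SIZE*4 bytes as long as DIGEST_SIZE >= 4. */
	Strcpy(NameBuf,"tcmkey/");
	Strcat(NameBuf,uuid);

	ret=TCM_ExLoadTcmKey(&tcm_pik,NameBuf);
	if(ret!=0) {
		print_cubeerr("Load TCMKey from file failed!\n");
		return ret;
	}

	// Load pik to TCM
	/* Non-zero is treated as failure for every TCM_APCreate/TCM_APTerminate
	 * call, matching the checks this function already used for the same calls;
	 * the handle is printed only after the call is known to have succeeded. */
	ret=TCM_APCreate(TCM_ET_SMK, NULL, "sss", &smkHandle);
	if(ret!=0) {
		printf("TCM_APCreate failed!\n");
		return -EINVAL;
	}
	printf("smkHandle is : %x\n",smkHandle);

	ret=TCM_LoadKey(smkHandle,NameBuf,&keyHandle);
	if(ret!=0) {
		print_cubeerr("TCM_LoadKey failed!\n");
		return ret;
	}

	ret=TCM_APTerminate(smkHandle);
	if(ret!=0) {
		printf("TCM_APTerminate failed!\n");
		return ret;
	}

	// do the activateidentity
	ret=TCM_APCreate(TCM_ET_OWNER, NULL, "ooo", &ownerHandle);
	if(ret!=0) {
		print_cubeerr("TCM_APCreate failed!\n");
		return -EINVAL;
	}
	printf("ownerHandle is : %x\n",ownerHandle);

	ret=TCM_APCreate(TCM_ET_KEYHANDLE,keyHandle, "kkk", &keyAuthHandle);
	if(ret!=0) {
		printf("TCM_APCreate failed!\n");
		return -EINVAL;
	}
	printf("pikHandle is : %x\n",keyAuthHandle);

	ret=TCM_ActivateIdentity(keyHandle,keyAuthHandle,ownerHandle,
		pik_cadata->symmkey_len,pik_cadata->symmkey,&symmkey,"ooo","kkk");
	if(ret!=0) {
		printf("TCM_ActivateIdentity failed!\n");
		return -EINVAL;
	}

	ret=TCM_APTerminate(ownerHandle);
	if(ret!=0) {
		printf("TCM_APTerminate failed!\n");
		return -EINVAL;
	}

	ret=TCM_APTerminate(keyAuthHandle);
	if(ret!=0) {
		printf("TCM_APTerminate failed!\n");
		return -EINVAL;
	}

	/* NOTE(review): only a negative result is treated as failure here; the
	 * return convention of TCM_EvictKey is not visible in this file. */
	ret=TCM_EvictKey(keyHandle);
	if(ret<0) {
		printf("TCM_EvictKey failed!\n");
		return -EINVAL;
	}

	// decrypt cert blob
	ret=TCM_ExSymmkeyDecrypt(&symmkey,pik_cadata->cert,pik_cadata->certlen,&cert,&certsize);
	if(ret!=0) {
		printf("decrypt cert blob file error!\n");
		return -EINVAL;
	}
	/* NOTE(review): symmkey stays on the stack after use; wipe it with a
	 * non-elidable clear once the project's helper for that is known. */

	if(cert==NULL || certsize<=0) {
		print_cubeerr("cert data failed!\n");
		return -EINVAL;
	}

	/* Skip leading zero bytes of the decrypted blob (at most 16 of them).
	 * The index is bounded BEFORE cert[offset] is read, so an all-zero or
	 * short blob can neither be read past its end nor leave offset pointing
	 * at or beyond certsize. */
	offset=0;
	while(offset<certsize && cert[offset]==0) {
		if(offset>=16) {
			print_cubeerr("cert data failed!\n");
			return -EINVAL;
		}
		offset++;
	}
	if(offset>=certsize) {
		print_cubeerr("cert data failed!\n");
		return -EINVAL;
	}

	// build pik cert, it is organized by userinfo, pubkey and ca_conts
	pik_cert=Talloc0(sizeof(*pik_cert));
	if(pik_cert==NULL)
		return -ENOMEM;

	tcm_key_template=memdb_get_template(TYPE_PAIR(TCM_PIK_DESC,VERIFYDATA));
	if(tcm_key_template==NULL)
		return -EINVAL;

	/* NOTE(review): blob_2_struct() is not told how many bytes remain
	 * (certsize-offset); confirm it cannot read beyond the decrypted buffer
	 * when the blob is truncated or malformed. */
	ret=blob_2_struct(cert+offset,&pik_cert->verifydata,tcm_key_template);
	if(ret<0)
		return -EINVAL;

	db_record=memdb_find(pik_cadata->userinfo_uuid,TYPE_PAIR(TCM_PIK_DESC,USERINFO));
	if(db_record==NULL) {
		print_cubeerr("can't find user info data!\n");
		return -EINVAL;
	}
	pik_userinfo=db_record->record;

	tcm_key_template=memdb_get_template(TYPE_PAIR(TCM_PIK_DESC,USERINFO));
	if(tcm_key_template==NULL)
		return -EINVAL;
	ret=struct_clone(pik_userinfo,&pik_cert->userinfo,tcm_key_template);
	if(ret<0)
		return -EINVAL;

	ret=TCM_ExGetPubkeyFromTcmkey(&tcm_pikpub,&tcm_pik);
	if(ret!=0) {
		print_cubeerr("Get Pubpik failed!\n");
		return -EINVAL;
	}

	tcm_key_template=memdb_get_template(TYPE_PAIR(VTCM_IN_KEY,TCM_BIN_PUBKEY));
	if(tcm_key_template==NULL)
		return -EINVAL;
	ret=struct_clone(&tcm_pikpub,&pik_cert->pikpub,tcm_key_template);
	if(ret<0)
		return -EINVAL;

	// build a message and send it
	new_msg=message_create(TYPE_PAIR(TCM_PIK_DESC,PIKCERT),recv_msg);
	if(new_msg==NULL)
		return -EINVAL;
	ret=message_add_record(new_msg,pik_cert);
	if(ret<0)
		return ret;

	ret=ex_module_sendmsg(sub_proc,new_msg);
	return ret;
}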
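/*
 * proc_aik_activate - activate the local AIK with the CA's reply.
 *
 * Loads the AIK from "privkey/AIK", stores the file carried by `message`
 * (via get_filedata_from_message), runs TESI_AIK_Activate on "cert/active",
 * rewrites the AIK private blob and public key files, verifies the resulting
 * signed data against "cert/CA" and finally parses it as a struct ca_cert.
 *
 * Returns 0 on success, the TSS error code when reading or loading the AIK
 * fails, and -EINVAL when the message carries no usable file or the signed
 * blob does not parse to exactly signdata.datalen bytes. Failures of the
 * later TSS steps terminate the process with exit(result).
 *
 * NOTE(review): "privkey/AIK" and "pubkey/AIK" are rewritten BEFORE the CA
 * signature on signdata is verified, so a reply that fails verification has
 * already replaced the key files by the time the process exits. Verifying
 * first would avoid that; confirm the TESI calls have no ordering dependency.
 * NOTE(review): calling exit() from a message handler lets one bad reply end
 * the whole process; the first two checks return the error instead.
 * NOTE(review): the key authorization value "kkk" is a hard-coded literal.
 */
int proc_aik_activate(void * sub_proc,void * message)
{
	printf("begin aik activate!\n");
	TSS_RESULT result;
	TSS_HKEY hAIKey, hCAKey;
	TESI_SIGN_DATA signdata;
	int retval;
	int blobsize=0;
	void * struct_template;
	struct ca_cert usercert;

	result=TESI_Local_ReadKeyBlob(&hAIKey,"privkey/AIK");
	if ( result != TSS_SUCCESS ) {
		print_error("TESI_Local_ReadKeyBlob Err!\n",result);
		return result;
	}

	result=TESI_Local_LoadKey(hAIKey,NULL,"kkk");
	if ( result != TSS_SUCCESS ) {
		print_error("TESI_Local_LoadKey Err!\n",result);
		return result;
	}

	retval=get_filedata_from_message(message);
	if(retval<0)
		return -EINVAL;
	printf("get file succeed!\n");

	result=TESI_AIK_Activate(hAIKey,"cert/active",&signdata);
	if (result != TSS_SUCCESS) {
		/* The message names the call that actually failed. */
		print_error("TESI_AIK_Activate Err!\n", result);
		exit(result);
	}

	// Load the CA Key
	result=TESI_Local_GetPubKeyFromCA(&hCAKey,"cert/CA");
	if (result != TSS_SUCCESS) {
		print_error("Get pubkey error!\n", result);
		exit(result);
	}

	// write the AIK and aipubkey
	result=TESI_Local_WriteKeyBlob(hAIKey,"privkey/AIK");
	if (result != TSS_SUCCESS) {
		print_error("store aik data error!\n", result);
		exit(result);
	}

	result=TESI_Local_WritePubKey(hAIKey,"pubkey/AIK");
	if (result != TSS_SUCCESS) {
		print_error("store aik data error!\n", result);
		exit(result);
	}

	// verify the CA signed cert
	result=TESI_AIK_VerifySignData(&signdata,"cert/CA");
	if (result != TSS_SUCCESS) {
		print_error("verify data error!\n", result);
		exit(result);
	}

	// get the content of the CA signed cert
	struct_template=create_struct_template(ca_cert_desc);
	if(struct_template==NULL)
		return -EINVAL;
	blobsize=blob_2_struct(signdata.data,&usercert,struct_template);
	/* Release the template on the failure path as well as on success. */
	free_struct_template(struct_template);
	/* A negative result is a parse error; anything other than an exact
	 * length match means trailing or missing bytes in the signed blob. */
	if(blobsize<0 || blobsize!=signdata.datalen)
		return -EINVAL;

	return 0;
}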