int aik_verify(char * user)
{
int ret;
BYTE buf[128];
TESI_SIGN_DATA signdata;
TSS_RESULT result;
void * struct_template;
struct aik_cert_info server_info;
struct node_key_list * key_list;
BYTE digest[DIGEST_SIZE];
BYTE filename[DIGEST_SIZE*2+DIGEST_SIZE];
ret=ReadSignDataFromFile(&signdata,"cert/AIK");
if(ret<0)
return -EIO;
result=TESI_AIK_VerifySignData(&signdata,"cert/CA");
if (result != TSS_SUCCESS) {
printf("verify AIK data error!\n");
return -EINVAL;
}
struct_template=create_struct_template(&aik_cert_info_desc);
if(struct_template==NULL)
return -EINVAL;
ret=blob_2_struct(signdata.data,&server_info,struct_template);
if(ret<0)
return -EINVAL;
/*
if(strcmp(server_info.user_info.user_name,"bind_server")!=0)
{
printf("Wrong Server! Server is %s\n",server_info.user_info.user_name);
return -EINVAL;
}
*/
calculate_sm3("pubkey/AIK.pem",&digest);
digest_to_uuid(digest,buf);
if(strncmp(buf,server_info.pubkey_uuid,DIGEST_SIZE*2)!=0)
{
printf("Wrong Key!\n" );
return -EINVAL;
}
key_list=malloc(sizeof(struct node_key_list));
if(key_list==NULL)
return -ENOMEM;
if(user!=NULL)
{
strncpy(user,server_info.user_info.user_name,DIGEST_SIZE);
}
return 0;
}
int proc_tcm_activateidentity(void * sub_proc,void * recv_msg)
{
int ret=0;
int fd;
BYTE Buf[DIGEST_SIZE*32];
BYTE NameBuf[DIGEST_SIZE*4];
BYTE KeyBuf[DIGEST_SIZE*4];
BYTE digest[DIGEST_SIZE];
UINT32 result;
DB_RECORD * db_record;
RECORD(TCM_PIK_DESC,USERINFO) * pik_userinfo;
RECORD(TCM_PIK_DESC,CADATA) * pik_cadata;
RECORD(TCM_PIK_DESC,PIKCERT) * pik_cert;
RECORD(VTCM_IN_KEY,TCM_BIN_KEY) tcm_pik;
RECORD(VTCM_IN_KEY,TCM_BIN_PUBKEY) tcm_pikpub;
RECORD(TCM_KEY_MANAGE,PRIVATE_KEY) * tcm_pik_info;
TCM_SYMMETRIC_KEY symmkey;
void * new_msg;
int key_len;
void * tcm_key_template;
UINT32 smkHandle;
UINT32 ownerHandle;
UINT32 keyHandle;
UINT32 keyAuthHandle;
char uuid[DIGEST_SIZE*2+1];
printf("begin pik activateidentity!\n");
// get pik cadata from message
ret=message_get_record(recv_msg,&pik_cadata,0);
if(ret<0)
return -EINVAL;
if(pik_cadata==NULL)
return -EINVAL;
// find pikinfo record
db_record=memdb_find_first(TYPE_PAIR(TCM_KEY_MANAGE,PRIVATE_KEY),"pubkey_uuid",pik_cadata->pikpub_uuid);
if(db_record==NULL)
{
print_cubeerr("can't find pik record!\n");
return -EINVAL;
}
tcm_pik_info=db_record->record;
// get pik file name
digest_to_uuid(tcm_pik_info->uuid,uuid);
uuid[DIGEST_SIZE*2]=0;
printf("get pik's uuid is %s!\n",uuid);
Strcpy(NameBuf,"tcmkey/");
Strcat(NameBuf,uuid);
ret=TCM_ExLoadTcmKey(&tcm_pik,NameBuf);
if(ret!=0)
{
print_cubeerr("Load TCMKey from file failed!\n");
return ret;
}
// Load pik to TCM
ret=TCM_APCreate(TCM_ET_SMK, NULL, "sss", &smkHandle);
printf("smkHandle is : %x\n",smkHandle);
if(ret<0)
{
printf("TCM_APCreate failed!\n");
return -EINVAL;
}
ret=TCM_LoadKey(smkHandle,NameBuf,&keyHandle);
if(ret!=0)
{
print_cubeerr("TCM_LoadKey failed!\n");
return ret;
}
ret=TCM_APTerminate(smkHandle);
if(ret!=0)
{
printf("TCM_APTerminate failed!\n");
return ret;
}
// do the activateidentity
ret=TCM_APCreate(TCM_ET_OWNER, NULL, "ooo", &ownerHandle);
printf("ownerHandle is : %x\n",ownerHandle);
if(ret<0)
{
print_cubeerr("TCM_APCreate failed!\n");
return -EINVAL;
}
ret=TCM_APCreate(TCM_ET_KEYHANDLE,keyHandle, "kkk", &keyAuthHandle);
printf("pikHandle is : %x\n",keyAuthHandle);
if(ret!=0)
{
printf("TCM_APCreate failed!\n");
return -EINVAL;
}
ret=TCM_ActivateIdentity(keyHandle,keyAuthHandle,ownerHandle,
pik_cadata->symmkey_len,pik_cadata->symmkey,&symmkey,"ooo","kkk");
if(ret!=0)
{
printf("TCM_ActivateIdentity failed!\n");
return -EINVAL;
}
ret=TCM_APTerminate(ownerHandle);
if(ret<0)
{
printf("TCM_APTerminate failed!\n");
return -EINVAL;
}
ret=TCM_APTerminate(keyAuthHandle);
if(ret<0)
{
printf("TCM_APTerminate failed!\n");
return -EINVAL;
}
ret=TCM_EvictKey(keyHandle);
if(ret<0)
{
printf("TCM_APTerminate failed!\n");
return -EINVAL;
}
// decrypt cert blob
int blobsize;
BYTE * cert;
int certsize;
ret=TCM_ExSymmkeyDecrypt(&symmkey,pik_cadata->cert,pik_cadata->certlen,&cert,&certsize);
if(ret!=0)
{
printf("decrypt cert blob file error!\n");
return -EINVAL;
}
int offset;
for(offset=0;cert[offset]==0;offset++)
{
if((offset>=16)|| (offset>=certsize))
{
print_cubeerr("cert data failed!\n");
return -EINVAL;
}
}
// build pik cert, it is organized by userinfo, pubkey and ca_conts
//
pik_cert=Talloc0(sizeof(*pik_cert));
if(pik_cert==NULL)
return -ENOMEM;
tcm_key_template=memdb_get_template(TYPE_PAIR(TCM_PIK_DESC,VERIFYDATA));
if(tcm_key_template==NULL)
return -EINVAL;
ret=blob_2_struct(cert+offset,&pik_cert->verifydata,tcm_key_template);
if(ret<0)
return -EINVAL;
db_record=memdb_find(pik_cadata->userinfo_uuid,TYPE_PAIR(TCM_PIK_DESC,USERINFO));
if(db_record==NULL)
{
print_cubeerr("can't find user info data!\n");
return -EINVAL;
}
pik_userinfo=db_record->record;
tcm_key_template=memdb_get_template(TYPE_PAIR(TCM_PIK_DESC,USERINFO));
if(tcm_key_template==NULL)
return -EINVAL;
ret=struct_clone(pik_userinfo,&pik_cert->userinfo,tcm_key_template);
if(ret<0)
return -EINVAL;
ret=TCM_ExGetPubkeyFromTcmkey(&tcm_pikpub,&tcm_pik);
if(ret!=0)
{
print_cubeerr("Get Pubpik failed!\n");
return -EINVAL;
}
tcm_key_template=memdb_get_template(TYPE_PAIR(VTCM_IN_KEY,TCM_BIN_PUBKEY));
if(tcm_key_template==NULL)
return -EINVAL;
ret=struct_clone(&tcm_pikpub,&pik_cert->pikpub,tcm_key_template);
if(ret<0)
return -EINVAL;
// build a message and send it
new_msg=message_create(TYPE_PAIR(TCM_PIK_DESC,PIKCERT),recv_msg);
if(new_msg==NULL)
return -EINVAL;
ret=message_add_record(new_msg,pik_cert);
if(ret<0)
return ret;
ret=ex_module_sendmsg(sub_proc,new_msg);
return ret;
}
int proc_aik_activate(void * sub_proc,void * message)
{
printf("begin aik activate!\n");
TSS_RESULT result;
TSS_HKEY hAIKey, hCAKey;
TESI_SIGN_DATA signdata;
int fd;
int retval;
int blobsize=0;
struct policyfile_data * reqdata;
result=TESI_Local_ReadKeyBlob(&hAIKey,"privkey/AIK");
if ( result != TSS_SUCCESS )
{
print_error("TESI_Local_ReadKeyBlob Err!\n",result);
return result;
}
result=TESI_Local_LoadKey(hAIKey,NULL,"kkk");
if ( result != TSS_SUCCESS )
{
print_error("TESI_Local_LoadKey Err!\n",result);
return result;
}
retval=get_filedata_from_message(message);
if(retval<0)
return -EINVAL;
printf("get file succeed!\n");
result=TESI_AIK_Activate(hAIKey,"cert/active",&signdata);
if (result != TSS_SUCCESS) {
print_error("Tspi_Context_CreateObject", result);
exit(result);
}
// Load the CA Key
result=TESI_Local_GetPubKeyFromCA(&hCAKey,"cert/CA");
if (result != TSS_SUCCESS) {
print_error("Get pubkey error!\n", result);
exit(result);
}
// write the AIK and aipubkey
result=TESI_Local_WriteKeyBlob(hAIKey,"privkey/AIK");
if (result != TSS_SUCCESS) {
print_error("store aik data error!\n", result);
exit(result);
}
result=TESI_Local_WritePubKey(hAIKey,"pubkey/AIK");
if (result != TSS_SUCCESS) {
print_error("store aik data error!\n", result);
exit(result);
}
// verify the CA signed cert
result=TESI_AIK_VerifySignData(&signdata,"cert/CA");
if (result != TSS_SUCCESS) {
print_error("verify data error!\n", result);
exit(result);
}
// get the content of the CA signed cert
struct ca_cert usercert;
// read the req info from aik request package
void * struct_template=create_struct_template(ca_cert_desc);
if(struct_template==NULL)
return -EINVAL;
blobsize=blob_2_struct(signdata.data,&usercert,struct_template);
if(blobsize!=signdata.datalen)
return -EINVAL;
free_struct_template(struct_template);
return 0;
}
