int main(int argc, char *argv[]) { int ret; struct stat sbuf; unsigned char databuff[256]; /* data read work buffer */ unsigned int datalen; /* size of data file */ uint32_t keyhandle = 0; /* handle of key */ unsigned char passhash1[20]; /* hash of parent key password */ unsigned char passhash2[20]; /* hash of data password */ unsigned char blob[4096]; /* resulting sealed blob */ uint32_t bloblen; /* blob length */ unsigned char *passptr1 = NULL; unsigned char *passptr2 = NULL; unsigned char future_hash[TPM_HASH_SIZE]; FILE *infile; FILE *outfile; int i = 1; int index; int index_ctr = 0; int max_index = -1; TPM_PCR_INFO_LONG pcrInfoLong; TPM_PCR_COMPOSITE pcrComp; STACK_TPM_BUFFER(serPcrInfo) uint32_t pcrs; char *keypass = NULL; char *datpass = NULL; const char *datafilename = NULL; const char *sealfilename = NULL; TPM_setlog(0); /* turn off verbose output */ memset(&pcrInfoLong, 0x0, sizeof(pcrInfoLong)); memset(&pcrComp, 0x0, sizeof(pcrComp)); ret = TPM_GetNumPCRRegisters(&pcrs); if (ret != 0) { printf("Error reading number of PCR registers.\n"); exit(-1); } if (pcrs > TPM_NUM_PCR) { printf("Library does not support that many PCRs.\n"); exit(-1); } /* * Now build the basic pcrInfoLong */ pcrInfoLong.tag = TPM_TAG_PCR_INFO_LONG; pcrInfoLong.localityAtRelease = TPM_LOC_ZERO; pcrInfoLong.localityAtCreation = TPM_LOC_ZERO; pcrInfoLong.releasePCRSelection.sizeOfSelect = pcrs / 8; pcrInfoLong.creationPCRSelection.sizeOfSelect = pcrs / 8; for (i=1 ; i<argc ; i++) { if (!strcmp(argv[i],"-pwdk")) { i++; if (i >= argc) { printf("Missing parameter for option -pwdk.\n"); printUsage(); } keypass = argv[i]; } else if (!strcmp(argv[i],"-pwdd")) { i++; if (i >= argc) { printf("Missing parameter for option -pwdd.\n"); printUsage(); } datpass = argv[i]; } else if (strcmp(argv[i],"-hk") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &keyhandle)) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } } else { printf("-hk option needs a value\n"); printUsage(); } } else if (strcmp(argv[i],"-if") == 0) { i++; if (i < argc) { datafilename = argv[i]; } else { printf("-if option needs a value\n"); printUsage(); } } else if (strcmp(argv[i],"-of") == 0) { i++; if (i < argc) { sealfilename = argv[i]; } else { printf("-of option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i],"-ix")) { int j = 0; int shift = 4; char * hash_str = NULL; i++; if (i >= argc) { printf("Missing parameter for option -ix.\n"); printUsage(); } index = atoi(argv[i]); if (index < 0 || index > (int)(pcrs-1)) { printf("Index out of range! Max PCR is %d.\n",pcrs-1); printUsage(); } if (index <= max_index) { printf("Inidices must be given in ascending order.\n"); exit(-1); } max_index = index; i++; if (i >= argc) { printf("Missing parameter for option -i.\n"); printUsage(); } hash_str = argv[i]; if (40 != strlen(hash_str)) { printf("The hash must be exactly 40 characters long!\n"); exit(-1); } memset(future_hash, 0x0, TPM_HASH_SIZE); shift = 4; j = 0; while (j < (2 * TPM_HASH_SIZE)) { unsigned char c = hash_str[j]; if (c >= '0' && c <= '9') { future_hash[j>>1] |= ((c - '0') << shift); } else if (c >= 'a' && c <= 'f') { future_hash[j>>1] |= ((c - 'a' + 10) << shift); } else
int main(int argc, char *argv[]) { int ret; /* general return value */ uint32_t keyhandle = 0; /* handle of quote key */ unsigned int pcrmask = 0; /* pcr register mask */ unsigned char passhash1[TPM_HASH_SIZE]; /* hash of key password */ unsigned char data[TPM_HASH_SIZE];/* nonce data */ STACK_TPM_BUFFER(signature); pubkeydata pubkey; /* public key structure */ RSA *rsa; /* openssl RSA public key */ unsigned char *passptr; TPM_PCR_SELECTION selection; TPM_PCR_INFO_SHORT s1; TPM_QUOTE_INFO2 quoteinfo; STACK_TPM_BUFFER( serQuoteInfo ) uint32_t pcrs; int i; uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1; TPM_BOOL addVersion = FALSE; STACK_TPM_BUFFER(versionblob); static char *keypass = NULL; TPM_setlog(0); /* turn off verbose output from TPM driver */ for (i=1 ; i<argc ; i++) { if (strcmp(argv[i],"-hk") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &keyhandle)) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } } else { printf("-hk option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-pwdk")) { i++; if (i < argc) { keypass = argv[i]; } else { printf("Missing parameter to -pwdk\n"); printUsage(); } } else if (strcmp(argv[i],"-bm") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &pcrmask)) { printf("Invalid -bm argument '%s'\n",argv[i]); exit(2); } } else { printf("-bm option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-vinfo")) { addVersion = TRUE; printf("Adding version info.\n"); } else if (!strcmp(argv[i], "-h")) { printUsage(); } else if (!strcmp(argv[i], "-v")) { TPM_setlog(1); } else { printf("\n%s is not a valid option\n", argv[i]); printUsage(); } } if ((keyhandle == 0) || (pcrmask == 0)) { printf("Missing argument\n"); printUsage(); } memset(&s1, 0x0, sizeof(s1)); /* ** Parse and process the command line arguments */ /* get the SHA1 hash of the password string for use as the Key Authorization Data */ if (keypass != NULL) { TSS_sha1((unsigned char *)keypass,strlen(keypass),passhash1); passptr = passhash1; } else { passptr = NULL; } /* for testing, use the password hash as the test nonce */ memcpy(data,passhash1,TPM_HASH_SIZE); ret = TPM_GetNumPCRRegisters(&pcrs); if (ret != 0) { printf("Error reading number of PCR registers.\n"); exit(-1); } if (pcrs > TPM_NUM_PCR) { printf("Library does not support that many PCRs.\n"); exit(-1); } memset(&selection, 0x0, sizeof(selection)); selection.sizeOfSelect = pcrs / 8; for (i = 0; i < selection.sizeOfSelect; i++) { selection.pcrSelect[i] = (pcrmask & 0xff); pcrmask >>= 8; } /* ** perform the TPM Quote function */ ret = TPM_Quote2(keyhandle, /* key handle */ &selection, /* specify PCR registers */ addVersion, /* add Version */ passptr, /* Key Password (hashed), or null */ data, /* nonce data */ &s1, /* pointer to pcr info */ &versionblob, /* pointer to TPM_CAP_VERSION_INFO */ &signature); /* buffer to receive result, int to receive result length */ if (ret != 0) { printf("Error '%s' from TPM_Quote2\n",TPM_GetErrMsg(ret)); exit(ret); } /* ** Get the public key and convert to an OpenSSL RSA public key */ ret = TPM_GetPubKey(keyhandle,passptr,&pubkey); if (ret != 0) { printf("Error '%s' from TPM_GetPubKey\n",TPM_GetErrMsg(ret)); exit(ret); } rsa = TSS_convpubkey(&pubkey); /* ** fill the quote info structure and calculate the hashes needed for verification */ quoteinfo.tag = TPM_TAG_QUOTE_INFO2; memcpy(&(quoteinfo.fixed),"QUT2",4); quoteinfo.infoShort = s1; memcpy(&(quoteinfo.externalData),data,TPM_NONCE_SIZE); unsigned char *corey_ptr = (unsigned char *)"einfo; unsigned int x; printf("quote info: \n"); for (x=0;x<128;x++) { if (x != 0 && x % 16 == 0) printf("\n"); printf("%02x ", corey_ptr[x]); } printf("\n"); /* create the hash of the quoteinfo structure for signature verification */ ret = TPM_WriteQuoteInfo2(&serQuoteInfo, "einfo); if ( ( ret & ERR_MASK ) != 0) { exit(-1); } printf("serquoteinfo: \n"); for (x=0;x<128;x++) { if (x != 0 && x % 16 == 0) printf("\n"); printf("%02x ", serQuoteInfo.buffer[x]); } printf("\n"); /* append version information if given in response */ if (addVersion) { printf("addversion is called\n"); memcpy(serQuoteInfo.buffer + serQuoteInfo.used, versionblob.buffer, versionblob.used); serQuoteInfo.used += versionblob.used; } ret = TPM_ValidateSignature(sigscheme, &serQuoteInfo, &signature, rsa); if (ret != 0) { printf("Verification failed\n"); } else { printf("Verification succeeded\n"); } RSA_free(rsa); exit(ret); }
int main(int argc, char *argv[]) { int ret; /* general return value */ uint32_t keyhandle = 0; /* handle of quote key */ unsigned int pcrmask = 0; /* pcr register mask */ unsigned char passhash1[TPM_HASH_SIZE]; /* hash of key password */ unsigned char nonce[TPM_NONCE_SIZE]; /* nonce data */ STACK_TPM_BUFFER(signature); pubkeydata pubkey; /* public key structure */ unsigned char *passptr; TPM_PCR_COMPOSITE tpc; STACK_TPM_BUFFER (ser_tpc); STACK_TPM_BUFFER (ser_tqi); STACK_TPM_BUFFER (response); uint32_t pcrs; int i; uint16_t sigscheme = TPM_SS_RSASSAPKCS1v15_SHA1; TPM_PCR_SELECTION tps; static char *keypass = NULL; const char *certFilename = NULL; int verbose = FALSE; TPM_setlog(0); /* turn off verbose output from TPM driver */ for (i=1 ; i<argc ; i++) { if (strcmp(argv[i],"-hk") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &keyhandle)) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } if (keyhandle == 0) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } } else { printf("-hk option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-pwdk")) { i++; if (i < argc) { keypass = argv[i]; } else { printf("Missing parameter to -pwdk\n"); printUsage(); } } else if (strcmp(argv[i],"-bm") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &pcrmask)) { printf("Invalid -bm argument '%s'\n",argv[i]); exit(2); } } else { printf("-bm option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-cert")) { i++; if (i < argc) { certFilename = argv[i]; } else { printf("Missing parameter to -cert\n"); printUsage(); } } else if (!strcmp(argv[i], "-h")) { printUsage(); } else if (!strcmp(argv[i], "-v")) { verbose = TRUE; TPM_setlog(1); } else { printf("\n%s is not a valid option\n", argv[i]); printUsage(); } } if ((keyhandle == 0) || (pcrmask == 0)) { printf("Missing argument\n"); printUsage(); } /* get the SHA1 hash of the password string for use as the Key Authorization Data */ if (keypass != NULL) { TSS_sha1((unsigned char *)keypass, strlen(keypass), passhash1); passptr = passhash1; } else { passptr = NULL; } /* for testing, use the password hash as the test nonce */ memcpy(nonce, passhash1, TPM_HASH_SIZE); ret = TPM_GetNumPCRRegisters(&pcrs); if (ret != 0) { printf("Error reading number of PCR registers.\n"); exit(-1); } if (pcrs > TPM_NUM_PCR) { printf("Library does not support that many PCRs.\n"); exit(-1); } tps.sizeOfSelect = pcrs / 8; for (i = 0; i < tps.sizeOfSelect; i++) { tps.pcrSelect[i] = (pcrmask & 0xff); pcrmask >>= 8; } /* ** perform the TPM Quote function */ ret = TPM_Quote(keyhandle, /* KEY handle */ passptr, /* Key Password (hashed), or null */ nonce, /* nonce data */ &tps, /* specify PCR registers */ &tpc, /* pointer to pcr composite */ &signature);/* buffer to receive result, int to receive result length */ if (ret != 0) { printf("Error '%s' from TPM_Quote\n", TPM_GetErrMsg(ret)); exit(ret); } /* ** Get the public key and convert to an OpenSSL RSA public key */ ret = TPM_GetPubKey(keyhandle, passptr, &pubkey); if (ret != 0) { printf("quote: Error '%s' from TPM_GetPubKey\n", TPM_GetErrMsg(ret)); exit(-6); } ret = TPM_ValidatePCRCompositeSignature(&tpc, nonce, &pubkey, &signature, sigscheme); if (ret) { printf("Error %s from validating the signature over the PCR composite.\n", TPM_GetErrMsg(ret)); exit(ret); } printf("Verification against AIK succeeded\n"); /* optionally verify the quote signature against the key certificate */ if (certFilename != NULL) { unsigned char *certStream = NULL; /* freed @1 */ uint32_t certStreamLength; X509 *x509Certificate = NULL; /* freed @2 */ unsigned char *tmpPtr; /* because d2i_X509 moves the ptr */ /* AIK public key parts */ RSA *rsaKey = NULL; /* freed @3 */ if (verbose) printf("quote: verifying the signature against the certificate\n"); /* load the key certificate */ if (ret == 0) { ret = TPM_ReadFile(certFilename, &certStream, /* freed @1 */ &certStreamLength); } /* convert to openssl X509 */ if (ret == 0) { if (verbose) printf("quote: parsing the certificate stream\n"); tmpPtr = certStream; x509Certificate = d2i_X509(NULL, (const unsigned char **)&tmpPtr, certStreamLength); if (x509Certificate == NULL) { printf("Error in certificate deserialization d2i_X509()\n"); ret = -1; } } if (ret == 0) { if (verbose) printf("quote: get the certificate public key\n"); ret = GetRSAKey(&rsaKey, /* freed @3 */ x509Certificate); } if (ret == 0) { if (verbose) printf("quote: quote validate signature\n"); ret = TPM_ValidatePCRCompositeSignatureRSA(&tpc, nonce, rsaKey, &signature, sigscheme); if (ret != 0) { printf("Verification against certificate failed\n"); } } if (ret == 0) { printf("Verification against certificate succeeded\n"); } free(certStream); /* @1 */ X509_free(x509Certificate); /* @2 */ RSA_free(rsaKey); /* @3 */ } exit(ret); }