uint32_t TPM_HashPubKey(keydata * pubkey, unsigned char *digest) { STACK_TPM_BUFFER(buffer) uint32_t len = TPM_WriteKeyPub(&buffer, pubkey); if ((len & ERR_MASK) == 0) TSS_sha1(buffer.buffer, len, digest); return len; }
int main(int argc, char *argv[]) { unsigned char nonce[TPM_NONCE_SIZE]; unsigned char digest[TPM_DIGEST_SIZE]; unsigned char calcdigest[TPM_DIGEST_SIZE]; uint32_t ret; struct keydata key; STACK_TPM_BUFFER(serKeyData) uint32_t serKeySize; char * pubKeyFile = NULL; uint32_t buffersize; char * buffer = NULL; int index = 1; if (argc >= 3 && 0 == strcmp(argv[index],"-v")) { TPM_setlog(1); index++; } else { TPM_setlog(0); } if (index >= argc) { usage(); exit(-1); } pubKeyFile = argv[index]; if (NULL == pubKeyFile) { usage(); exit(-1); } TSS_gennonce(nonce); ret = TPM_ReadKeyfile(pubKeyFile, &key); if ( ( ret & ERR_MASK ) != 0 ) { printf("Error - could not read key file.\n"); exit (-1); } ret = TPM_WriteKeyPub(&serKeyData, &key); if ( ( ret & ERR_MASK ) != 0 ) { exit (-1); } serKeySize = ret; ret = TPM_ReadManuMaintPub(nonce, digest); if ( 0 != ret ) { printf("Error %s from ReadManuMainPub.\n", TPM_GetErrMsg(ret)); exit(ret); } /* * Now check the digest against the serialized public key * and the hash. */ buffersize = serKeySize + sizeof(nonce); buffer = malloc(buffersize); if (NULL == buffer) { exit (-1); } memcpy(buffer, serKeyData.buffer, serKeySize); memcpy(&buffer[serKeySize], nonce, sizeof(nonce)); TSS_sha1(buffer, buffersize, calcdigest); free(buffer); if (0 == memcmp(calcdigest, digest, sizeof(digest))) { printf("The same public key is in the TPM.\n"); ret = 0; } else { printf("Another public key is in the TPM.\n"); ret = -1; } exit(ret); }
int main(int argc, char * argv[]) { char * ownerpass = NULL; char * migpass = NULL; char * parpass = NULL; char * filename = NULL; char * migkeyfile = NULL; char * migkeypass = NULL; uint32_t parhandle = -1; /* handle of parent key */ unsigned char * passptr1 = NULL; unsigned char passhash1[20]; unsigned char hashpass1[20]; /* hash of new key password */ unsigned char hashpass3[20]; /* hash of parent key password */ unsigned char hashpass4[20]; /* hash of migration key pwd */ uint32_t ret = 0; int i = 0; keydata keyparms; keydata idkey; unsigned char *aptr1 = NULL; unsigned char *aptr3 = NULL; unsigned char *aptr4 = NULL; keydata migkey; uint16_t migscheme = TPM_MS_RESTRICT_MIGRATE; uint32_t sigTicketSize = 0; char * msa_list_filename = NULL; TPM_MSA_COMPOSITE msaList = {0, NULL}; char * keyfile = NULL; keydata q; uint32_t sigkeyhandle = -1; char * sigkeypass = NULL; unsigned char sigkeypasshash[TPM_HASH_SIZE]; unsigned char * sigkeypassptr = NULL; unsigned char sigTicket[TPM_HASH_SIZE]; TPM_CMK_AUTH restrictTicket; TPM_CMK_AUTH *restrictTicketParameter; /* parameter to command function call */ unsigned char resTicketHash[TPM_HASH_SIZE]; memset(&keyparms, 0x0, sizeof(keyparms)); memset(&idkey , 0x0, sizeof(idkey)); memset(&restrictTicket, 0x0, sizeof(restrictTicket)); i = 1; TPM_setlog(0); while (i < argc) { if (!strcmp("-hp",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&parhandle); } else { printf("Missing parameter for -hp.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdp",argv[i])) { i++; if (i < argc) { parpass = argv[i]; } else { printf("Missing parameter for -pwdp.\n"); usage(); exit(-1); } } else if (!strcmp("-ok",argv[i])) { i++; if (i < argc) { filename = argv[i]; } else { printf("Missing parameter for -ok.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdo",argv[i])) { i++; if (i < argc) { ownerpass = argv[i]; } else { printf("Missing parameter for -pwdo.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdm",argv[i])) { i++; if (i < argc) { migpass = argv[i]; } else { printf("Missing parameter for -pwdm.\n"); usage(); exit(-1); } } else if (!strcmp("-msa",argv[i])) { i++; if (i < argc) { msa_list_filename = argv[i]; } else { printf("Missing parameter for -msa.\n"); usage(); exit(-1); } } else if (!strcmp("-ik",argv[i])) { i++; if (i < argc) { keyfile = argv[i]; } else { printf("Missing parameter for -ik.\n"); usage(); exit(-1); } } else if (!strcmp("-im",argv[i])) { i++; if (i < argc) { migkeyfile = argv[i]; } else { printf("Missing parameter for -im.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdk",argv[i])) { i++; if (i < argc) { migkeypass = argv[i]; } else { printf("Missing parameter for -pwdk.\n"); usage(); exit(-1); } } else if (!strcmp("-v",argv[i])) { TPM_setlog(1); } else if (!strcmp("-hs",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&sigkeyhandle); } else { printf("Missing mandatory parameter for -hs.\n"); usage(); exit(-1); } } else if (!strcmp("-pwds",argv[i])) { i++; if (i < argc) { sigkeypass = argv[i]; } else { printf("Missing mandatory parameter for -pwds.\n"); usage(); exit(-1); } } else if (!strcmp("-double",argv[i])) { migscheme = TPM_MS_RESTRICT_APPROVE; } else { printf("Unknown option '%s'.",argv[i]); usage(); exit(-1); } i++; } if (NULL == keyfile || NULL == ownerpass || -1 == (int)parhandle || NULL == migkeyfile || NULL == msa_list_filename) { printf("Missing or wrong parameter.\n"); usage(); exit(-1); } if (TPM_MS_RESTRICT_APPROVE == migscheme) { if (-1 == (int)sigkeyhandle) { printf("Must provide signing key data when '-double' has been selected.\n"); exit(-1); } } if (NULL != ownerpass) { TSS_sha1(ownerpass,strlen(ownerpass),passhash1); passptr1 = passhash1; } else { passptr1 = NULL; } if (NULL !=sigkeypass) { TSS_sha1(sigkeypass, strlen(sigkeypass), sigkeypasshash); sigkeypassptr = sigkeypasshash; } else { sigkeypassptr = NULL; } /* ** use the SHA1 hash of the password string as the Parent Key Authorization Data */ if (parpass != NULL) { TSS_sha1(parpass,strlen(parpass),hashpass1); aptr1 = hashpass1; } /* ** use the SHA1 hash of the password string as the Key Migration Authorization Data */ if (migpass != NULL) { TSS_sha1(migpass,strlen(migpass),hashpass3); aptr3 = hashpass3; } /* ** use the SHA1 hash of the password string as the Key Migration Authorization Data */ if (migkeypass != NULL) { TSS_sha1(migkeypass,strlen(migkeypass),hashpass4); aptr4 = hashpass4; } /* * * - Create an RSA key pair. * - Call TPM_AuthorizeMigrationKey for the RSA public key authorization * - Call TPM_CreateMigrationBlob with the result from AuthorizeMigrationKey * and the encrypted TPM_STORE_ASYMKEY structure * */ /* * readthe msa list from the file. */ ret = TPM_ReadMSAFile(msa_list_filename, &msaList); if ( ( ret & ERR_MASK ) != 0) { printf("Error while reading msa list file.\n"); exit(-1); } /* ** create and wrap an asymmetric key and get back the ** resulting keydata structure with the public and encrypted ** private keys filled in by the TPM */ /* * q is the key that we want to migrate. Create one such key. * migkey is the (public) key part from another TPM that we want to use * to migrate q. Since I am not loading a public key from another TPM, * I create a migration key here as well. I must never refer to this * key via any handle or load it into the TPM */ printf("Loading the (public) key to use for migration...\n"); if (0 == ret) { printf("Migration key is: %s\n",migkeyfile); ret = TPM_ReadKeyfile(migkeyfile, &migkey); if ((ret & ERR_MASK)) { ret = TPM_ReadPubKeyfile(migkeyfile, &migkey.pub); if ((ret & ERR_MASK)) { printf("Could not read the keyfile %s as a " "key or a pubkey.\n", migkeyfile); exit(-1); } } ret = TPM_ReadKeyfile(keyfile, &q); if ((ret & ERR_MASK)) { printf("Could not read the keyfile %s.\n", keyfile); } } /* * Create a ticket if needed. */ if (migscheme == TPM_MS_RESTRICT_APPROVE) { keydata signingkey; unsigned char signatureValue[2048]; uint32_t signatureValueSize = sizeof(signatureValue); STACK_TPM_BUFFER(sigkey) /* * Get the public key part of the signing key. */ ret = TPM_GetPubKey(sigkeyhandle, sigkeypassptr, &signingkey.pub); if ( 0 != ret ) { printf("Error %s while retrieving public signing key.\n", TPM_GetErrMsg(ret)); exit(-1); } /* * Build the restrictTicket!!! */ restrictTicketParameter = &restrictTicket; /* command needs restrictTicket */ ret = TPM_HashPubKey(&q, restrictTicket.sourceKeyDigest); if ( ( ret & ERR_MASK ) != 0) { printf("Could not calculate hash over the public key of the key to be migrated.\n"); exit(ret); } ret = TPM_HashPubKey(&migkey, restrictTicket.destinationKeyDigest); if ( ( ret & ERR_MASK ) != 0) { printf("Could not calculate hash over the public key of the migration key.\n"); exit(ret); } ret = TPM_HashCMKAuth(&restrictTicket, resTicketHash); ret = TPM_Sign(sigkeyhandle, sigkeypassptr, resTicketHash, sizeof(resTicketHash), signatureValue, &signatureValueSize); if ( 0 != ret) { printf("Error %s while sigining.\n", TPM_GetErrMsg(ret)); exit(ret); } ret = TPM_CMK_CreateTicket(&signingkey, resTicketHash, signatureValue, signatureValueSize, passptr1, sigTicket); sigTicketSize = TPM_DIGEST_SIZE; } else { /* TPM_MS_RESTRICT_MIGRATE */ restrictTicketParameter = NULL; /* command does not need restrictTicket */ } if (0 == ret) { if (0 == ret) { STACK_TPM_BUFFER( keyblob) STACK_TPM_BUFFER( migblob); keydata keyd; memset(&keyd, 0x0, sizeof(keyd)); ret = TPM_WriteKeyPub(&keyblob, &migkey); if ((ret & ERR_MASK) != 0) { printf("Could not serialize the keydata: %s\n", TPM_GetErrMsg(ret)); exit(-1); } ret = TPM_AuthorizeMigrationKey(passptr1, migscheme, // migration scheme &keyblob, // public key to be authorized &migblob); if (0 == ret) { unsigned char rndblob[1024]; uint32_t rndblen = sizeof(rndblob); unsigned char outblob[1024]; uint32_t outblen = sizeof(outblob); unsigned char sourceKeyDigest[TPM_DIGEST_SIZE]; unsigned char encblob[1024]; uint32_t encblen; memcpy(encblob, q.encData.buffer, q.encData.size); encblen = q.encData.size; if (0!= ret) { printf("Error occurred while creating encrypted blob.\n"); exit (-1); } TPM_HashPubKey(&q,sourceKeyDigest); printf("parhandle = %x\n",parhandle); /* * Now call the TPM_CreateMigrationBlob function. */ ret = TPM_CMK_CreateBlob(parhandle, // handle of a key that can decrypt the encblob below aptr1, // password for that parent key migscheme, &migblob, sourceKeyDigest, &msaList, restrictTicketParameter, /* either NULL or restrictTicket */ sigTicket, sigTicketSize, encblob, encblen, // encrypted private key that will show up re-encrypted in outblob rndblob, &rndblen, // output: used for xor encryption outblob, &outblen);// output: re-encrypted private key if (0 == ret) { if (NULL != filename) { STACK_TPM_BUFFER(keybuf) // serialize the key in 'q' ret = TPM_WriteKey(&keybuf,&q); if (ret > 0) { unsigned int keybuflen = ret; FILE * f = fopen(filename,"wb"); if (NULL != f) { struct tpm_buffer * filebuf = TSS_AllocTPMBuffer(10240); if (NULL != filebuf) { int l; l = TSS_buildbuff("@ @ @",filebuf, rndblen, rndblob, outblen, outblob, keybuflen, keybuf.buffer); fwrite(filebuf->buffer, l, 1, f); fclose(f); TSS_FreeTPMBuffer(filebuf); printf("Wrote migration blob and associated data to file.\n"); ret = 0; } else { printf("Error. Could not allocate memory.\n"); ret = -1; } } else { printf("Error. Could not write blob to file.\n"); ret = -1; } } else { printf("Error while serializing key!\n"); } } else { } } else { printf("CMK_CreateBlob returned '%s' (%d).\n", TPM_GetErrMsg(ret), ret); } } else { printf("AuthorizeMigrationKey returned '%s' (0x%x).\n", TPM_GetErrMsg(ret), ret); } } else { } } else { } return ret; }
int main(int argc, char *argv[]) { unsigned char passhash1[20]; char * ownpass = NULL; int ret; char * filename = NULL; uint32_t keyhandle = 0; STACK_TPM_BUFFER(keybuf); keydata k; int i = 1; memset(&k, 0x0, sizeof(k)); TPM_setlog(0); for (i=1 ; i<argc ; i++) { if (!strcmp(argv[i], "-pwdo")) { i++; if (i < argc) { ownpass = argv[i]; } else { printf("Missing parameter to -pwdo\n"); printUsage(); } } else if (strcmp(argv[i],"-hk") == 0) { i++; if (i < argc) { /* convert key handle from hex */ if (1 != sscanf(argv[i], "%x", &keyhandle)) { printf("Invalid -hk argument '%s'\n",argv[i]); exit(2); } } else { printf("-hk option needs a value\n"); printUsage(); } } else if (strcmp(argv[i],"-of") == 0) { i++; if (i < argc) { filename = argv[i]; } else { printf("-of option needs a value\n"); printUsage(); } } else if (!strcmp(argv[i], "-h")) { printUsage(); } else if (!strcmp(argv[i], "-v")) { TPM_setlog(1); } else { printf("\n%s is not a valid option\n", argv[i]); printUsage(); } } if ((ownpass == NULL) || (keyhandle == 0) || (filename == NULL)) { printf("Missing argument\n"); printUsage(); exit(2); } TSS_sha1(ownpass,strlen(ownpass),passhash1); ret = TPM_OwnerReadInternalPub(keyhandle, passhash1, &k.pub); if (0 != ret) { printf("OwnerReadInternalPub returned error '%s' (0x%x).\n", TPM_GetErrMsg(ret), ret); } else { uint32_t ret; FILE * f = fopen(filename, "wb"); ret = TPM_WriteKeyPub(&keybuf, &k); if (NULL != f) { fwrite(keybuf.buffer,keybuf.used,1,f); fclose(f); } } exit(ret); }
int main(int argc, char * argv[]) { char * migrationkeyfile = NULL; char * filename = NULL; char * migrationKeyPassword = NULL; unsigned char migrationkeyUsageAuth[TPM_DIGEST_SIZE]; unsigned char * passptr = NULL; uint32_t ret = 0; int i = 0; keydata migrationkey; int verbose = FALSE; uint32_t migrationkeyhandle = 0; unsigned char * buffer = NULL; uint32_t bufferSize = 0; i = 1; TPM_setlog(0); while (i < argc) { if (!strcmp("-if",argv[i])) { i++; if (i < argc) { filename = argv[i]; } else { printf("Missing parameter for -if.\n"); usage(); exit(-1); } } else if (!strcmp("-pwdm",argv[i])) { i++; if (i < argc) { migrationKeyPassword = argv[i]; } else { printf("Missing parameter for -pwdm.\n"); usage(); exit(-1); } } else if (!strcmp("-hm",argv[i])) { i++; if (i < argc) { sscanf(argv[i],"%x",&migrationkeyhandle); } else { printf("Missing parameter for -hm.\n"); usage(); exit(-1); } } else if (!strcmp("-ik",argv[i])) { i++; if (i < argc) { migrationkeyfile = argv[i]; } else { printf("Missing parameter for -ik.\n"); usage(); exit(-1); } } else if (!strcmp("-v",argv[i])) { verbose = TRUE; TPM_setlog(1); } else if (!strcmp("-h",argv[i])) { usage(); exit(-1); } else { printf("\n%s is not a valid option\n", argv[i]); usage(); exit(-1); } i++; } if (NULL == migrationkeyfile || NULL == filename || -1 == (int)migrationkeyhandle) { printf("Missing or wrong parameter.\n"); usage(); exit(-1); } if (NULL != migrationKeyPassword) { TSS_sha1(migrationKeyPassword, strlen(migrationKeyPassword), migrationkeyUsageAuth); passptr = migrationkeyUsageAuth; } /* * load the key to be migrated from a file. */ ret = 0; buffer = readFile(filename, &bufferSize); if (NULL != buffer) { unsigned int offset = 0; unsigned char * encblob = NULL; uint32_t encsize = 0; unsigned char * rndblob = NULL; uint32_t rndsize = 0; uint32_t keysize = 0; unsigned char * keyblob = NULL; keydata tobemigkey; STACK_TPM_BUFFER(tb) rndsize = LOAD32(buffer,offset); offset += 4; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } rndblob = &buffer[offset]; offset += rndsize; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } encsize = LOAD32(buffer,offset); offset += 4; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } encblob = &buffer[offset]; offset += encsize; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } keysize = LOAD32(buffer,offset); offset += 4; if (offset > bufferSize) { printf("Bad input file. Exiting.\n"); return -1; } keyblob = &buffer[offset]; offset += keysize; if (offset != bufferSize) { printf("Bad input file. Exiting"); return -1; } SET_TPM_BUFFER(&tb, keyblob, keysize); TSS_KeyExtract(&tb,0,&tobemigkey); /* * load the migration key from the destination * TPM from a file. Need the public key part of * that key. */ ret = loadKey(migrationkeyfile, &migrationkey); if (0 == ret) { STACK_TPM_BUFFER(keyblob) uint32_t keyblen = 0; unsigned char * reencData = malloc(encsize); uint32_t reencDataSize = encsize; if (NULL == encblob || NULL == reencData) { printf("Could not get memory for encryted private key blob.\n"); exit (-1); } ret = TPM_WriteKeyPub(&keyblob, &migrationkey); if (ret & ERR_MASK) { printf("Could not serialize the keydata!\n"); free(reencData); exit(-1); } keyblen = ret; ret = TPM_MigrateKey(migrationkeyhandle, passptr, keyblob.buffer, keyblen, encblob, encsize, reencData, &reencDataSize); if (0 == ret) { STACK_TPM_BUFFER(keybuf) // serialize the key to be migrated ret = TPM_WriteKey(&keybuf,&tobemigkey); if (ret > 0) { unsigned int keybuflen = ret; FILE * f = fopen(filename,"wb"); if (NULL != f) { struct tpm_buffer *filebuf = TSS_AllocTPMBuffer(10240); if (NULL != filebuf) { int l; l = TSS_buildbuff("@ @ @",filebuf, rndsize, rndblob, reencDataSize, reencData, keybuflen, keybuf.buffer); fwrite(filebuf->buffer, l, 1, f); fclose(f); printf("Wrote migration blob and associated data to file.\n"); ret = 0; TSS_FreeTPMBuffer(filebuf); } else { printf("Error. Could not allocate memory.\n"); ret = -1; } } } } else { printf("MigrateKey returned '%s' (0x%x).\n", TPM_GetErrMsg(ret), ret); } free(reencData); } else { printf("Error. Could not load the migration key."); } } else { printf("Error. Could not load the blob from file '%s'.\n", filename); } return ret; }