static TPM_RESULT execute_TPM_LoadKey(TPM_REQUEST *req, TPM_RESPONSE *rsp)
{
BYTE *ptr;
UINT32 len;
TPM_KEY_HANDLE parentHandle;
TPM_KEY inKey;
TPM_KEY_HANDLE inkeyHandle;
TPM_RESULT res;
/* compute parameter digest */
tpm_compute_in_param_digest(req);
/* unmarshal input */
ptr = req->param;
len = req->paramSize;
if (tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &parentHandle)
|| tpm_unmarshal_TPM_KEY(&ptr, &len, &inKey)
|| len != 0) return TPM_BAD_PARAMETER;
/* execute command */
res = TPM_LoadKey(parentHandle, &inKey, &req->auth1, &inkeyHandle);
if (res != TPM_SUCCESS) return res;
/* marshal output */
rsp->paramSize = len = 4;
rsp->param = ptr = malloc(len);
if (ptr == NULL
|| tpm_marshal_TPM_KEY_HANDLE(&ptr, &len, inkeyHandle)) {
free(rsp->param);
res = TPM_FAIL;
}
return res;
}
int main(int argc, char **argv)
{
int fd, size, i, ret;
uint32_t kh, pcrs;
unsigned char buf[1024], hash[20], pass[20];
char *srkpass, *keyfile, ch;
/* SHA1 hash of TPM's SRK password */
char *tpmhash = "\x71\x10\xed\xa4\xd0\x9e\x06\x2a\xa5\xe4\xa3"
"\x90\xb0\xa5\x72\xac\x0d\x2c\x02\x20";
char *nonce = "\x80\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0"
"\x0\x0\x0\x0\x1";
keydata k;
RSA *rpub;
srkpass = keyfile = NULL;
while ((ch = getopt(argc, argv, "hs:f:")) != -1) {
switch (ch) {
case 's':
srkpass = optarg;
break;
case 'f':
keyfile = optarg;
break;
case 'h':
default:
usage(argv[0]);
break;
}
}
if (!srkpass)
usage(argv[0]);
if (!keyfile)
keyfile = "key.blob";
SHA1(srkpass, strlen(srkpass), pass);
fd = open(keyfile, O_RDONLY);
if (fd == -1)
errx(1, "couldn't open %s\n", keyfile);
size = read(fd, buf, 1024);
if (size == -1)
errx(1, "couldn't read\n");
size = TSS_KeyExtract(buf, &k);
printf("keybuf size: %d\n", size);
close(fd);
printf("loading . . .\n");
/* 0x40000000 is the UID for the SRK */
if (ret = TPM_LoadKey(0x40000000, pass, &k, &kh)) {
printf("%s\n", TPM_GetErrMsg(ret));
errx(1, "TPM_LoadKey\n");
}
/* Quote PCR 0 */
printf("quoting . . .\n");
if (ret = TPM_Quote(kh, (0x00000001 << 0), pass, nonce, &pcomp, buf,
&size)) {
printf("%s\n", TPM_GetErrMsg(ret));
errx(1, "TPM_Quote\n");
}
/* TPM will run out of memory if you forget to evict keys. This can be
* fixed with a good ol' reboot.*/
printf("evicting. . .\n");
if (ret = TPM_EvictKey(kh)) {
printf("%s\n", TPM_GetErrMsg(ret));
errx(1, "TPM_EvictKey\n");
}
/* Compute composite hash */
SHA1((char*)&pcomp, sizeof(pcomp), hash);
printf("slen: %d\n", ntohs(pcomp.slen));
printf("select: 0x%x\n", pcomp.s);
printf("plen %d\n", ntohl(pcomp.plen));
printf("pcr hash: ");
for (i = 0; i < 20; i++)
printf("%02x ", pcomp.p[i]);
printf("\n");
printf("composite hash: ");
for (i = 0; i < 20; i++)
printf("%02x ", hash[i]);
printf("\n");
printf("signed blob len: %d\n", size);
printf("signed blob: ");
for (i = 0; i < size; i++)
printf("%02x ", buf[i]);
printf("\n");
/* See if the signed object matches the composite hash concatenated
* with the nonce */
signedhash.fixed[0] = 1; signedhash.fixed[1] = 1;
signedhash.fixed[2] = 0; signedhash.fixed[3] = 0;
signedhash.fixed[4] = 'Q'; signedhash.fixed[5] = 'U';
signedhash.fixed[6] = 'O'; signedhash.fixed[7] = 'T';
memcpy(&signedhash.comphash, hash, 20);
memcpy(&signedhash.nonce, nonce, 20);
SHA1((char*)&signedhash, sizeof(signedhash), hash);
/* Gives us an RSA public key from the TPM key */
rpub = TSS_convpubkey(&k.pub);
if (!rpub)
errx(1, "TSS_convpubkey\n");
if (!RSA_verify(NID_sha1, hash, 20, buf, size, rpub))
printf("SIGNATURE FAILED\n");
else
printf("Signature is correct\n");
return 0;
}
int main(int argc, char * argv[]) {
uint32_t ret = 0;
int i = 0;
int verbose = FALSE;
uint32_t migkeyhandle = 0;
char * filename = NULL;
unsigned char * buffer = NULL;
unsigned char keypasshash[TPM_HASH_SIZE];
char * keypass = NULL;
uint16_t migscheme = TPM_MS_MIGRATE;
unsigned char * keyhashptr = NULL;
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-if",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing mandatory parameter for -if.\n");
usage();
}
}
else if (!strcmp("-hp",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&migkeyhandle);
} else {
printf("Missing mandatory parameter for -hp.\n");
usage();
}
}
else if (!strcmp("-pwdp",argv[i])) {
i++;
if (i < argc) {
keypass = argv[i];
} else {
printf("Missing mandatory parameter for -pwdp.\n");
usage();
}
}
else if (!strcmp("-rewrap",argv[i])) {
migscheme = TPM_MS_REWRAP;
}
else if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
usage();
}
else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
}
i++;
}
if (0 == migkeyhandle ||
NULL == filename) {
printf("Missing mandatory parameter.\n");
usage();
}
if (NULL != keypass) {
TSS_sha1(keypass,strlen(keypass),keypasshash);
keyhashptr = keypasshash;
} else {
keyhashptr = NULL;
}
buffer = readFile(filename);
if (NULL != buffer) {
int offset = 0;
unsigned char * encblob = NULL;
uint32_t encsize = 0;
unsigned char * rndblob = NULL;
uint32_t rndsize = 0;
uint32_t keysize = 0;
unsigned char * keyblob = NULL;
unsigned char * outblob = NULL;
uint32_t outblen;
keydata newkey;
STACK_TPM_BUFFER( tb );
rndsize = LOAD32(buffer,offset); offset += 4;
rndblob = &buffer[offset]; offset += rndsize;
encsize = LOAD32(buffer,offset); offset += 4;
encblob = &buffer[offset]; offset += encsize;
keysize = LOAD32(buffer,offset); offset += 4;
keyblob = &buffer[offset]; offset += keysize;
SET_TPM_BUFFER(&tb, keyblob, keysize);
TSS_KeyExtract(&tb, 0,&newkey);
outblob = malloc(encsize);
if (NULL == outblob) {
printf("Error allocating memory for decrypted blob.\n");
exit(-1);
}
outblen = encsize;
if (TPM_MS_REWRAP == migscheme || 0 == rndsize) {
memcpy(newkey.encData.buffer,
encblob,
encsize);
newkey.encData.size = outblen;
ret = 0;
} else {
ret = TPM_ConvertMigrationBlob(migkeyhandle,
keyhashptr,
rndblob, rndsize,
encblob, encsize,
outblob, &outblen);
if (0 == ret) {
memcpy(newkey.encData.buffer,
outblob,
outblen);
newkey.encData.size = outblen;
} else {
printf("ConvertMigrationBlob returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
}
if (0 == ret) {
uint32_t newhandle;
ret = TPM_LoadKey(migkeyhandle,
keyhashptr,
&newkey,
&newhandle);
if (0 == ret) {
printf("Successfully loaded key into TPM.\n"
"New Key Handle = %08X\n",
newhandle);
} else {
printf("LoadKey returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
}
}
return ret;
}
