TSS2_RC EncryptCFB( SESSION *session, TPM2B_MAX_BUFFER *encryptedData, TPM2B_MAX_BUFFER *clearData, TPM2B_AUTH *authValue )
{
TSS2_RC rval = TSS2_RC_SUCCESS;
TPM2B_MAX_BUFFER encryptKey;
TPM2B_IV ivIn, ivOut;
TPM_HANDLE keyHandle;
TPM2B_NAME keyName;
TSS2_SYS_CONTEXT *sysContext;
// Authorization structure for command.
TPMS_AUTH_COMMAND sessionData;
// Create and init authorization area for command:
// only 1 authorization area.
TPMS_AUTH_COMMAND *sessionDataArray[1] = { &sessionData };
// Authorization array for command (only has one auth structure).
TSS2_SYS_CMD_AUTHS sessionsData = { 1, &sessionDataArray[0] };
sysContext = InitSysContext( 1000, resMgrTctiContext, &abiVersion );
if( sysContext == 0 )
{
TeardownSysContext( &sysContext );
return TSS2_APP_RC_TEARDOWN_SYS_CONTEXT_FAILED;
}
rval = GenerateSessionEncryptDecryptKey( session, &encryptKey, &ivIn, authValue );
if( rval == TSS2_RC_SUCCESS )
{
rval = LoadSessionEncryptDecryptKey( &session->symmetric, &encryptKey, &keyHandle, &keyName );
if( rval == TSS2_RC_SUCCESS )
{
// Encrypt the data.
sessionData.sessionHandle = TPM_RS_PW;
sessionData.nonce.t.size = 0;
*( (UINT8 *)((void *)&sessionData.sessionAttributes ) ) = 0;
sessionData.hmac.t.size = 0;
encryptedData->t.size = sizeof( *encryptedData ) - 1;
ivOut.t.size = sizeof( ivOut ) - 2;
rval = Tss2_Sys_EncryptDecrypt( sysContext, keyHandle, &sessionsData, NO, TPM_ALG_CFB, &ivIn,
clearData, encryptedData, &ivOut, 0 );
if( rval == TSS2_RC_SUCCESS )
{
rval = Tss2_Sys_FlushContext( sysContext, keyHandle );
}
}
}
TeardownSysContext( &sysContext );
return rval;
}
int makeCredential()
{
UINT32 rval;
TPMS_AUTH_RESPONSE sessionDataOut;
TSS2_SYS_RSP_AUTHS sessionsDataOut;
TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
TPM2B_NAME nameExt = { { sizeof(TPM2B_NAME)-2, } };
TPM2B_ID_OBJECT credentialBlob = { { 0 }, };
TPM2B_ENCRYPTED_SECRET secret;
sessionDataOutArray[0] = &sessionDataOut;
sessionsDataOut.rspAuths = &sessionDataOutArray[0];
sessionsDataOut.rspAuthsCount = 1;
rval = Tss2_Sys_LoadExternal(sysContext, 0, NULL , &inPublic,TPM_RH_NULL,&handle2048rsa, &nameExt, &sessionsDataOut);
if(rval != TPM_RC_SUCCESS)
{
printf("\n......LoadExternal failed. TPM Error:0x%x......\n", rval);
return -1;
}
printf("LoadExternal succ.\n");
rval = Tss2_Sys_MakeCredential(sysContext, handle2048rsa, 0, &inCredential, &objectName,&credentialBlob, &secret, &sessionsDataOut);
if(rval != TPM_RC_SUCCESS)
{
printf("\n......MakeCredential failed. TPM Error:0x%x......\n", rval);
return -2;
}
printf("MakeCredential succ.\n");
rval = Tss2_Sys_FlushContext(sysContext, handle2048rsa);
if( rval != TPM_RC_SUCCESS )
{
printf("\n......Flush loaded key failed. TPM Error:0x%x......\n", rval);
return -3;
}
printf("Flush loaded key succ.\n");
if(writeCrtSecToFile(outFilePath,&credentialBlob,&secret))
return -4;
printf("OutFile: %s completed!\n\n",outFilePath);
return 0;
}
int createEKHandle()
{
UINT32 rval;
TPMS_AUTH_COMMAND sessionData;
TPMS_AUTH_RESPONSE sessionDataOut;
TSS2_SYS_CMD_AUTHS sessionsData;
TSS2_SYS_RSP_AUTHS sessionsDataOut;
TPMS_AUTH_COMMAND *sessionDataArray[1];
TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
TPM2B_SENSITIVE_CREATE inSensitive = { { sizeof(TPM2B_SENSITIVE_CREATE) - 2, } };
TPM2B_PUBLIC inPublic = { { sizeof(TPM2B_PUBLIC) - 2, } };
TPM2B_DATA outsideInfo = { { 0, } };
TPML_PCR_SELECTION creationPCR;
TPM2B_NAME name = { { sizeof(TPM2B_NAME) - 2, } };
TPM2B_PUBLIC outPublic = { { 0, } };
TPM2B_CREATION_DATA creationData = { { 0, } };
TPM2B_DIGEST creationHash = { { sizeof(TPM2B_DIGEST) - 2, } };
TPMT_TK_CREATION creationTicket = { 0, };
TPM_HANDLE handle2048ek;
sessionDataArray[0] = &sessionData;
sessionDataOutArray[0] = &sessionDataOut;
sessionsDataOut.rspAuths = &sessionDataOutArray[0];
sessionsData.cmdAuths = &sessionDataArray[0];
sessionsDataOut.rspAuthsCount = 1;
sessionsData.cmdAuthsCount = 1;
sessionData.sessionHandle = TPM_RS_PW;
sessionData.nonce.t.size = 0;
sessionData.hmac.t.size = 0;
*((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0;
// use enAuth in Tss2_Sys_CreatePrimary
if (strlen(endorsePasswd) > 0 && !hexPasswd)
{
sessionData.hmac.t.size = strlen(endorsePasswd);
memcpy( &sessionData.hmac.t.buffer[0], endorsePasswd, sessionData.hmac.t.size );
}
else if (strlen(endorsePasswd) > 0 && hexPasswd)
{
sessionData.hmac.t.size = sizeof(sessionData.hmac) - 2;
if (hex2ByteStructure(endorsePasswd, &sessionData.hmac.t.size,
sessionData.hmac.t.buffer) != 0)
{
printf( "Failed to convert Hex format password for endorsePasswd.\n");
return -1;
}
}
if (strlen(ekPasswd) > 0 && !hexPasswd)
{
sessionData.hmac.t.size = strlen(ekPasswd);
memcpy( &sessionData.hmac.t.buffer[0], ekPasswd, sessionData.hmac.t.size );
}
else if (strlen(ekPasswd) > 0 && hexPasswd)
{
inSensitive.t.sensitive.userAuth.t.size = sizeof(inSensitive.t.sensitive.userAuth) - 2;
if (hex2ByteStructure(ekPasswd,
&inSensitive.t.sensitive.userAuth.t.size,
inSensitive.t.sensitive.userAuth.t.buffer) != 0)
{
printf( "Failed to convert Hex format password for ekPasswd.\n");
return -1;
}
}
inSensitive.t.sensitive.data.t.size = 0;
inSensitive.t.size = inSensitive.t.sensitive.userAuth.b.size + 2;
if ( setKeyAlgorithm(algorithmType, inSensitive, inPublic) )
return -1;
creationPCR.count = 0;
/*To Create EK*/
rval = Tss2_Sys_CreatePrimary(sysContext, TPM_RH_ENDORSEMENT, &sessionsData, &inSensitive, &inPublic,
&outsideInfo, &creationPCR, &handle2048ek, &outPublic, &creationData, &creationHash,
&creationTicket, &name, &sessionsDataOut);
if ( rval != TPM_RC_SUCCESS )
{
printf("\n......TPM2_CreatePrimary Error. TPM Error:0x%x......\n", rval);
return -2;
}
printf("\nEK create succ.. Handle: 0x%8.8x\n", handle2048ek);
if (!nonPersistentRead)
{
// To make EK persistent, use own auth
sessionData.hmac.t.size = 0;
if (strlen(ownerPasswd) > 0 && !hexPasswd)
{
sessionData.hmac.t.size = strlen(ownerPasswd);
memcpy( &sessionData.hmac.t.buffer[0], ownerPasswd, sessionData.hmac.t.size );
}
else if (strlen(ownerPasswd) > 0 && hexPasswd)
{
sessionData.hmac.t.size = sizeof(sessionData.hmac) - 2;
if (hex2ByteStructure(ownerPasswd, &sessionData.hmac.t.size,
sessionData.hmac.t.buffer) != 0)
{
printf( "Failed to convert Hex format password for ownerPasswd.\n");
return -1;
}
}
rval = Tss2_Sys_EvictControl(sysContext, TPM_RH_OWNER, handle2048ek, &sessionsData, persistentHandle, &sessionsDataOut);
if ( rval != TPM_RC_SUCCESS )
{
printf("\n......EvictControl:Make EK persistent Error. TPM Error:0x%x......\n", rval);
return -3;
}
printf("EvictControl EK persistent succ.\n");
}
rval = Tss2_Sys_FlushContext(sysContext, handle2048ek);
if ( rval != TPM_RC_SUCCESS )
{
printf("\n......Flush transient EK failed. TPM Error:0x%x......\n", rval);
return -4;
}
printf("Flush transient EK succ.\n");
// save ek public
if ( saveDataToFile(outputFile, (UINT8 *)&outPublic, sizeof(outPublic)) )
{
printf("\n......Failed to save EK pub key into file(%s)......\n", outputFile);
return -5;
}
return 0;
}
//
// This function does an HMAC on a null-terminated list of input buffers.
//
UINT32 TpmHmac( TPMI_ALG_HASH hashAlg, TPM2B *key, TPM2B **bufferList, TPM2B_DIGEST *result )
{
TPM2B_AUTH nullAuth;
TPMI_DH_OBJECT sequenceHandle;
int i;
TPM2B emptyBuffer;
TPMT_TK_HASHCHECK validation;
TPMS_AUTH_COMMAND *sessionDataArray[1];
TPMS_AUTH_COMMAND sessionData;
TSS2_SYS_CMD_AUTHS sessionsData;
TPM2B_AUTH hmac;
TPM2B_NONCE nonce;
TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
TPMS_AUTH_RESPONSE sessionDataOut;
TSS2_SYS_RSP_AUTHS sessionsDataOut;
UINT32 rval;
TPM_HANDLE keyHandle;
TPM2B_NAME keyName;
TPM2B keyAuth;
TSS2_SYS_CONTEXT *sysContext;
sessionDataArray[0] = &sessionData;
sessionDataOutArray[0] = &sessionDataOut;
// Set result size to 0, in case any errors occur
result->b.size = 0;
keyAuth.size = 0;
nullAuth.t.size = 0;
rval = LoadExternalHMACKey( hashAlg, key, &keyHandle, &keyName );
if( rval != TPM_RC_SUCCESS )
{
return( rval );
}
// Init input sessions struct
sessionData.sessionHandle = TPM_RS_PW;
nonce.t.size = 0;
sessionData.nonce = nonce;
CopySizedByteBuffer( &(hmac.b), &keyAuth );
sessionData.hmac = hmac;
*( (UINT8 *)((void *)&( sessionData.sessionAttributes ) ) ) = 0;
sessionsData.cmdAuthsCount = 1;
sessionsData.cmdAuths = &sessionDataArray[0];
// Init sessions out struct
sessionsDataOut.rspAuthsCount = 1;
sessionsDataOut.rspAuths = &sessionDataOutArray[0];
emptyBuffer.size = 0;
sysContext = InitSysContext( 3000, resMgrTctiContext, &abiVersion );
if( sysContext == 0 )
return TSS2_APP_ERROR_LEVEL + TPM_RC_FAILURE;
rval = Tss2_Sys_HMAC_Start( sysContext, keyHandle, &sessionsData, &nullAuth, hashAlg, &sequenceHandle, 0 );
if( rval != TPM_RC_SUCCESS )
return( rval );
hmac.t.size = 0;
sessionData.hmac = hmac;
for( i = 0; bufferList[i] != 0; i++ )
{
rval = Tss2_Sys_SequenceUpdate ( sysContext, sequenceHandle, &sessionsData, (TPM2B_MAX_BUFFER *)( bufferList[i] ), &sessionsDataOut );
if( rval != TPM_RC_SUCCESS )
return( rval );
}
result->t.size = sizeof( TPM2B_DIGEST ) - 2;
rval = Tss2_Sys_SequenceComplete ( sysContext, sequenceHandle, &sessionsData, ( TPM2B_MAX_BUFFER *)&emptyBuffer,
TPM_RH_PLATFORM, result, &validation, &sessionsDataOut );
if( rval != TPM_RC_SUCCESS )
return( rval );
rval = Tss2_Sys_FlushContext( sysContext, keyHandle );
TeardownSysContext( &sysContext );
return rval;
}
int activateCredential()
{
UINT32 rval;
TPM2B_DIGEST certInfoData = { { sizeof(certInfoData)-2, } };
printf("\nACTIVATE CREDENTIAL TESTS:\n");
cmdAuth.sessionHandle = TPM_RS_PW;
cmdAuth2.sessionHandle = TPM_RS_PW;
*((UINT8 *)((void *)&cmdAuth.sessionAttributes)) = 0;
*((UINT8 *)((void *)&cmdAuth2.sessionAttributes)) = 0;
*((UINT8 *)((void *)&cmdAuth3.sessionAttributes)) = 0;
TPMS_AUTH_COMMAND *cmdSessionArray[2] = { &cmdAuth, &cmdAuth3 };
TSS2_SYS_CMD_AUTHS cmdAuthArray = { 2, &cmdSessionArray[0] };
TPMS_AUTH_COMMAND *cmdSessionArray1[1] = { &cmdAuth2 };
TSS2_SYS_CMD_AUTHS cmdAuthArray1 = { 1, &cmdSessionArray1[0] };
SESSION *session;
TPM2B_ENCRYPTED_SECRET encryptedSalt = { { 0, } };
TPM2B_NONCE nonceCaller = { { 0, } };
TPMT_SYM_DEF symmetric;
symmetric.algorithm = TPM_ALG_NULL;
if (cmdAuth.hmac.t.size > 0 && hexPasswd)
{
cmdAuth.hmac.t.size = sizeof(cmdAuth.hmac) - 2;
if (hex2ByteStructure((char *)cmdAuth.hmac.t.buffer,
&cmdAuth.hmac.t.size,
cmdAuth.hmac.t.buffer) != 0)
{
printf( "Failed to convert Hex format password for handlePasswd.\n");
return -1;
}
}
if (cmdAuth2.hmac.t.size > 0 && hexPasswd)
{
cmdAuth2.hmac.t.size = sizeof(cmdAuth2.hmac) - 2;
if (hex2ByteStructure((char *)cmdAuth2.hmac.t.buffer,
&cmdAuth2.hmac.t.size,
cmdAuth2.hmac.t.buffer) != 0)
{
printf( "Failed to convert Hex format password for endorsePasswd.\n");
return -1;
}
}
rval = StartAuthSessionWithParams( &session, TPM_RH_NULL, 0, TPM_RH_NULL,
0, &nonceCaller, &encryptedSalt, TPM_SE_POLICY, &symmetric, TPM_ALG_SHA256 );
if( rval != TPM_RC_SUCCESS )
{
printf("\n......StartAuthSessionWithParams Error. TPM Error:0x%x......\n", rval);
return -1;
}
printf("\nStartAuthSessionWithParams succ.......\n");
rval = Tss2_Sys_PolicySecret(sysContext, TPM_RH_ENDORSEMENT, session->sessionHandle, &cmdAuthArray1, 0, 0, 0, 0, 0, 0, 0);
if( rval != TPM_RC_SUCCESS )
{
printf("\n......Tss2_Sys_PolicySecret Error. TPM Error:0x%x......\n", rval);
return -2;
}
printf("\nTss2_Sys_PolicySecret succ.......\n");
cmdAuth3.sessionHandle = session->sessionHandle;
cmdAuth3.sessionAttributes.continueSession = 1;
cmdAuth3.hmac.t.size = 0;
rval = Tss2_Sys_ActivateCredential(sysContext, activateHandle, keyHandle, &cmdAuthArray, &credentialBlob, &secret, &certInfoData, 0);
if(rval != TPM_RC_SUCCESS)
{
printf("\n......ActivateCredential failed. TPM Error:0x%x......\n", rval);
return -3;
}
printf("\nActivate Credential succ.\n");
// Need to flush the session here.
rval = Tss2_Sys_FlushContext( sysContext, session->sessionHandle );
if( rval != TPM_RC_SUCCESS )
{
printf("\n......TPM2_Sys_FlushContext Error. TPM Error:0x%x......\n", rval);
return -4;
}
// And remove the session from sessions table.
rval = EndAuthSession( session );
if( rval != TPM_RC_SUCCESS )
{
printf("\n......EndAuthSession Error. TPM Error:0x%x......\n", rval);
return -5;
}
printf("\nCertInfoData :\n");
for (int k = 0; k<certInfoData.t.size; k++)
{
printf("0x%.2x ", certInfoData.t.buffer[k]);
}
printf("\n\n");
if(saveDataToFile(outFilePath, certInfoData.t.buffer, certInfoData.t.size) == 0)
printf("OutFile %s completed!\n",outFilePath);
else
return -6;
return 0;
}
