Commit fe54d0e3 authored by Robert Ricci's avatar Robert Ricci

Merge remote branch 'cody/tspitools-update'

parents 55419572 9e28cf46
......@@ -11,3 +11,5 @@ all:
libtpm/hmac.c libtpm/keys.c libtpm/migrate.c libtpm/miscfunc.c \
libtpm/oiaposap.c libtpm/owner.c libtpm/pcrs.c libtpm/seal.c \
libtpm/signature.c libtpm/tpmutil.c -Ilibtpm -lcrypto
clean:
rm -f idkey keygen doquote tpm-signoff getpub loadkey fail pcrcomposite ltpmloadkey
......@@ -87,6 +87,7 @@ main(void)
TSS_HTPM hTPM;
UINT32 srklen, bloblen;
BYTE *srkpub, blob[1024];
BYTE wellknown[20] = TSS_WELL_KNOWN_SECRET;
TSS_HPCRS hpcomp;
TSS_VALIDATION valdata;
TSS_HHASH hHash;
......@@ -121,7 +122,7 @@ main(void)
/* srk password */
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_SHA1, 20, wellknown);
check("policy set secret", ret);
/* owner TPM password */
......
......@@ -58,6 +58,7 @@ main(void)
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_UUID myuuid = {1,1,1,1,1,{1,1,1,1,1,1}};
TSS_HPOLICY srkpol;
BYTE wellknown[20] = TSS_WELL_KNOWN_SECRET;
int ret,i;
int plen = 0;
......@@ -78,7 +79,7 @@ main(void)
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_SHA1, 20, wellknown);
check("policy set secret", ret);
ret = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, myuuid,
......
......@@ -5,6 +5,8 @@
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <err.h>
#include <errno.h>
......@@ -26,7 +28,12 @@
#define FATAL(x) do{printf("**\t");printf(x);printf("\n"); return 1;}while(0);
#define print_error(x,y) do{printf(x);}while(0);
void check(char *msg, int cin){
/*
* This code is hideous because it has never been loved properly.
*/
void check(char *msg, int cin)
{
int in = TSS_ERROR_CODE(cin);
printf("%s: ", msg);
if(in == TSS_SUCCESS)
......@@ -53,7 +60,38 @@ void check(char *msg, int cin){
printf("TSS_E_P_KEY_NOTFOUND\n");
else
printf("Not here: 0x%x\n", in);
return;
}
void check_fail(char *msg, int cin)
{
int in = TSS_ERROR_CODE(cin);
printf("%s: ", msg);
if(in == TSS_SUCCESS) {
printf("TSS_SUCCESS\n");
return;
} else if(in == TSS_E_INVALID_HANDLE)
printf("TSS_E_INVALID_HANDLE\n");
else if(in == TSS_E_INTERNAL_ERROR)
printf("TSS_E_INTERNAL_ERROR\n");
else if(in == TSS_E_BAD_PARAMETER)
printf("TSS_E_BAD_PARAMETER\n");
else if(in == TSS_E_HASH_INVALID_LENGTH)
printf("TSS_E_HASH_INVALID_LENGTH\n");
else if(in == TSS_E_HASH_NO_DATA)
printf("TSS_E_HASH_NO_DATA\n");
else if(in == TSS_E_INVALID_SIGSCHEME)
printf("TSS_E_INVALID_SIGSCHEME\n");
else if(in == TSS_E_HASH_NO_IDENTIFIER)
printf("TSS_E_HASH_NO_IDENTIFIER\n");
else if(in == TSS_E_PS_KEY_NOTFOUND)
printf("TSS_E_PS_KEY_NOTFOUND\n");
else if(in == TSS_E_BAD_PARAMETER)
printf("TSS_E_BAD_PARAMETER\n");
else if(in == TSS_E_PS_KEY_NOTFOUND)
printf("TSS_E_P_KEY_NOTFOUND\n");
else
printf("Not here: 0x%x\n", in);
exit(EXIT_FAILURE);
}
int blob_pubkey(char *out, unsigned int olen, char *in, unsigned int ilen,
......@@ -187,52 +225,75 @@ make_fake_key(TSS_HCONTEXT hContext, TSS_HKEY *hCAKey, RSA **rsa, int padding)
return TSS_SUCCESS;
}
void usage(char *name)
{
printf("\n");
printf("%s -t <tpmpass> -s <srkpass>\n", name);
printf("\n");
exit(EXIT_FAILURE);
}
int
main(void)
main(int argc, char **argv)
{
TSS_HCONTEXT hContext;
TSS_HKEY hKey, hSRK, hCAKey;
TSS_HPOLICY hPolicy, hTPMPolicy, hidpol;
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_UUID myuuid = {1,1,1,1,1,{1,1,1,1,1,1}};
TSS_HPOLICY srkpol;
TSS_HTPM hTPM;
UINT32 idbloblen;
BYTE *labelString = "My Identity Label";
UINT32 labelLen = strlen(labelString) + 1;
BYTE *rgbIdentityLabelData = NULL, *identityReqBlob;
UINT32 ulIdentityReqBlobLen;
int ret,i, blobos, fd;
RSA *rsa = NULL;
BYTE *blobo, *idblob;
RSA *rsa = NULL;
TSS_HCONTEXT hContext;
TSS_HKEY hKey, hSRK, hCAKey;
TSS_HPOLICY hTPMPolicy, hidpol;
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_HPOLICY srkpol;
TSS_HTPM hTPM;
UINT32 idbloblen, ch;
int ret,i, blobos, fd;
BYTE *srkpass, *tpmpass;
BYTE *blobo, *idblob;
srkpass = tpmpass = NULL;
while ((ch = getopt(argc, argv, "hs:t:")) != -1) {
switch (ch) {
case 's':
srkpass = optarg;
break;
case 't':
tpmpass = optarg;
break;
case 'h':
default:
usage(argv[0]);
break;
}
}
if (!srkpass || !tpmpass)
usage(argv[0]);
/* create context and connect */
ret = Tspi_Context_Create(&hContext);
check("context create", ret);
check_fail("context create", ret);
ret = Tspi_Context_Connect(hContext, NULL);
check("context connect", ret);
check_fail("context connect", ret);
ret = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, srkUUID,
&hSRK);
check("loadkeybyuuid", ret);
check_fail("loadkeybyuuid", ret);
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
check("policy set secret", ret);
check_fail("get policy object", ret);
//ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN,
strlen(srkpass), srkpass);
check_fail("policy set secret", ret);
ret = Tspi_Context_GetTpmObject(hContext, &hTPM);
check("get policy object", ret);
check_fail("get policy object", ret);
//Insert the owner auth into the TPM's policy
ret = Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hTPMPolicy);
check("get tpm policy", ret);
check_fail("get tpm policy", ret);
ret = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_PLAIN,
3, "123");
check("set owner secret", ret);
strlen(tpmpass), tpmpass);
check_fail("set owner secret", ret);
ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
//TSS_KEY_TYPE_STORAGE
......@@ -241,14 +302,14 @@ main(void)
| TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION
| TSS_KEY_NOT_MIGRATABLE | TSS_KEY_VOLATILE
, &hKey);
check("create object - key", ret);
check_fail("create object - key", ret);
ret = Tspi_GetPolicyObject(hKey, TSS_POLICY_USAGE, &hidpol);
check("get id key policy", ret);
check_fail("get id key policy", ret);
ret = Tspi_Policy_SetSecret(hidpol, TSS_SECRET_MODE_PLAIN,
4, "1234");
check("set idkey secret", ret);
strlen(srkpass), srkpass);
check_fail("set idkey secret", ret);
/* We must create this fake privacy CA key in software so that
* Tspi_TPM_CollateIdentityRequest will happily work. It needs it to
......@@ -256,7 +317,7 @@ main(void)
* attestion procedure. It is not needed in our setup though.
*/
ret = make_fake_key(hContext, &hCAKey, &rsa, RSA_PKCS1_OAEP_PADDING);
check("ca nonsense", ret);
check_fail("ca nonsense", ret);
/* We do not care about idblob - that is the certificate request that
* we are supposed to send to our CA in normal remote attestation. The
......@@ -264,14 +325,14 @@ main(void)
*/
ret = Tspi_TPM_CollateIdentityRequest(hTPM, hSRK, hCAKey, 8, "id label",
hKey, TSS_ALG_3DES, &idbloblen, &idblob);
check("collate id", ret);
check_fail("collate id", ret);
blobo = NULL;
/*ret = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, &blobos, &blobo);*/
ret = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_BLOB, &blobos, &blobo);
check("get blob", ret);
check_fail("get blob", ret);
if (!blobo) {
Tspi_Context_FreeMemory(hContext, NULL);
......@@ -301,4 +362,3 @@ main(void)
return 0;
}
......@@ -56,6 +56,7 @@ main(void)
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_UUID myuuid = {1,1,1,1,1,{1,1,1,1,1,1}};
TSS_HPOLICY srkpol;
BYTE wellknown[20] = TSS_WELL_KNOWN_SECRET;
int ret,i, blobos;
......@@ -72,7 +73,7 @@ main(void)
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_SHA1, 20, wellknown);
check("policy set secret", ret);
ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
......
......@@ -7,6 +7,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>
#include <fcntl.h>
#include <openssl/ssl.h>
......@@ -121,8 +122,16 @@ void pquote2(TSS_VALIDATION *valdata)
printf("info short %d\n", sizeof(TPM_PCR_INFO_SHORT));
}
void usage(char *name)
{
printf("\n");
printf("%s -t <tpmpass> -s <srkpass> [-f <keyfile>]\n", name);
printf("\n");
exit(EXIT_FAILURE);
}
int
main(void)
main(int argc, char **argv)
{
int ret, i, fd, j;
TSS_HCONTEXT hContext;
......@@ -138,23 +147,48 @@ main(void)
TSS_HHASH hHash;
TPM_QUOTE_INFO *qinfo;
TPM_QUOTE_INFO2 *qinfo2;
UINT32 rub1;
UINT32 rub1, ch;
BYTE *rub2;
BYTE *srkpass, *tpmpass, *keyfile;
RSA *rsa;
fd = open("key.blob", O_RDONLY, 0);
srkpass = tpmpass = keyfile = NULL;
while ((ch = getopt(argc, argv, "f:hs:t:")) != -1) {
switch (ch) {
case 's':
srkpass = optarg;
break;
case 't':
tpmpass = optarg;
break;
case 'f':
keyfile = optarg;
break;
case 'h':
default:
usage(argv[0]);
break;
}
}
if (!srkpass || !tpmpass)
usage(argv[0]);
if (!keyfile)
keyfile = "key.blob";
fd = open(keyfile, O_RDONLY, 0);
if (fd < 0)
errx(1, "Couldn't open key.blob\n");
errx(1, "Couldn't open %s\n", keyfile);
printf("opened; fd %d\n", fd);
bloblen = read(fd, blob, 1024);
if (bloblen == -1) {
perror(NULL);
errx(1, "error reading key.blob\n");
errx(1, "error reading %s\n", keyfile);
}
printf("read %d bytes from key.blob\n", bloblen);
printf("read %d bytes from %s\n", bloblen, keyfile);
/* create context and connect */
ret = Tspi_Context_Create(&hContext);
......@@ -169,7 +203,8 @@ main(void)
/* srk password */
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN,
strlen(srkpass), srkpass);
check("policy set secret", ret);
/* owner TPM password */
......
......@@ -7,6 +7,7 @@
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>
#include <fcntl.h>
......@@ -18,12 +19,55 @@
#include "libtpm/tpmkeys.h"
/* pcomp is the buffer that we must fill in with our PCR hash/info.
* The hash of this buffer (pcomp) is called the composite hash. After
* we have the composite hash, we stick the composite hash in the next
* buffer (signedhash), fill in the nonce field, and then hash
* signedhash. This hash is what the TPM gives to us but it is signed
* with the requested identity key.
*
* So if we decrypt the blob that the TPM gives us with the identity
* key's public key and it the resulting hash matches our hash with the
* expected PCR(s) and nonce, then the PCRs are indeed what we think
* they are.
*/
struct {
/* big endian */
unsigned short slen;
/* the length of this field is slen - it is 2 on our tpms.
* This field is a bitmask of which PCRS have been included.
* It is little endian. */
unsigned short s;
/* big endian */
uint32_t plen;
/* p will also be plen bytes long. I only request one PCR so
* it will be 20 bytes. */
unsigned char p[20];
} pcomp;
struct {
unsigned char fixed[8];
/* Hash of pcomp */
unsigned char comphash[20];
unsigned char nonce[20];
} signedhash;
void usage(char *name)
{
printf("\n");
printf("%s -s <srkpass> [-f <keyfile>]\n", name);
printf("\n");
exit(EXIT_FAILURE);
}
int main(int argc, char **argv)
{
int fd, size, i, ret;
uint32_t kh, pcrs;
unsigned char buf[1024], hash[20];
unsigned char buf[1024], hash[20], pass[20];
char *srkpass, *keyfile, ch;
/* SHA1 hash of TPM's SRK password */
char *tpmhash = "\x71\x10\xed\xa4\xd0\x9e\x06\x2a\xa5\xe4\xa3"
"\x90\xb0\xa5\x72\xac\x0d\x2c\x02\x20";
......@@ -32,42 +76,32 @@ int main(int argc, char **argv)
keydata k;
RSA *rpub;
/* pcomp is the buffer that we must fill in with our PCR hash/info.
* The hash of this buffer (pcomp) is called the composite hash. After
* we have the composite hash, we stick the composite hash in the next
* buffer (signedhash), fill in the nonce field, and then hash
* signedhash. This hash is what the TPM gives to us but it is signed
* with the requested identity key.
*
* So if we decrypt the blob that the TPM gives us with the identity
* key's public key and it the resulting hash matches our hash with the
* expected PCR(s) and nonce, then the PCRs are indeed what we think
* they are.
*/
struct {
/* big endian */
unsigned short slen;
/* the length of this field is slen - it is 2 on our tpms.
* This field is a bitmask of which PCRS have been included.
* It is little endian. */
unsigned short s;
/* big endian */
uint32_t plen;
/* p will also be plen bytes long. I only request one PCR so
* it will be 20 bytes. */
unsigned char p[20];
} pcomp;
struct {
unsigned char fixed[8];
/* Hash of pcomp */
unsigned char comphash[20];
unsigned char nonce[20];
} signedhash;
fd = open("key.blob", O_RDONLY);
srkpass = keyfile = NULL;
while ((ch = getopt(argc, argv, "hs:f:")) != -1) {
switch (ch) {
case 's':
srkpass = optarg;
break;
case 'f':
keyfile = optarg;
break;
case 'h':
default:
usage(argv[0]);
break;
}
}
if (!srkpass)
usage(argv[0]);
if (!keyfile)
keyfile = "key.blob";
SHA1(srkpass, strlen(srkpass), pass);
fd = open(keyfile, O_RDONLY);
if (fd == -1)
errx(1, "couldn't open key.blob\n");
errx(1, "couldn't open %s\n", keyfile);
size = read(fd, buf, 1024);
if (size == -1)
......@@ -80,14 +114,14 @@ int main(int argc, char **argv)
printf("loading . . .\n");
/* 0x40000000 is the UID for the SRK */
if (ret = TPM_LoadKey(0x40000000, tpmhash, &k, &kh)) {
if (ret = TPM_LoadKey(0x40000000, pass, &k, &kh)) {
printf("%s\n", TPM_GetErrMsg(ret));
errx(1, "TPM_LoadKey\n");
}
/* Quote PCR 0 */
printf("quoting . . .\n");
if (ret = TPM_Quote(kh, (0x00000001 << 0), tpmhash, nonce, &pcomp, buf,
if (ret = TPM_Quote(kh, (0x00000001 << 0), pass, nonce, &pcomp, buf,
&size)) {
printf("%s\n", TPM_GetErrMsg(ret));
errx(1, "TPM_Quote\n");
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment