« back to all changes in this revision
Viewing changes to src/tspi/spi_key.c
- browse files at revision 1
- compare with another revision
- download diff
- download tarball
- view history from revision 1
- Committer: Bazaar Package Importer
- Author(s): William Lima
- Date: 2007-04-18 16:39:38 UTC
- Revision ID: james.westby@ubuntu.com-20070418163938-opscl2mvvi76jiec
Tags: upstream-0.2.9.1
ImportĀ upstreamĀ versionĀ 0.2.9.1
- files added:
- autom4te.cache
- dist
- dist/fedora
- doc
- man
- man/man3
- man/man5
- man/man8
- src
- src/include
- src/include/linux
- src/include/trousers
- src/include/tss
- src/tcs
- src/tcs/ps
- src/tcsd
- src/tcsd_api
- src/tddl
- src/trspi
- src/trspi/crypto
- src/trspi/crypto/openssl
- src/tspi
- src/tspi/gtk
- src/tspi/ps
- tools
added
removed
src/tspi/spi_key.c
1
2
/*
3
* Licensed Materials - Property of IBM
4
*
5
* trousers - An open source TCG Software Stack
6
*
7
* (C) Copyright International Business Machines Corp. 2004
8
*
9
*/
10
11
12
#include <stdlib.h>
13
#include <stdio.h>
14
#include <string.h>
15
16
#include "trousers/tss.h"
17
#include "trousers/trousers.h"
18
#include "trousers_types.h"
19
#include "spi_internal_types.h"
20
#include "spi_utils.h"
21
#include "capabilities.h"
22
#include "tsplog.h"
23
#include "obj.h"
24
25
TSS_RESULT
26
Tspi_Key_UnloadKey(TSS_HKEY hKey) /* in */
27
{
28
TSS_HCONTEXT tspContext;
29
TCS_KEY_HANDLE hTcsKey;
30
TSS_RESULT result;
31
32
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
33
return result;
34
35
if ((result = obj_rsakey_get_tcs_handle(hKey, &hTcsKey)))
36
return result;
37
38
return TCSP_EvictKey(tspContext, hTcsKey);
39
}
40
41
TSS_RESULT
42
Tspi_Key_LoadKey(TSS_HKEY hKey, /* in */
43
TSS_HKEY hUnwrappingKey) /* in */
44
{
45
46
TPM_AUTH auth;
47
BYTE blob[1000];
48
UINT64 offset;
49
TCPA_DIGEST digest;
50
TSS_RESULT result;
51
UINT32 keyslot;
52
TSS_HCONTEXT tspContext;
53
TSS_HPOLICY hPolicy;
54
UINT32 keySize;
55
BYTE *keyBlob;
56
TCS_KEY_HANDLE parentTCSKeyHandle, tcsKey;
57
TSS_BOOL usesAuth;
58
TPM_AUTH *pAuth;
59
60
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
61
return result;
62
63
if (!obj_is_rsakey(hUnwrappingKey))
64
return TSPERR(TSS_E_INVALID_HANDLE);
65
66
if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
67
return result;
68
69
if ((result = obj_rsakey_get_tcs_handle(hUnwrappingKey, &parentTCSKeyHandle)))
70
return result;
71
72
if ((result = obj_rsakey_get_policy(hUnwrappingKey, TSS_POLICY_USAGE,
73
&hPolicy, &usesAuth)))
74
return result;
75
76
if (usesAuth) {
77
offset = 0;
78
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_LoadKey, blob);
79
Trspi_LoadBlob(&offset, keySize, blob, keyBlob);
80
Trspi_Hash(TSS_HASH_SHA1, offset, blob, digest.digest);
81
if ((result = secret_PerformAuth_OIAP(hUnwrappingKey,
82
TPM_ORD_LoadKey,
83
hPolicy, &digest,
84
&auth)))
85
return result;
86
pAuth = &auth;
87
} else {
88
pAuth = NULL;
89
}
90
91
if ((result = TCSP_LoadKeyByBlob(tspContext, parentTCSKeyHandle, keySize, keyBlob, pAuth,
92
&tcsKey, &keyslot)))
93
return result;
94
95
if (usesAuth) {
96
offset = 0;
97
Trspi_LoadBlob_UINT32(&offset, result, blob);
98
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_LoadKey, blob);
99
Trspi_LoadBlob_UINT32(&offset, keyslot, blob);
100
Trspi_Hash(TSS_HASH_SHA1, offset, blob, digest.digest);
101
102
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
103
return result;
104
}
105
106
return obj_rsakey_set_tcs_handle(hKey, tcsKey);
107
}
108
109
TSS_RESULT
110
Tspi_Key_GetPubKey(TSS_HKEY hKey, /* in */
111
UINT32 * pulPubKeyLength, /* out */
112
BYTE ** prgbPubKey) /* out */
113
{
114
TSS_HCONTEXT tspContext;
115
TPM_AUTH auth;
116
TPM_AUTH *pAuth;
117
BYTE hashblob[1024];
118
TCPA_DIGEST digest;
119
TCPA_RESULT result;
120
UINT64 offset;
121
TSS_HPOLICY hPolicy;
122
TCS_KEY_HANDLE tcsKeyHandle;
123
TSS_BOOL usesAuth;
124
TCPA_PUBKEY pubKey;
125
126
if (pulPubKeyLength == NULL || prgbPubKey == NULL)
127
return TSPERR(TSS_E_BAD_PARAMETER);
128
129
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
130
return result;
131
132
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
133
&hPolicy, &usesAuth)))
134
return result;
135
136
if ((result = obj_rsakey_get_tcs_handle(hKey, &tcsKeyHandle)))
137
return result;
138
139
if (usesAuth) {
140
offset = 0;
141
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_GetPubKey, hashblob);
142
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
143
144
if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_GetPubKey,
145
hPolicy, &digest,
146
&auth)))
147
return result;
148
pAuth = &auth;
149
} else {
150
pAuth = NULL;
151
}
152
153
if ((result = TCSP_GetPubKey(tspContext, tcsKeyHandle, pAuth, pulPubKeyLength, prgbPubKey)))
154
return result;
155
156
memset(&pubKey, 0, sizeof(TCPA_PUBKEY));
157
158
if (usesAuth) {
159
offset = 0;
160
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
161
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_GetPubKey, hashblob);
162
Trspi_LoadBlob(&offset, *pulPubKeyLength, hashblob, *prgbPubKey);
163
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
164
165
/* goto error here since prgbPubKey has been set */
166
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
167
goto error;
168
}
169
170
/* If the key is the SRK, populate the pubkey data in the TSP object */
171
if (tcsKeyHandle == TPM_KEYHND_SRK)
172
obj_rsakey_set_pubkey(hKey, TRUE, *prgbPubKey);
173
174
return TSS_SUCCESS;
175
error:
176
free_tspi(tspContext, *prgbPubKey);
177
*prgbPubKey = NULL;
178
*pulPubKeyLength = 0;
179
return result;
180
}
181
182
TSS_RESULT
183
Tspi_Key_CertifyKey(TSS_HKEY hKey, /* in */
184
TSS_HKEY hCertifyingKey, /* in */
185
TSS_VALIDATION * pValidationData) /* in, out */
186
{
187
TCPA_RESULT result;
188
TPM_AUTH certAuth;
189
TPM_AUTH keyAuth;
190
UINT64 offset = 0;
191
BYTE hashBlob[1024];
192
TCPA_DIGEST hash;
193
TCPA_NONCE antiReplay;
194
UINT32 CertifyInfoSize;
195
BYTE *CertifyInfo;
196
UINT32 outDataSize;
197
BYTE *outData;
198
TSS_HPOLICY hPolicy;
199
TSS_HPOLICY hCertPolicy;
200
TCS_KEY_HANDLE certifyTCSKeyHandle, keyTCSKeyHandle;
201
BYTE *keyData = NULL;
202
UINT32 keyDataSize;
203
TCPA_KEY keyContainer;
204
TSS_BOOL useAuthCert;
205
TSS_BOOL useAuthKey;
206
TPM_AUTH *pCertAuth = &certAuth;
207
TPM_AUTH *pKeyAuth = &keyAuth;
208
TSS_HCONTEXT tspContext;
209
210
211
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
212
return result;
213
214
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
215
&hPolicy, &useAuthKey)))
216
return result;
217
218
if ((result = obj_rsakey_get_policy(hCertifyingKey, TSS_POLICY_USAGE,
219
&hCertPolicy, &useAuthCert)))
220
return result;
221
222
if ((result = obj_rsakey_get_tcs_handle(hCertifyingKey, &certifyTCSKeyHandle)))
223
return result;
224
225
if ((result = obj_rsakey_get_tcs_handle(hKey, &keyTCSKeyHandle)))
226
return result;
227
228
if (pValidationData == NULL) {
229
LogDebug("Internal Verify");
230
if ((result = internal_GetRandomNonce(tspContext, &antiReplay)))
231
return result;
232
} else {
233
LogDebug("External Verify");
234
if (pValidationData->ulExternalDataLength < sizeof(antiReplay.nonce))
235
return TSPERR(TSS_E_BAD_PARAMETER);
236
237
memcpy(antiReplay.nonce, pValidationData->rgbExternalData,
238
sizeof(antiReplay.nonce));
239
}
240
241
if (useAuthCert && !useAuthKey)
242
return TSPERR(TSS_E_BAD_PARAMETER);
243
244
/* Setup the auths */
245
if (useAuthCert || useAuthKey) {
246
offset = 0;
247
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CertifyKey, hashBlob);
248
Trspi_LoadBlob(&offset, 20, hashBlob, antiReplay.nonce);
249
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, hash.digest);
250
}
251
252
if (useAuthKey) {
253
if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_CertifyKey,
254
hPolicy, &hash,
255
&keyAuth)))
256
return result;
257
} else
258
pKeyAuth = NULL;
259
260
if (useAuthCert) {
261
if ((result = secret_PerformAuth_OIAP(hCertifyingKey,
262
TPM_ORD_CertifyKey,
263
hCertPolicy, &hash,
264
&certAuth)))
265
return result;
266
} else
267
pCertAuth = NULL;
268
269
if ((result = TCSP_CertifyKey(tspContext, certifyTCSKeyHandle, keyTCSKeyHandle, antiReplay,
270
pCertAuth, pKeyAuth, &CertifyInfoSize, &CertifyInfo,
271
&outDataSize, &outData))) {
272
if (useAuthKey)
273
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
274
if (useAuthCert)
275
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
276
return result;
277
}
278
279
/* Validate auth */
280
if (useAuthCert || useAuthKey) {
281
offset = 0;
282
Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
283
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CertifyKey, hashBlob);
284
Trspi_LoadBlob(&offset, CertifyInfoSize, hashBlob, CertifyInfo);
285
Trspi_LoadBlob_UINT32(&offset, outDataSize, hashBlob);
286
Trspi_LoadBlob(&offset, outDataSize, hashBlob, outData);
287
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, hash.digest);
288
if (useAuthKey) {
289
if ((result = obj_policy_validate_auth_oiap(hPolicy, &hash, &keyAuth))) {
290
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
291
if (useAuthCert)
292
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
293
return result;
294
}
295
}
296
if (useAuthCert) {
297
if ((result = obj_policy_validate_auth_oiap(hCertPolicy, &hash, &certAuth))) {
298
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
299
if (useAuthKey)
300
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
301
return result;
302
}
303
}
304
}
305
306
if (pValidationData == NULL) {
307
if ((result = obj_rsakey_get_blob(hCertifyingKey,
308
&keyDataSize, &keyData))) {
309
if (useAuthKey)
310
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
311
if (useAuthCert)
312
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
313
314
LogError("Error in calling GetAttribData internally");
315
return TSPERR(TSS_E_INTERNAL_ERROR);
316
}
317
318
memset(&keyContainer, 0, sizeof(TCPA_KEY));
319
320
offset = 0;
321
if ((result = Trspi_UnloadBlob_KEY(&offset, keyData, &keyContainer)))
322
return result;
323
324
Trspi_Hash(TSS_HASH_SHA1, CertifyInfoSize, CertifyInfo, hash.digest);
325
326
if ((result = Trspi_Verify(TSS_HASH_SHA1, hash.digest, 20,
327
keyContainer.pubKey.key,
328
keyContainer.pubKey.keyLength,
329
outData, outDataSize))) {
330
if (useAuthKey)
331
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
332
if (useAuthCert)
333
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
334
335
free_key_refs(&keyContainer);
336
return TSPERR(TSS_E_VERIFICATION_FAILED);
337
}
338
free_key_refs(&keyContainer);
339
} else {
340
pValidationData->ulDataLength = CertifyInfoSize;
341
pValidationData->rgbData = calloc_tspi(tspContext, CertifyInfoSize);
342
if (pValidationData->rgbData == NULL) {
343
LogError("malloc of %d bytes failed.", CertifyInfoSize);
344
if (useAuthKey)
345
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
346
if (useAuthCert)
347
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
348
349
return TSPERR(TSS_E_OUTOFMEMORY);
350
}
351
memcpy(pValidationData->rgbData, CertifyInfo, CertifyInfoSize);
352
pValidationData->ulValidationDataLength = outDataSize;
353
pValidationData->rgbValidationData = calloc_tspi(tspContext, outDataSize);
354
if (pValidationData->rgbValidationData == NULL) {
355
LogError("malloc of %d bytes failed.", outDataSize);
356
if (useAuthKey)
357
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
358
if (useAuthCert)
359
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
360
361
return TSPERR(TSS_E_OUTOFMEMORY);
362
}
363
memcpy(pValidationData->rgbValidationData, outData, outDataSize);
364
#if 0
365
memcpy(&pValidationData->versionInfo,
366
getCurrentVersion(tspContext), sizeof (TCPA_VERSION));
367
#endif
368
}
369
370
if (useAuthKey)
371
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
372
if (useAuthCert)
373
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
374
375
return TSS_SUCCESS;
376
}
377
378
TSS_RESULT
379
Tspi_Key_CreateKey(TSS_HKEY hKey, /* in */
380
TSS_HKEY hWrappingKey, /* in */
381
TSS_HPCRS hPcrComposite) /* in, may be NULL */
382
{
383
UINT64 offset;
384
BYTE hashBlob[0x1000];
385
BYTE sharedSecret[20];
386
TPM_AUTH auth;
387
TCPA_ENCAUTH encAuthUsage;
388
TCPA_ENCAUTH encAuthMig = { { 0, } };
389
TCPA_DIGEST digest;
390
TCPA_RESULT result;
391
TSS_HPOLICY hUsagePolicy;
392
TSS_HPOLICY hMigPolicy = NULL_HPOLICY;
393
TSS_HPOLICY hWrapPolicy;
394
TCS_KEY_HANDLE parentTCSKeyHandle;
395
BYTE *keyBlob = NULL;
396
UINT32 keySize;
397
TCPA_NONCE nonceEvenOSAP;
398
UINT32 newKeySize;
399
BYTE *newKey;
400
TSS_BOOL usesAuth;
401
TSS_HCONTEXT tspContext;
402
403
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
404
return result;
405
406
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
407
&hUsagePolicy, &usesAuth)))
408
return result;
409
410
if (obj_rsakey_is_migratable(hKey)) {
411
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_MIGRATION, &hMigPolicy, NULL)))
412
return result;
413
}
414
415
if ((result = obj_rsakey_get_policy(hWrappingKey, TSS_POLICY_USAGE, &hWrapPolicy, NULL)))
416
return result;
417
418
if (hPcrComposite) {
419
/* its possible that hPcrComposite could be a bad handle here,
420
* or that no indices of it are yet set, which would throw
421
* internal error. Blanket both those codes with bad
422
* parameter to help the user out */
423
if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
424
return TSPERR(TSS_E_BAD_PARAMETER);
425
}
426
427
if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
428
return result;
429
430
if ((result = obj_rsakey_get_tcs_handle(hWrappingKey, &parentTCSKeyHandle)))
431
return result;
432
433
/*****************************************
434
* To create the authorization, the first step is to call
435
* secret_PerformXOR_OSAP, which will call OSAP and do the xorenc of
436
* the secrets. Then, the hashdata is done so that
437
* secret_PerformAuth_OSAP can calculate the HMAC.
438
******************************************/
439
440
/* Do the first part of the OSAP */
441
if ((result =
442
secret_PerformXOR_OSAP(hWrapPolicy, hUsagePolicy, hMigPolicy,
443
hWrappingKey, TCPA_ET_KEYHANDLE,
444
parentTCSKeyHandle, &encAuthUsage,
445
&encAuthMig, sharedSecret, &auth,
446
&nonceEvenOSAP)))
447
return result;
448
449
/* Setup the Hash Data for the HMAC */
450
offset = 0;
451
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateWrapKey, hashBlob);
452
Trspi_LoadBlob(&offset, 20, hashBlob, encAuthUsage.authdata);
453
Trspi_LoadBlob(&offset, 20, hashBlob, encAuthMig.authdata);
454
Trspi_LoadBlob(&offset, keySize, hashBlob, keyBlob);
455
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
456
457
/* Complete the Auth Structure */
458
if ((result = secret_PerformAuth_OSAP(hWrappingKey,
459
TPM_ORD_CreateWrapKey,
460
hWrapPolicy, hUsagePolicy,
461
hMigPolicy, sharedSecret, &auth,
462
digest.digest, &nonceEvenOSAP)))
463
return result;
464
465
/* Now call the function */
466
if ((result = TCSP_CreateWrapKey(tspContext, parentTCSKeyHandle, encAuthUsage, encAuthMig,
467
keySize, keyBlob, &newKeySize, &newKey, &auth)))
468
return result;
469
470
/* Validate the Authorization before using the new key */
471
offset = 0;
472
Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
473
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateWrapKey, hashBlob);
474
Trspi_LoadBlob(&offset, newKeySize, hashBlob, newKey);
475
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
476
if ((result = secret_ValidateAuth_OSAP(hWrappingKey,
477
TPM_ORD_CreateWrapKey,
478
hWrapPolicy, hUsagePolicy,
479
hMigPolicy, sharedSecret, &auth,
480
digest.digest,
481
&nonceEvenOSAP))) {
482
free(newKey);
483
return result;
484
}
485
486
/* Push the new key into the existing object */
487
if ((result = obj_rsakey_set_tcpakey(hKey, newKeySize, newKey))) {
488
free(newKey);
489
return result;
490
}
491
492
free(newKey);
493
return result;
494
}
495
496
TSS_RESULT
497
Tspi_Key_WrapKey(TSS_HKEY hKey, /* in */
498
TSS_HKEY hWrappingKey, /* in */
499
TSS_HPCRS hPcrComposite) /* in, may be NULL */
500
{
501
TSS_HPOLICY hUsePolicy, hMigPolicy;
502
TCPA_SECRET usage, migration;
503
TSS_RESULT result;
504
BYTE *keyPrivBlob = NULL, *wrappingPubKey = NULL, *keyBlob = NULL;
505
UINT32 keyPrivBlobLen, wrappingPubKeyLen, keyBlobLen;
506
BYTE newPrivKey[214]; /* its not magic, see TPM 1.1b spec p.71 */
507
BYTE encPrivKey[256];
508
UINT32 newPrivKeyLen = 214, encPrivKeyLen = 256;
509
UINT64 offset;
510
TCPA_KEY keyContainer;
511
BYTE hashBlob[1024];
512
TCPA_DIGEST digest;
513
TSS_HCONTEXT tspContext;
514
515
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
516
return result;
517
518
if (hPcrComposite) {
519
if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
520
return result;
521
}
522
523
/* get the key to be wrapped's private key */
524
if ((result = obj_rsakey_get_priv_blob(hKey, &keyPrivBlobLen, &keyPrivBlob)))
525
goto done;
526
527
/* get the key to be wrapped's blob */
528
if ((result = obj_rsakey_get_blob(hKey, &keyBlobLen, &keyBlob)))
529
goto done;
530
531
/* get the wrapping key's public key */
532
if ((result = obj_rsakey_get_modulus(hWrappingKey, &wrappingPubKeyLen, &wrappingPubKey)))
533
goto done;
534
535
/* get the key to be wrapped's usage policy */
536
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE, &hUsePolicy, NULL)))
537
goto done;
538
539
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_MIGRATION, &hMigPolicy, NULL)))
540
goto done;
541
542
if ((result = obj_policy_get_secret(hUsePolicy, TR_SECRET_CTX_NEW, &usage)))
543
goto done;
544
545
if ((result = obj_policy_get_secret(hMigPolicy, TR_SECRET_CTX_NEW, &migration)))
546
goto done;
547
548
memset(&keyContainer, 0, sizeof(TCPA_KEY));
549
550
/* unload the key to be wrapped's blob */
551
offset = 0;
552
if ((result = Trspi_UnloadBlob_KEY(&offset, keyBlob, &keyContainer)))
553
return result;
554
555
/* load the key's attributes into an object and get its hash value */
556
offset = 0;
557
Trspi_LoadBlob_PRIVKEY_DIGEST(&offset, hashBlob, &keyContainer);
558
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
559
560
free_key_refs(&keyContainer);
561
562
/* create the plaintext private key blob */
563
offset = 0;
564
Trspi_LoadBlob_BYTE(&offset, TCPA_PT_ASYM, newPrivKey);
565
Trspi_LoadBlob(&offset, 20, newPrivKey, usage.authdata);
566
Trspi_LoadBlob(&offset, 20, newPrivKey, migration.authdata);
567
Trspi_LoadBlob(&offset, 20, newPrivKey, digest.digest);
568
Trspi_LoadBlob_UINT32(&offset, keyPrivBlobLen, newPrivKey);
569
Trspi_LoadBlob(&offset, keyPrivBlobLen, newPrivKey, keyPrivBlob);
570
newPrivKeyLen = offset;
571
572
/* encrypt the private key blob */
573
if ((result = Trspi_RSA_Encrypt(newPrivKey, newPrivKeyLen, encPrivKey,
574
&encPrivKeyLen, wrappingPubKey,
575
wrappingPubKeyLen)))
576
goto done;
577
578
/* set the new encrypted private key in the wrapped key object */
579
if ((result = obj_rsakey_set_privkey(hKey, FALSE, encPrivKeyLen, encPrivKey)))
580
goto done;
581
582
done:
583
free_tspi(tspContext, keyPrivBlob);
584
free_tspi(tspContext, keyBlob);
585
free_tspi(tspContext, wrappingPubKey);
586
return result;
587
}
588
#if 0
589
TSS_RESULT
590
create_migration_blob_encdata(TSS_HENCDATA hDataToMigrate,
591
TSS_HKEY hParentKey,
592
UINT32 ulMigTicketLength,
593
BYTE * rgbMigTicket,
594
UINT32 * pulRandomLength,
595
BYTE ** prgbRandom,
596
UINT32 * pulMigrationBlobLength,
597
BYTE ** prgbMigrationBlob)
598
{
599
TCS_CONTEXT_HANDLE tcsContext;
600
TPM_AUTH parentAuth;
601
TPM_AUTH entityAuth;
602
TCPA_RESULT result;
603
UINT16 offset;
604
BYTE hashblob[0x1000];
605
TCPA_DIGEST digest;
606
UINT32 parentKeySize;
607
BYTE *parentKeyBlob;
608
UINT32 dataToMigrateSize;
609
BYTE *dataToMigrateBlob;
610
TSS_HPOLICY hParentPolicy;
611
TSS_HPOLICY hMigratePolicy;
612
TCPA_MIGRATIONKEYAUTH migAuth;
613
TCS_KEY_HANDLE parentHandle;
614
TPM_AUTH *pParentAuth;
615
TSS_BOOL useAuth;
616
UINT32 blobSize;
617
BYTE *blob;
618
TCPA_STORED_DATA storedData;
619
TSS_HCONTEXT tspContext;
620
621
if ((result = obj_encdata_get_tsp_context(hDataToMigrate, &tspContext)))
622
return result;
623
624
if ((result = obj_context_is_connected(tspContext, &tcsContext)))
625
return result;
626
627
if ((result = obj_rsakey_get_blob(hParentKey, &parentKeySize, &parentKeyBlob)))
628
return result;
629
630
if ((result = obj_encdata_get_data(hDataToMigrate, &dataToMigrateSize, &dataToMigrateBlob)))
631
return result;
632
633
if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE, &hParentPolicy,
634
&useAuth)))
635
return result;
636
637
if ((result = obj_encdata_get_policy(hDataToMigrate, TSS_POLICY_MIGRATION, &hMigratePolicy)))
638
return result;
639
640
/* Parsing the migration scheme from the blob and key object */
641
memset(&migAuth, 0, sizeof(TCPA_MIGRATIONKEYAUTH));
642
643
offset = 0;
644
if ((result = Trspi_UnloadBlob_MigrationKeyAuth(&offset, rgbMigTicket, &migAuth)))
645
return result;
646
647
/* free these now, since none are used below */
648
free(migAuth.migrationKey.algorithmParms.parms);
649
migAuth.migrationKey.algorithmParms.parmSize = 0;
650
free(migAuth.migrationKey.pubKey.key);
651
migAuth.migrationKey.pubKey.keyLength = 0;
652
#if 1
653
offset = 0;
654
if ((result = Trspi_UnloadBlob_STORED_DATA(&offset, dataToMigrateBlob, &storedData)))
655
return result;
656
#endif
657
/* Generate the Authorization data */
658
offset = 0;
659
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
660
Trspi_LoadBlob_UINT16(&offset, migAuth.migrationScheme, hashblob);
661
Trspi_LoadBlob(&offset, ulMigTicketLength, hashblob, rgbMigTicket);
662
#if 1
663
Trspi_LoadBlob_UINT32(&offset, storedData.encDataSize, hashblob);
664
Trspi_LoadBlob(&offset, storedData.encDataSize, hashblob, storedData.encData);
665
#else
666
Trspi_LoadBlob_UINT32(&offset, dataToMigrateSize, hashblob);
667
Trspi_LoadBlob(&offset, dataToMigrateSize, hashblob, dataToMigrateBlob);
668
#endif
669
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
670
671
if (useAuth) {
672
if ((result = secret_PerformAuth_OIAP(hParentPolicy,
673
TPM_ORD_CreateMigrationBlob,
674
hParentPolicy, &digest,
675
&parentAuth))) {
676
//free(storedData.sealInfo);
677
//free(storedData.encData);
678
return result;
679
}
680
pParentAuth = &parentAuth;
681
} else
682
pParentAuth = NULL;
683
684
if ((result = secret_PerformAuth_OIAP(hDataToMigrate,
685
TPM_ORD_CreateMigrationBlob,
686
hMigratePolicy, &digest,
687
&entityAuth))) {
688
//free(storedData.sealInfo);
689
//free(storedData.encData);
690
return result;
691
}
692
693
if ((parentHandle = getTCSKeyHandle(hParentKey)) == NULL_HKEY) {
694
//free(storedData.sealInfo);
695
//free(storedData.encData);
696
return TSPERR(TSS_E_KEY_NOT_LOADED);
697
}
698
699
if ((result = TCSP_CreateMigrationBlob(tcsContext, parentHandle, migAuth.migrationScheme,
700
ulMigTicketLength, rgbMigTicket,
701
//storedData.encDataSize, storedData.encData,
702
dataToMigrateSize, dataToMigrateBlob,
703
pParentAuth, &entityAuth, pulRandomLength,
704
prgbRandom, pulMigrationBlobLength,
705
prgbMigrationBlob))) {
706
//free(storedData.sealInfo);
707
//free(storedData.encData);
708
return result;
709
}
710
//free(storedData.sealInfo);
711
//free(storedData.encData);
712
713
offset = 0;
714
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
715
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
716
Trspi_LoadBlob_UINT32(&offset, *pulRandomLength, hashblob);
717
Trspi_LoadBlob(&offset, *pulRandomLength, hashblob, *prgbRandom);
718
Trspi_LoadBlob_UINT32(&offset, *pulMigrationBlobLength, hashblob);
719
Trspi_LoadBlob(&offset, *pulMigrationBlobLength, hashblob, *prgbMigrationBlob);
720
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
721
if (useAuth) {
722
if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth)))
723
goto error;
724
}
725
if ((result = obj_policy_validate_auth_oiap(hMigratePolicy, &digest, &entityAuth)))
726
goto error;
727
728
if (migAuth.migrationScheme == TSS_MS_REWRAP) {
729
#if 1
730
if ((result = obj_encdata_get_data(hDataToMigrate, &blobSize, &blob)))
731
goto error;
732
733
offset = 0;
734
if ((result = Trspi_UnloadBlob_STORED_DATA(&offset, blob, &storedData)))
735
goto error;
736
737
/* keyContainer.encData = calloc_tspi(tspContext, outDataSize); */
738
storedData.encDataSize = *pulMigrationBlobLength;
739
memcpy(storedData.encData, *prgbMigrationBlob, *pulMigrationBlobLength);
740
741
offset = 0;
742
Trspi_LoadBlob_STORED_DATA(&offset, blob, &storedData);
743
free(storedData.sealInfo);
744
free(storedData.encData);
745
746
if ((result = obj_encdata_set_data(hDataToMigrate, blobSize, blob)))
747
goto error;
748
#else
749
if ((result = obj_encdata_set_data(hDataToMigrate, *pulMigrationBlobLength,
750
*prgbMigrationBlob)))
751
goto error;
752
#endif
753
}
754
755
return result;
756
error:
757
if (*pulRandomLength)
758
free_tspi(tspContext, prgbRandom);
759
free_tspi(tspContext, prgbMigrationBlob);
760
return result;
761
}
762
#endif
763
764
TSS_RESULT
765
create_migration_blob_key(TSS_HKEY hKeyToMigrate,
766
TSS_HKEY hParentKey,
767
UINT32 ulMigTicketLength,
768
BYTE * rgbMigTicket,
769
UINT32 * pulRandomLength,
770
BYTE ** prgbRandom,
771
UINT32 * pulMigrationBlobLength,
772
BYTE ** prgbMigrationBlob)
773
{
774
TPM_AUTH parentAuth, entityAuth;
775
TPM_AUTH *pParentAuth;
776
TCPA_RESULT result;
777
UINT64 offset;
778
BYTE hashblob[0x1000];
779
TCPA_DIGEST digest;
780
UINT32 parentKeySize;
781
BYTE *parentKeyBlob;
782
UINT32 keyToMigrateSize;
783
BYTE *keyToMigrateBlob;
784
TSS_HPOLICY hParentPolicy;
785
TSS_HPOLICY hMigratePolicy;
786
TCPA_MIGRATIONKEYAUTH migAuth;
787
TCPA_KEY tcpaKey;
788
TCS_KEY_HANDLE parentHandle;
789
TSS_BOOL parentUsesAuth;
790
UINT32 blobSize;
791
BYTE *blob;
792
TCPA_KEY keyContainer;
793
TSS_HCONTEXT tspContext;
794
795
if ((result = obj_rsakey_get_tsp_context(hKeyToMigrate, &tspContext)))
796
return result;
797
798
if ((result = obj_rsakey_get_blob(hParentKey, &parentKeySize, &parentKeyBlob)))
799
return result;
800
801
if ((result = obj_rsakey_get_blob(hKeyToMigrate, &keyToMigrateSize, &keyToMigrateBlob)))
802
return result;
803
804
if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE, &hParentPolicy,
805
&parentUsesAuth)))
806
return result;
807
808
if ((result = obj_rsakey_get_policy(hKeyToMigrate, TSS_POLICY_MIGRATION, &hMigratePolicy,
809
NULL)))
810
return result;
811
812
/* Parsing the migration scheme from the blob and key object */
813
memset(&migAuth, 0, sizeof(TCPA_MIGRATIONKEYAUTH));
814
815
offset = 0;
816
if ((result = Trspi_UnloadBlob_MigrationKeyAuth(&offset, rgbMigTicket, &migAuth)))
817
return result;
818
819
/* free these now, since none are used below */
820
free(migAuth.migrationKey.algorithmParms.parms);
821
migAuth.migrationKey.algorithmParms.parmSize = 0;
822
free(migAuth.migrationKey.pubKey.key);
823
migAuth.migrationKey.pubKey.keyLength = 0;
824
825
memset(&tcpaKey, 0, sizeof(TCPA_KEY));
826
827
offset = 0;
828
if ((result = Trspi_UnloadBlob_KEY(&offset, keyToMigrateBlob, &tcpaKey)))
829
return result;
830
831
/* Generate the Authorization data */
832
offset = 0;
833
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
834
Trspi_LoadBlob_UINT16(&offset, migAuth.migrationScheme, hashblob);
835
Trspi_LoadBlob(&offset, ulMigTicketLength, hashblob, rgbMigTicket);
836
Trspi_LoadBlob_UINT32(&offset, tcpaKey.encSize, hashblob);
837
Trspi_LoadBlob(&offset, tcpaKey.encSize, hashblob, tcpaKey.encData);
838
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
839
840
if (parentUsesAuth) {
841
if ((result = secret_PerformAuth_OIAP(hParentPolicy,
842
TPM_ORD_CreateMigrationBlob,
843
hParentPolicy, &digest,
844
&parentAuth))) {
845
free_key_refs(&tcpaKey);
846
return result;
847
}
848
pParentAuth = &parentAuth;
849
} else {
850
pParentAuth = NULL;
851
}
852
853
if ((result = secret_PerformAuth_OIAP(hKeyToMigrate,
854
TPM_ORD_CreateMigrationBlob,
855
hMigratePolicy, &digest,
856
&entityAuth))) {
857
free_key_refs(&tcpaKey);
858
return result;
859
}
860
861
if ((result = obj_rsakey_get_tcs_handle(hParentKey, &parentHandle)))
862
return result;
863
864
if ((result = TCSP_CreateMigrationBlob(tspContext, parentHandle, migAuth.migrationScheme,
865
ulMigTicketLength, rgbMigTicket, tcpaKey.encSize,
866
tcpaKey.encData, pParentAuth, &entityAuth,
867
pulRandomLength, prgbRandom, pulMigrationBlobLength,
868
prgbMigrationBlob))) {
869
free_key_refs(&tcpaKey);
870
return result;
871
}
872
free_key_refs(&tcpaKey);
873
874
offset = 0;
875
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
876
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
877
Trspi_LoadBlob_UINT32(&offset, *pulRandomLength, hashblob);
878
Trspi_LoadBlob(&offset, *pulRandomLength, hashblob, *prgbRandom);
879
Trspi_LoadBlob_UINT32(&offset, *pulMigrationBlobLength, hashblob);
880
Trspi_LoadBlob(&offset, *pulMigrationBlobLength, hashblob, *prgbMigrationBlob);
881
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
882
883
if (parentUsesAuth) {
884
if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth)))
885
goto error;
886
}
887
888
if ((result = obj_policy_validate_auth_oiap(hMigratePolicy, &digest, &entityAuth)))
889
goto error;
890
891
if (migAuth.migrationScheme == TCPA_MS_REWRAP) {
892
if ((result = obj_rsakey_get_blob(hKeyToMigrate, &blobSize, &blob)))
893
goto error;
894
895
memset(&keyContainer, 0, sizeof(TCPA_KEY));
896
897
offset = 0;
898
if ((result = Trspi_UnloadBlob_KEY(&offset, blob, &keyContainer)))
899
goto error;
900
901
if (keyContainer.encSize > 0)
902
free(keyContainer.encData);
903
904
keyContainer.encSize = *pulMigrationBlobLength;
905
keyContainer.encData = *prgbMigrationBlob;
906
907
offset = 0;
908
Trspi_LoadBlob_KEY(&offset, hashblob, &keyContainer);
909
910
/* Free manually here since free_key_refs() would free encData, ugh. */
911
free(keyContainer.algorithmParms.parms);
912
keyContainer.algorithmParms.parms = NULL;
913
keyContainer.algorithmParms.parmSize = 0;
914
915
free(keyContainer.pubKey.key);
916
keyContainer.pubKey.key = NULL;
917
keyContainer.pubKey.keyLength = 0;
918
919
free(keyContainer.PCRInfo);
920
keyContainer.PCRInfo = NULL;
921
keyContainer.PCRInfoSize = 0;
922
923
if ((result = obj_rsakey_set_tcpakey(hKeyToMigrate, offset, hashblob)))
924
goto error;
925
}
926
927
return result;
928
error:
929
if (*pulRandomLength)
930
free_tspi(tspContext, prgbRandom);
931
free_tspi(tspContext, prgbMigrationBlob);
932
return result;
933
}
934
935
936
TSS_RESULT
937
Tspi_Key_CreateMigrationBlob(TSS_HKEY hKeyToMigrate, /* in */
938
TSS_HKEY hParentKey, /* in */
939
UINT32 ulMigTicketLength, /* in */
940
BYTE * rgbMigTicket, /* in */
941
UINT32 * pulRandomLength, /* out */
942
BYTE ** prgbRandom, /* out */
943
UINT32 * pulMigrationBlobLength, /* out */
944
BYTE ** prgbMigrationBlob) /* out */
945
{
946
if (pulRandomLength == NULL || prgbRandom == NULL || rgbMigTicket == NULL ||
947
pulMigrationBlobLength == NULL || prgbMigrationBlob == NULL)
948
return TSPERR(TSS_E_BAD_PARAMETER);
949
950
if (obj_is_rsakey(hKeyToMigrate))
951
return create_migration_blob_key(hKeyToMigrate, hParentKey, ulMigTicketLength,
952
rgbMigTicket, pulRandomLength, prgbRandom,
953
pulMigrationBlobLength, prgbMigrationBlob);
954
955
return TSPERR(TSS_E_INVALID_HANDLE);
956
}
957
958
TSS_RESULT
959
Tspi_Key_ConvertMigrationBlob(TSS_HKEY hKeyToMigrate, /* in */
960
TSS_HKEY hParentKey, /* in */
961
UINT32 ulRandomLength, /* in */
962
BYTE * rgbRandom, /* in */
963
UINT32 ulMigrationBlobLength, /* in */
964
BYTE * rgbMigrationBlob) /* in */
965
{
966
967
TCPA_RESULT result;
968
UINT32 outDataSize;
969
BYTE *outData;
970
TCS_KEY_HANDLE parentHandle;
971
TPM_AUTH parentAuth;
972
TSS_HPOLICY hParentPolicy;
973
UINT64 offset;
974
BYTE hashblob[0x1000];
975
TCPA_DIGEST digest;
976
TSS_BOOL useAuth;
977
TPM_AUTH *pParentAuth;
978
TSS_HCONTEXT tspContext;
979
980
if ((result = obj_rsakey_get_tsp_context(hKeyToMigrate, &tspContext)))
981
return result;
982
983
if (!obj_is_rsakey(hParentKey))
984
return TSPERR(TSS_E_INVALID_HANDLE);
985
986
/* Get the parent key handle */
987
if ((result = obj_rsakey_get_tcs_handle(hParentKey, &parentHandle)))
988
return result;
989
990
/* Get the policy */
991
if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE,
992
&hParentPolicy, &useAuth)))
993
return result;
994
995
/* Generate the authorization */
996
offset = 0;
997
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_ConvertMigrationBlob, hashblob);
998
Trspi_LoadBlob_UINT32(&offset, ulMigrationBlobLength, hashblob);
999
Trspi_LoadBlob(&offset, ulMigrationBlobLength, hashblob, rgbMigrationBlob);
1000
Trspi_LoadBlob_UINT32(&offset, ulRandomLength, hashblob);
1001
Trspi_LoadBlob(&offset, ulRandomLength, hashblob, rgbRandom);
1002
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
1003
1004
if (useAuth) {
1005
if ((result = secret_PerformAuth_OIAP(hParentPolicy,
1006
TPM_ORD_ConvertMigrationBlob,
1007
hParentPolicy, &digest,
1008
&parentAuth)))
1009
return result;
1010
pParentAuth = &parentAuth;
1011
} else {
1012
pParentAuth = NULL;
1013
}
1014
1015
if ((result = TCSP_ConvertMigrationBlob(tspContext, parentHandle, ulMigrationBlobLength,
1016
rgbMigrationBlob, ulRandomLength, rgbRandom,
1017
pParentAuth, &outDataSize, &outData)))
1018
return result;
1019
1020
/* add validation */
1021
offset = 0;
1022
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
1023
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_ConvertMigrationBlob, hashblob);
1024
Trspi_LoadBlob_UINT32(&offset, outDataSize, hashblob);
1025
Trspi_LoadBlob(&offset, outDataSize, hashblob, outData);
1026
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
1027
if (useAuth) {
1028
if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth))) {
1029
free(outData);
1030
return result;
1031
}
1032
}
1033
1034
result = obj_rsakey_set_privkey(hKeyToMigrate, TRUE, outDataSize, outData);
1035
free(outData);
1036
1037
return result;
1038
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1