← Back to branch summary

~ubuntu-branches/ubuntu/hardy/trousers/hardy-proposed

« back to all changes in this revision

Viewing changes to src/tspi/spi_key.c

  • Committer: Bazaar Package Importer
  • Author(s): Daniel Baumann
  • Date: 2008-01-23 22:03:00 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20080123220300-fhtqja3c0oq0gp6z
Tags: 0.3.1-4
http://bugs.debian.org/457400
http://bugs.debian.org/459682
* Added patch from Aaron M. Ucko <ucko@debian.org> to allow trousers to
  build successfully on amd64, and presumably also other 64-bit
  architectures (Closes: #457400).
* Including udev rule for /dev/tpm from William Lima
  <wlima.amadeus@gmail.com> as suggested by David Smith <dds@google.com>
  (Closes: #459682).
* Added lintian overrides.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/tspi/spi_key.c
1
 
 
2
 
/*
3
 
 * Licensed Materials - Property of IBM
4
 
 *
5
 
 * trousers - An open source TCG Software Stack
6
 
 *
7
 
 * (C) Copyright International Business Machines Corp. 2004
8
 
 *
9
 
 */
10
 
 
11
 
 
12
 
#include <stdlib.h>
13
 
#include <stdio.h>
14
 
#include <string.h>
15
 
 
16
 
#include "trousers/tss.h"
17
 
#include "trousers/trousers.h"
18
 
#include "trousers_types.h"
19
 
#include "spi_internal_types.h"
20
 
#include "spi_utils.h"
21
 
#include "capabilities.h"
22
 
#include "tsplog.h"
23
 
#include "obj.h"
24
 
 
25
 
TSS_RESULT
26
 
Tspi_Key_UnloadKey(TSS_HKEY hKey)       /* in */
27
 
{
28
 
        TSS_HCONTEXT tspContext;
29
 
        TCS_KEY_HANDLE hTcsKey;
30
 
        TSS_RESULT result;
31
 
 
32
 
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
33
 
                return result;
34
 
 
35
 
        if ((result = obj_rsakey_get_tcs_handle(hKey, &hTcsKey)))
36
 
                return result;
37
 
 
38
 
        return TCSP_EvictKey(tspContext, hTcsKey);
39
 
}
40
 
 
41
 
TSS_RESULT
42
 
Tspi_Key_LoadKey(TSS_HKEY hKey,                 /* in */
43
 
                 TSS_HKEY hUnwrappingKey)       /* in */
44
 
{
45
 
 
46
 
        TPM_AUTH auth;
47
 
        BYTE blob[1000];
48
 
        UINT64 offset;
49
 
        TCPA_DIGEST digest;
50
 
        TSS_RESULT result;
51
 
        UINT32 keyslot;
52
 
        TSS_HCONTEXT tspContext;
53
 
        TSS_HPOLICY hPolicy;
54
 
        UINT32 keySize;
55
 
        BYTE *keyBlob;
56
 
        TCS_KEY_HANDLE parentTCSKeyHandle, tcsKey;
57
 
        TSS_BOOL usesAuth;
58
 
        TPM_AUTH *pAuth;
59
 
 
60
 
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
61
 
                return result;
62
 
 
63
 
        if (!obj_is_rsakey(hUnwrappingKey))
64
 
                return TSPERR(TSS_E_INVALID_HANDLE);
65
 
 
66
 
        if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
67
 
                return result;
68
 
 
69
 
        if ((result = obj_rsakey_get_tcs_handle(hUnwrappingKey, &parentTCSKeyHandle)))
70
 
                return result;
71
 
 
72
 
        if ((result = obj_rsakey_get_policy(hUnwrappingKey, TSS_POLICY_USAGE,
73
 
                                            &hPolicy, &usesAuth)))
74
 
                return result;
75
 
 
76
 
        if (usesAuth) {
77
 
                offset = 0;
78
 
                Trspi_LoadBlob_UINT32(&offset, TPM_ORD_LoadKey, blob);
79
 
                Trspi_LoadBlob(&offset, keySize, blob, keyBlob);
80
 
                Trspi_Hash(TSS_HASH_SHA1, offset, blob, digest.digest);
81
 
                if ((result = secret_PerformAuth_OIAP(hUnwrappingKey,
82
 
                                                      TPM_ORD_LoadKey,
83
 
                                                      hPolicy, &digest,
84
 
                                                      &auth)))
85
 
                        return result;
86
 
                pAuth = &auth;
87
 
        } else {
88
 
                pAuth = NULL;
89
 
        }
90
 
 
91
 
        if ((result = TCSP_LoadKeyByBlob(tspContext, parentTCSKeyHandle, keySize, keyBlob, pAuth,
92
 
                                         &tcsKey, &keyslot)))
93
 
                return result;
94
 
 
95
 
        if (usesAuth) {
96
 
                offset = 0;
97
 
                Trspi_LoadBlob_UINT32(&offset, result, blob);
98
 
                Trspi_LoadBlob_UINT32(&offset, TPM_ORD_LoadKey, blob);
99
 
                Trspi_LoadBlob_UINT32(&offset, keyslot, blob);
100
 
                Trspi_Hash(TSS_HASH_SHA1, offset, blob, digest.digest);
101
 
 
102
 
                if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
103
 
                        return result;
104
 
        }
105
 
 
106
 
        return obj_rsakey_set_tcs_handle(hKey, tcsKey);
107
 
}
108
 
 
109
 
TSS_RESULT
110
 
Tspi_Key_GetPubKey(TSS_HKEY hKey,               /* in */
111
 
                   UINT32 * pulPubKeyLength,    /* out */
112
 
                   BYTE ** prgbPubKey)          /* out */
113
 
{
114
 
        TSS_HCONTEXT tspContext;
115
 
        TPM_AUTH auth;
116
 
        TPM_AUTH *pAuth;
117
 
        BYTE hashblob[1024];
118
 
        TCPA_DIGEST digest;
119
 
        TCPA_RESULT result;
120
 
        UINT64 offset;
121
 
        TSS_HPOLICY hPolicy;
122
 
        TCS_KEY_HANDLE tcsKeyHandle;
123
 
        TSS_BOOL usesAuth;
124
 
        TCPA_PUBKEY pubKey;
125
 
 
126
 
        if (pulPubKeyLength == NULL || prgbPubKey == NULL)
127
 
                return TSPERR(TSS_E_BAD_PARAMETER);
128
 
 
129
 
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
130
 
                return result;
131
 
 
132
 
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
133
 
                                            &hPolicy, &usesAuth)))
134
 
                return result;
135
 
 
136
 
        if ((result = obj_rsakey_get_tcs_handle(hKey, &tcsKeyHandle)))
137
 
                return result;
138
 
 
139
 
        if (usesAuth) {
140
 
                offset = 0;
141
 
                Trspi_LoadBlob_UINT32(&offset, TPM_ORD_GetPubKey, hashblob);
142
 
                Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
143
 
 
144
 
                if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_GetPubKey,
145
 
                                                      hPolicy, &digest,
146
 
                                                      &auth)))
147
 
                        return result;
148
 
                pAuth = &auth;
149
 
        } else {
150
 
                pAuth = NULL;
151
 
        }
152
 
 
153
 
        if ((result = TCSP_GetPubKey(tspContext, tcsKeyHandle, pAuth, pulPubKeyLength, prgbPubKey)))
154
 
                return result;
155
 
 
156
 
        memset(&pubKey, 0, sizeof(TCPA_PUBKEY));
157
 
 
158
 
        if (usesAuth) {
159
 
                offset = 0;
160
 
                Trspi_LoadBlob_UINT32(&offset, result, hashblob);
161
 
                Trspi_LoadBlob_UINT32(&offset, TPM_ORD_GetPubKey, hashblob);
162
 
                Trspi_LoadBlob(&offset, *pulPubKeyLength, hashblob, *prgbPubKey);
163
 
                Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
164
 
 
165
 
                /* goto error here since prgbPubKey has been set */
166
 
                if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
167
 
                        goto error;
168
 
        }
169
 
 
170
 
        /* If the key is the SRK, populate the pubkey data in the TSP object */
171
 
        if (tcsKeyHandle == TPM_KEYHND_SRK)
172
 
                obj_rsakey_set_pubkey(hKey, TRUE, *prgbPubKey);
173
 
 
174
 
        return TSS_SUCCESS;
175
 
error:
176
 
        free_tspi(tspContext, *prgbPubKey);
177
 
        *prgbPubKey = NULL;
178
 
        *pulPubKeyLength = 0;
179
 
        return result;
180
 
}
181
 
 
182
 
TSS_RESULT
183
 
Tspi_Key_CertifyKey(TSS_HKEY hKey,                      /* in */
184
 
                    TSS_HKEY hCertifyingKey,            /* in */
185
 
                    TSS_VALIDATION * pValidationData)   /* in, out */
186
 
{
187
 
        TCPA_RESULT result;
188
 
        TPM_AUTH certAuth;
189
 
        TPM_AUTH keyAuth;
190
 
        UINT64 offset = 0;
191
 
        BYTE hashBlob[1024];
192
 
        TCPA_DIGEST hash;
193
 
        TCPA_NONCE antiReplay;
194
 
        UINT32 CertifyInfoSize;
195
 
        BYTE *CertifyInfo;
196
 
        UINT32 outDataSize;
197
 
        BYTE *outData;
198
 
        TSS_HPOLICY hPolicy;
199
 
        TSS_HPOLICY hCertPolicy;
200
 
        TCS_KEY_HANDLE certifyTCSKeyHandle, keyTCSKeyHandle;
201
 
        BYTE *keyData = NULL;
202
 
        UINT32 keyDataSize;
203
 
        TCPA_KEY keyContainer;
204
 
        TSS_BOOL useAuthCert;
205
 
        TSS_BOOL useAuthKey;
206
 
        TPM_AUTH *pCertAuth = &certAuth;
207
 
        TPM_AUTH *pKeyAuth = &keyAuth;
208
 
        TSS_HCONTEXT tspContext;
209
 
 
210
 
 
211
 
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
212
 
                return result;
213
 
 
214
 
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
215
 
                                            &hPolicy, &useAuthKey)))
216
 
                return result;
217
 
 
218
 
        if ((result = obj_rsakey_get_policy(hCertifyingKey, TSS_POLICY_USAGE,
219
 
                                            &hCertPolicy, &useAuthCert)))
220
 
                return result;
221
 
 
222
 
        if ((result = obj_rsakey_get_tcs_handle(hCertifyingKey, &certifyTCSKeyHandle)))
223
 
                return result;
224
 
 
225
 
        if ((result = obj_rsakey_get_tcs_handle(hKey, &keyTCSKeyHandle)))
226
 
                return result;
227
 
 
228
 
        if (pValidationData == NULL) {
229
 
                LogDebug("Internal Verify");
230
 
                if ((result = internal_GetRandomNonce(tspContext, &antiReplay)))
231
 
                        return result;
232
 
        } else {
233
 
                LogDebug("External Verify");
234
 
                if (pValidationData->ulExternalDataLength < sizeof(antiReplay.nonce))
235
 
                        return TSPERR(TSS_E_BAD_PARAMETER);
236
 
 
237
 
                memcpy(antiReplay.nonce, pValidationData->rgbExternalData,
238
 
                       sizeof(antiReplay.nonce));
239
 
        }
240
 
 
241
 
        if (useAuthCert && !useAuthKey)
242
 
                return TSPERR(TSS_E_BAD_PARAMETER);
243
 
 
244
 
        /* Setup the auths */
245
 
        if (useAuthCert || useAuthKey) {
246
 
                offset = 0;
247
 
                Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CertifyKey, hashBlob);
248
 
                Trspi_LoadBlob(&offset, 20, hashBlob, antiReplay.nonce);
249
 
                Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, hash.digest);
250
 
        }
251
 
 
252
 
        if (useAuthKey) {
253
 
                if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_CertifyKey,
254
 
                                                      hPolicy, &hash,
255
 
                                                      &keyAuth)))
256
 
                        return result;
257
 
        } else
258
 
                pKeyAuth = NULL;
259
 
 
260
 
        if (useAuthCert) {
261
 
                if ((result = secret_PerformAuth_OIAP(hCertifyingKey,
262
 
                                                      TPM_ORD_CertifyKey,
263
 
                                                      hCertPolicy, &hash,
264
 
                                                      &certAuth)))
265
 
                        return result;
266
 
        } else
267
 
                pCertAuth = NULL;
268
 
 
269
 
        if ((result = TCSP_CertifyKey(tspContext, certifyTCSKeyHandle, keyTCSKeyHandle, antiReplay,
270
 
                                      pCertAuth, pKeyAuth, &CertifyInfoSize, &CertifyInfo,
271
 
                                      &outDataSize, &outData))) {
272
 
                if (useAuthKey)
273
 
                        TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
274
 
                if (useAuthCert)
275
 
                        TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
276
 
                return result;
277
 
        }
278
 
 
279
 
        /* Validate auth */
280
 
        if (useAuthCert || useAuthKey) {
281
 
                offset = 0;
282
 
                Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
283
 
                Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CertifyKey, hashBlob);
284
 
                Trspi_LoadBlob(&offset, CertifyInfoSize, hashBlob, CertifyInfo);
285
 
                Trspi_LoadBlob_UINT32(&offset, outDataSize, hashBlob);
286
 
                Trspi_LoadBlob(&offset, outDataSize, hashBlob, outData);
287
 
                Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, hash.digest);
288
 
                if (useAuthKey) {
289
 
                        if ((result = obj_policy_validate_auth_oiap(hPolicy, &hash, &keyAuth))) {
290
 
                                TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
291
 
                                if (useAuthCert)
292
 
                                        TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
293
 
                                return result;
294
 
                        }
295
 
                }
296
 
                if (useAuthCert) {
297
 
                        if ((result = obj_policy_validate_auth_oiap(hCertPolicy, &hash, &certAuth))) {
298
 
                                TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
299
 
                                if (useAuthKey)
300
 
                                        TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
301
 
                                return result;
302
 
                        }
303
 
                }
304
 
        }
305
 
 
306
 
        if (pValidationData == NULL) {
307
 
                if ((result = obj_rsakey_get_blob(hCertifyingKey,
308
 
                                                        &keyDataSize, &keyData))) {
309
 
                        if (useAuthKey)
310
 
                                TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
311
 
                        if (useAuthCert)
312
 
                                TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
313
 
 
314
 
                        LogError("Error in calling GetAttribData internally");
315
 
                        return TSPERR(TSS_E_INTERNAL_ERROR);
316
 
                }
317
 
 
318
 
                memset(&keyContainer, 0, sizeof(TCPA_KEY));
319
 
 
320
 
                offset = 0;
321
 
                if ((result = Trspi_UnloadBlob_KEY(&offset, keyData, &keyContainer)))
322
 
                        return result;
323
 
 
324
 
                Trspi_Hash(TSS_HASH_SHA1, CertifyInfoSize, CertifyInfo, hash.digest);
325
 
 
326
 
                if ((result = Trspi_Verify(TSS_HASH_SHA1, hash.digest, 20,
327
 
                                           keyContainer.pubKey.key,
328
 
                                           keyContainer.pubKey.keyLength,
329
 
                                           outData, outDataSize))) {
330
 
                        if (useAuthKey)
331
 
                                TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
332
 
                        if (useAuthCert)
333
 
                                TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
334
 
 
335
 
                        free_key_refs(&keyContainer);
336
 
                        return TSPERR(TSS_E_VERIFICATION_FAILED);
337
 
                }
338
 
                free_key_refs(&keyContainer);
339
 
        } else {
340
 
                pValidationData->ulDataLength = CertifyInfoSize;
341
 
                pValidationData->rgbData = calloc_tspi(tspContext, CertifyInfoSize);
342
 
                if (pValidationData->rgbData == NULL) {
343
 
                        LogError("malloc of %d bytes failed.", CertifyInfoSize);
344
 
                        if (useAuthKey)
345
 
                                TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
346
 
                        if (useAuthCert)
347
 
                                TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
348
 
 
349
 
                        return TSPERR(TSS_E_OUTOFMEMORY);
350
 
                }
351
 
                memcpy(pValidationData->rgbData, CertifyInfo, CertifyInfoSize);
352
 
                pValidationData->ulValidationDataLength = outDataSize;
353
 
                pValidationData->rgbValidationData = calloc_tspi(tspContext, outDataSize);
354
 
                if (pValidationData->rgbValidationData == NULL) {
355
 
                        LogError("malloc of %d bytes failed.", outDataSize);
356
 
                        if (useAuthKey)
357
 
                                TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
358
 
                        if (useAuthCert)
359
 
                                TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
360
 
 
361
 
                        return TSPERR(TSS_E_OUTOFMEMORY);
362
 
                }
363
 
                memcpy(pValidationData->rgbValidationData, outData, outDataSize);
364
 
#if 0
365
 
                memcpy(&pValidationData->versionInfo,
366
 
                       getCurrentVersion(tspContext), sizeof (TCPA_VERSION));
367
 
#endif
368
 
        }
369
 
 
370
 
        if (useAuthKey)
371
 
                TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
372
 
        if (useAuthCert)
373
 
                TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
374
 
 
375
 
        return TSS_SUCCESS;
376
 
}
377
 
 
378
 
TSS_RESULT
379
 
Tspi_Key_CreateKey(TSS_HKEY hKey,               /* in */
380
 
                   TSS_HKEY hWrappingKey,       /* in */
381
 
                   TSS_HPCRS hPcrComposite)     /* in, may be NULL */
382
 
{
383
 
        UINT64 offset;
384
 
        BYTE hashBlob[0x1000];
385
 
        BYTE sharedSecret[20];
386
 
        TPM_AUTH auth;
387
 
        TCPA_ENCAUTH encAuthUsage;
388
 
        TCPA_ENCAUTH encAuthMig = { { 0, } };
389
 
        TCPA_DIGEST digest;
390
 
        TCPA_RESULT result;
391
 
        TSS_HPOLICY hUsagePolicy;
392
 
        TSS_HPOLICY hMigPolicy = NULL_HPOLICY;
393
 
        TSS_HPOLICY hWrapPolicy;
394
 
        TCS_KEY_HANDLE parentTCSKeyHandle;
395
 
        BYTE *keyBlob = NULL;
396
 
        UINT32 keySize;
397
 
        TCPA_NONCE nonceEvenOSAP;
398
 
        UINT32 newKeySize;
399
 
        BYTE *newKey;
400
 
        TSS_BOOL usesAuth;
401
 
        TSS_HCONTEXT tspContext;
402
 
 
403
 
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
404
 
                return result;
405
 
 
406
 
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
407
 
                                            &hUsagePolicy, &usesAuth)))
408
 
                return result;
409
 
 
410
 
        if (obj_rsakey_is_migratable(hKey)) {
411
 
                if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_MIGRATION, &hMigPolicy, NULL)))
412
 
                        return result;
413
 
        }
414
 
 
415
 
        if ((result = obj_rsakey_get_policy(hWrappingKey, TSS_POLICY_USAGE, &hWrapPolicy, NULL)))
416
 
                return result;
417
 
 
418
 
        if (hPcrComposite) {
419
 
                /* its possible that hPcrComposite could be a bad handle here,
420
 
                 * or that no indices of it are yet set, which would throw
421
 
                 * internal error. Blanket both those codes with bad
422
 
                 * parameter to help the user out */
423
 
                if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
424
 
                        return TSPERR(TSS_E_BAD_PARAMETER);
425
 
        }
426
 
 
427
 
        if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
428
 
                return result;
429
 
 
430
 
        if ((result = obj_rsakey_get_tcs_handle(hWrappingKey, &parentTCSKeyHandle)))
431
 
                return result;
432
 
 
433
 
        /*****************************************
434
 
         * To create the authorization, the first step is to call
435
 
         * secret_PerformXOR_OSAP, which will call OSAP and do the xorenc of
436
 
         * the secrets.  Then, the hashdata is done so that
437
 
         * secret_PerformAuth_OSAP can calculate the HMAC.
438
 
         ******************************************/
439
 
 
440
 
        /* Do the first part of the OSAP */
441
 
        if ((result =
442
 
            secret_PerformXOR_OSAP(hWrapPolicy, hUsagePolicy, hMigPolicy,
443
 
                                   hWrappingKey, TCPA_ET_KEYHANDLE,
444
 
                                   parentTCSKeyHandle, &encAuthUsage,
445
 
                                   &encAuthMig, sharedSecret, &auth,
446
 
                                   &nonceEvenOSAP)))
447
 
                return result;
448
 
 
449
 
        /* Setup the Hash Data for the HMAC */
450
 
        offset = 0;
451
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateWrapKey, hashBlob);
452
 
        Trspi_LoadBlob(&offset, 20, hashBlob, encAuthUsage.authdata);
453
 
        Trspi_LoadBlob(&offset, 20, hashBlob, encAuthMig.authdata);
454
 
        Trspi_LoadBlob(&offset, keySize, hashBlob, keyBlob);
455
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
456
 
 
457
 
        /* Complete the Auth Structure */
458
 
        if ((result = secret_PerformAuth_OSAP(hWrappingKey,
459
 
                                              TPM_ORD_CreateWrapKey,
460
 
                                              hWrapPolicy, hUsagePolicy,
461
 
                                              hMigPolicy, sharedSecret, &auth,
462
 
                                              digest.digest, &nonceEvenOSAP)))
463
 
                return result;
464
 
 
465
 
        /* Now call the function */
466
 
        if ((result = TCSP_CreateWrapKey(tspContext, parentTCSKeyHandle, encAuthUsage, encAuthMig,
467
 
                                         keySize, keyBlob, &newKeySize, &newKey, &auth)))
468
 
                return result;
469
 
 
470
 
        /* Validate the Authorization before using the new key */
471
 
        offset = 0;
472
 
        Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
473
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateWrapKey, hashBlob);
474
 
        Trspi_LoadBlob(&offset, newKeySize, hashBlob, newKey);
475
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
476
 
        if ((result = secret_ValidateAuth_OSAP(hWrappingKey,
477
 
                                               TPM_ORD_CreateWrapKey,
478
 
                                               hWrapPolicy, hUsagePolicy,
479
 
                                               hMigPolicy, sharedSecret, &auth,
480
 
                                               digest.digest,
481
 
                                               &nonceEvenOSAP))) {
482
 
                free(newKey);
483
 
                return result;
484
 
        }
485
 
 
486
 
        /* Push the new key into the existing object */
487
 
        if ((result = obj_rsakey_set_tcpakey(hKey, newKeySize, newKey))) {
488
 
                free(newKey);
489
 
                return result;
490
 
        }
491
 
 
492
 
        free(newKey);
493
 
        return result;
494
 
}
495
 
 
496
 
TSS_RESULT
497
 
Tspi_Key_WrapKey(TSS_HKEY hKey,                 /* in */
498
 
                 TSS_HKEY hWrappingKey,         /* in */
499
 
                 TSS_HPCRS hPcrComposite)       /* in, may be NULL */
500
 
{
501
 
        TSS_HPOLICY hUsePolicy, hMigPolicy;
502
 
        TCPA_SECRET usage, migration;
503
 
        TSS_RESULT result;
504
 
        BYTE *keyPrivBlob = NULL, *wrappingPubKey = NULL, *keyBlob = NULL;
505
 
        UINT32 keyPrivBlobLen, wrappingPubKeyLen, keyBlobLen;
506
 
        BYTE newPrivKey[214]; /* its not magic, see TPM 1.1b spec p.71 */
507
 
        BYTE encPrivKey[256];
508
 
        UINT32 newPrivKeyLen = 214, encPrivKeyLen = 256;
509
 
        UINT64 offset;
510
 
        TCPA_KEY keyContainer;
511
 
        BYTE hashBlob[1024];
512
 
        TCPA_DIGEST digest;
513
 
        TSS_HCONTEXT tspContext;
514
 
 
515
 
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
516
 
                return result;
517
 
 
518
 
        if (hPcrComposite) {
519
 
                if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
520
 
                        return result;
521
 
        }
522
 
 
523
 
        /* get the key to be wrapped's private key */
524
 
        if ((result = obj_rsakey_get_priv_blob(hKey, &keyPrivBlobLen, &keyPrivBlob)))
525
 
                goto done;
526
 
 
527
 
        /* get the key to be wrapped's blob */
528
 
        if ((result = obj_rsakey_get_blob(hKey, &keyBlobLen, &keyBlob)))
529
 
                goto done;
530
 
 
531
 
        /* get the wrapping key's public key */
532
 
        if ((result = obj_rsakey_get_modulus(hWrappingKey, &wrappingPubKeyLen, &wrappingPubKey)))
533
 
                goto done;
534
 
 
535
 
        /* get the key to be wrapped's usage policy */
536
 
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE, &hUsePolicy, NULL)))
537
 
                goto done;
538
 
 
539
 
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_MIGRATION, &hMigPolicy, NULL)))
540
 
                goto done;
541
 
 
542
 
        if ((result = obj_policy_get_secret(hUsePolicy, TR_SECRET_CTX_NEW, &usage)))
543
 
                goto done;
544
 
 
545
 
        if ((result = obj_policy_get_secret(hMigPolicy, TR_SECRET_CTX_NEW, &migration)))
546
 
                goto done;
547
 
 
548
 
        memset(&keyContainer, 0, sizeof(TCPA_KEY));
549
 
 
550
 
        /* unload the key to be wrapped's blob */
551
 
        offset = 0;
552
 
        if ((result = Trspi_UnloadBlob_KEY(&offset, keyBlob, &keyContainer)))
553
 
                return result;
554
 
 
555
 
        /* load the key's attributes into an object and get its hash value */
556
 
        offset = 0;
557
 
        Trspi_LoadBlob_PRIVKEY_DIGEST(&offset, hashBlob, &keyContainer);
558
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
559
 
 
560
 
        free_key_refs(&keyContainer);
561
 
 
562
 
        /* create the plaintext private key blob */
563
 
        offset = 0;
564
 
        Trspi_LoadBlob_BYTE(&offset, TCPA_PT_ASYM, newPrivKey);
565
 
        Trspi_LoadBlob(&offset, 20, newPrivKey, usage.authdata);
566
 
        Trspi_LoadBlob(&offset, 20, newPrivKey, migration.authdata);
567
 
        Trspi_LoadBlob(&offset, 20, newPrivKey, digest.digest);
568
 
        Trspi_LoadBlob_UINT32(&offset, keyPrivBlobLen, newPrivKey);
569
 
        Trspi_LoadBlob(&offset, keyPrivBlobLen, newPrivKey, keyPrivBlob);
570
 
        newPrivKeyLen = offset;
571
 
 
572
 
        /* encrypt the private key blob */
573
 
        if ((result = Trspi_RSA_Encrypt(newPrivKey, newPrivKeyLen, encPrivKey,
574
 
                                        &encPrivKeyLen, wrappingPubKey,
575
 
                                        wrappingPubKeyLen)))
576
 
                goto done;
577
 
 
578
 
        /* set the new encrypted private key in the wrapped key object */
579
 
        if ((result = obj_rsakey_set_privkey(hKey, FALSE, encPrivKeyLen, encPrivKey)))
580
 
                goto done;
581
 
 
582
 
done:
583
 
        free_tspi(tspContext, keyPrivBlob);
584
 
        free_tspi(tspContext, keyBlob);
585
 
        free_tspi(tspContext, wrappingPubKey);
586
 
        return result;
587
 
}
588
 
#if 0
589
 
TSS_RESULT
590
 
create_migration_blob_encdata(TSS_HENCDATA hDataToMigrate,
591
 
                              TSS_HKEY hParentKey,
592
 
                              UINT32 ulMigTicketLength,
593
 
                              BYTE * rgbMigTicket,
594
 
                              UINT32 * pulRandomLength,
595
 
                              BYTE ** prgbRandom,
596
 
                              UINT32 * pulMigrationBlobLength,
597
 
                              BYTE ** prgbMigrationBlob)
598
 
{
599
 
        TCS_CONTEXT_HANDLE tcsContext;
600
 
        TPM_AUTH parentAuth;
601
 
        TPM_AUTH entityAuth;
602
 
        TCPA_RESULT result;
603
 
        UINT16 offset;
604
 
        BYTE hashblob[0x1000];
605
 
        TCPA_DIGEST digest;
606
 
        UINT32 parentKeySize;
607
 
        BYTE *parentKeyBlob;
608
 
        UINT32 dataToMigrateSize;
609
 
        BYTE *dataToMigrateBlob;
610
 
        TSS_HPOLICY hParentPolicy;
611
 
        TSS_HPOLICY hMigratePolicy;
612
 
        TCPA_MIGRATIONKEYAUTH migAuth;
613
 
        TCS_KEY_HANDLE parentHandle;
614
 
        TPM_AUTH *pParentAuth;
615
 
        TSS_BOOL useAuth;
616
 
        UINT32 blobSize;
617
 
        BYTE *blob;
618
 
        TCPA_STORED_DATA storedData;
619
 
        TSS_HCONTEXT tspContext;
620
 
 
621
 
        if ((result = obj_encdata_get_tsp_context(hDataToMigrate, &tspContext)))
622
 
                return result;
623
 
 
624
 
        if ((result = obj_context_is_connected(tspContext, &tcsContext)))
625
 
                return result;
626
 
 
627
 
        if ((result = obj_rsakey_get_blob(hParentKey, &parentKeySize, &parentKeyBlob)))
628
 
                return result;
629
 
 
630
 
        if ((result = obj_encdata_get_data(hDataToMigrate, &dataToMigrateSize, &dataToMigrateBlob)))
631
 
                return result;
632
 
 
633
 
        if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE, &hParentPolicy,
634
 
                                            &useAuth)))
635
 
                return result;
636
 
 
637
 
        if ((result = obj_encdata_get_policy(hDataToMigrate, TSS_POLICY_MIGRATION, &hMigratePolicy)))
638
 
                return result;
639
 
 
640
 
        /*  Parsing the migration scheme from the blob and key object */
641
 
        memset(&migAuth, 0, sizeof(TCPA_MIGRATIONKEYAUTH));
642
 
 
643
 
        offset = 0;
644
 
        if ((result = Trspi_UnloadBlob_MigrationKeyAuth(&offset, rgbMigTicket, &migAuth)))
645
 
                return result;
646
 
 
647
 
        /* free these now, since none are used below */
648
 
        free(migAuth.migrationKey.algorithmParms.parms);
649
 
        migAuth.migrationKey.algorithmParms.parmSize = 0;
650
 
        free(migAuth.migrationKey.pubKey.key);
651
 
        migAuth.migrationKey.pubKey.keyLength = 0;
652
 
#if 1
653
 
        offset = 0;
654
 
        if ((result = Trspi_UnloadBlob_STORED_DATA(&offset, dataToMigrateBlob, &storedData)))
655
 
                return result;
656
 
#endif
657
 
        /* Generate the Authorization data */
658
 
        offset = 0;
659
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
660
 
        Trspi_LoadBlob_UINT16(&offset, migAuth.migrationScheme, hashblob);
661
 
        Trspi_LoadBlob(&offset, ulMigTicketLength, hashblob, rgbMigTicket);
662
 
#if 1
663
 
        Trspi_LoadBlob_UINT32(&offset, storedData.encDataSize, hashblob);
664
 
        Trspi_LoadBlob(&offset, storedData.encDataSize, hashblob, storedData.encData);
665
 
#else
666
 
        Trspi_LoadBlob_UINT32(&offset, dataToMigrateSize, hashblob);
667
 
        Trspi_LoadBlob(&offset, dataToMigrateSize, hashblob, dataToMigrateBlob);
668
 
#endif
669
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
670
 
 
671
 
        if (useAuth) {
672
 
                if ((result = secret_PerformAuth_OIAP(hParentPolicy,
673
 
                                                      TPM_ORD_CreateMigrationBlob,
674
 
                                                      hParentPolicy, &digest,
675
 
                                                      &parentAuth))) {
676
 
                        //free(storedData.sealInfo);
677
 
                        //free(storedData.encData);
678
 
                        return result;
679
 
                }
680
 
                pParentAuth = &parentAuth;
681
 
        } else
682
 
                pParentAuth = NULL;
683
 
 
684
 
        if ((result = secret_PerformAuth_OIAP(hDataToMigrate,
685
 
                                              TPM_ORD_CreateMigrationBlob,
686
 
                                              hMigratePolicy, &digest,
687
 
                                              &entityAuth))) {
688
 
                //free(storedData.sealInfo);
689
 
                //free(storedData.encData);
690
 
                return result;
691
 
        }
692
 
 
693
 
        if ((parentHandle = getTCSKeyHandle(hParentKey)) == NULL_HKEY) {
694
 
                //free(storedData.sealInfo);
695
 
                //free(storedData.encData);
696
 
                return TSPERR(TSS_E_KEY_NOT_LOADED);
697
 
        }
698
 
 
699
 
        if ((result = TCSP_CreateMigrationBlob(tcsContext, parentHandle, migAuth.migrationScheme,
700
 
                                               ulMigTicketLength, rgbMigTicket,
701
 
                                               //storedData.encDataSize, storedData.encData,
702
 
                                               dataToMigrateSize, dataToMigrateBlob,
703
 
                                               pParentAuth, &entityAuth, pulRandomLength,
704
 
                                               prgbRandom, pulMigrationBlobLength,
705
 
                                               prgbMigrationBlob))) {
706
 
                //free(storedData.sealInfo);
707
 
                //free(storedData.encData);
708
 
                return result;
709
 
        }
710
 
        //free(storedData.sealInfo);
711
 
        //free(storedData.encData);
712
 
 
713
 
        offset = 0;
714
 
        Trspi_LoadBlob_UINT32(&offset, result, hashblob);
715
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
716
 
        Trspi_LoadBlob_UINT32(&offset, *pulRandomLength, hashblob);
717
 
        Trspi_LoadBlob(&offset, *pulRandomLength, hashblob, *prgbRandom);
718
 
        Trspi_LoadBlob_UINT32(&offset, *pulMigrationBlobLength, hashblob);
719
 
        Trspi_LoadBlob(&offset, *pulMigrationBlobLength, hashblob, *prgbMigrationBlob);
720
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
721
 
        if (useAuth) {
722
 
                if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth)))
723
 
                        goto error;
724
 
        }
725
 
        if ((result = obj_policy_validate_auth_oiap(hMigratePolicy, &digest, &entityAuth)))
726
 
                goto error;
727
 
 
728
 
        if (migAuth.migrationScheme == TSS_MS_REWRAP) {
729
 
#if 1
730
 
                if ((result = obj_encdata_get_data(hDataToMigrate, &blobSize, &blob)))
731
 
                        goto error;
732
 
 
733
 
                offset = 0;
734
 
                if ((result = Trspi_UnloadBlob_STORED_DATA(&offset, blob, &storedData)))
735
 
                        goto error;
736
 
 
737
 
                /* keyContainer.encData = calloc_tspi(tspContext, outDataSize); */
738
 
                storedData.encDataSize = *pulMigrationBlobLength;
739
 
                memcpy(storedData.encData, *prgbMigrationBlob, *pulMigrationBlobLength);
740
 
 
741
 
                offset = 0;
742
 
                Trspi_LoadBlob_STORED_DATA(&offset, blob, &storedData);
743
 
                free(storedData.sealInfo);
744
 
                free(storedData.encData);
745
 
 
746
 
                if ((result = obj_encdata_set_data(hDataToMigrate, blobSize, blob)))
747
 
                        goto error;
748
 
#else
749
 
                if ((result = obj_encdata_set_data(hDataToMigrate, *pulMigrationBlobLength,
750
 
                                                   *prgbMigrationBlob)))
751
 
                        goto error;
752
 
#endif
753
 
        }
754
 
 
755
 
        return result;
756
 
error:
757
 
        if (*pulRandomLength)
758
 
                free_tspi(tspContext, prgbRandom);
759
 
        free_tspi(tspContext, prgbMigrationBlob);
760
 
        return result;
761
 
}
762
 
#endif
763
 
 
764
 
TSS_RESULT
765
 
create_migration_blob_key(TSS_HKEY hKeyToMigrate,
766
 
                          TSS_HKEY hParentKey,
767
 
                          UINT32 ulMigTicketLength,
768
 
                          BYTE * rgbMigTicket,
769
 
                          UINT32 * pulRandomLength,
770
 
                          BYTE ** prgbRandom,
771
 
                          UINT32 * pulMigrationBlobLength,
772
 
                          BYTE ** prgbMigrationBlob)
773
 
{
774
 
        TPM_AUTH parentAuth, entityAuth;
775
 
        TPM_AUTH *pParentAuth;
776
 
        TCPA_RESULT result;
777
 
        UINT64 offset;
778
 
        BYTE hashblob[0x1000];
779
 
        TCPA_DIGEST digest;
780
 
        UINT32 parentKeySize;
781
 
        BYTE *parentKeyBlob;
782
 
        UINT32 keyToMigrateSize;
783
 
        BYTE *keyToMigrateBlob;
784
 
        TSS_HPOLICY hParentPolicy;
785
 
        TSS_HPOLICY hMigratePolicy;
786
 
        TCPA_MIGRATIONKEYAUTH migAuth;
787
 
        TCPA_KEY tcpaKey;
788
 
        TCS_KEY_HANDLE parentHandle;
789
 
        TSS_BOOL parentUsesAuth;
790
 
        UINT32 blobSize;
791
 
        BYTE *blob;
792
 
        TCPA_KEY keyContainer;
793
 
        TSS_HCONTEXT tspContext;
794
 
 
795
 
        if ((result = obj_rsakey_get_tsp_context(hKeyToMigrate, &tspContext)))
796
 
                return result;
797
 
 
798
 
        if ((result = obj_rsakey_get_blob(hParentKey, &parentKeySize, &parentKeyBlob)))
799
 
                return result;
800
 
 
801
 
        if ((result = obj_rsakey_get_blob(hKeyToMigrate, &keyToMigrateSize, &keyToMigrateBlob)))
802
 
                return result;
803
 
 
804
 
        if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE, &hParentPolicy,
805
 
                                            &parentUsesAuth)))
806
 
                return result;
807
 
 
808
 
        if ((result = obj_rsakey_get_policy(hKeyToMigrate, TSS_POLICY_MIGRATION, &hMigratePolicy,
809
 
                                            NULL)))
810
 
                return result;
811
 
 
812
 
        /*  Parsing the migration scheme from the blob and key object */
813
 
        memset(&migAuth, 0, sizeof(TCPA_MIGRATIONKEYAUTH));
814
 
 
815
 
        offset = 0;
816
 
        if ((result = Trspi_UnloadBlob_MigrationKeyAuth(&offset, rgbMigTicket, &migAuth)))
817
 
                return result;
818
 
 
819
 
        /* free these now, since none are used below */
820
 
        free(migAuth.migrationKey.algorithmParms.parms);
821
 
        migAuth.migrationKey.algorithmParms.parmSize = 0;
822
 
        free(migAuth.migrationKey.pubKey.key);
823
 
        migAuth.migrationKey.pubKey.keyLength = 0;
824
 
 
825
 
        memset(&tcpaKey, 0, sizeof(TCPA_KEY));
826
 
 
827
 
        offset = 0;
828
 
        if ((result = Trspi_UnloadBlob_KEY(&offset, keyToMigrateBlob, &tcpaKey)))
829
 
                return result;
830
 
 
831
 
        /* Generate the Authorization data */
832
 
        offset = 0;
833
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
834
 
        Trspi_LoadBlob_UINT16(&offset, migAuth.migrationScheme, hashblob);
835
 
        Trspi_LoadBlob(&offset, ulMigTicketLength, hashblob, rgbMigTicket);
836
 
        Trspi_LoadBlob_UINT32(&offset, tcpaKey.encSize, hashblob);
837
 
        Trspi_LoadBlob(&offset, tcpaKey.encSize, hashblob, tcpaKey.encData);
838
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
839
 
 
840
 
        if (parentUsesAuth) {
841
 
                if ((result = secret_PerformAuth_OIAP(hParentPolicy,
842
 
                                                      TPM_ORD_CreateMigrationBlob,
843
 
                                                      hParentPolicy, &digest,
844
 
                                                      &parentAuth))) {
845
 
                        free_key_refs(&tcpaKey);
846
 
                        return result;
847
 
                }
848
 
                pParentAuth = &parentAuth;
849
 
        } else {
850
 
                pParentAuth = NULL;
851
 
        }
852
 
 
853
 
        if ((result = secret_PerformAuth_OIAP(hKeyToMigrate,
854
 
                                              TPM_ORD_CreateMigrationBlob,
855
 
                                              hMigratePolicy, &digest,
856
 
                                              &entityAuth))) {
857
 
                free_key_refs(&tcpaKey);
858
 
                return result;
859
 
        }
860
 
 
861
 
        if ((result = obj_rsakey_get_tcs_handle(hParentKey, &parentHandle)))
862
 
                return result;
863
 
 
864
 
        if ((result = TCSP_CreateMigrationBlob(tspContext, parentHandle, migAuth.migrationScheme,
865
 
                                               ulMigTicketLength, rgbMigTicket, tcpaKey.encSize,
866
 
                                               tcpaKey.encData, pParentAuth, &entityAuth,
867
 
                                               pulRandomLength, prgbRandom, pulMigrationBlobLength,
868
 
                                               prgbMigrationBlob))) {
869
 
                free_key_refs(&tcpaKey);
870
 
                return result;
871
 
        }
872
 
        free_key_refs(&tcpaKey);
873
 
 
874
 
        offset = 0;
875
 
        Trspi_LoadBlob_UINT32(&offset, result, hashblob);
876
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
877
 
        Trspi_LoadBlob_UINT32(&offset, *pulRandomLength, hashblob);
878
 
        Trspi_LoadBlob(&offset, *pulRandomLength, hashblob, *prgbRandom);
879
 
        Trspi_LoadBlob_UINT32(&offset, *pulMigrationBlobLength, hashblob);
880
 
        Trspi_LoadBlob(&offset, *pulMigrationBlobLength, hashblob, *prgbMigrationBlob);
881
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
882
 
 
883
 
        if (parentUsesAuth) {
884
 
                if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth)))
885
 
                        goto error;
886
 
        }
887
 
 
888
 
        if ((result = obj_policy_validate_auth_oiap(hMigratePolicy, &digest, &entityAuth)))
889
 
                goto error;
890
 
 
891
 
        if (migAuth.migrationScheme == TCPA_MS_REWRAP) {
892
 
                if ((result = obj_rsakey_get_blob(hKeyToMigrate, &blobSize, &blob)))
893
 
                        goto error;
894
 
 
895
 
                memset(&keyContainer, 0, sizeof(TCPA_KEY));
896
 
 
897
 
                offset = 0;
898
 
                if ((result = Trspi_UnloadBlob_KEY(&offset, blob, &keyContainer)))
899
 
                        goto error;
900
 
 
901
 
                if (keyContainer.encSize > 0)
902
 
                        free(keyContainer.encData);
903
 
 
904
 
                keyContainer.encSize = *pulMigrationBlobLength;
905
 
                keyContainer.encData = *prgbMigrationBlob;
906
 
 
907
 
                offset = 0;
908
 
                Trspi_LoadBlob_KEY(&offset, hashblob, &keyContainer);
909
 
 
910
 
                /* Free manually here since free_key_refs() would free encData, ugh. */
911
 
                free(keyContainer.algorithmParms.parms);
912
 
                keyContainer.algorithmParms.parms = NULL;
913
 
                keyContainer.algorithmParms.parmSize = 0;
914
 
 
915
 
                free(keyContainer.pubKey.key);
916
 
                keyContainer.pubKey.key = NULL;
917
 
                keyContainer.pubKey.keyLength = 0;
918
 
 
919
 
                free(keyContainer.PCRInfo);
920
 
                keyContainer.PCRInfo = NULL;
921
 
                keyContainer.PCRInfoSize = 0;
922
 
 
923
 
                if ((result = obj_rsakey_set_tcpakey(hKeyToMigrate, offset, hashblob)))
924
 
                        goto error;
925
 
        }
926
 
 
927
 
        return result;
928
 
error:
929
 
        if (*pulRandomLength)
930
 
                free_tspi(tspContext, prgbRandom);
931
 
        free_tspi(tspContext, prgbMigrationBlob);
932
 
        return result;
933
 
}
934
 
 
935
 
 
936
 
TSS_RESULT
937
 
Tspi_Key_CreateMigrationBlob(TSS_HKEY hKeyToMigrate,            /* in */
938
 
                             TSS_HKEY hParentKey,               /* in */
939
 
                             UINT32 ulMigTicketLength,          /* in */
940
 
                             BYTE * rgbMigTicket,               /* in */
941
 
                             UINT32 * pulRandomLength,          /* out */
942
 
                             BYTE ** prgbRandom,                /* out */
943
 
                             UINT32 * pulMigrationBlobLength,   /* out */
944
 
                             BYTE ** prgbMigrationBlob)         /* out */
945
 
{
946
 
        if (pulRandomLength == NULL || prgbRandom == NULL || rgbMigTicket == NULL ||
947
 
            pulMigrationBlobLength == NULL || prgbMigrationBlob == NULL)
948
 
                return TSPERR(TSS_E_BAD_PARAMETER);
949
 
 
950
 
        if (obj_is_rsakey(hKeyToMigrate))
951
 
                return create_migration_blob_key(hKeyToMigrate, hParentKey, ulMigTicketLength,
952
 
                                                 rgbMigTicket, pulRandomLength, prgbRandom,
953
 
                                                 pulMigrationBlobLength, prgbMigrationBlob);
954
 
 
955
 
        return TSPERR(TSS_E_INVALID_HANDLE);
956
 
}
957
 
 
958
 
TSS_RESULT
959
 
Tspi_Key_ConvertMigrationBlob(TSS_HKEY hKeyToMigrate,           /* in */
960
 
                              TSS_HKEY hParentKey,              /* in */
961
 
                              UINT32 ulRandomLength,            /* in */
962
 
                              BYTE * rgbRandom,                 /* in */
963
 
                              UINT32 ulMigrationBlobLength,     /* in */
964
 
                              BYTE * rgbMigrationBlob)          /* in */
965
 
{
966
 
 
967
 
        TCPA_RESULT result;
968
 
        UINT32 outDataSize;
969
 
        BYTE *outData;
970
 
        TCS_KEY_HANDLE parentHandle;
971
 
        TPM_AUTH parentAuth;
972
 
        TSS_HPOLICY hParentPolicy;
973
 
        UINT64 offset;
974
 
        BYTE hashblob[0x1000];
975
 
        TCPA_DIGEST digest;
976
 
        TSS_BOOL useAuth;
977
 
        TPM_AUTH *pParentAuth;
978
 
        TSS_HCONTEXT tspContext;
979
 
 
980
 
        if ((result = obj_rsakey_get_tsp_context(hKeyToMigrate, &tspContext)))
981
 
                return result;
982
 
 
983
 
        if (!obj_is_rsakey(hParentKey))
984
 
                return TSPERR(TSS_E_INVALID_HANDLE);
985
 
 
986
 
        /* Get the parent key handle */
987
 
        if ((result = obj_rsakey_get_tcs_handle(hParentKey, &parentHandle)))
988
 
                return result;
989
 
 
990
 
        /* Get the policy */
991
 
        if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE,
992
 
                                        &hParentPolicy, &useAuth)))
993
 
                return result;
994
 
 
995
 
        /* Generate the authorization */
996
 
        offset = 0;
997
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_ConvertMigrationBlob, hashblob);
998
 
        Trspi_LoadBlob_UINT32(&offset, ulMigrationBlobLength, hashblob);
999
 
        Trspi_LoadBlob(&offset, ulMigrationBlobLength, hashblob, rgbMigrationBlob);
1000
 
        Trspi_LoadBlob_UINT32(&offset, ulRandomLength, hashblob);
1001
 
        Trspi_LoadBlob(&offset, ulRandomLength, hashblob, rgbRandom);
1002
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
1003
 
 
1004
 
        if (useAuth) {
1005
 
                if ((result = secret_PerformAuth_OIAP(hParentPolicy,
1006
 
                                                      TPM_ORD_ConvertMigrationBlob,
1007
 
                                                      hParentPolicy, &digest,
1008
 
                                                      &parentAuth)))
1009
 
                        return result;
1010
 
                pParentAuth = &parentAuth;
1011
 
        } else {
1012
 
                pParentAuth = NULL;
1013
 
        }
1014
 
 
1015
 
        if ((result = TCSP_ConvertMigrationBlob(tspContext, parentHandle, ulMigrationBlobLength,
1016
 
                                                rgbMigrationBlob, ulRandomLength, rgbRandom,
1017
 
                                                pParentAuth, &outDataSize, &outData)))
1018
 
                return result;
1019
 
 
1020
 
        /* add validation */
1021
 
        offset = 0;
1022
 
        Trspi_LoadBlob_UINT32(&offset, result, hashblob);
1023
 
        Trspi_LoadBlob_UINT32(&offset, TPM_ORD_ConvertMigrationBlob, hashblob);
1024
 
        Trspi_LoadBlob_UINT32(&offset, outDataSize, hashblob);
1025
 
        Trspi_LoadBlob(&offset, outDataSize, hashblob, outData);
1026
 
        Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
1027
 
        if (useAuth) {
1028
 
                if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth))) {
1029
 
                        free(outData);
1030
 
                        return result;
1031
 
                }
1032
 
        }
1033
 
 
1034
 
        result = obj_rsakey_set_privkey(hKeyToMigrate, TRUE, outDataSize, outData);
1035
 
        free(outData);
1036
 
 
1037
 
        return result;
1038
 
}