3
* Licensed Materials - Property of IBM
5
* trousers - An open source TCG Software Stack
7
* (C) Copyright International Business Machines Corp. 2004
16
#include "trousers/tss.h"
17
#include "trousers/trousers.h"
18
#include "trousers_types.h"
19
#include "spi_internal_types.h"
20
#include "spi_utils.h"
21
#include "capabilities.h"
26
Tspi_Key_UnloadKey(TSS_HKEY hKey) /* in */
28
TSS_HCONTEXT tspContext;
29
TCS_KEY_HANDLE hTcsKey;
32
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
35
if ((result = obj_rsakey_get_tcs_handle(hKey, &hTcsKey)))
38
return TCSP_EvictKey(tspContext, hTcsKey);
42
Tspi_Key_LoadKey(TSS_HKEY hKey, /* in */
43
TSS_HKEY hUnwrappingKey) /* in */
52
TSS_HCONTEXT tspContext;
56
TCS_KEY_HANDLE parentTCSKeyHandle, tcsKey;
60
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
63
if (!obj_is_rsakey(hUnwrappingKey))
64
return TSPERR(TSS_E_INVALID_HANDLE);
66
if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
69
if ((result = obj_rsakey_get_tcs_handle(hUnwrappingKey, &parentTCSKeyHandle)))
72
if ((result = obj_rsakey_get_policy(hUnwrappingKey, TSS_POLICY_USAGE,
73
&hPolicy, &usesAuth)))
78
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_LoadKey, blob);
79
Trspi_LoadBlob(&offset, keySize, blob, keyBlob);
80
Trspi_Hash(TSS_HASH_SHA1, offset, blob, digest.digest);
81
if ((result = secret_PerformAuth_OIAP(hUnwrappingKey,
91
if ((result = TCSP_LoadKeyByBlob(tspContext, parentTCSKeyHandle, keySize, keyBlob, pAuth,
97
Trspi_LoadBlob_UINT32(&offset, result, blob);
98
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_LoadKey, blob);
99
Trspi_LoadBlob_UINT32(&offset, keyslot, blob);
100
Trspi_Hash(TSS_HASH_SHA1, offset, blob, digest.digest);
102
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
106
return obj_rsakey_set_tcs_handle(hKey, tcsKey);
110
Tspi_Key_GetPubKey(TSS_HKEY hKey, /* in */
111
UINT32 * pulPubKeyLength, /* out */
112
BYTE ** prgbPubKey) /* out */
114
TSS_HCONTEXT tspContext;
122
TCS_KEY_HANDLE tcsKeyHandle;
126
if (pulPubKeyLength == NULL || prgbPubKey == NULL)
127
return TSPERR(TSS_E_BAD_PARAMETER);
129
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
132
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
133
&hPolicy, &usesAuth)))
136
if ((result = obj_rsakey_get_tcs_handle(hKey, &tcsKeyHandle)))
141
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_GetPubKey, hashblob);
142
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
144
if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_GetPubKey,
153
if ((result = TCSP_GetPubKey(tspContext, tcsKeyHandle, pAuth, pulPubKeyLength, prgbPubKey)))
156
memset(&pubKey, 0, sizeof(TCPA_PUBKEY));
160
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
161
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_GetPubKey, hashblob);
162
Trspi_LoadBlob(&offset, *pulPubKeyLength, hashblob, *prgbPubKey);
163
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
165
/* goto error here since prgbPubKey has been set */
166
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
170
/* If the key is the SRK, populate the pubkey data in the TSP object */
171
if (tcsKeyHandle == TPM_KEYHND_SRK)
172
obj_rsakey_set_pubkey(hKey, TRUE, *prgbPubKey);
176
free_tspi(tspContext, *prgbPubKey);
178
*pulPubKeyLength = 0;
183
Tspi_Key_CertifyKey(TSS_HKEY hKey, /* in */
184
TSS_HKEY hCertifyingKey, /* in */
185
TSS_VALIDATION * pValidationData) /* in, out */
193
TCPA_NONCE antiReplay;
194
UINT32 CertifyInfoSize;
199
TSS_HPOLICY hCertPolicy;
200
TCS_KEY_HANDLE certifyTCSKeyHandle, keyTCSKeyHandle;
201
BYTE *keyData = NULL;
203
TCPA_KEY keyContainer;
204
TSS_BOOL useAuthCert;
206
TPM_AUTH *pCertAuth = &certAuth;
207
TPM_AUTH *pKeyAuth = &keyAuth;
208
TSS_HCONTEXT tspContext;
211
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
214
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
215
&hPolicy, &useAuthKey)))
218
if ((result = obj_rsakey_get_policy(hCertifyingKey, TSS_POLICY_USAGE,
219
&hCertPolicy, &useAuthCert)))
222
if ((result = obj_rsakey_get_tcs_handle(hCertifyingKey, &certifyTCSKeyHandle)))
225
if ((result = obj_rsakey_get_tcs_handle(hKey, &keyTCSKeyHandle)))
228
if (pValidationData == NULL) {
229
LogDebug("Internal Verify");
230
if ((result = internal_GetRandomNonce(tspContext, &antiReplay)))
233
LogDebug("External Verify");
234
if (pValidationData->ulExternalDataLength < sizeof(antiReplay.nonce))
235
return TSPERR(TSS_E_BAD_PARAMETER);
237
memcpy(antiReplay.nonce, pValidationData->rgbExternalData,
238
sizeof(antiReplay.nonce));
241
if (useAuthCert && !useAuthKey)
242
return TSPERR(TSS_E_BAD_PARAMETER);
244
/* Setup the auths */
245
if (useAuthCert || useAuthKey) {
247
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CertifyKey, hashBlob);
248
Trspi_LoadBlob(&offset, 20, hashBlob, antiReplay.nonce);
249
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, hash.digest);
253
if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_CertifyKey,
261
if ((result = secret_PerformAuth_OIAP(hCertifyingKey,
269
if ((result = TCSP_CertifyKey(tspContext, certifyTCSKeyHandle, keyTCSKeyHandle, antiReplay,
270
pCertAuth, pKeyAuth, &CertifyInfoSize, &CertifyInfo,
271
&outDataSize, &outData))) {
273
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
275
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
280
if (useAuthCert || useAuthKey) {
282
Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
283
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CertifyKey, hashBlob);
284
Trspi_LoadBlob(&offset, CertifyInfoSize, hashBlob, CertifyInfo);
285
Trspi_LoadBlob_UINT32(&offset, outDataSize, hashBlob);
286
Trspi_LoadBlob(&offset, outDataSize, hashBlob, outData);
287
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, hash.digest);
289
if ((result = obj_policy_validate_auth_oiap(hPolicy, &hash, &keyAuth))) {
290
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
292
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
297
if ((result = obj_policy_validate_auth_oiap(hCertPolicy, &hash, &certAuth))) {
298
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
300
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
306
if (pValidationData == NULL) {
307
if ((result = obj_rsakey_get_blob(hCertifyingKey,
308
&keyDataSize, &keyData))) {
310
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
312
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
314
LogError("Error in calling GetAttribData internally");
315
return TSPERR(TSS_E_INTERNAL_ERROR);
318
memset(&keyContainer, 0, sizeof(TCPA_KEY));
321
if ((result = Trspi_UnloadBlob_KEY(&offset, keyData, &keyContainer)))
324
Trspi_Hash(TSS_HASH_SHA1, CertifyInfoSize, CertifyInfo, hash.digest);
326
if ((result = Trspi_Verify(TSS_HASH_SHA1, hash.digest, 20,
327
keyContainer.pubKey.key,
328
keyContainer.pubKey.keyLength,
329
outData, outDataSize))) {
331
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
333
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
335
free_key_refs(&keyContainer);
336
return TSPERR(TSS_E_VERIFICATION_FAILED);
338
free_key_refs(&keyContainer);
340
pValidationData->ulDataLength = CertifyInfoSize;
341
pValidationData->rgbData = calloc_tspi(tspContext, CertifyInfoSize);
342
if (pValidationData->rgbData == NULL) {
343
LogError("malloc of %d bytes failed.", CertifyInfoSize);
345
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
347
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
349
return TSPERR(TSS_E_OUTOFMEMORY);
351
memcpy(pValidationData->rgbData, CertifyInfo, CertifyInfoSize);
352
pValidationData->ulValidationDataLength = outDataSize;
353
pValidationData->rgbValidationData = calloc_tspi(tspContext, outDataSize);
354
if (pValidationData->rgbValidationData == NULL) {
355
LogError("malloc of %d bytes failed.", outDataSize);
357
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
359
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
361
return TSPERR(TSS_E_OUTOFMEMORY);
363
memcpy(pValidationData->rgbValidationData, outData, outDataSize);
365
memcpy(&pValidationData->versionInfo,
366
getCurrentVersion(tspContext), sizeof (TCPA_VERSION));
371
TCSP_TerminateHandle(tspContext, keyAuth.AuthHandle);
373
TCSP_TerminateHandle(tspContext, certAuth.AuthHandle);
379
Tspi_Key_CreateKey(TSS_HKEY hKey, /* in */
380
TSS_HKEY hWrappingKey, /* in */
381
TSS_HPCRS hPcrComposite) /* in, may be NULL */
384
BYTE hashBlob[0x1000];
385
BYTE sharedSecret[20];
387
TCPA_ENCAUTH encAuthUsage;
388
TCPA_ENCAUTH encAuthMig = { { 0, } };
391
TSS_HPOLICY hUsagePolicy;
392
TSS_HPOLICY hMigPolicy = NULL_HPOLICY;
393
TSS_HPOLICY hWrapPolicy;
394
TCS_KEY_HANDLE parentTCSKeyHandle;
395
BYTE *keyBlob = NULL;
397
TCPA_NONCE nonceEvenOSAP;
401
TSS_HCONTEXT tspContext;
403
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
406
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
407
&hUsagePolicy, &usesAuth)))
410
if (obj_rsakey_is_migratable(hKey)) {
411
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_MIGRATION, &hMigPolicy, NULL)))
415
if ((result = obj_rsakey_get_policy(hWrappingKey, TSS_POLICY_USAGE, &hWrapPolicy, NULL)))
419
/* its possible that hPcrComposite could be a bad handle here,
420
* or that no indices of it are yet set, which would throw
421
* internal error. Blanket both those codes with bad
422
* parameter to help the user out */
423
if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
424
return TSPERR(TSS_E_BAD_PARAMETER);
427
if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
430
if ((result = obj_rsakey_get_tcs_handle(hWrappingKey, &parentTCSKeyHandle)))
433
/*****************************************
434
* To create the authorization, the first step is to call
435
* secret_PerformXOR_OSAP, which will call OSAP and do the xorenc of
436
* the secrets. Then, the hashdata is done so that
437
* secret_PerformAuth_OSAP can calculate the HMAC.
438
******************************************/
440
/* Do the first part of the OSAP */
442
secret_PerformXOR_OSAP(hWrapPolicy, hUsagePolicy, hMigPolicy,
443
hWrappingKey, TCPA_ET_KEYHANDLE,
444
parentTCSKeyHandle, &encAuthUsage,
445
&encAuthMig, sharedSecret, &auth,
449
/* Setup the Hash Data for the HMAC */
451
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateWrapKey, hashBlob);
452
Trspi_LoadBlob(&offset, 20, hashBlob, encAuthUsage.authdata);
453
Trspi_LoadBlob(&offset, 20, hashBlob, encAuthMig.authdata);
454
Trspi_LoadBlob(&offset, keySize, hashBlob, keyBlob);
455
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
457
/* Complete the Auth Structure */
458
if ((result = secret_PerformAuth_OSAP(hWrappingKey,
459
TPM_ORD_CreateWrapKey,
460
hWrapPolicy, hUsagePolicy,
461
hMigPolicy, sharedSecret, &auth,
462
digest.digest, &nonceEvenOSAP)))
465
/* Now call the function */
466
if ((result = TCSP_CreateWrapKey(tspContext, parentTCSKeyHandle, encAuthUsage, encAuthMig,
467
keySize, keyBlob, &newKeySize, &newKey, &auth)))
470
/* Validate the Authorization before using the new key */
472
Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
473
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateWrapKey, hashBlob);
474
Trspi_LoadBlob(&offset, newKeySize, hashBlob, newKey);
475
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
476
if ((result = secret_ValidateAuth_OSAP(hWrappingKey,
477
TPM_ORD_CreateWrapKey,
478
hWrapPolicy, hUsagePolicy,
479
hMigPolicy, sharedSecret, &auth,
486
/* Push the new key into the existing object */
487
if ((result = obj_rsakey_set_tcpakey(hKey, newKeySize, newKey))) {
497
Tspi_Key_WrapKey(TSS_HKEY hKey, /* in */
498
TSS_HKEY hWrappingKey, /* in */
499
TSS_HPCRS hPcrComposite) /* in, may be NULL */
501
TSS_HPOLICY hUsePolicy, hMigPolicy;
502
TCPA_SECRET usage, migration;
504
BYTE *keyPrivBlob = NULL, *wrappingPubKey = NULL, *keyBlob = NULL;
505
UINT32 keyPrivBlobLen, wrappingPubKeyLen, keyBlobLen;
506
BYTE newPrivKey[214]; /* its not magic, see TPM 1.1b spec p.71 */
507
BYTE encPrivKey[256];
508
UINT32 newPrivKeyLen = 214, encPrivKeyLen = 256;
510
TCPA_KEY keyContainer;
513
TSS_HCONTEXT tspContext;
515
if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
519
if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
523
/* get the key to be wrapped's private key */
524
if ((result = obj_rsakey_get_priv_blob(hKey, &keyPrivBlobLen, &keyPrivBlob)))
527
/* get the key to be wrapped's blob */
528
if ((result = obj_rsakey_get_blob(hKey, &keyBlobLen, &keyBlob)))
531
/* get the wrapping key's public key */
532
if ((result = obj_rsakey_get_modulus(hWrappingKey, &wrappingPubKeyLen, &wrappingPubKey)))
535
/* get the key to be wrapped's usage policy */
536
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE, &hUsePolicy, NULL)))
539
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_MIGRATION, &hMigPolicy, NULL)))
542
if ((result = obj_policy_get_secret(hUsePolicy, TR_SECRET_CTX_NEW, &usage)))
545
if ((result = obj_policy_get_secret(hMigPolicy, TR_SECRET_CTX_NEW, &migration)))
548
memset(&keyContainer, 0, sizeof(TCPA_KEY));
550
/* unload the key to be wrapped's blob */
552
if ((result = Trspi_UnloadBlob_KEY(&offset, keyBlob, &keyContainer)))
555
/* load the key's attributes into an object and get its hash value */
557
Trspi_LoadBlob_PRIVKEY_DIGEST(&offset, hashBlob, &keyContainer);
558
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
560
free_key_refs(&keyContainer);
562
/* create the plaintext private key blob */
564
Trspi_LoadBlob_BYTE(&offset, TCPA_PT_ASYM, newPrivKey);
565
Trspi_LoadBlob(&offset, 20, newPrivKey, usage.authdata);
566
Trspi_LoadBlob(&offset, 20, newPrivKey, migration.authdata);
567
Trspi_LoadBlob(&offset, 20, newPrivKey, digest.digest);
568
Trspi_LoadBlob_UINT32(&offset, keyPrivBlobLen, newPrivKey);
569
Trspi_LoadBlob(&offset, keyPrivBlobLen, newPrivKey, keyPrivBlob);
570
newPrivKeyLen = offset;
572
/* encrypt the private key blob */
573
if ((result = Trspi_RSA_Encrypt(newPrivKey, newPrivKeyLen, encPrivKey,
574
&encPrivKeyLen, wrappingPubKey,
578
/* set the new encrypted private key in the wrapped key object */
579
if ((result = obj_rsakey_set_privkey(hKey, FALSE, encPrivKeyLen, encPrivKey)))
583
free_tspi(tspContext, keyPrivBlob);
584
free_tspi(tspContext, keyBlob);
585
free_tspi(tspContext, wrappingPubKey);
590
create_migration_blob_encdata(TSS_HENCDATA hDataToMigrate,
592
UINT32 ulMigTicketLength,
594
UINT32 * pulRandomLength,
596
UINT32 * pulMigrationBlobLength,
597
BYTE ** prgbMigrationBlob)
599
TCS_CONTEXT_HANDLE tcsContext;
604
BYTE hashblob[0x1000];
606
UINT32 parentKeySize;
608
UINT32 dataToMigrateSize;
609
BYTE *dataToMigrateBlob;
610
TSS_HPOLICY hParentPolicy;
611
TSS_HPOLICY hMigratePolicy;
612
TCPA_MIGRATIONKEYAUTH migAuth;
613
TCS_KEY_HANDLE parentHandle;
614
TPM_AUTH *pParentAuth;
618
TCPA_STORED_DATA storedData;
619
TSS_HCONTEXT tspContext;
621
if ((result = obj_encdata_get_tsp_context(hDataToMigrate, &tspContext)))
624
if ((result = obj_context_is_connected(tspContext, &tcsContext)))
627
if ((result = obj_rsakey_get_blob(hParentKey, &parentKeySize, &parentKeyBlob)))
630
if ((result = obj_encdata_get_data(hDataToMigrate, &dataToMigrateSize, &dataToMigrateBlob)))
633
if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE, &hParentPolicy,
637
if ((result = obj_encdata_get_policy(hDataToMigrate, TSS_POLICY_MIGRATION, &hMigratePolicy)))
640
/* Parsing the migration scheme from the blob and key object */
641
memset(&migAuth, 0, sizeof(TCPA_MIGRATIONKEYAUTH));
644
if ((result = Trspi_UnloadBlob_MigrationKeyAuth(&offset, rgbMigTicket, &migAuth)))
647
/* free these now, since none are used below */
648
free(migAuth.migrationKey.algorithmParms.parms);
649
migAuth.migrationKey.algorithmParms.parmSize = 0;
650
free(migAuth.migrationKey.pubKey.key);
651
migAuth.migrationKey.pubKey.keyLength = 0;
654
if ((result = Trspi_UnloadBlob_STORED_DATA(&offset, dataToMigrateBlob, &storedData)))
657
/* Generate the Authorization data */
659
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
660
Trspi_LoadBlob_UINT16(&offset, migAuth.migrationScheme, hashblob);
661
Trspi_LoadBlob(&offset, ulMigTicketLength, hashblob, rgbMigTicket);
663
Trspi_LoadBlob_UINT32(&offset, storedData.encDataSize, hashblob);
664
Trspi_LoadBlob(&offset, storedData.encDataSize, hashblob, storedData.encData);
666
Trspi_LoadBlob_UINT32(&offset, dataToMigrateSize, hashblob);
667
Trspi_LoadBlob(&offset, dataToMigrateSize, hashblob, dataToMigrateBlob);
669
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
672
if ((result = secret_PerformAuth_OIAP(hParentPolicy,
673
TPM_ORD_CreateMigrationBlob,
674
hParentPolicy, &digest,
676
//free(storedData.sealInfo);
677
//free(storedData.encData);
680
pParentAuth = &parentAuth;
684
if ((result = secret_PerformAuth_OIAP(hDataToMigrate,
685
TPM_ORD_CreateMigrationBlob,
686
hMigratePolicy, &digest,
688
//free(storedData.sealInfo);
689
//free(storedData.encData);
693
if ((parentHandle = getTCSKeyHandle(hParentKey)) == NULL_HKEY) {
694
//free(storedData.sealInfo);
695
//free(storedData.encData);
696
return TSPERR(TSS_E_KEY_NOT_LOADED);
699
if ((result = TCSP_CreateMigrationBlob(tcsContext, parentHandle, migAuth.migrationScheme,
700
ulMigTicketLength, rgbMigTicket,
701
//storedData.encDataSize, storedData.encData,
702
dataToMigrateSize, dataToMigrateBlob,
703
pParentAuth, &entityAuth, pulRandomLength,
704
prgbRandom, pulMigrationBlobLength,
705
prgbMigrationBlob))) {
706
//free(storedData.sealInfo);
707
//free(storedData.encData);
710
//free(storedData.sealInfo);
711
//free(storedData.encData);
714
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
715
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
716
Trspi_LoadBlob_UINT32(&offset, *pulRandomLength, hashblob);
717
Trspi_LoadBlob(&offset, *pulRandomLength, hashblob, *prgbRandom);
718
Trspi_LoadBlob_UINT32(&offset, *pulMigrationBlobLength, hashblob);
719
Trspi_LoadBlob(&offset, *pulMigrationBlobLength, hashblob, *prgbMigrationBlob);
720
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
722
if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth)))
725
if ((result = obj_policy_validate_auth_oiap(hMigratePolicy, &digest, &entityAuth)))
728
if (migAuth.migrationScheme == TSS_MS_REWRAP) {
730
if ((result = obj_encdata_get_data(hDataToMigrate, &blobSize, &blob)))
734
if ((result = Trspi_UnloadBlob_STORED_DATA(&offset, blob, &storedData)))
737
/* keyContainer.encData = calloc_tspi(tspContext, outDataSize); */
738
storedData.encDataSize = *pulMigrationBlobLength;
739
memcpy(storedData.encData, *prgbMigrationBlob, *pulMigrationBlobLength);
742
Trspi_LoadBlob_STORED_DATA(&offset, blob, &storedData);
743
free(storedData.sealInfo);
744
free(storedData.encData);
746
if ((result = obj_encdata_set_data(hDataToMigrate, blobSize, blob)))
749
if ((result = obj_encdata_set_data(hDataToMigrate, *pulMigrationBlobLength,
750
*prgbMigrationBlob)))
757
if (*pulRandomLength)
758
free_tspi(tspContext, prgbRandom);
759
free_tspi(tspContext, prgbMigrationBlob);
765
create_migration_blob_key(TSS_HKEY hKeyToMigrate,
767
UINT32 ulMigTicketLength,
769
UINT32 * pulRandomLength,
771
UINT32 * pulMigrationBlobLength,
772
BYTE ** prgbMigrationBlob)
774
TPM_AUTH parentAuth, entityAuth;
775
TPM_AUTH *pParentAuth;
778
BYTE hashblob[0x1000];
780
UINT32 parentKeySize;
782
UINT32 keyToMigrateSize;
783
BYTE *keyToMigrateBlob;
784
TSS_HPOLICY hParentPolicy;
785
TSS_HPOLICY hMigratePolicy;
786
TCPA_MIGRATIONKEYAUTH migAuth;
788
TCS_KEY_HANDLE parentHandle;
789
TSS_BOOL parentUsesAuth;
792
TCPA_KEY keyContainer;
793
TSS_HCONTEXT tspContext;
795
if ((result = obj_rsakey_get_tsp_context(hKeyToMigrate, &tspContext)))
798
if ((result = obj_rsakey_get_blob(hParentKey, &parentKeySize, &parentKeyBlob)))
801
if ((result = obj_rsakey_get_blob(hKeyToMigrate, &keyToMigrateSize, &keyToMigrateBlob)))
804
if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE, &hParentPolicy,
808
if ((result = obj_rsakey_get_policy(hKeyToMigrate, TSS_POLICY_MIGRATION, &hMigratePolicy,
812
/* Parsing the migration scheme from the blob and key object */
813
memset(&migAuth, 0, sizeof(TCPA_MIGRATIONKEYAUTH));
816
if ((result = Trspi_UnloadBlob_MigrationKeyAuth(&offset, rgbMigTicket, &migAuth)))
819
/* free these now, since none are used below */
820
free(migAuth.migrationKey.algorithmParms.parms);
821
migAuth.migrationKey.algorithmParms.parmSize = 0;
822
free(migAuth.migrationKey.pubKey.key);
823
migAuth.migrationKey.pubKey.keyLength = 0;
825
memset(&tcpaKey, 0, sizeof(TCPA_KEY));
828
if ((result = Trspi_UnloadBlob_KEY(&offset, keyToMigrateBlob, &tcpaKey)))
831
/* Generate the Authorization data */
833
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
834
Trspi_LoadBlob_UINT16(&offset, migAuth.migrationScheme, hashblob);
835
Trspi_LoadBlob(&offset, ulMigTicketLength, hashblob, rgbMigTicket);
836
Trspi_LoadBlob_UINT32(&offset, tcpaKey.encSize, hashblob);
837
Trspi_LoadBlob(&offset, tcpaKey.encSize, hashblob, tcpaKey.encData);
838
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
840
if (parentUsesAuth) {
841
if ((result = secret_PerformAuth_OIAP(hParentPolicy,
842
TPM_ORD_CreateMigrationBlob,
843
hParentPolicy, &digest,
845
free_key_refs(&tcpaKey);
848
pParentAuth = &parentAuth;
853
if ((result = secret_PerformAuth_OIAP(hKeyToMigrate,
854
TPM_ORD_CreateMigrationBlob,
855
hMigratePolicy, &digest,
857
free_key_refs(&tcpaKey);
861
if ((result = obj_rsakey_get_tcs_handle(hParentKey, &parentHandle)))
864
if ((result = TCSP_CreateMigrationBlob(tspContext, parentHandle, migAuth.migrationScheme,
865
ulMigTicketLength, rgbMigTicket, tcpaKey.encSize,
866
tcpaKey.encData, pParentAuth, &entityAuth,
867
pulRandomLength, prgbRandom, pulMigrationBlobLength,
868
prgbMigrationBlob))) {
869
free_key_refs(&tcpaKey);
872
free_key_refs(&tcpaKey);
875
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
876
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_CreateMigrationBlob, hashblob);
877
Trspi_LoadBlob_UINT32(&offset, *pulRandomLength, hashblob);
878
Trspi_LoadBlob(&offset, *pulRandomLength, hashblob, *prgbRandom);
879
Trspi_LoadBlob_UINT32(&offset, *pulMigrationBlobLength, hashblob);
880
Trspi_LoadBlob(&offset, *pulMigrationBlobLength, hashblob, *prgbMigrationBlob);
881
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
883
if (parentUsesAuth) {
884
if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth)))
888
if ((result = obj_policy_validate_auth_oiap(hMigratePolicy, &digest, &entityAuth)))
891
if (migAuth.migrationScheme == TCPA_MS_REWRAP) {
892
if ((result = obj_rsakey_get_blob(hKeyToMigrate, &blobSize, &blob)))
895
memset(&keyContainer, 0, sizeof(TCPA_KEY));
898
if ((result = Trspi_UnloadBlob_KEY(&offset, blob, &keyContainer)))
901
if (keyContainer.encSize > 0)
902
free(keyContainer.encData);
904
keyContainer.encSize = *pulMigrationBlobLength;
905
keyContainer.encData = *prgbMigrationBlob;
908
Trspi_LoadBlob_KEY(&offset, hashblob, &keyContainer);
910
/* Free manually here since free_key_refs() would free encData, ugh. */
911
free(keyContainer.algorithmParms.parms);
912
keyContainer.algorithmParms.parms = NULL;
913
keyContainer.algorithmParms.parmSize = 0;
915
free(keyContainer.pubKey.key);
916
keyContainer.pubKey.key = NULL;
917
keyContainer.pubKey.keyLength = 0;
919
free(keyContainer.PCRInfo);
920
keyContainer.PCRInfo = NULL;
921
keyContainer.PCRInfoSize = 0;
923
if ((result = obj_rsakey_set_tcpakey(hKeyToMigrate, offset, hashblob)))
929
if (*pulRandomLength)
930
free_tspi(tspContext, prgbRandom);
931
free_tspi(tspContext, prgbMigrationBlob);
937
Tspi_Key_CreateMigrationBlob(TSS_HKEY hKeyToMigrate, /* in */
938
TSS_HKEY hParentKey, /* in */
939
UINT32 ulMigTicketLength, /* in */
940
BYTE * rgbMigTicket, /* in */
941
UINT32 * pulRandomLength, /* out */
942
BYTE ** prgbRandom, /* out */
943
UINT32 * pulMigrationBlobLength, /* out */
944
BYTE ** prgbMigrationBlob) /* out */
946
if (pulRandomLength == NULL || prgbRandom == NULL || rgbMigTicket == NULL ||
947
pulMigrationBlobLength == NULL || prgbMigrationBlob == NULL)
948
return TSPERR(TSS_E_BAD_PARAMETER);
950
if (obj_is_rsakey(hKeyToMigrate))
951
return create_migration_blob_key(hKeyToMigrate, hParentKey, ulMigTicketLength,
952
rgbMigTicket, pulRandomLength, prgbRandom,
953
pulMigrationBlobLength, prgbMigrationBlob);
955
return TSPERR(TSS_E_INVALID_HANDLE);
959
Tspi_Key_ConvertMigrationBlob(TSS_HKEY hKeyToMigrate, /* in */
960
TSS_HKEY hParentKey, /* in */
961
UINT32 ulRandomLength, /* in */
962
BYTE * rgbRandom, /* in */
963
UINT32 ulMigrationBlobLength, /* in */
964
BYTE * rgbMigrationBlob) /* in */
970
TCS_KEY_HANDLE parentHandle;
972
TSS_HPOLICY hParentPolicy;
974
BYTE hashblob[0x1000];
977
TPM_AUTH *pParentAuth;
978
TSS_HCONTEXT tspContext;
980
if ((result = obj_rsakey_get_tsp_context(hKeyToMigrate, &tspContext)))
983
if (!obj_is_rsakey(hParentKey))
984
return TSPERR(TSS_E_INVALID_HANDLE);
986
/* Get the parent key handle */
987
if ((result = obj_rsakey_get_tcs_handle(hParentKey, &parentHandle)))
991
if ((result = obj_rsakey_get_policy(hParentKey, TSS_POLICY_USAGE,
992
&hParentPolicy, &useAuth)))
995
/* Generate the authorization */
997
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_ConvertMigrationBlob, hashblob);
998
Trspi_LoadBlob_UINT32(&offset, ulMigrationBlobLength, hashblob);
999
Trspi_LoadBlob(&offset, ulMigrationBlobLength, hashblob, rgbMigrationBlob);
1000
Trspi_LoadBlob_UINT32(&offset, ulRandomLength, hashblob);
1001
Trspi_LoadBlob(&offset, ulRandomLength, hashblob, rgbRandom);
1002
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
1005
if ((result = secret_PerformAuth_OIAP(hParentPolicy,
1006
TPM_ORD_ConvertMigrationBlob,
1007
hParentPolicy, &digest,
1010
pParentAuth = &parentAuth;
1015
if ((result = TCSP_ConvertMigrationBlob(tspContext, parentHandle, ulMigrationBlobLength,
1016
rgbMigrationBlob, ulRandomLength, rgbRandom,
1017
pParentAuth, &outDataSize, &outData)))
1020
/* add validation */
1022
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
1023
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_ConvertMigrationBlob, hashblob);
1024
Trspi_LoadBlob_UINT32(&offset, outDataSize, hashblob);
1025
Trspi_LoadBlob(&offset, outDataSize, hashblob, outData);
1026
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
1028
if ((result = obj_policy_validate_auth_oiap(hParentPolicy, &digest, &parentAuth))) {
1034
result = obj_rsakey_set_privkey(hKeyToMigrate, TRUE, outDataSize, outData);