← Back to branch summary

~ubuntu-branches/ubuntu/jaunty/trousers/jaunty

« back to all changes in this revision

Viewing changes to src/tspi/tspi_key.c

  • Committer: Bazaar Package Importer
  • Author(s): Daniel Baumann
  • Date: 2008-01-23 22:03:00 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20080123220300-fhtqja3c0oq0gp6z
Tags: 0.3.1-4
http://bugs.debian.org/457400
http://bugs.debian.org/459682
* Added patch from Aaron M. Ucko <ucko@debian.org> to allow trousers to
  build successfully on amd64, and presumably also other 64-bit
  architectures (Closes: #457400).
* Including udev rule for /dev/tpm from William Lima
  <wlima.amadeus@gmail.com> as suggested by David Smith <dds@google.com>
  (Closes: #459682).
* Added lintian overrides.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/tspi/tspi_key.c
 
1
 
 
2
/*
 
3
 * Licensed Materials - Property of IBM
 
4
 *
 
5
 * trousers - An open source TCG Software Stack
 
6
 *
 
7
 * (C) Copyright International Business Machines Corp. 2004-2007
 
8
 *
 
9
 */
 
10
 
 
11
 
 
12
#include <stdlib.h>
 
13
#include <stdio.h>
 
14
#include <string.h>
 
15
 
 
16
#include "trousers/tss.h"
 
17
#include "trousers/trousers.h"
 
18
#include "trousers_types.h"
 
19
#include "trousers_types.h"
 
20
#include "spi_utils.h"
 
21
#include "capabilities.h"
 
22
#include "tsplog.h"
 
23
#include "obj.h"
 
24
#include "authsess.h"
 
25
 
 
26
 
 
27
TSS_RESULT
 
28
Tspi_Key_UnloadKey(TSS_HKEY hKey)       /* in */
 
29
{
 
30
        TSS_HCONTEXT tspContext;
 
31
        TCS_KEY_HANDLE hTcsKey;
 
32
        TSS_RESULT result;
 
33
 
 
34
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
 
35
                return result;
 
36
 
 
37
        if ((result = obj_rsakey_get_tcs_handle(hKey, &hTcsKey)))
 
38
                return result;
 
39
 
 
40
        return free_resource(tspContext, hTcsKey, TPM_RT_KEY);
 
41
}
 
42
 
 
43
TSS_RESULT
 
44
Tspi_Key_LoadKey(TSS_HKEY hKey,                 /* in */
 
45
                 TSS_HKEY hUnwrappingKey)       /* in */
 
46
{
 
47
        TPM_AUTH auth;
 
48
        TCPA_DIGEST digest;
 
49
        TSS_RESULT result;
 
50
        UINT32 keyslot;
 
51
        TSS_HCONTEXT tspContext;
 
52
        TSS_HPOLICY hPolicy;
 
53
        UINT32 keySize;
 
54
        BYTE *keyBlob;
 
55
        TCS_KEY_HANDLE tcsKey, tcsParentHandle;
 
56
        TSS_BOOL usesAuth;
 
57
        TPM_AUTH *pAuth;
 
58
        Trspi_HashCtx hashCtx;
 
59
        TPM_COMMAND_CODE ordinal;
 
60
 
 
61
        if (!obj_is_rsakey(hUnwrappingKey))
 
62
                return TSPERR(TSS_E_INVALID_HANDLE);
 
63
 
 
64
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
 
65
                return result;
 
66
 
 
67
        if ((result = obj_context_get_loadkey_ordinal(tspContext, &ordinal)))
 
68
                return result;
 
69
 
 
70
        if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
 
71
                return result;
 
72
 
 
73
        if ((result = obj_rsakey_get_tcs_handle(hUnwrappingKey, &tcsParentHandle)))
 
74
                return result;
 
75
 
 
76
        if ((result = obj_rsakey_get_policy(hUnwrappingKey, TSS_POLICY_USAGE, &hPolicy,
 
77
                                            &usesAuth))) {
 
78
                free_tspi(tspContext, keyBlob);
 
79
                return result;
 
80
        }
 
81
 
 
82
        if (usesAuth) {
 
83
                result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
84
                result |= Trspi_Hash_UINT32(&hashCtx, ordinal);
 
85
                result |= Trspi_HashUpdate(&hashCtx, keySize, keyBlob);
 
86
                if ((result |= Trspi_HashFinal(&hashCtx, digest.digest))) {
 
87
                        free_tspi(tspContext, keyBlob);
 
88
                        return result;
 
89
                }
 
90
 
 
91
                if ((result = secret_PerformAuth_OIAP(hUnwrappingKey, ordinal, hPolicy, FALSE,
 
92
                                                      &digest, &auth))) {
 
93
                        free_tspi(tspContext, keyBlob);
 
94
                        return result;
 
95
                }
 
96
                pAuth = &auth;
 
97
        } else {
 
98
                pAuth = NULL;
 
99
        }
 
100
 
 
101
        if ((result = TCS_API(tspContext)->LoadKeyByBlob(tspContext, tcsParentHandle, keySize,
 
102
                                                         keyBlob, pAuth, &tcsKey, &keyslot))) {
 
103
                free_tspi(tspContext, keyBlob);
 
104
                return result;
 
105
        }
 
106
 
 
107
        free_tspi(tspContext, keyBlob);
 
108
 
 
109
        if (usesAuth) {
 
110
                result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
111
                result |= Trspi_Hash_UINT32(&hashCtx, result);
 
112
                result |= Trspi_Hash_UINT32(&hashCtx, ordinal);
 
113
                if (ordinal == TPM_ORD_LoadKey)
 
114
                        result |= Trspi_Hash_UINT32(&hashCtx, keyslot);
 
115
                if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
116
                        return result;
 
117
 
 
118
                if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
 
119
                        return result;
 
120
        }
 
121
 
 
122
        return obj_rsakey_set_tcs_handle(hKey, tcsKey);
 
123
}
 
124
 
 
125
TSS_RESULT
 
126
Tspi_Key_GetPubKey(TSS_HKEY hKey,               /* in */
 
127
                   UINT32 * pulPubKeyLength,    /* out */
 
128
                   BYTE ** prgbPubKey)          /* out */
 
129
{
 
130
        TPM_AUTH auth;
 
131
        TPM_AUTH *pAuth;
 
132
        TCPA_DIGEST digest;
 
133
        TCPA_RESULT result;
 
134
        TSS_HCONTEXT tspContext;
 
135
        TSS_HPOLICY hPolicy;
 
136
        TCS_KEY_HANDLE tcsKeyHandle;
 
137
        TSS_BOOL usesAuth;
 
138
        Trspi_HashCtx hashCtx;
 
139
 
 
140
        if (pulPubKeyLength == NULL || prgbPubKey == NULL)
 
141
                return TSPERR(TSS_E_BAD_PARAMETER);
 
142
 
 
143
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
 
144
                return result;
 
145
 
 
146
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
 
147
                                            &hPolicy, &usesAuth)))
 
148
                return result;
 
149
 
 
150
        if ((result = obj_rsakey_get_tcs_handle(hKey, &tcsKeyHandle)))
 
151
                return result;
 
152
 
 
153
        if (usesAuth) {
 
154
                result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
155
                result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_GetPubKey);
 
156
                if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
157
                        return result;
 
158
 
 
159
                if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_GetPubKey, hPolicy, FALSE,
 
160
                                                      &digest, &auth)))
 
161
                        return result;
 
162
                pAuth = &auth;
 
163
        } else {
 
164
                pAuth = NULL;
 
165
        }
 
166
 
 
167
        if ((result = TCS_API(tspContext)->GetPubKey(tspContext, tcsKeyHandle, pAuth,
 
168
                                                     pulPubKeyLength, prgbPubKey)))
 
169
                return result;
 
170
 
 
171
        if (usesAuth) {
 
172
                result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
173
                result |= Trspi_Hash_UINT32(&hashCtx, result);
 
174
                result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_GetPubKey);
 
175
                result |= Trspi_HashUpdate(&hashCtx, *pulPubKeyLength, *prgbPubKey);
 
176
                if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
177
                        goto error;
 
178
 
 
179
                /* goto error here since prgbPubKey has been set */
 
180
                if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
 
181
                        goto error;
 
182
        }
 
183
 
 
184
        if ((result = add_mem_entry(tspContext, *prgbPubKey)))
 
185
                goto error;
 
186
 
 
187
        if (tcsKeyHandle == TPM_KEYHND_SRK)
 
188
                obj_rsakey_set_pubkey(hKey, TRUE, *prgbPubKey);
 
189
 
 
190
        return TSS_SUCCESS;
 
191
error:
 
192
        free(*prgbPubKey);
 
193
        *prgbPubKey = NULL;
 
194
        *pulPubKeyLength = 0;
 
195
        return result;
 
196
}
 
197
 
 
198
TSS_RESULT
 
199
Tspi_Key_CreateKey(TSS_HKEY hKey,               /* in */
 
200
                   TSS_HKEY hWrappingKey,       /* in */
 
201
                   TSS_HPCRS hPcrComposite)     /* in, may be NULL */
 
202
{
 
203
        TCPA_DIGEST digest;
 
204
        TCPA_RESULT result;
 
205
        TCS_KEY_HANDLE parentTCSKeyHandle;
 
206
        BYTE *keyBlob = NULL;
 
207
        UINT32 keySize;
 
208
        UINT32 newKeySize;
 
209
        BYTE *newKey = NULL;
 
210
        TSS_BOOL isCmk = FALSE;
 
211
        UINT32 blobSize;
 
212
        BYTE *blob;
 
213
        TPM_HMAC msaApproval;
 
214
        TPM_DIGEST msaDigest;
 
215
        UINT32 ordinal;
 
216
        TSS_HCONTEXT tspContext;
 
217
        Trspi_HashCtx hashCtx;
 
218
        struct authsess *xsap = NULL;
 
219
 
 
220
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
 
221
                return result;
 
222
 
 
223
        if (hPcrComposite) {
 
224
                /* its possible that hPcrComposite could be a bad handle here,
 
225
                 * or that no indices of it are yet set, which would throw
 
226
                 * internal error. Blanket both those codes with bad
 
227
                 * parameter to help the user out */
 
228
                if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
 
229
                        return TSPERR(TSS_E_BAD_PARAMETER);
 
230
        }
 
231
 
 
232
        if ((result = obj_rsakey_get_tcs_handle(hWrappingKey, &parentTCSKeyHandle)))
 
233
                return result;
 
234
 
 
235
        if ((result = obj_rsakey_get_blob(hKey, &keySize, &keyBlob)))
 
236
                return result;
 
237
 
 
238
#ifdef TSS_BUILD_CMK
 
239
        isCmk = obj_rsakey_is_cmk(hKey);
 
240
        if (isCmk) {
 
241
                if ((result = obj_rsakey_get_msa_approval(hKey, &blobSize, &blob)))
 
242
                        goto done;
 
243
                memcpy(msaApproval.digest, blob, sizeof(msaApproval.digest));
 
244
                free_tspi(tspContext, blob);
 
245
 
 
246
                if ((result = obj_rsakey_get_msa_digest(hKey, &blobSize, &blob)))
 
247
                        goto done;
 
248
                memcpy(msaDigest.digest, blob, sizeof(msaDigest.digest));
 
249
                free_tspi(tspContext, blob);
 
250
        }
 
251
#endif
 
252
 
 
253
        ordinal = isCmk ? TPM_ORD_CMK_CreateKey : TPM_ORD_CreateWrapKey;
 
254
        if ((result = authsess_xsap_init(tspContext, hWrappingKey, hKey, TSS_AUTH_POLICY_REQUIRED,
 
255
                                         ordinal, TPM_ET_KEYHANDLE, &xsap)))
 
256
                return result;
 
257
 
 
258
        /* Setup the Hash Data for the HMAC */
 
259
        result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
260
        if (isCmk) {
 
261
                result |= Trspi_Hash_UINT32(&hashCtx, ordinal);
 
262
                result |= Trspi_Hash_ENCAUTH(&hashCtx, xsap->encAuthUse.authdata);
 
263
                result |= Trspi_HashUpdate(&hashCtx, keySize, keyBlob);
 
264
                result |= Trspi_Hash_HMAC(&hashCtx, msaApproval.digest);
 
265
                result |= Trspi_Hash_DIGEST(&hashCtx, msaDigest.digest);
 
266
        } else {
 
267
                result |= Trspi_Hash_UINT32(&hashCtx, ordinal);
 
268
                result |= Trspi_Hash_DIGEST(&hashCtx, xsap->encAuthUse.authdata);
 
269
                result |= Trspi_Hash_DIGEST(&hashCtx, xsap->encAuthMig.authdata);
 
270
                result |= Trspi_HashUpdate(&hashCtx, keySize, keyBlob);
 
271
        }
 
272
        if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
273
                goto done;
 
274
 
 
275
        if ((result = authsess_xsap_hmac(xsap, &digest)))
 
276
                goto done;
 
277
 
 
278
        /* Now call the function */
 
279
        if (isCmk) {
 
280
                if ((newKey = malloc(keySize)) == NULL) {
 
281
                        LogError("malloc of %u bytes failed.", keySize);
 
282
                        result = TSPERR(TSS_E_OUTOFMEMORY);
 
283
                        goto done;
 
284
                }
 
285
                memcpy(newKey, keyBlob, keySize);
 
286
                newKeySize = keySize;
 
287
 
 
288
                if ((result = RPC_CMK_CreateKey(tspContext, parentTCSKeyHandle,
 
289
                                                (TPM_ENCAUTH *)&xsap->encAuthUse,
 
290
                                                &msaApproval, &msaDigest, &newKeySize, &newKey,
 
291
                                                xsap->pAuth)))
 
292
                        goto done;
 
293
        } else {
 
294
                if ((result = TCS_API(tspContext)->CreateWrapKey(tspContext, parentTCSKeyHandle,
 
295
                                                                 (TPM_ENCAUTH *)&xsap->encAuthUse,
 
296
                                                                 (TPM_ENCAUTH *)&xsap->encAuthMig,
 
297
                                                                 keySize, keyBlob, &newKeySize,
 
298
                                                                 &newKey, xsap->pAuth)))
 
299
                        goto done;
 
300
        }
 
301
 
 
302
        /* Validate the Authorization before using the new key */
 
303
        result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
304
        result |= Trspi_Hash_UINT32(&hashCtx, result);
 
305
        result |= Trspi_Hash_UINT32(&hashCtx, ordinal);
 
306
        result |= Trspi_HashUpdate(&hashCtx, newKeySize, newKey);
 
307
        if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
308
                goto done;
 
309
 
 
310
        if (authsess_xsap_verify(xsap, &digest)) {
 
311
                result = TSPERR(TSS_E_TSP_AUTHFAIL);
 
312
                goto done;
 
313
        }
 
314
 
 
315
        /* Push the new key into the existing object */
 
316
        result = obj_rsakey_set_tcpakey(hKey, newKeySize, newKey);
 
317
 
 
318
done:
 
319
        authsess_free(xsap);
 
320
        free_tspi(tspContext, keyBlob);
 
321
        free(newKey);
 
322
 
 
323
        return result;
 
324
}
 
325
 
 
326
TSS_RESULT
 
327
Tspi_Key_WrapKey(TSS_HKEY hKey,                 /* in */
 
328
                 TSS_HKEY hWrappingKey,         /* in */
 
329
                 TSS_HPCRS hPcrComposite)       /* in, may be NULL */
 
330
{
 
331
        TSS_HPOLICY hUsePolicy, hMigPolicy;
 
332
        TCPA_SECRET usage, migration;
 
333
        TSS_RESULT result;
 
334
        BYTE *keyPrivBlob = NULL, *wrappingPubKey = NULL, *keyBlob = NULL;
 
335
        UINT32 keyPrivBlobLen, wrappingPubKeyLen, keyBlobLen;
 
336
        BYTE newPrivKey[214]; /* its not magic, see TPM 1.1b spec p.71 */
 
337
        BYTE encPrivKey[256];
 
338
        UINT32 newPrivKeyLen = 214, encPrivKeyLen = 256;
 
339
        UINT64 offset;
 
340
        TSS_KEY keyContainer;
 
341
        TCPA_DIGEST digest;
 
342
        TSS_HCONTEXT tspContext;
 
343
        Trspi_HashCtx hashCtx;
 
344
 
 
345
        if ((result = obj_rsakey_get_tsp_context(hKey, &tspContext)))
 
346
                return result;
 
347
 
 
348
        if (hPcrComposite) {
 
349
                if ((result = obj_rsakey_set_pcr_data(hKey, hPcrComposite)))
 
350
                        return result;
 
351
        }
 
352
 
 
353
        /* get the key to be wrapped's private key */
 
354
        if ((result = obj_rsakey_get_priv_blob(hKey, &keyPrivBlobLen, &keyPrivBlob)))
 
355
                goto done;
 
356
 
 
357
        /* get the key to be wrapped's blob */
 
358
        if ((result = obj_rsakey_get_blob(hKey, &keyBlobLen, &keyBlob)))
 
359
                goto done;
 
360
 
 
361
        /* get the wrapping key's public key */
 
362
        if ((result = obj_rsakey_get_modulus(hWrappingKey, &wrappingPubKeyLen, &wrappingPubKey)))
 
363
                goto done;
 
364
 
 
365
        /* get the key to be wrapped's usage policy */
 
366
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE, &hUsePolicy, NULL)))
 
367
                goto done;
 
368
 
 
369
        if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_MIGRATION, &hMigPolicy, NULL)))
 
370
                goto done;
 
371
 
 
372
        if ((result = obj_policy_get_secret(hUsePolicy, TR_SECRET_CTX_NEW, &usage)))
 
373
                goto done;
 
374
 
 
375
        if ((result = obj_policy_get_secret(hMigPolicy, TR_SECRET_CTX_NEW, &migration)))
 
376
                goto done;
 
377
 
 
378
        memset(&keyContainer, 0, sizeof(TSS_KEY));
 
379
 
 
380
        /* unload the key to be wrapped's blob */
 
381
        offset = 0;
 
382
        if ((result = UnloadBlob_TSS_KEY(&offset, keyBlob, &keyContainer)))
 
383
                return result;
 
384
 
 
385
        /* load the key's attributes into an object and get its hash value */
 
386
        result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
387
        result |= Hash_TSS_PRIVKEY_DIGEST(&hashCtx, &keyContainer);
 
388
        if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
389
                return result;
 
390
 
 
391
        free_key_refs(&keyContainer);
 
392
 
 
393
        /* create the plaintext private key blob */
 
394
        offset = 0;
 
395
        Trspi_LoadBlob_BYTE(&offset, TCPA_PT_ASYM, newPrivKey);
 
396
        Trspi_LoadBlob(&offset, 20, newPrivKey, usage.authdata);
 
397
        Trspi_LoadBlob(&offset, 20, newPrivKey, migration.authdata);
 
398
        Trspi_LoadBlob(&offset, 20, newPrivKey, digest.digest);
 
399
        Trspi_LoadBlob_UINT32(&offset, keyPrivBlobLen, newPrivKey);
 
400
        Trspi_LoadBlob(&offset, keyPrivBlobLen, newPrivKey, keyPrivBlob);
 
401
        newPrivKeyLen = offset;
 
402
 
 
403
        /* encrypt the private key blob */
 
404
        if ((result = Trspi_RSA_Encrypt(newPrivKey, newPrivKeyLen, encPrivKey,
 
405
                                        &encPrivKeyLen, wrappingPubKey,
 
406
                                        wrappingPubKeyLen)))
 
407
                goto done;
 
408
 
 
409
        /* set the new encrypted private key in the wrapped key object */
 
410
        if ((result = obj_rsakey_set_privkey(hKey, FALSE, encPrivKeyLen, encPrivKey)))
 
411
                goto done;
 
412
 
 
413
done:
 
414
        free_tspi(tspContext, keyPrivBlob);
 
415
        free_tspi(tspContext, keyBlob);
 
416
        free_tspi(tspContext, wrappingPubKey);
 
417
        return result;
 
418
}
 
419
 
 
420
TSS_RESULT
 
421
Tspi_Context_LoadKeyByBlob(TSS_HCONTEXT tspContext,     /* in */
 
422
                           TSS_HKEY hUnwrappingKey,     /* in */
 
423
                           UINT32 ulBlobLength,         /* in */
 
424
                           BYTE * rgbBlobData,          /* in */
 
425
                           TSS_HKEY * phKey)            /* out */
 
426
{
 
427
        TPM_AUTH auth;
 
428
        UINT64 offset;
 
429
        TCPA_DIGEST digest;
 
430
        TSS_RESULT result;
 
431
        UINT32 keyslot;
 
432
        TSS_HPOLICY hPolicy;
 
433
        TCS_KEY_HANDLE tcsParentHandle, myTCSKeyHandle;
 
434
        TSS_KEY keyContainer;
 
435
        TSS_BOOL useAuth;
 
436
        TPM_AUTH *pAuth;
 
437
        TSS_FLAG initFlags;
 
438
        UINT16 realKeyBlobSize;
 
439
        TCPA_KEY_USAGE keyUsage;
 
440
        UINT32 pubLen;
 
441
        Trspi_HashCtx hashCtx;
 
442
        TPM_COMMAND_CODE ordinal;
 
443
 
 
444
        if (phKey == NULL || rgbBlobData == NULL )
 
445
                return TSPERR(TSS_E_BAD_PARAMETER);
 
446
 
 
447
        if (!obj_is_rsakey(hUnwrappingKey))
 
448
                return TSPERR(TSS_E_INVALID_HANDLE);
 
449
 
 
450
        if ((result = obj_context_get_loadkey_ordinal(tspContext, &ordinal)))
 
451
                return result;
 
452
 
 
453
        if ((result = obj_rsakey_get_tcs_handle(hUnwrappingKey, &tcsParentHandle)))
 
454
                return result;
 
455
 
 
456
        offset = 0;
 
457
        if ((result = UnloadBlob_TSS_KEY(&offset, rgbBlobData, &keyContainer)))
 
458
                return result;
 
459
        realKeyBlobSize = offset;
 
460
        pubLen = keyContainer.pubKey.keyLength;
 
461
        keyUsage = keyContainer.keyUsage;
 
462
        /* free these now, since they're not used below */
 
463
        free_key_refs(&keyContainer);
 
464
 
 
465
        if ((result = obj_rsakey_get_policy(hUnwrappingKey, TSS_POLICY_USAGE, &hPolicy, &useAuth)))
 
466
                return result;
 
467
 
 
468
        if (useAuth) {
 
469
                /* Create the Authorization */
 
470
                result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
471
                result |= Trspi_Hash_UINT32(&hashCtx, ordinal);
 
472
                result |= Trspi_HashUpdate(&hashCtx, ulBlobLength, rgbBlobData);
 
473
                if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
474
                        return result;
 
475
 
 
476
                if ((result = secret_PerformAuth_OIAP(hUnwrappingKey, ordinal, hPolicy, FALSE,
 
477
                                                      &digest, &auth)))
 
478
                        return result;
 
479
 
 
480
                pAuth = &auth;
 
481
        } else {
 
482
                pAuth = NULL;
 
483
        }
 
484
 
 
485
        if ((result = TCS_API(tspContext)->LoadKeyByBlob(tspContext, tcsParentHandle, ulBlobLength,
 
486
                                                         rgbBlobData, pAuth, &myTCSKeyHandle,
 
487
                                                         &keyslot)))
 
488
                return result;
 
489
 
 
490
        if (useAuth) {
 
491
                /* ---  Validate return auth */
 
492
                result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
493
                result |= Trspi_Hash_UINT32(&hashCtx, result);
 
494
                result |= Trspi_Hash_UINT32(&hashCtx, ordinal);
 
495
                if (ordinal == TPM_ORD_LoadKey)
 
496
                        result |= Trspi_Hash_UINT32(&hashCtx, keyslot);
 
497
                if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
498
                        return result;
 
499
 
 
500
                if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
 
501
                        return result;
 
502
        }
 
503
 
 
504
        /* ---  Create a new Object */
 
505
        initFlags = 0;
 
506
        if (pubLen == 0x100)
 
507
                initFlags |= TSS_KEY_SIZE_2048;
 
508
        else if (pubLen == 0x80)
 
509
                initFlags |= TSS_KEY_SIZE_1024;
 
510
        else if (pubLen == 0x40)
 
511
                initFlags |= TSS_KEY_SIZE_512;
 
512
 
 
513
        /* clear the key type field */
 
514
        initFlags &= ~TSS_KEY_TYPE_MASK;
 
515
 
 
516
        if (keyUsage == TPM_KEY_STORAGE)
 
517
                initFlags |= TSS_KEY_TYPE_STORAGE;
 
518
        else
 
519
                initFlags |= TSS_KEY_TYPE_SIGNING;      /* loading the blob
 
520
                                                           will fix this
 
521
                                                           back to what it
 
522
                                                           should be. */
 
523
 
 
524
        if ((result = obj_rsakey_add(tspContext, initFlags, phKey))) {
 
525
                LogDebug("Failed create object");
 
526
                return TSPERR(TSS_E_INTERNAL_ERROR);
 
527
        }
 
528
 
 
529
        if ((result = obj_rsakey_set_tcpakey(*phKey,realKeyBlobSize, rgbBlobData))) {
 
530
                LogDebug("Key loaded but failed to setup the key object"
 
531
                          "correctly");
 
532
                return TSPERR(TSS_E_INTERNAL_ERROR);
 
533
        }
 
534
 
 
535
        return obj_rsakey_set_tcs_handle(*phKey, myTCSKeyHandle);
 
536
}
 
537
 
 
538
TSS_RESULT
 
539
Tspi_TPM_OwnerGetSRKPubKey(TSS_HTPM hTPM,               /* in */
 
540
                           UINT32 * pulPuKeyLength,     /* out */
 
541
                           BYTE ** prgbPubKey)          /* out */
 
542
{
 
543
        TSS_RESULT result;
 
544
        TSS_HPOLICY hPolicy;
 
545
        TSS_HCONTEXT tspContext;
 
546
        TCS_KEY_HANDLE hKey;
 
547
        TPM_AUTH auth;
 
548
        Trspi_HashCtx hashCtx;
 
549
        TCPA_DIGEST digest;
 
550
 
 
551
        if (pulPuKeyLength == NULL || prgbPubKey == NULL)
 
552
                return TSPERR(TSS_E_BAD_PARAMETER);
 
553
 
 
554
        if ((result = obj_tpm_get_tsp_context(hTPM, &tspContext)))
 
555
                return result;
 
556
 
 
557
        hKey = TPM_KEYHND_SRK;
 
558
 
 
559
        if ((result = obj_tpm_get_policy(hTPM, TSS_POLICY_USAGE, &hPolicy)))
 
560
                return result;
 
561
 
 
562
        result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
563
        result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_OwnerReadInternalPub);
 
564
        result |= Trspi_Hash_UINT32(&hashCtx, hKey);
 
565
        if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
566
                return result;
 
567
 
 
568
        if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_OwnerReadInternalPub,
 
569
                                              hPolicy, FALSE, &digest, &auth)))
 
570
                return result;
 
571
 
 
572
        if ((result = TCS_API(tspContext)->OwnerReadInternalPub(tspContext, hKey, &auth,
 
573
                                                                pulPuKeyLength, prgbPubKey)))
 
574
                return result;
 
575
 
 
576
        /* Validate return auth */
 
577
        result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
578
        result |= Trspi_Hash_UINT32(&hashCtx, TSS_SUCCESS);
 
579
        result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_OwnerReadInternalPub);
 
580
        result |= Trspi_HashUpdate(&hashCtx, *pulPuKeyLength, *prgbPubKey);
 
581
        if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
582
                goto error;
 
583
 
 
584
        if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth)))
 
585
                goto error;
 
586
 
 
587
        /* Call a special SRK-seeking command to transparently add the public data to the object */
 
588
        if ((result = obj_rsakey_set_srk_pubkey(*prgbPubKey))) {
 
589
                LogError("Error setting SRK public data, SRK key object may not exist");
 
590
        }
 
591
 
 
592
        if ((result = add_mem_entry(tspContext, *prgbPubKey)))
 
593
                goto error;
 
594
 
 
595
        return result;
 
596
 
 
597
error:
 
598
        free(*prgbPubKey);
 
599
        pulPuKeyLength = 0;
 
600
        return result;
 
601
}
 
602
 
 
603
/* TSS 1.2-only interfaces */
 
604
#ifdef TSS_BUILD_TSS12
 
605
TSS_RESULT
 
606
Tspi_TPM_KeyControlOwner(TSS_HTPM hTPM,         /* in */
 
607
                         TSS_HKEY hTssKey,      /* in */
 
608
                         UINT32 attribName,     /* in */
 
609
                         TSS_BOOL attribValue,  /* in */
 
610
                         TSS_UUID* pUuidData)   /* out */
 
611
{
 
612
        TSS_RESULT result;
 
613
        TSS_HPOLICY hPolicy;
 
614
        TSS_HCONTEXT tspContext;
 
615
        TCS_KEY_HANDLE hTcsKey;
 
616
        BYTE *pubKey = NULL;
 
617
        UINT32 pubKeyLen;
 
618
        TPM_KEY_CONTROL tpmAttribName;
 
619
        Trspi_HashCtx hashCtx;
 
620
        TCPA_DIGEST digest;
 
621
        TPM_AUTH ownerAuth;
 
622
 
 
623
        LogDebugFn("Enter");
 
624
 
 
625
        /* Check valid TPM context, get TSP context */
 
626
        if ((result = obj_tpm_get_tsp_context(hTPM, &tspContext)))
 
627
                return result;
 
628
 
 
629
        /* Get Tcs KeyHandle */
 
630
        if ((result = obj_rsakey_get_tcs_handle(hTssKey, &hTcsKey)))
 
631
                return result;
 
632
 
 
633
        /* Validate/convert attribName */
 
634
        switch (attribName) {
 
635
                case TSS_TSPATTRIB_KEYCONTROL_OWNEREVICT:
 
636
                        tpmAttribName = TPM_KEY_CONTROL_OWNER_EVICT;
 
637
                        break;
 
638
                default:
 
639
                        return TSPERR(TSS_E_BAD_PARAMETER);
 
640
        }
 
641
 
 
642
        /* Begin Auth - get TPM Policy Handler */
 
643
        if ((result = obj_tpm_get_policy(hTPM, TSS_POLICY_USAGE, &hPolicy)))
 
644
                return result;
 
645
 
 
646
        /* Get associated pubKey */
 
647
        if ((result = obj_rsakey_get_pub_blob(hTssKey, &pubKeyLen, &pubKey)))
 
648
                return result;
 
649
 
 
650
        /* Create hash digest */
 
651
        result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
652
        result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_KeyControlOwner);
 
653
        LogDebugData(pubKeyLen, pubKey);
 
654
        result |= Trspi_HashUpdate(&hashCtx, pubKeyLen, pubKey);
 
655
        result |= Trspi_Hash_UINT32(&hashCtx, tpmAttribName);
 
656
        result |= Trspi_Hash_BOOL(&hashCtx, attribValue);
 
657
        if ((result |= Trspi_HashFinal(&hashCtx, digest.digest))) {
 
658
                free_tspi(tspContext, pubKey);
 
659
                return result;
 
660
        }
 
661
 
 
662
        if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_KeyControlOwner, hPolicy, FALSE,
 
663
                                              &digest, &ownerAuth))) {
 
664
                free_tspi(tspContext, pubKey);
 
665
                return result;
 
666
        }
 
667
 
 
668
        if ((result = RPC_KeyControlOwner(tspContext, hTcsKey, pubKeyLen, pubKey, tpmAttribName,
 
669
                                          attribValue, &ownerAuth, pUuidData))) {
 
670
                free_tspi(tspContext, pubKey);
 
671
                return result;
 
672
        }
 
673
 
 
674
        /* Validate return auth */
 
675
        result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
 
676
        result |= Trspi_Hash_UINT32(&hashCtx, TSS_SUCCESS);
 
677
        result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_KeyControlOwner);
 
678
        if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
 
679
                return result;
 
680
 
 
681
        if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &ownerAuth)))
 
682
                return result;
 
683
 
 
684
        /* change hKey internal flag, according to attrib[Name|Value] */
 
685
        switch (attribName) {
 
686
                case TSS_TSPATTRIB_KEYCONTROL_OWNEREVICT:
 
687
                        result = obj_rsakey_set_ownerevict(hTssKey, attribValue);
 
688
                        break;
 
689
                default:
 
690
                        /* NOT-REACHED */
 
691
                        result = TSPERR(TSS_E_BAD_PARAMETER);
 
692
        }
 
693
 
 
694
        return result;
 
695
}
 
696
#endif