So I managed to get a program setup to seal data properly (mostly by
following the examples in the trusted guide to secure computing, but with a
bit of fiddling best off of the test-suite)
So I've gotten to the point where Tspi_seal_data returned success. and used
getattribData to get the blob out and save it somewhere. But was having
problems with unsealing the data later, since I wasnt sure if the problem
was with how I was reading/writing the blob, or with my use of unseal, I
moved unseal into the seal function so it should litterally just seal the
data, then immediatly unseal it. however doing so returns an error-code, so
it appears the problem is with my use of unseal. unseal itself is returning
code 1, which I couldn't find an explanation for anywhere. And seems to
give an empty buffer. I'll put a code extract in below. Please ignore that
main doesnt clear any of this up, it does lower down in the function, but I
only wanted the snippet to have up to where the problem was occuring.
Thanks for the help.
Im running this on a TPM emulator and the trace of it seems to indicate
that unseal was succesfull as far as the tpm is concerend.
test.h
#include <tss/tspi.h>
TSS_RESULT result;
TSS_HCONTEXT hContext;
TSS_HTPM hTPM;
TSS_HKEY kHandle;
BYTE wks[20] = TSS_WELL_KNOWN_SECRET;
int createKey();
int SealData(TSS_HKEY hKey, TSS_HPCRS hPcrs, UINT32 in_size, BYTE *in,
UINT32 *out_size, BYTE *out);
int unsealData(TSS_HKEY hKey, UINT32 in_size, BYTE *in, UINT32 *out_size,
BYTE *out);
_________________________________________________________________________
test.c
#include "test.h"
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tss/platform.h>
#include <tss/tss_structs.h>
#include <tss/tss_typedef.h>
#include <unistd.h>
int main() {
TSS_HPCRS pcrs;
UINT32 pcrsToUse[8] = {0, 1, 2, 3, 4, 5, 6, 7};
UINT32 numOfPcrs = 8, inSize = 0, outSize = 0;
createKey();
CreatePcrs(numOfPcrs, pcrsToUse, &pcrs);
// read keyfile
FILE *fin, *fout;
BYTE inBuffer[400] = {0}, outBuffer[400] = {0};
fin = fopen("/home/bham/Desktop/keyfile", "rb");
fseek(fin, 0, SEEK_END);
inSize = ftell(fin);
outSize = inSize + 103;
fseek(fin, 0, SEEK_SET);
fread(inBuffer, inSize, 1, fin);
fclose(fin);
// seal data
SealData(kHandle, pcrs, inSize, inBuffer, &outSize, outBuffer);
}
int createKey() {
TSS_FLAG initFlags;
TSS_HKEY hSRK = 0;
TSS_HKEY hKey;
TSS_UUID key_uuid = {9};
TSS_UUID SRK_UUID = TSS_UUID_SRK;
TSS_HPOLICY hOwnerPolicy;
Tspi_Context_Create(&hContext);
Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_VERSION_MODE, 0,
TSS_TSPATTRIB_CONTEXT_VERSION_V1_2);
Tspi_Context_Connect(hContext, NULL);
// set self to owner
Tspi_Context_GetTpmObject(hContext, &hTPM);
Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hOwnerPolicy);
Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 0, "");
Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSRK);
// set SRK secret to well known secret
Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hOwnerPolicy);
Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 20, wks);
initFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 |
TSS_KEY_NOT_MIGRATABLE;
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, initFlags,
&hKey);
/* Create the key, not bound to any PCRs. That can be done on* a blob by
blob
* basis */
Tspi_Key_CreateKey(hKey, hSRK, 0);
result = Tspi_Context_UnregisterKey(hContext, TSS_PS_TYPE_SYSTEM,
key_uuid,
&kHandle);
result = Tspi_Context_RegisterKey(hContext, hKey, TSS_PS_TYPE_SYSTEM,
key_uuid, TSS_PS_TYPE_SYSTEM, SRK_UUID);
result = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM,
key_uuid,
&kHandle);
return 0;
}
int SealData(TSS_HKEY hKey, TSS_HPCRS hPcrs, UINT32 in_size, BYTE *in,
UINT32 *out_size, BYTE *out) {
TSS_HENCDATA hEncData;
UINT32 keySize, tmp_out_size;
BYTE *tmp_out;
/* Create the encrypted data object in the TSP */
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA,
TSS_ENCDATA_SEAL,
&hEncData);
Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_SIZE,
&keySize);
printf("%u is key size\n", keySize);
/* Make sure the data is small enough to be bound by this*
key,taking into account the OAEP padding size (38) and* the
size of the TPM_SEALED_DATA structure (65) */
if (in_size > 153) {
printf("Data to be encrypted is too big !\n");
return -1;
}
printf("%u bytes to seal\n", in_size);
printf("%s to seal\n", in);
printf("%u outputsize\n", *out_size);
result = Tspi_Data_Seal(hEncData, hKey, in_size, in, hPcrs);
// This is the test unseal Im using directly afterwoods, wont be here in
finished program.
BYTE *outputholder;
result = Tspi_Data_Unseal(hEncData, hKey, &in_size, &outputholder);
FILE *fout;
fout = fopen("/home/bham/Desktop/Temp Work/testout", "wb");
write(fileno(fout), outputholder, *out_size);
fclose(fout);
/* Now hEncData contains an encrypted blob, let’s extract * it */
Tspi_GetAttribData(hEncData, TSS_TSPATTRIB_ENCDATA_BLOB,
TSS_TSPATTRIB_ENCDATABLOB_BLOB, &tmp_out_size,
&tmp_out);
printf("output of get data: %u\n",result);
printf("result = %i\n", result);
printf("%u = tmp_out_size\n", tmp_out_size);
printf("%s = tmp_out\n", tmp_out);
memcpy(out, tmp_out, tmp_out_size);
*out_size = tmp_out_size;
printf("out is :%s\n", out);
/* Free the blob returned by the TSP */
// Tspi_Context_FreeMemory(hContext, tmp_out);
/* Close the encrypted data object, it will no longer * be used */
// Tspi_Context_CloseObject(hContext, hEncData);
return 0;
}
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
