After some further debugging, without much to show for it, I've found that I had an issue where the tpm emulator was complaining about Tspi_LoadKeyByUUID, which appears to have been due to the key requiring authorisation, as such, GetKeyByUUID and LoadKey has to be used instead, while this has silenced the only error the tpm emulators is giving me, it still leads to tspi_data_unseal producing the return code 1. Making the matter more confusing is that, despite the key apparently not loading properly, tspi_data_seal was and is still working fine. Any support here would be greatly appreciated. Thanks again, Sam Jenkins
On Fri, 24 Jan 2020 at 08:12, Sam Jenkins <[email protected]> wrote: > So I managed to get a program setup to seal data properly (mostly by > following the examples in the trusted guide to secure computing, but with a > bit of fiddling best off of the test-suite) > > So I've gotten to the point where Tspi_seal_data returned success. and > used getattribData to get the blob out and save it somewhere. But was > having problems with unsealing the data later, since I wasnt sure if the > problem was with how I was reading/writing the blob, or with my use of > unseal, I moved unseal into the seal function so it should litterally just > seal the data, then immediatly unseal it. however doing so returns an > error-code, so it appears the problem is with my use of unseal. unseal > itself is returning code 1, which I couldn't find an explanation for > anywhere. And seems to give an empty buffer. I'll put a code extract in > below. Please ignore that main doesnt clear any of this up, it does lower > down in the function, but I only wanted the snippet to have up to where the > problem was occuring. > > Thanks for the help. > Im running this on a TPM emulator and the trace of it seems to indicate > that unseal was succesfull as far as the tpm is concerend. > > test.h > > > #include <tss/tspi.h> > > TSS_RESULT result; > TSS_HCONTEXT hContext; > TSS_HTPM hTPM; > TSS_HKEY kHandle; > BYTE wks[20] = TSS_WELL_KNOWN_SECRET; > > int createKey(); > > int SealData(TSS_HKEY hKey, TSS_HPCRS hPcrs, UINT32 in_size, BYTE *in, > UINT32 *out_size, BYTE *out); > > int unsealData(TSS_HKEY hKey, UINT32 in_size, BYTE *in, UINT32 *out_size, > BYTE *out); > > _________________________________________________________________________ > test.c > > #include "test.h" > #include <stddef.h> > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <tss/platform.h> > #include <tss/tss_structs.h> > #include <tss/tss_typedef.h> > #include <unistd.h> > > int main() { > TSS_HPCRS pcrs; > UINT32 pcrsToUse[8] = {0, 1, 2, 3, 4, 5, 6, 7}; > UINT32 numOfPcrs = 8, inSize = 0, outSize = 0; > createKey(); > CreatePcrs(numOfPcrs, pcrsToUse, &pcrs); > > // read keyfile > FILE *fin, *fout; > BYTE inBuffer[400] = {0}, outBuffer[400] = {0}; > fin = fopen("/home/bham/Desktop/keyfile", "rb"); > fseek(fin, 0, SEEK_END); > inSize = ftell(fin); > outSize = inSize + 103; > > fseek(fin, 0, SEEK_SET); > fread(inBuffer, inSize, 1, fin); > fclose(fin); > // seal data > SealData(kHandle, pcrs, inSize, inBuffer, &outSize, outBuffer); > > } > > int createKey() { > > TSS_FLAG initFlags; > TSS_HKEY hSRK = 0; > TSS_HKEY hKey; > TSS_UUID key_uuid = {9}; > TSS_UUID SRK_UUID = TSS_UUID_SRK; > TSS_HPOLICY hOwnerPolicy; > Tspi_Context_Create(&hContext); > Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_VERSION_MODE, 0, > TSS_TSPATTRIB_CONTEXT_VERSION_V1_2); > Tspi_Context_Connect(hContext, NULL); > // set self to owner > Tspi_Context_GetTpmObject(hContext, &hTPM); > Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hOwnerPolicy); > Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 0, ""); > > Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, > &hSRK); > // set SRK secret to well known secret > Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hOwnerPolicy); > Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 20, wks); > > initFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 | > TSS_KEY_NOT_MIGRATABLE; > Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, initFlags, > &hKey); > /* Create the key, not bound to any PCRs. That can be done on* a blob by > blob > * basis */ > Tspi_Key_CreateKey(hKey, hSRK, 0); > result = Tspi_Context_UnregisterKey(hContext, TSS_PS_TYPE_SYSTEM, > key_uuid, > &kHandle); > result = Tspi_Context_RegisterKey(hContext, hKey, TSS_PS_TYPE_SYSTEM, > key_uuid, TSS_PS_TYPE_SYSTEM, > SRK_UUID); > result = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, > key_uuid, > &kHandle); > return 0; > } > > > int SealData(TSS_HKEY hKey, TSS_HPCRS hPcrs, UINT32 in_size, BYTE *in, > UINT32 *out_size, BYTE *out) { > TSS_HENCDATA hEncData; > UINT32 keySize, tmp_out_size; > BYTE *tmp_out; > /* Create the encrypted data object in the TSP */ > Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA, > TSS_ENCDATA_SEAL, > &hEncData); > Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO, > TSS_TSPATTRIB_KEYINFO_SIZE, > &keySize); > printf("%u is key size\n", keySize); > /* Make sure the data is small enough to be bound by this* > key,taking into account the OAEP padding size (38) and* the > size of the TPM_SEALED_DATA structure (65) */ > if (in_size > 153) { > printf("Data to be encrypted is too big !\n"); > return -1; > } > printf("%u bytes to seal\n", in_size); > printf("%s to seal\n", in); > printf("%u outputsize\n", *out_size); > result = Tspi_Data_Seal(hEncData, hKey, in_size, in, hPcrs); > > // This is the test unseal Im using directly afterwoods, wont be here in > finished program. > BYTE *outputholder; > result = Tspi_Data_Unseal(hEncData, hKey, &in_size, &outputholder); > FILE *fout; > fout = fopen("/home/bham/Desktop/Temp Work/testout", "wb"); > > write(fileno(fout), outputholder, *out_size); > fclose(fout); > > /* Now hEncData contains an encrypted blob, let’s extract * it */ > Tspi_GetAttribData(hEncData, TSS_TSPATTRIB_ENCDATA_BLOB, > TSS_TSPATTRIB_ENCDATABLOB_BLOB, > &tmp_out_size, > &tmp_out); > printf("output of get data: %u\n",result); > > > > printf("result = %i\n", result); > printf("%u = tmp_out_size\n", tmp_out_size); > printf("%s = tmp_out\n", tmp_out); > > memcpy(out, tmp_out, tmp_out_size); > *out_size = tmp_out_size; > > printf("out is :%s\n", out); > /* Free the blob returned by the TSP */ > // Tspi_Context_FreeMemory(hContext, tmp_out); > /* Close the encrypted data object, it will no longer * be used */ > // Tspi_Context_CloseObject(hContext, hEncData); > return 0; > } > -- hello
_______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
