hi,
could somone please help me with this? I've been trying to get this working
since late december and havn't been able to. I've successfully sealed the
data to the TPM using tspi_data_seal, but tspi_data_unseal if failing.
in debugging the I've found that it fails at authsess_xsap_verify, and it
seems to be something to do with the authorization session, I havn't been
able to figure out any more detail than that.
I've included my code below, if anyone can see what Im missing in terms of
authorization before the call to tspi_data_unseal it really would be
greatly appreciated. Im not sure where else to ask about this. And looking
at the examples of how its used in tpm_tools and in other places (guide to
trusted computing etc.) have got me this far but no further.
#include "test.h"
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tss/platform.h>
#include <tss/tss_structs.h>
#include <tss/tss_typedef.h>
#include <unistd.h>
int main() {
TSS_HPCRS pcrs;
UINT32 pcrsToUse[8] = {0, 1, 2, 3, 4, 5, 6, 7};
UINT32 numOfPcrs = 8;
createKey();
CreatePcrs(numOfPcrs, pcrsToUse, &pcrs);
BYTE outBuffer[400] = {0};
BYTE *inBuffer = readFile();
SealData(kHandle, pcrs, inSize, inBuffer, &outSize, outBuffer);
printf("sealed out %u\n", outSize);
// unsealData(kHandle, inSize, inBuffer, &outSize, outBuffer);
// Tspi_Context_FreeMemory(hContext, NULL);
Tspi_Context_Close(hContext);
free(inBuffer);
printf("result = %u\n", result);
return 0;
}
BYTE *readFile() {
BYTE *inBuffer;
FILE *fin, *fout;
fin = fopen("/home/bham/Desktop/keyfile", "rb");
fseek(fin, 0, SEEK_END);
inSize = ftell(fin);
if (inSize < 400) {
inBuffer = malloc(inSize);
} else {
return NULL;
}
outSize = inSize + 103;
fseek(fin, 0, SEEK_SET);
fread(inBuffer, inSize, 1, fin);
fclose(fin);
return inBuffer;
}
TSS_HKEY initialSetup(TSS_UUID SRK_UUID) {
TSS_HPOLICY hOwnerPolicy;
TSS_HKEY hSRK;
Tspi_Context_Create(&hContext);
Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_VERSION_MODE, 0,
TSS_TSPATTRIB_CONTEXT_VERSION_V1_2);
Tspi_Context_Connect(hContext, NULL);
// set self to owner
Tspi_Context_GetTpmObject(hContext, &hTPM);
Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hOwnerPolicy);
Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 4, "bham");
Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSRK);
// set SRK secret to well known secret
Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hOwnerPolicy);
Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 20, wks);
return hSRK;
}
TSS_HKEY newKey(TSS_UUID key_uuid, TSS_UUID SRK_UUID, TSS_HKEY hSRK,
TSS_HKEY hKey) {
TSS_HPOLICY policy;
// set a secret on the key, this will be used as setting a password once
the
// seal/unseal is working
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE,
&policy);
Tspi_Policy_SetSecret(policy, TSS_SECRET_MODE_PLAIN, 4, "bham");
Tspi_Policy_AssignToObject(policy, hKey);
// create the key and register it to storage
result = Tspi_Key_CreateKey(hKey, hSRK, 0);
result = Tspi_Context_RegisterKey(hContext, hKey, TSS_PS_TYPE_SYSTEM,
key_uuid, TSS_PS_TYPE_SYSTEM, SRK_UUID);
result = Tspi_Key_LoadKey(hKey, hSRK);
return hKey;
}
int createKey() {
TSS_FLAG initFlags;
TSS_HKEY hSRK, hKey;
TSS_UUID key_uuid = {7}, SRK_UUID = TSS_UUID_SRK;
hSRK = initialSetup(SRK_UUID);
initFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 |
TSS_KEY_NOT_MIGRATABLE;
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, initFlags,
&hKey);
// check that a key has been created, otherwise make one.
if (!(TSS_SUCCESS == Tspi_Context_GetKeyByUUID(hContext,
TSS_PS_TYPE_SYSTEM,
key_uuid, &kHandle))) {
kHandle = newKey(key_uuid, SRK_UUID, hSRK, hKey);
printf("key created result = %u\n", result);
} else {
result = Tspi_Key_LoadKey(kHandle, hSRK);
}
printf("key premade result = %u\n", result);
return 0;
}
int SealData(TSS_HKEY hKey, TSS_HPCRS hPcrs, UINT32 in_size, BYTE *in,
UINT32 *out_size, BYTE *out) {
TSS_HENCDATA hEncData;
UINT32 keySize, tmp_out_size;
BYTE *tmp_out;
/* Create the encrypted data object in the TSP */
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA,
TSS_ENCDATA_SEAL,
&hEncData);
Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_SIZE,
&keySize);
TSS_HPOLICY policy;
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE,
&policy);
Tspi_Policy_SetSecret(policy, TSS_SECRET_MODE_PLAIN, 4, "bham");
/* Make sure the data is small enough to be bound by this*
key,taking into account the OAEP padding size (38) and* the
size of the TPM_SEALED_DATA structure (65) */
if (in_size > 153) {
printf("Data to be encrypted is too big !\n");
return -1;
}
result = Tspi_Data_Seal(hEncData, hKey, in_size, in, hPcrs);
printf("result of seal = %u\n", result);
// This is the test unseal I'm using directly afterwoods, wont be here in
// finished program.
BYTE *outputholder;
printf("result of policy =%u\n", result);
result = Tspi_Data_Unseal(hEncData, hKey, &in_size, &outputholder);
printf("result of unseal: %u\n", result);
FILE *fout;
fout = fopen("/home/bham/Desktop/Temp Work/testout", "wb");
write(fileno(fout), outputholder, *out_size);
fclose(fout);
/* Now hEncData contains an encrypted blob, let’s extract * it
NORMAL CODE RESUMES HERE*/
Tspi_GetAttribData(hEncData, TSS_TSPATTRIB_ENCDATA_BLOB,
TSS_TSPATTRIB_ENCDATABLOB_BLOB, &tmp_out_size,
&tmp_out);
printf("output of get data: %u\n", result);
printf("result = %i\n", result);
printf("%u = tmp_out_size\n", tmp_out_size);
printf("%s = tmp_out\n", tmp_out);
memcpy(out, tmp_out, tmp_out_size);
*out_size = tmp_out_size;
printf("out is :%s\n", out);
/* Free the blob returned by the TSP */
Tspi_Context_FreeMemory(hContext, tmp_out);
/* Close the encrypted data object, it will no longer * be used */
Tspi_Context_CloseObject(hContext, hEncData);
return 0;
}
int CreatePcrs(UINT32 num_pcrs, UINT32 *pcrs, TSS_HPCRS *hPcrs) {
UINT32 numPcrs, subCap, i;
UINT32 ulPcrValueLength;
BYTE *rgbPcrValue, *rgbNumPcrs;
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS, 0, hPcrs);
// Retrieve number of PCRs from the TPM
subCap = TSS_TPMCAP_PROP_PCR;
Tspi_TPM_GetCapability(hTPM, TSS_TPMCAP_PROPERTY, sizeof(UINT32),
(BYTE *)&subCap, &ulPcrValueLength, &rgbNumPcrs);
numPcrs = *(UINT32 *)rgbNumPcrs;
Tspi_Context_FreeMemory(hContext, rgbNumPcrs);
for (i = 0; i < num_pcrs; i++) {
if (pcrs[i] >= numPcrs) {
printf("PCR value %u is too big !\n", pcrs[i]);
Tspi_Context_CloseObject(hContext, *hPcrs);
return -1;
}
Tspi_TPM_PcrRead(hTPM, pcrs[i], &ulPcrValueLength, &rgbPcrValue);
Tspi_PcrComposite_SetPcrValue(*hPcrs, pcrs[i], ulPcrValueLength,
rgbPcrValue);
Tspi_Context_FreeMemory(hContext, rgbPcrValue);
}
return 0;
}
and yes Im aware of flaws in here like fixed and rubbish passwords, this is
all just simple test stuff while I get it working.
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
