My understanding from earlier similar questions is that to seal/unseal data using tspi_data_seal/unseal I need to have ownership of the TPM, a key wrapped by the root storage key, and an ENCDATA object with the same secret as the key, but my program is still failing on authsess_xsap_verify within the unseal algorithm after having successfully sealed the data. I am not however getting the Auth failed error code, just error code 1.
On Tue, 25 Feb 2020 at 20:20, Sam Jenkins <[email protected]> wrote: > Just to clarify, Im aware that the problem appears to be to do with an > OSAP session not being properly setup, so what do I need to do for it to be > setup properly? > > On Tue, 25 Feb 2020 at 20:12, Sam Jenkins <[email protected]> > wrote: > >> hi, >> could somone please help me with this? I've been trying to get this >> working since late december and havn't been able to. I've successfully >> sealed the data to the TPM using tspi_data_seal, but tspi_data_unseal if >> failing. >> >> in debugging the I've found that it fails at authsess_xsap_verify, and it >> seems to be something to do with the authorization session, I havn't been >> able to figure out any more detail than that. >> >> I've included my code below, if anyone can see what Im missing in terms >> of authorization before the call to tspi_data_unseal it really would be >> greatly appreciated. Im not sure where else to ask about this. And looking >> at the examples of how its used in tpm_tools and in other places (guide to >> trusted computing etc.) have got me this far but no further. >> >> #include "test.h" >> #include <stddef.h> >> #include <stdio.h> >> #include <stdlib.h> >> #include <string.h> >> #include <tss/platform.h> >> #include <tss/tss_structs.h> >> #include <tss/tss_typedef.h> >> #include <unistd.h> >> >> int main() { >> TSS_HPCRS pcrs; >> UINT32 pcrsToUse[8] = {0, 1, 2, 3, 4, 5, 6, 7}; >> UINT32 numOfPcrs = 8; >> createKey(); >> CreatePcrs(numOfPcrs, pcrsToUse, &pcrs); >> >> BYTE outBuffer[400] = {0}; >> BYTE *inBuffer = readFile(); >> >> SealData(kHandle, pcrs, inSize, inBuffer, &outSize, outBuffer); >> printf("sealed out %u\n", outSize); >> // unsealData(kHandle, inSize, inBuffer, &outSize, outBuffer); >> >> // Tspi_Context_FreeMemory(hContext, NULL); >> Tspi_Context_Close(hContext); >> free(inBuffer); >> printf("result = %u\n", result); >> return 0; >> } >> >> BYTE *readFile() { >> BYTE *inBuffer; >> >> FILE *fin, *fout; >> fin = fopen("/home/bham/Desktop/keyfile", "rb"); >> fseek(fin, 0, SEEK_END); >> inSize = ftell(fin); >> if (inSize < 400) { >> inBuffer = malloc(inSize); >> } else { >> return NULL; >> } >> outSize = inSize + 103; >> fseek(fin, 0, SEEK_SET); >> fread(inBuffer, inSize, 1, fin); >> fclose(fin); >> return inBuffer; >> } >> >> TSS_HKEY initialSetup(TSS_UUID SRK_UUID) { >> TSS_HPOLICY hOwnerPolicy; >> >> TSS_HKEY hSRK; >> Tspi_Context_Create(&hContext); >> Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_VERSION_MODE, 0, >> TSS_TSPATTRIB_CONTEXT_VERSION_V1_2); >> Tspi_Context_Connect(hContext, NULL); >> // set self to owner >> Tspi_Context_GetTpmObject(hContext, &hTPM); >> Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hOwnerPolicy); >> Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 4, "bham"); >> >> Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, >> &hSRK); >> // set SRK secret to well known secret >> Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hOwnerPolicy); >> Tspi_Policy_SetSecret(hOwnerPolicy, TSS_SECRET_MODE_SHA1, 20, wks); >> return hSRK; >> } >> >> TSS_HKEY newKey(TSS_UUID key_uuid, TSS_UUID SRK_UUID, TSS_HKEY hSRK, >> TSS_HKEY hKey) { >> TSS_HPOLICY policy; >> // set a secret on the key, this will be used as setting a password >> once the >> // seal/unseal is working >> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY, >> TSS_POLICY_USAGE, >> &policy); >> Tspi_Policy_SetSecret(policy, TSS_SECRET_MODE_PLAIN, 4, "bham"); >> Tspi_Policy_AssignToObject(policy, hKey); >> >> // create the key and register it to storage >> result = Tspi_Key_CreateKey(hKey, hSRK, 0); >> result = Tspi_Context_RegisterKey(hContext, hKey, TSS_PS_TYPE_SYSTEM, >> key_uuid, TSS_PS_TYPE_SYSTEM, >> SRK_UUID); >> >> result = Tspi_Key_LoadKey(hKey, hSRK); >> return hKey; >> } >> >> int createKey() { >> TSS_FLAG initFlags; >> TSS_HKEY hSRK, hKey; >> TSS_UUID key_uuid = {7}, SRK_UUID = TSS_UUID_SRK; >> >> hSRK = initialSetup(SRK_UUID); >> >> initFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 | >> TSS_KEY_NOT_MIGRATABLE; >> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, initFlags, >> &hKey); >> >> // check that a key has been created, otherwise make one. >> if (!(TSS_SUCCESS == Tspi_Context_GetKeyByUUID(hContext, >> TSS_PS_TYPE_SYSTEM, >> key_uuid, &kHandle))) { >> kHandle = newKey(key_uuid, SRK_UUID, hSRK, hKey); >> printf("key created result = %u\n", result); >> } else { >> result = Tspi_Key_LoadKey(kHandle, hSRK); >> } >> printf("key premade result = %u\n", result); >> return 0; >> } >> >> int SealData(TSS_HKEY hKey, TSS_HPCRS hPcrs, UINT32 in_size, BYTE *in, >> UINT32 *out_size, BYTE *out) { >> TSS_HENCDATA hEncData; >> UINT32 keySize, tmp_out_size; >> BYTE *tmp_out; >> /* Create the encrypted data object in the TSP */ >> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA, >> TSS_ENCDATA_SEAL, >> &hEncData); >> Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO, >> TSS_TSPATTRIB_KEYINFO_SIZE, >> &keySize); >> >> TSS_HPOLICY policy; >> >> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY, >> TSS_POLICY_USAGE, >> &policy); >> Tspi_Policy_SetSecret(policy, TSS_SECRET_MODE_PLAIN, 4, "bham"); >> >> /* Make sure the data is small enough to be bound by this* >> key,taking into account the OAEP padding size (38) and* the >> size of the TPM_SEALED_DATA structure (65) */ >> if (in_size > 153) { >> printf("Data to be encrypted is too big !\n"); >> return -1; >> } >> >> result = Tspi_Data_Seal(hEncData, hKey, in_size, in, hPcrs); >> >> printf("result of seal = %u\n", result); >> // This is the test unseal I'm using directly afterwoods, wont be here >> in >> // finished program. >> BYTE *outputholder; >> printf("result of policy =%u\n", result); >> result = Tspi_Data_Unseal(hEncData, hKey, &in_size, &outputholder); >> printf("result of unseal: %u\n", result); >> FILE *fout; >> fout = fopen("/home/bham/Desktop/Temp Work/testout", "wb"); >> write(fileno(fout), outputholder, *out_size); >> fclose(fout); >> >> /* Now hEncData contains an encrypted blob, let’s extract * it >> NORMAL CODE RESUMES HERE*/ >> Tspi_GetAttribData(hEncData, TSS_TSPATTRIB_ENCDATA_BLOB, >> TSS_TSPATTRIB_ENCDATABLOB_BLOB, &tmp_out_size, >> &tmp_out); >> printf("output of get data: %u\n", result); >> >> printf("result = %i\n", result); >> printf("%u = tmp_out_size\n", tmp_out_size); >> printf("%s = tmp_out\n", tmp_out); >> >> memcpy(out, tmp_out, tmp_out_size); >> *out_size = tmp_out_size; >> >> printf("out is :%s\n", out); >> /* Free the blob returned by the TSP */ >> Tspi_Context_FreeMemory(hContext, tmp_out); >> /* Close the encrypted data object, it will no longer * be used */ >> Tspi_Context_CloseObject(hContext, hEncData); >> return 0; >> } >> >> int CreatePcrs(UINT32 num_pcrs, UINT32 *pcrs, TSS_HPCRS *hPcrs) { >> UINT32 numPcrs, subCap, i; >> UINT32 ulPcrValueLength; >> BYTE *rgbPcrValue, *rgbNumPcrs; >> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS, 0, hPcrs); >> // Retrieve number of PCRs from the TPM >> subCap = TSS_TPMCAP_PROP_PCR; >> Tspi_TPM_GetCapability(hTPM, TSS_TPMCAP_PROPERTY, sizeof(UINT32), >> (BYTE *)&subCap, &ulPcrValueLength, &rgbNumPcrs); >> numPcrs = *(UINT32 *)rgbNumPcrs; >> Tspi_Context_FreeMemory(hContext, rgbNumPcrs); >> for (i = 0; i < num_pcrs; i++) { >> if (pcrs[i] >= numPcrs) { >> printf("PCR value %u is too big !\n", pcrs[i]); >> Tspi_Context_CloseObject(hContext, *hPcrs); >> return -1; >> } >> Tspi_TPM_PcrRead(hTPM, pcrs[i], &ulPcrValueLength, &rgbPcrValue); >> Tspi_PcrComposite_SetPcrValue(*hPcrs, pcrs[i], ulPcrValueLength, >> rgbPcrValue); >> Tspi_Context_FreeMemory(hContext, rgbPcrValue); >> } >> return 0; >> } >> >> and yes Im aware of flaws in here like fixed and rubbish passwords, this >> is all just simple test stuff while I get it working. >> > > > -- > hello > -- hello
_______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
