From 1b582dfec6366e000bf2cebdc648271796d2abb0 Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Mon, 19 Aug 2024 15:07:43 -0400 Subject: [PATCH 1/3] removed HIRS_Provisioner --- .github/workflows/package_centos.yml | 64 --- HIRS_Provisioner/TPMModule.properties | 4 - HIRS_Provisioner/build.gradle | 78 ---- .../config/checkstyle/suppressions.xml | 11 - HIRS_Provisioner/create-ek-cert.sh | 110 ----- HIRS_Provisioner/debian/changelog | 5 - HIRS_Provisioner/debian/compat | 1 - HIRS_Provisioner/debian/control | 13 - HIRS_Provisioner/debian/docs | 0 .../debian/hirs-provisioner.install | 8 - .../debian/hirs-provisioner.links | 2 - .../debian/hirs-provisioner.manpages | 1 - .../debian/hirs-provisioner.postinst | 53 --- HIRS_Provisioner/debian/lintian-overrides | 2 - HIRS_Provisioner/debian/rules | 7 - HIRS_Provisioner/debian/source/format | 1 - HIRS_Provisioner/hirs-provisioner-config.sh | 72 ---- HIRS_Provisioner/man/hirs-provisioner.1 | 28 -- .../scripts/install/hirs-provisioner.sh | 165 -------- .../scripts/install/tpm_aca_provision | 3 - .../setup/hirs-provisioner.properties | 15 - HIRS_Provisioner/setup/tpm-module.properties | 4 - .../provisioner/CommandLineArguments.java | 29 -- .../provisioner/ProvisionerApplication.java | 102 ----- .../provisioner/client/ClientProvisioner.java | 20 - .../client/ProvisioningException.java | 19 - .../client/RestfulClientProvisioner.java | 308 -------------- .../hirs/provisioner/client/package-info.java | 5 - .../ProvisionerConfiguration.java | 113 ----- .../configuration/package-info.java | 4 - .../java/hirs/provisioner/package-info.java | 4 - .../src/main/resources/defaults.properties | 29 -- .../src/main/resources/log4j2.xml | 36 -- .../collector/DeviceInfoCollectorTest.java | 376 ----------------- .../client/RestfulClientProvisionerTest.java | 399 ------------------ 35 files changed, 2091 deletions(-) delete mode 100644 .github/workflows/package_centos.yml delete mode 100644 HIRS_Provisioner/TPMModule.properties delete mode 100644 HIRS_Provisioner/build.gradle delete mode 100644 HIRS_Provisioner/config/checkstyle/suppressions.xml delete mode 100755 HIRS_Provisioner/create-ek-cert.sh delete mode 100644 HIRS_Provisioner/debian/changelog delete mode 100644 HIRS_Provisioner/debian/compat delete mode 100644 HIRS_Provisioner/debian/control delete mode 100644 HIRS_Provisioner/debian/docs delete mode 100644 HIRS_Provisioner/debian/hirs-provisioner.install delete mode 100644 HIRS_Provisioner/debian/hirs-provisioner.links delete mode 100644 HIRS_Provisioner/debian/hirs-provisioner.manpages delete mode 100644 HIRS_Provisioner/debian/hirs-provisioner.postinst delete mode 100644 HIRS_Provisioner/debian/lintian-overrides delete mode 100755 HIRS_Provisioner/debian/rules delete mode 100644 HIRS_Provisioner/debian/source/format delete mode 100755 HIRS_Provisioner/hirs-provisioner-config.sh delete mode 100644 HIRS_Provisioner/man/hirs-provisioner.1 delete mode 100755 HIRS_Provisioner/scripts/install/hirs-provisioner.sh delete mode 100755 HIRS_Provisioner/scripts/install/tpm_aca_provision delete mode 100644 HIRS_Provisioner/setup/hirs-provisioner.properties delete mode 100644 HIRS_Provisioner/setup/tpm-module.properties delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/CommandLineArguments.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/client/ClientProvisioner.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/client/ProvisioningException.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/client/RestfulClientProvisioner.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/client/package-info.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/ProvisionerConfiguration.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/package-info.java delete mode 100644 HIRS_Provisioner/src/main/java/hirs/provisioner/package-info.java delete mode 100644 HIRS_Provisioner/src/main/resources/defaults.properties delete mode 100644 HIRS_Provisioner/src/main/resources/log4j2.xml delete mode 100644 HIRS_Provisioner/src/test/java/hirs/client/collector/DeviceInfoCollectorTest.java delete mode 100644 HIRS_Provisioner/src/test/java/hirs/provisioner/client/RestfulClientProvisionerTest.java diff --git a/.github/workflows/package_centos.yml b/.github/workflows/package_centos.yml deleted file mode 100644 index 29107e70..00000000 --- a/.github/workflows/package_centos.yml +++ /dev/null @@ -1,64 +0,0 @@ -name: HIRS packages for centos -on: - push: - branches: - - '*v2*' - - 'master' - workflow_dispatch: - -jobs: - # run the package script for HIRS ACA, Provisioners, tcg_rim_tool, and tcg_eventlog_tool - Package: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - - steps: - - uses: actions/checkout@v2 - - name: Set up JDK 11 - uses: actions/setup-java@v2 - with: - java-version: '8' - distribution: 'adopt' - server-id: github # Value of the distributionManagement/repository/id field of the pom.xml - settings-path: ${{ github.workspace }} # location for the settings.xml file - package_centos: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v2 - - name: directory setup - run: | - mkdir -p artifacts/jars - mkdir -p artifacts/wars - mkdir -p artifacts/rpms - - name: Create HIRS packages - run: | - echo ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin - docker run --rm \ - -v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash \ - -c 'pushd /HIRS; \ - sh package/package.centos.sh; \ - cp /HIRS/package/rpm/RPMS/noarch/* /HIRS/artifacts/rpms/.; \ - cp /HIRS/package/rpm/RPMS/x86_64/* /HIRS/artifacts/rpms/.; \ - sh /HIRS/tools/tcg_rim_tool/package.sh; \ - cp /HIRS/tools/tcg_rim_tool/rpmbuild/BUILD/tcg_rim_tool/build/libs/* /HIRS/artifacts/jars/.; \ - cp /HIRS/tools/tcg_rim_tool/rpmbuild/RPMS/x86_64/* /HIRS/artifacts/rpms/.; \ - sh /HIRS/tools/tcg_eventlog_tool/gradlew clean buildRPM; \ - cp /HIRS/tools/tcg_eventlog_tool/build/libs/tools/* /HIRS/artifacts/jars/.; \ - cp /HIRS/tools/tcg_eventlog_tool/build/distributions/* /HIRS/artifacts/rpms/.; \ - popd;' - - name: Archive RPM files - uses: actions/upload-artifact@v2 - with: - name: RPM_Files - path: artifacts/rpms/* - if-no-files-found: error - - name: Archive Jar files - uses: actions/upload-artifact@v2 - with: - name: JAR_Files - path: artifacts/jars/ diff --git a/HIRS_Provisioner/TPMModule.properties b/HIRS_Provisioner/TPMModule.properties deleted file mode 100644 index 8f41b260..00000000 --- a/HIRS_Provisioner/TPMModule.properties +++ /dev/null @@ -1,4 +0,0 @@ -TpmModuleExePath = exe -ExeName = /tpm_module -TrousersMode = False -DebugMode = True diff --git a/HIRS_Provisioner/build.gradle b/HIRS_Provisioner/build.gradle deleted file mode 100644 index ea3111d1..00000000 --- a/HIRS_Provisioner/build.gradle +++ /dev/null @@ -1,78 +0,0 @@ -apply plugin: 'findbugs' -apply plugin: 'checkstyle' -apply plugin: 'application' - -sourceCompatibility = 1.8 - -mainClassName = "hirs.provisioner.ProvisionerApplication" - -dependencies { - compile project(':TPM_Utils') - compile project(':HIRS_Structs') - compile project(':HIRS_Utils') - compile libs.spring_web - compile libs.log_bridge - compile libs.commons_lang - - compileOnly libs.checkstyle - compileOnly libs.findbugs - - testCompile libs.testng - testCompile libs.mockito - testCompile libs.powermock - testCompile libs.spring_test - testCompile libs.checkstyle - testCompile libs.findbugs - testCompile libs.commons_lang -} - -copyVersion.dependsOn compileJava -jar.dependsOn copyVersion - -ext.configDir = new File(projectDir, 'config') -ext.checkstyleConfigDir = "$configDir/checkstyle" -checkstyle { - toolVersion = '5.7' - configFile = checkstyleConfigFile - configProperties.put('basedir', checkstyleConfigDir) - ignoreFailures = false - showViolations = true -} - -ext.findbugsConfigDir = "$configDir/findbugs" - -findbugs { - toolVersion = '3.0.0' - ignoreFailures = false - effort = 'max' -} - -publishing { - publications { - maven(MavenPublication) { - artifactId 'hirs-provisioner' - artifact jar - pom.withXml { - def dependenciesNode = asNode().appendNode('dependencies') - - configurations.runtime.allDependencies.each { - if (it.group != null && it.name != null) { - def dependencyNode = dependenciesNode.appendNode('dependency') - dependencyNode.appendNode('groupId', it.group) - dependencyNode.appendNode('artifactId', it.name) - dependencyNode.appendNode('version', it.version) - - if (it.excludeRules.size() > 0) { - def exclusionsNode = dependencyNode.appendNode('exclusions') - it.excludeRules.each { rule -> - def exclusionNode = exclusionsNode.appendNode('exclusion') - exclusionNode.appendNode('groupId', rule.group) - exclusionNode.appendNode('artifactId', rule.module) - } - } - } - } - } - } - } -} diff --git a/HIRS_Provisioner/config/checkstyle/suppressions.xml b/HIRS_Provisioner/config/checkstyle/suppressions.xml deleted file mode 100644 index 9eb70832..00000000 --- a/HIRS_Provisioner/config/checkstyle/suppressions.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - - - diff --git a/HIRS_Provisioner/create-ek-cert.sh b/HIRS_Provisioner/create-ek-cert.sh deleted file mode 100755 index a7467fb4..00000000 --- a/HIRS_Provisioner/create-ek-cert.sh +++ /dev/null @@ -1,110 +0,0 @@ -#!/bin/bash - -# Assumes HIRS is already installed -# Dependencies: -# openssl, version 1.0.2 (must download from source) -# tpm_module - -# Download and install latest version of openssl from source, using these steps: -# cd /usr/local/src -# wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz -# tar -zxf openssl-1.0.2-latest.tar.gz -# cd openssl-1.0.2* -# ./config -# make depend -# make -# make install -# mv /usr/bin/openssl /root -# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl - -# The TPM only gives us the public key modulus, not a properly formatted key -PUBEK_MOD=$(tpm_module -m 29 -nr -d -t ek -z -d) -rc=$? -if [ "$rc" != "0" ]; then - echo "Attempt to access the TPM's public Endorsement Key was unsuccessful" - echo "Exiting" - exit $rc; -fi - -# Check user's permissions -if [ ! -w $(pwd) ] ; then - echo "This user does not have permissions to write to this directory: $(pwd)" - echo "Exiting" - exit 1 -fi - -mkdir -p certs -cd certs - -EKCERT_PATH="$(pwd)/ek.crt" -CAKEY_PATH="$(pwd)/ca.key" -CACERT_PATH="$(pwd)/ca.crt" - -# Create the asn.1 definition file used to recreate the public key using the modulus -cat << @EOF > def.asn1 -# Start with a SEQUENCE -asn1=SEQUENCE:pubkeyinfo - -# pubkeyinfo contains an algorithm identifier and the public key wrapped -# in a BIT STRING -[pubkeyinfo] -algorithm=SEQUENCE:rsa_alg -pubkey=BITWRAP,SEQUENCE:rsapubkey - -# algorithm ID for RSA is just an OID and a NULL -[rsa_alg] -algorithm=OID:rsaEncryption -parameter=NULL - -# Actual public key: modulus and exponent -[rsapubkey] -n=INTEGER:0x$PUBEK_MOD - -e=INTEGER:0x010001 -@EOF - -# openssl commands return v1 certificates by default -# create a .ext file to specify that we want v3 -cat << @EOF > v3.ext -authorityKeyIdentifier=keyid,issuer -basicConstraints=CA:FALSE -keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment -@EOF - -# Create endorsement key given the asn1 file (DER is the default) -openssl asn1parse -genconf def.asn1 -out ek.der -noout -rm def.asn1 - -# Convert endorsement key from DER to PEM -openssl rsa -pubin -in ek.der -inform DER -out ek.pem -outform PEM -rm ek.der - -# Create self-signed CA certificate -openssl req -newkey rsa:2048 -nodes -keyout $CAKEY_PATH -x509 -days 365 -out $CACERT_PATH \ --subj "/CN=www.example.com" - -# openssl needs a private key to create a new certificate signing request -# we only have the public endorsement key, so create a temporary key pair here -openssl req -newkey rsa:2048 -out temp.csr -nodes -keyout temp.key -subj "/CN=www.example.com" -rm temp.key - -# Create the certificate here, forcing the use of our endorsement key (this means our temp key isn't used anymore -errormessage=`openssl x509 -req -days 365 -in temp.csr -extfile v3.ext -CAcreateserial -CAkey $CAKEY_PATH -CA $CACERT_PATH -out $EKCERT_PATH -force_pubkey ek.pem 2>&1` -rc=$? -rm v3.ext temp.csr ek.pem -if [ "$rc" != "0" ]; then - echo $errormessage | grep -q "unknown option -force_pubkey" && echo "ERROR: The option 'force_pubkey' is required, but was not found for this installation of openssl x509. Please install a newer version (1.0.2+) from source" || echo $errormessage - echo "Cleaning up..." - rm $CAKEY_PATH $CACERT_PATH - cd .. - rmdir certs --ignore-fail-on-non-empty - exit $rc -fi -rm ca.srl - -openssl x509 -text -in $EKCERT_PATH - -echo "SUCCESS: EK cert created successfully at: $EKCERT_PATH" -echo " CA key found at: $CAKEY_PATH" -echo " self-signed CA cert found at: $CACERT_PATH" -echo diff --git a/HIRS_Provisioner/debian/changelog b/HIRS_Provisioner/debian/changelog deleted file mode 100644 index 34033938..00000000 --- a/HIRS_Provisioner/debian/changelog +++ /dev/null @@ -1,5 +0,0 @@ -hirs-provisioner (VER) RELEASE; urgency=low - - * Initial release - - -- HIRS HIRS Tue, 10 Feb 2015 16:56:18 -0500 \ No newline at end of file diff --git a/HIRS_Provisioner/debian/compat b/HIRS_Provisioner/debian/compat deleted file mode 100644 index ec635144..00000000 --- a/HIRS_Provisioner/debian/compat +++ /dev/null @@ -1 +0,0 @@ -9 diff --git a/HIRS_Provisioner/debian/control b/HIRS_Provisioner/debian/control deleted file mode 100644 index fc204056..00000000 --- a/HIRS_Provisioner/debian/control +++ /dev/null @@ -1,13 +0,0 @@ -Source: hirs-provisioner -Section: admin -Priority: optional -Maintainer: HIRS -Build-Depends: debhelper (>= 9) -Standards-Version: 3.9.5 - -Package: hirs-provisioner -Architecture: amd64 -Depends: tpm-module, openjdk-8-jre, wget -Description: HIRS Provisioner for Ubuntu - Host Integrity at Runtime and Startup. Allows provisioning of TPM - for Ubuntu 16.04 Linux clients. \ No newline at end of file diff --git a/HIRS_Provisioner/debian/docs b/HIRS_Provisioner/debian/docs deleted file mode 100644 index e69de29b..00000000 diff --git a/HIRS_Provisioner/debian/hirs-provisioner.install b/HIRS_Provisioner/debian/hirs-provisioner.install deleted file mode 100644 index 2b5b6161..00000000 --- a/HIRS_Provisioner/debian/hirs-provisioner.install +++ /dev/null @@ -1,8 +0,0 @@ -install-provisioner/bin/ usr/share/hirs/provisioner -install-provisioner/lib/ usr/share/hirs/provisioner -install-provisioner/scripts/install/hirs-provisioner.sh usr/share/hirs/provisioner -install-provisioner/scripts/hirs-provisioner-config.sh etc/hirs/provisioner -install-provisioner/logging.properties etc/hirs/provisioner -install-provisioner/setup/provisioner.properties etc/hirs/provisioner -install-provisioner/setup/hirs-provisioner.properties etc/hirs/provisioner/setup -install-provisioner/setup/tpm-module.properties etc/hirs/provisioner/setup diff --git a/HIRS_Provisioner/debian/hirs-provisioner.links b/HIRS_Provisioner/debian/hirs-provisioner.links deleted file mode 100644 index 410ad7f4..00000000 --- a/HIRS_Provisioner/debian/hirs-provisioner.links +++ /dev/null @@ -1,2 +0,0 @@ -/usr/share/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner - diff --git a/HIRS_Provisioner/debian/hirs-provisioner.manpages b/HIRS_Provisioner/debian/hirs-provisioner.manpages deleted file mode 100644 index c8dadc32..00000000 --- a/HIRS_Provisioner/debian/hirs-provisioner.manpages +++ /dev/null @@ -1 +0,0 @@ -debian/hirs-provisioner.1 diff --git a/HIRS_Provisioner/debian/hirs-provisioner.postinst b/HIRS_Provisioner/debian/hirs-provisioner.postinst deleted file mode 100644 index 76aa3e7b..00000000 --- a/HIRS_Provisioner/debian/hirs-provisioner.postinst +++ /dev/null @@ -1,53 +0,0 @@ -#!/bin/bash - -set -e - -case "$1" in - configure) - if [[ $(find /sys/devices -name "tpm0") ]]; then - echo "TPM detected" - if [ -f "/usr/lib/systemd/system/tcsd.service" ]; then - echo "Starting tcsd service" - systemctl start tcsd - ret=$? - if [[ $ret -ne 0 ]]; then - echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE" - fi - echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6" - chkconfig --level 1356 tcsd on - else - echo "Starting tcsd service" - service tcsd start - ret=$? - if [[ $ret -ne 0 ]]; then - echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE" - fi - echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6" - chkconfig --level 1356 tcsd on - fi - if [ ! -d "/sys/kernel/security/tpm0" ]; then - echo "Mounting security fs partition" - sed -i '$a securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0' /etc/fstab - mount -a - if [ -d "/sys/kernel/security/tpm0" ]; then - echo "SUCCESS: security fs partition mounted" - fi - fi - else - echo "WARNING: UNABLE TO LOCATE TPM DEVICE, TPM PROVISIONING WILL FAIL" - fi - - # install logging.properties if it doesn't already exist - if ! [[ -f /etc/hirs/logging.properties ]]; then - mv /etc/hirs/provisioner/logging.properties /etc/hirs/ - else - rm /etc/hirs/provisioner/logging.properties - fi - - hirs-provisioner -c - ;; - *) - ;; -esac - -exit 0 diff --git a/HIRS_Provisioner/debian/lintian-overrides b/HIRS_Provisioner/debian/lintian-overrides deleted file mode 100644 index 982ef4f8..00000000 --- a/HIRS_Provisioner/debian/lintian-overrides +++ /dev/null @@ -1,2 +0,0 @@ -# Ignore lintian error about incorrectly formatted copyright file -hirs-provisioner binary: copyright-should-refer-to-common-license-file-for-lgpl \ No newline at end of file diff --git a/HIRS_Provisioner/debian/rules b/HIRS_Provisioner/debian/rules deleted file mode 100755 index d590aa1b..00000000 --- a/HIRS_Provisioner/debian/rules +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/make -f -# -*- makefile -*- - -export DH_VERBOSE=1 - -%: - dh $@ diff --git a/HIRS_Provisioner/debian/source/format b/HIRS_Provisioner/debian/source/format deleted file mode 100644 index 89ae9db8..00000000 --- a/HIRS_Provisioner/debian/source/format +++ /dev/null @@ -1 +0,0 @@ -3.0 (native) diff --git a/HIRS_Provisioner/hirs-provisioner-config.sh b/HIRS_Provisioner/hirs-provisioner-config.sh deleted file mode 100755 index db86e854..00000000 --- a/HIRS_Provisioner/hirs-provisioner-config.sh +++ /dev/null @@ -1,72 +0,0 @@ -#!/bin/bash - -PROVISIONER_DIR="/etc/hirs/provisioner" -CERTIFICATES="/etc/hirs/certificates/provisioner" -SITE_CONFIG_FILE="/etc/hirs/hirs-site.config" -PROVISIONER_PROPERTIES="$PROVISIONER_DIR/provisioner.properties" -TMP_PROPERTIES="$PROVISIONER_DIR/tmp.properties" -PROVISIONER_LOG_DIR="/var/log/hirs/provisioner" -PROVISIONER_LOG_FILE="$PROVISIONER_LOG_DIR/HIRS_Provisioner.log" - -# ensure log file exists -mkdir -p $PROVISIONER_LOG_DIR -touch $PROVISIONER_LOG_FILE - - -mkdir -p ${CERTIFICATES}/private - -# certificates and key stores generated by this script. -CLIENT_PEM=${CERTIFICATES}/private/hirs.client.pem -CLIENT_CERT=${CERTIFICATES}/hirs.client.cert -INTERNAL_P12=${CERTIFICATES}/hirs.p12 -KEYSTORE_JKS=${CERTIFICATES}/keyStoreClient.jks - -# delete the key store if it exists -if [ -f ${KEYSTORE_JKS} ]; then - echo "----> Deleting existing key store" | tee -a $PROVISIONER_LOG_FILE - rm -f ${KEYSTORE_JKS} -fi - -# Read site config -source ${SITE_CONFIG_FILE} - -# Read a block of raw data bytes from /dev/urandom and convert it to text characters. -P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') - -# generate a key and certificate. The key is the private key used to sign the well known CA cert. -echo 'Creating 2048 bit key' >> $PROVISIONER_LOG_FILE 2>&1 -openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CLIENT_PEM} -out ${CLIENT_CERT} -subj "/C=US/O=HIRS/OU=Provisioner/CN=$CLIENT_HOSTNAME" >> $PROVISIONER_LOG_FILE 2>&1 - -# export the certificate and key as a p12 file -echo 'Exporting key' >> $PROVISIONER_LOG_FILE 2>&1 -openssl pkcs12 -export -in ${CLIENT_CERT} -inkey ${CLIENT_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD} >> $PROVISIONER_LOG_FILE 2>&1 - -# create a key store using the pk12 file. -echo 'Configuring key store' >> $PROVISIONER_LOG_FILE 2>&1 -keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt >> $PROVISIONER_LOG_FILE 2>&1 - -if [ ! -f ${KEYSTORE_JKS} ]; then - echo "${KEYSTORE_JKS} was not created" | tee -a $PROVISIONER_LOG_FILE - exit 1; -fi - -grep -v "javax.net.ssl" ${PROVISIONER_PROPERTIES} > ${TMP_PROPERTIES} -mv ${TMP_PROPERTIES} ${PROVISIONER_PROPERTIES} - -echo "javax.net.ssl.keyStore=$KEYSTORE_JKS" >> ${PROVISIONER_PROPERTIES} -echo "javax.net.ssl.trustStore=${CERTIFICATES}/TrustStore.jks" >> ${PROVISIONER_PROPERTIES} -echo "javax.net.ssl.keyStorePassword=$P12_PASSWORD" >> ${PROVISIONER_PROPERTIES} - -# Checking for existing HIRS TrustStore -if [ -f "${CERTIFICATES}/TrustStore.jks" ]; then - rm -f ${CERTIFICATES}/TrustStore.jks -fi - -echo "----> Downloading truststore" | tee -a $PROVISIONER_LOG_FILE -wget https://"$ATTESTATION_CA_FQDN":"$ATTESTATION_CA_PORT"/HIRS_AttestationCA/client-files/TrustStore.jks --no-check-certificate -P ${CERTIFICATES} >/dev/null 2>/dev/null -if [ ! -f "${CERTIFICATES}/TrustStore.jks" ]; then - echo "----> ERROR: Truststore could not be downloaded from $ATTESTATION_CA_FQDN" | tee -a $PROVISIONER_LOG_FILE -fi - -sed -i "s/provisioner\.aca\.host\s*=\s*.*/provisioner.aca.host = $ATTESTATION_CA_FQDN/" $PROVISIONER_PROPERTIES -sed -i "s/provisioner\.aca\.port\s*=\s*.*/provisioner.aca.port = $ATTESTATION_CA_PORT/" $PROVISIONER_PROPERTIES diff --git a/HIRS_Provisioner/man/hirs-provisioner.1 b/HIRS_Provisioner/man/hirs-provisioner.1 deleted file mode 100644 index 86fba886..00000000 --- a/HIRS_Provisioner/man/hirs-provisioner.1 +++ /dev/null @@ -1,28 +0,0 @@ -.TH hirs\-provisioner 1 "January 11, 2018" - -.SH NAME -hirs\-provisioner \- provision the TPM -.SH SYNOPSIS -.B hirs\-provisioner -[\-c] [\-h] [\-p] -.SH DESCRIPTION -Provision the TPM for use with the Host Integrity at Runtime and Startup -(HIRS) framework. - -.B \-c, \-\-config, config -.IP -create /etc/hirs/hirs-site.config template if the file does not already exist. -If it does exist, check that its contents are valid. The template must be -filled out with the relevant fields. -.P -.B \-p, \-\-provision, provision -.IP -provision system with HIRS Attestation Credential Authority. See full HIRS -documentation for an explanation of the provisioning process. -.P -.B \-h, \-\-help, help -.IP -print help output - -.SH SEE ALSO -tpm_module(1) diff --git a/HIRS_Provisioner/scripts/install/hirs-provisioner.sh b/HIRS_Provisioner/scripts/install/hirs-provisioner.sh deleted file mode 100755 index 85d92c81..00000000 --- a/HIRS_Provisioner/scripts/install/hirs-provisioner.sh +++ /dev/null @@ -1,165 +0,0 @@ -#!/bin/bash - -# main driving script for the HIRS Provisioner RPM/DEB. Provides user options -# for creating a default hirs-site.config, used by the provisioner and the HIRS Client RPM, -# as well as initiating HIRS provisioning of the TPM and loading of credentials from the -# HIRS Attestation CA. - -CERTS_DIR="/etc/hirs/provisioner/certs/" -HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" -HIRS_PROVISIONER_CONFIG="/etc/hirs/provisioner/hirs-provisioner-config.sh" -HIRS_PROVISIONER_SCRIPT="/usr/share/hirs/provisioner/bin/HIRS_Provisioner" -HIRS_PROVISIONER_2_0_SCRIPT="/usr/local/bin/hirs-provisioner-tpm2" -HIRS_PROVISIONER_PROPERTIES="/etc/hirs/provisioner/provisioner.properties" - -if [ "$EUID" != "0" ]; then - echo "This script must be run as root" - exit 1 -fi - -function ShowHelp { - echo "hirs provisioner - host integrity at runtime & startup" - echo "" - echo "hirs-provisioner [command]" - echo "" - echo "commands:" - echo "-h, --help, help show this help" - echo "-c, --config, config verify or generate site configuration" - echo "-p, --provision, provision provision TPM/prepare for use with HIRS" - exit 0 -} - -if [ $# -eq 0 ]; then # if no arguments - ShowHelp -fi - - -function CheckHIRSSiteConfig { - - # Check for site config existence - if [ ! -f $HIRS_SITE_CONFIG ]; then - echo "--> ERROR: $HIRS_SITE_CONFIG not found - run \"hirs-provisioner -c\" to generate the file" - exit 1 - fi - - # Read site config - source $HIRS_SITE_CONFIG - - # Verify variable existence - if [[ -z "$CLIENT_HOSTNAME" ]]; then - echo "--> ERROR: CLIENT_HOSTNAME is not set in $HIRS_SITE_CONFIG" - exit 1 - fi - - if [[ -z "$ATTESTATION_CA_FQDN" ]]; then - echo "--> ERROR: ATTESTATION_CA_FQDN not set in $HIRS_SITE_CONFIG" - exit 1 - fi - - if [[ -z "$ATTESTATION_CA_PORT" ]]; then - echo "--> ERROR: ATTESTATION_CA_PORT not set in $HIRS_SITE_CONFIG" - exit 1 - fi - - if [[ -z "$BROKER_FQDN" ]]; then - echo "--> ERROR: BROKER_FQDN not set in $HIRS_SITE_CONFIG" - exit 1 - fi - - if [[ -z "$BROKER_PORT" ]]; then - echo "--> ERROR: BROKER_PORT not set in $HIRS_SITE_CONFIG" - exit 1 - fi - - if [[ -z "$PORTAL_FQDN" ]]; then - echo "--> ERROR: PORTAL_FQDN not set in $HIRS_SITE_CONFIG" - exit 1 - fi - - if [[ -z "$PORTAL_PORT" ]]; then - echo "--> ERROR: PORTAL_PORT not set in $HIRS_SITE_CONFIG" - exit 1 - fi -} - -function CheckProvisionPrereqsAndDoProvisioning { - - if [ ! -f $HIRS_SITE_CONFIG ]; then - echo "$HIRS_SITE_CONFIG not found. Run \"hirs-provisioner -c\" to generate." - exit 0 - fi - - # the hirs provisioner script should be verifying - CheckHIRSSiteConfig - - echo "--> Configuring provisioner" - eval $HIRS_PROVISIONER_CONFIG || { echo "----> Failed configuring provisioner"; exit 1; } - - if [ $TPM_ENABLED = "true" ]; then - echo "--> Provisioning" - Provision - else - echo "--> TPM not enabled - skipping provisioning" - fi -} - - -function Provision { - # Provisioner will only retain one {uuid}.cer credential; remove any existing *.cer files. - echo "----> Removing old attestation credentials, if any" - rm -f $CERTS_DIR/*.cer /etc/hirs/ak.cer - echo "----> Provisioning TPM" - - if [ -f $HIRS_PROVISIONER_2_0_SCRIPT ] - then - $HIRS_PROVISIONER_2_0_SCRIPT provision || { echo "----> Failed to provision TPM 2.0"; exit 1; } - else - $HIRS_PROVISIONER_SCRIPT $CLIENT_HOSTNAME || { echo "----> Failed to provision TPM"; exit 1; } - fi -} - - -function WriteDefaultHirsSiteConfigFile { - if [ ! -f $HIRS_SITE_CONFIG ]; then - # Create template site config if it does not exist - cat < $HIRS_SITE_CONFIG -#******************************************* -#* HIRS site configuration properties file -#******************************************* - -# Client configuration -CLIENT_HOSTNAME=$(hostname -f) -TPM_ENABLED= -IMA_ENABLED= - -# Site-specific configuration -ATTESTATION_CA_FQDN= -ATTESTATION_CA_PORT=8443 -BROKER_FQDN= -BROKER_PORT=61616 -PORTAL_FQDN= -PORTAL_PORT=8443 - -DEFAULT_SITE_CONFIG_FILE - - echo "$HIRS_SITE_CONFIG not found - a template has been created" - echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner -p' to provision this system" - fi -} - - -while test $# -gt 0; do # iterate over arguments - case "$1" in - -c|--config|config) - shift - WriteDefaultHirsSiteConfigFile - ;; - -p|--provision|provision) - shift - CheckProvisionPrereqsAndDoProvisioning - ;; - *) - ShowHelp - ;; - esac -done diff --git a/HIRS_Provisioner/scripts/install/tpm_aca_provision b/HIRS_Provisioner/scripts/install/tpm_aca_provision deleted file mode 100755 index 2c904d25..00000000 --- a/HIRS_Provisioner/scripts/install/tpm_aca_provision +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -hirs-provisioner provision diff --git a/HIRS_Provisioner/setup/hirs-provisioner.properties b/HIRS_Provisioner/setup/hirs-provisioner.properties deleted file mode 100644 index 6be6646c..00000000 --- a/HIRS_Provisioner/setup/hirs-provisioner.properties +++ /dev/null @@ -1,15 +0,0 @@ -#TPM Provisioning Data -TpmEndorsmentP12 = endorsement.p12 -EndorsementP12Pass = key_password -EcValidityDays = 3652 -TpmOwnerAuth = 0000000000000000000000000000000000000000 -#HIS Identity Provisioning Data -HisIdentityLabel = HIS Identity Key -HisIdentityIndex = 1 -HisIdentityAuth = 0000000000000000000000000000000000000000 -AttestationCaCertFile = AttestationCA.cer -AttestationCaUrl = https://sampleCAurl:8443/HIRS_AttestationCA -HisRegistrationUrl = https://sampleREGurl:8443/HisWebServices -TrustStore = TrustStore.jks -NtruBypass = true -ClientPath = /etc/hirs diff --git a/HIRS_Provisioner/setup/tpm-module.properties b/HIRS_Provisioner/setup/tpm-module.properties deleted file mode 100644 index 779197cd..00000000 --- a/HIRS_Provisioner/setup/tpm-module.properties +++ /dev/null @@ -1,4 +0,0 @@ -TpmModuleExePath = /usr/bin/ -ExeName = tpm_module -TrousersMode = False -DebugMode = True diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/CommandLineArguments.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/CommandLineArguments.java deleted file mode 100644 index 54ecf64a..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/CommandLineArguments.java +++ /dev/null @@ -1,29 +0,0 @@ -package hirs.provisioner; - -/** - * Class to hold the command line argument values passed to the provisioner. - */ -public final class CommandLineArguments { - - private static String hostName; - - private CommandLineArguments() { - - } - - /** - * - * @return the host name - */ - public static String getHostName() { - return hostName; - } - - /** - * - * @param hostName the host name - */ - public static void setHostName(final String hostName) { - CommandLineArguments.hostName = hostName; - } -} diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java deleted file mode 100644 index c2f7c494..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java +++ /dev/null @@ -1,102 +0,0 @@ -package hirs.provisioner; - -import org.apache.commons.lang3.StringUtils; -import org.apache.commons.lang3.ArrayUtils; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import hirs.provisioner.configuration.ProvisionerConfiguration; -import hirs.utils.LogConfigurationUtil; -import org.springframework.context.annotation.AnnotationConfigApplicationContext; - -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.nio.file.FileSystems; - -import java.util.Arrays; -import java.util.List; -import java.util.Properties; - -/** - * Defines the application's entry point and the main configuration. - */ -public final class ProvisionerApplication { - private static final String JAVA_PROP_TRUST_STORE = "javax.net.ssl.trustStore"; - private static final String JAVA_PROP_KEY_STORE = "javax.net.ssl.keyStore"; - private static final String JAVA_PROP_KEY_STORE_PASSWORD = "javax.net.ssl.keyStorePassword"; - private static final List SYSTEM_PROPERTIES_TO_SET = Arrays.asList( - JAVA_PROP_KEY_STORE, JAVA_PROP_TRUST_STORE, JAVA_PROP_KEY_STORE_PASSWORD - ); - private static final Logger LOGGER = LogManager.getLogger(ProvisionerApplication.class); - private static final int REQUIRED_ARG_COUNT = 1; - private static final String PROP_FILE_PATH = - "/etc/hirs/provisioner/provisioner.properties"; - - /** - * Hidden default constructor. - */ - private ProvisionerApplication() { - } - - /** - * Application entry point. Uses Spring Boot to bootstrap the application. - * - * @param args not used - */ - public static void main(final String[] args) { - try { - LogConfigurationUtil.applyConfiguration(); - } catch (IOException e) { - LOGGER.error("Error configuring provisioner logger", e); - } - - if (ArrayUtils.isEmpty(args) || args.length != REQUIRED_ARG_COUNT) { - LOGGER.error("Provisioner requires exactly " + REQUIRED_ARG_COUNT - + " args (Host Name)"); - System.exit(-1); - } - - CommandLineArguments.setHostName(args[0]); - - LOGGER.debug("Starting HIRS Provisioner command line application"); - - try { - setTrustStore(); - } catch (IOException ex) { - LOGGER.error("Error provisioning client", ex); - System.exit(-1); - } - - // enable TLS 1.1 and 1.2 - System.setProperty("https.protocols", "TLSv1.2"); - - // initialize the context - new AnnotationConfigApplicationContext(ProvisionerConfiguration.class); - } - - /** - * This method configures the JVM with the trustStore as read from - * provisioner.properties. - * - * @throws IOException if provisioner.properties cannot be read - */ - private static void setTrustStore() throws IOException { - Properties runtimeJVMProperties = new Properties(); - - try (InputStream propertiesFileInputStream = new FileInputStream( - FileSystems.getDefault().getPath(PROP_FILE_PATH) - .toFile())) { - runtimeJVMProperties.load(propertiesFileInputStream); - } - - for (String property : SYSTEM_PROPERTIES_TO_SET) { - String value = runtimeJVMProperties.getProperty(property); - if (StringUtils.isBlank(value)) { - throw new IllegalArgumentException(String.format( - "Cannot start HIRS Provisioner; please set a value for %s in %s", - property, PROP_FILE_PATH)); - } - System.setProperty(property, value); - } - } -} diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/ClientProvisioner.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/client/ClientProvisioner.java deleted file mode 100644 index a8373161..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/ClientProvisioner.java +++ /dev/null @@ -1,20 +0,0 @@ -package hirs.provisioner.client; - -/** - * Defines the responsibilities and behavior of a service that provisions clients. That is, to - * take ownership of the machine's TPM, create an identity credential, attest said credential with a - * certificate authority, and activate that credential with the client's TPM. - */ -public interface ClientProvisioner { - - /** - * Takes control of the machine's TPM. Then creates an identity credential using the TPM. That - * credential is then attested by a certificate authority. If that passes, the provisioner - * will activate the credential with the TPM and persist the credential on the client for - * future TPM operations. This method may throw {@link ProvisioningException}s when encountering - * errors dealing with the TPM and/certificate authority. - * - * @return true if provisioning was successful, false otherwise - */ - boolean provision(); -} diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/ProvisioningException.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/client/ProvisioningException.java deleted file mode 100644 index d7151728..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/ProvisioningException.java +++ /dev/null @@ -1,19 +0,0 @@ -package hirs.provisioner.client; - -/** - * Describes exceptions encountered while provisioning a client. - */ -public class ProvisioningException extends RuntimeException { - - /** - * Provisioning exception that includes a root exception, the throwable, as the reason why the - * provisioning process failed. The message provides additional detail as to why the exception - * was encountered. - * - * @param message additional explanation of the failure - * @param throwable root cause for the exception - */ - public ProvisioningException(final String message, final Throwable throwable) { - super(message, throwable); - } -} diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/RestfulClientProvisioner.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/client/RestfulClientProvisioner.java deleted file mode 100644 index e55ccde3..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/RestfulClientProvisioner.java +++ /dev/null @@ -1,308 +0,0 @@ -package hirs.provisioner.client; - -import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; -import org.apache.commons.lang3.ArrayUtils; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.event.ContextRefreshedEvent; -import org.springframework.context.event.EventListener; -import org.springframework.http.HttpEntity; -import org.springframework.http.HttpMethod; -import org.springframework.http.ResponseEntity; -import org.springframework.stereotype.Component; -import org.springframework.util.SerializationUtils; -import org.springframework.web.client.RestTemplate; - -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.interfaces.RSAPublicKey; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.X509EncodedKeySpec; -import java.util.UUID; -import hirs.DeviceInfoReportRequest; -import hirs.client.collector.DeviceInfoCollector; -import hirs.collector.CollectorException; -import hirs.data.persist.DeviceInfoReport; -import hirs.provisioner.CommandLineArguments; -import hirs.structs.converters.SimpleStructBuilder; -import hirs.structs.converters.StructConverter; -import hirs.structs.elements.aca.IdentityRequestEnvelope; -import hirs.structs.elements.aca.IdentityResponseEnvelope; -import hirs.structs.elements.tpm.AsymmetricKeyParams; -import hirs.structs.elements.tpm.AsymmetricPublicKey; -import hirs.structs.elements.tpm.RsaSubParams; -import hirs.structs.elements.tpm.StorePubKey; -import hirs.tpm.tss.Tpm; - -/** - * Client implementation that uses a RestTemplate to communicate - * with the Attestation Certificate Authority. - * - */ -@Component -public class RestfulClientProvisioner implements ClientProvisioner { - - private static final Logger LOG = LogManager.getLogger(RestfulClientProvisioner.class); - - @Autowired - private RestTemplate restTemplate; - - @Autowired - private Tpm tpm; - - @Autowired - private StructConverter structConverter; - - @Value("${provisioner.files.certs}") - private String certificatesPath; - - @Value("${provisioner.aca.url.key}") - private String acaPublicKeyURL; - - @Value("${provisioner.aca.url.identity}") - private String acaIdentityURL; - - /** - * When the application context is initialized, begin provisioning. - * - * @param event ignored - */ - @EventListener - @SuppressFBWarnings(value = "DM_EXIT", - justification = "need to exit app from spring managed class here") - public final void handleContextInitialized(final ContextRefreshedEvent event) { - - // attempt to create the required directory structures before provisioning. - try { - LOG.debug("Creating certificate directory if non existent: " + certificatesPath); - Files.createDirectories(Paths.get(certificatesPath)); - } catch (IOException ex) { - LOG.error("Error creating certificate directories: " + ex.getMessage(), ex); - throw new ProvisioningException(ex.getMessage(), ex); - } - - // initiate provisioning process. If it fails, exit with non-zero so that - // the caller (hirs.sh) can exit and not configure the client due to failure. - if (!this.provision()) { - LOG.debug("Exiting with error due to provisioning failure"); - System.exit(-1); - } - } - - @Override - public boolean provision() { - - // take ownership of the TPM - takeOwnership(); - LOG.debug("took ownership of TPM"); - - // get the public key from the ACA - RSAPublicKey acaPublicKey = getACAPublicKey(); - LOG.debug("received public key from ACA"); - - // create uuid for identity request and response - String uuid = UUID.randomUUID().toString(); - - // create Tpm Key from ACA Public key - AsymmetricPublicKey tpmKey = new SimpleStructBuilder<>(AsymmetricPublicKey.class) - .set("asymmetricKeyParams", new SimpleStructBuilder<>(AsymmetricKeyParams.class) - .set("algorithmId", AsymmetricPublicKey.DEFAULT_RSA_ALG_ID) - .set("encryptionScheme", AsymmetricPublicKey.DEFAULT_RSA_ENCRYPTION_SCHEME) - .set("signatureScheme", AsymmetricPublicKey.DEFAULT_RSA_SIGNATURE_SCHEME) - .set("params", new SimpleStructBuilder<>(RsaSubParams.class) - .set("totalPrimes", AsymmetricPublicKey.DEFAULT_PRIME_TOTAL) - .set("keyLength", AsymmetricPublicKey.DEFAULT_KEY_LENGTH) - .set("exponent", acaPublicKey.getPublicExponent().toByteArray()) - .build()) - .build()) - .set("storePubKey", new SimpleStructBuilder<>(StorePubKey.class) - .set("key", acaPublicKey.getModulus().toByteArray()) - .build()) - .build(); - - // obtain device information required for identity request - DeviceInfoReport deviceInfoReport = getDeviceInfoReport(); - - // create the identity request using the ACA public key and a generated UUID - IdentityRequestEnvelope identityRequest = createIdentityRequest(tpmKey, uuid, - deviceInfoReport); - LOG.debug(String.format("created TPM identity request using UUID %s", uuid)); - - // attest the request with the ACA and obtain it's response - System.out.println("----> Sending Attestation Identity Credential Request"); - IdentityResponseEnvelope response = attestIdentityRequest(identityRequest); - if (null == response) { - LOG.error("Provisioning failed. Please refer to the Attestation CA for details."); - return false; - } - - System.out.println("----> Attestation Identity Provisioning succeeded"); - - // activate the identity with the TPM - byte[] credential = activateCredential(response, uuid); - LOG.debug("activated credential with TPM"); - - // create the AIK file and write the credential to the file. - try { - Path identityFile = Files.createFile(Paths.get(certificatesPath, uuid + ".cer")); - Files.write(identityFile, credential); - LOG.debug(String.format("created credential file: %s", identityFile.toString())); - return true; - } catch (IOException e) { - LOG.error(String.format("Error outputting identity credential to %s: %s", - certificatesPath, e.getMessage()), e); - return false; - } - } - - /** - * Uses the TPM instance to take over the TPM ownership, if possible. - */ - void takeOwnership() { - tpm.takeOwnership(); - } - - /** - * Communicates with the configured ACA to obtain it's public key information. - * - * @return the ACA public key - */ - RSAPublicKey getACAPublicKey() { - // request the public key from the ACA - ResponseEntity response = restTemplate.getForEntity(acaPublicKeyURL, byte[].class); - - try { - // use the public key information to create encoded key specification. then create a - X509EncodedKeySpec keySpec = new X509EncodedKeySpec(response.getBody()); - - // create the public key from that specification - return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(keySpec); - } catch (InvalidKeySpecException | NoSuchAlgorithmException e) { - throw new ProvisioningException("Encountered error while create Public Key from " - + "ACA response: " + e.getMessage(), e); - } - } - - /** - * Creates an identity request using the ACA public certificate and an UUID. - * - * @param asymmetricPublicKey that contains the public key information of the ACA - * @param uuid unique identifier - * @param deviceInfoReport the full device info report used by the ACA for provisioning - * @return identity request that can be sent on ward to the ACA for attestation. - */ - IdentityRequestEnvelope createIdentityRequest(final AsymmetricPublicKey asymmetricPublicKey, - final String uuid, final DeviceInfoReport deviceInfoReport) { - try { - // serialize the tpm key - byte[] asymmetricBlob = structConverter.convert(asymmetricPublicKey); - - // collate identity based upon ACA public key and unique id - byte[] request = tpm.collateIdentityRequest(asymmetricBlob, uuid); - - // obtain the endorsement credential - byte[] endorsementCredentialModulus = tpm.getEndorsementCredentialModulus(); - - // obtain full endorsement credential - byte[] endorsementCredential = getEndorsementCredential(); - - // format device info report - byte[] deviceInfoReportBytes = SerializationUtils.serialize(deviceInfoReport); - - LOG.debug("Sending EC of length: " + endorsementCredential.length); - // build up the ACA request - return new SimpleStructBuilder<>(IdentityRequestEnvelope.class) - .set("endorsementCredentialModulus", endorsementCredentialModulus) - .set("endorsementCredential", endorsementCredential) - .set("request", request) - .set("deviceInfoReport", deviceInfoReportBytes) - .build(); - } catch (Exception e) { - throw new ProvisioningException("Encountered exception while creating identity " - + "credential: " + e.getMessage(), e); - } - } - - /** - * Gets endorsement credential from TPM. - * @return the EK from the TPM, or null if there was an error - */ - private byte[] getEndorsementCredential() { - // initialize to a non-null array so struct builder doesn't consider this null. - byte[] endorsementCredential = new byte[] {1}; - try { - endorsementCredential = tpm.getEndorsementCredential(); - System.out.println("----> Got endorsement credential from TPM"); - LOG.debug("Endorsement credential size: " + endorsementCredential.length); - } catch (Exception e) { - LOG.warn("Failed to get endorsement credential from TPM"); - LOG.debug("EK retrieval error", e); - } - return endorsementCredential; - } - - /** - * Attests a given identity request with the configured Attestation Certificate Authority. - * - * @param identityRequest to be attested - * @return the ACA response - */ - IdentityResponseEnvelope attestIdentityRequest(final IdentityRequestEnvelope identityRequest) { - // create HTTP entity wrapper for the identity request - HttpEntity message = new HttpEntity<>(structConverter.convert(identityRequest)); - - // send the identity request to the ACA and receive the identity response. - ResponseEntity response = - restTemplate.exchange(acaIdentityURL, HttpMethod.POST, message, byte[].class); - - byte[] responseBody = response.getBody(); - if (ArrayUtils.isEmpty(responseBody)) { - return null; - } - - // grab the response from the HTTP response - return structConverter.convert(responseBody, IdentityResponseEnvelope.class); - } - - /** - * Activates a given attested identity with the TPM associated by UUID. This UUID must match up - * with the original identity request. - * - * @param response to be activated - * @param uuid of the original identity request - * @return the raw activated credential - */ - byte[] activateCredential(final IdentityResponseEnvelope response, final String uuid) { - // grab both the symmetric and asymmetric from the identity response - byte[] asymmetricContents = response.getAsymmetricContents(); - byte[] symmetricContents = structConverter.convert(response.getSymmetricAttestation()); - - // active the identity with the TPM - return tpm.activateIdentity(asymmetricContents, symmetricContents, uuid); - } - - /** - * Collects the Device Info Report without TPM information, due to not having an identity - * cert yet. - * @return the Device Info Report - */ - DeviceInfoReport getDeviceInfoReport() { - DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - DeviceInfoReport report = null; - try { - System.out.println("----> Collecting device information"); - DeviceInfoCollector deviceInfoCollector = new DeviceInfoCollector(null, false, - CommandLineArguments.getHostName()); - report = (DeviceInfoReport) deviceInfoCollector.collect(request); - } catch (CollectorException e) { - LOG.error("Error collecting device information", e); - } - return report; - } -} diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/package-info.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/client/package-info.java deleted file mode 100644 index 6f40c0e8..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/client/package-info.java +++ /dev/null @@ -1,5 +0,0 @@ -/** - * Defines the interfaces, exceptions, and implementations of classes required to perform client - * provisioning operations. - */ -package hirs.provisioner.client; diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/ProvisionerConfiguration.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/ProvisionerConfiguration.java deleted file mode 100644 index 20c6ae88..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/ProvisionerConfiguration.java +++ /dev/null @@ -1,113 +0,0 @@ -package hirs.provisioner.configuration; - -import org.springframework.beans.factory.BeanInitializationException; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.ComponentScan; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.PropertySource; -import org.springframework.context.annotation.PropertySources; -import org.springframework.context.support.PropertySourcesPlaceholderConfigurer; -import org.springframework.core.io.ClassPathResource; -import org.springframework.web.client.RestTemplate; - -import javax.annotation.PostConstruct; -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import hirs.structs.converters.SimpleStructConverter; -import hirs.structs.converters.StructConverter; -import hirs.tpm.tss.Tpm; -import hirs.tpm.tss.command.CommandTpm; -import hirs.utils.LogConfigurationUtil; - -/** - * Spring Java configuration file that prepares beans for the provisioning application. This - * provides an alternative implementation of the traditional Spring XML application context files. - */ -@Configuration -@PropertySources({ - @PropertySource(value = "classpath:defaults.properties"), - - // detects if file exists, if not, ignore errors - @PropertySource(value = "file:/etc/hirs/provisioner/provisioner.properties", - ignoreResourceNotFound = true) -}) -@ComponentScan("hirs.provisioner") -public class ProvisionerConfiguration { - - /** - * Path to the provisioner properties overrides. By default, these properties mirror those that - * are in the classpath. These properties provide a means for the client to customize the - * provisioner - */ - public static final Path PROVISIONER_PROPERTIES_OVERRIDES = - Paths.get("/etc/hirs/provisioner/provisioner.properties"); - - /** - * @return bean to resolve injected annotation.Value - * property expressions for beans. - */ - @Bean - public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() { - return new PropertySourcesPlaceholderConfigurer(); - } - - /** - * Initialization of the ClientProvisioner. Detects environment and runs configuration methods - * as required. This method is intended to be invoked by the Spring application context. - */ - @PostConstruct - final void initialize() { - try { - LogConfigurationUtil.applyConfiguration(); - } catch (IOException e) { - throw new RuntimeException(e); - } - - // if the properties overrides file doesn't exist (or directories), copy it over. capture - // any exception while doing so and log a warning. - if (!Files.exists(PROVISIONER_PROPERTIES_OVERRIDES)) { - try { - // obtain the embedded properties file - ClassPathResource properties = new ClassPathResource("defaults.properties"); - - // create the directories if they do not exist - Files.createDirectories(PROVISIONER_PROPERTIES_OVERRIDES.getParent()); - - // copy the defaults properties to the overrides location. - Files.copy(properties.getInputStream(), PROVISIONER_PROPERTIES_OVERRIDES); - - } catch (IOException e) { - throw new BeanInitializationException( - "Encountered error while initializing ClientProvisioner configuration: " - + e.getMessage(), e); - } - } - } - - /** - * @return configured ready to use RestTemplate. - */ - @Bean - public RestTemplate restTemplate() { - return new RestTemplate(); - } - - /** - * @return configured ready to use {@link Tpm} - */ - @Bean - public Tpm tpm() { - return new CommandTpm(); - } - - /** - * @return configured ready to use {@link StructConverter} - */ - @Bean - public StructConverter structConverter() { - return new SimpleStructConverter(); - } - -} diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/package-info.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/package-info.java deleted file mode 100644 index aa60f9c8..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * Application configuration files pertaining to Spring's application context. - */ -package hirs.provisioner.configuration; diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/package-info.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/package-info.java deleted file mode 100644 index f9f484e2..00000000 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * This package defines the application entry points. - */ -package hirs.provisioner; diff --git a/HIRS_Provisioner/src/main/resources/defaults.properties b/HIRS_Provisioner/src/main/resources/defaults.properties deleted file mode 100644 index 16091a7f..00000000 --- a/HIRS_Provisioner/src/main/resources/defaults.properties +++ /dev/null @@ -1,29 +0,0 @@ -# Client Provisioner configuration - -# ClientProvisioner files -# root: root location of all provisioner files -# certs: location of certificate files that the provisioner may read or write -provisioner.files.root = /etc/hirs/provisioner -provisioner.files.certs = ${provisioner.files.root}/certs - -# ClientProvisioner ACA connection information -# host: hostname of the ACA -# port: the port number that the ACA is listening on -provisioner.aca.host = localhost -provisioner.aca.port = 8443 - -# ClientProvisioner ACA Context paths -# root: the main url path for the ACA -# key: the context path for the public key servlet -# identity: the context path for the identity request processor servlet -provisioner.aca.path.root = /HIRS_AttestationCA -provisioner.aca.path.key = /public-key -provisioner.aca.path.identity = /identity-request/process - -# ClientProvisioner ACA URL paths -# root: the main url -# key: fully qualified URL for getting ACA public key -# identity: fully qualified URL for processing identity requests -provisioner.aca.url.root = https://${provisioner.aca.host}:${provisioner.aca.port}/${provisioner.aca.path.root} -provisioner.aca.url.key = ${provisioner.aca.url.root}/${provisioner.aca.path.key} -provisioner.aca.url.identity = ${provisioner.aca.url.root}/${provisioner.aca.path.identity} diff --git a/HIRS_Provisioner/src/main/resources/log4j2.xml b/HIRS_Provisioner/src/main/resources/log4j2.xml deleted file mode 100644 index 425d98b6..00000000 --- a/HIRS_Provisioner/src/main/resources/log4j2.xml +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - - - %d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/HIRS_Provisioner/src/test/java/hirs/client/collector/DeviceInfoCollectorTest.java b/HIRS_Provisioner/src/test/java/hirs/client/collector/DeviceInfoCollectorTest.java deleted file mode 100644 index ab3bdafa..00000000 --- a/HIRS_Provisioner/src/test/java/hirs/client/collector/DeviceInfoCollectorTest.java +++ /dev/null @@ -1,376 +0,0 @@ -package hirs.client.collector; - -import org.powermock.api.mockito.PowerMockito; -import org.powermock.core.classloader.annotations.PrepareForTest; -import org.powermock.modules.testng.PowerMockTestCase; -import org.testng.Assert; -import org.testng.annotations.BeforeMethod; -import org.testng.annotations.Test; - -import static org.mockito.Matchers.any; -import static org.mockito.Matchers.anyString; -import static org.mockito.Matchers.eq; -import static org.mockito.Mockito.doReturn; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.times; -import static org.powermock.api.mockito.PowerMockito.when; - -import java.net.InetAddress; -import java.net.NetworkInterface; -import java.util.Enumeration; -import hirs.DeviceInfoReportRequest; -import hirs.collector.CollectorException; -import hirs.data.persist.DeviceInfoReport; -import hirs.data.persist.enums.OSName; - -/** - * Unit tests for DeviceInfoCollector. - */ -@PrepareForTest(DeviceInfoCollector.class) -public class DeviceInfoCollectorTest extends PowerMockTestCase { - - private DeviceInfoCollector collector; - - /** - * Prepares a test environment for each individual test. - * - * @throws CollectorException should not be thrown here as all collection is mocked - */ - @BeforeMethod - public void beforeMethod() throws CollectorException { - collector = spy(new DeviceInfoCollector()); - PowerMockito.mockStatic(DeviceInfoCollector.class); - - // mock out serial number collection as it requires root - when(DeviceInfoCollector.collectDmiDecodeValue( - any(OSName.class), anyString())).thenReturn("some string"); - doReturn("Linux").when(collector).getSystemProperty(eq("os.name")); - } - - /** - * Tests that a DeviceInfoCollector will generate a DeviceInfoReport. - * - * @throws Exception if an error occurs creating mocked output - */ - @Test - public final void testCollect() throws Exception { - final DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - final DeviceInfoReport report = - (DeviceInfoReport) collector.collect(request); - final int numberOfDmiDecodeCalls = 9; - - // the following two lines assert that collectDmiDecodeValue was called 9 times - PowerMockito.verifyStatic(times(numberOfDmiDecodeCalls)); - DeviceInfoCollector.collectDmiDecodeValue(any(OSName.class), anyString()); - - Assert.assertNotNull(report.getNetworkInfo()); - Assert.assertNotNull(report.getOSInfo()); - - // Test the IP address in the report against the system that created it - Enumeration interfaces = - NetworkInterface.getNetworkInterfaces(); - boolean equivalenceFound = false; - while (interfaces.hasMoreElements()) { - NetworkInterface netInt = interfaces.nextElement(); - Enumeration addresses = netInt.getInetAddresses(); - while (addresses.hasMoreElements()) { - InetAddress address = addresses.nextElement(); - if (address.getHostAddress().equals( - report.getNetworkInfo().getIpAddress(). - getHostAddress())) { - equivalenceFound = true; - } - } - } - Assert.assertTrue(equivalenceFound); - } - - - /** - * Tests that hardware and firmware info is set correctly. - * - * @throws CollectorException should not be thrown here as all collection is mocked - */ - @Test - public final void testCollectProperInfo() throws CollectorException { - DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class); - PowerMockito.mockStatic(DeviceInfoCollector.class); - - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-product-name")).thenReturn("Product name"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-serial-number")).thenReturn("Serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-version")).thenReturn("Version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-version")).thenReturn("Bios version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-release-date")).thenReturn("Bios release date"); - - doReturn("Linux").when(mockedCollector).getSystemProperty("os.name"); - - final DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request); - Assert.assertEquals(report.getHardwareInfo().getManufacturer(), - "Manufacturer"); - Assert.assertEquals(report.getHardwareInfo().getProductName(), - "Product name"); - Assert.assertEquals(report.getHardwareInfo().getSystemSerialNumber(), - "Serial number"); - Assert.assertEquals(report.getHardwareInfo().getChassisSerialNumber(), - "Chassis serial number"); - Assert.assertEquals(report.getHardwareInfo().getBaseboardSerialNumber(), - "Baseboard serial number"); - Assert.assertEquals(report.getHardwareInfo().getVersion(), - "Version"); - Assert.assertEquals(report.getFirmwareInfo().getBiosVendor(), - "Bios vendor"); - Assert.assertEquals(report.getFirmwareInfo().getBiosVersion(), - "Bios version"); - Assert.assertEquals(report.getFirmwareInfo().getBiosReleaseDate(), - "Bios release date"); - - } - - /** - * Tests that null hardware info is set to "Not specified". - * - * @throws CollectorException should not be thrown here as all collection is mocked - */ - @Test - public final void testCollectNullHardwareInfo() throws CollectorException { - DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class); - PowerMockito.mockStatic(DeviceInfoCollector.class); - - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-manufacturer")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-product-name")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-serial-number")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "chassis-serial-number")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "baseboard-serial-number")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-version")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-version")).thenReturn("Bios version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-release-date")).thenReturn("Bios release date"); - - doReturn("Linux").when(mockedCollector).getSystemProperty("os.name"); - - final DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request); - - Assert.assertEquals(report.getHardwareInfo().getManufacturer(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getProductName(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getSystemSerialNumber(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getChassisSerialNumber(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getBaseboardSerialNumber(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getVersion(), - DeviceInfoCollector.NOT_SPECIFIED); - - } - - /** - * Tests that empty hardware info is set to "Not specified". - * - * @throws CollectorException should not be thrown here as all collection is mocked - */ - @Test - public final void testCollectEmptyHardwareInfo() throws CollectorException { - DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class); - PowerMockito.mockStatic(DeviceInfoCollector.class); - - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-manufacturer")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-product-name")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-serial-number")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "chassis-serial-number")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "baseboard-serial-number")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-version")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-version")).thenReturn("Bios version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-release-date")).thenReturn("Bios release date"); - - doReturn("Linux").when(mockedCollector).getSystemProperty("os.name"); - - final DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request); - - Assert.assertEquals(report.getHardwareInfo().getManufacturer(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getProductName(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getSystemSerialNumber(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getChassisSerialNumber(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getBaseboardSerialNumber(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getHardwareInfo().getVersion(), - DeviceInfoCollector.NOT_SPECIFIED); - - } - - /** - * Tests that null firmware info is set to "Not specified". - * - * @throws CollectorException should not be thrown here as all collection is mocked - */ - @Test - public final void testCollectNullFirmwareInfo() throws CollectorException { - DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class); - PowerMockito.mockStatic(DeviceInfoCollector.class); - - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-product-name")).thenReturn("Product name"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-serial-number")).thenReturn("Serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-version")).thenReturn("Version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-vendor")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-version")).thenReturn(null); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-release-date")).thenReturn(null); - - doReturn("Linux").when(mockedCollector).getSystemProperty("os.name"); - - final DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request); - - Assert.assertEquals(report.getFirmwareInfo().getBiosVendor(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getFirmwareInfo().getBiosVersion(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getFirmwareInfo().getBiosReleaseDate(), - DeviceInfoCollector.NOT_SPECIFIED); - - } - - /** - * Tests that empty firmware info is set to "Not specified". - * - * @throws CollectorException should not be thrown here as all collection is mocked - */ - @Test - public final void testCollectEmptyFirmwareInfo() throws CollectorException { - DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class); - PowerMockito.mockStatic(DeviceInfoCollector.class); - - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-product-name")).thenReturn("Product name"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-serial-number")).thenReturn("Serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-version")).thenReturn("Version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-vendor")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-version")).thenReturn(""); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-release-date")).thenReturn(""); - - doReturn("Linux").when(mockedCollector).getSystemProperty("os.name"); - - final DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request); - - Assert.assertEquals(report.getFirmwareInfo().getBiosVendor(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getFirmwareInfo().getBiosVersion(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getFirmwareInfo().getBiosReleaseDate(), - DeviceInfoCollector.NOT_SPECIFIED); - - } - - /** - * Tests that null OS info is set to "Not specified". - * - * @throws CollectorException should not be thrown here as all collection is mocked - */ - @Test - public final void testCollectNullOSInfo() throws CollectorException { - DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class); - PowerMockito.mockStatic(DeviceInfoCollector.class); - - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-product-name")).thenReturn("Product name"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-serial-number")).thenReturn("Serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "system-version")).thenReturn("Version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-version")).thenReturn("Bios version"); - when(DeviceInfoCollector.collectDmiDecodeValue( - OSName.LINUX, "bios-release-date")).thenReturn("Bios release date"); - - doReturn("Unknown").when(mockedCollector).getSystemProperty("os.name"); - - final DeviceInfoReportRequest request = new DeviceInfoReportRequest(); - DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request); - - Assert.assertEquals(report.getOSInfo().getDistribution(), - DeviceInfoCollector.NOT_SPECIFIED); - Assert.assertEquals(report.getOSInfo().getDistributionRelease(), - DeviceInfoCollector.NOT_SPECIFIED); - - } - - /** - * Tests that isReportRequestSupported() will return DeviceInfoReportRequest. - */ - @Test - public final void testReportRequestSupported() { - Assert.assertEquals(collector.reportRequestTypeSupported(), DeviceInfoReportRequest.class); - } - -} diff --git a/HIRS_Provisioner/src/test/java/hirs/provisioner/client/RestfulClientProvisionerTest.java b/HIRS_Provisioner/src/test/java/hirs/provisioner/client/RestfulClientProvisionerTest.java deleted file mode 100644 index 70e2309d..00000000 --- a/HIRS_Provisioner/src/test/java/hirs/provisioner/client/RestfulClientProvisionerTest.java +++ /dev/null @@ -1,399 +0,0 @@ -package hirs.provisioner.client; - -import hirs.client.collector.DeviceInfoCollector; -import hirs.data.persist.DeviceInfoReport; -import hirs.data.persist.info.FirmwareInfo; -import hirs.data.persist.info.HardwareInfo; -import hirs.data.persist.info.NetworkInfo; -import hirs.data.persist.info.OSInfo; -import hirs.data.persist.enums.OSName; -import hirs.data.persist.info.TPMInfo; -import hirs.structs.converters.StructConverter; -import hirs.structs.elements.tpm.AsymmetricPublicKey; -import hirs.tpm.tss.Tpm; -import hirs.tpm.tss.command.CommandException; -import hirs.tpm.tss.command.CommandResult; - -import org.mockito.ArgumentCaptor; -import org.mockito.InjectMocks; -import org.mockito.Mock; -import org.mockito.MockitoAnnotations; -import org.powermock.api.mockito.PowerMockito; -import org.powermock.core.classloader.annotations.PrepareForTest; -import org.powermock.modules.testng.PowerMockObjectFactory; -import org.powermock.modules.testng.PowerMockTestCase; -import org.springframework.http.HttpEntity; -import org.springframework.http.HttpMethod; -import org.springframework.http.ResponseEntity; -import org.springframework.test.util.ReflectionTestUtils; -import org.springframework.util.SerializationUtils; -import org.springframework.web.client.RestTemplate; -import org.testng.IObjectFactory; -import org.testng.annotations.ObjectFactory; -import org.testng.annotations.Test; -import org.testng.annotations.BeforeMethod; -import org.testng.annotations.AfterMethod; - -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.interfaces.RSAPublicKey; -import hirs.structs.elements.aca.IdentityRequestEnvelope; -import hirs.structs.elements.aca.IdentityResponseEnvelope; -import hirs.structs.elements.aca.SymmetricAttestation; - -import static org.mockito.Matchers.any; -import static org.mockito.Matchers.eq; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.verifyNoMoreInteractions; -import static org.mockito.Mockito.when; -import static org.testng.Assert.assertEquals; -import static org.testng.Assert.assertNotNull; -import static org.testng.Assert.assertTrue; - -/** - * Test suite for the {@link RestfulClientProvisioner}. - */ -@PrepareForTest(DeviceInfoCollector.class) -public class RestfulClientProvisionerTest extends PowerMockTestCase { - - /** - * Sets up PowerMockito. - * - * @return PowerMockObjectFactory - */ - @ObjectFactory - public IObjectFactory getObjectFactory() { - return new PowerMockObjectFactory(); - } - - private static final String ACA_KEY_URL = "acaKeyUrl"; - - private static final String ACA_IDENTITY_URL = "acaIdentityUrl"; - - @Mock - private Tpm mockTpm; - - @Mock - private StructConverter mockStructConverter; - - @Mock - private RestTemplate mockRestTemplate; - - @InjectMocks - private RestfulClientProvisioner provisioner; - - /*** - * Initializes a unique test environment for each test. - */ - @BeforeMethod - public void setup() { - MockitoAnnotations.initMocks(this); - } - - /** - * Verifies that there were no more additional invocations on the mocks after each test has been - * completed. - */ - @AfterMethod - public void verifyMocks() { - verifyNoMoreInteractions(mockStructConverter, mockRestTemplate, mockTpm); - } - - /** - * Tests {@link RestfulClientProvisioner#takeOwnership()}. - */ - @Test - public void testTakeOwnership() { - // perform test - provisioner.takeOwnership(); - - // verify tpm was used appropriately - verify(mockTpm).takeOwnership(); - } - - /** - * Tests {@link RestfulClientProvisioner#getACAPublicKey()}. - * - * @throws Exception while generating key pair - */ - @Test - @SuppressWarnings("unchecked") - public void testGetACAPublicKey() throws Exception { - // create a key pair generator to generate a temporary RSA key - KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); - keyPairGenerator.initialize(512); - - // create the temporary key - KeyPair keyPair = keyPairGenerator.generateKeyPair(); - RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); - - // assign the ACA identity URL - ReflectionTestUtils.setField(provisioner, "acaPublicKeyURL", ACA_KEY_URL); - - // mock response from the ACA - ResponseEntity responseEntity = mock(ResponseEntity.class); - - // when our rest template is called, just return our mocked response - when(mockRestTemplate.getForEntity(ACA_KEY_URL, byte[].class)).thenReturn(responseEntity); - - // when requesting the response, return our test public key - when(responseEntity.getBody()).thenReturn(publicKey.getEncoded()); - - // perform the actual test - RSAPublicKey result = provisioner.getACAPublicKey(); - - // verify that the key is correct - assertEquals(result.getPublicExponent(), publicKey.getPublicExponent()); - assertEquals(result.getModulus(), publicKey.getModulus()); - - // verify mock interactions - verify(mockRestTemplate).getForEntity(ACA_KEY_URL, byte[].class); - verify(responseEntity).getBody(); - } - - /** - * Tests {@link RestfulClientProvisioner#createIdentityRequest(AsymmetricPublicKey, - * String, DeviceInfoReport)}. - * @throws Exception if there is a problem encountered when mocking - * DeviceInfoCollector - */ - @Test - public void createIdentityCredential() throws Exception { - PowerMockito.spy(DeviceInfoCollector.class); - final InetAddress ipAddress = getTestIpAddress(); - final byte[] macAddress = new byte[] {11, 22, 33, 44, 55, 66}; - - // test parameters - String uuid = "uuid"; - - byte[] asymmetricBlob = new byte[]{1}; - byte[] request = new byte[]{2}; - byte[] ekModulus = new byte[]{3}; - byte[] ek = new byte[]{50}; - - // test specific mocks - AsymmetricPublicKey publicKey = mock(AsymmetricPublicKey.class); - - // when the converter is used to serialize public key, return known blob - when(mockStructConverter.convert(publicKey)).thenReturn(asymmetricBlob); - - // when tpm collate identity is invoked using test blob and uuid, return known request - when(mockTpm.collateIdentityRequest(asymmetricBlob, uuid)).thenReturn(request); - - // return known credential when asked. - when(mockTpm.getEndorsementCredentialModulus()).thenReturn(ekModulus); - when(mockTpm.getEndorsementCredential()).thenReturn(ek); - - - PowerMockito.doReturn("AB12345").when(DeviceInfoCollector.class, - "collectDmiDecodeValue", OSName.LINUX, "system-serial-number"); - - PowerMockito.doReturn("AB12346").when(DeviceInfoCollector.class, - "collectDmiDecodeValue", OSName.LINUX, "chassis-serial-number"); - - // perform test - final DeviceInfoReport deviceInfoReport = new DeviceInfoReport( - new NetworkInfo("test hostname", ipAddress, macAddress), - new OSInfo(), new FirmwareInfo(), new HardwareInfo(), new TPMInfo()); - IdentityRequestEnvelope envelope = provisioner.createIdentityRequest(publicKey, uuid, - deviceInfoReport); - - // validate the identity request - assertEquals(envelope.getEndorsementCredentialModulus(), ekModulus); - assertEquals(envelope.getEndorsementCredentialModulusLength(), ekModulus.length); - assertEquals(envelope.getEndorsementCredential(), ek); - assertEquals(envelope.getEndorsementCredentialLength(), ek.length); - assertEquals(envelope.getRequest(), request); - assertEquals(envelope.getRequestLength(), request.length); - - int deviceInfoReportLength = envelope.getDeviceInfoReportLength(); - assertTrue(deviceInfoReportLength > 0); - assertEquals(envelope.getDeviceInfoReport().length, deviceInfoReportLength); - assertEquals(envelope.getDeviceInfoReport(), - SerializationUtils.serialize(deviceInfoReport)); - - // verify mock interactions - verify(mockStructConverter).convert(publicKey); - verify(mockTpm).collateIdentityRequest(asymmetricBlob, uuid); - verify(mockTpm).getEndorsementCredentialModulus(); - verify(mockTpm).getEndorsementCredential(); - verifyNoMoreInteractions(publicKey); - } - - - /** - * Tests {@link RestfulClientProvisioner#createIdentityRequest(AsymmetricPublicKey, - * String, DeviceInfoReport)}. - * @throws Exception if there is a problem encountered when mocking - * DeviceInfoCollector - */ - @Test - public void createIdentityCredentialEkNotFound() throws Exception { - PowerMockito.spy(DeviceInfoCollector.class); - final InetAddress ipAddress = getTestIpAddress(); - final byte[] macAddress = new byte[] {11, 22, 33, 44, 55, 66}; - - // test parameters - String uuid = "uuid"; - - byte[] asymmetricBlob = new byte[]{1}; - byte[] request = new byte[]{2}; - byte[] ekModulus = new byte[]{3}; - - // test specific mocks - AsymmetricPublicKey publicKey = mock(AsymmetricPublicKey.class); - - // when the converter is used to serialize public key, return known blob - when(mockStructConverter.convert(publicKey)).thenReturn(asymmetricBlob); - - // when tpm collate identity is invoked using test blob and uuid, return known request - when(mockTpm.collateIdentityRequest(asymmetricBlob, uuid)).thenReturn(request); - - // return known credential when asked. - when(mockTpm.getEndorsementCredentialModulus()).thenReturn(ekModulus); - when(mockTpm.getEndorsementCredential()).thenThrow(new CommandException("no good", - new CommandResult("EK not found", -1))); - - - PowerMockito.doReturn("AB12345").when(DeviceInfoCollector.class, - "collectDmiDecodeValue", OSName.LINUX, "system-serial-number"); - - PowerMockito.doReturn("AB12346").when(DeviceInfoCollector.class, - "collectDmiDecodeValue", OSName.LINUX, "chassis-serial-number"); - - // perform test - final DeviceInfoReport deviceInfoReport = new DeviceInfoReport( - new NetworkInfo("test hostname", ipAddress, macAddress), - new OSInfo(), new FirmwareInfo(), new HardwareInfo(), new TPMInfo()); - IdentityRequestEnvelope envelope = provisioner.createIdentityRequest(publicKey, uuid, - deviceInfoReport); - - // validate the identity request - assertEquals(envelope.getEndorsementCredentialModulus(), ekModulus); - assertEquals(envelope.getEndorsementCredentialModulusLength(), ekModulus.length); - assertNotNull(envelope.getEndorsementCredential()); - assertEquals(envelope.getEndorsementCredentialLength(), 1); - assertEquals(envelope.getRequest(), request); - assertEquals(envelope.getRequestLength(), request.length); - - int deviceInfoReportLength = envelope.getDeviceInfoReportLength(); - assertTrue(deviceInfoReportLength > 0); - assertEquals(envelope.getDeviceInfoReport().length, deviceInfoReportLength); - assertEquals(envelope.getDeviceInfoReport(), - SerializationUtils.serialize(deviceInfoReport)); - - // verify mock interactions - verify(mockStructConverter).convert(publicKey); - verify(mockTpm).collateIdentityRequest(asymmetricBlob, uuid); - verify(mockTpm).getEndorsementCredentialModulus(); - verify(mockTpm).getEndorsementCredential(); - verifyNoMoreInteractions(publicKey); - } - - /** - * Tests {@link RestfulClientProvisioner#attestIdentityRequest(IdentityRequestEnvelope)}. - */ - @Test - @SuppressWarnings("unchecked") - public void testAttestIdentityRequest() { - - // create some test variables - byte[] requestBytes = new byte[]{1}; - byte[] responseBytes = new byte[]{2}; - - // create some test mocks - IdentityRequestEnvelope request = mock(IdentityRequestEnvelope.class); - IdentityResponseEnvelope response = mock(IdentityResponseEnvelope.class); - ResponseEntity responseEntity = mock(ResponseEntity.class); - - // assign the ACA identity URL - ReflectionTestUtils.setField(provisioner, "acaIdentityURL", ACA_IDENTITY_URL); - - // the mock converter should serialize the identity request to bytes and likewise - // deserialize the identity response - when(mockStructConverter.convert(request)).thenReturn(requestBytes); - when(mockStructConverter.convert(responseBytes, IdentityResponseEnvelope.class)) - .thenReturn(response); - - // the template should be used to send a post to the assigned url - when(mockRestTemplate.exchange(eq(ACA_IDENTITY_URL), eq(HttpMethod.POST), - any(HttpEntity.class), eq(byte[].class))).thenReturn(responseEntity); - - // the aca response body should be acquired in order to convert into a response object - when(responseEntity.getBody()).thenReturn(responseBytes); - - // perform the test - provisioner.attestIdentityRequest(request); - - // verify converter mock - verify(mockStructConverter).convert(request); - verify(mockStructConverter).convert(responseBytes, IdentityResponseEnvelope.class); - - // setup captor for rest template verification. - ArgumentCaptor argument = ArgumentCaptor.forClass(HttpEntity.class); - - // verify the rest template and capture the argument for the response entity type - verify(mockRestTemplate).exchange(eq(ACA_IDENTITY_URL), eq(HttpMethod.POST), - argument.capture(), eq(byte[].class)); - - // verify response entity body is acquired - verify(responseEntity).getBody(); - - // assert that the http entity object being sent to the aca contained the request bytes - assertEquals(argument.getValue().getBody(), requestBytes); - - // verify test specific mocks had no other unintended interactions - verifyNoMoreInteractions(request, response, responseEntity); - } - - /** - * Tests {@link RestfulClientProvisioner#activateCredential(IdentityResponseEnvelope, - * String)}. - */ - @Test - public void testActivateCredential() { - // create test parameters - String uuid = "uuid"; - byte[] asymmetricContents = new byte[]{1}; - byte[] symmetricContents = new byte[]{2}; - byte[] response = new byte[]{3}; - - // create test specific mocks - IdentityResponseEnvelope envelope = mock(IdentityResponseEnvelope.class); - SymmetricAttestation attestation = mock(SymmetricAttestation.class); - - // both asymmetric and symmetric contents should be obtained - when(envelope.getAsymmetricContents()).thenReturn(asymmetricContents); - when(envelope.getSymmetricAttestation()).thenReturn(attestation); - - // the tpm should be sent both contents and the specified uuid - when(mockTpm.activateIdentity(asymmetricContents, symmetricContents, uuid)) - .thenReturn(response); - - // the symmetric contents need to be converted - when(mockStructConverter.convert(attestation)).thenReturn(symmetricContents); - - // perform the actual test - provisioner.activateCredential(envelope, uuid); - - // verify mock interactions - verify(mockTpm).activateIdentity(asymmetricContents, symmetricContents, uuid); - verify(envelope).getAsymmetricContents(); - verify(envelope).getSymmetricAttestation(); - verify(mockStructConverter).convert(attestation); - - // ensure test specific mocks have no unintended interactions - verifyNoMoreInteractions(envelope, attestation); - } - - private static InetAddress getTestIpAddress() { - try { - return InetAddress.getByAddress(new byte[] {127, 0, 0, 1}); - } catch (UnknownHostException e) { - return null; - } - } -} From c929ee3bb3502e3ee7f3a95f45f04db5f3e4413e Mon Sep 17 00:00:00 2001 From: "iadgovuser26 iadgovuser26@empire.eclipse.ncsc.mil" Date: Wed, 21 Aug 2024 09:44:27 -0400 Subject: [PATCH 2/3] removed tpm_module --- tpm_module/build.gradle | 15 - tpm_module/debian/changelog | 5 - tpm_module/debian/compat | 1 - tpm_module/debian/control | 13 - tpm_module/debian/docs | 0 tpm_module/debian/files | 1 - tpm_module/debian/lintian-overrides | 2 - tpm_module/debian/rules | 7 - tpm_module/debian/source/format | 1 - tpm_module/debian/tpm-module.install | 1 - tpm_module/debian/tpm-module.manpages | 1 - tpm_module/debian/tpm-module.substvars | 2 - tpm_module/libhis_activateidentity.hpp | 224 -- tpm_module/libhis_bind.hpp | 271 -- tpm_module/libhis_changekeyauth.hpp | 316 -- tpm_module/libhis_changeownership.hpp | 109 - tpm_module/libhis_changesrksecret.hpp | 150 - tpm_module/libhis_clearkey.hpp | 167 - tpm_module/libhis_clearnvdata.hpp | 121 - tpm_module/libhis_clearownership.hpp | 83 - tpm_module/libhis_clearpcr.hpp | 122 - tpm_module/libhis_cli.hpp | 3245 ------------------ tpm_module/libhis_collateidentityrequest.hpp | 278 -- tpm_module/libhis_createek.hpp | 70 - tpm_module/libhis_createkey.hpp | 317 -- tpm_module/libhis_errors.txt | 41 - tpm_module/libhis_exception.hpp | 47 - tpm_module/libhis_extendpcr.hpp | 101 - tpm_module/libhis_getkeyblob.hpp | 292 -- tpm_module/libhis_getkeymodulus.hpp | 439 --- tpm_module/libhis_getnvdata.hpp | 182 - tpm_module/libhis_getpcr.hpp | 106 - tpm_module/libhis_getpubkey.hpp | 166 - tpm_module/libhis_getrandombytes.hpp | 71 - tpm_module/libhis_quote.hpp | 436 --- tpm_module/libhis_seal.hpp | 347 -- tpm_module/libhis_setnvdata.hpp | 131 - tpm_module/libhis_sign.hpp | 236 -- tpm_module/libhis_takeownership.hpp | 168 - tpm_module/libhis_unbind.hpp | 270 -- tpm_module/libhis_unseal.hpp | 157 - tpm_module/libhis_utils.hpp | 367 -- tpm_module/libhis_verifysignature.hpp | 224 -- tpm_module/main.cpp | 31 - tpm_module/makefile | 58 - tpm_module/man/tpm_module.1 | 111 - tpm_module/objects.mk | 8 - tpm_module/sources.mk | 27 - tpm_module/subdir.mk | 24 - 49 files changed, 9562 deletions(-) delete mode 100644 tpm_module/build.gradle delete mode 100644 tpm_module/debian/changelog delete mode 100644 tpm_module/debian/compat delete mode 100644 tpm_module/debian/control delete mode 100644 tpm_module/debian/docs delete mode 100644 tpm_module/debian/files delete mode 100644 tpm_module/debian/lintian-overrides delete mode 100755 tpm_module/debian/rules delete mode 100644 tpm_module/debian/source/format delete mode 100644 tpm_module/debian/tpm-module.install delete mode 100644 tpm_module/debian/tpm-module.manpages delete mode 100644 tpm_module/debian/tpm-module.substvars delete mode 100644 tpm_module/libhis_activateidentity.hpp delete mode 100644 tpm_module/libhis_bind.hpp delete mode 100644 tpm_module/libhis_changekeyauth.hpp delete mode 100644 tpm_module/libhis_changeownership.hpp delete mode 100644 tpm_module/libhis_changesrksecret.hpp delete mode 100644 tpm_module/libhis_clearkey.hpp delete mode 100644 tpm_module/libhis_clearnvdata.hpp delete mode 100644 tpm_module/libhis_clearownership.hpp delete mode 100644 tpm_module/libhis_clearpcr.hpp delete mode 100644 tpm_module/libhis_cli.hpp delete mode 100644 tpm_module/libhis_collateidentityrequest.hpp delete mode 100644 tpm_module/libhis_createek.hpp delete mode 100644 tpm_module/libhis_createkey.hpp delete mode 100644 tpm_module/libhis_errors.txt delete mode 100644 tpm_module/libhis_exception.hpp delete mode 100644 tpm_module/libhis_extendpcr.hpp delete mode 100644 tpm_module/libhis_getkeyblob.hpp delete mode 100644 tpm_module/libhis_getkeymodulus.hpp delete mode 100644 tpm_module/libhis_getnvdata.hpp delete mode 100644 tpm_module/libhis_getpcr.hpp delete mode 100644 tpm_module/libhis_getpubkey.hpp delete mode 100644 tpm_module/libhis_getrandombytes.hpp delete mode 100644 tpm_module/libhis_quote.hpp delete mode 100644 tpm_module/libhis_seal.hpp delete mode 100644 tpm_module/libhis_setnvdata.hpp delete mode 100644 tpm_module/libhis_sign.hpp delete mode 100644 tpm_module/libhis_takeownership.hpp delete mode 100644 tpm_module/libhis_unbind.hpp delete mode 100644 tpm_module/libhis_unseal.hpp delete mode 100644 tpm_module/libhis_utils.hpp delete mode 100644 tpm_module/libhis_verifysignature.hpp delete mode 100644 tpm_module/main.cpp delete mode 100644 tpm_module/makefile delete mode 100644 tpm_module/man/tpm_module.1 delete mode 100644 tpm_module/objects.mk delete mode 100644 tpm_module/sources.mk delete mode 100644 tpm_module/subdir.mk diff --git a/tpm_module/build.gradle b/tpm_module/build.gradle deleted file mode 100644 index 25a43c35..00000000 --- a/tpm_module/build.gradle +++ /dev/null @@ -1,15 +0,0 @@ -task make(type: Exec) { - outputs.file 'tpm_module' - inputs.dir fileTree(dir: '.').include('main.cpp').include('*.hpp') - commandLine 'make' -} - -task cleanUp() { - delete 'tpm_module', 'main.d', 'main.o' -} - -task fullBuild(type: GradleBuild) { - tasks = ['cleanUp', 'make'] -} - -build.dependsOn tasks.fullBuild diff --git a/tpm_module/debian/changelog b/tpm_module/debian/changelog deleted file mode 100644 index 34ce9adc..00000000 --- a/tpm_module/debian/changelog +++ /dev/null @@ -1,5 +0,0 @@ -tpm-module (3.11) trusty; urgency=low - - * Initial release - - -- HIRS Thu, 05 Feb 2015 17:44:25 -0500 diff --git a/tpm_module/debian/compat b/tpm_module/debian/compat deleted file mode 100644 index ec635144..00000000 --- a/tpm_module/debian/compat +++ /dev/null @@ -1 +0,0 @@ -9 diff --git a/tpm_module/debian/control b/tpm_module/debian/control deleted file mode 100644 index 39b8d11f..00000000 --- a/tpm_module/debian/control +++ /dev/null @@ -1,13 +0,0 @@ -Source: tpm-module -Section: admin -Priority: optional -Maintainer: HIRS -Build-Depends: debhelper (>= 9) -Standards-Version: 3.9.5 - -Package: tpm-module -Architecture: amd64 -Depends: ${shlibs:Depends}, ${misc:Depends}, tpm-tools, libtspi1 -Description: HIRS TPM Module - Allows for interaction with TPMs. - diff --git a/tpm_module/debian/docs b/tpm_module/debian/docs deleted file mode 100644 index e69de29b..00000000 diff --git a/tpm_module/debian/files b/tpm_module/debian/files deleted file mode 100644 index 97b7ba85..00000000 --- a/tpm_module/debian/files +++ /dev/null @@ -1 +0,0 @@ -tpm-module_3.11_amd64.deb admin optional diff --git a/tpm_module/debian/lintian-overrides b/tpm_module/debian/lintian-overrides deleted file mode 100644 index 1f832eeb..00000000 --- a/tpm_module/debian/lintian-overrides +++ /dev/null @@ -1,2 +0,0 @@ -# Ignore lintian error about incorrectly formatted copyright file -tpm-module binary: copyright-should-refer-to-common-license-file-for-lgpl \ No newline at end of file diff --git a/tpm_module/debian/rules b/tpm_module/debian/rules deleted file mode 100755 index d590aa1b..00000000 --- a/tpm_module/debian/rules +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/make -f -# -*- makefile -*- - -export DH_VERBOSE=1 - -%: - dh $@ diff --git a/tpm_module/debian/source/format b/tpm_module/debian/source/format deleted file mode 100644 index 89ae9db8..00000000 --- a/tpm_module/debian/source/format +++ /dev/null @@ -1 +0,0 @@ -3.0 (native) diff --git a/tpm_module/debian/tpm-module.install b/tpm_module/debian/tpm-module.install deleted file mode 100644 index 64cb5535..00000000 --- a/tpm_module/debian/tpm-module.install +++ /dev/null @@ -1 +0,0 @@ -src/tpm_module usr/bin diff --git a/tpm_module/debian/tpm-module.manpages b/tpm_module/debian/tpm-module.manpages deleted file mode 100644 index dcac6fc0..00000000 --- a/tpm_module/debian/tpm-module.manpages +++ /dev/null @@ -1 +0,0 @@ -debian/tpm_module.1 diff --git a/tpm_module/debian/tpm-module.substvars b/tpm_module/debian/tpm-module.substvars deleted file mode 100644 index 491e44be..00000000 --- a/tpm_module/debian/tpm-module.substvars +++ /dev/null @@ -1,2 +0,0 @@ -shlibs:Depends=libc6 (>= 2.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.4.0), libtspi1 (>= 0.3.1) -misc:Depends= diff --git a/tpm_module/libhis_activateidentity.hpp b/tpm_module/libhis_activateidentity.hpp deleted file mode 100644 index 77b891fd..00000000 --- a/tpm_module/libhis_activateidentity.hpp +++ /dev/null @@ -1,224 +0,0 @@ -#ifndef libhis_activateidentity_hpp -#define libhis_activateidentity_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_activateidentity -{ -public: - libhis_activateidentity() - { - //set default values - init_ik_size = TSS_KEY_SIZE_DEFAULT; - init_ik_type = TSS_KEY_TYPE_IDENTITY; - init_ik_authorized = TSS_KEY_AUTHORIZATION; - init_ik_migratable = TSS_KEY_NOT_MIGRATABLE; - init_ik_volatile = TSS_KEY_VOLATILE; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create IK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Create IK Policy", result); - } - - void init() - { - //combine the init flags - init_ik = init_ik_size | init_ik_type | init_ik_authorized | init_ik_migratable | init_ik_volatile; - - //Create IK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_ik, &hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Create IK", result); - - binitialized = true; - } - - void activateidentity( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_ik_value, - unsigned long auth_ik_size, - bool auth_ik_sha1, - unsigned char *asym_value, - unsigned long asym_size, - unsigned char *sym_value, - unsigned long sym_size, - unsigned char *uuid_ik_value, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the IK UUID - hextouuid(uuid_ik_value, uuid_ik); - - //Get the IK by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Get IK by UUID", result); - - //set up IK auth - if(auth_ik_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result); - } - - //assign the IK auth - result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result); - - //Unwrap the IK - result = Tspi_Key_LoadKey(hkey_ik, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result); - - //Activate identity - BYTE *value; - UINT32 size; - result = Tspi_TPM_ActivateIdentity(htpm, hkey_ik, asym_size, asym_value, sym_size, sym_value, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Activate identity", result); - - //Copy memory because TSS uses malloc and free, but we're using new and delete - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - { - output_value[i] = value[i]; - } - - //clean up the TSS data -- CANNOT DO THIS; TSS MEMORY LEAK? - //result = Tspi_Context_FreeMemory(hcontext, value); - //if(result != TSS_SUCCESS) throw libhis_exception("Cleanup identity credential", result); - - return; - } - - ~libhis_activateidentity() - { - //clean up IK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Close IK Policy", result); - - if(binitialized) - { - //clean up IK - result = Tspi_Context_CloseObject(hcontext, hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Close IK", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_ik; - TSS_HPOLICY hpolicy_tpm, - hpolicy_srk, - hpolicy_ik; - TSS_UUID uuid_ik; - UINT32 init_ik, - init_ik_size, - init_ik_type, - init_ik_authorized, - init_ik_migratable, - init_ik_volatile; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_bind.hpp b/tpm_module/libhis_bind.hpp deleted file mode 100644 index 251e9379..00000000 --- a/tpm_module/libhis_bind.hpp +++ /dev/null @@ -1,271 +0,0 @@ -#ifndef libhis_bind_hpp -#define libhis_bind_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_bind -{ -public: - libhis_bind() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - init_key_scheme = 0; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - - //Create ENCData object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result); - - //Create ENCData policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result); - } - - void initbind(unsigned int in_size, unsigned int in_scheme) - { - //set the type - init_key_type = TSS_KEY_TYPE_BIND; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //set the encryption scheme - if(in_scheme == 0) - init_key_scheme = TSS_ES_RSAESPKCSV15; - else if(in_scheme == 1) - init_key_scheme = TSS_ES_RSAESOAEP_SHA1_MGF1; - else if(in_scheme == 2) - init_key_scheme = TSS_ES_SYM_CNT; - else if(in_scheme == 3) - init_key_scheme = TSS_ES_SYM_OFB; - else if(in_scheme == 4) - init_key_scheme = TSS_ES_SYM_CBC_PKCS5PAD; - else - init_key_scheme = TSS_ES_NONE; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - //Set the encryption scheme - result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME, init_key_scheme); - if(result != TSS_SUCCESS) throw libhis_exception("Set encryption scheme", result); - - binitialized = true; - } - - void bind( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *auth_enc_value, - unsigned long auth_enc_size, - bool auth_enc_sha1, - unsigned char *uuid_key_value, - unsigned char *hash_value, - unsigned long hash_size, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //Unwrap the key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //set up ENCData auth - if(auth_enc_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result); - } - - //assign the ENCData auth - result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result); - - //bind data - result = Tspi_Data_Bind(hencdata, hkey_key, hash_size, hash_value); - if(result != TSS_SUCCESS) throw libhis_exception("Bind", result); - - //Get the bound data blob - BYTE *value; - UINT32 size; - result = Tspi_GetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Get bound data blob", result); - - //copy over memory - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_value[i] = value[i]; - - //clean up dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result); - } - - ~libhis_bind() - { - //clean up ENCData policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result); - - //Clean up ENCData - result = Tspi_Context_CloseObject(hcontext, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result); - - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key; - TSS_HPOLICY hpolicy_srk, - hpolicy_key, - hpolicy_enc; - TSS_UUID uuid_key; - TSS_HENCDATA hencdata; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile, - init_key_scheme; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_changekeyauth.hpp b/tpm_module/libhis_changekeyauth.hpp deleted file mode 100644 index 8a06eaca..00000000 --- a/tpm_module/libhis_changekeyauth.hpp +++ /dev/null @@ -1,316 +0,0 @@ -#ifndef libhis_changekeyauth_hpp -#define libhis_changekeyauth_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_changekeyauth -{ -public: - libhis_changekeyauth() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - - //Create new policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Create New Policy", result); - } - - void initidentity() - { - //set the type - init_key_type = TSS_KEY_TYPE_IDENTITY; - - //set the key size - init_key_size = TSS_KEY_SIZE_DEFAULT; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initsign(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_SIGNING; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initbind(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_BIND; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initstorage(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_STORAGE; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void changekeyauth( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *uuid_key_value, - unsigned char *auth_new_value, - unsigned long auth_new_size, - bool auth_new_sha1) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up Key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set Key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set Key Secret Plain", result); - } - - //assign the Key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign Key Secret", result); - - //set up new auth - if(auth_new_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_SHA1, auth_new_size, auth_new_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_PLAIN, auth_new_size, auth_new_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret Plain", result); - } - - //change the Key secret - result = Tspi_ChangeAuth(hkey_key, hkey_srk, hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Change Key Secret", result); - - try - { - //save key - result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Save key By UUID", result); - } - catch(libhis_exception &e) - { - //Unregister the existing key - result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_unregister); - if(result != TSS_SUCCESS) throw libhis_exception("Unregister slot", result); - - //Register a new key - result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Resave key By UUID", result); - } - - return; - } - - ~libhis_changekeyauth() - { - //clean up new policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Close New Policy", result); - - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key, - hkey_unregister; - TSS_HPOLICY hpolicy_srk, - hpolicy_key, - hpolicy_new; - TSS_UUID uuid_key; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile, - init_key_scheme; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_changeownership.hpp b/tpm_module/libhis_changeownership.hpp deleted file mode 100644 index eb60fa21..00000000 --- a/tpm_module/libhis_changeownership.hpp +++ /dev/null @@ -1,109 +0,0 @@ -#ifndef libhis_changeownership_hpp -#define libhis_changeownership_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_changeownership -{ -public: - libhis_changeownership() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create new policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Create New Policy", result); - } - - void changeownership( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *auth_new_value, - unsigned long auth_new_size, - bool auth_new_sha1) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result); - - //set up new auth - if(auth_new_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_SHA1, auth_new_size, auth_new_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_PLAIN, auth_new_size, auth_new_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret Plain", result); - } - - //change the TPM secret - result = Tspi_ChangeAuth(htpm, 0, hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Change TPM Secret", result); - - return; - } - - ~libhis_changeownership() - { - //clean up new policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Close New Policy", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPOLICY hpolicy_tpm, - hpolicy_new; -}; - -#endif diff --git a/tpm_module/libhis_changesrksecret.hpp b/tpm_module/libhis_changesrksecret.hpp deleted file mode 100644 index 27fe2f49..00000000 --- a/tpm_module/libhis_changesrksecret.hpp +++ /dev/null @@ -1,150 +0,0 @@ -#ifndef libhis_changesrksecret_hpp -#define libhis_changesrksecret_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_changesrksecret -{ -public: - libhis_changesrksecret() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create new policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Create New Policy", result); - } - - void changesrksecret(unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_new_value, - unsigned long auth_new_size, - bool auth_new_sha1) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //set up new auth - if(auth_new_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_SHA1, auth_new_size, auth_new_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_PLAIN, auth_new_size, auth_new_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret Plain", result); - } - - //change the SRK secret - result = Tspi_ChangeAuth(hkey_srk, htpm, hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Change SRK Secret", result); - - return; - } - - ~libhis_changesrksecret() - { - //clean up new policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_new); - if(result != TSS_SUCCESS) throw libhis_exception("Close New Policy", result); - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk; - TSS_HPOLICY hpolicy_tpm, - hpolicy_srk, - hpolicy_new; -}; - -#endif diff --git a/tpm_module/libhis_clearkey.hpp b/tpm_module/libhis_clearkey.hpp deleted file mode 100644 index e96b2ece..00000000 --- a/tpm_module/libhis_clearkey.hpp +++ /dev/null @@ -1,167 +0,0 @@ -#ifndef libhis_clearkey_hpp -#define libhis_clearkey_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_clearkey -{ -public: - libhis_clearkey() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - } - - void clearkey( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *uuid_key_value) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //Unwrap the key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //Unregister the existing key - result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Unregister uuid", result); - - return; - } - - ~libhis_clearkey() - { - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key; - TSS_HPOLICY hpolicy_srk, - hpolicy_key; - TSS_UUID uuid_key; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile, - init_key_scheme; -}; - -#endif diff --git a/tpm_module/libhis_clearnvdata.hpp b/tpm_module/libhis_clearnvdata.hpp deleted file mode 100644 index 96404047..00000000 --- a/tpm_module/libhis_clearnvdata.hpp +++ /dev/null @@ -1,121 +0,0 @@ -#ifndef libhis_clearnvdata_hpp -#define libhis_clearnvdata_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_clearnvdata -{ -public: - libhis_clearnvdata() - { - //set defaults - nvstore_index = 0; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create NVSTore object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_NV, 0, &hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Create NVStore object", result); - } - - void clearnvdata( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned long nv_index) - { - //set up the index value - if(nv_index == 0) - nvstore_index = TPM_NV_INDEX_EKCert; - else if(nv_index == 1) - nvstore_index = TPM_NV_INDEX_TPM_CC; - else if(nv_index == 2) - nvstore_index = TPM_NV_INDEX_PlatformCert; - else if(nv_index == 3) - nvstore_index = TPM_NV_INDEX_Platform_CC; - else - nvstore_index = nv_index; - - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //assign the TPM auth to the NVStore - result = Tspi_Policy_AssignToObject(hpolicy_tpm, hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to NVStore", result); - - //force NVData to be readable by the owner only - result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_PERMISSIONS, 0, TPM_NV_PER_OWNERREAD | TPM_NV_PER_OWNERWRITE); - if(result != TSS_SUCCESS) throw libhis_exception("Requier owner auth on NVStore read/write", result); - - //set the read address - result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_INDEX, 0, nvstore_index); - if(result != TSS_SUCCESS) throw libhis_exception("Set NVStore index", result); - - //clear the nvstore space - result = Tspi_NV_ReleaseSpace(hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Clear data at NVStore index", result); - } - - ~libhis_clearnvdata() - { - //clean up NVStore - result = Tspi_Context_CloseObject(hcontext, hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Close NVStore object", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPOLICY hpolicy_tpm; - TSS_HNVSTORE hnvstore; - UINT32 nvstore_index; -}; - -#endif diff --git a/tpm_module/libhis_clearownership.hpp b/tpm_module/libhis_clearownership.hpp deleted file mode 100644 index ce7bf1c2..00000000 --- a/tpm_module/libhis_clearownership.hpp +++ /dev/null @@ -1,83 +0,0 @@ -#ifndef libhis_clearownership_hpp -#define libhis_clearownership_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_clearownership -{ -public: - libhis_clearownership() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - } - - void clearownership( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result); - - //clear the TPM owner - result = Tspi_TPM_ClearOwner(htpm, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Clear Ownership", result); - } - - ~libhis_clearownership() - { - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPOLICY hpolicy_tpm; -}; - -#endif diff --git a/tpm_module/libhis_clearpcr.hpp b/tpm_module/libhis_clearpcr.hpp deleted file mode 100644 index f6feac7f..00000000 --- a/tpm_module/libhis_clearpcr.hpp +++ /dev/null @@ -1,122 +0,0 @@ -#ifndef libhis_clearpcr_hpp -#define libhis_clearpc_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_clearpcr -{ -public: - libhis_clearpcr() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create PCRS object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_SHORT, &hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result); - } - - void clearpcr( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *mask) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //set up mask - bool bitmask[24]; - for(short i = 0; i < 24; i++) - bitmask[i] = 0; - masktobitmask(mask, bitmask); - - //collect the PCR values - UINT32 temp_size; - BYTE *temp_value; - for(unsigned long i = 0; i < 24; i++) - { - if(bitmask[i]) - { - result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result); - - result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result); - - result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - result = Tspi_Context_FreeMemory(hcontext, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result); - } - } - - //clear PCR value - result = Tspi_TPM_PcrReset(htpm, hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Reset PCRs", result); - - return; - } - - ~libhis_clearpcr() - { - //clean up PCRS - result = Tspi_Context_CloseObject(hcontext, hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPOLICY hpolicy_tpm; - TSS_HPCRS hpcrs; -}; - -#endif diff --git a/tpm_module/libhis_cli.hpp b/tpm_module/libhis_cli.hpp deleted file mode 100644 index 50e49067..00000000 --- a/tpm_module/libhis_cli.hpp +++ /dev/null @@ -1,3245 +0,0 @@ -#ifndef libhis_cli_hpp -#define libhis_cli_hpp - -#include "libhis_takeownership.hpp" -#include "libhis_changeownership.hpp" -#include "libhis_clearownership.hpp" -#include "libhis_createek.hpp" -#include "libhis_changesrksecret.hpp" -#include "libhis_collateidentityrequest.hpp" -#include "libhis_activateidentity.hpp" -#include "libhis_quote.hpp" -#include "libhis_seal.hpp" -#include "libhis_unseal.hpp" -#include "libhis_getrandombytes.hpp" -#include "libhis_createkey.hpp" -#include "libhis_changekeyauth.hpp" -#include "libhis_getkeyblob.hpp" -#include "libhis_getkeymodulus.hpp" -#include "libhis_getpubkey.hpp" -#include "libhis_clearkey.hpp" -#include "libhis_getpcr.hpp" -#include "libhis_extendpcr.hpp" -#include "libhis_clearpcr.hpp" -#include "libhis_setnvdata.hpp" -#include "libhis_getnvdata.hpp" -#include "libhis_clearnvdata.hpp" -#include "libhis_sign.hpp" -#include "libhis_verifysignature.hpp" -#include "libhis_bind.hpp" -#include "libhis_unbind.hpp" - -#include "libhis_exception.hpp" - -#include -#include -#include -#include -#include -#include - -#ifdef LINUX - #include - #include -#endif - -using namespace std; - -/************************************************************************* - GLOBAL CONSTANT BLOCK - *************************************************************************/ -const char cVersion[] = "3.13"; //identify the source revision -const char cTpmVersion[] = "1.2"; //identify the tpm spec level supported - -/** - * - * @param argumentCount - * @param argumentValues - */ -class libhis_cli -{ -/************************************************************************* - PUBLIC FUNCTION BLOCK - *************************************************************************/ -public: - /** - * Constructor tasked with initializing the class. You must run this - * first followed by the cli function. The rest is controlled by command - * inputs. - * @param argumentCount - * @param argumentValues - */ - libhis_cli(int argumentCount, char **argumentValues) - { - //set defaults - bdebug = false; - blog = false; - bhelp = false; - bmode = false; - bversion = false; - bzeros = false; - breadable = false; - imode = 0; - iresult = 0; - - //associate inputs - argc = argumentCount; - argv = argumentValues; - - //populate booleans - for(int i = 0; i < argc; i++) - { - if(strcasecmp(argv[i], "-h") == 0 || strcasecmp(argv[i], "-help") == 0 || strcasecmp(argv[i], "--help") == 0) - bhelp = true; - if(strcasecmp(argv[i], "-r") == 0 || strcasecmp(argv[i], "-readable") == 0 || strcasecmp(argv[i], "--readable") == 0) - breadable = true; - else if(strcasecmp(argv[i], "-d") == 0 || strcasecmp(argv[i], "-debug") == 0 || strcasecmp(argv[i], "--debug") == 0) - bdebug = true; - else if(strcasecmp(argv[i], "-f") == 0 || strcasecmp(argv[i], "-file") == 0 || strcasecmp(argv[i], "--log") == 0) - blog = true; - else if(strcasecmp(argv[i], "-m") == 0 || strcasecmp(argv[i], "-mode") == 0 || strcasecmp(argv[i], "--mode") == 0) - { - i++; //step i forward - if(i < argc && atoi(argv[i]) > 0) //check bounds and positive mode value - { - imode = atoi(argv[i]); - bmode = true; - } - else - bmode = false; - } - else if(strcasecmp(argv[i], "-v") == 0 || strcasecmp(argv[i], "-version") == 0 || strcasecmp(argv[i], "--version") == 0) - bversion = true; - else if(strcasecmp(argv[i], "-z") == 0 || strcasecmp(argv[i], "-zeros") == 0 || strcasecmp(argv[i], "--zeros") == 0) - bzeros = true; - } - } - - /** - * Worker function that actually accomplishes stuff. This function will - * return a result code. - * @return - */ - unsigned long cli() - { - try - { - if(bversion) - cout << cVersion << endl; - else - { - if(bmode) - { - switch(imode) - { - //valid mode handling cases - case 1: - takeownership(); - break; - case 2: - changeownership(); - break; - case 3: - clearownership(); - break; - case 4: - createek(); - break; - case 5: - changesrksecret(); - break; - case 6: - collateidentityrequest(); - break; - case 7: - activateidentity(); - break; - case 8: - quote(); - break; - case 9: - quote2(); - break; - case 10: - seal(); - break; - case 11: - seal2(); - break; - case 12: - unseal(); - break; - case 13: - getrandombytes(); - break; - case 14: - createkey(); - break; - case 15: - changekeyauth(); - break; - case 16: - getkeyblob(); - break; - case 17: - getmodulus(); - break; - case 18: - clearkey(); - break; - case 19: - getpcr(); - break; - case 20: - extendpcr(); - break; - case 21: - clearpcr(); - break; - case 22: - setnvdata(); - break; - case 23: - getnvdata(); - break; - case 24: - clearnvdata(); - break; - case 25: - sign(); - break; - case 26: - verifysignature(); - break; - case 27: - bind(); - break; - case 28: - unbind(); - break; - case 29: - getpubkey(); - break; - - //catch everything else case - default: - throw libhis_exception("Invalid mode argument", 300); - } - } - else - printHelp(); - } - } - catch(libhis_exception &e) - { - iresult = e.result; //update the return code - - if(bdebug) //print out error message if debugging is on - { - cerr << e.what() << ' ' << e.result << endl; - error_helper(e.result); - } - - if(blog) //write error file if logging is on - { - try - { - //set up the output file - fstream file; - file.open("tpm_module.txt", fstream::out | fstream::app); - if(!file.is_open()) throw libhis_exception("Can't open log file", 290); - - //set up a time object to put in the output file - time_t rawtime; - struct tm* timeinfo; - time(&rawtime); - timeinfo = localtime(&rawtime); - - //write exception information - file << e.what() << ' ' << e.result << ' ' << asctime(timeinfo); - - //close output file - file.close(); - } - catch(exception f) - { - //tell the user something went wrong with the output file - cerr << "Output error: " << f.what() << endl; - iresult += 100000; - } - } - } - - return iresult; //careful -- sometimes Linux mucks with this value - } - - /** - * Default destructor. Nothing to do. - */ - ~libhis_cli() - { - } - -/************************************************************************* - PRIVATE VARIABLE BLOCK - *************************************************************************/ -private: - enum authType - { - AUTH_NEW, - AUTH_TPM, - AUTH_SRK, - AUTH_IK, - AUTH_SIGN, - AUTH_BIND, - AUTH_STOR, - AUTH_ENC, - AUTH_KEY - }; - - enum keyType - { - KEY_EK, - KEY_SRK, - KEY_IK, - KEY_STOR, - KEY_BIND, - KEY_SIGN - }; - - bool bdebug, - blog, - bhelp, - bmode, - bversion, - bzeros, - breadable; - int imode, - argc; - char **argv; - - unsigned long iresult; - -/************************************************************************* - PRIVATE FUNCTION BLOCK - *************************************************************************/ - /* - * Print Help - * Tell the user about everything they can do with this program. - */ - void printHelp() - { - cout << "TPM (Trusted Platform Module) Module" << endl - << " Version is " << cVersion << endl - << " TPM spec support level is " << cTpmVersion << endl - << endl - << "Mode List:" << endl - << " 1 Take Ownership of TPM" << endl - << " 2 Change Owner Authorization Data" << endl - << " 3 Clear Ownership (Disables TPM)" << endl - << " 4 Create EK" << endl - << " 5 Change SRK Authorization Data" << endl - << " 6 Collate Identity Request (Create Identity Key)" << endl //check - << " 7 Activate Identity (Create Identity Key Certificate)" << endl //check - << " 8 Quote" << endl - << " 9 Quote 2" << endl - << " 10 Seal Data (Encrypt Data to Current Platform State)" << endl - << " 11 Seal 2 (Seal Against Future PCRs)" << endl - << " 12 Unseal Data" << endl - << " 13 Generate Random Bytes" << endl - << " 14 Create Signing, Binding, or Storage Key" << endl - << " 15 Change Key Authorization Data" << endl - << " 16 Get Keyblob" << endl - << " 17 Get Key Modulus" << endl - << " 18 Clear Key" << endl - << " 19 Get PCR" << endl - << " 20 Extend PCR (Update PCR Value)" << endl - << " 21 Clear PCR" << endl //locality - << " 22 Set NVRAM Data" << endl //check - << " 23 Get NVRAM Data" << endl //check - << " 24 Clear NVRAM Data" << endl //check - << " 25 Sign Data" << endl - << " 26 Verify Signed Data" << endl - << " 27 Bind" << endl - << " 28 Unbind" << endl - << " 29 Get Public Key" << endl - << endl - << "Default Commands List:" << endl - << " -m | -mode Set a mode from list above" << endl - << " -h | -help Display help, can combine with mode" << endl - << " -v | -version Display software version info" << endl - << " -d | -debug Enable console debugging" << endl - << " -f | -file Write debugging info to file" << endl - << " -z | -zeros Automatically fills in auth data with zeros" << endl - << " -r | -readable Make output human-readable with delimeters" << endl - << " -nr | -nonce_random Populate nonce with TPM's random byte generator" << endl - << endl - << "Example Commands:" << endl - << " Take ownership of TPM using a specific nonce and zeros for auth data:" << endl - << " tpm_module -m 1 -n 0123456789012345678901234567890123456789 -z" << endl - << endl - << " Get help with collate identity request" << endl - << " tpm_module -m 6 -h" << endl - << endl - << " Generate a quote2 using the first 16 PCRs, random nonce, identity key with" << endl - << " simple UUID, awful password, and omitted srk auth as zeros:" << endl - << " tpm_module -m 9 -p ffff00 -nr -u 00000000-0000-0000-0000-040000000001" << endl - << " -authp_ik password -z" << endl - << endl; - } - - unsigned char* hexToBin(char *input) - { - //every hex string must have an even number of characters - if((strlen(input) % 2) != 0) throw libhis_exception("Hex to Bin Invalid Length", 310); - - unsigned char *array = new unsigned char[(strlen(input) / 2)]; //new byte array - unsigned long value = 0; //variable to store hex value - - for(unsigned long i = 0; i < (strlen(input) / 2); i++) - { - //check first character - if(input[i*2] >= 48 && input[i*2] <= 57) - { - value = (input[i*2] - 48) * 16; - } - else if(input[i*2] >= 65 && input[i*2] <= 70) - { - value = (input[i*2] - 55) * 16; - } - else if(input[i*2] >= 97 && input[i*2] <= 102) - { - value = (input[i*2] - 87) * 16; - } - else - { //validation failure so return null - delete [] array; - throw libhis_exception("Hex to Bin Character Validation Error", 311); - } - - //check second character - if(input[i*2+1] >= 48 && input[i*2+1] <= 57) - { - value += input[i*2+1] - 48; - } - else if(input[i*2+1] >= 65 && input[i*2+1] <= 70) - { - value += input[i*2+1] - 55; - } - else if(input[i*2+1] >= 97 && input[i*2+1] <= 102) - { - value += input[i*2+1] - 87; - } - else - { //validation failure so return null - delete [] array; - throw libhis_exception("Hex to Bin Character Validation Error", 312); - } - - array[i] = value; //set the byte values - } - - return array; //success! - } - - void setupAuth(unsigned char *&value, unsigned long &size, bool &sha1, authType aType) - { - //loop over the argument array and return when match found - for(int i = 0; i < argc; i++) - { - switch(aType) - { - case AUTH_NEW: - { - if(strcasecmp(argv[i], "-authp_new") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_new") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_TPM: - { - if(strcasecmp(argv[i], "-authp_tpm") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_tpm") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_SRK: - { - if(strcasecmp(argv[i], "-authp_srk") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_srk") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_IK: - { - if(strcasecmp(argv[i], "-authp_ik") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_ik") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_SIGN: - { - if(strcasecmp(argv[i], "-authp_sign") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_sign") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_BIND: - { - if(strcasecmp(argv[i], "-authp_bind") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_bind") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_STOR: - { - if(strcasecmp(argv[i], "-authp_stor") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_stor") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_ENC: - { - if(strcasecmp(argv[i], "-authp_enc") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_enc") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - case AUTH_KEY: - { - if(strcasecmp(argv[i], "-authp_key") == 0 && (i + 1) < argc) - { - value = (unsigned char*)argv[i + 1]; - size = strlen(argv[i + 1]); - sha1 = false; - return; - } - else if(strcasecmp(argv[i], "-auths_key") == 0 && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - value = hexToBin(argv[i + 1]); - size = 20; - sha1 = true; - return; - } - break; - } - } - } - - if(bzeros) - { - //if we made it here then default to well known secret - value = new unsigned char[20]; - for(short i = 0; i < 20; i++) value[i] = 0x00; - size = 20; - sha1 = true; - return; - } - - //if we made it here then auth or zeros wasn't set - throw libhis_exception("Auth argument missing", 320 + aType); - } - - void setupNonce(unsigned char *&nonce) - { - //loop over the argument array and return when match found - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-n") == 0 || strcasecmp(argv[i], "-nonce") == 0) && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - nonce = hexToBin(argv[i + 1]); - return; - } - else if((strcasecmp(argv[i], "-nr") == 0 || strcasecmp(argv[i], "-nonce_random") == 0)) - { - libhis_getrandombytes temp; - temp.getrandombytes(20, nonce); - return; - } - } - - //we got here only if no nonce was provided so throw exception - throw libhis_exception("Nonce argument missing", 330); - } - - void setupOverwrite(bool &boverwrite) - { - for(int i = 0; i < argc; i++) - { - if(strcasecmp(argv[i], "-o") == 0 || strcasecmp(argv[i], "-overwrite") == 0) - boverwrite = true; - } - - return; - } - - void setupUUID(unsigned char *&uuid) - { - //find uuid - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-u") == 0 || strcasecmp(argv[i], "-uuid") == 0)) && i + 1 < argc && strlen(argv[i + 1]) == 36) - { - uuid = (unsigned char*)argv[i + 1]; - return; - } - } - - //can only get here if a UUID is not provided - throw libhis_exception("UUID argument missing", 340); - } - - void setupMask(unsigned char *&mask) - { - //find mask - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-pcrs") == 0)) && i + 1 < argc && strlen(argv[i + 1]) == 6) - { - mask = (unsigned char*)argv[i + 1]; - return; - } - } - - //can only get here if a mask is not provided - throw libhis_exception("PCRS argument missing", 350); - } - - void setupKeyType(int &keytype) - { - //find key type - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-t") == 0 || strcasecmp(argv[i], "-type") == 0) && i + 1 < argc) - { - if(strcasecmp(argv[i+1], "sign") == 0) - keytype = KEY_SIGN; - else if(strcasecmp(argv[i+1], "bind") == 0) - keytype = KEY_BIND; - else if(strcasecmp(argv[i+1], "identity") == 0 || strcasecmp(argv[i+1], "ik") == 0 || strcasecmp(argv[i+1], "aik") == 0) - keytype = KEY_IK; - else if(strcasecmp(argv[i+1], "storage") == 0 || strcasecmp(argv[i+1], "stor") == 0) - keytype = KEY_STOR; - else if(strcasecmp(argv[i+1], "ek") == 0) - keytype = KEY_EK; - else if(strcasecmp(argv[i+1], "srk") == 0) - keytype = KEY_SRK; - else throw libhis_exception("Key type argument invalid", 411); - - return; - } - } - - //can only get here if a key type is not provided - throw libhis_exception("Key type argument missing", 360); - } - - void setupLength(unsigned long &length, int keytype) - { - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-l") == 0 || strcasecmp(argv[i], "-length") == 0) && i + 1 < argc) - { - length = atoi(argv[i + 1]); - return; - } - } - - if(keytype != KEY_IK) - { - //can only get here if a key length is not provided - //throw libhis_exception("Key length argument missing", 370); - length = 2048; //default to 2048 length - } - } - - void setupScheme(unsigned long &scheme, int keytype) - { - //find key scheme - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-s") == 0 || strcasecmp(argv[i], "-scheme") == 0)) && i + 1 < argc) - { - if(keytype == KEY_SIGN) - { - if(strcasecmp(argv[i+1], "sha1") == 0) - scheme = 0; - else if(strcasecmp(argv[i+1], "der") == 0) - scheme = 1; - else - //else throw libhis_exception("Key scheme invalid", 380); - scheme = 0; //default to SHA1 - - return; - } - else if(keytype == KEY_BIND) - { - if(strcasecmp(argv[i+1], "pkcs") == 0) - scheme = 0; - else if(strcasecmp(argv[i+1], "soap") == 0) - scheme = 1; - else if(strcasecmp(argv[i+1], "cnt") == 0) - scheme = 2; - else if(strcasecmp(argv[i+1], "ofb") == 0) - scheme = 3; - else if(strcasecmp(argv[i+1], "pad") == 0) - scheme = 4; - else - //else throw libhis_exception("Key scheme invalid", 380); - scheme = 0; //default to PKCS - - return; - } - else if(keytype == KEY_STOR) - { - if(strcasecmp(argv[i+1], "system") == 0) - scheme = 0; - else if(strcasecmp(argv[i+1], "user") == 0) - scheme = 1; - else - //else throw libhis_exception("Key scheme invalid", 380); - scheme = 0; //default to system storage - - return; - } - } - } - - //can only get here if a key type is not provided - throw libhis_exception("Key scheme argument missing", 380); - } - - void setupNVIndex(unsigned long &index) - { - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-i") == 0 || strcasecmp(argv[i], "-index") == 0) && i + 1 < argc) - { - if(strcasecmp(argv[i+1], "ec") == 0) - index = 0; - else if(strcasecmp(argv[i+1], "cc") == 0) - index = 1; - else if(strcasecmp(argv[i+1], "pc") == 0) - index = 2; - else if(strcasecmp(argv[i+1], "pcc") == 0) - index = 3; - else throw libhis_exception("NV index argument invalid", 391); - return; - } - } - - //can only get here if a key length is not provided - throw libhis_exception("NVRAM index argument missing", 390); - } - - void takeownership() - { - if(bhelp) - { - cout << "Take Ownership Mode" << endl - << " Takes ownership of the TPM if not already taken. Normally returns 8 when already taken." << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -nonce | -nonce_random Nonce data as hex SHA1 hash" << endl - << endl - << "Outputs:" << endl - << " No output." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *nonce = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupNonce(nonce); - - libhis_takeownership temp; - temp.takeownership(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, auth_srk_value, auth_srk_size, auth_srk_sha1, nonce); - } - catch(libhis_exception &e) - { - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(nonce != 0) delete [] nonce; - throw e; - } - - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(nonce != 0) delete [] nonce; - return; - } - - void changeownership() - { - if(bhelp) - { - cout << "Change Owner Authorization Secret Mode" << endl - << " Changes the owner auth data. Can also switch from sha1 to plain and back." << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -auths_new | -authp_new New owner auth in SHA1 or Plain mode" << endl - << endl - << "Outputs:" << endl - << " No output." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned char *auth_new_value = 0; - unsigned long auth_new_size = 0; - bool auth_new_sha1 = false; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupAuth(auth_new_value, auth_new_size, auth_new_sha1, AUTH_NEW); - - libhis_changeownership temp; - temp.changeownership(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, auth_new_value, auth_new_size, auth_new_sha1); - } - catch(libhis_exception &e) - { - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_new_sha1 && auth_new_value != 0) delete [] auth_new_value; - throw e; - } - - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_new_sha1 && auth_new_value != 0) delete [] auth_new_value; - return; - } - - void clearownership() - { - if(bhelp) - { - cout << "Clear Ownership and Disable TPM Mode" << endl - << " Clears the owner authorization data and disables TPM." << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -clr | -clear Required flag confirms intent to clear" << endl - << endl - << "Outputs:" << endl - << " No output." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - bool bConfirmedClear = false; - - try - { - //NIARL_TPM_MODULE has mode 3 as collate identity request, so make sure user didn't accidentally trigger clear here when they intended collate identity request - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-clr") == 0 || strcasecmp(argv[i], "-clear") == 0)) && i + 1 < argc) - { - bConfirmedClear = true; - } - } - - if(!bConfirmedClear) throw new libhis_exception("Clear TPM requires -clr | -clear flag.", 500); - - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - - libhis_clearownership temp; - temp.clearownership(auth_tpm_value, auth_tpm_size, auth_tpm_sha1); - } - catch(libhis_exception &e) - { - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - throw e; - } - - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - return; - } - - void createek() - { - if(bhelp) - { - cout << "Create EK (Endorsement Key) Mode" << endl - << " Creates an EK if it doesn't already exist." << endl - << endl - << "Input:" << endl - << " -nonce | -nonce_random Nonce data as hex SHA1 hash" << endl - << endl - << "Outputs:" << endl - << " No output." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *nonce = 0; - - try - { - setupNonce(nonce); - - libhis_createek temp; - temp.createek(nonce); - } - catch(libhis_exception &e) - { - if(nonce != 0) delete [] nonce; - throw e; - } - - if(nonce != 0) delete [] nonce; - return; - } - - void changesrksecret() - { - if(bhelp) - { - cout << "Change SRK (Storage Root Key) Authorization Secret Mode" << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_new | -authp_new New SRK auth in SHA1 or Plain mode" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Outputs:" << endl - << " No output." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_new_value = 0; - unsigned long auth_new_size = 0; - bool auth_new_sha1 = false; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_new_value, auth_new_size, auth_new_sha1, AUTH_NEW); - - libhis_changesrksecret temp; - temp.changesrksecret(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, auth_srk_value, auth_srk_size, auth_srk_sha1, auth_new_value, auth_new_size, auth_new_sha1); - } - catch(libhis_exception &e) - { - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_new_sha1 && auth_new_value != 0) delete [] auth_new_value; - throw e; - } - - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_new_sha1 && auth_new_value != 0) delete [] auth_new_value; - return; - } - - void collateidentityrequest() - { - if(bhelp) - { - cout << "Collate Identity Request (Create Idenity Key) Mode" << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_ik | -authp_ik IK auth in SHA1 or Plain mode" << endl - << " -p | -acak Attestation CA public Key blob" << endl - << " -l | -label IK creation label" << endl - << " -u | -uuid IK UUID for storage and retrieval" << endl - << " -e | -ekc (optional) Load EKC as hex datablob argument" << endl - << " -pc (optional) Load PC as hex datablob argument" << endl - << " -n | -nvram (optional) Flag to load EKC and/or PC from NVRAM" << endl - << " Note: Do not use -e|-ekc|-pc and -n|-nvram together. Will throw error." << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << " -o | -overwrite Overwrite existing key at same UUID" << endl - << endl - << "Outputs:" << endl - << " Hex[n] identity request" << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_ik_value = 0; - unsigned long auth_ik_size = 0; - bool auth_ik_sha1 = false; - unsigned char *label_ik_value = 0; - unsigned long label_ik_size = 0; - unsigned char *key_acak_value = 0; - unsigned long key_acak_size = 0; - unsigned char *uuid_ik_value = 0; - bool uuid_overwrite = false; - unsigned char *ekc_value = 0; - unsigned long ekc_size = 0; - unsigned char *pc_value = 0; - unsigned long pc_size = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_ik_value, auth_ik_size, auth_ik_sha1, AUTH_IK); - setupOverwrite(uuid_overwrite); - setupUUID(uuid_ik_value); - - //find acak - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-acak") == 0)) && i + 1 < argc) - { - key_acak_value = hexToBin(argv[i + 1]); - key_acak_size = strlen(argv[i + 1]) / 2; - } - } - if(key_acak_value == 0) throw libhis_exception("ACAK argument", 410); - - //find label - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-l") == 0 || strcasecmp(argv[i], "-label") == 0)) && i + 1 < argc) - { - label_ik_value = (unsigned char*)argv[i + 1]; - label_ik_size = strlen(argv[i + 1]); - } - } - if(label_ik_value == 0) throw libhis_exception("Label argument", 411); - - //get the EKC and PC from NVRAM if desired - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-n") == 0 || strcasecmp(argv[i], "-nvram") == 0)) && i + 1 < argc) - { - libhis_getnvdata temp; - temp.getnvdata(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, 0, ekc_value, ekc_size); - libhis_getnvdata temp2; - temp2.getnvdata(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, 2, pc_value, pc_size); - } - } - - //get the EKC if desired - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-e") == 0 || strcasecmp(argv[i], "-ekc") == 0)) && i + 1 < argc) - { - if(ekc_value != 0) - throw libhis_exception("NVRAM and EKC argument collision.", 412); - - ekc_value = hexToBin(argv[i + 1]); - ekc_size = strlen(argv[i + 1]) / 2; - } - } - - for(int i = 0; i < argc; i++) - { // PC requires EKC - if((ekc_size > 0) && (strcasecmp(argv[i], "-pc") == 0) && i + 1 < argc) - { - if(pc_value != 0) - throw libhis_exception("NVRAM and PC argument collision.", 412); - - pc_value = hexToBin(argv[i + 1]); - pc_size = strlen(argv[i + 1]) / 2; - } else if ((ekc_size <= 0) && (strcasecmp(argv[i], "-pc") == 0) && i + 1 < argc) { - throw libhis_exception("PC expects EKC to be provided", 412); - } - } - - libhis_collateidentityrequest temp; - temp.init(); - temp.collateidentityrequest(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, auth_srk_value, auth_srk_size, auth_srk_sha1, auth_ik_value, auth_ik_size, auth_ik_sha1, label_ik_value, label_ik_size, key_acak_value, key_acak_size, uuid_ik_value, uuid_overwrite, ekc_value, ekc_size, pc_value, pc_size, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(output_value != 0) delete [] output_value; - if(ekc_value != 0) delete [] ekc_value; - throw e; - } - - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(output_value != 0) delete [] output_value; - if(ekc_value != 0) delete [] ekc_value; - return; - } - - void activateidentity() - { - if(bhelp) - { - cout << "Activiate Identity Request (Create Idenity Key Cert) Mode" << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_ik | -authp_ik IK auth in SHA1 or Plain mode" << endl - << " -a | -asym ACA Asymmetric response blob" << endl - << " -s | -sym ACA Symmetric response blob" << endl - << " -u | -uuid IK UUID for storage and retrieval" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Outputs:" << endl - << " Hex[n] identity credential." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_ik_value = 0; - unsigned long auth_ik_size = 0; - bool auth_ik_sha1 = false; - unsigned char *asym_value = 0; - unsigned long asym_size = 0; - unsigned char *sym_value = 0; - unsigned long sym_size = 0; - unsigned char *uuid_ik_value = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_ik_value, auth_ik_size, auth_ik_sha1, AUTH_IK); - setupUUID(uuid_ik_value); - - //find ASYM - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-a") == 0 || strcasecmp(argv[i], "-asym") == 0)) && i + 1 < argc) - { - asym_value = hexToBin(argv[i + 1]); - asym_size = strlen(argv[i + 1]) / 2; - } - } - if(asym_value == 0) throw libhis_exception("ASYM argument", 410); - - //find SYM - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-s") == 0 || strcasecmp(argv[i], "-sym") == 0)) && i + 1 < argc) - { - sym_value = hexToBin(argv[i + 1]); - sym_size = strlen(argv[i + 1]) / 2; - } - } - if(sym_value == 0) throw libhis_exception("SYM argument", 411); - - libhis_activateidentity temp; - temp.init(); - temp.activateidentity(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, auth_srk_value, auth_srk_size, auth_srk_sha1, auth_ik_value, auth_ik_size, auth_ik_sha1, asym_value, asym_size, sym_value, sym_size, uuid_ik_value, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_tpm_sha1 && auth_tpm_value != 0) delete [] auth_tpm_value; - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(output_value != 0) delete [] output_value; - return; - } - - void quote() - { - if(bhelp) - { - cout << "Quote Mode" << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_ik | -authp_ik IK auth in SHA1 or Plain mode" << endl - << " -u | -uuid IK UUID for storage and retrieval" << endl - << " -n | -nonce | -nr Nonce data as hex SHA1 hash" << endl - << " -p | -pcrs PCR selection mask low to high" << endl - << " NOTE: PCR selection mask must be 6 characters (3 bytes). Under Trousers" << endl - << " all data will be properly quoted. NTru will ignore third byte. You" << endl - << " must always provide 6 characters (3 bytes) even for NTru." << endl - << " NOTE: The TCG mask is as follows:" << endl - << " 7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Outputs:" << endl - << " TPM_QUOTE_INFO hex datablob" << endl - << " Signature Hex Datablob" << endl - << " One PCR SHA1 Hex Datablob Per Line" << endl - << " NOTE: All outputs on same line without delimiters. Use -r to add newlines." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_ik_value = 0; - unsigned long auth_ik_size = 0; - bool auth_ik_sha1 = false; - unsigned char *nonce = 0; - unsigned char *uuid_ik_value = 0; - unsigned char *mask = 0; - unsigned char *output_pcrs_value = 0; - unsigned long output_pcrs_size = 0; - unsigned char *output_quote_value = 0; - unsigned long output_quote_size = 0; - unsigned char *output_sig_value = 0; - unsigned long output_sig_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_ik_value, auth_ik_size, auth_ik_sha1, AUTH_IK); - setupNonce(nonce); - setupUUID(uuid_ik_value); - setupMask(mask); - - libhis_quote temp; - temp.init(false); - temp.quote(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_ik_value, auth_ik_size, auth_ik_sha1, nonce, uuid_ik_value, mask, output_pcrs_value, output_pcrs_size, output_quote_value, output_quote_size, output_sig_value, output_sig_size); - - for(unsigned long i = 0; i < output_quote_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_quote_value[i]; - - if(breadable) cout << endl; - - for(unsigned long i = 0; i < output_sig_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_sig_value[i]; - - if(breadable) cout << endl; - - for(unsigned long i = 0; i < output_pcrs_size; i++) - { - cout << setbase(16) << setw(2) << setfill('0') << (int)output_pcrs_value[i]; - if(breadable && (i + 1) % 20 == 0) cout << endl; - } - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(nonce != 0) delete [] nonce; - if(output_pcrs_value != 0) delete [] output_pcrs_value; - if(output_quote_value != 0) delete [] output_quote_value; - if(output_sig_value != 0) delete [] output_sig_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(nonce != 0) delete [] nonce; - if(output_pcrs_value != 0) delete [] output_pcrs_value; - if(output_quote_value != 0) delete [] output_quote_value; - if(output_sig_value != 0) delete [] output_sig_value; - return; - } - - void quote2() - { - if(bhelp) - { - cout << "Quote 2 Mode" << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_ik | -authp_ik IK auth in SHA1 or Plain mode" << endl - << " -u | -uuid IK UUID for storage and retrieval" << endl - << " -n | -nonce | -nr Nonce data as hex SHA1 hash" << endl - << " -p | -pcrs PCR selection mask" << endl - << " -c | -capVerInfo Disable append TPM_CAP_VERSION_INFO to quote" << endl - << " NOTE: TCG mask is as follows:" << endl - << " 7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << " -r | -readable Adds newlines to output" << endl - << endl - << "Outputs:" << endl - << " TPM_QUOTE_INFO2 in hex (concatenated with TSS_CAP_VERSION_INFO if enabled)" << endl - << " Signature Hex Datablob" << endl - << " Sequential listing of PCR values" << endl - << " NOTE: All outputs on same line without delimiters. Use -r to add newlines." << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_ik_value = 0; - unsigned long auth_ik_size = 0; - bool auth_ik_sha1 = false; - unsigned char *nonce = 0; - unsigned char *uuid_ik_value = 0; - unsigned char *mask = 0; - unsigned char *output_pcrs_value = 0; - unsigned long output_pcrs_size = 0; - unsigned char *output_quote_value = 0; - unsigned long output_quote_size = 0; - unsigned char *output_sig_value = 0; - unsigned long output_sig_size = 0; - bool bCapVersion = true; //flipped for backwards compatibility with 3.0x - - try - { - //TPM_CAP_VERSION_INFO can cause Broadcom TPMs to crash and Infineon TPMS to output invalid, non-printing characters - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-c") == 0 || strcasecmp(argv[i], "-capVerInfo") == 0)) - { - bCapVersion = false; - } - } - - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_ik_value, auth_ik_size, auth_ik_sha1, AUTH_IK); - setupNonce(nonce); - setupUUID(uuid_ik_value); - setupMask(mask); - - libhis_quote temp; - temp.init(true); - temp.quote2(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_ik_value, auth_ik_size, auth_ik_sha1, nonce, uuid_ik_value, mask, output_pcrs_value, output_pcrs_size, output_quote_value, output_quote_size, output_sig_value, output_sig_size, bCapVersion); - - for(unsigned long i = 0; i < output_quote_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_quote_value[i]; - - if(breadable) cout << endl; - - for(unsigned long i = 0; i < output_sig_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_sig_value[i]; - - if(breadable) cout << endl; - - for(unsigned long i = 0; i < output_pcrs_size; i++) - { - cout << setbase(16) << setw(2) << setfill('0') << (int)output_pcrs_value[i]; - if(breadable && (i + 1) % 20 == 0) cout << endl; - } - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(nonce != 0) delete [] nonce; - if(output_pcrs_value != 0) delete [] output_pcrs_value; - if(output_quote_value != 0) delete [] output_quote_value; - if(output_sig_value != 0) delete [] output_sig_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_ik_sha1 && auth_ik_value != 0) delete [] auth_ik_value; - if(nonce != 0) delete [] nonce; - if(output_pcrs_value != 0) delete [] output_pcrs_value; - if(output_quote_value != 0) delete [] output_quote_value; - if(output_sig_value != 0) delete [] output_sig_value; - return; - } - - /* - * Seal - * Traditional data sealing mechanism. The SRK and current platform PCR - * values will be used to encrypt data. Encrypted data may only be - * decrypted if the system has the same PCR state and same SRK. - */ - void seal() - { - if(bhelp) - { - cout << "Seal Mode" << endl - << " Uses current PCR state to encrypt data. Can only be decrypted with same PCRS." << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_enc | -authp_enc ENCdata auth in SHA1 or Plain mode" << endl - << " NOTE: Windows allows all 24 PCRS. Linux allows only 16 PCRS." << endl - << " -p | -pcrs (Windows) PCR selection mask low to high" << endl - << " -p | -pcrs (Linux) PCR selection mask low to high" << endl - << " NOTE: TCG mask is as follows:" << endl - << " 7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16" << endl - << " -e | -encdata Datablob to be sealed" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Outputs:" << endl - << " Hex[n] encrypted datablob" << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_enc_value = 0; - unsigned long auth_enc_size = 0; - bool auth_enc_sha1 = false; - unsigned char *mask = 0; - unsigned char *payload_value = 0; - unsigned long payload_size = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_enc_value, auth_enc_size, auth_enc_sha1, AUTH_ENC); - setupMask(mask); - - //find unencrypted payload - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-e") == 0 || strcasecmp(argv[i], "-encdata") == 0)) && i + 1 < argc) - { - payload_value = hexToBin(argv[i + 1]); - payload_size = strlen(argv[i + 1]) / 2; - } - } - if(payload_value == 0) throw libhis_exception("ENC payload argument", 410); - - libhis_seal temp; - temp.seal(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_enc_value, auth_enc_size, auth_enc_sha1, mask, payload_value, payload_size, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(payload_value != 0) delete [] payload_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Seal 2 - * Seals data against PCR values that differ from the present ones. This - * allows encrypted data to be decrypted at some later or different - * platform state. The SRK must remain constant though! Really useful for - * dual boot situations or for keying up "golden" images. - */ - void seal2() - { - if(bhelp) - { - cout << "Seal2 Mode" << endl - << " Seals PCRS against user-defined release values. **Not available on Linux." << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_enc | -authp_enc ENCdata auth in SHA1 or Plain mode" << endl - << " -p | -pcrs PCR selection mask low to high" << endl - << " -e | -encdata Datablob to be sealed" << endl - << " -r | -release PCR values at release" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Outputs:" << endl - << " Hex[n] encrypted datablob" << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_enc_value = 0; - unsigned long auth_enc_size = 0; - bool auth_enc_sha1 = false; - unsigned char *mask = 0; - unsigned char *payload_value = 0; - unsigned long payload_size = 0; - unsigned char *release_value = 0; - unsigned long release_size = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_enc_value, auth_enc_size, auth_enc_sha1, AUTH_ENC); - setupMask(mask); - - //find unencrypted payload - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-e") == 0 || strcasecmp(argv[i], "-encdata") == 0)) && i + 1 < argc) - { - payload_value = hexToBin(argv[i + 1]); - payload_size = strlen(argv[i + 1]) / 2; - } - } - if(payload_value == 0) throw libhis_exception("ENC payload argument", 410); - - //find pcr release state list - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-r") == 0 || strcasecmp(argv[i], "-release") == 0)) && i + 1 < argc && strlen(argv[i+1]) % 20 == 0) - { - //cout << << endl; - release_value = hexToBin(argv[i + 1]); - release_size = strlen(argv[i + 1]) / 2; - } - } - if(release_value == 0) throw libhis_exception("PCR release argument size error", 410); - - //run a size comparison against the mask and release_value - bool bitmask[24]; - for(short i = 0; i < 24; i++) - bitmask[i] = 0; - masktobitmask(mask, bitmask); - - unsigned short counter = 0; - for(short i = 0; i < 24; i++) - { - if(bitmask[i]) - counter++; - } - - if(counter * 20 != release_size) throw libhis_exception("PCR release argument count mismatch", 410); - - libhis_seal temp; - temp.seal2(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_enc_value, auth_enc_size, auth_enc_sha1, mask, payload_value, payload_size, release_value, release_size, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(payload_value != 0) delete [] payload_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Unseal - * Unseals sealed data. Always uses the current set of PCRs and SRK to - * decrypt with. Supports both Seal and Seal2. - */ - void unseal() - { - if(bhelp) - { - cout << "Unseal Mode" << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_enc | -authp_enc ENCdata auth in SHA1 or Plain mode" << endl - << " -e | -encdata Datablob to be unsealed" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Outputs:" << endl - << " Hex[n] decrypted Hex Datablob" << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_enc_value = 0; - unsigned long auth_enc_size = 0; - bool auth_enc_sha1 = false; - unsigned char *payload_value = 0; - unsigned long payload_size = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_enc_value, auth_enc_size, auth_enc_sha1, AUTH_ENC); - - //find unencrypted payload - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-e") == 0 || strcasecmp(argv[i], "-encdata") == 0)) && i + 1 < argc) - { - payload_value = hexToBin(argv[i + 1]); - payload_size = strlen(argv[i + 1]) / 2; - } - } - if(payload_value == 0) throw libhis_exception("ENC payload argument", 410); - - libhis_unseal temp; - temp.unseal(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_enc_value, auth_enc_size, auth_enc_sha1, payload_value, payload_size, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(payload_value != 0) delete [] payload_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Get Random Bytes - * Acquires random data using the TPM's hardware random generator. - */ - void getrandombytes() - { - if(bhelp) - { - cout << "Get Random Bytes Mode" << endl - << endl - << "Input:" << endl - << " -b | -bytes Byte count integer" << endl - << endl - << "Outputs:" << endl - << " Hex[n] random datablob" << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned long bytes_size = 0; - unsigned char *bytes_value = 0; - - try - { - //find the byte count - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-b") == 0 || strcasecmp(argv[i], "-bytes") == 0) && (i + 1) < argc) - { - bytes_size = strtoul(argv[i + 1], 0, 10); - break; - } - } - if(bytes_size == 0) throw libhis_exception("Byte count argument", 410); - - libhis_getrandombytes temp; - temp.getrandombytes(bytes_size, bytes_value); - - for(unsigned long i = 0; i < bytes_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)bytes_value[i]; - } - catch(libhis_exception &e) - { - if(bytes_value != 0) delete [] bytes_value; - throw e; - } - - if(bytes_value != 0) delete [] bytes_value; - return; - } - - /* - * Create Key - * Creates a signing or binding key in multiple sizes. Storage keys are not - * supported since vendor compliance is spotty. All keys are stored under - * the SRK. - */ - void createkey() - { - if(bhelp) - { - cout << "Create Key Mode" << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_key | -authp_key New key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -t | -type Key type SIGN, BIND, or STORAGE" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " -s | -scheme Scheme for key functionality" << endl - << " Signing key only: SHA1 [default] or DER signing method" << endl - << " Binding key only: PKCS [default], SOAP, CNT, OFB, or PAD encryption method" << endl - << " Storage key only: SYSTEM [default] or USER key storage location" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << " -o | -overwrite Overwrite existing key at same UUID" << endl - << endl - << "Output:" << endl - << " No output." << endl - << endl - << "Note:" << endl - << " Storage keys can be created, manipulated, and cleared. However, they cannot be used to actually" << endl - << " store other keys in this version. Key hierarchies are not supported by all TSS versions. At the" << endl - << " time of development the leading 2 TSS solutions did not support key hierarchies therefore the" << endl - << " ability to use them is not part of this software implementation. See code comments." << endl - /* - * DEVELOPERS -- If TSS solutions are fixed in the future simply allow storage keys to be - * used as alternatives to the SRK in key management functions and also - * signing and binding functions. You can accomplish this by asking for the - * storage UUID. If the user enters SRK use the SRK. If the user enters a - * valid UUID then load the associated storage key. - */ - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - int key_type = 0; - unsigned char *uuid_key_value = 0; - unsigned long key_length = 0; - unsigned long key_scheme = 0; - bool uuid_overwrite = false; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupUUID(uuid_key_value); - setupKeyType(key_type); - setupLength(key_length, key_type); - setupScheme(key_scheme, key_type); - - libhis_createkey temp; - - if(key_type == KEY_SIGN) - temp.initsign(key_length, key_scheme); - else if(key_type == KEY_BIND) - temp.initbind(key_length, key_scheme); - else if(key_type == KEY_STOR) - temp.initstorage(key_length, key_scheme); - - temp.createkey(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, uuid_overwrite); - - } - catch(libhis_exception &e) - { - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - throw e; - } - - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - return; - } - - /* - * Change Key Authorization - * Authorization data can be changed for any identity, signing, binding, - * or storage key excluding the SRK (Note: Storage keys not supported by - * this program due to TSS vendors not always supporting key heirarchies - * for some bizarre reason -- it's part of the 1.2 spec, how is it still - * not supported?). - */ - void changekeyauth() - { - if(bhelp) - { - cout << "Change Key Auth Mode" << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_key | -authp_key Key auth in SHA1 or Plain mode" << endl - << " -auths_new | -authp_new New key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -t | -type Key type IDENTITY, SIGN, BIND, or STORAGE" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " NOTE: length not used for identity keys" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " No output." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *auth_new_value = 0; - unsigned long auth_new_size = 0; - bool auth_new_sha1 = false; - unsigned char *uuid_key_value = 0; - int key_type = 0; - unsigned long key_length = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupAuth(auth_new_value, auth_new_size, auth_new_sha1, AUTH_NEW); - setupUUID(uuid_key_value); - setupKeyType(key_type); - setupLength(key_length, key_type); - - libhis_changekeyauth temp; - - if(key_type == KEY_IK) - temp.initidentity(); - else if(key_type == KEY_SIGN) - temp.initsign(key_length); - else if(key_type == KEY_BIND) - temp.initbind(key_length); - else if(key_type == KEY_STOR) - temp.initstorage(key_length); - - temp.changekeyauth(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, auth_new_value, auth_new_size, auth_new_sha1); - } - catch(libhis_exception &e) - { - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - if(auth_new_value != 0 && auth_new_sha1) delete [] auth_new_value; - throw e; - } - - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - if(auth_new_value != 0 && auth_new_sha1) delete [] auth_new_value; - return; - } - - /* - * Get Keyblob - * Gets the keyblob for some binding, signing, and identity keys depending - * on key initialization values. Cannot get the keyblob for EK or SRK. - */ - void getkeyblob() - { - if(bhelp) - { - cout << "Get Key Blob Mode" << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_key | -authp_key Key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -t | -type Key type IDENTITY, SIGN, BIND, or STORAGE" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " NOTE: length not used for identity keys" << endl - << " NOTE: You cannot get the keyblob of an EK or SRK!" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " Hex[n] keyblob." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *uuid_key_value = 0; - int key_type = 0; - unsigned long key_length = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupUUID(uuid_key_value); - setupKeyType(key_type); - setupLength(key_length, key_type); - - libhis_getkeyblob temp; - - if(key_type == KEY_IK) - temp.initidentity(); - else if(key_type == KEY_SIGN) - temp.initsign(key_length); - else if(key_type == KEY_BIND) - temp.initbind(key_length); - else if(key_type == KEY_STOR) - temp.initstorage(key_length); - - temp.getkeyblob(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - if(output_value != 0) delete [] output_value; - } - - /* - * Get Modulus - * Gets the key modulus of TPM and TSS-protected keys. Handles identity, - * signing, and binding keys. For legacy reasons EK and SRK support are - * also provided. EK and SRK return the public key, not the modulus, so - * they are no longer a documented feature of this mode. - */ - void getmodulus() - { - if(bhelp) - { - cout << "Get Key Modulus Mode" << endl - << "Acquires the modulus for an RSA key protected by the TPM. See Get Public Key for" << endl - << "acquiring the EK and SRK public key. EK public key will still be returned by" << endl - << "this function but is deprecated." << endl - << endl - //<< "Input Required For All Keys:" << endl - << " -t | -type Key type IDENTITY, SIGN, BIND, or STORAGE" << endl - //<< endl - //<< "Required Inputs for both EK and SRK" << endl - //<< " -auths_owner | -authp_owner Owner auth in SHA1 or Plain mode" << endl - //<< endl - //<< "Required Inputs for EK only" << endl - //<< " -n | -nonce | -nr Nonce data as hex SHA1 hash" << endl - //<< endl - //<< "Required Inputs For Identity, Sign, and Bind keys" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_key | -authp_key Key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " NOTE: length not used for identity keys" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " Hex[n] key modulus." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *uuid_key_value = 0; - int key_type = 0; - unsigned long key_length = 0; - unsigned char *nonce = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupKeyType(key_type); - - libhis_getkeymodulus temp; - - if(key_type == KEY_IK) - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupUUID(uuid_key_value); - setupLength(key_length, key_type); - - temp.initidentity(); - temp.getkeymodulus(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, output_value, output_size); - } - else if(key_type == KEY_SIGN) - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupUUID(uuid_key_value); - setupLength(key_length, key_type); - - temp.initsign(key_length); - temp.getkeymodulus(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, output_value, output_size); - } - else if(key_type == KEY_BIND) - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupUUID(uuid_key_value); - setupLength(key_length, key_type); - - temp.initbind(key_length); - temp.getkeymodulus(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, output_value, output_size); - } - else if(key_type == KEY_STOR) - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupUUID(uuid_key_value); - setupLength(key_length, key_type); - - temp.initstorage(key_length); - temp.getkeymodulus(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, output_value, output_size); - } - else if(key_type == KEY_EK) - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupNonce(nonce); - - temp.getpubek(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, nonce, output_value, output_size); - } - else if(key_type == KEY_SRK) - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - - temp.getpubsrk(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, output_value, output_size); - } - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Clear Key - * Clears a key from the TSS's key hierarchy. Frees up its UUID for another - * use. - */ - void clearkey() - { - if(bhelp) - { - cout << "Clear Key Mode" << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_key | -authp_key Key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " No output." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *uuid_key_value = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_KEY); - setupUUID(uuid_key_value); - - libhis_clearkey temp; - - temp.clearkey(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value); - } - catch(libhis_exception &e) - { - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - throw e; - } - - if(auth_srk_value != 0 && auth_srk_sha1) delete [] auth_srk_value; - if(auth_key_value != 0 && auth_key_sha1) delete [] auth_key_value; - return; - } - - /* - * Get PCR - * Queries the TPM for PCR values. Similar to a Quote without the signature - * or identity key. Does not give the same assurance value as a Quote, but - * good for a quick glipse of the values. Do NOT use this where a Quote is - * appropriate. Getting PCRs and then signing them is not as strong as a - * Quote. - */ - void getpcr() - { - if(bhelp) - { - cout << "Get PCR Mode" << endl - << " Reads in PCR values and displays them." << endl - << endl - << "Input:" << endl - << " -p | -pcrs PCR selection mask low to high" << endl - << " NOTE: 7 6 5 4 3 2 1 0 15 14 13 12 11 10 9 8 23 22 21 20 19 18 17 16" << endl - << endl - << "Output:" << endl - << " Hex[n] list of PCRS concatenated on one line. Use -r to delimit PCRs with newlines." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *mask = 0; - unsigned char *output_pcrs_value = 0; - unsigned long output_pcrs_size = 0; - - try - { - setupMask(mask); - - libhis_getpcr temp; - - temp.getpcr(mask, output_pcrs_value, output_pcrs_size); - - for(unsigned long i = 0; i < output_pcrs_size; i++) - { - cout << setbase(16) << setw(2) << setfill('0') << (int)output_pcrs_value[i]; - if(breadable && (i + 1) % 20 == 0) cout << endl; - } - } - catch(libhis_exception &e) - { - if(output_pcrs_value != 0) delete [] output_pcrs_value; - throw e; - } - - if(output_pcrs_value != 0) delete [] output_pcrs_value; - return; - } - - /* - * Extend PCR - * Adds a SHA1 hash to a PCR's measurement log and extends the current - * register value. - */ - void extendpcr() - { - if(bhelp) - { - cout << "Extend PCR Mode" << endl - << " Extend any PCR any time." << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -i | -index Index of PCR to be extended" << endl - << " NOTE: 0 to 23 index number selection. Mask positions are:" << endl - << " 7 6 5 4 3 2 1 0 15 14 13 12 11 10 9 8 23 22 21 20 19 18 17 16" << endl - << " -p | -payload SHA1 hash to extend into PCR" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " Hex[40] new PCR value." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned long index = -1; - unsigned char *hash = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - - //find the index - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-i") == 0 || strcasecmp(argv[i], "-index") == 0) && (i + 1) < argc) - { - index = atoi(argv[i + 1]); - break; - } - } - if(index < 0 || index > 23) throw libhis_exception("Index number argument missing", 410); - - //find the hash - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-payload") == 0) && (i + 1) < argc) - { - hash = hexToBin(argv[i + 1]); - break; - } - } - if(hash == 0) throw libhis_exception("Hash argument missing", 410); - - libhis_extendpcr temp; - - temp.extendpcr(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, index, hash, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(hash != 0) delete [] hash; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(hash != 0) delete [] hash; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Clear PCR - * Attempts to clear a PCR value. Normally PCRs between 0 and 15 cannot be - * cleared due to locality issues. This function does not support locality - * control as it was unclear just how to do that. Probably a good idea to - * implement locality support in future versions of this function. FIXME - */ - void clearpcr() - { - if(bhelp) - { - cout << "Clear PCR Mode" << endl - << " Does not normally work except on the final 8 PCRs." << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -p | -pcrs PCR selection mask low to high" << endl - << " NOTE: 7 6 5 4 3 2 1 0 15 14 13 12 11 10 9 8 23 22 21 20 19 18 17 16" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " No output." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned char *mask = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupMask(mask); - - libhis_clearpcr temp; - temp.clearpcr(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, mask); - } - catch(libhis_exception &e) - { - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - throw e; - } - - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - return; - } - - /* - * Set NVDATA - * Writes a block of data to the TPM's non-volatile memory (NVRAM). Auth - * data is required to enforce parity between Windows and Linux. - */ - void setnvdata() - { - if(bhelp) - { - cout << "Set NVData Mode" << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -i | -index EK, CC, PC, or PCC sets index" << endl - << " -p | -payload Data to be written" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " No output." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned long index = -1; - unsigned char *payload_value = 0; - unsigned long payload_size = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupNVIndex(index); - - //find NVData payload - for(int i = 0; i < argc; i++) - { - if(((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-payload") == 0)) && i + 1 < argc) - { - payload_value = hexToBin(argv[i + 1]); - payload_size = strlen(argv[i + 1]) / 2; - } - } - if(payload_value == 0) throw libhis_exception("NVData payload argument", 410); - - libhis_setnvdata temp; - temp.setnvdata(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, index, payload_value, payload_size); - } - catch(libhis_exception &e) - { - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(payload_value != 0) delete [] payload_value; - throw e; - } - - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(payload_value != 0) delete [] payload_value; - return; - } - - /* - * Get NVDATA - * Pulls data from a block of TPM non-volatile memory (NVRAM). Non- - * destructive. - */ - void getnvdata() - { - if(bhelp) - { - cout << "Get NVData Mode" << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -i | -index EK, CC, PC, or PCC sets index" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " Hex[n] NVRAM stored data blob." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned long index = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupNVIndex(index); - - libhis_getnvdata temp; - temp.getnvdata(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, index, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Clear NVDATA - * Invalidates a block of NVDATA address space. Some TPMs will immediately - * zero this space, but not all will. Recommended that random garbage data - * be written to the address space and then cleared. - */ - void clearnvdata() - { - if(bhelp) - { - cout << "Clear NVData Mode" << endl - << endl - << "Input:" << endl - << " -auths_tpm | -authp_tpm TPM owner auth in SHA1 or Plain mode" << endl - << " -i | -index EK, CC, PC, or PCC sets index" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " No output." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - unsigned long index = 0; - - try - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupNVIndex(index); - - libhis_clearnvdata temp; - temp.clearnvdata(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, index); - } - catch(libhis_exception &e) - { - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - throw e; - } - - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - return; - } - - /* - * Sign - * Signs data using a TPM-based signature key. - */ - void sign() - { - if(bhelp) - { - cout << "Sign Data Mode" << endl - << " Sign a hash using a TPM signature key." << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_sign | -authp_sign Signing key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " -s | -scheme Signing scheme" << endl - << " Signing key only: SHA1 or DER" << endl - << " -p | -payload Hash to be signed" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " Hex[n] signature value." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *uuid_key_value = 0; - unsigned long key_length = 0; - unsigned long key_scheme = 0; - unsigned char *hash = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_SIGN); - setupUUID(uuid_key_value); - setupLength(key_length, KEY_SIGN); - setupScheme(key_scheme, KEY_SIGN); - - //find the encrypted data blob - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-payload") == 0) && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - hash = hexToBin(argv[i + 1]); - break; - } - } - if(hash == 0) throw libhis_exception("Hash argument", 410); - - libhis_sign temp; - temp.initsign(key_length, key_scheme); - - temp.sign(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, hash, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(hash != 0) delete [] hash; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(hash != 0) delete [] hash; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Verify Signature - * Verifies a signature against a blob of data and provided key. - */ - void verifysignature() - { - if(bhelp) - { - cout << "Verify Signature Mode" << endl - << " Verify a signature using a TPM signing key." << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_sign | -authp_sign Signing key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " -s | -scheme SHA1 or DER signing scheme" << endl - << " -o | -original Original hash that was signed" << endl - << " -p | -payload Signature to be verified" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " No output. Check the return value. 0 means success. Non-zero means fail." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *uuid_key_value = 0; - unsigned long key_length = 0; - unsigned long key_scheme = 0; - unsigned char *hash = 0; - unsigned char *signature_value = 0; - unsigned long signature_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_SIGN); - setupUUID(uuid_key_value); - setupLength(key_length, KEY_SIGN); - setupScheme(key_scheme, KEY_SIGN); - - //find the encrypted data blob - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-o") == 0 || strcasecmp(argv[i], "-original") == 0) && (i + 1) < argc && strlen(argv[i + 1]) == 40) - { - hash = hexToBin(argv[i + 1]); - break; - } - } - if(hash == 0) throw libhis_exception("Hash argument missing", 410); - - //find the encrypted data blob - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-payload") == 0) && (i + 1) < argc) - { - signature_value = hexToBin(argv[i + 1]); - signature_size = strlen(argv[i + 1]) / 2; - break; - } - } - if(signature_size == 0) throw libhis_exception("Signature argument", 411); - - libhis_verifysignature temp; - temp.initsign(key_length, key_scheme); - - temp.verifysignature(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, uuid_key_value, hash, signature_value, signature_size); - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(hash != 0) delete [] hash; - if(signature_value != 0) delete [] signature_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(hash != 0) delete [] hash; - if(signature_value != 0) delete [] signature_value; - return; - } - - /* - * Bind - * Uses a binding key protected by the TPM to encrypt data. Protects - * encrypted data with an authorization value. - */ - void bind() - { - if(bhelp) - { - cout << "Bind Data Mode" << endl - << " Uses a TPM binding key to encrypt data." << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_bind | -authp_bind Binding key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " -s | -scheme Binding scheme" << endl - << " Binding key only: PKCS, SOAP, CNT, OFB, or PAD" << endl - << " -p | -payload Payload data to be bouund" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " Hex[n] encrypted datablob." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *auth_enc_value = 0; - unsigned long auth_enc_size = 0; - bool auth_enc_sha1 = false; - unsigned char *uuid_key_value = 0; - unsigned long key_length = 0; - unsigned long key_scheme = 0; - unsigned char *payload_value = 0; - unsigned long payload_size = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_BIND); - setupAuth(auth_enc_value, auth_enc_size, auth_enc_sha1, AUTH_ENC); - setupUUID(uuid_key_value); - setupLength(key_length, KEY_BIND); - setupScheme(key_scheme, KEY_BIND); - - //find the encrypted data blob - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-payload") == 0) && (i + 1) < argc) - { - payload_value = hexToBin(argv[i + 1]); - payload_size = strlen(argv[i + 1]) / 2; - break; - } - } - if(payload_size == 0) throw libhis_exception("Payload argument", 410); - - libhis_bind temp; - temp.initbind(key_length, key_scheme); - - temp.bind(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, auth_enc_value, auth_enc_size, auth_enc_sha1, uuid_key_value, payload_value, payload_size, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(payload_value != 0) delete [] payload_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(payload_value != 0) delete [] payload_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Unbind - * This function will decrypt data encrypted by a TPM-based binding key. - * TCG has their own format for encrypted data blobs controlled by binding - * keys. - */ - void unbind() - { - if(bhelp) - { - cout << "Unbind Data Mode" << endl - << " Decrypt a data blob that was encrypted with a TPM binding key." << endl - << endl - << "Input:" << endl - << " -auths_srk | -authp_srk SRK auth in SHA1 or Plain mode" << endl - << " -auths_bind | -authp_bind Binding key auth in SHA1 or Plain mode" << endl - << " -u Key UUID for storage and retrieval" << endl - << " -l | -length Key length 512, 1024, 2048, 4096, 8192" << endl - << " -s | -scheme Binding scheme" << endl - << " Binding key only: PKCS, SOAP, CNT, OFB, or PAD" << endl - << " -p | -payload Payload data to be unbound" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << endl - << "Output:" << endl - << " Hex[n] decrypted datablob." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_srk_value = 0; - unsigned long auth_srk_size = 0; - bool auth_srk_sha1 = false; - unsigned char *auth_key_value = 0; - unsigned long auth_key_size = 0; - bool auth_key_sha1 = false; - unsigned char *auth_enc_value = 0; - unsigned long auth_enc_size = 0; - bool auth_enc_sha1 = false; - unsigned char *uuid_key_value = 0; - unsigned long key_length = 0; - unsigned long key_scheme = 0; - unsigned char *payload_value = 0; - unsigned long payload_size = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupAuth(auth_srk_value, auth_srk_size, auth_srk_sha1, AUTH_SRK); - setupAuth(auth_key_value, auth_key_size, auth_key_sha1, AUTH_BIND); - setupAuth(auth_enc_value, auth_enc_size, auth_enc_sha1, AUTH_ENC); - setupUUID(uuid_key_value); - setupLength(key_length, KEY_BIND); - setupScheme(key_scheme, KEY_BIND); - - //find the encrypted data blob - for(int i = 0; i < argc; i++) - { - if((strcasecmp(argv[i], "-p") == 0 || strcasecmp(argv[i], "-payload") == 0) && (i + 1) < argc) - { - payload_value = hexToBin(argv[i + 1]); - payload_size = strlen(argv[i + 1]) / 2; - break; - } - } - if(payload_size == 0) throw libhis_exception("Payload argument", 410); - - libhis_unbind temp; - temp.initbind(key_length, key_scheme); - - temp.unbind(auth_srk_value, auth_srk_size, auth_srk_sha1, auth_key_value, auth_key_size, auth_key_sha1, auth_enc_value, auth_enc_size, auth_enc_sha1, uuid_key_value, payload_value, payload_size, output_value, output_size); - - for(unsigned long i = 0; i < output_size; i++) - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - catch(libhis_exception &e) - { - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(payload_value != 0) delete [] payload_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_srk_sha1 && auth_srk_value != 0) delete [] auth_srk_value; - if(auth_key_sha1 && auth_key_value != 0) delete [] auth_key_value; - if(auth_enc_sha1 && auth_enc_value != 0) delete [] auth_enc_value; - if(payload_value != 0) delete [] payload_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Get Public Key - * This function will acquire public keys for the EK and SRK. Ownership is - * required for getting both keys. - */ - void getpubkey() - { - if(bhelp) - { - cout << "Get Public Key Mode" << endl - << "Acquires the public key (modulus and public exponent) for the EK and SRK." << endl - << endl - << "Input Required For All Keys:" << endl - << " -t | -type Key type EK or SRK" << endl - << " -auths_owner | -authp_owner Owner auth in SHA1 or Plain mode" << endl - << endl - << "Required Inputs for EK Only" << endl - << " -auths_owner | -authp_owner Owner auth in SHA1 or Plain mode" << endl - << " -nonce | -nonce_random Nonce data as hex SHA1 hash" << endl - << endl - << "Optional:" << endl - << " -z | -zeros Set missing auth values to zero hash" << endl - << " -nr | -nonce_random TPM random byte generator nonce" << endl - << endl - << "Output:" << endl - << " Hex[n] public key." << endl - << endl; - throw libhis_exception("Help argument set", 400); - } - - unsigned char *auth_tpm_value = 0; - unsigned long auth_tpm_size = 0; - bool auth_tpm_sha1 = false; - int key_type = 0; - unsigned char *nonce = 0; - unsigned char *output_value = 0; - unsigned long output_size = 0; - - try - { - setupKeyType(key_type); - - libhis_getpubkey temp; - - if(key_type == KEY_EK) - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - setupNonce(nonce); - - temp.getpubek(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, nonce, output_value, output_size); - } - else if(key_type == KEY_SRK) - { - setupAuth(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, AUTH_TPM); - - temp.getpubsrk(auth_tpm_value, auth_tpm_size, auth_tpm_sha1, output_value, output_size); - } - else - { - throw libhis_exception("Key type not valid for this function. Use EK or SRK.", 412); - } - - for(unsigned long i = 0; i < output_size; i++) - { - cout << setbase(16) << setw(2) << setfill('0') << (int)output_value[i]; - } - cout << endl; - } - catch(libhis_exception &e) - { - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(output_value != 0) delete [] output_value; - throw e; - } - - if(auth_tpm_value != 0 && auth_tpm_sha1) delete [] auth_tpm_value; - if(output_value != 0) delete [] output_value; - return; - } - - /* - * Error Helper - * Converts numeric error codes into textual representations. Attempts to - * describe the meaning of error codes and provide clues as to the cause. - */ - void error_helper(int result) - { - switch(result) - { - case 1: - cerr << "TPM_E_AUTHFAIL -- An authorization data value is invalid." << endl; - break; - case 2: - cerr << "TPM_E_BADINDEX" << endl; - break; - case 3: - cerr << "TPM_E_BAD_PARAMETER -- A provided parameter does not meet specification. Normally provided data is not in the correct TCG structure." << endl; - break; - case 4: - cerr << "TPM_E_AUDITFAILURE" << endl; - break; - case 5: - cerr << "TPM_E_CLEAR_DISABLED" << endl; - break; - case 6: - cerr << "TPM_E_DEACTIVATED -- TPM is deactivated. Go to BIOS and reactivate. This could require power cycling." << endl; - break; - case 7: - cerr << "TPM_E_DISABLED -- TPM has been disabled. Go to BIOS and enable TPM. Also remember to active it! This could require power cycling." << endl; - break; - case 8: - cerr << "TPM_E_DISABLED_CMD -- Command disabled because it probably already ran or is no longer applicable. Very common when trying to take ownership when ownership already exists or when trying to get the public EK without owner auth after ownership is established." << endl; - break; - case 9: - cerr << "TPM_E_FAIL" << endl; - break; - case 10: - cerr << "TPM_E_BAD_ORDINAL -- TPM firmware does not support this command." << endl; - break; - case 11: - cerr << "TPM_E_INSTALL_DISABLED" << endl; - break; - case 12: - cerr << "TPM_E_INVALID_KEYHANDLE" << endl; - break; - case 13: - cerr << "TPM_E_KEYNOTFOUND -- No key for this UUID." << endl; - break; - case 14: - cerr << "TPM_E_INAPPROPRIATE_ENC -- Invalid encrypted data or implementation defect in TPM firmware. You may also have told this software to use an encryption scheme not supported this TPM." << endl; - break; - case 15: - cerr << "TPM_E_MIGRATEFAIL" << endl; - break; - case 16: - cerr << "TPM_E_INVALID_PCR_INFO" << endl; - break; - case 17: - cerr << "TPM_E_NOSPACE" << endl; - break; - case 18: - cerr << "TPM_E_NOSRK -- Enable TPM, activate TPM, and take ownership to create SRK. Your TPM is probably not set correctly in the BIOS or you accidentally cleared and disabled it." << endl; - break; - case 19: - cerr << "TPM_E_NOTSEALED_BLOB" << endl; - break; - case 20: - cerr << "TPM_E_OWNER_SET -- Ownership already established for this TPM. Not necessarily an error since you can share ownership with multiple sources." << endl; - break; - case 21: - cerr << "TPM_E_RESOURCES" << endl; - break; - case 22: - cerr << "TPM_E_SHORTRANDOM" << endl; - break; - case 23: - cerr << "TPM_E_SIZE" << endl; - break; - case 24: - cerr << "TPM_E_WRONGPCRVAL" << endl; - break; - case 25: - cerr << "TPM_E_BAD_PARAM_SIZE " << endl; - break; - case 26: - cerr << "TPM_E_SHA_THREAD" << endl; - break; - case 27: - cerr << "TPM_E_SHA_ERROR" << endl; - break; - case 28: - cerr << "TPM_E_FAILEDSELFTEST -- Bad state. Try disabling and then re-enabling TPM." << endl; - break; - case 29: - cerr << "TPM_E_AUTH2FAIL" << endl; - break; - case 30: - cerr << "TPM_E_BADTAG" << endl; - break; - case 31: - cerr << "TPM_E_IOERROR -- Check TPM kernel module or driver. On Linux this is tpm_tis module. This error can also indicate an unsupported TPM function on older TPMs." << endl; - break; - case 32: - cerr << "TPM_E_ENCRYPT_ERROR -- In the case of binding data it is possible this data may be too large. Break it apart. In the case of identity provisioning it is possible the EK and AIK certificates are not valid for the current keys. Make them again." << endl; - break; - case 33: - cerr << "TPM_E_DECRYPT_ERROR -- In the case of binding data it is possible this data might not have been encrypted by a TPM. Use TCG structures next time. In the case of identity provisioning this error can indicate an invalid EK or AIK certificate." << endl; - break; - case 34: - cerr << "TPM_E_INVALID_AUTHHANDLE" << endl; - break; - case 35: - cerr << "TPM_E_NO_ENDORSEMENT -- Create an endorsement key and try again." << endl; - break; - case 36: - cerr << "TPM_E_INVALID_KEYUSAGE -- This key UUID is not valid for this key command." << endl; - break; - case 37: - cerr << "TPM_E_WRONG_ENTITYTYPE" << endl; - break; - case 38: - cerr << "TPM_E_INVALID_POSTINIT" << endl; - break; - case 39: - cerr << "TPM_E_INAPPROPRIATE_SIG" << endl; - break; - case 40: - cerr << "TPM_E_BAD_KEY_PROPERTY" << endl; - break; - case 41: - cerr << "TPM_E_BAD_MIGRATION" << endl; - break; - case 42: - cerr << "TPM_E_BAD_SCHEME" << endl; - break; - case 43: - cerr << "TPM_E_BAD_DATASIZE" << endl; - break; - case 44: - cerr << "TPM_E_BAD_MODE" << endl; - break; - case 45: - cerr << "TPM_E_BAD_PRESENCE" << endl; - break; - case 46: - cerr << "TPM_E_BAD_VERSION" << endl; - break; - case 47: - cerr << "TPM_E_NO_WRAP_TRANSPORT" << endl; - break; - case 48: - cerr << "TPM_E_AUDITFAIL_UNSUCCESSFUL" << endl; - break; - case 49: - cerr << "TPM_E_AUDITFAIL_SUCCESSFUL" << endl; - break; - case 50: - cerr << "TPM_E_NOTRESETABLE" << endl; - break; - case 51: - cerr << "TPM_E_NOTLOCAL" << endl; - break; - case 52: - cerr << "TPM_E_BAD_TYPE" << endl; - break; - case 53: - cerr << "TPM_E_INVALID_RESOURCE" << endl; - break; - case 54: - cerr << "TPM_E_NOTFIPS" << endl; - break; - case 55: - cerr << "TPM_E_INVALID_FAMILY" << endl; - break; - case 56: - cerr << "TPM_E_NO_NV_PERMISSION -- NTrue does not require auth data on NVRAM access. Trousers does. This software _always_requires NVRAM auth data as a result. This error can happen when another program sets NVRAM data without auth." << endl; - break; - case 57: - cerr << "TPM_E_REQUIRES_SIGN" << endl; - break; - case 58: - cerr << "TPM_E_KEY_NOTSUPPORTED" << endl; - break; - case 59: - cerr << "TPM_E_AUTH_CONFLICT" << endl; - break; - case 60: - cerr << "TPM_E_AREA_LOCKED -- TXT will lock parts of NVRAM when enabled. You must disable TXT to unlock the NVRAM for writing of policies and other data. Then you may re-lock with TXT afterwards." << endl; - break; - case 61: - cerr << "TPM_E_BAD_LOCALITY" << endl; - break; - case 62: - cerr << "TPM_E_READ_ONLY" << endl; - break; - case 63: - cerr << "TPM_E_PER_NOWRITE" << endl; - break; - case 64: - cerr << "TPM_E_FAMILYCOUNT" << endl; - break; - case 65: - cerr << "TPM_E_WRITE_LOCKED" << endl; - break; - case 66: - cerr << "TPM_E_BAD_ATTRIBUTES" << endl; - break; - default: - break; - } - - return; - } -}; - -#endif diff --git a/tpm_module/libhis_collateidentityrequest.hpp b/tpm_module/libhis_collateidentityrequest.hpp deleted file mode 100644 index 8228520f..00000000 --- a/tpm_module/libhis_collateidentityrequest.hpp +++ /dev/null @@ -1,278 +0,0 @@ -#ifndef libhis_collateidentityrequest_hpp -#define libhis_collateidentityrequest_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_collateidentityrequest -{ -public: - libhis_collateidentityrequest() - { - //set default values - init_ik_size = TSS_KEY_SIZE_DEFAULT; - init_ik_type = TSS_KEY_TYPE_IDENTITY; - init_ik_authorized = TSS_KEY_AUTHORIZATION; - init_ik_migratable = TSS_KEY_NOT_MIGRATABLE; - init_ik_volatile = TSS_KEY_VOLATILE; - binitialized = false; - - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create IK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Create IK Policy", result); - - //Create ACAK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_acak); - if(result != TSS_SUCCESS) throw libhis_exception("Create ACAK", result); - } - - void init() - { - //combine the init flags - init_ik = init_ik_size | init_ik_type | init_ik_authorized | init_ik_migratable | init_ik_volatile; - - //Create IK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_ik, &hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Create IK", result); - - binitialized = true; - } - - void collateidentityrequest( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_ik_value, - unsigned long auth_ik_size, - bool auth_ik_sha1, - unsigned char *label_ik_value, - unsigned long label_ik_size, - unsigned char *key_acak_value, - unsigned long key_acak_size, - unsigned char *uuid_ik_value, - bool uuid_overwrite, - unsigned char *ekc_value, - unsigned long ekc_size, - unsigned char *pc_value, - unsigned long pc_size, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result); - - //assign the TPM auth to the ACAK too - result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_acak); - if(result != TSS_SUCCESS) throw libhis_exception("Assign ACAK Secret", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //set up IK auth - if(auth_ik_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result); - } - - //assign the IK auth - result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result); - - //set ACAK blob - result = Tspi_SetAttribData(hkey_acak, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, key_acak_size, key_acak_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ACAK Blob", result); - - if(ekc_size != 0) - { - //set the EK cert - result = Tspi_SetAttribData(htpm, TSS_TSPATTRIB_TPM_CREDENTIAL, TSS_TPMATTRIB_EKCERT, ekc_size, ekc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set EK credential blob", result); - } - - if(pc_size != 0) - { - //set the Platform cert - result = Tspi_SetAttribData(htpm, TSS_TSPATTRIB_TPM_CREDENTIAL, TSS_TPMATTRIB_PLATFORMCERT, pc_size, pc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set Platform credential blob", result); - } - - //Collate identity request - BYTE *value; - UINT32 size; - result = Tspi_TPM_CollateIdentityRequest(htpm, hkey_srk, hkey_acak, label_ik_size, label_ik_value, hkey_ik, TSS_ALG_AES, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Collate identity Request", result); - - //Copy memory because TSS uses malloc and free, but we're using new and delete - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - { - output_value[i] = value[i]; - } - - //clean up the TSS data -- CANNOT DO THIS; TSS MEMORY LEAK? - //result = Tspi_Context_FreeMemory(hcontext, value); - //if(result != TSS_SUCCESS) throw libhis_exception("Cleanup identity request", result); - - //Unwrap the newly generated IK - result = Tspi_Key_LoadKey(hkey_ik, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result); - - //Set up the IK UUID - hextouuid(uuid_ik_value, uuid_ik); - - try - { - //save ik - result = Tspi_Context_RegisterKey(hcontext, hkey_ik, TSS_PS_TYPE_SYSTEM, uuid_ik, TSS_PS_TYPE_SYSTEM, uuid_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Save IK By UUID", result); - } - catch(libhis_exception &e) - { - if(uuid_overwrite) - { - //Unregister the existing key - result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_unregister); - if(result != TSS_SUCCESS) throw libhis_exception("Unregister slot", result); - - //Register a new key - result = Tspi_Context_RegisterKey(hcontext, hkey_ik, TSS_PS_TYPE_SYSTEM, uuid_ik, TSS_PS_TYPE_SYSTEM, uuid_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Resave IK By UUID", result); - } - else throw e; - } - - return; - } - - ~libhis_collateidentityrequest() - { - //clean up ACAK - result = Tspi_Context_CloseObject(hcontext, hkey_acak); - if(result != TSS_SUCCESS) throw libhis_exception("Close ACAK", result); - - //clean up IK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Close IK Policy", result); - - if(binitialized) - { - //clean up IK - result = Tspi_Context_CloseObject(hcontext, hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Close IK", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_ik, - hkey_acak, - hkey_unregister; - TSS_HPOLICY hpolicy_tpm, - hpolicy_srk, - hpolicy_ik; - TSS_UUID uuid_ik; - UINT32 init_ik, - init_ik_size, - init_ik_type, - init_ik_authorized, - init_ik_migratable, - init_ik_volatile; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_createek.hpp b/tpm_module/libhis_createek.hpp deleted file mode 100644 index df9256f7..00000000 --- a/tpm_module/libhis_createek.hpp +++ /dev/null @@ -1,70 +0,0 @@ -#ifndef libhis_createek_hpp -#define libhis_createek_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_createek -{ -public: - libhis_createek() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create EK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Create EK object handle", result); - } - - void createek( - unsigned char *nonce) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //TSS requires external data to be set for EK creation - validation.ulExternalDataLength = 20; - validation.rgbExternalData = nonce; - - //create EK - result = Tspi_TPM_CreateEndorsementKey(htpm, hkey_ek, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result); - } - - ~libhis_createek() - { - //clean up EK object - result = Tspi_Context_CloseObject(hcontext, hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Close EK object handle", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_ek; - TSS_VALIDATION validation; -}; - -#endif diff --git a/tpm_module/libhis_createkey.hpp b/tpm_module/libhis_createkey.hpp deleted file mode 100644 index 46b809de..00000000 --- a/tpm_module/libhis_createkey.hpp +++ /dev/null @@ -1,317 +0,0 @@ -#ifndef libhis_createkey_hpp -#define libhis_createkey_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_createkey -{ -public: - libhis_createkey() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - init_key_scheme = 0; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - } - - void initsign(unsigned int in_size, unsigned int in_scheme) - { - //set the type - init_key_type = TSS_KEY_TYPE_SIGNING; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //set the signature scheme - if(in_scheme == 0) - init_key_scheme = TSS_SS_RSASSAPKCS1V15_SHA1; - else if(in_scheme == 1) - init_key_scheme = TSS_SS_RSASSAPKCS1V15_DER; - else - init_key_scheme = TSS_SS_NONE; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - //Set the signature scheme - result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME, init_key_scheme); - if(result != TSS_SUCCESS) throw libhis_exception("Set signature scheme", result); - - binitialized = true; - } - - void initbind(unsigned int in_size, unsigned int in_scheme) - { - //set the type - init_key_type = TSS_KEY_TYPE_BIND; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //set the encryption scheme - if(in_scheme == 0) - init_key_scheme = TSS_ES_RSAESPKCSV15; - else if(in_scheme == 1) - init_key_scheme = TSS_ES_RSAESOAEP_SHA1_MGF1; - else if(in_scheme == 2) - init_key_scheme = TSS_ES_SYM_CNT; - else if(in_scheme == 3) - init_key_scheme = TSS_ES_SYM_OFB; - else if(in_scheme == 4) - init_key_scheme = TSS_ES_SYM_CBC_PKCS5PAD; - else - init_key_scheme = TSS_ES_NONE; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - //Set the encryption scheme - result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME, init_key_scheme); - if(result != TSS_SUCCESS) throw libhis_exception("Set encryption scheme", result); - - binitialized = true; - } - - void initstorage(unsigned int in_size, unsigned int in_location) - { - //set the type - init_key_type = TSS_KEY_TYPE_STORAGE; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //set the encryption scheme - if(in_location == 0) - init_key_location = TSS_PS_TYPE_SYSTEM; - else - init_key_location = TSS_PS_TYPE_USER; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile | init_key_location; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void createkey( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *uuid_key_value, - bool uuid_overwrite) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //create the key - result = Tspi_Key_CreateKey(hkey_key, hkey_srk, 0); - - //Unwrap the newly generated key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - try - { - //save key - result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Save key By UUID", result); - } - catch(libhis_exception &e) - { - if(uuid_overwrite) - { - //Unregister the existing key - result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_unregister); - if(result != TSS_SUCCESS) throw libhis_exception("Unregister slot", result); - - //Register a new key - result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Resave key By UUID", result); - } - else throw e; - } - - return; - } - - ~libhis_createkey() - { - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key, - hkey_unregister; - TSS_HPOLICY hpolicy_srk, - hpolicy_key; - TSS_UUID uuid_key; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile, - init_key_scheme, - init_key_location; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_errors.txt b/tpm_module/libhis_errors.txt deleted file mode 100644 index 08f8273d..00000000 --- a/tpm_module/libhis_errors.txt +++ /dev/null @@ -1,41 +0,0 @@ -< 200 TPM ERROR CODE -> 12000 TSS ERROR CODE - -TPM_MODULE ERROR CODES -------------------------- -290 can't open log file -300 invalid mode argument -310 hex to bin invalid length -311 hex to bin character validation error -312 hex to bin character validation error -320 new auth argument missing -321 tpm auth argument missing -322 srk auth argument missing -323 ik auth argument missing -324 sign auth argument missing -325 bind auth argument missing -326 stor auth argument missing -327 enc auth argument missing -328 key auth argument missing -330 nonce argument missing -340 uuid argument missing -350 pcrs argument missing -360 key type argument missing -361 key type argument invalid -370 key length argument missing -380 key scheme argument missing -381 signing scheme invalid -382 binding scheme invalid -390 nvram index missing -391 nvram index invalid -400 help argument set -410 mode-specific argument missing -411 mode-specific argument missing -412 mode-specific argument missing -420 uuid validation failure -421 uuid validation failure -422 uuid validation failure -423 uuid validation failure -424 uuid validation failure -425 uuid validation failure -430 mask validation failure diff --git a/tpm_module/libhis_exception.hpp b/tpm_module/libhis_exception.hpp deleted file mode 100644 index 15a11929..00000000 --- a/tpm_module/libhis_exception.hpp +++ /dev/null @@ -1,47 +0,0 @@ -#ifndef libhis_exception_hpp -#define libhis_exception_hpp - - -#ifdef WINDOWS - #include - using namespace std; - - class libhis_exception : public exception - { - public: - libhis_exception(const char *message, int value) : exception(message) - { - result = value; - } - - int result; - }; -#endif - -#ifdef LINUX - #include - #include - using namespace std; - - class libhis_exception - { - public: - libhis_exception(string inmessage, int value) - { - message = inmessage; - result = value; - } - - ~libhis_exception() {} - - string what() - { - return message; - } - - int result; - string message; - }; -#endif - -#endif diff --git a/tpm_module/libhis_extendpcr.hpp b/tpm_module/libhis_extendpcr.hpp deleted file mode 100644 index 9f2ce17c..00000000 --- a/tpm_module/libhis_extendpcr.hpp +++ /dev/null @@ -1,101 +0,0 @@ -#ifndef libhis_extendpcr_hpp -#define libhis_extendpcr_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_extendpcr -{ -public: - libhis_extendpcr() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - } - - void extendpcr( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned long pcr_index, - unsigned char *hash, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //extend PCR value - UINT32 size; - BYTE *value; - result = Tspi_TPM_PcrExtend(htpm, pcr_index, 20, hash, 0, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Extend PCR", result); - - //convert memory - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_value[i] = value[i]; - - //free dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Free dynamic memory", result); - - return; - } - - ~libhis_extendpcr() - { - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPOLICY hpolicy_tpm; -}; - -#endif diff --git a/tpm_module/libhis_getkeyblob.hpp b/tpm_module/libhis_getkeyblob.hpp deleted file mode 100644 index bf191932..00000000 --- a/tpm_module/libhis_getkeyblob.hpp +++ /dev/null @@ -1,292 +0,0 @@ -#ifndef libhis_getkeyblob_hpp -#define libhis_getkeyblob_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_getkeyblob -{ -public: - libhis_getkeyblob() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Context", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - } - - void initidentity() - { - //set the type - init_key_type = TSS_KEY_TYPE_IDENTITY; - - //set the key size - init_key_size = TSS_KEY_SIZE_DEFAULT; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initsign(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_SIGNING; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initbind(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_BIND; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initstorage(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_STORAGE; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void getkeyblob( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *uuid_key_value, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //Unwrap the key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //get the keyblob - UINT32 size; - BYTE *value; - result = Tspi_GetAttribData(hkey_key, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_BLOB, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Get keyblob", result); - - //copy out the results - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_value[i] = value[i]; - - //clean up dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Cleanup dynamic memory", result); - - return; - } - - ~libhis_getkeyblob() - { - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key; - TSS_HPOLICY hpolicy_srk, - hpolicy_key; - TSS_UUID uuid_key; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_getkeymodulus.hpp b/tpm_module/libhis_getkeymodulus.hpp deleted file mode 100644 index 229dacbb..00000000 --- a/tpm_module/libhis_getkeymodulus.hpp +++ /dev/null @@ -1,439 +0,0 @@ -#ifndef libhis_getkeymodulus_hpp -#define libhis_getkeymodulus_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_getkeymodulus -{ -public: - libhis_getkeymodulus() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create EK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - } - - void initidentity() - { - //set the type - init_key_type = TSS_KEY_TYPE_IDENTITY; - - //set the key size - init_key_size = TSS_KEY_SIZE_DEFAULT; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initsign(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_SIGNING; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initbind(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_BIND; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - void initstorage(unsigned int in_size) - { - //set the type - init_key_type = TSS_KEY_TYPE_STORAGE; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - binitialized = true; - } - - /* - * @Deprecated - */ - void getpubsrk( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //set up key container - UINT32 mod_size; - BYTE *mod_value; - - //get the public EK - result = Tspi_TPM_OwnerGetSRKPubKey(htpm, &mod_size, &mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public SRK", result); - - //copy out the SRK modulus - output_size = mod_size; - output_value = new unsigned char[mod_size]; - for(unsigned long i = 0; i < mod_size; i++) - output_value[i] = mod_value[i]; - - //clean up SRK modulus - result = Tspi_Context_FreeMemory(hcontext, mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result); - } - - /* - * @Deprecated - */ - void getpubek( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *nonce, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //assign the TPM auth to the EK - result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to EK", result); - - //set up nonce - validation.ulExternalDataLength = 20; - validation.rgbExternalData = nonce; - - try - { - //get the public EK - result = Tspi_TPM_GetPubEndorsementKey(htpm, true, &validation, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result); - } - catch(libhis_exception &e) - { - //get the public EK the Atmel TPM in an Ultrabook way - result = Tspi_TPM_GetPubEndorsementKey(htpm, false, &validation, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result); - - //let a second exception make its way upward (should be same error code) - } - - //get the modulus - UINT32 mod_size; - BYTE *mod_value; - result = Tspi_GetAttribData(hkey_ek, TSS_TSPATTRIB_RSAKEY_INFO, TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &mod_size, &mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Get EK Blob", result); - - //copy out the EK modulus - output_size = mod_size; - output_value = new unsigned char[mod_size]; - for(unsigned long i = 0; i < mod_size; i++) - output_value[i] = mod_value[i]; - - //clean up ek modulus - result = Tspi_Context_FreeMemory(hcontext, mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result); - } - - void getkeymodulus( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *uuid_key_value, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //Unwrap the key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //get the keyblob - UINT32 size; - BYTE *value; - result = Tspi_GetAttribData(hkey_key, TSS_TSPATTRIB_RSAKEY_INFO, TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Get modulus", result); - - //copy out the results - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_value[i] = value[i]; - - //clean up dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Cleanup dynamic memory", result); - - return; - } - - ~libhis_getkeymodulus() - { - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //clean up EK object - result = Tspi_Context_CloseObject(hcontext, hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Close EK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_ek, - hkey_srk, - hkey_key, - hkey_unregister; - TSS_HPOLICY hpolicy_tpm, - hpolicy_srk, - hpolicy_key; - TSS_VALIDATION validation; - TSS_UUID uuid_key; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_getnvdata.hpp b/tpm_module/libhis_getnvdata.hpp deleted file mode 100644 index b5e5714f..00000000 --- a/tpm_module/libhis_getnvdata.hpp +++ /dev/null @@ -1,182 +0,0 @@ -#ifndef libhis_getnvdata_hpp -#define libhis_getnvdata_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include - -class libhis_getnvdata -{ -public: - libhis_getnvdata() - { - //set defaults - nvstore_index = 0; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create NVSTore object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_NV, 0, &hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Create NVStore object", result); - } - - void getnvdata( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned long nv_index, - unsigned char *&nv_value, - unsigned long &nv_size) - { - //set up the index value - bool nv_platform = false; - if(nv_index == 0) - nvstore_index = TPM_NV_INDEX_EKCert; - else if(nv_index == 1) - nvstore_index = TPM_NV_INDEX_TPM_CC; - else if(nv_index == 2) { - nvstore_index = TPM_NV_INDEX_PlatformCert; - nv_platform = true; - } - else if(nv_index == 3) { - nvstore_index = TPM_NV_INDEX_Platform_CC; - nv_platform = true; - } - else - nvstore_index = nv_index; - - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - // Check if the NV area is locked. Must be performed after TPM AUTH. - TSS_BOOL nvLocked; - result = Tspi_TPM_GetStatus(htpm, TSS_TPMSTATUS_NV_LOCK, &nvLocked); - if (result != TSS_SUCCESS) throw libhis_exception("Check TPM NV Lock", result); - - // If locked, set the bit in the index to retrieve the requested data. else, unset that bit. - nvstore_index = ((nvLocked == TRUE) && !nv_platform) ? nvstore_index + TSS_NV_DEFINED : nvstore_index & ~TSS_NV_DEFINED; - - //assign the TPM auth to the NVStore - result = Tspi_Policy_AssignToObject(hpolicy_tpm, hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to NVStore", result); - - //force NVData to be readable by the owner only - result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_PERMISSIONS, 0, TPM_NV_PER_OWNERREAD | TPM_NV_PER_OWNERWRITE); - if(result != TSS_SUCCESS) throw libhis_exception("Requier owner auth on NVStore read/write", result); - - //set the read address - result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_INDEX, 0, nvstore_index); - if(result != TSS_SUCCESS) throw libhis_exception("Set NVStore index", result); - - //get the size - UINT32 size = 0; - BYTE *value = 0; - -#ifdef WINDOWS - //read the size of the data at the index - result = Tspi_GetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_DATASIZE, 0, &size); - if(result != TSS_SUCCESS) throw libhis_exception("WINDOWS: Get size of NVStore object", result); -#endif -#ifdef LINUX - UINT32 ulResultLen; // stores the length of the data returned by GetCapability - // Retrieves a TPM_NV_DATA_PUBLIC structure that indicates the values for the specified NV area. - // The NV area is identified by the nvstore_index. - result = Tspi_TPM_GetCapability(htpm, TSS_TPMCAP_NV_INDEX, sizeof(UINT32), - (BYTE *)&nvstore_index, &ulResultLen, &value); - if(result == TSS_SUCCESS) { - UINT64 off = 0; - // value which is a BYTE* must be converted into its TSS Data Structure - TPM_NV_DATA_PUBLIC *nvDataPublicStruct = new TPM_NV_DATA_PUBLIC(); - // Trousers converts the data blob into the struct - result = Trspi_UnloadBlob_NV_DATA_PUBLIC(&off, value, nvDataPublicStruct); - if(result != TSS_SUCCESS) { - delete nvDataPublicStruct; - throw libhis_exception("LINUX: Problems converting data blob to NV Public Data object", result); - } - // Save off the size of the data stored in the NV area. - size = nvDataPublicStruct->dataSize; - // Free the memory. - delete nvDataPublicStruct; - } -#endif - - if(size > 0) { - //read the nvdata - result = Tspi_NV_ReadValue(hnvstore, 0, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Read NVStore space", result); - - //copy out the values - nv_size = size; - nv_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - nv_value[i] = value[i]; - } - - //cleanup - result = Tspi_Context_FreeMemory(hcontext, value); - // I'm not sure if this error message is useful. But it was stopping the process unnecessarily. - //if(result != TSS_SUCCESS) throw libhis_exception("Clean memory", result); - } - - ~libhis_getnvdata() - { - //clean up NVStoer - result = Tspi_Context_CloseObject(hcontext, hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Close NVStore object", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPOLICY hpolicy_tpm; - TSS_HNVSTORE hnvstore; - UINT32 nvstore_index; -}; - -#endif diff --git a/tpm_module/libhis_getpcr.hpp b/tpm_module/libhis_getpcr.hpp deleted file mode 100644 index f8610b8e..00000000 --- a/tpm_module/libhis_getpcr.hpp +++ /dev/null @@ -1,106 +0,0 @@ -#ifndef libhis_getpcr_hpp -#define libhis_getpcr_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_getpcr -{ -public: - libhis_getpcr() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create PCRS object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_SHORT, &hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result); - } - - void getpcr( - unsigned char *mask, - unsigned char *&output_pcrs_value, - unsigned long &output_pcrs_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up mask - bool bitmask[24]; - for(short i = 0; i < 24; i++) - bitmask[i] = 0; - masktobitmask(mask, bitmask); - - //prepare the PCR output array - short counter = 0; - for(short i = 0; i < 24; i++) - if(bitmask[i]) counter++; - output_pcrs_size = counter * 20; - output_pcrs_value = new unsigned char[counter * 20]; - - //collect the PCR values - UINT32 temp_size; - BYTE *temp_value; - counter = 0; - for(unsigned long i = 0; i < 24; i++) - { - if(bitmask[i]) - { - result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result); - - result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result); - - result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - for(unsigned long j = 0; j < 20; j++) - output_pcrs_value[counter * 20 + j] = temp_value[j]; - - counter++; - - result = Tspi_Context_FreeMemory(hcontext, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result); - } - } - - return; - } - - ~libhis_getpcr() - { - //clean up PCRS - result = Tspi_Context_CloseObject(hcontext, hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPCRS hpcrs; -}; - -#endif diff --git a/tpm_module/libhis_getpubkey.hpp b/tpm_module/libhis_getpubkey.hpp deleted file mode 100644 index 138b9304..00000000 --- a/tpm_module/libhis_getpubkey.hpp +++ /dev/null @@ -1,166 +0,0 @@ -#ifndef libhis_getpubkey_hpp -#define libhis_getpubkey_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_getpubkey -{ -public: - libhis_getpubkey() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create EK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - } - - void getpubek( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *nonce, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //assign the TPM auth to the EK - result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to EK", result); - - //set up nonce - validation.ulExternalDataLength = 20; - validation.rgbExternalData = nonce; - - try - { - //get the public EK - result = Tspi_TPM_GetPubEndorsementKey(htpm, true, &validation, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result); - } - catch(libhis_exception &e) - { - //get the public EK the Atmel TPM in an Ultrabook way - result = Tspi_TPM_GetPubEndorsementKey(htpm, false, &validation, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result); - - //let a second exception make its way upward (should be same error code) - } - - //get the modulus - UINT32 mod_size; - BYTE *mod_value; - result = Tspi_GetAttribData(hkey_ek, TSS_TSPATTRIB_RSAKEY_INFO, TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &mod_size, &mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Get EK Blob", result); - - //copy out the EK modulus - output_size = mod_size; - output_value = new unsigned char[mod_size]; - for(unsigned long i = 0; i < mod_size; i++) - output_value[i] = mod_value[i]; - - //clean up ek modulus - result = Tspi_Context_FreeMemory(hcontext, mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result); - } - - void getpubsrk( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //set up key container - UINT32 mod_size; - BYTE *mod_value; - - //get the public EK - result = Tspi_TPM_OwnerGetSRKPubKey(htpm, &mod_size, &mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public SRK", result); - - //copy out the SRK modulus - output_size = mod_size; - output_value = new unsigned char[mod_size]; - for(unsigned long i = 0; i < mod_size; i++) - output_value[i] = mod_value[i]; - - //clean up SRK modulus - result = Tspi_Context_FreeMemory(hcontext, mod_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_ek; - TSS_HPOLICY hpolicy_tpm; - TSS_VALIDATION validation; -}; - -#endif diff --git a/tpm_module/libhis_getrandombytes.hpp b/tpm_module/libhis_getrandombytes.hpp deleted file mode 100644 index dce8aef3..00000000 --- a/tpm_module/libhis_getrandombytes.hpp +++ /dev/null @@ -1,71 +0,0 @@ -#ifndef libhis_getrandombytes_hpp -#define libhis_getrandombytes_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_getrandombytes -{ -public: - libhis_getrandombytes() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - } - - void getrandombytes( - unsigned long bytes_size, - unsigned char *&output_value) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //get random bytes - BYTE *bytes_value; - result = Tspi_TPM_GetRandom(htpm, bytes_size, &bytes_value); - if(result != TSS_SUCCESS) throw libhis_exception("Get Random Bytes", result); - - //copy C-style output into C++ format - output_value = new unsigned char[bytes_size]; - for(unsigned long i = 0; i < bytes_size; i++) - { - output_value[i] = bytes_value[i]; - } - - //clean up random bytes - result = Tspi_Context_FreeMemory(hcontext, bytes_value); - if(result != TSS_SUCCESS) throw libhis_exception("Cleanup bytes", result); - - return; - } - - ~libhis_getrandombytes() - { - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; -}; - -#endif diff --git a/tpm_module/libhis_quote.hpp b/tpm_module/libhis_quote.hpp deleted file mode 100644 index 00eb72bb..00000000 --- a/tpm_module/libhis_quote.hpp +++ /dev/null @@ -1,436 +0,0 @@ -#ifndef libhis_quote_hpp -#define libhis_quote_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_quote -{ -public: - libhis_quote() - { - //set default values - init_ik_size = TSS_KEY_SIZE_DEFAULT; - init_ik_type = TSS_KEY_TYPE_IDENTITY; - init_ik_authorized = TSS_KEY_AUTHORIZATION; - init_ik_migratable = TSS_KEY_NOT_MIGRATABLE; - init_ik_volatile = TSS_KEY_VOLATILE; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create IK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Create IK Policy", result); - } - - void init(bool bshort) - { - if(bshort) - { - //Create PCRS object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_SHORT, &hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result); - } - else - { - //Create PCRS object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO, &hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result); - } - - //combine the init flags - init_ik = init_ik_size | init_ik_type | init_ik_authorized | init_ik_migratable | init_ik_volatile; - - //Create IK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_ik, &hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Create IK", result); - - binitialized = true; - } - - void quote( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_ik_value, - unsigned long auth_ik_size, - bool auth_ik_sha1, - unsigned char *nonce, - unsigned char *uuid_ik_value, - unsigned char *mask, - unsigned char *&output_pcrs_value, - unsigned long &output_pcrs_size, - unsigned char *&output_quote_value, - unsigned long &output_quote_size, - unsigned char *&output_sig_value, - unsigned long &output_sig_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the IK UUID - hextouuid(uuid_ik_value, uuid_ik); - - //Get the IK by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Get IK by UUID", result); - - //set up IK auth - if(auth_ik_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result); - } - - //assign the IK auth - result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result); - - //Unwrap the IK - result = Tspi_Key_LoadKey(hkey_ik, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result); - - //set up nonce - validation.ulExternalDataLength = 20; - validation.rgbExternalData = nonce; - - //set up mask - bool bitmask[24]; - for(short i = 0; i < 24; i++) - bitmask[i] = 0; - masktobitmask(mask, bitmask); - - //prepare the PCR output array - short counter = 0; - for(short i = 0; i < 24; i++) - if(bitmask[i]) counter++; - output_pcrs_size = counter * 20; - output_pcrs_value = new unsigned char[counter * 20]; - - //collect the PCR values - UINT32 temp_size; - BYTE *temp_value; - counter = 0; - for(unsigned long i = 0; i < 24; i++) - { - if(bitmask[i]) - { - result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result); - - result = Tspi_PcrComposite_SelectPcrIndex(hpcrs, i); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result); - - result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - for(unsigned long j = 0; j < 20; j++) - output_pcrs_value[counter * 20 + j] = temp_value[j]; - - counter++; - - result = Tspi_Context_FreeMemory(hcontext, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result); - } - } - - //quote - result = Tspi_TPM_Quote(htpm, hkey_ik, hpcrs, &validation); - if(result != TSS_SUCCESS) throw libhis_exception("Quote", result); - - //copy values - output_quote_size = validation.ulDataLength; - output_quote_value = new unsigned char[validation.ulDataLength]; - for(unsigned long i = 0; i < validation.ulDataLength; i++) - output_quote_value[i] = validation.rgbData[i]; - - result = Tspi_Context_FreeMemory(hcontext, validation.rgbData); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up digest", result); - - output_sig_size = validation.ulValidationDataLength; - output_sig_value = new unsigned char [validation.ulValidationDataLength]; - for(unsigned long i = 0; i < validation.ulValidationDataLength; i++) - output_sig_value[i] = validation.rgbValidationData[i]; - - result = Tspi_Context_FreeMemory(hcontext, validation.rgbValidationData); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up signature", result); - - return; - } - - void quote2( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_ik_value, - unsigned long auth_ik_size, - bool auth_ik_sha1, - unsigned char *nonce, - unsigned char *uuid_ik_value, - unsigned char *mask, - unsigned char *&output_pcrs_value, - unsigned long &output_pcrs_size, - unsigned char *&output_quote_value, - unsigned long &output_quote_size, - unsigned char *&output_sig_value, - unsigned long &output_sig_size, - bool bCapVersion) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the IK UUID - hextouuid(uuid_ik_value, uuid_ik); - - //Get the IK by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Get IK by UUID", result); - - //set up IK auth - if(auth_ik_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result); - } - - //assign the IK auth - result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result); - - //Unwrap the IK - result = Tspi_Key_LoadKey(hkey_ik, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result); - - //set up nonce - validation.ulExternalDataLength = 20; - validation.rgbExternalData = nonce; - - //set up mask - bool bitmask[24]; - for(short i = 0; i < 24; i++) - bitmask[i] = 0; - masktobitmask(mask, bitmask); - - //prepare the PCR output array - short counter = 0; - for(short i = 0; i < 24; i++) - if(bitmask[i]) counter++; - output_pcrs_size = counter * 20; - output_pcrs_value = new unsigned char[counter * 20]; - - //collect the PCR values - UINT32 temp_size; - BYTE *temp_value; - counter = 0; - for(unsigned long i = 0; i < 24; i++) - { - if(bitmask[i]) - { - result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result); - - result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result); - - result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - for(unsigned long j = 0; j < 20; j++) - output_pcrs_value[counter * 20 + j] = temp_value[j]; - - counter++; - - result = Tspi_Context_FreeMemory(hcontext, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result); - } - } - - //quote2 - BYTE* version_value; - UINT32 version_size; - - //read PCR 10 again right before collecting the quote - if(bitmask[10]) - { - //reread PCR 10 - result = Tspi_TPM_PcrRead(htpm, 10, &temp_size, &temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result); - - //read quote2 - result = Tspi_TPM_Quote2(htpm, hkey_ik, bCapVersion, hpcrs, &validation, &version_size, &version_value); - if(result != TSS_SUCCESS) throw libhis_exception("Quote2", result); - - //set value of PCR 10 in the PCR Composite - result = Tspi_PcrComposite_SetPcrValue(hpcrs, 10, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - for(unsigned long j = 0; j < 20; j++) - output_pcrs_value[10 * 20 + j] = temp_value[j]; - - result = Tspi_Context_FreeMemory(hcontext, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result); - } else { - //read quote2 without rereading PCR 10 - result = Tspi_TPM_Quote2(htpm, hkey_ik, bCapVersion, hpcrs, &validation, &version_size, &version_value); - if(result != TSS_SUCCESS) throw libhis_exception("Quote2", result); - } - - //copy values - output_quote_size = validation.ulDataLength; - output_quote_value = new unsigned char[validation.ulDataLength]; - for(unsigned long i = 0; i < validation.ulDataLength; i++) - output_quote_value[i] = validation.rgbData[i]; - - result = Tspi_Context_FreeMemory(hcontext, validation.rgbData); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up digest", result); - - output_sig_size = validation.ulValidationDataLength; - output_sig_value = new unsigned char [validation.ulValidationDataLength]; - for(unsigned long i = 0; i < validation.ulValidationDataLength; i++) - output_sig_value[i] = validation.rgbValidationData[i]; - - result = Tspi_Context_FreeMemory(hcontext, validation.rgbValidationData); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up signature", result); - - result = Tspi_Context_FreeMemory(hcontext, version_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up version info", result); - - return; - } - - ~libhis_quote() - { - //clean up IK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Close IK Policy", result); - - if(binitialized) - { - //clean up PCRS - result = Tspi_Context_CloseObject(hcontext, hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result); - - //clean up IK - result = Tspi_Context_CloseObject(hcontext, hkey_ik); - if(result != TSS_SUCCESS) throw libhis_exception("Close IK", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_ik; - TSS_HPOLICY hpolicy_srk, - hpolicy_ik; - TSS_NONCE nonce; - TSS_VALIDATION validation; - TSS_UUID uuid_ik; - TSS_HPCRS hpcrs; - UINT32 init_ik, - init_ik_size, - init_ik_type, - init_ik_authorized, - init_ik_migratable, - init_ik_volatile; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_seal.hpp b/tpm_module/libhis_seal.hpp deleted file mode 100644 index 3689599c..00000000 --- a/tpm_module/libhis_seal.hpp +++ /dev/null @@ -1,347 +0,0 @@ -#ifndef libhis_seal_hpp -#define libhis_seal_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_seal -{ -public: - libhis_seal() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create PCRS object -#ifdef WINDOWS - //Windows and NTru are capable of unsealing all PCRS structures so use 1.2 LONG for full 24 PCR support - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_LONG, &hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result); -#endif -#ifdef LINUX - //Linux and Trousers CANNOT unseal 1.2 LONG or SHORT PCRS structures so use the legacy 1.1 structure with 16 PCR limit - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO, &hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result); -#endif - - //Create ENCData object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL, &hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result); - - //Create ENCData policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result); - } - - void seal( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_enc_value, - unsigned long auth_enc_size, - bool auth_enc_sha1, - unsigned char *mask, - unsigned char *payload_value, - unsigned long payload_size, - unsigned char *&output_enc_value, - unsigned long &output_enc_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //set up ENCData auth - if(auth_enc_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result); - } - - //assign the ENCData auth - result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result); - - //set up mask - bool bitmask[24]; - for(short i = 0; i < 24; i++) - bitmask[i] = 0; - masktobitmask(mask, bitmask); - - //collect the PCR values - UINT32 temp_size; - BYTE *temp_value; -#ifdef WINDOWS - for(unsigned long i = 0; i < 24; i++) //all PCRs available in SHORT or LONG -#endif -#ifdef LINUX - for(unsigned long i = 0; i < 16; i++) //we cannot use all PCRs in Linux mode due to legacy PCRS structure -#endif - { - if(bitmask[i]) - { - result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result); - - //don't do this for regular seal because creation PCRs are meaningless in this context - //result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_CREATION); - //if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at creation", result); - -#ifdef WINDOWS - //use EX functions because we are PCRS LONG - result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at release", result); -#endif -#ifdef LINUX - //cannot use EX functions - result = Tspi_PcrComposite_SelectPcrIndex(hpcrs, i); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index legacy mode", result); -#endif - result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - result = Tspi_Context_FreeMemory(hcontext, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result); - } - } - - //Seal data - result = Tspi_Data_Seal(hencdata, hkey_srk, payload_size, payload_value, hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Seal data", result); - - //Get the sealed data blob - BYTE *value; - UINT32 size; - result = Tspi_GetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Get sealed data blob", result); - - //copy over memory - output_enc_size = size; - output_enc_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_enc_value[i] = value[i]; - - //clean up dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result); - - return; - } - - void seal2( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_enc_value, - unsigned long auth_enc_size, - bool auth_enc_sha1, - unsigned char *mask, - unsigned char *payload_value, - unsigned long payload_size, - unsigned char *release_value, - unsigned long release_size, - unsigned char *&output_enc_value, - unsigned long &output_enc_size) - { -#ifdef LINUX - //don't even let the users do seal2 because TSS_PCRS_STRUCT_INFO_LONG does not work for unsealing in Linux - if(result != TSS_SUCCESS) throw libhis_exception("Command disabled in Linux due to TSS_PCRS_STRUCT_INFO_LONG unseal defect", TPM_E_DISABLED_CMD); -#endif - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //set up ENCData auth - if(auth_enc_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result); - } - - //assign the ENCData auth - result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result); - - //set up mask - bool bitmask[24]; - for(short i = 0; i < 24; i++) - bitmask[i] = 0; - masktobitmask(mask, bitmask); - - //collect the PCR values - UINT32 temp_size; - BYTE *temp_value; - short counter = 0; - for(unsigned long i = 0; i < 24; i++) - { - if(bitmask[i]) - { - //set the creation value - result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result); - - result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_CREATION); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at creation", result); - - result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - result = Tspi_Context_FreeMemory(hcontext, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result); - - //set the release value - temp_value = new unsigned char[20]; - for(short j = 0; j < 20; j++) - temp_value[j] = release_value[j + counter * 20]; - - result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE); - if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at release", result); - - result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value); - if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result); - - delete [] temp_value; - } - } - - //Seal data - result = Tspi_Data_Seal(hencdata, hkey_srk, payload_size, payload_value, hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Seal data", result); - - //Get the sealed data blob - BYTE *value; - UINT32 size; - result = Tspi_GetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Get sealed data blob", result); - - //copy over memory - output_enc_size = size; - output_enc_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_enc_value[i] = value[i]; - - //clean up dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result); - - return; - } - - ~libhis_seal() - { - //clean up ENCData policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result); - - //Clean up ENCData - result = Tspi_Context_CloseObject(hcontext, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result); - - //clean up PCRS - result = Tspi_Context_CloseObject(hcontext, hpcrs); - if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result); - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk; - TSS_HPOLICY hpolicy_srk, - hpolicy_enc; - TSS_HPCRS hpcrs; - TSS_HENCDATA hencdata; -}; - -#endif diff --git a/tpm_module/libhis_setnvdata.hpp b/tpm_module/libhis_setnvdata.hpp deleted file mode 100644 index 46f64628..00000000 --- a/tpm_module/libhis_setnvdata.hpp +++ /dev/null @@ -1,131 +0,0 @@ -#ifndef libhis_setnvdata_hpp -#define libhis_setnvdata_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_setnvdata -{ -public: - libhis_setnvdata() - { - //set defaults - nvstore_index = 0; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create NVSTore object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_NV, 0, &hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Create NVStore object", result); - } - - void setnvdata( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned long nv_index, - unsigned char *nv_value, - unsigned long nv_size) - { - //set up the index value - if(nv_index == 0) - nvstore_index = TPM_NV_INDEX_EKCert; - else if(nv_index == 1) - nvstore_index = TPM_NV_INDEX_TPM_CC; - else if(nv_index == 2) - nvstore_index = TPM_NV_INDEX_PlatformCert; - else if(nv_index == 3) - nvstore_index = TPM_NV_INDEX_Platform_CC; - else - nvstore_index = nv_index; - - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //assign the TPM auth to the NVStore - result = Tspi_Policy_AssignToObject(hpolicy_tpm, hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to NVStore", result); - - //set the write address - result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_INDEX, 0, nvstore_index); - if(result != TSS_SUCCESS) throw libhis_exception("Set NVStore index", result); - - //force NVData to be readable by the owner only - result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_PERMISSIONS, 0, TPM_NV_PER_OWNERREAD | TPM_NV_PER_OWNERWRITE); - if(result != TSS_SUCCESS) throw libhis_exception("Require owner auth on NVStore read/write", result); - - //set the size - result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_DATASIZE, 0, nv_size); - if(result != TSS_SUCCESS) throw libhis_exception("Set size of NVStore object", result); - - //define the space we need - result = Tspi_NV_DefineSpace(hnvstore, 0, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Define NVStore space", result); - - //write the value using the weird way the TSS does it - result = Tspi_NV_WriteValue(hnvstore, 0, nv_size, nv_value); - if(result != TSS_SUCCESS) throw libhis_exception("Write NVData", result); - } - - ~libhis_setnvdata() - { - //clean up NVStoer - result = Tspi_Context_CloseObject(hcontext, hnvstore); - if(result != TSS_SUCCESS) throw libhis_exception("Close NVStore object", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HPOLICY hpolicy_tpm; - TSS_HNVSTORE hnvstore; - UINT32 nvstore_index; -}; - -#endif diff --git a/tpm_module/libhis_sign.hpp b/tpm_module/libhis_sign.hpp deleted file mode 100644 index 5dd20a19..00000000 --- a/tpm_module/libhis_sign.hpp +++ /dev/null @@ -1,236 +0,0 @@ -#ifndef libhis_sign_hpp -#define libhis_sign_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_sign -{ -public: - libhis_sign() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - init_key_scheme = 0; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - - //create hash object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_HASH, TSS_HASH_SHA1, &hhash); - if(result != TSS_SUCCESS) throw libhis_exception("Create hash object", result); - } - - void initsign(unsigned int in_size, unsigned int in_scheme) - { - //set the type - init_key_type = TSS_KEY_TYPE_SIGNING; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //set the signature scheme - if(in_scheme == 0) - init_key_scheme = TSS_SS_RSASSAPKCS1V15_SHA1; - else if(in_scheme == 1) - init_key_scheme = TSS_SS_RSASSAPKCS1V15_DER; - else - init_key_scheme = TSS_SS_NONE; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - //Set the signature scheme - result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME, init_key_scheme); - if(result != TSS_SUCCESS) throw libhis_exception("Set signature scheme", result); - - binitialized = true; - } - - void sign( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *uuid_key_value, - unsigned char *hash, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //Unwrap the key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //set hash value - result = Tspi_Hash_UpdateHashValue(hhash, 20, hash); - if(result != TSS_SUCCESS) throw libhis_exception("Set hash value", result); - - //sign data - UINT32 size = 0; - BYTE *value = 0; - result = Tspi_Hash_Sign(hhash, hkey_key, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Sign", result); - - //copy dynamic values - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_value[i] = value[i]; - - //cleanup - Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Free memory", result); - } - - ~libhis_sign() - { - //clean up hash object - result = Tspi_Context_CloseObject(hcontext, hhash); - if(result != TSS_SUCCESS) throw libhis_exception("Close hash object", result); - - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key; - TSS_HPOLICY hpolicy_srk, - hpolicy_key; - TSS_UUID uuid_key; - TSS_HHASH hhash; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile, - init_key_scheme; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_takeownership.hpp b/tpm_module/libhis_takeownership.hpp deleted file mode 100644 index 62af7da6..00000000 --- a/tpm_module/libhis_takeownership.hpp +++ /dev/null @@ -1,168 +0,0 @@ -#ifndef libhis_takeownership_hpp -#define libhis_takeownership_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -class libhis_takeownership -{ -public: - libhis_takeownership() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create EK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create TPM policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - } - - void takeownership( - unsigned char *auth_tpm_value, - unsigned long auth_tpm_size, - bool auth_tpm_sha1, - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *nonce) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //set up TPM auth - if(auth_tpm_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result); - } - - //assign the TPM auth to the TPM - result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result); - - //assign the TPM auth to the EK - result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to EK", result); - - //set up nonce - validation.ulExternalDataLength = 20; - validation.rgbExternalData = nonce; - - try - { - //get the public EK - result = Tspi_TPM_GetPubEndorsementKey(htpm, false, &validation, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result); - } - catch(libhis_exception &e) - { - //get the public EK the Atmel TPM in an Ultrabook way - result = Tspi_TPM_GetPubEndorsementKey(htpm, true, &validation, &hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result); - - //let a second exception make its way upward (rare) - } - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //take ownership of the TPM - result = Tspi_TPM_TakeOwnership(htpm, hkey_srk, hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Take Ownership", result); - - //clean up validation data - result = Tspi_Context_FreeMemory(hcontext, validation.rgbData); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up rgbData", result); - - result = Tspi_Context_FreeMemory(hcontext, validation.rgbValidationData); - if(result != TSS_SUCCESS) throw libhis_exception("Clean up rgbValidationData", result); - - //test the SRK to make sure it actually works (required for NTru because TakeOwnership sometimes doesn't execute RegisterKey for SRK) - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Test the SRK", result); - - return; - } - - ~libhis_takeownership() - { - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up TPM policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm); - if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //clean up EK object - result = Tspi_Context_CloseObject(hcontext, hkey_ek); - if(result != TSS_SUCCESS) throw libhis_exception("Close EK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_ek, - hkey_srk; - TSS_HPOLICY hpolicy_tpm, - hpolicy_srk; - TSS_VALIDATION validation; -}; - -#endif diff --git a/tpm_module/libhis_unbind.hpp b/tpm_module/libhis_unbind.hpp deleted file mode 100644 index 09a11774..00000000 --- a/tpm_module/libhis_unbind.hpp +++ /dev/null @@ -1,270 +0,0 @@ -#ifndef libhis_unbind_hpp -#define libhis_unbind_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_unbind -{ -public: - libhis_unbind() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - init_key_scheme = 0; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - - //Create ENCData object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result); - - //Create ENCData policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result); - } - - void initbind(unsigned int in_size, unsigned int in_scheme) - { - //set the type - init_key_type = TSS_KEY_TYPE_BIND; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //set the encryption scheme - if(in_scheme == 0) - init_key_scheme = TSS_ES_RSAESPKCSV15; - else if(in_scheme == 1) - init_key_scheme = TSS_ES_RSAESOAEP_SHA1_MGF1; - else if(in_scheme == 2) - init_key_scheme = TSS_ES_SYM_CNT; - else if(in_scheme == 3) - init_key_scheme = TSS_ES_SYM_OFB; - else if(in_scheme == 4) - init_key_scheme = TSS_ES_SYM_CBC_PKCS5PAD; - else - init_key_scheme = TSS_ES_NONE; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - //Set the encryption scheme - result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME, init_key_scheme); - if(result != TSS_SUCCESS) throw libhis_exception("Set encryption scheme", result); - - binitialized = true; - } - - void unbind( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *auth_enc_value, - unsigned long auth_enc_size, - bool auth_enc_sha1, - unsigned char *uuid_key_value, - unsigned char *payload_value, - unsigned long payload_size, - unsigned char *&output_value, - unsigned long &output_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //Unwrap the key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //install the encrypted data blob into hencdata object - result = Tspi_SetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, payload_size, payload_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set encrypted data blob", result); - - //set up ENCData auth - if(auth_enc_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result); - } - - //assign the ENCData auth - result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result); - - //unseal the data - BYTE *value; - UINT32 size; - result = Tspi_Data_Unbind(hencdata, hkey_key, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Unbind", result); - - output_size = size; - output_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_value[i] = value[i]; - - //clean up dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result); - } - - ~libhis_unbind() - { - //clean up ENCData policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result); - - //Clean up ENCData - result = Tspi_Context_CloseObject(hcontext, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result); - - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key; - TSS_HPOLICY hpolicy_srk, - hpolicy_key, - hpolicy_enc; - TSS_UUID uuid_key; - TSS_HENCDATA hencdata; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile, - init_key_scheme; - bool binitialized; -}; - -#endif diff --git a/tpm_module/libhis_unseal.hpp b/tpm_module/libhis_unseal.hpp deleted file mode 100644 index d05b4e23..00000000 --- a/tpm_module/libhis_unseal.hpp +++ /dev/null @@ -1,157 +0,0 @@ -#ifndef libhis_unseal_hpp -#define libhis_unseal_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_unseal -{ -public: - libhis_unseal() - { - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create ENCData object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL, &hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result); - - //Create ENCData policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result); - } - - void unseal( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_enc_value, - unsigned long auth_enc_size, - bool auth_enc_sha1, - unsigned char *payload_value, - unsigned long payload_size, - unsigned char *&output_enc_value, - unsigned long &output_enc_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //install the encrypted data blob into hencdata object - result = Tspi_SetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, payload_size, payload_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set encrypted data blob", result); - - //set up ENCData auth - if(auth_enc_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result); - } - - //assign the ENCData auth - result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result); - - //unseal the data - BYTE *value; - UINT32 size; - result = Tspi_Data_Unseal(hencdata, hkey_srk, &size, &value); - if(result != TSS_SUCCESS) throw libhis_exception("Unseal", result); - - output_enc_size = size; - output_enc_value = new unsigned char[size]; - for(unsigned long i = 0; i < size; i++) - output_enc_value[i] = value[i]; - - //clean up dynamic memory - result = Tspi_Context_FreeMemory(hcontext, value); - if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result); - - return; - } - - ~libhis_unseal() - { - //clean up ENCData policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_enc); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result); - - //Clean up ENCData - result = Tspi_Context_CloseObject(hcontext, hencdata); - if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result); - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk; - TSS_HPOLICY hpolicy_srk, - hpolicy_enc; - TSS_HPCRS hpcrs; - TSS_HENCDATA hencdata; -}; - -#endif diff --git a/tpm_module/libhis_utils.hpp b/tpm_module/libhis_utils.hpp deleted file mode 100644 index ac1f273e..00000000 --- a/tpm_module/libhis_utils.hpp +++ /dev/null @@ -1,367 +0,0 @@ -#ifndef libhis_utils_hpp -#define libhis_utils_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" - -void hextouuid(unsigned char *hex, TSS_UUID &uuid) -{ - //process the unsigned long leading the UUID - for(short i = 0; i < 8; i++) - { - if(hex[i] >= 48 && hex[i] <= 57) - hex[i] -= 48; - else if(hex[i] >= 65 && hex[i] <= 70) - hex[i] -= 55; - else if(hex[i] >= 97 && hex[i] <= 102) - hex[i] -= 87; - else - throw libhis_exception("UUID validation failure", 420); - } - - uuid.ulTimeLow = hex[0] * 268435456 + hex[1] * 16777216 + hex[2] * 1048576 + - hex[3] * 65536 + hex[4] * 4096 + hex[5] * 256 + hex[6] * 16 + hex[7]; - - //process the unsigned short for midtime - for(short i = 9; i < 13; i++) - { - if(hex[i] >= 48 && hex[i] <= 57) - hex[i] -= 48; - else if(hex[i] >= 65 && hex[i] <= 70) - hex[i] -= 55; - else if(hex[i] >= 97 && hex[i] <= 102) - hex[i] -= 87; - else - throw libhis_exception("UUID validation failure", 421); - } - - uuid.usTimeMid = hex[9] * 4096 + hex[10] * 256 + hex[11] * 16 + hex[12]; - - //process the unsigned short for hightime - for(short i = 14; i < 18; i++) - { - if(hex[i] >= 48 && hex[i] <= 57) - hex[i] -= 48; - else if(hex[i] >= 65 && hex[i] <= 70) - hex[i] -= 55; - else if(hex[i] >= 97 && hex[i] <= 102) - hex[i] -= 87; - else - throw libhis_exception("UUID validation failure", 422); - } - - uuid.usTimeHigh = hex[14] * 4096 + hex[15] * 256 + hex[16] * 16 + hex[17]; - - //process bClockSeqHigh - for(short i = 19; i < 21; i++) - { - if(hex[i] >= 48 && hex[i] <= 57) - hex[i] -= 48; - else if(hex[i] >= 65 && hex[i] <= 70) - hex[i] -= 55; - else if(hex[i] >= 97 && hex[i] <= 102) - hex[i] -= 87; - else - throw libhis_exception("UUID validation failure", 423); - } - - uuid.bClockSeqHigh = hex[19] * 16 + hex[20]; - - //process bClockSeqLow - for(short i = 21; i < 23; i++) - { - if(hex[i] >= 48 && hex[i] <= 57) - hex[i] -= 48; - else if(hex[i] >= 65 && hex[i] <= 70) - hex[i] -= 55; - else if(hex[i] >= 97 && hex[i] <= 102) - hex[i] -= 87; - else - throw libhis_exception("UUID validation failure", 424); - } - - uuid.bClockSeqLow = hex[21] * 16 + hex[22]; - - //process final 6 byte array - for(short i = 24; i < 36; i++) - { - if(hex[i] >= 48 && hex[i] <= 57) - hex[i] -= 48; - else if(hex[i] >= 65 && hex[i] <= 70) - hex[i] -= 55; - else if(hex[i] >= 97 && hex[i] <= 102) - hex[i] -= 87; - else - throw libhis_exception("UUID validation failure", 425); - } - - uuid.rgbNode[0] = hex[24] * 16 + hex[25]; - uuid.rgbNode[1] = hex[26] * 16 + hex[27]; - uuid.rgbNode[2] = hex[28] * 16 + hex[29]; - uuid.rgbNode[3] = hex[30] * 16 + hex[31]; - uuid.rgbNode[4] = hex[32] * 16 + hex[33]; - uuid.rgbNode[5] = hex[34] * 16 + hex[35]; - - return; -} - -/* - * masktobitmask function that does it the screwed up TCG way - */ -void masktobitmask(unsigned char *mask, bool binarray[24]) -{ - int sequence[] = {1, 0, 3, 2, 5, 4}; - int i; - - //convert hex values to binary values while validating - for(short j = 0; j < 6; j++) - { - i = sequence[j]; - - switch(mask[i]) - { - case 48: //0 - { - break; - } - case 49: //1 - { - binarray[j * 4 + 0] = true; - break; - } - case 50: //2 - { - binarray[j * 4 + 1] = true; - break; - } - case 51: //3 - { - binarray[j * 4 + 0] = true; - binarray[j * 4 + 1] = true; - break; - } - case 52: //4 - { - binarray[j * 4 + 2] = true; - break; - } - case 53: //5 - { - binarray[j * 4 + 0] = true; - binarray[j * 4 + 2] = true; - break; - } - case 54: //6 - { - binarray[j * 4 + 1] = true; - binarray[j * 4 + 2] = true; - break; - } - case 55: //7 - { - binarray[j * 4 + 0] = true; - binarray[j * 4 + 1] = true; - binarray[j * 4 + 2] = true; - break; - } - case 56: //8 - { - binarray[j * 4 + 3] = true; - break; - } - case 57: //9 - { - binarray[j * 4 + 0] = true; - binarray[j * 4 + 3] = true; - break; - } - case 65: //a - case 97: //A - { - binarray[j * 4 + 1] = true; - binarray[j * 4 + 3] = true; - break; - } - case 66: //b - case 98: //B - { - binarray[j * 4 + 0] = true; - binarray[j * 4 + 1] = true; - binarray[j * 4 + 3] = true; - break; - } - case 67: //c - case 99: //C - { - binarray[j * 4 + 2] = true; - binarray[j * 4 + 3] = true; - break; - } - case 68: //d - case 100: //D - { - binarray[j * 4 + 0] = true; - binarray[j * 4 + 2] = true; - binarray[j * 4 + 3] = true; - break; - } - case 69: //e - case 101: //E - { - binarray[j * 4 + 1] = true; - binarray[j * 4 + 2] = true; - binarray[j * 4 + 3] = true; - break; - } - case 70: //f - case 102: //F - { - binarray[j * 4 + 0] = true; - binarray[j * 4 + 1] = true; - binarray[j * 4 + 2] = true; - binarray[j * 4 + 3] = true; - break; - } - default: - { - throw libhis_exception("Mask validation failure", 430); - } - } - } - - return; -} - -/* - * Original masktobitmask function. - */ -/*void masktobitmask(unsigned char *mask, bool binarray[24]) -{ - //convert hex values to binary values while validating - for(short i = 0; i < 6; i++) - { - switch(mask[i]) - { - case 48: //0 - { - break; - } - case 49: //1 - { - binarray[i * 4 + 3] = true; - break; - } - case 50: //2 - { - binarray[i * 4 + 2] = true; - break; - } - case 51: //3 - { - binarray[i * 4 + 3] = true; - binarray[i * 4 + 2] = true; - break; - } - case 52: //4 - { - binarray[i * 4 + 1] = true; - break; - } - case 53: //5 - { - binarray[i * 4 + 3] = true; - binarray[i * 4 + 1] = true; - break; - } - case 54: //6 - { - binarray[i * 4 + 2] = true; - binarray[i * 4 + 1] = true; - break; - } - case 55: //7 - { - binarray[i * 4 + 3] = true; - binarray[i * 4 + 2] = true; - binarray[i * 4 + 1] = true; - break; - } - case 56: //8 - { - binarray[i * 4 + 0] = true; - break; - } - case 57: //9 - { - binarray[i * 4 + 3] = true; - binarray[i * 4 + 0] = true; - break; - } - case 65: //a - case 97: //A - { - binarray[i * 4 + 2] = true; - binarray[i * 4 + 0] = true; - break; - } - case 66: //b - case 98: //B - { - binarray[i * 4 + 3] = true; - binarray[i * 4 + 2] = true; - binarray[i * 4 + 0] = true; - break; - } - case 67: //c - case 99: //C - { - binarray[i * 4 + 1] = true; - binarray[i * 4 + 0] = true; - break; - } - case 68: //d - case 100: //D - { - binarray[i * 4 + 3] = true; - binarray[i * 4 + 1] = true; - binarray[i * 4 + 0] = true; - break; - } - case 69: //e - case 101: //E - { - binarray[i * 4 + 2] = true; - binarray[i * 4 + 1] = true; - binarray[i * 4 + 0] = true; - break; - } - case 70: //f - case 102: //F - { - binarray[i * 4 + 3] = true; - binarray[i * 4 + 2] = true; - binarray[i * 4 + 1] = true; - binarray[i * 4 + 0] = true; - break; - } - default: - { - throw libhis_exception("Mask validation failure", 1); - } - } - } - - return; -}*/ - -#endif diff --git a/tpm_module/libhis_verifysignature.hpp b/tpm_module/libhis_verifysignature.hpp deleted file mode 100644 index e48f0564..00000000 --- a/tpm_module/libhis_verifysignature.hpp +++ /dev/null @@ -1,224 +0,0 @@ -#ifndef libhis_verifysignature_hpp -#define libhis_verifysignature_hpp - -#ifdef WINDOWS - #include "tspi.h" - #include "tss_error.h" - #include "tss_defines.h" -#endif -#ifdef LINUX - #include - #include - #include -#endif - -#include "libhis_exception.hpp" -#include "libhis_utils.hpp" - -class libhis_verifysignature -{ -public: - libhis_verifysignature() - { - //set default values - init_key_size = TSS_KEY_SIZE_DEFAULT; - init_key_type = TSS_KEY_TYPE_DEFAULT; - init_key_authorized = TSS_KEY_AUTHORIZATION; - init_key_migratable = TSS_KEY_NOT_MIGRATABLE; - init_key_volatile = TSS_KEY_VOLATILE; - init_key_scheme = 0; - binitialized = false; - - //create a context object - result = Tspi_Context_Create(&hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result); - - //create an SRK object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result); - - //Create SRK policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result); - - //Create key policy - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result); - - //create hash object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_HASH, TSS_HASH_SHA1, &hhash); - if(result != TSS_SUCCESS) throw libhis_exception("Create hash object", result); - } - - void initsign(unsigned int in_size, unsigned int in_scheme) - { - //set the type - init_key_type = TSS_KEY_TYPE_SIGNING; - - //set the key size - if(in_size == 0) - init_key_size = TSS_KEY_SIZE_DEFAULT; - else if(in_size == 512) - init_key_size = TSS_KEY_SIZE_512; - else if(in_size == 1024) - init_key_size = TSS_KEY_SIZE_1024; - else if(in_size == 2048) - init_key_size = TSS_KEY_SIZE_2048; - else if(in_size == 4096) - init_key_size = TSS_KEY_SIZE_4096; - else if(in_size == 8192) - init_key_size = TSS_KEY_SIZE_8192; - else if(in_size == 16384) - init_key_size = TSS_KEY_SIZE_16384; - else throw libhis_exception("Invalid key size", 400); - - //set the signature scheme - if(in_scheme == 0) - init_key_scheme = TSS_SS_RSASSAPKCS1V15_SHA1; - else if(in_scheme == 1) - init_key_scheme = TSS_SS_RSASSAPKCS1V15_DER; - else - init_key_scheme = TSS_SS_NONE; - - //combine the init flags - init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile; - - //Create key object - result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Create key", result); - - //Set the signature scheme - result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME, init_key_scheme); - if(result != TSS_SUCCESS) throw libhis_exception("Set signature scheme", result); - - binitialized = true; - } - - void verifysignature( - unsigned char *auth_srk_value, - unsigned long auth_srk_size, - bool auth_srk_sha1, - unsigned char *auth_key_value, - unsigned long auth_key_size, - bool auth_key_sha1, - unsigned char *uuid_key_value, - unsigned char *hash, - unsigned char *signature_value, - unsigned long signature_size) - { - //establish a session - result = Tspi_Context_Connect(hcontext, 0); - if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result); - - //get the TPM object - result = Tspi_Context_GetTpmObject(hcontext, &htpm); - if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result); - - //load the SRK - TSS_UUID uuid_srk = TSS_UUID_SRK; - result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result); - - //set up SRK auth - if(auth_srk_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result); - } - - //assign the SRK auth - result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result); - - //Set up the key UUID - hextouuid(uuid_key_value, uuid_key); - - //Get the key by UUID - result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result); - - //set up key auth - if(auth_key_sha1) - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result); - } - else - { - result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value); - if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result); - } - - //assign the key auth - result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result); - - //Unwrap the key - result = Tspi_Key_LoadKey(hkey_key, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result); - - //set hash value - result = Tspi_Hash_UpdateHashValue(hhash, 20, hash); - if(result != TSS_SUCCESS) throw libhis_exception("Set hash value", result); - - //verify signature data - result = Tspi_Hash_VerifySignature(hhash, hkey_key, signature_size, signature_value); - if(result != TSS_SUCCESS) throw libhis_exception("Verify signature", result); - } - - ~libhis_verifysignature() - { - //clean up hash object - result = Tspi_Context_CloseObject(hcontext, hhash); - if(result != TSS_SUCCESS) throw libhis_exception("Close hash object", result); - - //clean up key policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result); - - if(binitialized) - { - //clean up key - result = Tspi_Context_CloseObject(hcontext, hkey_key); - if(result != TSS_SUCCESS) throw libhis_exception("Close key", result); - } - - //clean up SRK policy - result = Tspi_Context_CloseObject(hcontext, hpolicy_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result); - - //clean up SRK object - result = Tspi_Context_CloseObject(hcontext, hkey_srk); - if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result); - - //close context - result = Tspi_Context_Close(hcontext); - if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result); - } - -private: - TSS_RESULT result; - TSS_HCONTEXT hcontext; - TSS_HTPM htpm; - TSS_HKEY hkey_srk, - hkey_key; - TSS_HPOLICY hpolicy_srk, - hpolicy_key; - TSS_UUID uuid_key; - TSS_HHASH hhash; - UINT32 init_key, - init_key_size, - init_key_type, - init_key_authorized, - init_key_migratable, - init_key_volatile, - init_key_scheme; - bool binitialized; -}; - -#endif diff --git a/tpm_module/main.cpp b/tpm_module/main.cpp deleted file mode 100644 index 5669a678..00000000 --- a/tpm_module/main.cpp +++ /dev/null @@ -1,31 +0,0 @@ -/** - * When compiling in Linux define LINUX. When compiling in Windows define - * WINDOWS. This software is designed to be compiled on either platform without - * modification. Simply set the preprocessor definitions and the code will take - * care of the rest. - */ - -/** - * This software was originally implemented as a static library. However, - * requirements changed and it resumed existing as a command line-driven - * executable. The libhis header files are designed such that you could easily - * break them out into their own library. They do not require inclusion of TCG - * headers or the use of TCG data structures. All input is handled with standard - * C++ types. - */ - -#include "libhis_cli.hpp" - -#ifdef LINUX -int main(int argc, char **argv) -#endif -#ifdef WINDOWS -unsigned long main(int argc, char **argv) -#endif -{ - //provide all arguments to our controller class - libhis_cli test(argc, argv); - - //return the integer result from our controller class's execution function - return test.cli(); -} diff --git a/tpm_module/makefile b/tpm_module/makefile deleted file mode 100644 index 9e303a8d..00000000 --- a/tpm_module/makefile +++ /dev/null @@ -1,58 +0,0 @@ -################################################################################ -# Automatically-generated file. Do not edit! -################################################################################ - --include makefile.init - -RM := rm -rf - -# All of the sources participating in the build are defined here --include sources.mk --include subdir.mk --include objects.mk - -ifneq ($(MAKECMDGOALS),clean) -ifneq ($(strip $(C++_DEPS)),) --include $(C++_DEPS) -endif -ifneq ($(strip $(C_DEPS)),) --include $(C_DEPS) -endif -ifneq ($(strip $(CC_DEPS)),) --include $(CC_DEPS) -endif -ifneq ($(strip $(CPP_DEPS)),) --include $(CPP_DEPS) -endif -ifneq ($(strip $(CXX_DEPS)),) --include $(CXX_DEPS) -endif -ifneq ($(strip $(C_UPPER_DEPS)),) --include $(C_UPPER_DEPS) -endif -endif - --include makefile.defs - -# Add inputs and outputs from these tool invocations to the build variables - -# All Target -all: tpm_module - -# Tool invocations -tpm_module: $(OBJS) $(USER_OBJS) - @echo 'Building target: $@' - @echo 'Invoking: GCC C++ Linker' - g++ -o "tpm_module" $(OBJS) $(USER_OBJS) $(LIBS) - @echo 'Finished building target: $@' - @echo ' ' - -# Other Targets -clean: - -$(RM) $(OBJS)$(C++_DEPS)$(C_DEPS)$(CC_DEPS)$(CPP_DEPS)$(EXECUTABLES)$(CXX_DEPS)$(C_UPPER_DEPS) tpm_module - -@echo ' ' - -.PHONY: all clean dependents -.SECONDARY: - --include makefile.targets diff --git a/tpm_module/man/tpm_module.1 b/tpm_module/man/tpm_module.1 deleted file mode 100644 index 4f65b02f..00000000 --- a/tpm_module/man/tpm_module.1 +++ /dev/null @@ -1,111 +0,0 @@ -.TH TPM_MODULE 1 "January 11, 2018" - -.sp 1 -.SH NAME -tpm_module \- interact with the TPM -.SH SYNOPSIS -.B tpm_module -[\-m ] [\-options] -.SH DESCRIPTION -Provide various modes for interacting with the TPM. -.SH MODES -1 Take Ownership of TPM -.br -2 Change Owner Authorization Data -.br -3 Clear Ownership (Disables TPM) -.br -4 Create EK -.br -5 Change SRK Authorization Data -.br -6 Collate Identity Request (Create Identity Key) -.br -7 Activate Identity (Create Identity Key Certificate) -.br -8 Quote -.br -9 Quote 2 -.br -10 Seal Data (Encrypt Data to Current Platform State) -.br -11 Seal 2 (Seal Against Future PCRs) -.br -12 Unseal Data -.br -13 Generate Random Bytes -.br -14 Create Signing, Binding, or Storage Key -.br -15 Change Key Authorization Data -.br -16 Get Keyblob -.br -17 Get Key Modulus -.br -18 Clear Key -.br -19 Get PCR -.br -20 Extend PCR (Update PCR Value) -.br -21 Clear PCR -.br -22 Set NVRAM Data -.br -23 Get NVRAM Data -.br -24 Clear NVRAM Data -.br -25 Sign Data -.br -26 Verify Signed Data -.br -27 Bind -.br -28 Unbind -.br -29 Get Public Key -.SH OPTIONS -.B \-h, \-\-help -.IP -display help, use with -m to see help/options for individual modes -.P -.B \-v, \-\-version -.IP -display software version info -.P -.B \-d, \-\-debug -.IP -enable console debugging -.P -.B \-f, \-\-file -.IP -write debugging info to file -.P -.B \-z, \-\-zeros -.IP -fill in authdata with zeroes -.P -.B \-r, \-\-readable -.IP -make output human-readable with delimiters -.P -.B \-nr, \-\-nonce_random -.IP -populate nonce with TPM's random byte generator -.SH EXAMPLES -Take ownership of TPM using a specific nonce and zeroes for auth data: -.IP -tpm_module \-m 1 \-n 0123456789012345678901234567890123456789 \-z -.P -Get help with collate identity request mode: -.IP -tpm_module \-m 6 \-h -.P -Generate a quote2 using the first 16 PCRs, random nonce, identity key with -simple UUID, and omitted SRK auth as zeroes: -.IP -tpm_module \-m 9 \-p ffff00 \-nr \-u 00000000\-0000\-0000\-0000\-040000000001 \-authp_ik password \-z -.SH SEE ALSO -hirs-provisioner(1) diff --git a/tpm_module/objects.mk b/tpm_module/objects.mk deleted file mode 100644 index 95273fe4..00000000 --- a/tpm_module/objects.mk +++ /dev/null @@ -1,8 +0,0 @@ -################################################################################ -# Automatically-generated file. Do not edit! -################################################################################ - -USER_OBJS := - -LIBS := -ltspi - diff --git a/tpm_module/sources.mk b/tpm_module/sources.mk deleted file mode 100644 index 5b37eadd..00000000 --- a/tpm_module/sources.mk +++ /dev/null @@ -1,27 +0,0 @@ -################################################################################ -# Automatically-generated file. Do not edit! -################################################################################ - -O_SRCS := -CPP_SRCS := -C_UPPER_SRCS := -C_SRCS := -S_UPPER_SRCS := -OBJ_SRCS := -ASM_SRCS := -CXX_SRCS := -C++_SRCS := -CC_SRCS := -OBJS := -C++_DEPS := -C_DEPS := -CC_DEPS := -CPP_DEPS := -EXECUTABLES := -CXX_DEPS := -C_UPPER_DEPS := - -# Every subdirectory with source files must be described here -SUBDIRS := \ -. \ - diff --git a/tpm_module/subdir.mk b/tpm_module/subdir.mk deleted file mode 100644 index 75c898de..00000000 --- a/tpm_module/subdir.mk +++ /dev/null @@ -1,24 +0,0 @@ -################################################################################ -# Automatically-generated file. Do not edit! -################################################################################ - -# Add inputs and outputs from these tool invocations to the build variables -CPP_SRCS += \ -main.cpp - -OBJS += \ -main.o - -CPP_DEPS += \ -main.d - - -# Each subdirectory must supply rules for building sources it contributes -%.o: %.cpp - @echo 'Building file: $<' - @echo 'Invoking: GCC C++ Compiler' - g++ -DLINUX -I"./tpm_module" -O3 -Wall -c -fmessage-length=0 -MMD -MP -MF"$(@:%.o=%.d)" -MT"$(@:%.o=%.d)" -o "$@" "$<" - @echo 'Finished building: $<' - @echo ' ' - - From fd3bbd26a3e31b77a3210d2ddc17f45ba5a3f55f Mon Sep 17 00:00:00 2001 From: "iadgovuser26 iadgovuser26@empire.eclipse.ncsc.mil" Date: Wed, 21 Aug 2024 14:01:36 -0400 Subject: [PATCH 3/3] removed TPM_Utils --- TPM_Utils/build.gradle | 45 ---- TPM_Utils/config/checkstyle/suppressions.xml | 13 - TPM_Utils/src/main/java/hirs/tpm/tss/Tpm.java | 60 ----- .../tpm/tss/command/CommandException.java | 28 -- .../hirs/tpm/tss/command/CommandResult.java | 42 --- .../java/hirs/tpm/tss/command/CommandTpm.java | 245 ------------------ .../hirs/tpm/tss/command/package-info.java | 4 - .../main/java/hirs/tpm/tss/package-info.java | 4 - TPM_Utils/src/main/resources/log4j2.xml | 13 - .../hirs/tpm/tss/command/CommandTpmTest.java | 68 ----- .../hirs/tpm/tss/command/package-info.java | 4 - 11 files changed, 526 deletions(-) delete mode 100644 TPM_Utils/build.gradle delete mode 100644 TPM_Utils/config/checkstyle/suppressions.xml delete mode 100644 TPM_Utils/src/main/java/hirs/tpm/tss/Tpm.java delete mode 100644 TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandException.java delete mode 100644 TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandResult.java delete mode 100644 TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandTpm.java delete mode 100644 TPM_Utils/src/main/java/hirs/tpm/tss/command/package-info.java delete mode 100644 TPM_Utils/src/main/java/hirs/tpm/tss/package-info.java delete mode 100644 TPM_Utils/src/main/resources/log4j2.xml delete mode 100644 TPM_Utils/src/test/java/hirs/tpm/tss/command/CommandTpmTest.java delete mode 100644 TPM_Utils/src/test/java/hirs/tpm/tss/command/package-info.java diff --git a/TPM_Utils/build.gradle b/TPM_Utils/build.gradle deleted file mode 100644 index ba924731..00000000 --- a/TPM_Utils/build.gradle +++ /dev/null @@ -1,45 +0,0 @@ -apply plugin: 'java' -apply plugin: 'checkstyle' -apply plugin: 'jacoco' - -sourceCompatibility = 1.8 - -dependencies { - compile libs.log4j2 - compile libs.commons_codec - compile libs.commons_io - compile libs.commons_lang - compile libs.spring_core - - testCompile libs.testng -} - -ext.configDir = new File(projectDir, 'config') -ext.checkstyleConfigDir = "$configDir/checkstyle" - -checkstyle { - toolVersion = '5.7' - configFile = checkstyleConfigFile - configProperties.put('basedir', checkstyleConfigDir) - ignoreFailures = false - showViolations = true -} - -jacocoTestReport { - reports { - xml.enabled true - csv.enabled true - html.enabled true - html.destination "${buildDir}/reports/jacoco/html" - } -} - -publishing { - publications { - maven(MavenPublication) { - artifactId 'hirs-tpm-utils' - from components.java - } - } -} - diff --git a/TPM_Utils/config/checkstyle/suppressions.xml b/TPM_Utils/config/checkstyle/suppressions.xml deleted file mode 100644 index 3693de9b..00000000 --- a/TPM_Utils/config/checkstyle/suppressions.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - - - - diff --git a/TPM_Utils/src/main/java/hirs/tpm/tss/Tpm.java b/TPM_Utils/src/main/java/hirs/tpm/tss/Tpm.java deleted file mode 100644 index d02962b6..00000000 --- a/TPM_Utils/src/main/java/hirs/tpm/tss/Tpm.java +++ /dev/null @@ -1,60 +0,0 @@ -package hirs.tpm.tss; - -import java.io.IOException; - -/** - * Defines the functionality of a Tpm as specified in the TCG TSS Specification. - */ -public interface Tpm { - - /** - * Takes ownership of an active but unowned Tpm. - */ - void takeOwnership(); - - /** - * Obtain the public Endorsement Credential modulus. - * - * @return the endorsement credential modulus - * @see #collateIdentityRequest(byte[], String) - */ - byte[] getEndorsementCredentialModulus(); - - /** - * Obtains the full Endorsement Credential stored in the TPM. - * @return the EC on the TPM, if present, otherwise null - * @throws IOException if there's an error writing the EC to a temporary file for processing - */ - byte[] getEndorsementCredential() throws IOException; - - /** - * Instructs the Tpm to collate an identity request as stated in the TSS specification. - * - * @param acaPublicKey non null, ACA PK information. - * @param uuid non null, non empty, UUID for the identity. - * @return the identity request. to be later attested. - */ - byte[] collateIdentityRequest(byte[] acaPublicKey, String uuid); - - /** - * Activates the identity within the TPM given the label and ACA symmetric and asymmetric - * identity response blobs. The return will be the identity credential that is activated within - * the TPM. - * - * @param asymmetricBlob from ACA identity response - * @param symmetricBlob from ACA identity response - * @param uuid of the identity request - * @return the activated identity credential - */ - byte[] activateIdentity(byte[] asymmetricBlob, byte[] symmetricBlob, String uuid); - - /** - * Queries the TPM for quote data given the specified pcrValues using the specified UUID. - * - * @param pcrValues cannot be null or empty - * @param nonce cannot be null or empty - * @param uuid cannot be null or empty - * @return quote data - */ - byte[] getQuote(String pcrValues, String nonce, String uuid); -} diff --git a/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandException.java b/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandException.java deleted file mode 100644 index b3a71985..00000000 --- a/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandException.java +++ /dev/null @@ -1,28 +0,0 @@ -package hirs.tpm.tss.command; - -/** - * Exception that is thrown by the {@link CommandTpm} when executing operations. - */ -public class CommandException extends RuntimeException { - - private CommandResult commandResult; - - /** - * Constructs this exception with the specified message and the command result. - * - * @param message as to why this exception occurred - * @param commandResult the result of the command that caused this exception - */ - public CommandException(final String message, final CommandResult commandResult) { - super(message); - - this.commandResult = commandResult; - } - - /** - * @return {@link CommandResult} of the command that caused this exception - */ - public CommandResult getCommandResult() { - return this.commandResult; - } -} diff --git a/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandResult.java b/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandResult.java deleted file mode 100644 index 9e09fe20..00000000 --- a/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandResult.java +++ /dev/null @@ -1,42 +0,0 @@ -package hirs.tpm.tss.command; - -/** - * Encapsulates the results of executing a command. - */ -public class CommandResult { - - /** - * The exit status when attempting to take ownership of an already owned TPM. - */ - public static final int TPM_PREVIOUSLY_OWNED_ERROR = 20; - - private String output; - - private int exitStatus; - - /** - * Creates the command result with the specified output and exist status. - * - * @param output of the command - * @param exitStatus of the command - */ - public CommandResult(final String output, final int exitStatus) { - this.output = output; - this.exitStatus = exitStatus; - } - - /** - * @return command output. - */ - public String getOutput() { - return output; - } - - /** - * @return command exit status. - */ - public int getExitStatus() { - return exitStatus; - } - -} diff --git a/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandTpm.java b/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandTpm.java deleted file mode 100644 index 3155e4a1..00000000 --- a/TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandTpm.java +++ /dev/null @@ -1,245 +0,0 @@ -package hirs.tpm.tss.command; - -import hirs.tpm.tss.Tpm; -import org.apache.commons.codec.DecoderException; -import org.apache.commons.codec.binary.Hex; -import org.apache.commons.io.FileUtils; -import org.apache.commons.io.IOUtils; -import org.apache.commons.lang3.ArrayUtils; -import org.apache.commons.lang3.StringUtils; -import org.springframework.util.Assert; - -import java.io.File; -import java.io.IOException; -import java.io.InputStream; - -/** - * Implementation of a {@link Tpm} that uses the TPM_MODULE command as the interface to the TPM. - */ -public class CommandTpm implements Tpm { - - private static final String TPM_COMMAND = "/usr/bin/tpm_module"; - private static final String TPM_TOOLS_READ_COMMAND = "tpm_nvread"; - private static final String TPM_TOOLS_INFO_COMMAND = "tpm_nvinfo"; - - // The fixed location of the endorsement credential (TPM 1.2 only) - private static final int EC_INDEX = 0xf000; - private static final int EC_INDEX_MASK = 0x0000ffff; - - private static final String IDENTITY_LABEL = "HISIdentityKey"; - - @Override - public void takeOwnership() { - // take ownership if the TPM is currently unowned - try { - sendTPMCommand("-nr -m 1 -z"); - } catch (CommandException ex) { - - // if the error isn't that the TPM is already owned, bubble the exception up. - if (ex.getCommandResult().getExitStatus() != CommandResult.TPM_PREVIOUSLY_OWNED_ERROR) { - throw ex; - } - } - } - - @Override - public byte[] getEndorsementCredentialModulus() { - return sendTPMCommand("-m 17 -z -nr -t ek").getOutput().getBytes(); - } - - @Override - public byte[] getEndorsementCredential() throws IOException { - File tempExtractFile = File.createTempFile("nvread-extract", ".tmp"); - - try { - int ecIndex = findEndorsementCredentialIndex(); - int ecSize = getEndorsementCredentialSize(ecIndex); - // don't care about the stdout from this command. If the command fails, an exception - // is thrown, otherwise, read the temp file content - String argList = "-i " + ecIndex - + " -s " + ecSize + " -z -f " + tempExtractFile.getAbsolutePath(); - - sendCommand(TPM_TOOLS_READ_COMMAND, argList); - return FileUtils.readFileToByteArray(tempExtractFile); - } finally { - FileUtils.deleteQuietly(tempExtractFile); - } - } - - private int findEndorsementCredentialIndex() { - CommandResult command = sendCommand(TPM_TOOLS_INFO_COMMAND, ""); - return parseEcIndexFromNvInfoOutput(command.getOutput()); - } - - /** - * Parses the output from tpm_nvinfo to find the index for the endorsement credential. - * @param commandOutput the output of the tpm_nvinfo command - * @return the index of the EC - */ - static int parseEcIndexFromNvInfoOutput(final String commandOutput) { - String[] lines = commandOutput.trim().split("\\r?\\n"); - - for (String line: lines) { - if (line.startsWith("NVRAM index")) { - String rawIndex = line.split(":")[1].trim(); - String hexIndexStr = rawIndex.split(" ")[0]; - int index = Integer.decode(hexIndexStr); - if ((EC_INDEX_MASK & index) == EC_INDEX) { - return index; - } - } - } - - throw new RuntimeException("Failed to find index for EC"); - } - - private int getEndorsementCredentialSize(final int index) { - try { - String args = "-i " + index; - CommandResult command = sendCommand(TPM_TOOLS_INFO_COMMAND, args); - return parseNvramSizeFromNvInfoOutput(command.getOutput()); - } catch (Exception ex) { - throw new RuntimeException("Failed to get EC size: ", ex); - } - } - - - /** - * Parses the output from tpm_nvinfo for a particular address, returning the size of the - * data at the queried address. - * @param commandOutput the output of a tpm_nvinfo -i [address] command - * @return the size at the address, as a decimal integer - */ - static int parseNvramSizeFromNvInfoOutput(final String commandOutput) { - // trim the ends and split on lines. - String[] lines = commandOutput.trim().split("\\r?\\n"); - - // search lines for the first "Size" line, which contains the # of bytes to - // read at the location - for (String line : lines) { - if (line.startsWith("Size")) { - String rawSizeValue = line.split(":")[1].trim(); - // The value after the ":" contains the decimal and hex values. - // Parse out the decimal portion - String decimalSizeStr = rawSizeValue.split(" ")[0]; - return Integer.parseInt(decimalSizeStr); - } - } - - throw new RuntimeException("Failed to find size from EC's NVRAM area"); - } - - @Override - public byte[] collateIdentityRequest(final byte[] acaPublicKey, final String uuid) { - Assert.notNull(acaPublicKey, "acaPublicKey is null"); - Assert.hasLength(uuid, "uuid must not be empty or null"); - - // encode the aca PK to a hex string. - String hexAcaBlob = Hex.encodeHexString(acaPublicKey); - - // send the collate identity request - String request = sendTPMCommand( - String.format("-nr -z -o -m 6 -p %s -u %s -l %s -nvram -debug", - hexAcaBlob, uuid, IDENTITY_LABEL)).getOutput(); - - try { - // attempt to decode the response - return Hex.decodeHex(request.toCharArray()); - } catch (DecoderException e) { - throw new RuntimeException( - "Encountered error decoding response from tpm_module: " + e.getMessage(), e); - } - } - - @Override - public byte[] activateIdentity(final byte[] asymmetricBlob, final byte[] symmetricBlob, - final String uuid) { - Assert.notNull(asymmetricBlob, "asymmetricBlob is null"); - Assert.notNull(symmetricBlob, "symmetricBlob is null"); - Assert.hasLength(uuid, "uuid must not be empty or null"); - - // encode the blobs into hex strings - String hexAsymmetric = Hex.encodeHexString(asymmetricBlob); - String hexSymmetric = Hex.encodeHexString(symmetricBlob); - - // issue the activate identity command - CommandResult result = sendTPMCommand(String.format("-asym %s -sym %s -u %s -m 7 -z - nr", - hexAsymmetric, hexSymmetric, uuid)); - - try { - return Hex.decodeHex(result.getOutput().toCharArray()); - } catch (DecoderException e) { - throw new RuntimeException( - "Encountered error decoding response from tpm_module: " + e.getMessage(), e); - } - } - - @Override - public byte[] getQuote(final String pcr, final String nonce, final String uuid) { - Assert.hasLength(pcr, "pcr must not be empty or null"); - Assert.hasLength(nonce, "nonce must not be empty or null"); - Assert.hasLength(uuid, "uuid must not be empty or null"); - - // issues the quote 2 command (-m 9) to retrieve the quote for the selected PCR (-p #). - CommandResult result = - sendTPMCommand(String.format("-m 9 -z -n %s -c -u %s -p %s", nonce, uuid, pcr)); - - try { - return Hex.decodeHex(result.getOutput().toCharArray()); - } catch (DecoderException e) { - throw new RuntimeException( - "Encountered error decoding response from tpm_module: " + e.getMessage(), e); - } - } - - private CommandResult sendTPMCommand(final String arguments) { - // always run the tpm_module with debug (-d). - // otherwise the exit status and error messages are squelched. - return sendCommand(TPM_COMMAND, "-d " + arguments); - } - - /** - * Issues the specified command to the tpm_module process. - */ - private CommandResult sendCommand(final String application, final String arguments) { - String[] command = {application}; - - // add the specified arguments to the command - command = ArrayUtils.addAll(command, arguments.split("\\s+")); - - // build up the process - ProcessBuilder processBuilder = new ProcessBuilder(command); - - // merge the error stream into the standard output - processBuilder.redirectErrorStream(true); - - try { - // issue the command - Process process = processBuilder.start(); - - // block and wait for the process to be complete - int returnCode = process.waitFor(); - - try (InputStream processInputStream = process.getInputStream()) { - // grab the command output - String output = IOUtils.toString(processInputStream); - - // construct the command result - CommandResult result = new CommandResult(output, returnCode); - - // if the command wasn't successful, generate an exception with command output - if (returnCode != 0) { - throw new CommandException( - String.format("Encountered error: %s while executing command: %s", - output, StringUtils.join(command, " ")), result); - } - - return result; - } - - - } catch (IOException | InterruptedException e) { - throw new RuntimeException(e.getMessage(), e); - } - } -} diff --git a/TPM_Utils/src/main/java/hirs/tpm/tss/command/package-info.java b/TPM_Utils/src/main/java/hirs/tpm/tss/command/package-info.java deleted file mode 100644 index 6a25985e..00000000 --- a/TPM_Utils/src/main/java/hirs/tpm/tss/command/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * Defines command line interface to the TPM/TSS. - */ -package hirs.tpm.tss.command; diff --git a/TPM_Utils/src/main/java/hirs/tpm/tss/package-info.java b/TPM_Utils/src/main/java/hirs/tpm/tss/package-info.java deleted file mode 100644 index da775052..00000000 --- a/TPM_Utils/src/main/java/hirs/tpm/tss/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * Defines high level interfaces for communicating and interacting with a TPM. - */ -package hirs.tpm.tss; diff --git a/TPM_Utils/src/main/resources/log4j2.xml b/TPM_Utils/src/main/resources/log4j2.xml deleted file mode 100644 index 3d322ea8..00000000 --- a/TPM_Utils/src/main/resources/log4j2.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - - - - - - diff --git a/TPM_Utils/src/test/java/hirs/tpm/tss/command/CommandTpmTest.java b/TPM_Utils/src/test/java/hirs/tpm/tss/command/CommandTpmTest.java deleted file mode 100644 index 3d6699e8..00000000 --- a/TPM_Utils/src/test/java/hirs/tpm/tss/command/CommandTpmTest.java +++ /dev/null @@ -1,68 +0,0 @@ -package hirs.tpm.tss.command; - -import org.testng.Assert; -import org.testng.annotations.Test; - -/** - * Unit tests for {@see CommandTpm}. - */ -public class CommandTpmTest { - - /** - * Tests retrieving the size given a valid output from tpm_nvinfo. - */ - @Test - public void parseSizeValid() { - final int expectedSize = 1129; - - String nvInfoOutput = - "\n" - + "NVRAM index : 0x1000f000 (268496896)\n" - + "PCR read selection:\n" - + " Localities : ALL\n" - + "PCR write selection:\n" - + " Localities : ALL\n" - + "Permissions : 0x00020002 (OWNERREAD|OWNERWRITE)\n" - + "bReadSTClear : FALSE\n" - + "bWriteSTClear : FALSE\n" - + "bWriteDefine : FALSE\n" - + "Size : 1129 (0x469)\n" - + "\n"; - - - int readSize = CommandTpm.parseNvramSizeFromNvInfoOutput(nvInfoOutput); - - Assert.assertEquals(readSize, expectedSize); - } - - /** - * Tests failure to get the size given output from tpm_nvinfo with missing size value. - */ - @Test(expectedExceptions = RuntimeException.class) - public void parseSizeMissingSizeValue() { - String nvInfoOutput = - "\n" - + "NVRAM index : 0x1000f000 (268496896)\n" - + "PCR read selection:\n" - + " Localities : ALL\n" - + "PCR write selection:\n" - + " Localities : ALL\n" - + "Permissions : 0x00020002 (OWNERREAD|OWNERWRITE)\n" - + "bReadSTClear : FALSE\n" - + "bWriteSTClear : FALSE\n" - + "bWriteDefine : FALSE\n" - + "Strength : 1129 (0x469)\n" - + "\n"; - - CommandTpm.parseNvramSizeFromNvInfoOutput(nvInfoOutput); - } - - /** - * Tests failure to get the EC size given a completely garbage tpm_nvifo output. - */ - @Test(expectedExceptions = RuntimeException.class) - public void parseSizeBadOutput() { - String nvInfoOutput = "bad data here. FAILURE TO READ SOMETHING!"; - CommandTpm.parseNvramSizeFromNvInfoOutput(nvInfoOutput); - } -} diff --git a/TPM_Utils/src/test/java/hirs/tpm/tss/command/package-info.java b/TPM_Utils/src/test/java/hirs/tpm/tss/command/package-info.java deleted file mode 100644 index 52095749..00000000 --- a/TPM_Utils/src/test/java/hirs/tpm/tss/command/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * Tests for the TPM command classes. - */ -package hirs.tpm.tss.command;