ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-18 20:47:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #824 from nsacyber/v3_issue_813

Browse Source 
Removed HIRS_Provisioner
This commit is contained in:
iadgovuser26 2024-08-21 15:16:59 -04:00 committed by GitHub
commit 059cb5f1bf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
95 changed files with 0 additions and 12179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
.github/workflows/package_centos.yml vendored
View File

@ -1,64 +0,0 @@
name: HIRS packages for centos
on:
push:
branches:
- '*v2*'
- 'master'
workflow_dispatch:
jobs:
# run the package script for HIRS ACA, Provisioners, tcg_rim_tool, and tcg_eventlog_tool
Package:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '8'
distribution: 'adopt'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
package_centos:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- name: directory setup
run: |
mkdir -p artifacts/jars
mkdir -p artifacts/wars
mkdir -p artifacts/rpms
- name: Create HIRS packages
run: |
echo ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
docker run --rm \
-v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash \
-c 'pushd /HIRS; \
sh package/package.centos.sh; \
cp /HIRS/package/rpm/RPMS/noarch/* /HIRS/artifacts/rpms/.; \
cp /HIRS/package/rpm/RPMS/x86_64/* /HIRS/artifacts/rpms/.; \
sh /HIRS/tools/tcg_rim_tool/package.sh; \
cp /HIRS/tools/tcg_rim_tool/rpmbuild/BUILD/tcg_rim_tool/build/libs/* /HIRS/artifacts/jars/.; \
cp /HIRS/tools/tcg_rim_tool/rpmbuild/RPMS/x86_64/* /HIRS/artifacts/rpms/.; \
sh /HIRS/tools/tcg_eventlog_tool/gradlew clean buildRPM; \
cp /HIRS/tools/tcg_eventlog_tool/build/libs/tools/* /HIRS/artifacts/jars/.; \
cp /HIRS/tools/tcg_eventlog_tool/build/distributions/* /HIRS/artifacts/rpms/.; \
popd;'
- name: Archive RPM files
uses: actions/upload-artifact@v2
with:
name: RPM_Files
path: artifacts/rpms/*
if-no-files-found: error
- name: Archive Jar files
uses: actions/upload-artifact@v2
with:
name: JAR_Files
path: artifacts/jars/

4
HIRS_Provisioner/TPMModule.properties
View File

@ -1,4 +0,0 @@
TpmModuleExePath = exe
ExeName = /tpm_module
TrousersMode = False
DebugMode = True

78
HIRS_Provisioner/build.gradle
View File

@ -1,78 +0,0 @@
apply plugin: 'findbugs'
apply plugin: 'checkstyle'
apply plugin: 'application'
sourceCompatibility = 1.8
mainClassName = "hirs.provisioner.ProvisionerApplication"
dependencies {
compile project(':TPM_Utils')
compile project(':HIRS_Structs')
compile project(':HIRS_Utils')
compile libs.spring_web
compile libs.log_bridge
compile libs.commons_lang
compileOnly libs.checkstyle
compileOnly libs.findbugs
testCompile libs.testng
testCompile libs.mockito
testCompile libs.powermock
testCompile libs.spring_test
testCompile libs.checkstyle
testCompile libs.findbugs
testCompile libs.commons_lang
}
copyVersion.dependsOn compileJava
jar.dependsOn copyVersion
ext.configDir = new File(projectDir, 'config')
ext.checkstyleConfigDir = "$configDir/checkstyle"
checkstyle {
toolVersion = '5.7'
configFile = checkstyleConfigFile
configProperties.put('basedir', checkstyleConfigDir)
ignoreFailures = false
showViolations = true
}
ext.findbugsConfigDir = "$configDir/findbugs"
findbugs {
toolVersion = '3.0.0'
ignoreFailures = false
effort = 'max'
}
publishing {
publications {
maven(MavenPublication) {
artifactId 'hirs-provisioner'
artifact jar
pom.withXml {
def dependenciesNode = asNode().appendNode('dependencies')
configurations.runtime.allDependencies.each {
if (it.group != null && it.name != null) {
def dependencyNode = dependenciesNode.appendNode('dependency')
dependencyNode.appendNode('groupId', it.group)
dependencyNode.appendNode('artifactId', it.name)
dependencyNode.appendNode('version', it.version)
if (it.excludeRules.size() > 0) {
def exclusionsNode = dependencyNode.appendNode('exclusions')
it.excludeRules.each { rule ->
def exclusionNode = exclusionsNode.appendNode('exclusion')
exclusionNode.appendNode('groupId', rule.group)
exclusionNode.appendNode('artifactId', rule.module)
}
}
}
}
}
}
}
}

11
HIRS_Provisioner/config/checkstyle/suppressions.xml
View File

@ -1,11 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
"-//Puppy Crawl//DTD Suppressions 1.1//EN"
"http://www.puppycrawl.com/dtds/suppressions_1_1.dtd">
<suppressions>
<suppress checks="MagicNumber" files=".*[/\\]src[/\\]test[/\\]+" />
<suppress checks="FinalParameters" files=".*[/\\]src[/\\]test[/\\]+" />
<suppress checks="JavadocPackage" files=".*[/\\]src[/\\]test[/\\]+" />
</suppressions>

110
HIRS_Provisioner/create-ek-cert.sh
View File

@ -1,110 +0,0 @@
#!/bin/bash
# Assumes HIRS is already installed
# Dependencies:
# openssl, version 1.0.2 (must download from source)
# tpm_module
# Download and install latest version of openssl from source, using these steps:
# cd /usr/local/src
# wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
# tar -zxf openssl-1.0.2-latest.tar.gz
# cd openssl-1.0.2*
# ./config
# make depend
# make
# make install
# mv /usr/bin/openssl /root
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# The TPM only gives us the public key modulus, not a properly formatted key
PUBEK_MOD=$(tpm_module -m 29 -nr -d -t ek -z -d)
rc=$?
if [ "$rc" != "0" ]; then
echo "Attempt to access the TPM's public Endorsement Key was unsuccessful"
echo "Exiting"
exit $rc;
fi
# Check user's permissions
if [ ! -w $(pwd) ] ; then
echo "This user does not have permissions to write to this directory: $(pwd)"
echo "Exiting"
exit 1
fi
mkdir -p certs
cd certs
EKCERT_PATH="$(pwd)/ek.crt"
CAKEY_PATH="$(pwd)/ca.key"
CACERT_PATH="$(pwd)/ca.crt"
# Create the asn.1 definition file used to recreate the public key using the modulus
cat << @EOF > def.asn1
# Start with a SEQUENCE
asn1=SEQUENCE:pubkeyinfo
# pubkeyinfo contains an algorithm identifier and the public key wrapped
# in a BIT STRING
[pubkeyinfo]
algorithm=SEQUENCE:rsa_alg
pubkey=BITWRAP,SEQUENCE:rsapubkey
# algorithm ID for RSA is just an OID and a NULL
[rsa_alg]
algorithm=OID:rsaEncryption
parameter=NULL
# Actual public key: modulus and exponent
[rsapubkey]
n=INTEGER:0x$PUBEK_MOD
e=INTEGER:0x010001
@EOF
# openssl commands return v1 certificates by default
# create a .ext file to specify that we want v3
cat << @EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
@EOF
# Create endorsement key given the asn1 file (DER is the default)
openssl asn1parse -genconf def.asn1 -out ek.der -noout
rm def.asn1
# Convert endorsement key from DER to PEM
openssl rsa -pubin -in ek.der -inform DER -out ek.pem -outform PEM
rm ek.der
# Create self-signed CA certificate
openssl req -newkey rsa:2048 -nodes -keyout $CAKEY_PATH -x509 -days 365 -out $CACERT_PATH \
-subj "/CN=www.example.com"
# openssl needs a private key to create a new certificate signing request
# we only have the public endorsement key, so create a temporary key pair here
openssl req -newkey rsa:2048 -out temp.csr -nodes -keyout temp.key -subj "/CN=www.example.com"
rm temp.key
# Create the certificate here, forcing the use of our endorsement key (this means our temp key isn't used anymore
errormessage=`openssl x509 -req -days 365 -in temp.csr -extfile v3.ext -CAcreateserial -CAkey $CAKEY_PATH -CA $CACERT_PATH -out $EKCERT_PATH -force_pubkey ek.pem 2>&1`
rc=$?
rm v3.ext temp.csr ek.pem
if [ "$rc" != "0" ]; then
echo $errormessage | grep -q "unknown option -force_pubkey" && echo "ERROR: The option 'force_pubkey' is required, but was not found for this installation of openssl x509. Please install a newer version (1.0.2+) from source" || echo $errormessage
echo "Cleaning up..."
rm $CAKEY_PATH $CACERT_PATH
cd ..
rmdir certs --ignore-fail-on-non-empty
exit $rc
fi
rm ca.srl
openssl x509 -text -in $EKCERT_PATH
echo "SUCCESS: EK cert created successfully at: $EKCERT_PATH"
echo " CA key found at: $CAKEY_PATH"
echo " self-signed CA cert found at: $CACERT_PATH"
echo

5
HIRS_Provisioner/debian/changelog
View File

@ -1,5 +0,0 @@
hirs-provisioner (VER) RELEASE; urgency=low
* Initial release
-- HIRS HIRS <hirs@hirs.hirs> Tue, 10 Feb 2015 16:56:18 -0500

1
HIRS_Provisioner/debian/compat
View File

@ -1 +0,0 @@
9

13
HIRS_Provisioner/debian/control
View File

@ -1,13 +0,0 @@
Source: hirs-provisioner
Section: admin
Priority: optional
Maintainer: HIRS <HIRS@HIRS.HIRS>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.5
Package: hirs-provisioner
Architecture: amd64
Depends: tpm-module, openjdk-8-jre, wget
Description: HIRS Provisioner for Ubuntu
Host Integrity at Runtime and Startup. Allows provisioning of TPM
for Ubuntu 16.04 Linux clients.

0
HIRS_Provisioner/debian/docs
View File

8
HIRS_Provisioner/debian/hirs-provisioner.install
View File

@ -1,8 +0,0 @@
install-provisioner/bin/ usr/share/hirs/provisioner
install-provisioner/lib/ usr/share/hirs/provisioner
install-provisioner/scripts/install/hirs-provisioner.sh usr/share/hirs/provisioner
install-provisioner/scripts/hirs-provisioner-config.sh etc/hirs/provisioner
install-provisioner/logging.properties etc/hirs/provisioner
install-provisioner/setup/provisioner.properties etc/hirs/provisioner
install-provisioner/setup/hirs-provisioner.properties etc/hirs/provisioner/setup
install-provisioner/setup/tpm-module.properties etc/hirs/provisioner/setup

2
HIRS_Provisioner/debian/hirs-provisioner.links
View File

@ -1,2 +0,0 @@
/usr/share/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner

1
HIRS_Provisioner/debian/hirs-provisioner.manpages
View File

@ -1 +0,0 @@
debian/hirs-provisioner.1

53
HIRS_Provisioner/debian/hirs-provisioner.postinst
View File

@ -1,53 +0,0 @@
#!/bin/bash
set -e
case "$1" in
configure)
if [[ $(find /sys/devices -name "tpm0") ]]; then
echo "TPM detected"
if [ -f "/usr/lib/systemd/system/tcsd.service" ]; then
echo "Starting tcsd service"
systemctl start tcsd
ret=$?
if [[ $ret -ne 0 ]]; then
echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
fi
echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
chkconfig --level 1356 tcsd on
else
echo "Starting tcsd service"
service tcsd start
ret=$?
if [[ $ret -ne 0 ]]; then
echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
fi
echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
chkconfig --level 1356 tcsd on
fi
if [ ! -d "/sys/kernel/security/tpm0" ]; then
echo "Mounting security fs partition"
sed -i '$a securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0' /etc/fstab
mount -a
if [ -d "/sys/kernel/security/tpm0" ]; then
echo "SUCCESS: security fs partition mounted"
fi
fi
else
echo "WARNING: UNABLE TO LOCATE TPM DEVICE, TPM PROVISIONING WILL FAIL"
fi
# install logging.properties if it doesn't already exist
if ! [[ -f /etc/hirs/logging.properties ]]; then
mv /etc/hirs/provisioner/logging.properties /etc/hirs/
else
rm /etc/hirs/provisioner/logging.properties
fi
hirs-provisioner -c
;;
*)
;;
esac
exit 0

2
HIRS_Provisioner/debian/lintian-overrides
View File

@ -1,2 +0,0 @@
# Ignore lintian error about incorrectly formatted copyright file
hirs-provisioner binary: copyright-should-refer-to-common-license-file-for-lgpl

7
HIRS_Provisioner/debian/rules
View File

@ -1,7 +0,0 @@
#!/usr/bin/make -f
# -*- makefile -*-
export DH_VERBOSE=1
%:
dh $@

1
HIRS_Provisioner/debian/source/format
View File

@ -1 +0,0 @@
3.0 (native)

72
HIRS_Provisioner/hirs-provisioner-config.sh
View File

@ -1,72 +0,0 @@
#!/bin/bash
PROVISIONER_DIR="/etc/hirs/provisioner"
CERTIFICATES="/etc/hirs/certificates/provisioner"
SITE_CONFIG_FILE="/etc/hirs/hirs-site.config"
PROVISIONER_PROPERTIES="$PROVISIONER_DIR/provisioner.properties"
TMP_PROPERTIES="$PROVISIONER_DIR/tmp.properties"
PROVISIONER_LOG_DIR="/var/log/hirs/provisioner"
PROVISIONER_LOG_FILE="$PROVISIONER_LOG_DIR/HIRS_Provisioner.log"
# ensure log file exists
mkdir -p $PROVISIONER_LOG_DIR
touch $PROVISIONER_LOG_FILE
mkdir -p ${CERTIFICATES}/private
# certificates and key stores generated by this script.
CLIENT_PEM=${CERTIFICATES}/private/hirs.client.pem
CLIENT_CERT=${CERTIFICATES}/hirs.client.cert
INTERNAL_P12=${CERTIFICATES}/hirs.p12
KEYSTORE_JKS=${CERTIFICATES}/keyStoreClient.jks
# delete the key store if it exists
if [ -f ${KEYSTORE_JKS} ]; then
echo "----> Deleting existing key store" | tee -a $PROVISIONER_LOG_FILE
rm -f ${KEYSTORE_JKS}
fi
# Read site config
source ${SITE_CONFIG_FILE}
# Read a block of raw data bytes from /dev/urandom and convert it to text characters.
P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
# generate a key and certificate. The key is the private key used to sign the well known CA cert.
echo 'Creating 2048 bit key' >> $PROVISIONER_LOG_FILE 2>&1
openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CLIENT_PEM} -out ${CLIENT_CERT} -subj "/C=US/O=HIRS/OU=Provisioner/CN=$CLIENT_HOSTNAME" >> $PROVISIONER_LOG_FILE 2>&1
# export the certificate and key as a p12 file
echo 'Exporting key' >> $PROVISIONER_LOG_FILE 2>&1
openssl pkcs12 -export -in ${CLIENT_CERT} -inkey ${CLIENT_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD} >> $PROVISIONER_LOG_FILE 2>&1
# create a key store using the pk12 file.
echo 'Configuring key store' >> $PROVISIONER_LOG_FILE 2>&1
keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt >> $PROVISIONER_LOG_FILE 2>&1
if [ ! -f ${KEYSTORE_JKS} ]; then
echo "${KEYSTORE_JKS} was not created" | tee -a $PROVISIONER_LOG_FILE
exit 1;
fi
grep -v "javax.net.ssl" ${PROVISIONER_PROPERTIES} > ${TMP_PROPERTIES}
mv ${TMP_PROPERTIES} ${PROVISIONER_PROPERTIES}
echo "javax.net.ssl.keyStore=$KEYSTORE_JKS" >> ${PROVISIONER_PROPERTIES}
echo "javax.net.ssl.trustStore=${CERTIFICATES}/TrustStore.jks" >> ${PROVISIONER_PROPERTIES}
echo "javax.net.ssl.keyStorePassword=$P12_PASSWORD" >> ${PROVISIONER_PROPERTIES}
# Checking for existing HIRS TrustStore
if [ -f "${CERTIFICATES}/TrustStore.jks" ]; then
rm -f ${CERTIFICATES}/TrustStore.jks
fi
echo "----> Downloading truststore" | tee -a $PROVISIONER_LOG_FILE
wget https://"$ATTESTATION_CA_FQDN":"$ATTESTATION_CA_PORT"/HIRS_AttestationCA/client-files/TrustStore.jks --no-check-certificate -P ${CERTIFICATES} >/dev/null 2>/dev/null
if [ ! -f "${CERTIFICATES}/TrustStore.jks" ]; then
echo "----> ERROR: Truststore could not be downloaded from $ATTESTATION_CA_FQDN" | tee -a $PROVISIONER_LOG_FILE
fi
sed -i "s/provisioner\.aca\.host\s*=\s*.*/provisioner.aca.host = $ATTESTATION_CA_FQDN/" $PROVISIONER_PROPERTIES
sed -i "s/provisioner\.aca\.port\s*=\s*.*/provisioner.aca.port = $ATTESTATION_CA_PORT/" $PROVISIONER_PROPERTIES

28
HIRS_Provisioner/man/hirs-provisioner.1
View File

@ -1,28 +0,0 @@
.TH hirs\-provisioner 1 "January 11, 2018"
.SH NAME
hirs\-provisioner \- provision the TPM
.SH SYNOPSIS
.B hirs\-provisioner
[\-c] [\-h] [\-p]
.SH DESCRIPTION
Provision the TPM for use with the Host Integrity at Runtime and Startup
(HIRS) framework.
.B \-c, \-\-config, config
.IP
create /etc/hirs/hirs-site.config template if the file does not already exist.
If it does exist, check that its contents are valid. The template must be
filled out with the relevant fields.
.P
.B \-p, \-\-provision, provision
.IP
provision system with HIRS Attestation Credential Authority. See full HIRS
documentation for an explanation of the provisioning process.
.P
.B \-h, \-\-help, help
.IP
print help output
.SH SEE ALSO
tpm_module(1)

165
HIRS_Provisioner/scripts/install/hirs-provisioner.sh
View File

@ -1,165 +0,0 @@
#!/bin/bash
# main driving script for the HIRS Provisioner RPM/DEB. Provides user options
# for creating a default hirs-site.config, used by the provisioner and the HIRS Client RPM,
# as well as initiating HIRS provisioning of the TPM and loading of credentials from the
# HIRS Attestation CA.
CERTS_DIR="/etc/hirs/provisioner/certs/"
HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
HIRS_PROVISIONER_CONFIG="/etc/hirs/provisioner/hirs-provisioner-config.sh"
HIRS_PROVISIONER_SCRIPT="/usr/share/hirs/provisioner/bin/HIRS_Provisioner"
HIRS_PROVISIONER_2_0_SCRIPT="/usr/local/bin/hirs-provisioner-tpm2"
HIRS_PROVISIONER_PROPERTIES="/etc/hirs/provisioner/provisioner.properties"
if [ "$EUID" != "0" ]; then
echo "This script must be run as root"
exit 1
fi
function ShowHelp {
echo "hirs provisioner - host integrity at runtime & startup"
echo ""
echo "hirs-provisioner [command]"
echo ""
echo "commands:"
echo "-h, --help, help show this help"
echo "-c, --config, config verify or generate site configuration"
echo "-p, --provision, provision provision TPM/prepare for use with HIRS"
exit 0
}
if [ $# -eq 0 ]; then # if no arguments
ShowHelp
fi
function CheckHIRSSiteConfig {
# Check for site config existence
if [ ! -f $HIRS_SITE_CONFIG ]; then
echo "--> ERROR: $HIRS_SITE_CONFIG not found - run \"hirs-provisioner -c\" to generate the file"
exit 1
fi
# Read site config
source $HIRS_SITE_CONFIG
# Verify variable existence
if [[ -z "$CLIENT_HOSTNAME" ]]; then
echo "--> ERROR: CLIENT_HOSTNAME is not set in $HIRS_SITE_CONFIG"
exit 1
fi
if [[ -z "$ATTESTATION_CA_FQDN" ]]; then
echo "--> ERROR: ATTESTATION_CA_FQDN not set in $HIRS_SITE_CONFIG"
exit 1
fi
if [[ -z "$ATTESTATION_CA_PORT" ]]; then
echo "--> ERROR: ATTESTATION_CA_PORT not set in $HIRS_SITE_CONFIG"
exit 1
fi
if [[ -z "$BROKER_FQDN" ]]; then
echo "--> ERROR: BROKER_FQDN not set in $HIRS_SITE_CONFIG"
exit 1
fi
if [[ -z "$BROKER_PORT" ]]; then
echo "--> ERROR: BROKER_PORT not set in $HIRS_SITE_CONFIG"
exit 1
fi
if [[ -z "$PORTAL_FQDN" ]]; then
echo "--> ERROR: PORTAL_FQDN not set in $HIRS_SITE_CONFIG"
exit 1
fi
if [[ -z "$PORTAL_PORT" ]]; then
echo "--> ERROR: PORTAL_PORT not set in $HIRS_SITE_CONFIG"
exit 1
fi
}
function CheckProvisionPrereqsAndDoProvisioning {
if [ ! -f $HIRS_SITE_CONFIG ]; then
echo "$HIRS_SITE_CONFIG not found. Run \"hirs-provisioner -c\" to generate."
exit 0
fi
# the hirs provisioner script should be verifying
CheckHIRSSiteConfig
echo "--> Configuring provisioner"
eval $HIRS_PROVISIONER_CONFIG || { echo "----> Failed configuring provisioner"; exit 1; }
if [ $TPM_ENABLED = "true" ]; then
echo "--> Provisioning"
Provision
else
echo "--> TPM not enabled - skipping provisioning"
fi
}
function Provision {
# Provisioner will only retain one {uuid}.cer credential; remove any existing *.cer files.
echo "----> Removing old attestation credentials, if any"
rm -f $CERTS_DIR/*.cer /etc/hirs/ak.cer
echo "----> Provisioning TPM"
if [ -f $HIRS_PROVISIONER_2_0_SCRIPT ]
then
$HIRS_PROVISIONER_2_0_SCRIPT provision || { echo "----> Failed to provision TPM 2.0"; exit 1; }
else
$HIRS_PROVISIONER_SCRIPT $CLIENT_HOSTNAME || { echo "----> Failed to provision TPM"; exit 1; }
fi
}
function WriteDefaultHirsSiteConfigFile {
if [ ! -f $HIRS_SITE_CONFIG ]; then
# Create template site config if it does not exist
cat <<DEFAULT_SITE_CONFIG_FILE > $HIRS_SITE_CONFIG
#*******************************************
#* HIRS site configuration properties file
#*******************************************
# Client configuration
CLIENT_HOSTNAME=$(hostname -f)
TPM_ENABLED=
IMA_ENABLED=
# Site-specific configuration
ATTESTATION_CA_FQDN=
ATTESTATION_CA_PORT=8443
BROKER_FQDN=
BROKER_PORT=61616
PORTAL_FQDN=
PORTAL_PORT=8443
DEFAULT_SITE_CONFIG_FILE
echo "$HIRS_SITE_CONFIG not found - a template has been created"
echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner -p' to provision this system"
fi
}
while test $# -gt 0; do # iterate over arguments
case "$1" in
-c|--config|config)
shift
WriteDefaultHirsSiteConfigFile
;;
-p|--provision|provision)
shift
CheckProvisionPrereqsAndDoProvisioning
;;
*)
ShowHelp
;;
esac
done

3
HIRS_Provisioner/scripts/install/tpm_aca_provision
View File

@ -1,3 +0,0 @@
#!/bin/bash
hirs-provisioner provision

15
HIRS_Provisioner/setup/hirs-provisioner.properties
View File

@ -1,15 +0,0 @@
#TPM Provisioning Data
TpmEndorsmentP12 = endorsement.p12
EndorsementP12Pass = key_password
EcValidityDays = 3652
TpmOwnerAuth = 0000000000000000000000000000000000000000
#HIS Identity Provisioning Data
HisIdentityLabel = HIS Identity Key
HisIdentityIndex = 1
HisIdentityAuth = 0000000000000000000000000000000000000000
AttestationCaCertFile = AttestationCA.cer
AttestationCaUrl = https://sampleCAurl:8443/HIRS_AttestationCA
HisRegistrationUrl = https://sampleREGurl:8443/HisWebServices
TrustStore = TrustStore.jks
NtruBypass = true
ClientPath = /etc/hirs

4
HIRS_Provisioner/setup/tpm-module.properties
View File

@ -1,4 +0,0 @@
TpmModuleExePath = /usr/bin/
ExeName = tpm_module
TrousersMode = False
DebugMode = True

29
HIRS_Provisioner/src/main/java/hirs/provisioner/CommandLineArguments.java
View File

@ -1,29 +0,0 @@
package hirs.provisioner;
/**
* Class to hold the command line argument values passed to the provisioner.
*/
public final class CommandLineArguments {
private static String hostName;
private CommandLineArguments() {
}
/**
*
* @return the host name
*/
public static String getHostName() {
return hostName;
}
/**
*
* @param hostName the host name
*/
public static void setHostName(final String hostName) {
CommandLineArguments.hostName = hostName;
}
}

102
HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java
View File

@ -1,102 +0,0 @@
package hirs.provisioner;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import hirs.provisioner.configuration.ProvisionerConfiguration;
import hirs.utils.LogConfigurationUtil;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.FileSystems;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
/**
* Defines the application's entry point and the main configuration.
*/
public final class ProvisionerApplication {
private static final String JAVA_PROP_TRUST_STORE = "javax.net.ssl.trustStore";
private static final String JAVA_PROP_KEY_STORE = "javax.net.ssl.keyStore";
private static final String JAVA_PROP_KEY_STORE_PASSWORD = "javax.net.ssl.keyStorePassword";
private static final List<String> SYSTEM_PROPERTIES_TO_SET = Arrays.asList(
JAVA_PROP_KEY_STORE, JAVA_PROP_TRUST_STORE, JAVA_PROP_KEY_STORE_PASSWORD
);
private static final Logger LOGGER = LogManager.getLogger(ProvisionerApplication.class);
private static final int REQUIRED_ARG_COUNT = 1;
private static final String PROP_FILE_PATH =
"/etc/hirs/provisioner/provisioner.properties";
/**
* Hidden default constructor.
*/
private ProvisionerApplication() {
}
/**
* Application entry point. Uses Spring Boot to bootstrap the application.
*
* @param args not used
*/
public static void main(final String[] args) {
try {
LogConfigurationUtil.applyConfiguration();
} catch (IOException e) {
LOGGER.error("Error configuring provisioner logger", e);
}
if (ArrayUtils.isEmpty(args) || args.length != REQUIRED_ARG_COUNT) {
LOGGER.error("Provisioner requires exactly " + REQUIRED_ARG_COUNT
+ " args (Host Name)");
System.exit(-1);
}
CommandLineArguments.setHostName(args[0]);
LOGGER.debug("Starting HIRS Provisioner command line application");
try {
setTrustStore();
} catch (IOException ex) {
LOGGER.error("Error provisioning client", ex);
System.exit(-1);
}
// enable TLS 1.1 and 1.2
System.setProperty("https.protocols", "TLSv1.2");
// initialize the context
new AnnotationConfigApplicationContext(ProvisionerConfiguration.class);
}
/**
* This method configures the JVM with the trustStore as read from
* provisioner.properties.
*
* @throws IOException if provisioner.properties cannot be read
*/
private static void setTrustStore() throws IOException {
Properties runtimeJVMProperties = new Properties();
try (InputStream propertiesFileInputStream = new FileInputStream(
FileSystems.getDefault().getPath(PROP_FILE_PATH)
.toFile())) {
runtimeJVMProperties.load(propertiesFileInputStream);
}
for (String property : SYSTEM_PROPERTIES_TO_SET) {
String value = runtimeJVMProperties.getProperty(property);
if (StringUtils.isBlank(value)) {
throw new IllegalArgumentException(String.format(
"Cannot start HIRS Provisioner; please set a value for %s in %s",
property, PROP_FILE_PATH));
}
System.setProperty(property, value);
}
}
}

20
HIRS_Provisioner/src/main/java/hirs/provisioner/client/ClientProvisioner.java
View File

@ -1,20 +0,0 @@
package hirs.provisioner.client;
/**
* Defines the responsibilities and behavior of a service that provisions clients. That is, to
* take ownership of the machine's TPM, create an identity credential, attest said credential with a
* certificate authority, and activate that credential with the client's TPM.
*/
public interface ClientProvisioner {
/**
* Takes control of the machine's TPM. Then creates an identity credential using the TPM. That
* credential is then attested by a certificate authority. If that passes, the provisioner
* will activate the credential with the TPM and persist the credential on the client for
* future TPM operations. This method may throw {@link ProvisioningException}s when encountering
* errors dealing with the TPM and/certificate authority.
*
* @return true if provisioning was successful, false otherwise
*/
boolean provision();
}

19
HIRS_Provisioner/src/main/java/hirs/provisioner/client/ProvisioningException.java
View File

@ -1,19 +0,0 @@
package hirs.provisioner.client;
/**
* Describes exceptions encountered while provisioning a client.
*/
public class ProvisioningException extends RuntimeException {
/**
* Provisioning exception that includes a root exception, the throwable, as the reason why the
* provisioning process failed. The message provides additional detail as to why the exception
* was encountered.
*
* @param message additional explanation of the failure
* @param throwable root cause for the exception
*/
public ProvisioningException(final String message, final Throwable throwable) {
super(message, throwable);
}
}

308
HIRS_Provisioner/src/main/java/hirs/provisioner/client/RestfulClientProvisioner.java
View File

@ -1,308 +0,0 @@
package hirs.provisioner.client;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.context.event.EventListener;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.util.SerializationUtils;
import org.springframework.web.client.RestTemplate;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.UUID;
import hirs.DeviceInfoReportRequest;
import hirs.client.collector.DeviceInfoCollector;
import hirs.collector.CollectorException;
import hirs.data.persist.DeviceInfoReport;
import hirs.provisioner.CommandLineArguments;
import hirs.structs.converters.SimpleStructBuilder;
import hirs.structs.converters.StructConverter;
import hirs.structs.elements.aca.IdentityRequestEnvelope;
import hirs.structs.elements.aca.IdentityResponseEnvelope;
import hirs.structs.elements.tpm.AsymmetricKeyParams;
import hirs.structs.elements.tpm.AsymmetricPublicKey;
import hirs.structs.elements.tpm.RsaSubParams;
import hirs.structs.elements.tpm.StorePubKey;
import hirs.tpm.tss.Tpm;
/**
* Client implementation that uses a RestTemplate to communicate
* with the Attestation Certificate Authority.
*
*/
@Component
public class RestfulClientProvisioner implements ClientProvisioner {
private static final Logger LOG = LogManager.getLogger(RestfulClientProvisioner.class);
@Autowired
private RestTemplate restTemplate;
@Autowired
private Tpm tpm;
@Autowired
private StructConverter structConverter;
@Value("${provisioner.files.certs}")
private String certificatesPath;
@Value("${provisioner.aca.url.key}")
private String acaPublicKeyURL;
@Value("${provisioner.aca.url.identity}")
private String acaIdentityURL;
/**
* When the application context is initialized, begin provisioning.
*
* @param event ignored
*/
@EventListener
@SuppressFBWarnings(value = "DM_EXIT",
justification = "need to exit app from spring managed class here")
public final void handleContextInitialized(final ContextRefreshedEvent event) {
// attempt to create the required directory structures before provisioning.
try {
LOG.debug("Creating certificate directory if non existent: " + certificatesPath);
Files.createDirectories(Paths.get(certificatesPath));
} catch (IOException ex) {
LOG.error("Error creating certificate directories: " + ex.getMessage(), ex);
throw new ProvisioningException(ex.getMessage(), ex);
}
// initiate provisioning process. If it fails, exit with non-zero so that
// the caller (hirs.sh) can exit and not configure the client due to failure.
if (!this.provision()) {
LOG.debug("Exiting with error due to provisioning failure");
System.exit(-1);
}
}
@Override
public boolean provision() {
// take ownership of the TPM
takeOwnership();
LOG.debug("took ownership of TPM");
// get the public key from the ACA
RSAPublicKey acaPublicKey = getACAPublicKey();
LOG.debug("received public key from ACA");
// create uuid for identity request and response
String uuid = UUID.randomUUID().toString();
// create Tpm Key from ACA Public key
AsymmetricPublicKey tpmKey = new SimpleStructBuilder<>(AsymmetricPublicKey.class)
.set("asymmetricKeyParams", new SimpleStructBuilder<>(AsymmetricKeyParams.class)
.set("algorithmId", AsymmetricPublicKey.DEFAULT_RSA_ALG_ID)
.set("encryptionScheme", AsymmetricPublicKey.DEFAULT_RSA_ENCRYPTION_SCHEME)
.set("signatureScheme", AsymmetricPublicKey.DEFAULT_RSA_SIGNATURE_SCHEME)
.set("params", new SimpleStructBuilder<>(RsaSubParams.class)
.set("totalPrimes", AsymmetricPublicKey.DEFAULT_PRIME_TOTAL)
.set("keyLength", AsymmetricPublicKey.DEFAULT_KEY_LENGTH)
.set("exponent", acaPublicKey.getPublicExponent().toByteArray())
.build())
.build())
.set("storePubKey", new SimpleStructBuilder<>(StorePubKey.class)
.set("key", acaPublicKey.getModulus().toByteArray())
.build())
.build();
// obtain device information required for identity request
DeviceInfoReport deviceInfoReport = getDeviceInfoReport();
// create the identity request using the ACA public key and a generated UUID
IdentityRequestEnvelope identityRequest = createIdentityRequest(tpmKey, uuid,
deviceInfoReport);
LOG.debug(String.format("created TPM identity request using UUID %s", uuid));
// attest the request with the ACA and obtain it's response
System.out.println("----> Sending Attestation Identity Credential Request");
IdentityResponseEnvelope response = attestIdentityRequest(identityRequest);
if (null == response) {
LOG.error("Provisioning failed. Please refer to the Attestation CA for details.");
return false;
}
System.out.println("----> Attestation Identity Provisioning succeeded");
// activate the identity with the TPM
byte[] credential = activateCredential(response, uuid);
LOG.debug("activated credential with TPM");
// create the AIK file and write the credential to the file.
try {
Path identityFile = Files.createFile(Paths.get(certificatesPath, uuid + ".cer"));
Files.write(identityFile, credential);
LOG.debug(String.format("created credential file: %s", identityFile.toString()));
return true;
} catch (IOException e) {
LOG.error(String.format("Error outputting identity credential to %s: %s",
certificatesPath, e.getMessage()), e);
return false;
}
}
/**
* Uses the TPM instance to take over the TPM ownership, if possible.
*/
void takeOwnership() {
tpm.takeOwnership();
}
/**
* Communicates with the configured ACA to obtain it's public key information.
*
* @return the ACA public key
*/
RSAPublicKey getACAPublicKey() {
// request the public key from the ACA
ResponseEntity<byte[]> response = restTemplate.getForEntity(acaPublicKeyURL, byte[].class);
try {
// use the public key information to create encoded key specification. then create a
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(response.getBody());
// create the public key from that specification
return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(keySpec);
} catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
throw new ProvisioningException("Encountered error while create Public Key from "
+ "ACA response: " + e.getMessage(), e);
}
}
/**
* Creates an identity request using the ACA public certificate and an UUID.
*
* @param asymmetricPublicKey that contains the public key information of the ACA
* @param uuid unique identifier
* @param deviceInfoReport the full device info report used by the ACA for provisioning
* @return identity request that can be sent on ward to the ACA for attestation.
*/
IdentityRequestEnvelope createIdentityRequest(final AsymmetricPublicKey asymmetricPublicKey,
final String uuid, final DeviceInfoReport deviceInfoReport) {
try {
// serialize the tpm key
byte[] asymmetricBlob = structConverter.convert(asymmetricPublicKey);
// collate identity based upon ACA public key and unique id
byte[] request = tpm.collateIdentityRequest(asymmetricBlob, uuid);
// obtain the endorsement credential
byte[] endorsementCredentialModulus = tpm.getEndorsementCredentialModulus();
// obtain full endorsement credential
byte[] endorsementCredential = getEndorsementCredential();
// format device info report
byte[] deviceInfoReportBytes = SerializationUtils.serialize(deviceInfoReport);
LOG.debug("Sending EC of length: " + endorsementCredential.length);
// build up the ACA request
return new SimpleStructBuilder<>(IdentityRequestEnvelope.class)
.set("endorsementCredentialModulus", endorsementCredentialModulus)
.set("endorsementCredential", endorsementCredential)
.set("request", request)
.set("deviceInfoReport", deviceInfoReportBytes)
.build();
} catch (Exception e) {
throw new ProvisioningException("Encountered exception while creating identity "
+ "credential: " + e.getMessage(), e);
}
}
/**
* Gets endorsement credential from TPM.
* @return the EK from the TPM, or null if there was an error
*/
private byte[] getEndorsementCredential() {
// initialize to a non-null array so struct builder doesn't consider this null.
byte[] endorsementCredential = new byte[] {1};
try {
endorsementCredential = tpm.getEndorsementCredential();
System.out.println("----> Got endorsement credential from TPM");
LOG.debug("Endorsement credential size: " + endorsementCredential.length);
} catch (Exception e) {
LOG.warn("Failed to get endorsement credential from TPM");
LOG.debug("EK retrieval error", e);
}
return endorsementCredential;
}
/**
* Attests a given identity request with the configured Attestation Certificate Authority.
*
* @param identityRequest to be attested
* @return the ACA response
*/
IdentityResponseEnvelope attestIdentityRequest(final IdentityRequestEnvelope identityRequest) {
// create HTTP entity wrapper for the identity request
HttpEntity<byte[]> message = new HttpEntity<>(structConverter.convert(identityRequest));
// send the identity request to the ACA and receive the identity response.
ResponseEntity<byte[]> response =
restTemplate.exchange(acaIdentityURL, HttpMethod.POST, message, byte[].class);
byte[] responseBody = response.getBody();
if (ArrayUtils.isEmpty(responseBody)) {
return null;
}
// grab the response from the HTTP response
return structConverter.convert(responseBody, IdentityResponseEnvelope.class);
}
/**
* Activates a given attested identity with the TPM associated by UUID. This UUID must match up
* with the original identity request.
*
* @param response to be activated
* @param uuid of the original identity request
* @return the raw activated credential
*/
byte[] activateCredential(final IdentityResponseEnvelope response, final String uuid) {
// grab both the symmetric and asymmetric from the identity response
byte[] asymmetricContents = response.getAsymmetricContents();
byte[] symmetricContents = structConverter.convert(response.getSymmetricAttestation());
// active the identity with the TPM
return tpm.activateIdentity(asymmetricContents, symmetricContents, uuid);
}
/**
* Collects the Device Info Report without TPM information, due to not having an identity
* cert yet.
* @return the Device Info Report
*/
DeviceInfoReport getDeviceInfoReport() {
DeviceInfoReportRequest request = new DeviceInfoReportRequest();
DeviceInfoReport report = null;
try {
System.out.println("----> Collecting device information");
DeviceInfoCollector deviceInfoCollector = new DeviceInfoCollector(null, false,
CommandLineArguments.getHostName());
report = (DeviceInfoReport) deviceInfoCollector.collect(request);
} catch (CollectorException e) {
LOG.error("Error collecting device information", e);
}
return report;
}
}

5
HIRS_Provisioner/src/main/java/hirs/provisioner/client/package-info.java
View File

@ -1,5 +0,0 @@
/**
* Defines the interfaces, exceptions, and implementations of classes required to perform client
* provisioning operations.
*/
package hirs.provisioner.client;

113
HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/ProvisionerConfiguration.java
View File

@ -1,113 +0,0 @@
package hirs.provisioner.configuration;
import org.springframework.beans.factory.BeanInitializationException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.PropertySources;
import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
import org.springframework.core.io.ClassPathResource;
import org.springframework.web.client.RestTemplate;
import javax.annotation.PostConstruct;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import hirs.structs.converters.SimpleStructConverter;
import hirs.structs.converters.StructConverter;
import hirs.tpm.tss.Tpm;
import hirs.tpm.tss.command.CommandTpm;
import hirs.utils.LogConfigurationUtil;
/**
* Spring Java configuration file that prepares beans for the provisioning application. This
* provides an alternative implementation of the traditional Spring XML application context files.
*/
@Configuration
@PropertySources({
@PropertySource(value = "classpath:defaults.properties"),
// detects if file exists, if not, ignore errors
@PropertySource(value = "file:/etc/hirs/provisioner/provisioner.properties",
ignoreResourceNotFound = true)
})
@ComponentScan("hirs.provisioner")
public class ProvisionerConfiguration {
/**
* Path to the provisioner properties overrides. By default, these properties mirror those that
* are in the classpath. These properties provide a means for the client to customize the
* provisioner
*/
public static final Path PROVISIONER_PROPERTIES_OVERRIDES =
Paths.get("/etc/hirs/provisioner/provisioner.properties");
/**
* @return bean to resolve injected annotation.Value
* property expressions for beans.
*/
@Bean
public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
return new PropertySourcesPlaceholderConfigurer();
}
/**
* Initialization of the ClientProvisioner. Detects environment and runs configuration methods
* as required. This method is intended to be invoked by the Spring application context.
*/
@PostConstruct
final void initialize() {
try {
LogConfigurationUtil.applyConfiguration();
} catch (IOException e) {
throw new RuntimeException(e);
}
// if the properties overrides file doesn't exist (or directories), copy it over. capture
// any exception while doing so and log a warning.
if (!Files.exists(PROVISIONER_PROPERTIES_OVERRIDES)) {
try {
// obtain the embedded properties file
ClassPathResource properties = new ClassPathResource("defaults.properties");
// create the directories if they do not exist
Files.createDirectories(PROVISIONER_PROPERTIES_OVERRIDES.getParent());
// copy the defaults properties to the overrides location.
Files.copy(properties.getInputStream(), PROVISIONER_PROPERTIES_OVERRIDES);
} catch (IOException e) {
throw new BeanInitializationException(
"Encountered error while initializing ClientProvisioner configuration: "
+ e.getMessage(), e);
}
}
}
/**
* @return configured ready to use RestTemplate.
*/
@Bean
public RestTemplate restTemplate() {
return new RestTemplate();
}
/**
* @return configured ready to use {@link Tpm}
*/
@Bean
public Tpm tpm() {
return new CommandTpm();
}
/**
* @return configured ready to use {@link StructConverter}
*/
@Bean
public StructConverter structConverter() {
return new SimpleStructConverter();
}
}

4
HIRS_Provisioner/src/main/java/hirs/provisioner/configuration/package-info.java
View File

@ -1,4 +0,0 @@
/**
* Application configuration files pertaining to Spring's application context.
*/
package hirs.provisioner.configuration;

4
HIRS_Provisioner/src/main/java/hirs/provisioner/package-info.java
View File

@ -1,4 +0,0 @@
/**
* This package defines the application entry points.
*/
package hirs.provisioner;

29
HIRS_Provisioner/src/main/resources/defaults.properties
View File

@ -1,29 +0,0 @@
# Client Provisioner configuration
# ClientProvisioner files
# root: root location of all provisioner files
# certs: location of certificate files that the provisioner may read or write
provisioner.files.root = /etc/hirs/provisioner
provisioner.files.certs = ${provisioner.files.root}/certs
# ClientProvisioner ACA connection information
# host: hostname of the ACA
# port: the port number that the ACA is listening on
provisioner.aca.host = localhost
provisioner.aca.port = 8443
# ClientProvisioner ACA Context paths
# root: the main url path for the ACA
# key: the context path for the public key servlet
# identity: the context path for the identity request processor servlet
provisioner.aca.path.root = /HIRS_AttestationCA
provisioner.aca.path.key = /public-key
provisioner.aca.path.identity = /identity-request/process
# ClientProvisioner ACA URL paths
# root: the main url
# key: fully qualified URL for getting ACA public key
# identity: fully qualified URL for processing identity requests
provisioner.aca.url.root = https://${provisioner.aca.host}:${provisioner.aca.port}/${provisioner.aca.path.root}
provisioner.aca.url.key = ${provisioner.aca.url.root}/${provisioner.aca.path.key}
provisioner.aca.url.identity = ${provisioner.aca.url.root}/${provisioner.aca.path.identity}

36
HIRS_Provisioner/src/main/resources/log4j2.xml
View File

@ -1,36 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<Appenders>
<Console name="STDOUT" target="SYSTEM_OUT">
<PatternLayout pattern="----> %m%n"/>
</Console>
<RollingFile name="FILE" fileName="/var/log/hirs/provisioner/HIRS_Provisioner.log"
filePattern="/var/log/hirs/provisioner/HIRS_Provisioner.log-%d{yyyy-MM-dd}-%i.log" >
<PatternLayout>
<pattern>%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n</pattern>
</PatternLayout>
<Policies>
<SizeBasedTriggeringPolicy size="10 MB" />
</Policies>
<DefaultRolloverStrategy max="10"/>
</RollingFile>
</Appenders>
<Loggers>
<logger name="hirs" level="WARN" additivity="false">
<AppenderRef ref="STDOUT"/>
<AppenderRef ref="FILE"/>
</logger>
<!-- log spring and activemq logs at the warn level only to all appenders-->
<logger name="org.springframework" level="WARN" additivity="false">
<AppenderRef ref="STDOUT"/>
<AppenderRef ref="FILE"/>
</logger>
<logger name="org.apache.activemq" level="WARN" additivity="false">
<AppenderRef ref="STDOUT"/>
<AppenderRef ref="FILE"/>
</logger>
<Root level = "WARN">
<AppenderRef ref="FILE"/>
</Root>
</Loggers>
</Configuration>

376
HIRS_Provisioner/src/test/java/hirs/client/collector/DeviceInfoCollectorTest.java
View File

@ -1,376 +0,0 @@
package hirs.client.collector;
import org.powermock.api.mockito.PowerMockito;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.testng.PowerMockTestCase;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.powermock.api.mockito.PowerMockito.when;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.util.Enumeration;
import hirs.DeviceInfoReportRequest;
import hirs.collector.CollectorException;
import hirs.data.persist.DeviceInfoReport;
import hirs.data.persist.enums.OSName;
/**
* Unit tests for <code>DeviceInfoCollector</code>.
*/
@PrepareForTest(DeviceInfoCollector.class)
public class DeviceInfoCollectorTest extends PowerMockTestCase {
private DeviceInfoCollector collector;
/**
* Prepares a test environment for each individual test.
*
* @throws CollectorException should not be thrown here as all collection is mocked
*/
@BeforeMethod
public void beforeMethod() throws CollectorException {
collector = spy(new DeviceInfoCollector());
PowerMockito.mockStatic(DeviceInfoCollector.class);
// mock out serial number collection as it requires root
when(DeviceInfoCollector.collectDmiDecodeValue(
any(OSName.class), anyString())).thenReturn("some string");
doReturn("Linux").when(collector).getSystemProperty(eq("os.name"));
}
/**
* Tests that a DeviceInfoCollector will generate a DeviceInfoReport.
*
* @throws Exception if an error occurs creating mocked output
*/
@Test
public final void testCollect() throws Exception {
final DeviceInfoReportRequest request = new DeviceInfoReportRequest();
final DeviceInfoReport report =
(DeviceInfoReport) collector.collect(request);
final int numberOfDmiDecodeCalls = 9;
// the following two lines assert that collectDmiDecodeValue was called 9 times
PowerMockito.verifyStatic(times(numberOfDmiDecodeCalls));
DeviceInfoCollector.collectDmiDecodeValue(any(OSName.class), anyString());
Assert.assertNotNull(report.getNetworkInfo());
Assert.assertNotNull(report.getOSInfo());
// Test the IP address in the report against the system that created it
Enumeration<NetworkInterface> interfaces =
NetworkInterface.getNetworkInterfaces();
boolean equivalenceFound = false;
while (interfaces.hasMoreElements()) {
NetworkInterface netInt = interfaces.nextElement();
Enumeration<InetAddress> addresses = netInt.getInetAddresses();
while (addresses.hasMoreElements()) {
InetAddress address = addresses.nextElement();
if (address.getHostAddress().equals(
report.getNetworkInfo().getIpAddress().
getHostAddress())) {
equivalenceFound = true;
}
}
}
Assert.assertTrue(equivalenceFound);
}
/**
* Tests that hardware and firmware info is set correctly.
*
* @throws CollectorException should not be thrown here as all collection is mocked
*/
@Test
public final void testCollectProperInfo() throws CollectorException {
DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class);
PowerMockito.mockStatic(DeviceInfoCollector.class);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-product-name")).thenReturn("Product name");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-serial-number")).thenReturn("Serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-version")).thenReturn("Version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-version")).thenReturn("Bios version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-release-date")).thenReturn("Bios release date");
doReturn("Linux").when(mockedCollector).getSystemProperty("os.name");
final DeviceInfoReportRequest request = new DeviceInfoReportRequest();
DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request);
Assert.assertEquals(report.getHardwareInfo().getManufacturer(),
"Manufacturer");
Assert.assertEquals(report.getHardwareInfo().getProductName(),
"Product name");
Assert.assertEquals(report.getHardwareInfo().getSystemSerialNumber(),
"Serial number");
Assert.assertEquals(report.getHardwareInfo().getChassisSerialNumber(),
"Chassis serial number");
Assert.assertEquals(report.getHardwareInfo().getBaseboardSerialNumber(),
"Baseboard serial number");
Assert.assertEquals(report.getHardwareInfo().getVersion(),
"Version");
Assert.assertEquals(report.getFirmwareInfo().getBiosVendor(),
"Bios vendor");
Assert.assertEquals(report.getFirmwareInfo().getBiosVersion(),
"Bios version");
Assert.assertEquals(report.getFirmwareInfo().getBiosReleaseDate(),
"Bios release date");
}
/**
* Tests that null hardware info is set to "Not specified".
*
* @throws CollectorException should not be thrown here as all collection is mocked
*/
@Test
public final void testCollectNullHardwareInfo() throws CollectorException {
DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class);
PowerMockito.mockStatic(DeviceInfoCollector.class);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-manufacturer")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-product-name")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-serial-number")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "chassis-serial-number")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "baseboard-serial-number")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-version")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-version")).thenReturn("Bios version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-release-date")).thenReturn("Bios release date");
doReturn("Linux").when(mockedCollector).getSystemProperty("os.name");
final DeviceInfoReportRequest request = new DeviceInfoReportRequest();
DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request);
Assert.assertEquals(report.getHardwareInfo().getManufacturer(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getProductName(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getSystemSerialNumber(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getChassisSerialNumber(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getBaseboardSerialNumber(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getVersion(),
DeviceInfoCollector.NOT_SPECIFIED);
}
/**
* Tests that empty hardware info is set to "Not specified".
*
* @throws CollectorException should not be thrown here as all collection is mocked
*/
@Test
public final void testCollectEmptyHardwareInfo() throws CollectorException {
DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class);
PowerMockito.mockStatic(DeviceInfoCollector.class);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-manufacturer")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-product-name")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-serial-number")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "chassis-serial-number")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "baseboard-serial-number")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-version")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-version")).thenReturn("Bios version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-release-date")).thenReturn("Bios release date");
doReturn("Linux").when(mockedCollector).getSystemProperty("os.name");
final DeviceInfoReportRequest request = new DeviceInfoReportRequest();
DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request);
Assert.assertEquals(report.getHardwareInfo().getManufacturer(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getProductName(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getSystemSerialNumber(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getChassisSerialNumber(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getBaseboardSerialNumber(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getHardwareInfo().getVersion(),
DeviceInfoCollector.NOT_SPECIFIED);
}
/**
* Tests that null firmware info is set to "Not specified".
*
* @throws CollectorException should not be thrown here as all collection is mocked
*/
@Test
public final void testCollectNullFirmwareInfo() throws CollectorException {
DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class);
PowerMockito.mockStatic(DeviceInfoCollector.class);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-product-name")).thenReturn("Product name");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-serial-number")).thenReturn("Serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-version")).thenReturn("Version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-vendor")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-version")).thenReturn(null);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-release-date")).thenReturn(null);
doReturn("Linux").when(mockedCollector).getSystemProperty("os.name");
final DeviceInfoReportRequest request = new DeviceInfoReportRequest();
DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request);
Assert.assertEquals(report.getFirmwareInfo().getBiosVendor(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getFirmwareInfo().getBiosVersion(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getFirmwareInfo().getBiosReleaseDate(),
DeviceInfoCollector.NOT_SPECIFIED);
}
/**
* Tests that empty firmware info is set to "Not specified".
*
* @throws CollectorException should not be thrown here as all collection is mocked
*/
@Test
public final void testCollectEmptyFirmwareInfo() throws CollectorException {
DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class);
PowerMockito.mockStatic(DeviceInfoCollector.class);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-product-name")).thenReturn("Product name");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-serial-number")).thenReturn("Serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-version")).thenReturn("Version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-vendor")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-version")).thenReturn("");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-release-date")).thenReturn("");
doReturn("Linux").when(mockedCollector).getSystemProperty("os.name");
final DeviceInfoReportRequest request = new DeviceInfoReportRequest();
DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request);
Assert.assertEquals(report.getFirmwareInfo().getBiosVendor(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getFirmwareInfo().getBiosVersion(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getFirmwareInfo().getBiosReleaseDate(),
DeviceInfoCollector.NOT_SPECIFIED);
}
/**
* Tests that null OS info is set to "Not specified".
*
* @throws CollectorException should not be thrown here as all collection is mocked
*/
@Test
public final void testCollectNullOSInfo() throws CollectorException {
DeviceInfoCollector mockedCollector = spy(DeviceInfoCollector.class);
PowerMockito.mockStatic(DeviceInfoCollector.class);
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-manufacturer")).thenReturn("Manufacturer");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-product-name")).thenReturn("Product name");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-serial-number")).thenReturn("Serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "chassis-serial-number")).thenReturn("Chassis serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "baseboard-serial-number")).thenReturn("Baseboard serial number");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "system-version")).thenReturn("Version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-vendor")).thenReturn("Bios vendor");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-version")).thenReturn("Bios version");
when(DeviceInfoCollector.collectDmiDecodeValue(
OSName.LINUX, "bios-release-date")).thenReturn("Bios release date");
doReturn("Unknown").when(mockedCollector).getSystemProperty("os.name");
final DeviceInfoReportRequest request = new DeviceInfoReportRequest();
DeviceInfoReport report = (DeviceInfoReport) mockedCollector.doCollect(request);
Assert.assertEquals(report.getOSInfo().getDistribution(),
DeviceInfoCollector.NOT_SPECIFIED);
Assert.assertEquals(report.getOSInfo().getDistributionRelease(),
DeviceInfoCollector.NOT_SPECIFIED);
}
/**
* Tests that isReportRequestSupported() will return DeviceInfoReportRequest.
*/
@Test
public final void testReportRequestSupported() {
Assert.assertEquals(collector.reportRequestTypeSupported(), DeviceInfoReportRequest.class);
}
}

399
HIRS_Provisioner/src/test/java/hirs/provisioner/client/RestfulClientProvisionerTest.java
View File

@ -1,399 +0,0 @@
package hirs.provisioner.client;
import hirs.client.collector.DeviceInfoCollector;
import hirs.data.persist.DeviceInfoReport;
import hirs.data.persist.info.FirmwareInfo;
import hirs.data.persist.info.HardwareInfo;
import hirs.data.persist.info.NetworkInfo;
import hirs.data.persist.info.OSInfo;
import hirs.data.persist.enums.OSName;
import hirs.data.persist.info.TPMInfo;
import hirs.structs.converters.StructConverter;
import hirs.structs.elements.tpm.AsymmetricPublicKey;
import hirs.tpm.tss.Tpm;
import hirs.tpm.tss.command.CommandException;
import hirs.tpm.tss.command.CommandResult;
import org.mockito.ArgumentCaptor;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.powermock.api.mockito.PowerMockito;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.testng.PowerMockObjectFactory;
import org.powermock.modules.testng.PowerMockTestCase;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.util.SerializationUtils;
import org.springframework.web.client.RestTemplate;
import org.testng.IObjectFactory;
import org.testng.annotations.ObjectFactory;
import org.testng.annotations.Test;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.AfterMethod;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import hirs.structs.elements.aca.IdentityRequestEnvelope;
import hirs.structs.elements.aca.IdentityResponseEnvelope;
import hirs.structs.elements.aca.SymmetricAttestation;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.when;
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertNotNull;
import static org.testng.Assert.assertTrue;
/**
* Test suite for the {@link RestfulClientProvisioner}.
*/
@PrepareForTest(DeviceInfoCollector.class)
public class RestfulClientProvisionerTest extends PowerMockTestCase {
/**
* Sets up PowerMockito.
*
* @return PowerMockObjectFactory
*/
@ObjectFactory
public IObjectFactory getObjectFactory() {
return new PowerMockObjectFactory();
}
private static final String ACA_KEY_URL = "acaKeyUrl";
private static final String ACA_IDENTITY_URL = "acaIdentityUrl";
@Mock
private Tpm mockTpm;
@Mock
private StructConverter mockStructConverter;
@Mock
private RestTemplate mockRestTemplate;
@InjectMocks
private RestfulClientProvisioner provisioner;
/***
* Initializes a unique test environment for each test.
*/
@BeforeMethod
public void setup() {
MockitoAnnotations.initMocks(this);
}
/**
* Verifies that there were no more additional invocations on the mocks after each test has been
* completed.
*/
@AfterMethod
public void verifyMocks() {
verifyNoMoreInteractions(mockStructConverter, mockRestTemplate, mockTpm);
}
/**
* Tests {@link RestfulClientProvisioner#takeOwnership()}.
*/
@Test
public void testTakeOwnership() {
// perform test
provisioner.takeOwnership();
// verify tpm was used appropriately
verify(mockTpm).takeOwnership();
}
/**
* Tests {@link RestfulClientProvisioner#getACAPublicKey()}.
*
* @throws Exception while generating key pair
*/
@Test
@SuppressWarnings("unchecked")
public void testGetACAPublicKey() throws Exception {
// create a key pair generator to generate a temporary RSA key
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(512);
// create the temporary key
KeyPair keyPair = keyPairGenerator.generateKeyPair();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
// assign the ACA identity URL
ReflectionTestUtils.setField(provisioner, "acaPublicKeyURL", ACA_KEY_URL);
// mock response from the ACA
ResponseEntity responseEntity = mock(ResponseEntity.class);
// when our rest template is called, just return our mocked response
when(mockRestTemplate.getForEntity(ACA_KEY_URL, byte[].class)).thenReturn(responseEntity);
// when requesting the response, return our test public key
when(responseEntity.getBody()).thenReturn(publicKey.getEncoded());
// perform the actual test
RSAPublicKey result = provisioner.getACAPublicKey();
// verify that the key is correct
assertEquals(result.getPublicExponent(), publicKey.getPublicExponent());
assertEquals(result.getModulus(), publicKey.getModulus());
// verify mock interactions
verify(mockRestTemplate).getForEntity(ACA_KEY_URL, byte[].class);
verify(responseEntity).getBody();
}
/**
* Tests {@link RestfulClientProvisioner#createIdentityRequest(AsymmetricPublicKey,
* String, DeviceInfoReport)}.
* @throws Exception if there is a problem encountered when mocking
* DeviceInfoCollector
*/
@Test
public void createIdentityCredential() throws Exception {
PowerMockito.spy(DeviceInfoCollector.class);
final InetAddress ipAddress = getTestIpAddress();
final byte[] macAddress = new byte[] {11, 22, 33, 44, 55, 66};
// test parameters
String uuid = "uuid";
byte[] asymmetricBlob = new byte[]{1};
byte[] request = new byte[]{2};
byte[] ekModulus = new byte[]{3};
byte[] ek = new byte[]{50};
// test specific mocks
AsymmetricPublicKey publicKey = mock(AsymmetricPublicKey.class);
// when the converter is used to serialize public key, return known blob
when(mockStructConverter.convert(publicKey)).thenReturn(asymmetricBlob);
// when tpm collate identity is invoked using test blob and uuid, return known request
when(mockTpm.collateIdentityRequest(asymmetricBlob, uuid)).thenReturn(request);
// return known credential when asked.
when(mockTpm.getEndorsementCredentialModulus()).thenReturn(ekModulus);
when(mockTpm.getEndorsementCredential()).thenReturn(ek);
PowerMockito.doReturn("AB12345").when(DeviceInfoCollector.class,
"collectDmiDecodeValue", OSName.LINUX, "system-serial-number");
PowerMockito.doReturn("AB12346").when(DeviceInfoCollector.class,
"collectDmiDecodeValue", OSName.LINUX, "chassis-serial-number");
// perform test
final DeviceInfoReport deviceInfoReport = new DeviceInfoReport(
new NetworkInfo("test hostname", ipAddress, macAddress),
new OSInfo(), new FirmwareInfo(), new HardwareInfo(), new TPMInfo());
IdentityRequestEnvelope envelope = provisioner.createIdentityRequest(publicKey, uuid,
deviceInfoReport);
// validate the identity request
assertEquals(envelope.getEndorsementCredentialModulus(), ekModulus);
assertEquals(envelope.getEndorsementCredentialModulusLength(), ekModulus.length);
assertEquals(envelope.getEndorsementCredential(), ek);
assertEquals(envelope.getEndorsementCredentialLength(), ek.length);
assertEquals(envelope.getRequest(), request);
assertEquals(envelope.getRequestLength(), request.length);
int deviceInfoReportLength = envelope.getDeviceInfoReportLength();
assertTrue(deviceInfoReportLength > 0);
assertEquals(envelope.getDeviceInfoReport().length, deviceInfoReportLength);
assertEquals(envelope.getDeviceInfoReport(),
SerializationUtils.serialize(deviceInfoReport));
// verify mock interactions
verify(mockStructConverter).convert(publicKey);
verify(mockTpm).collateIdentityRequest(asymmetricBlob, uuid);
verify(mockTpm).getEndorsementCredentialModulus();
verify(mockTpm).getEndorsementCredential();
verifyNoMoreInteractions(publicKey);
}
/**
* Tests {@link RestfulClientProvisioner#createIdentityRequest(AsymmetricPublicKey,
* String, DeviceInfoReport)}.
* @throws Exception if there is a problem encountered when mocking
* DeviceInfoCollector
*/
@Test
public void createIdentityCredentialEkNotFound() throws Exception {
PowerMockito.spy(DeviceInfoCollector.class);
final InetAddress ipAddress = getTestIpAddress();
final byte[] macAddress = new byte[] {11, 22, 33, 44, 55, 66};
// test parameters
String uuid = "uuid";
byte[] asymmetricBlob = new byte[]{1};
byte[] request = new byte[]{2};
byte[] ekModulus = new byte[]{3};
// test specific mocks
AsymmetricPublicKey publicKey = mock(AsymmetricPublicKey.class);
// when the converter is used to serialize public key, return known blob
when(mockStructConverter.convert(publicKey)).thenReturn(asymmetricBlob);
// when tpm collate identity is invoked using test blob and uuid, return known request
when(mockTpm.collateIdentityRequest(asymmetricBlob, uuid)).thenReturn(request);
// return known credential when asked.
when(mockTpm.getEndorsementCredentialModulus()).thenReturn(ekModulus);
when(mockTpm.getEndorsementCredential()).thenThrow(new CommandException("no good",
new CommandResult("EK not found", -1)));
PowerMockito.doReturn("AB12345").when(DeviceInfoCollector.class,
"collectDmiDecodeValue", OSName.LINUX, "system-serial-number");
PowerMockito.doReturn("AB12346").when(DeviceInfoCollector.class,
"collectDmiDecodeValue", OSName.LINUX, "chassis-serial-number");
// perform test
final DeviceInfoReport deviceInfoReport = new DeviceInfoReport(
new NetworkInfo("test hostname", ipAddress, macAddress),
new OSInfo(), new FirmwareInfo(), new HardwareInfo(), new TPMInfo());
IdentityRequestEnvelope envelope = provisioner.createIdentityRequest(publicKey, uuid,
deviceInfoReport);
// validate the identity request
assertEquals(envelope.getEndorsementCredentialModulus(), ekModulus);
assertEquals(envelope.getEndorsementCredentialModulusLength(), ekModulus.length);
assertNotNull(envelope.getEndorsementCredential());
assertEquals(envelope.getEndorsementCredentialLength(), 1);
assertEquals(envelope.getRequest(), request);
assertEquals(envelope.getRequestLength(), request.length);
int deviceInfoReportLength = envelope.getDeviceInfoReportLength();
assertTrue(deviceInfoReportLength > 0);
assertEquals(envelope.getDeviceInfoReport().length, deviceInfoReportLength);
assertEquals(envelope.getDeviceInfoReport(),
SerializationUtils.serialize(deviceInfoReport));
// verify mock interactions
verify(mockStructConverter).convert(publicKey);
verify(mockTpm).collateIdentityRequest(asymmetricBlob, uuid);
verify(mockTpm).getEndorsementCredentialModulus();
verify(mockTpm).getEndorsementCredential();
verifyNoMoreInteractions(publicKey);
}
/**
* Tests {@link RestfulClientProvisioner#attestIdentityRequest(IdentityRequestEnvelope)}.
*/
@Test
@SuppressWarnings("unchecked")
public void testAttestIdentityRequest() {
// create some test variables
byte[] requestBytes = new byte[]{1};
byte[] responseBytes = new byte[]{2};
// create some test mocks
IdentityRequestEnvelope request = mock(IdentityRequestEnvelope.class);
IdentityResponseEnvelope response = mock(IdentityResponseEnvelope.class);
ResponseEntity responseEntity = mock(ResponseEntity.class);
// assign the ACA identity URL
ReflectionTestUtils.setField(provisioner, "acaIdentityURL", ACA_IDENTITY_URL);
// the mock converter should serialize the identity request to bytes and likewise
// deserialize the identity response
when(mockStructConverter.convert(request)).thenReturn(requestBytes);
when(mockStructConverter.convert(responseBytes, IdentityResponseEnvelope.class))
.thenReturn(response);
// the template should be used to send a post to the assigned url
when(mockRestTemplate.exchange(eq(ACA_IDENTITY_URL), eq(HttpMethod.POST),
any(HttpEntity.class), eq(byte[].class))).thenReturn(responseEntity);
// the aca response body should be acquired in order to convert into a response object
when(responseEntity.getBody()).thenReturn(responseBytes);
// perform the test
provisioner.attestIdentityRequest(request);
// verify converter mock
verify(mockStructConverter).convert(request);
verify(mockStructConverter).convert(responseBytes, IdentityResponseEnvelope.class);
// setup captor for rest template verification.
ArgumentCaptor<HttpEntity> argument = ArgumentCaptor.forClass(HttpEntity.class);
// verify the rest template and capture the argument for the response entity type
verify(mockRestTemplate).exchange(eq(ACA_IDENTITY_URL), eq(HttpMethod.POST),
argument.capture(), eq(byte[].class));
// verify response entity body is acquired
verify(responseEntity).getBody();
// assert that the http entity object being sent to the aca contained the request bytes
assertEquals(argument.getValue().getBody(), requestBytes);
// verify test specific mocks had no other unintended interactions
verifyNoMoreInteractions(request, response, responseEntity);
}
/**
* Tests {@link RestfulClientProvisioner#activateCredential(IdentityResponseEnvelope,
* String)}.
*/
@Test
public void testActivateCredential() {
// create test parameters
String uuid = "uuid";
byte[] asymmetricContents = new byte[]{1};
byte[] symmetricContents = new byte[]{2};
byte[] response = new byte[]{3};
// create test specific mocks
IdentityResponseEnvelope envelope = mock(IdentityResponseEnvelope.class);
SymmetricAttestation attestation = mock(SymmetricAttestation.class);
// both asymmetric and symmetric contents should be obtained
when(envelope.getAsymmetricContents()).thenReturn(asymmetricContents);
when(envelope.getSymmetricAttestation()).thenReturn(attestation);
// the tpm should be sent both contents and the specified uuid
when(mockTpm.activateIdentity(asymmetricContents, symmetricContents, uuid))
.thenReturn(response);
// the symmetric contents need to be converted
when(mockStructConverter.convert(attestation)).thenReturn(symmetricContents);
// perform the actual test
provisioner.activateCredential(envelope, uuid);
// verify mock interactions
verify(mockTpm).activateIdentity(asymmetricContents, symmetricContents, uuid);
verify(envelope).getAsymmetricContents();
verify(envelope).getSymmetricAttestation();
verify(mockStructConverter).convert(attestation);
// ensure test specific mocks have no unintended interactions
verifyNoMoreInteractions(envelope, attestation);
}
private static InetAddress getTestIpAddress() {
try {
return InetAddress.getByAddress(new byte[] {127, 0, 0, 1});
} catch (UnknownHostException e) {
return null;
}
}
}

45
TPM_Utils/build.gradle
View File

@ -1,45 +0,0 @@
apply plugin: 'java'
apply plugin: 'checkstyle'
apply plugin: 'jacoco'
sourceCompatibility = 1.8
dependencies {
compile libs.log4j2
compile libs.commons_codec
compile libs.commons_io
compile libs.commons_lang
compile libs.spring_core
testCompile libs.testng
}
ext.configDir = new File(projectDir, 'config')
ext.checkstyleConfigDir = "$configDir/checkstyle"
checkstyle {
toolVersion = '5.7'
configFile = checkstyleConfigFile
configProperties.put('basedir', checkstyleConfigDir)
ignoreFailures = false
showViolations = true
}
jacocoTestReport {
reports {
xml.enabled true
csv.enabled true
html.enabled true
html.destination "${buildDir}/reports/jacoco/html"
}
}
publishing {
publications {
maven(MavenPublication) {
artifactId 'hirs-tpm-utils'
from components.java
}
}
}

13
TPM_Utils/config/checkstyle/suppressions.xml
View File

@ -1,13 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
"-//Puppy Crawl//DTD Suppressions 1.1//EN"
"http://www.puppycrawl.com/dtds/suppressions_1_1.dtd">
<suppressions>
<suppress checks="MagicNumber" files=".*[/\\]src[/\\]test[/\\]+" />
<suppress checks="FinalParameters" files=".*[/\\]src[/\\]test[/\\]+" />
<suppress checks="JavadocPackage" files=".*[/\\]src[/\\]test[/\\]+" />
</suppressions>

60
TPM_Utils/src/main/java/hirs/tpm/tss/Tpm.java
View File

@ -1,60 +0,0 @@
package hirs.tpm.tss;
import java.io.IOException;
/**
* Defines the functionality of a Tpm as specified in the TCG TSS Specification.
*/
public interface Tpm {
/**
* Takes ownership of an active but unowned Tpm.
*/
void takeOwnership();
/**
* Obtain the public Endorsement Credential modulus.
*
* @return the endorsement credential modulus
* @see #collateIdentityRequest(byte[], String)
*/
byte[] getEndorsementCredentialModulus();
/**
* Obtains the full Endorsement Credential stored in the TPM.
* @return the EC on the TPM, if present, otherwise null
* @throws IOException if there's an error writing the EC to a temporary file for processing
*/
byte[] getEndorsementCredential() throws IOException;
/**
* Instructs the Tpm to collate an identity request as stated in the TSS specification.
*
* @param acaPublicKey non null, ACA PK information.
* @param uuid non null, non empty, UUID for the identity.
* @return the identity request. to be later attested.
*/
byte[] collateIdentityRequest(byte[] acaPublicKey, String uuid);
/**
* Activates the identity within the TPM given the label and ACA symmetric and asymmetric
* identity response blobs. The return will be the identity credential that is activated within
* the TPM.
*
* @param asymmetricBlob from ACA identity response
* @param symmetricBlob from ACA identity response
* @param uuid of the identity request
* @return the activated identity credential
*/
byte[] activateIdentity(byte[] asymmetricBlob, byte[] symmetricBlob, String uuid);
/**
* Queries the TPM for quote data given the specified pcrValues using the specified UUID.
*
* @param pcrValues cannot be null or empty
* @param nonce cannot be null or empty
* @param uuid cannot be null or empty
* @return quote data
*/
byte[] getQuote(String pcrValues, String nonce, String uuid);
}

28
TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandException.java
View File

@ -1,28 +0,0 @@
package hirs.tpm.tss.command;
/**
* Exception that is thrown by the {@link CommandTpm} when executing operations.
*/
public class CommandException extends RuntimeException {
private CommandResult commandResult;
/**
* Constructs this exception with the specified message and the command result.
*
* @param message as to why this exception occurred
* @param commandResult the result of the command that caused this exception
*/
public CommandException(final String message, final CommandResult commandResult) {
super(message);
this.commandResult = commandResult;
}
/**
* @return {@link CommandResult} of the command that caused this exception
*/
public CommandResult getCommandResult() {
return this.commandResult;
}
}

42
TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandResult.java
View File

@ -1,42 +0,0 @@
package hirs.tpm.tss.command;
/**
* Encapsulates the results of executing a command.
*/
public class CommandResult {
/**
* The exit status when attempting to take ownership of an already owned TPM.
*/
public static final int TPM_PREVIOUSLY_OWNED_ERROR = 20;
private String output;
private int exitStatus;
/**
* Creates the command result with the specified output and exist status.
*
* @param output of the command
* @param exitStatus of the command
*/
public CommandResult(final String output, final int exitStatus) {
this.output = output;
this.exitStatus = exitStatus;
}
/**
* @return command output.
*/
public String getOutput() {
return output;
}
/**
* @return command exit status.
*/
public int getExitStatus() {
return exitStatus;
}
}

245
TPM_Utils/src/main/java/hirs/tpm/tss/command/CommandTpm.java
View File

@ -1,245 +0,0 @@
package hirs.tpm.tss.command;
import hirs.tpm.tss.Tpm;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.util.Assert;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
/**
* Implementation of a {@link Tpm} that uses the TPM_MODULE command as the interface to the TPM.
*/
public class CommandTpm implements Tpm {
private static final String TPM_COMMAND = "/usr/bin/tpm_module";
private static final String TPM_TOOLS_READ_COMMAND = "tpm_nvread";
private static final String TPM_TOOLS_INFO_COMMAND = "tpm_nvinfo";
// The fixed location of the endorsement credential (TPM 1.2 only)
private static final int EC_INDEX = 0xf000;
private static final int EC_INDEX_MASK = 0x0000ffff;
private static final String IDENTITY_LABEL = "HISIdentityKey";
@Override
public void takeOwnership() {
// take ownership if the TPM is currently unowned
try {
sendTPMCommand("-nr -m 1 -z");
} catch (CommandException ex) {
// if the error isn't that the TPM is already owned, bubble the exception up.
if (ex.getCommandResult().getExitStatus() != CommandResult.TPM_PREVIOUSLY_OWNED_ERROR) {
throw ex;
}
}
}
@Override
public byte[] getEndorsementCredentialModulus() {
return sendTPMCommand("-m 17 -z -nr -t ek").getOutput().getBytes();
}
@Override
public byte[] getEndorsementCredential() throws IOException {
File tempExtractFile = File.createTempFile("nvread-extract", ".tmp");
try {
int ecIndex = findEndorsementCredentialIndex();
int ecSize = getEndorsementCredentialSize(ecIndex);
// don't care about the stdout from this command. If the command fails, an exception
// is thrown, otherwise, read the temp file content
String argList = "-i " + ecIndex
+ " -s " + ecSize + " -z -f " + tempExtractFile.getAbsolutePath();
sendCommand(TPM_TOOLS_READ_COMMAND, argList);
return FileUtils.readFileToByteArray(tempExtractFile);
} finally {
FileUtils.deleteQuietly(tempExtractFile);
}
}
private int findEndorsementCredentialIndex() {
CommandResult command = sendCommand(TPM_TOOLS_INFO_COMMAND, "");
return parseEcIndexFromNvInfoOutput(command.getOutput());
}
/**
* Parses the output from tpm_nvinfo to find the index for the endorsement credential.
* @param commandOutput the output of the tpm_nvinfo command
* @return the index of the EC
*/
static int parseEcIndexFromNvInfoOutput(final String commandOutput) {
String[] lines = commandOutput.trim().split("\\r?\\n");
for (String line: lines) {
if (line.startsWith("NVRAM index")) {
String rawIndex = line.split(":")[1].trim();
String hexIndexStr = rawIndex.split(" ")[0];
int index = Integer.decode(hexIndexStr);
if ((EC_INDEX_MASK & index) == EC_INDEX) {
return index;
}
}
}
throw new RuntimeException("Failed to find index for EC");
}
private int getEndorsementCredentialSize(final int index) {
try {
String args = "-i " + index;
CommandResult command = sendCommand(TPM_TOOLS_INFO_COMMAND, args);
return parseNvramSizeFromNvInfoOutput(command.getOutput());
} catch (Exception ex) {
throw new RuntimeException("Failed to get EC size: ", ex);
}
}
/**
* Parses the output from tpm_nvinfo for a particular address, returning the size of the
* data at the queried address.
* @param commandOutput the output of a tpm_nvinfo -i [address] command
* @return the size at the address, as a decimal integer
*/
static int parseNvramSizeFromNvInfoOutput(final String commandOutput) {
// trim the ends and split on lines.
String[] lines = commandOutput.trim().split("\\r?\\n");
// search lines for the first "Size" line, which contains the # of bytes to
// read at the location
for (String line : lines) {
if (line.startsWith("Size")) {
String rawSizeValue = line.split(":")[1].trim();
// The value after the ":" contains the decimal and hex values.
// Parse out the decimal portion
String decimalSizeStr = rawSizeValue.split(" ")[0];
return Integer.parseInt(decimalSizeStr);
}
}
throw new RuntimeException("Failed to find size from EC's NVRAM area");
}
@Override
public byte[] collateIdentityRequest(final byte[] acaPublicKey, final String uuid) {
Assert.notNull(acaPublicKey, "acaPublicKey is null");
Assert.hasLength(uuid, "uuid must not be empty or null");
// encode the aca PK to a hex string.
String hexAcaBlob = Hex.encodeHexString(acaPublicKey);
// send the collate identity request
String request = sendTPMCommand(
String.format("-nr -z -o -m 6 -p %s -u %s -l %s -nvram -debug",
hexAcaBlob, uuid, IDENTITY_LABEL)).getOutput();
try {
// attempt to decode the response
return Hex.decodeHex(request.toCharArray());
} catch (DecoderException e) {
throw new RuntimeException(
"Encountered error decoding response from tpm_module: " + e.getMessage(), e);
}
}
@Override
public byte[] activateIdentity(final byte[] asymmetricBlob, final byte[] symmetricBlob,
final String uuid) {
Assert.notNull(asymmetricBlob, "asymmetricBlob is null");
Assert.notNull(symmetricBlob, "symmetricBlob is null");
Assert.hasLength(uuid, "uuid must not be empty or null");
// encode the blobs into hex strings
String hexAsymmetric = Hex.encodeHexString(asymmetricBlob);
String hexSymmetric = Hex.encodeHexString(symmetricBlob);
// issue the activate identity command
CommandResult result = sendTPMCommand(String.format("-asym %s -sym %s -u %s -m 7 -z - nr",
hexAsymmetric, hexSymmetric, uuid));
try {
return Hex.decodeHex(result.getOutput().toCharArray());
} catch (DecoderException e) {
throw new RuntimeException(
"Encountered error decoding response from tpm_module: " + e.getMessage(), e);
}
}
@Override
public byte[] getQuote(final String pcr, final String nonce, final String uuid) {
Assert.hasLength(pcr, "pcr must not be empty or null");
Assert.hasLength(nonce, "nonce must not be empty or null");
Assert.hasLength(uuid, "uuid must not be empty or null");
// issues the quote 2 command (-m 9) to retrieve the quote for the selected PCR (-p #).
CommandResult result =
sendTPMCommand(String.format("-m 9 -z -n %s -c -u %s -p %s", nonce, uuid, pcr));
try {
return Hex.decodeHex(result.getOutput().toCharArray());
} catch (DecoderException e) {
throw new RuntimeException(
"Encountered error decoding response from tpm_module: " + e.getMessage(), e);
}
}
private CommandResult sendTPMCommand(final String arguments) {
// always run the tpm_module with debug (-d).
// otherwise the exit status and error messages are squelched.
return sendCommand(TPM_COMMAND, "-d " + arguments);
}
/**
* Issues the specified command to the tpm_module process.
*/
private CommandResult sendCommand(final String application, final String arguments) {
String[] command = {application};
// add the specified arguments to the command
command = ArrayUtils.addAll(command, arguments.split("\\s+"));
// build up the process
ProcessBuilder processBuilder = new ProcessBuilder(command);
// merge the error stream into the standard output
processBuilder.redirectErrorStream(true);
try {
// issue the command
Process process = processBuilder.start();
// block and wait for the process to be complete
int returnCode = process.waitFor();
try (InputStream processInputStream = process.getInputStream()) {
// grab the command output
String output = IOUtils.toString(processInputStream);
// construct the command result
CommandResult result = new CommandResult(output, returnCode);
// if the command wasn't successful, generate an exception with command output
if (returnCode != 0) {
throw new CommandException(
String.format("Encountered error: %s while executing command: %s",
output, StringUtils.join(command, " ")), result);
}
return result;
}
} catch (IOException | InterruptedException e) {
throw new RuntimeException(e.getMessage(), e);
}
}
}

4
TPM_Utils/src/main/java/hirs/tpm/tss/command/package-info.java
View File

@ -1,4 +0,0 @@
/**
* Defines command line interface to the TPM/TSS.
*/
package hirs.tpm.tss.command;

4
TPM_Utils/src/main/java/hirs/tpm/tss/package-info.java
View File

@ -1,4 +0,0 @@
/**
* Defines high level interfaces for communicating and interacting with a TPM.
*/
package hirs.tpm.tss;

13
TPM_Utils/src/main/resources/log4j2.xml
View File

@ -1,13 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<Appenders>
<Console name="STDOUT" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t @ %C.%M] %-5p : %m%n"/>
</Console>
</Appenders>
<Loggers>
<Root level="WARN">
<AppenderRef ref="STDOUT"/>
</Root>
</Loggers>
</Configuration>

68
TPM_Utils/src/test/java/hirs/tpm/tss/command/CommandTpmTest.java
View File

@ -1,68 +0,0 @@
package hirs.tpm.tss.command;
import org.testng.Assert;
import org.testng.annotations.Test;
/**
* Unit tests for {@see CommandTpm}.
*/
public class CommandTpmTest {
/**
* Tests retrieving the size given a valid output from tpm_nvinfo.
*/
@Test
public void parseSizeValid() {
final int expectedSize = 1129;
String nvInfoOutput =
"\n"
+ "NVRAM index : 0x1000f000 (268496896)\n"
+ "PCR read selection:\n"
+ " Localities : ALL\n"
+ "PCR write selection:\n"
+ " Localities : ALL\n"
+ "Permissions : 0x00020002 (OWNERREAD|OWNERWRITE)\n"
+ "bReadSTClear : FALSE\n"
+ "bWriteSTClear : FALSE\n"
+ "bWriteDefine : FALSE\n"
+ "Size : 1129 (0x469)\n"
+ "\n";
int readSize = CommandTpm.parseNvramSizeFromNvInfoOutput(nvInfoOutput);
Assert.assertEquals(readSize, expectedSize);
}
/**
* Tests failure to get the size given output from tpm_nvinfo with missing size value.
*/
@Test(expectedExceptions = RuntimeException.class)
public void parseSizeMissingSizeValue() {
String nvInfoOutput =
"\n"
+ "NVRAM index : 0x1000f000 (268496896)\n"
+ "PCR read selection:\n"
+ " Localities : ALL\n"
+ "PCR write selection:\n"
+ " Localities : ALL\n"
+ "Permissions : 0x00020002 (OWNERREAD|OWNERWRITE)\n"
+ "bReadSTClear : FALSE\n"
+ "bWriteSTClear : FALSE\n"
+ "bWriteDefine : FALSE\n"
+ "Strength : 1129 (0x469)\n"
+ "\n";
CommandTpm.parseNvramSizeFromNvInfoOutput(nvInfoOutput);
}
/**
* Tests failure to get the EC size given a completely garbage tpm_nvifo output.
*/
@Test(expectedExceptions = RuntimeException.class)
public void parseSizeBadOutput() {
String nvInfoOutput = "bad data here. FAILURE TO READ SOMETHING!";
CommandTpm.parseNvramSizeFromNvInfoOutput(nvInfoOutput);
}
}

4
TPM_Utils/src/test/java/hirs/tpm/tss/command/package-info.java
View File

@ -1,4 +0,0 @@
/**
* Tests for the TPM command classes.
*/
package hirs.tpm.tss.command;

15
tpm_module/build.gradle
View File

@ -1,15 +0,0 @@
task make(type: Exec) {
outputs.file 'tpm_module'
inputs.dir fileTree(dir: '.').include('main.cpp').include('*.hpp')
commandLine 'make'
}
task cleanUp() {
delete 'tpm_module', 'main.d', 'main.o'
}
task fullBuild(type: GradleBuild) {
tasks = ['cleanUp', 'make']
}
build.dependsOn tasks.fullBuild

5
tpm_module/debian/changelog
View File

@ -1,5 +0,0 @@
tpm-module (3.11) trusty; urgency=low
* Initial release
-- HIRS <HIRS@HIRS.HIRS> Thu, 05 Feb 2015 17:44:25 -0500

1
tpm_module/debian/compat
View File

@ -1 +0,0 @@
9

13
tpm_module/debian/control
View File

@ -1,13 +0,0 @@
Source: tpm-module
Section: admin
Priority: optional
Maintainer: HIRS <HIRS@HIRS.HIRS>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.5
Package: tpm-module
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}, tpm-tools, libtspi1
Description: HIRS TPM Module
Allows for interaction with TPMs.

0
tpm_module/debian/docs
View File

1
tpm_module/debian/files
View File

@ -1 +0,0 @@
tpm-module_3.11_amd64.deb admin optional

2
tpm_module/debian/lintian-overrides
View File

@ -1,2 +0,0 @@
# Ignore lintian error about incorrectly formatted copyright file
tpm-module binary: copyright-should-refer-to-common-license-file-for-lgpl

7
tpm_module/debian/rules
View File

@ -1,7 +0,0 @@
#!/usr/bin/make -f
# -*- makefile -*-
export DH_VERBOSE=1
%:
dh $@

1
tpm_module/debian/source/format
View File

@ -1 +0,0 @@
3.0 (native)

1
tpm_module/debian/tpm-module.install
View File

@ -1 +0,0 @@
src/tpm_module usr/bin

1
tpm_module/debian/tpm-module.manpages
View File

@ -1 +0,0 @@
debian/tpm_module.1

2
tpm_module/debian/tpm-module.substvars
View File

@ -1,2 +0,0 @@
shlibs:Depends=libc6 (>= 2.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.4.0), libtspi1 (>= 0.3.1)
misc:Depends=

224
tpm_module/libhis_activateidentity.hpp
View File

@ -1,224 +0,0 @@
#ifndef libhis_activateidentity_hpp
#define libhis_activateidentity_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_activateidentity
{
public:
libhis_activateidentity()
{
//set default values
init_ik_size = TSS_KEY_SIZE_DEFAULT;
init_ik_type = TSS_KEY_TYPE_IDENTITY;
init_ik_authorized = TSS_KEY_AUTHORIZATION;
init_ik_migratable = TSS_KEY_NOT_MIGRATABLE;
init_ik_volatile = TSS_KEY_VOLATILE;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create IK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Create IK Policy", result);
}
void init()
{
//combine the init flags
init_ik = init_ik_size | init_ik_type | init_ik_authorized | init_ik_migratable | init_ik_volatile;
//Create IK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_ik, &hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Create IK", result);
binitialized = true;
}
void activateidentity(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_ik_value,
unsigned long auth_ik_size,
bool auth_ik_sha1,
unsigned char *asym_value,
unsigned long asym_size,
unsigned char *sym_value,
unsigned long sym_size,
unsigned char *uuid_ik_value,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the IK UUID
hextouuid(uuid_ik_value, uuid_ik);
//Get the IK by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Get IK by UUID", result);
//set up IK auth
if(auth_ik_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result);
}
//assign the IK auth
result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result);
//Unwrap the IK
result = Tspi_Key_LoadKey(hkey_ik, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result);
//Activate identity
BYTE *value;
UINT32 size;
result = Tspi_TPM_ActivateIdentity(htpm, hkey_ik, asym_size, asym_value, sym_size, sym_value, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Activate identity", result);
//Copy memory because TSS uses malloc and free, but we're using new and delete
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
{
output_value[i] = value[i];
}
//clean up the TSS data -- CANNOT DO THIS; TSS MEMORY LEAK?
//result = Tspi_Context_FreeMemory(hcontext, value);
//if(result != TSS_SUCCESS) throw libhis_exception("Cleanup identity credential", result);
return;
}
~libhis_activateidentity()
{
//clean up IK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Close IK Policy", result);
if(binitialized)
{
//clean up IK
result = Tspi_Context_CloseObject(hcontext, hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Close IK", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_ik;
TSS_HPOLICY hpolicy_tpm,
hpolicy_srk,
hpolicy_ik;
TSS_UUID uuid_ik;
UINT32 init_ik,
init_ik_size,
init_ik_type,
init_ik_authorized,
init_ik_migratable,
init_ik_volatile;
bool binitialized;
};
#endif

271
tpm_module/libhis_bind.hpp
View File

@ -1,271 +0,0 @@
#ifndef libhis_bind_hpp
#define libhis_bind_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_bind
{
public:
libhis_bind()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
init_key_scheme = 0;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
//Create ENCData object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result);
//Create ENCData policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result);
}
void initbind(unsigned int in_size, unsigned int in_scheme)
{
//set the type
init_key_type = TSS_KEY_TYPE_BIND;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//set the encryption scheme
if(in_scheme == 0)
init_key_scheme = TSS_ES_RSAESPKCSV15;
else if(in_scheme == 1)
init_key_scheme = TSS_ES_RSAESOAEP_SHA1_MGF1;
else if(in_scheme == 2)
init_key_scheme = TSS_ES_SYM_CNT;
else if(in_scheme == 3)
init_key_scheme = TSS_ES_SYM_OFB;
else if(in_scheme == 4)
init_key_scheme = TSS_ES_SYM_CBC_PKCS5PAD;
else
init_key_scheme = TSS_ES_NONE;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
//Set the encryption scheme
result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME, init_key_scheme);
if(result != TSS_SUCCESS) throw libhis_exception("Set encryption scheme", result);
binitialized = true;
}
void bind(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *auth_enc_value,
unsigned long auth_enc_size,
bool auth_enc_sha1,
unsigned char *uuid_key_value,
unsigned char *hash_value,
unsigned long hash_size,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//Unwrap the key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//set up ENCData auth
if(auth_enc_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result);
}
//assign the ENCData auth
result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result);
//bind data
result = Tspi_Data_Bind(hencdata, hkey_key, hash_size, hash_value);
if(result != TSS_SUCCESS) throw libhis_exception("Bind", result);
//Get the bound data blob
BYTE *value;
UINT32 size;
result = Tspi_GetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Get bound data blob", result);
//copy over memory
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_value[i] = value[i];
//clean up dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result);
}
~libhis_bind()
{
//clean up ENCData policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result);
//Clean up ENCData
result = Tspi_Context_CloseObject(hcontext, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result);
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key;
TSS_HPOLICY hpolicy_srk,
hpolicy_key,
hpolicy_enc;
TSS_UUID uuid_key;
TSS_HENCDATA hencdata;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile,
init_key_scheme;
bool binitialized;
};
#endif

316
tpm_module/libhis_changekeyauth.hpp
View File

@ -1,316 +0,0 @@
#ifndef libhis_changekeyauth_hpp
#define libhis_changekeyauth_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_changekeyauth
{
public:
libhis_changekeyauth()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
//Create new policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Create New Policy", result);
}
void initidentity()
{
//set the type
init_key_type = TSS_KEY_TYPE_IDENTITY;
//set the key size
init_key_size = TSS_KEY_SIZE_DEFAULT;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initsign(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_SIGNING;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initbind(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_BIND;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initstorage(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_STORAGE;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void changekeyauth(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *uuid_key_value,
unsigned char *auth_new_value,
unsigned long auth_new_size,
bool auth_new_sha1)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up Key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set Key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set Key Secret Plain", result);
}
//assign the Key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign Key Secret", result);
//set up new auth
if(auth_new_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_SHA1, auth_new_size, auth_new_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_PLAIN, auth_new_size, auth_new_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret Plain", result);
}
//change the Key secret
result = Tspi_ChangeAuth(hkey_key, hkey_srk, hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Change Key Secret", result);
try
{
//save key
result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Save key By UUID", result);
}
catch(libhis_exception &e)
{
//Unregister the existing key
result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_unregister);
if(result != TSS_SUCCESS) throw libhis_exception("Unregister slot", result);
//Register a new key
result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Resave key By UUID", result);
}
return;
}
~libhis_changekeyauth()
{
//clean up new policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Close New Policy", result);
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key,
hkey_unregister;
TSS_HPOLICY hpolicy_srk,
hpolicy_key,
hpolicy_new;
TSS_UUID uuid_key;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile,
init_key_scheme;
bool binitialized;
};
#endif

109
tpm_module/libhis_changeownership.hpp
View File

@ -1,109 +0,0 @@
#ifndef libhis_changeownership_hpp
#define libhis_changeownership_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_changeownership
{
public:
libhis_changeownership()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create new policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Create New Policy", result);
}
void changeownership(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *auth_new_value,
unsigned long auth_new_size,
bool auth_new_sha1)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result);
//set up new auth
if(auth_new_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_SHA1, auth_new_size, auth_new_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_PLAIN, auth_new_size, auth_new_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret Plain", result);
}
//change the TPM secret
result = Tspi_ChangeAuth(htpm, 0, hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Change TPM Secret", result);
return;
}
~libhis_changeownership()
{
//clean up new policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Close New Policy", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPOLICY hpolicy_tpm,
hpolicy_new;
};
#endif

150
tpm_module/libhis_changesrksecret.hpp
View File

@ -1,150 +0,0 @@
#ifndef libhis_changesrksecret_hpp
#define libhis_changesrksecret_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_changesrksecret
{
public:
libhis_changesrksecret()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create new policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Create New Policy", result);
}
void changesrksecret(unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_new_value,
unsigned long auth_new_size,
bool auth_new_sha1)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//set up new auth
if(auth_new_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_SHA1, auth_new_size, auth_new_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_new, TSS_SECRET_MODE_PLAIN, auth_new_size, auth_new_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set New Secret Plain", result);
}
//change the SRK secret
result = Tspi_ChangeAuth(hkey_srk, htpm, hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Change SRK Secret", result);
return;
}
~libhis_changesrksecret()
{
//clean up new policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_new);
if(result != TSS_SUCCESS) throw libhis_exception("Close New Policy", result);
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk;
TSS_HPOLICY hpolicy_tpm,
hpolicy_srk,
hpolicy_new;
};
#endif

167
tpm_module/libhis_clearkey.hpp
View File

@ -1,167 +0,0 @@
#ifndef libhis_clearkey_hpp
#define libhis_clearkey_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_clearkey
{
public:
libhis_clearkey()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
}
void clearkey(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *uuid_key_value)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//Unwrap the key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//Unregister the existing key
result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Unregister uuid", result);
return;
}
~libhis_clearkey()
{
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key;
TSS_HPOLICY hpolicy_srk,
hpolicy_key;
TSS_UUID uuid_key;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile,
init_key_scheme;
};
#endif

121
tpm_module/libhis_clearnvdata.hpp
View File

@ -1,121 +0,0 @@
#ifndef libhis_clearnvdata_hpp
#define libhis_clearnvdata_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_clearnvdata
{
public:
libhis_clearnvdata()
{
//set defaults
nvstore_index = 0;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create NVSTore object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_NV, 0, &hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Create NVStore object", result);
}
void clearnvdata(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned long nv_index)
{
//set up the index value
if(nv_index == 0)
nvstore_index = TPM_NV_INDEX_EKCert;
else if(nv_index == 1)
nvstore_index = TPM_NV_INDEX_TPM_CC;
else if(nv_index == 2)
nvstore_index = TPM_NV_INDEX_PlatformCert;
else if(nv_index == 3)
nvstore_index = TPM_NV_INDEX_Platform_CC;
else
nvstore_index = nv_index;
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//assign the TPM auth to the NVStore
result = Tspi_Policy_AssignToObject(hpolicy_tpm, hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to NVStore", result);
//force NVData to be readable by the owner only
result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_PERMISSIONS, 0, TPM_NV_PER_OWNERREAD | TPM_NV_PER_OWNERWRITE);
if(result != TSS_SUCCESS) throw libhis_exception("Requier owner auth on NVStore read/write", result);
//set the read address
result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_INDEX, 0, nvstore_index);
if(result != TSS_SUCCESS) throw libhis_exception("Set NVStore index", result);
//clear the nvstore space
result = Tspi_NV_ReleaseSpace(hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Clear data at NVStore index", result);
}
~libhis_clearnvdata()
{
//clean up NVStore
result = Tspi_Context_CloseObject(hcontext, hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Close NVStore object", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPOLICY hpolicy_tpm;
TSS_HNVSTORE hnvstore;
UINT32 nvstore_index;
};
#endif

83
tpm_module/libhis_clearownership.hpp
View File

@ -1,83 +0,0 @@
#ifndef libhis_clearownership_hpp
#define libhis_clearownership_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_clearownership
{
public:
libhis_clearownership()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
}
void clearownership(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result);
//clear the TPM owner
result = Tspi_TPM_ClearOwner(htpm, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Clear Ownership", result);
}
~libhis_clearownership()
{
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPOLICY hpolicy_tpm;
};
#endif

122
tpm_module/libhis_clearpcr.hpp
View File

@ -1,122 +0,0 @@
#ifndef libhis_clearpcr_hpp
#define libhis_clearpc_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_clearpcr
{
public:
libhis_clearpcr()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create PCRS object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_SHORT, &hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result);
}
void clearpcr(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *mask)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//set up mask
bool bitmask[24];
for(short i = 0; i < 24; i++)
bitmask[i] = 0;
masktobitmask(mask, bitmask);
//collect the PCR values
UINT32 temp_size;
BYTE *temp_value;
for(unsigned long i = 0; i < 24; i++)
{
if(bitmask[i])
{
result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result);
result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result);
result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
result = Tspi_Context_FreeMemory(hcontext, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result);
}
}
//clear PCR value
result = Tspi_TPM_PcrReset(htpm, hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Reset PCRs", result);
return;
}
~libhis_clearpcr()
{
//clean up PCRS
result = Tspi_Context_CloseObject(hcontext, hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPOLICY hpolicy_tpm;
TSS_HPCRS hpcrs;
};
#endif

3245
tpm_module/libhis_cli.hpp
View File

File diff suppressed because it is too large Load Diff

278
tpm_module/libhis_collateidentityrequest.hpp
View File

@ -1,278 +0,0 @@
#ifndef libhis_collateidentityrequest_hpp
#define libhis_collateidentityrequest_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_collateidentityrequest
{
public:
libhis_collateidentityrequest()
{
//set default values
init_ik_size = TSS_KEY_SIZE_DEFAULT;
init_ik_type = TSS_KEY_TYPE_IDENTITY;
init_ik_authorized = TSS_KEY_AUTHORIZATION;
init_ik_migratable = TSS_KEY_NOT_MIGRATABLE;
init_ik_volatile = TSS_KEY_VOLATILE;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create IK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Create IK Policy", result);
//Create ACAK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_acak);
if(result != TSS_SUCCESS) throw libhis_exception("Create ACAK", result);
}
void init()
{
//combine the init flags
init_ik = init_ik_size | init_ik_type | init_ik_authorized | init_ik_migratable | init_ik_volatile;
//Create IK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_ik, &hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Create IK", result);
binitialized = true;
}
void collateidentityrequest(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_ik_value,
unsigned long auth_ik_size,
bool auth_ik_sha1,
unsigned char *label_ik_value,
unsigned long label_ik_size,
unsigned char *key_acak_value,
unsigned long key_acak_size,
unsigned char *uuid_ik_value,
bool uuid_overwrite,
unsigned char *ekc_value,
unsigned long ekc_size,
unsigned char *pc_value,
unsigned long pc_size,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret", result);
//assign the TPM auth to the ACAK too
result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_acak);
if(result != TSS_SUCCESS) throw libhis_exception("Assign ACAK Secret", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//set up IK auth
if(auth_ik_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result);
}
//assign the IK auth
result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result);
//set ACAK blob
result = Tspi_SetAttribData(hkey_acak, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, key_acak_size, key_acak_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ACAK Blob", result);
if(ekc_size != 0)
{
//set the EK cert
result = Tspi_SetAttribData(htpm, TSS_TSPATTRIB_TPM_CREDENTIAL, TSS_TPMATTRIB_EKCERT, ekc_size, ekc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set EK credential blob", result);
}
if(pc_size != 0)
{
//set the Platform cert
result = Tspi_SetAttribData(htpm, TSS_TSPATTRIB_TPM_CREDENTIAL, TSS_TPMATTRIB_PLATFORMCERT, pc_size, pc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set Platform credential blob", result);
}
//Collate identity request
BYTE *value;
UINT32 size;
result = Tspi_TPM_CollateIdentityRequest(htpm, hkey_srk, hkey_acak, label_ik_size, label_ik_value, hkey_ik, TSS_ALG_AES, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Collate identity Request", result);
//Copy memory because TSS uses malloc and free, but we're using new and delete
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
{
output_value[i] = value[i];
}
//clean up the TSS data -- CANNOT DO THIS; TSS MEMORY LEAK?
//result = Tspi_Context_FreeMemory(hcontext, value);
//if(result != TSS_SUCCESS) throw libhis_exception("Cleanup identity request", result);
//Unwrap the newly generated IK
result = Tspi_Key_LoadKey(hkey_ik, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result);
//Set up the IK UUID
hextouuid(uuid_ik_value, uuid_ik);
try
{
//save ik
result = Tspi_Context_RegisterKey(hcontext, hkey_ik, TSS_PS_TYPE_SYSTEM, uuid_ik, TSS_PS_TYPE_SYSTEM, uuid_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Save IK By UUID", result);
}
catch(libhis_exception &e)
{
if(uuid_overwrite)
{
//Unregister the existing key
result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_unregister);
if(result != TSS_SUCCESS) throw libhis_exception("Unregister slot", result);
//Register a new key
result = Tspi_Context_RegisterKey(hcontext, hkey_ik, TSS_PS_TYPE_SYSTEM, uuid_ik, TSS_PS_TYPE_SYSTEM, uuid_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Resave IK By UUID", result);
}
else throw e;
}
return;
}
~libhis_collateidentityrequest()
{
//clean up ACAK
result = Tspi_Context_CloseObject(hcontext, hkey_acak);
if(result != TSS_SUCCESS) throw libhis_exception("Close ACAK", result);
//clean up IK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Close IK Policy", result);
if(binitialized)
{
//clean up IK
result = Tspi_Context_CloseObject(hcontext, hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Close IK", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_ik,
hkey_acak,
hkey_unregister;
TSS_HPOLICY hpolicy_tpm,
hpolicy_srk,
hpolicy_ik;
TSS_UUID uuid_ik;
UINT32 init_ik,
init_ik_size,
init_ik_type,
init_ik_authorized,
init_ik_migratable,
init_ik_volatile;
bool binitialized;
};
#endif

70
tpm_module/libhis_createek.hpp
View File

@ -1,70 +0,0 @@
#ifndef libhis_createek_hpp
#define libhis_createek_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_createek
{
public:
libhis_createek()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create EK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Create EK object handle", result);
}
void createek(
unsigned char *nonce)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//TSS requires external data to be set for EK creation
validation.ulExternalDataLength = 20;
validation.rgbExternalData = nonce;
//create EK
result = Tspi_TPM_CreateEndorsementKey(htpm, hkey_ek, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result);
}
~libhis_createek()
{
//clean up EK object
result = Tspi_Context_CloseObject(hcontext, hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Close EK object handle", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_ek;
TSS_VALIDATION validation;
};
#endif

317
tpm_module/libhis_createkey.hpp
View File

@ -1,317 +0,0 @@
#ifndef libhis_createkey_hpp
#define libhis_createkey_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_createkey
{
public:
libhis_createkey()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
init_key_scheme = 0;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
}
void initsign(unsigned int in_size, unsigned int in_scheme)
{
//set the type
init_key_type = TSS_KEY_TYPE_SIGNING;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//set the signature scheme
if(in_scheme == 0)
init_key_scheme = TSS_SS_RSASSAPKCS1V15_SHA1;
else if(in_scheme == 1)
init_key_scheme = TSS_SS_RSASSAPKCS1V15_DER;
else
init_key_scheme = TSS_SS_NONE;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
//Set the signature scheme
result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME, init_key_scheme);
if(result != TSS_SUCCESS) throw libhis_exception("Set signature scheme", result);
binitialized = true;
}
void initbind(unsigned int in_size, unsigned int in_scheme)
{
//set the type
init_key_type = TSS_KEY_TYPE_BIND;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//set the encryption scheme
if(in_scheme == 0)
init_key_scheme = TSS_ES_RSAESPKCSV15;
else if(in_scheme == 1)
init_key_scheme = TSS_ES_RSAESOAEP_SHA1_MGF1;
else if(in_scheme == 2)
init_key_scheme = TSS_ES_SYM_CNT;
else if(in_scheme == 3)
init_key_scheme = TSS_ES_SYM_OFB;
else if(in_scheme == 4)
init_key_scheme = TSS_ES_SYM_CBC_PKCS5PAD;
else
init_key_scheme = TSS_ES_NONE;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
//Set the encryption scheme
result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME, init_key_scheme);
if(result != TSS_SUCCESS) throw libhis_exception("Set encryption scheme", result);
binitialized = true;
}
void initstorage(unsigned int in_size, unsigned int in_location)
{
//set the type
init_key_type = TSS_KEY_TYPE_STORAGE;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//set the encryption scheme
if(in_location == 0)
init_key_location = TSS_PS_TYPE_SYSTEM;
else
init_key_location = TSS_PS_TYPE_USER;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile | init_key_location;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void createkey(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *uuid_key_value,
bool uuid_overwrite)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//create the key
result = Tspi_Key_CreateKey(hkey_key, hkey_srk, 0);
//Unwrap the newly generated key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
try
{
//save key
result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Save key By UUID", result);
}
catch(libhis_exception &e)
{
if(uuid_overwrite)
{
//Unregister the existing key
result = Tspi_Context_UnregisterKey(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_unregister);
if(result != TSS_SUCCESS) throw libhis_exception("Unregister slot", result);
//Register a new key
result = Tspi_Context_RegisterKey(hcontext, hkey_key, TSS_PS_TYPE_SYSTEM, uuid_key, TSS_PS_TYPE_SYSTEM, uuid_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Resave key By UUID", result);
}
else throw e;
}
return;
}
~libhis_createkey()
{
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key,
hkey_unregister;
TSS_HPOLICY hpolicy_srk,
hpolicy_key;
TSS_UUID uuid_key;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile,
init_key_scheme,
init_key_location;
bool binitialized;
};
#endif

41
tpm_module/libhis_errors.txt
View File

@ -1,41 +0,0 @@
< 200 TPM ERROR CODE
> 12000 TSS ERROR CODE
TPM_MODULE ERROR CODES
-------------------------
290 can't open log file
300 invalid mode argument
310 hex to bin invalid length
311 hex to bin character validation error
312 hex to bin character validation error
320 new auth argument missing
321 tpm auth argument missing
322 srk auth argument missing
323 ik auth argument missing
324 sign auth argument missing
325 bind auth argument missing
326 stor auth argument missing
327 enc auth argument missing
328 key auth argument missing
330 nonce argument missing
340 uuid argument missing
350 pcrs argument missing
360 key type argument missing
361 key type argument invalid
370 key length argument missing
380 key scheme argument missing
381 signing scheme invalid
382 binding scheme invalid
390 nvram index missing
391 nvram index invalid
400 help argument set
410 mode-specific argument missing
411 mode-specific argument missing
412 mode-specific argument missing
420 uuid validation failure
421 uuid validation failure
422 uuid validation failure
423 uuid validation failure
424 uuid validation failure
425 uuid validation failure
430 mask validation failure

47
tpm_module/libhis_exception.hpp
View File

@ -1,47 +0,0 @@
#ifndef libhis_exception_hpp
#define libhis_exception_hpp
#ifdef WINDOWS
#include <exception>
using namespace std;
class libhis_exception : public exception
{
public:
libhis_exception(const char *message, int value) : exception(message)
{
result = value;
}
int result;
};
#endif
#ifdef LINUX
#include <exception>
#include <string>
using namespace std;
class libhis_exception
{
public:
libhis_exception(string inmessage, int value)
{
message = inmessage;
result = value;
}
~libhis_exception() {}
string what()
{
return message;
}
int result;
string message;
};
#endif
#endif

101
tpm_module/libhis_extendpcr.hpp
View File

@ -1,101 +0,0 @@
#ifndef libhis_extendpcr_hpp
#define libhis_extendpcr_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_extendpcr
{
public:
libhis_extendpcr()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
}
void extendpcr(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned long pcr_index,
unsigned char *hash,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//extend PCR value
UINT32 size;
BYTE *value;
result = Tspi_TPM_PcrExtend(htpm, pcr_index, 20, hash, 0, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Extend PCR", result);
//convert memory
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_value[i] = value[i];
//free dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Free dynamic memory", result);
return;
}
~libhis_extendpcr()
{
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPOLICY hpolicy_tpm;
};
#endif

292
tpm_module/libhis_getkeyblob.hpp
View File

@ -1,292 +0,0 @@
#ifndef libhis_getkeyblob_hpp
#define libhis_getkeyblob_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_getkeyblob
{
public:
libhis_getkeyblob()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Context", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
}
void initidentity()
{
//set the type
init_key_type = TSS_KEY_TYPE_IDENTITY;
//set the key size
init_key_size = TSS_KEY_SIZE_DEFAULT;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initsign(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_SIGNING;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initbind(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_BIND;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initstorage(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_STORAGE;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void getkeyblob(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *uuid_key_value,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//Unwrap the key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//get the keyblob
UINT32 size;
BYTE *value;
result = Tspi_GetAttribData(hkey_key, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_BLOB, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Get keyblob", result);
//copy out the results
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_value[i] = value[i];
//clean up dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Cleanup dynamic memory", result);
return;
}
~libhis_getkeyblob()
{
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key;
TSS_HPOLICY hpolicy_srk,
hpolicy_key;
TSS_UUID uuid_key;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile;
bool binitialized;
};
#endif

439
tpm_module/libhis_getkeymodulus.hpp
View File

@ -1,439 +0,0 @@
#ifndef libhis_getkeymodulus_hpp
#define libhis_getkeymodulus_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_getkeymodulus
{
public:
libhis_getkeymodulus()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create EK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
}
void initidentity()
{
//set the type
init_key_type = TSS_KEY_TYPE_IDENTITY;
//set the key size
init_key_size = TSS_KEY_SIZE_DEFAULT;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initsign(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_SIGNING;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initbind(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_BIND;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
void initstorage(unsigned int in_size)
{
//set the type
init_key_type = TSS_KEY_TYPE_STORAGE;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
binitialized = true;
}
/*
* @Deprecated
*/
void getpubsrk(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//set up key container
UINT32 mod_size;
BYTE *mod_value;
//get the public EK
result = Tspi_TPM_OwnerGetSRKPubKey(htpm, &mod_size, &mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public SRK", result);
//copy out the SRK modulus
output_size = mod_size;
output_value = new unsigned char[mod_size];
for(unsigned long i = 0; i < mod_size; i++)
output_value[i] = mod_value[i];
//clean up SRK modulus
result = Tspi_Context_FreeMemory(hcontext, mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result);
}
/*
* @Deprecated
*/
void getpubek(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *nonce,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//assign the TPM auth to the EK
result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to EK", result);
//set up nonce
validation.ulExternalDataLength = 20;
validation.rgbExternalData = nonce;
try
{
//get the public EK
result = Tspi_TPM_GetPubEndorsementKey(htpm, true, &validation, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result);
}
catch(libhis_exception &e)
{
//get the public EK the Atmel TPM in an Ultrabook way
result = Tspi_TPM_GetPubEndorsementKey(htpm, false, &validation, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result);
//let a second exception make its way upward (should be same error code)
}
//get the modulus
UINT32 mod_size;
BYTE *mod_value;
result = Tspi_GetAttribData(hkey_ek, TSS_TSPATTRIB_RSAKEY_INFO, TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &mod_size, &mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Get EK Blob", result);
//copy out the EK modulus
output_size = mod_size;
output_value = new unsigned char[mod_size];
for(unsigned long i = 0; i < mod_size; i++)
output_value[i] = mod_value[i];
//clean up ek modulus
result = Tspi_Context_FreeMemory(hcontext, mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result);
}
void getkeymodulus(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *uuid_key_value,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//Unwrap the key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//get the keyblob
UINT32 size;
BYTE *value;
result = Tspi_GetAttribData(hkey_key, TSS_TSPATTRIB_RSAKEY_INFO, TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Get modulus", result);
//copy out the results
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_value[i] = value[i];
//clean up dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Cleanup dynamic memory", result);
return;
}
~libhis_getkeymodulus()
{
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//clean up EK object
result = Tspi_Context_CloseObject(hcontext, hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Close EK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_ek,
hkey_srk,
hkey_key,
hkey_unregister;
TSS_HPOLICY hpolicy_tpm,
hpolicy_srk,
hpolicy_key;
TSS_VALIDATION validation;
TSS_UUID uuid_key;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile;
bool binitialized;
};
#endif

182
tpm_module/libhis_getnvdata.hpp
View File

@ -1,182 +0,0 @@
#ifndef libhis_getnvdata_hpp
#define libhis_getnvdata_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include <trousers/trousers.h>
class libhis_getnvdata
{
public:
libhis_getnvdata()
{
//set defaults
nvstore_index = 0;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create NVSTore object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_NV, 0, &hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Create NVStore object", result);
}
void getnvdata(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned long nv_index,
unsigned char *&nv_value,
unsigned long &nv_size)
{
//set up the index value
bool nv_platform = false;
if(nv_index == 0)
nvstore_index = TPM_NV_INDEX_EKCert;
else if(nv_index == 1)
nvstore_index = TPM_NV_INDEX_TPM_CC;
else if(nv_index == 2) {
nvstore_index = TPM_NV_INDEX_PlatformCert;
nv_platform = true;
}
else if(nv_index == 3) {
nvstore_index = TPM_NV_INDEX_Platform_CC;
nv_platform = true;
}
else
nvstore_index = nv_index;
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
// Check if the NV area is locked. Must be performed after TPM AUTH.
TSS_BOOL nvLocked;
result = Tspi_TPM_GetStatus(htpm, TSS_TPMSTATUS_NV_LOCK, &nvLocked);
if (result != TSS_SUCCESS) throw libhis_exception("Check TPM NV Lock", result);
// If locked, set the bit in the index to retrieve the requested data. else, unset that bit.
nvstore_index = ((nvLocked == TRUE) && !nv_platform) ? nvstore_index + TSS_NV_DEFINED : nvstore_index & ~TSS_NV_DEFINED;
//assign the TPM auth to the NVStore
result = Tspi_Policy_AssignToObject(hpolicy_tpm, hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to NVStore", result);
//force NVData to be readable by the owner only
result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_PERMISSIONS, 0, TPM_NV_PER_OWNERREAD | TPM_NV_PER_OWNERWRITE);
if(result != TSS_SUCCESS) throw libhis_exception("Requier owner auth on NVStore read/write", result);
//set the read address
result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_INDEX, 0, nvstore_index);
if(result != TSS_SUCCESS) throw libhis_exception("Set NVStore index", result);
//get the size
UINT32 size = 0;
BYTE *value = 0;
#ifdef WINDOWS
//read the size of the data at the index
result = Tspi_GetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_DATASIZE, 0, &size);
if(result != TSS_SUCCESS) throw libhis_exception("WINDOWS: Get size of NVStore object", result);
#endif
#ifdef LINUX
UINT32 ulResultLen; // stores the length of the data returned by GetCapability
// Retrieves a TPM_NV_DATA_PUBLIC structure that indicates the values for the specified NV area.
// The NV area is identified by the nvstore_index.
result = Tspi_TPM_GetCapability(htpm, TSS_TPMCAP_NV_INDEX, sizeof(UINT32),
(BYTE *)&nvstore_index, &ulResultLen, &value);
if(result == TSS_SUCCESS) {
UINT64 off = 0;
// value which is a BYTE* must be converted into its TSS Data Structure
TPM_NV_DATA_PUBLIC *nvDataPublicStruct = new TPM_NV_DATA_PUBLIC();
// Trousers converts the data blob into the struct
result = Trspi_UnloadBlob_NV_DATA_PUBLIC(&off, value, nvDataPublicStruct);
if(result != TSS_SUCCESS) {
delete nvDataPublicStruct;
throw libhis_exception("LINUX: Problems converting data blob to NV Public Data object", result);
}
// Save off the size of the data stored in the NV area.
size = nvDataPublicStruct->dataSize;
// Free the memory.
delete nvDataPublicStruct;
}
#endif
if(size > 0) {
//read the nvdata
result = Tspi_NV_ReadValue(hnvstore, 0, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Read NVStore space", result);
//copy out the values
nv_size = size;
nv_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
nv_value[i] = value[i];
}
//cleanup
result = Tspi_Context_FreeMemory(hcontext, value);
// I'm not sure if this error message is useful. But it was stopping the process unnecessarily.
//if(result != TSS_SUCCESS) throw libhis_exception("Clean memory", result);
}
~libhis_getnvdata()
{
//clean up NVStoer
result = Tspi_Context_CloseObject(hcontext, hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Close NVStore object", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPOLICY hpolicy_tpm;
TSS_HNVSTORE hnvstore;
UINT32 nvstore_index;
};
#endif

106
tpm_module/libhis_getpcr.hpp
View File

@ -1,106 +0,0 @@
#ifndef libhis_getpcr_hpp
#define libhis_getpcr_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_getpcr
{
public:
libhis_getpcr()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create PCRS object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_SHORT, &hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result);
}
void getpcr(
unsigned char *mask,
unsigned char *&output_pcrs_value,
unsigned long &output_pcrs_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up mask
bool bitmask[24];
for(short i = 0; i < 24; i++)
bitmask[i] = 0;
masktobitmask(mask, bitmask);
//prepare the PCR output array
short counter = 0;
for(short i = 0; i < 24; i++)
if(bitmask[i]) counter++;
output_pcrs_size = counter * 20;
output_pcrs_value = new unsigned char[counter * 20];
//collect the PCR values
UINT32 temp_size;
BYTE *temp_value;
counter = 0;
for(unsigned long i = 0; i < 24; i++)
{
if(bitmask[i])
{
result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result);
result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result);
result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
for(unsigned long j = 0; j < 20; j++)
output_pcrs_value[counter * 20 + j] = temp_value[j];
counter++;
result = Tspi_Context_FreeMemory(hcontext, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result);
}
}
return;
}
~libhis_getpcr()
{
//clean up PCRS
result = Tspi_Context_CloseObject(hcontext, hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPCRS hpcrs;
};
#endif

166
tpm_module/libhis_getpubkey.hpp
View File

@ -1,166 +0,0 @@
#ifndef libhis_getpubkey_hpp
#define libhis_getpubkey_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_getpubkey
{
public:
libhis_getpubkey()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create EK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
}
void getpubek(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *nonce,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//assign the TPM auth to the EK
result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to EK", result);
//set up nonce
validation.ulExternalDataLength = 20;
validation.rgbExternalData = nonce;
try
{
//get the public EK
result = Tspi_TPM_GetPubEndorsementKey(htpm, true, &validation, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result);
}
catch(libhis_exception &e)
{
//get the public EK the Atmel TPM in an Ultrabook way
result = Tspi_TPM_GetPubEndorsementKey(htpm, false, &validation, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result);
//let a second exception make its way upward (should be same error code)
}
//get the modulus
UINT32 mod_size;
BYTE *mod_value;
result = Tspi_GetAttribData(hkey_ek, TSS_TSPATTRIB_RSAKEY_INFO, TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &mod_size, &mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Get EK Blob", result);
//copy out the EK modulus
output_size = mod_size;
output_value = new unsigned char[mod_size];
for(unsigned long i = 0; i < mod_size; i++)
output_value[i] = mod_value[i];
//clean up ek modulus
result = Tspi_Context_FreeMemory(hcontext, mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result);
}
void getpubsrk(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//set up key container
UINT32 mod_size;
BYTE *mod_value;
//get the public EK
result = Tspi_TPM_OwnerGetSRKPubKey(htpm, &mod_size, &mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public SRK", result);
//copy out the SRK modulus
output_size = mod_size;
output_value = new unsigned char[mod_size];
for(unsigned long i = 0; i < mod_size; i++)
output_value[i] = mod_value[i];
//clean up SRK modulus
result = Tspi_Context_FreeMemory(hcontext, mod_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up modulus data", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_ek;
TSS_HPOLICY hpolicy_tpm;
TSS_VALIDATION validation;
};
#endif

71
tpm_module/libhis_getrandombytes.hpp
View File

@ -1,71 +0,0 @@
#ifndef libhis_getrandombytes_hpp
#define libhis_getrandombytes_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_getrandombytes
{
public:
libhis_getrandombytes()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
}
void getrandombytes(
unsigned long bytes_size,
unsigned char *&output_value)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//get random bytes
BYTE *bytes_value;
result = Tspi_TPM_GetRandom(htpm, bytes_size, &bytes_value);
if(result != TSS_SUCCESS) throw libhis_exception("Get Random Bytes", result);
//copy C-style output into C++ format
output_value = new unsigned char[bytes_size];
for(unsigned long i = 0; i < bytes_size; i++)
{
output_value[i] = bytes_value[i];
}
//clean up random bytes
result = Tspi_Context_FreeMemory(hcontext, bytes_value);
if(result != TSS_SUCCESS) throw libhis_exception("Cleanup bytes", result);
return;
}
~libhis_getrandombytes()
{
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
};
#endif

436
tpm_module/libhis_quote.hpp
View File

@ -1,436 +0,0 @@
#ifndef libhis_quote_hpp
#define libhis_quote_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_quote
{
public:
libhis_quote()
{
//set default values
init_ik_size = TSS_KEY_SIZE_DEFAULT;
init_ik_type = TSS_KEY_TYPE_IDENTITY;
init_ik_authorized = TSS_KEY_AUTHORIZATION;
init_ik_migratable = TSS_KEY_NOT_MIGRATABLE;
init_ik_volatile = TSS_KEY_VOLATILE;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create IK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Create IK Policy", result);
}
void init(bool bshort)
{
if(bshort)
{
//Create PCRS object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_SHORT, &hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result);
}
else
{
//Create PCRS object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO, &hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result);
}
//combine the init flags
init_ik = init_ik_size | init_ik_type | init_ik_authorized | init_ik_migratable | init_ik_volatile;
//Create IK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_ik, &hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Create IK", result);
binitialized = true;
}
void quote(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_ik_value,
unsigned long auth_ik_size,
bool auth_ik_sha1,
unsigned char *nonce,
unsigned char *uuid_ik_value,
unsigned char *mask,
unsigned char *&output_pcrs_value,
unsigned long &output_pcrs_size,
unsigned char *&output_quote_value,
unsigned long &output_quote_size,
unsigned char *&output_sig_value,
unsigned long &output_sig_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the IK UUID
hextouuid(uuid_ik_value, uuid_ik);
//Get the IK by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Get IK by UUID", result);
//set up IK auth
if(auth_ik_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result);
}
//assign the IK auth
result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result);
//Unwrap the IK
result = Tspi_Key_LoadKey(hkey_ik, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result);
//set up nonce
validation.ulExternalDataLength = 20;
validation.rgbExternalData = nonce;
//set up mask
bool bitmask[24];
for(short i = 0; i < 24; i++)
bitmask[i] = 0;
masktobitmask(mask, bitmask);
//prepare the PCR output array
short counter = 0;
for(short i = 0; i < 24; i++)
if(bitmask[i]) counter++;
output_pcrs_size = counter * 20;
output_pcrs_value = new unsigned char[counter * 20];
//collect the PCR values
UINT32 temp_size;
BYTE *temp_value;
counter = 0;
for(unsigned long i = 0; i < 24; i++)
{
if(bitmask[i])
{
result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result);
result = Tspi_PcrComposite_SelectPcrIndex(hpcrs, i);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result);
result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
for(unsigned long j = 0; j < 20; j++)
output_pcrs_value[counter * 20 + j] = temp_value[j];
counter++;
result = Tspi_Context_FreeMemory(hcontext, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result);
}
}
//quote
result = Tspi_TPM_Quote(htpm, hkey_ik, hpcrs, &validation);
if(result != TSS_SUCCESS) throw libhis_exception("Quote", result);
//copy values
output_quote_size = validation.ulDataLength;
output_quote_value = new unsigned char[validation.ulDataLength];
for(unsigned long i = 0; i < validation.ulDataLength; i++)
output_quote_value[i] = validation.rgbData[i];
result = Tspi_Context_FreeMemory(hcontext, validation.rgbData);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up digest", result);
output_sig_size = validation.ulValidationDataLength;
output_sig_value = new unsigned char [validation.ulValidationDataLength];
for(unsigned long i = 0; i < validation.ulValidationDataLength; i++)
output_sig_value[i] = validation.rgbValidationData[i];
result = Tspi_Context_FreeMemory(hcontext, validation.rgbValidationData);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up signature", result);
return;
}
void quote2(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_ik_value,
unsigned long auth_ik_size,
bool auth_ik_sha1,
unsigned char *nonce,
unsigned char *uuid_ik_value,
unsigned char *mask,
unsigned char *&output_pcrs_value,
unsigned long &output_pcrs_size,
unsigned char *&output_quote_value,
unsigned long &output_quote_size,
unsigned char *&output_sig_value,
unsigned long &output_sig_size,
bool bCapVersion)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the IK UUID
hextouuid(uuid_ik_value, uuid_ik);
//Get the IK by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_ik, &hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Get IK by UUID", result);
//set up IK auth
if(auth_ik_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_SHA1, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_ik, TSS_SECRET_MODE_PLAIN, auth_ik_size, auth_ik_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set IK Secret Plain", result);
}
//assign the IK auth
result = Tspi_Policy_AssignToObject(hpolicy_ik, hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Assign IK Secret", result);
//Unwrap the IK
result = Tspi_Key_LoadKey(hkey_ik, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap IK", result);
//set up nonce
validation.ulExternalDataLength = 20;
validation.rgbExternalData = nonce;
//set up mask
bool bitmask[24];
for(short i = 0; i < 24; i++)
bitmask[i] = 0;
masktobitmask(mask, bitmask);
//prepare the PCR output array
short counter = 0;
for(short i = 0; i < 24; i++)
if(bitmask[i]) counter++;
output_pcrs_size = counter * 20;
output_pcrs_value = new unsigned char[counter * 20];
//collect the PCR values
UINT32 temp_size;
BYTE *temp_value;
counter = 0;
for(unsigned long i = 0; i < 24; i++)
{
if(bitmask[i])
{
result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result);
result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index", result);
result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
for(unsigned long j = 0; j < 20; j++)
output_pcrs_value[counter * 20 + j] = temp_value[j];
counter++;
result = Tspi_Context_FreeMemory(hcontext, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result);
}
}
//quote2
BYTE* version_value;
UINT32 version_size;
//read PCR 10 again right before collecting the quote
if(bitmask[10])
{
//reread PCR 10
result = Tspi_TPM_PcrRead(htpm, 10, &temp_size, &temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result);
//read quote2
result = Tspi_TPM_Quote2(htpm, hkey_ik, bCapVersion, hpcrs, &validation, &version_size, &version_value);
if(result != TSS_SUCCESS) throw libhis_exception("Quote2", result);
//set value of PCR 10 in the PCR Composite
result = Tspi_PcrComposite_SetPcrValue(hpcrs, 10, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
for(unsigned long j = 0; j < 20; j++)
output_pcrs_value[10 * 20 + j] = temp_value[j];
result = Tspi_Context_FreeMemory(hcontext, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result);
} else {
//read quote2 without rereading PCR 10
result = Tspi_TPM_Quote2(htpm, hkey_ik, bCapVersion, hpcrs, &validation, &version_size, &version_value);
if(result != TSS_SUCCESS) throw libhis_exception("Quote2", result);
}
//copy values
output_quote_size = validation.ulDataLength;
output_quote_value = new unsigned char[validation.ulDataLength];
for(unsigned long i = 0; i < validation.ulDataLength; i++)
output_quote_value[i] = validation.rgbData[i];
result = Tspi_Context_FreeMemory(hcontext, validation.rgbData);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up digest", result);
output_sig_size = validation.ulValidationDataLength;
output_sig_value = new unsigned char [validation.ulValidationDataLength];
for(unsigned long i = 0; i < validation.ulValidationDataLength; i++)
output_sig_value[i] = validation.rgbValidationData[i];
result = Tspi_Context_FreeMemory(hcontext, validation.rgbValidationData);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up signature", result);
result = Tspi_Context_FreeMemory(hcontext, version_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up version info", result);
return;
}
~libhis_quote()
{
//clean up IK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Close IK Policy", result);
if(binitialized)
{
//clean up PCRS
result = Tspi_Context_CloseObject(hcontext, hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result);
//clean up IK
result = Tspi_Context_CloseObject(hcontext, hkey_ik);
if(result != TSS_SUCCESS) throw libhis_exception("Close IK", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_ik;
TSS_HPOLICY hpolicy_srk,
hpolicy_ik;
TSS_NONCE nonce;
TSS_VALIDATION validation;
TSS_UUID uuid_ik;
TSS_HPCRS hpcrs;
UINT32 init_ik,
init_ik_size,
init_ik_type,
init_ik_authorized,
init_ik_migratable,
init_ik_volatile;
bool binitialized;
};
#endif

347
tpm_module/libhis_seal.hpp
View File

@ -1,347 +0,0 @@
#ifndef libhis_seal_hpp
#define libhis_seal_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_seal
{
public:
libhis_seal()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create PCRS object
#ifdef WINDOWS
//Windows and NTru are capable of unsealing all PCRS structures so use 1.2 LONG for full 24 PCR support
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO_LONG, &hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result);
#endif
#ifdef LINUX
//Linux and Trousers CANNOT unseal 1.2 LONG or SHORT PCRS structures so use the legacy 1.1 structure with 16 PCR limit
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_PCRS, TSS_PCRS_STRUCT_INFO, &hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Create PCRS", result);
#endif
//Create ENCData object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL, &hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result);
//Create ENCData policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result);
}
void seal(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_enc_value,
unsigned long auth_enc_size,
bool auth_enc_sha1,
unsigned char *mask,
unsigned char *payload_value,
unsigned long payload_size,
unsigned char *&output_enc_value,
unsigned long &output_enc_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//set up ENCData auth
if(auth_enc_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result);
}
//assign the ENCData auth
result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result);
//set up mask
bool bitmask[24];
for(short i = 0; i < 24; i++)
bitmask[i] = 0;
masktobitmask(mask, bitmask);
//collect the PCR values
UINT32 temp_size;
BYTE *temp_value;
#ifdef WINDOWS
for(unsigned long i = 0; i < 24; i++) //all PCRs available in SHORT or LONG
#endif
#ifdef LINUX
for(unsigned long i = 0; i < 16; i++) //we cannot use all PCRs in Linux mode due to legacy PCRS structure
#endif
{
if(bitmask[i])
{
result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result);
//don't do this for regular seal because creation PCRs are meaningless in this context
//result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_CREATION);
//if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at creation", result);
#ifdef WINDOWS
//use EX functions because we are PCRS LONG
result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at release", result);
#endif
#ifdef LINUX
//cannot use EX functions
result = Tspi_PcrComposite_SelectPcrIndex(hpcrs, i);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index legacy mode", result);
#endif
result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
result = Tspi_Context_FreeMemory(hcontext, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result);
}
}
//Seal data
result = Tspi_Data_Seal(hencdata, hkey_srk, payload_size, payload_value, hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Seal data", result);
//Get the sealed data blob
BYTE *value;
UINT32 size;
result = Tspi_GetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Get sealed data blob", result);
//copy over memory
output_enc_size = size;
output_enc_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_enc_value[i] = value[i];
//clean up dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result);
return;
}
void seal2(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_enc_value,
unsigned long auth_enc_size,
bool auth_enc_sha1,
unsigned char *mask,
unsigned char *payload_value,
unsigned long payload_size,
unsigned char *release_value,
unsigned long release_size,
unsigned char *&output_enc_value,
unsigned long &output_enc_size)
{
#ifdef LINUX
//don't even let the users do seal2 because TSS_PCRS_STRUCT_INFO_LONG does not work for unsealing in Linux
if(result != TSS_SUCCESS) throw libhis_exception("Command disabled in Linux due to TSS_PCRS_STRUCT_INFO_LONG unseal defect", TPM_E_DISABLED_CMD);
#endif
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//set up ENCData auth
if(auth_enc_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result);
}
//assign the ENCData auth
result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result);
//set up mask
bool bitmask[24];
for(short i = 0; i < 24; i++)
bitmask[i] = 0;
masktobitmask(mask, bitmask);
//collect the PCR values
UINT32 temp_size;
BYTE *temp_value;
short counter = 0;
for(unsigned long i = 0; i < 24; i++)
{
if(bitmask[i])
{
//set the creation value
result = Tspi_TPM_PcrRead(htpm, i, &temp_size, &temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("PCR value read", result);
result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_CREATION);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at creation", result);
result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
result = Tspi_Context_FreeMemory(hcontext, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear temporary memory", result);
//set the release value
temp_value = new unsigned char[20];
for(short j = 0; j < 20; j++)
temp_value[j] = release_value[j + counter * 20];
result = Tspi_PcrComposite_SelectPcrIndexEx(hpcrs, i, TSS_PCRS_DIRECTION_RELEASE);
if(result != TSS_SUCCESS) throw libhis_exception("Set PCR composite index at release", result);
result = Tspi_PcrComposite_SetPcrValue(hpcrs, i, temp_size, temp_value);
if(result != TSS_SUCCESS) throw libhis_exception("Store PCR value in composite", result);
delete [] temp_value;
}
}
//Seal data
result = Tspi_Data_Seal(hencdata, hkey_srk, payload_size, payload_value, hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Seal data", result);
//Get the sealed data blob
BYTE *value;
UINT32 size;
result = Tspi_GetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Get sealed data blob", result);
//copy over memory
output_enc_size = size;
output_enc_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_enc_value[i] = value[i];
//clean up dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result);
return;
}
~libhis_seal()
{
//clean up ENCData policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result);
//Clean up ENCData
result = Tspi_Context_CloseObject(hcontext, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result);
//clean up PCRS
result = Tspi_Context_CloseObject(hcontext, hpcrs);
if(result != TSS_SUCCESS) throw libhis_exception("Close PCRS", result);
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk;
TSS_HPOLICY hpolicy_srk,
hpolicy_enc;
TSS_HPCRS hpcrs;
TSS_HENCDATA hencdata;
};
#endif

131
tpm_module/libhis_setnvdata.hpp
View File

@ -1,131 +0,0 @@
#ifndef libhis_setnvdata_hpp
#define libhis_setnvdata_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_setnvdata
{
public:
libhis_setnvdata()
{
//set defaults
nvstore_index = 0;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create NVSTore object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_NV, 0, &hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Create NVStore object", result);
}
void setnvdata(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned long nv_index,
unsigned char *nv_value,
unsigned long nv_size)
{
//set up the index value
if(nv_index == 0)
nvstore_index = TPM_NV_INDEX_EKCert;
else if(nv_index == 1)
nvstore_index = TPM_NV_INDEX_TPM_CC;
else if(nv_index == 2)
nvstore_index = TPM_NV_INDEX_PlatformCert;
else if(nv_index == 3)
nvstore_index = TPM_NV_INDEX_Platform_CC;
else
nvstore_index = nv_index;
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//assign the TPM auth to the NVStore
result = Tspi_Policy_AssignToObject(hpolicy_tpm, hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to NVStore", result);
//set the write address
result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_INDEX, 0, nvstore_index);
if(result != TSS_SUCCESS) throw libhis_exception("Set NVStore index", result);
//force NVData to be readable by the owner only
result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_PERMISSIONS, 0, TPM_NV_PER_OWNERREAD | TPM_NV_PER_OWNERWRITE);
if(result != TSS_SUCCESS) throw libhis_exception("Require owner auth on NVStore read/write", result);
//set the size
result = Tspi_SetAttribUint32(hnvstore, TSS_TSPATTRIB_NV_DATASIZE, 0, nv_size);
if(result != TSS_SUCCESS) throw libhis_exception("Set size of NVStore object", result);
//define the space we need
result = Tspi_NV_DefineSpace(hnvstore, 0, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Define NVStore space", result);
//write the value using the weird way the TSS does it
result = Tspi_NV_WriteValue(hnvstore, 0, nv_size, nv_value);
if(result != TSS_SUCCESS) throw libhis_exception("Write NVData", result);
}
~libhis_setnvdata()
{
//clean up NVStoer
result = Tspi_Context_CloseObject(hcontext, hnvstore);
if(result != TSS_SUCCESS) throw libhis_exception("Close NVStore object", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HPOLICY hpolicy_tpm;
TSS_HNVSTORE hnvstore;
UINT32 nvstore_index;
};
#endif

236
tpm_module/libhis_sign.hpp
View File

@ -1,236 +0,0 @@
#ifndef libhis_sign_hpp
#define libhis_sign_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_sign
{
public:
libhis_sign()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
init_key_scheme = 0;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
//create hash object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_HASH, TSS_HASH_SHA1, &hhash);
if(result != TSS_SUCCESS) throw libhis_exception("Create hash object", result);
}
void initsign(unsigned int in_size, unsigned int in_scheme)
{
//set the type
init_key_type = TSS_KEY_TYPE_SIGNING;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//set the signature scheme
if(in_scheme == 0)
init_key_scheme = TSS_SS_RSASSAPKCS1V15_SHA1;
else if(in_scheme == 1)
init_key_scheme = TSS_SS_RSASSAPKCS1V15_DER;
else
init_key_scheme = TSS_SS_NONE;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
//Set the signature scheme
result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME, init_key_scheme);
if(result != TSS_SUCCESS) throw libhis_exception("Set signature scheme", result);
binitialized = true;
}
void sign(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *uuid_key_value,
unsigned char *hash,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//Unwrap the key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//set hash value
result = Tspi_Hash_UpdateHashValue(hhash, 20, hash);
if(result != TSS_SUCCESS) throw libhis_exception("Set hash value", result);
//sign data
UINT32 size = 0;
BYTE *value = 0;
result = Tspi_Hash_Sign(hhash, hkey_key, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Sign", result);
//copy dynamic values
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_value[i] = value[i];
//cleanup
Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Free memory", result);
}
~libhis_sign()
{
//clean up hash object
result = Tspi_Context_CloseObject(hcontext, hhash);
if(result != TSS_SUCCESS) throw libhis_exception("Close hash object", result);
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key;
TSS_HPOLICY hpolicy_srk,
hpolicy_key;
TSS_UUID uuid_key;
TSS_HHASH hhash;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile,
init_key_scheme;
bool binitialized;
};
#endif

168
tpm_module/libhis_takeownership.hpp
View File

@ -1,168 +0,0 @@
#ifndef libhis_takeownership_hpp
#define libhis_takeownership_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
class libhis_takeownership
{
public:
libhis_takeownership()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create EK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_DEFAULT, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Create EK", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create TPM policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Create TPM Policy", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
}
void takeownership(
unsigned char *auth_tpm_value,
unsigned long auth_tpm_size,
bool auth_tpm_sha1,
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *nonce)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//set up TPM auth
if(auth_tpm_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_SHA1, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_tpm, TSS_SECRET_MODE_PLAIN, auth_tpm_size, auth_tpm_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set TPM Secret Plain", result);
}
//assign the TPM auth to the TPM
result = Tspi_Policy_AssignToObject(hpolicy_tpm, htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to TPM", result);
//assign the TPM auth to the EK
result = Tspi_Policy_AssignToObject(hpolicy_tpm, hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Assign TPM Secret to EK", result);
//set up nonce
validation.ulExternalDataLength = 20;
validation.rgbExternalData = nonce;
try
{
//get the public EK
result = Tspi_TPM_GetPubEndorsementKey(htpm, false, &validation, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result);
}
catch(libhis_exception &e)
{
//get the public EK the Atmel TPM in an Ultrabook way
result = Tspi_TPM_GetPubEndorsementKey(htpm, true, &validation, &hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Get Public EK", result);
//let a second exception make its way upward (rare)
}
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//take ownership of the TPM
result = Tspi_TPM_TakeOwnership(htpm, hkey_srk, hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Take Ownership", result);
//clean up validation data
result = Tspi_Context_FreeMemory(hcontext, validation.rgbData);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up rgbData", result);
result = Tspi_Context_FreeMemory(hcontext, validation.rgbValidationData);
if(result != TSS_SUCCESS) throw libhis_exception("Clean up rgbValidationData", result);
//test the SRK to make sure it actually works (required for NTru because TakeOwnership sometimes doesn't execute RegisterKey for SRK)
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Test the SRK", result);
return;
}
~libhis_takeownership()
{
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up TPM policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_tpm);
if(result != TSS_SUCCESS) throw libhis_exception("Close TPM Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//clean up EK object
result = Tspi_Context_CloseObject(hcontext, hkey_ek);
if(result != TSS_SUCCESS) throw libhis_exception("Close EK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_ek,
hkey_srk;
TSS_HPOLICY hpolicy_tpm,
hpolicy_srk;
TSS_VALIDATION validation;
};
#endif

270
tpm_module/libhis_unbind.hpp
View File

@ -1,270 +0,0 @@
#ifndef libhis_unbind_hpp
#define libhis_unbind_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_unbind
{
public:
libhis_unbind()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
init_key_scheme = 0;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
//Create ENCData object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result);
//Create ENCData policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result);
}
void initbind(unsigned int in_size, unsigned int in_scheme)
{
//set the type
init_key_type = TSS_KEY_TYPE_BIND;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//set the encryption scheme
if(in_scheme == 0)
init_key_scheme = TSS_ES_RSAESPKCSV15;
else if(in_scheme == 1)
init_key_scheme = TSS_ES_RSAESOAEP_SHA1_MGF1;
else if(in_scheme == 2)
init_key_scheme = TSS_ES_SYM_CNT;
else if(in_scheme == 3)
init_key_scheme = TSS_ES_SYM_OFB;
else if(in_scheme == 4)
init_key_scheme = TSS_ES_SYM_CBC_PKCS5PAD;
else
init_key_scheme = TSS_ES_NONE;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
//Set the encryption scheme
result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME, init_key_scheme);
if(result != TSS_SUCCESS) throw libhis_exception("Set encryption scheme", result);
binitialized = true;
}
void unbind(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *auth_enc_value,
unsigned long auth_enc_size,
bool auth_enc_sha1,
unsigned char *uuid_key_value,
unsigned char *payload_value,
unsigned long payload_size,
unsigned char *&output_value,
unsigned long &output_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//Unwrap the key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//install the encrypted data blob into hencdata object
result = Tspi_SetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, payload_size, payload_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set encrypted data blob", result);
//set up ENCData auth
if(auth_enc_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result);
}
//assign the ENCData auth
result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result);
//unseal the data
BYTE *value;
UINT32 size;
result = Tspi_Data_Unbind(hencdata, hkey_key, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Unbind", result);
output_size = size;
output_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_value[i] = value[i];
//clean up dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result);
}
~libhis_unbind()
{
//clean up ENCData policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result);
//Clean up ENCData
result = Tspi_Context_CloseObject(hcontext, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result);
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key;
TSS_HPOLICY hpolicy_srk,
hpolicy_key,
hpolicy_enc;
TSS_UUID uuid_key;
TSS_HENCDATA hencdata;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile,
init_key_scheme;
bool binitialized;
};
#endif

157
tpm_module/libhis_unseal.hpp
View File

@ -1,157 +0,0 @@
#ifndef libhis_unseal_hpp
#define libhis_unseal_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_unseal
{
public:
libhis_unseal()
{
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create ENCData object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL, &hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Object", result);
//Create ENCData policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Create ENCData Policy", result);
}
void unseal(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_enc_value,
unsigned long auth_enc_size,
bool auth_enc_sha1,
unsigned char *payload_value,
unsigned long payload_size,
unsigned char *&output_enc_value,
unsigned long &output_enc_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//install the encrypted data blob into hencdata object
result = Tspi_SetAttribData(hencdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, payload_size, payload_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set encrypted data blob", result);
//set up ENCData auth
if(auth_enc_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_SHA1, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_enc, TSS_SECRET_MODE_PLAIN, auth_enc_size, auth_enc_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set ENCData Secret Plain", result);
}
//assign the ENCData auth
result = Tspi_Policy_AssignToObject(hpolicy_enc, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Assign ENCData Secret", result);
//unseal the data
BYTE *value;
UINT32 size;
result = Tspi_Data_Unseal(hencdata, hkey_srk, &size, &value);
if(result != TSS_SUCCESS) throw libhis_exception("Unseal", result);
output_enc_size = size;
output_enc_value = new unsigned char[size];
for(unsigned long i = 0; i < size; i++)
output_enc_value[i] = value[i];
//clean up dynamic memory
result = Tspi_Context_FreeMemory(hcontext, value);
if(result != TSS_SUCCESS) throw libhis_exception("Clear dynamic memory", result);
return;
}
~libhis_unseal()
{
//clean up ENCData policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_enc);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData Policy", result);
//Clean up ENCData
result = Tspi_Context_CloseObject(hcontext, hencdata);
if(result != TSS_SUCCESS) throw libhis_exception("Close ENCData", result);
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk;
TSS_HPOLICY hpolicy_srk,
hpolicy_enc;
TSS_HPCRS hpcrs;
TSS_HENCDATA hencdata;
};
#endif

367
tpm_module/libhis_utils.hpp
View File

@ -1,367 +0,0 @@
#ifndef libhis_utils_hpp
#define libhis_utils_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
void hextouuid(unsigned char *hex, TSS_UUID &uuid)
{
//process the unsigned long leading the UUID
for(short i = 0; i < 8; i++)
{
if(hex[i] >= 48 && hex[i] <= 57)
hex[i] -= 48;
else if(hex[i] >= 65 && hex[i] <= 70)
hex[i] -= 55;
else if(hex[i] >= 97 && hex[i] <= 102)
hex[i] -= 87;
else
throw libhis_exception("UUID validation failure", 420);
}
uuid.ulTimeLow = hex[0] * 268435456 + hex[1] * 16777216 + hex[2] * 1048576 +
hex[3] * 65536 + hex[4] * 4096 + hex[5] * 256 + hex[6] * 16 + hex[7];
//process the unsigned short for midtime
for(short i = 9; i < 13; i++)
{
if(hex[i] >= 48 && hex[i] <= 57)
hex[i] -= 48;
else if(hex[i] >= 65 && hex[i] <= 70)
hex[i] -= 55;
else if(hex[i] >= 97 && hex[i] <= 102)
hex[i] -= 87;
else
throw libhis_exception("UUID validation failure", 421);
}
uuid.usTimeMid = hex[9] * 4096 + hex[10] * 256 + hex[11] * 16 + hex[12];
//process the unsigned short for hightime
for(short i = 14; i < 18; i++)
{
if(hex[i] >= 48 && hex[i] <= 57)
hex[i] -= 48;
else if(hex[i] >= 65 && hex[i] <= 70)
hex[i] -= 55;
else if(hex[i] >= 97 && hex[i] <= 102)
hex[i] -= 87;
else
throw libhis_exception("UUID validation failure", 422);
}
uuid.usTimeHigh = hex[14] * 4096 + hex[15] * 256 + hex[16] * 16 + hex[17];
//process bClockSeqHigh
for(short i = 19; i < 21; i++)
{
if(hex[i] >= 48 && hex[i] <= 57)
hex[i] -= 48;
else if(hex[i] >= 65 && hex[i] <= 70)
hex[i] -= 55;
else if(hex[i] >= 97 && hex[i] <= 102)
hex[i] -= 87;
else
throw libhis_exception("UUID validation failure", 423);
}
uuid.bClockSeqHigh = hex[19] * 16 + hex[20];
//process bClockSeqLow
for(short i = 21; i < 23; i++)
{
if(hex[i] >= 48 && hex[i] <= 57)
hex[i] -= 48;
else if(hex[i] >= 65 && hex[i] <= 70)
hex[i] -= 55;
else if(hex[i] >= 97 && hex[i] <= 102)
hex[i] -= 87;
else
throw libhis_exception("UUID validation failure", 424);
}
uuid.bClockSeqLow = hex[21] * 16 + hex[22];
//process final 6 byte array
for(short i = 24; i < 36; i++)
{
if(hex[i] >= 48 && hex[i] <= 57)
hex[i] -= 48;
else if(hex[i] >= 65 && hex[i] <= 70)
hex[i] -= 55;
else if(hex[i] >= 97 && hex[i] <= 102)
hex[i] -= 87;
else
throw libhis_exception("UUID validation failure", 425);
}
uuid.rgbNode[0] = hex[24] * 16 + hex[25];
uuid.rgbNode[1] = hex[26] * 16 + hex[27];
uuid.rgbNode[2] = hex[28] * 16 + hex[29];
uuid.rgbNode[3] = hex[30] * 16 + hex[31];
uuid.rgbNode[4] = hex[32] * 16 + hex[33];
uuid.rgbNode[5] = hex[34] * 16 + hex[35];
return;
}
/*
* masktobitmask function that does it the screwed up TCG way
*/
void masktobitmask(unsigned char *mask, bool binarray[24])
{
int sequence[] = {1, 0, 3, 2, 5, 4};
int i;
//convert hex values to binary values while validating
for(short j = 0; j < 6; j++)
{
i = sequence[j];
switch(mask[i])
{
case 48: //0
{
break;
}
case 49: //1
{
binarray[j * 4 + 0] = true;
break;
}
case 50: //2
{
binarray[j * 4 + 1] = true;
break;
}
case 51: //3
{
binarray[j * 4 + 0] = true;
binarray[j * 4 + 1] = true;
break;
}
case 52: //4
{
binarray[j * 4 + 2] = true;
break;
}
case 53: //5
{
binarray[j * 4 + 0] = true;
binarray[j * 4 + 2] = true;
break;
}
case 54: //6
{
binarray[j * 4 + 1] = true;
binarray[j * 4 + 2] = true;
break;
}
case 55: //7
{
binarray[j * 4 + 0] = true;
binarray[j * 4 + 1] = true;
binarray[j * 4 + 2] = true;
break;
}
case 56: //8
{
binarray[j * 4 + 3] = true;
break;
}
case 57: //9
{
binarray[j * 4 + 0] = true;
binarray[j * 4 + 3] = true;
break;
}
case 65: //a
case 97: //A
{
binarray[j * 4 + 1] = true;
binarray[j * 4 + 3] = true;
break;
}
case 66: //b
case 98: //B
{
binarray[j * 4 + 0] = true;
binarray[j * 4 + 1] = true;
binarray[j * 4 + 3] = true;
break;
}
case 67: //c
case 99: //C
{
binarray[j * 4 + 2] = true;
binarray[j * 4 + 3] = true;
break;
}
case 68: //d
case 100: //D
{
binarray[j * 4 + 0] = true;
binarray[j * 4 + 2] = true;
binarray[j * 4 + 3] = true;
break;
}
case 69: //e
case 101: //E
{
binarray[j * 4 + 1] = true;
binarray[j * 4 + 2] = true;
binarray[j * 4 + 3] = true;
break;
}
case 70: //f
case 102: //F
{
binarray[j * 4 + 0] = true;
binarray[j * 4 + 1] = true;
binarray[j * 4 + 2] = true;
binarray[j * 4 + 3] = true;
break;
}
default:
{
throw libhis_exception("Mask validation failure", 430);
}
}
}
return;
}
/*
* Original masktobitmask function.
*/
/*void masktobitmask(unsigned char *mask, bool binarray[24])
{
//convert hex values to binary values while validating
for(short i = 0; i < 6; i++)
{
switch(mask[i])
{
case 48: //0
{
break;
}
case 49: //1
{
binarray[i * 4 + 3] = true;
break;
}
case 50: //2
{
binarray[i * 4 + 2] = true;
break;
}
case 51: //3
{
binarray[i * 4 + 3] = true;
binarray[i * 4 + 2] = true;
break;
}
case 52: //4
{
binarray[i * 4 + 1] = true;
break;
}
case 53: //5
{
binarray[i * 4 + 3] = true;
binarray[i * 4 + 1] = true;
break;
}
case 54: //6
{
binarray[i * 4 + 2] = true;
binarray[i * 4 + 1] = true;
break;
}
case 55: //7
{
binarray[i * 4 + 3] = true;
binarray[i * 4 + 2] = true;
binarray[i * 4 + 1] = true;
break;
}
case 56: //8
{
binarray[i * 4 + 0] = true;
break;
}
case 57: //9
{
binarray[i * 4 + 3] = true;
binarray[i * 4 + 0] = true;
break;
}
case 65: //a
case 97: //A
{
binarray[i * 4 + 2] = true;
binarray[i * 4 + 0] = true;
break;
}
case 66: //b
case 98: //B
{
binarray[i * 4 + 3] = true;
binarray[i * 4 + 2] = true;
binarray[i * 4 + 0] = true;
break;
}
case 67: //c
case 99: //C
{
binarray[i * 4 + 1] = true;
binarray[i * 4 + 0] = true;
break;
}
case 68: //d
case 100: //D
{
binarray[i * 4 + 3] = true;
binarray[i * 4 + 1] = true;
binarray[i * 4 + 0] = true;
break;
}
case 69: //e
case 101: //E
{
binarray[i * 4 + 2] = true;
binarray[i * 4 + 1] = true;
binarray[i * 4 + 0] = true;
break;
}
case 70: //f
case 102: //F
{
binarray[i * 4 + 3] = true;
binarray[i * 4 + 2] = true;
binarray[i * 4 + 1] = true;
binarray[i * 4 + 0] = true;
break;
}
default:
{
throw libhis_exception("Mask validation failure", 1);
}
}
}
return;
}*/
#endif

224
tpm_module/libhis_verifysignature.hpp
View File

@ -1,224 +0,0 @@
#ifndef libhis_verifysignature_hpp
#define libhis_verifysignature_hpp
#ifdef WINDOWS
#include "tspi.h"
#include "tss_error.h"
#include "tss_defines.h"
#endif
#ifdef LINUX
#include <tss/tspi.h>
#include <tss/tss_error.h>
#include <tss/tss_defines.h>
#endif
#include "libhis_exception.hpp"
#include "libhis_utils.hpp"
class libhis_verifysignature
{
public:
libhis_verifysignature()
{
//set default values
init_key_size = TSS_KEY_SIZE_DEFAULT;
init_key_type = TSS_KEY_TYPE_DEFAULT;
init_key_authorized = TSS_KEY_AUTHORIZATION;
init_key_migratable = TSS_KEY_NOT_MIGRATABLE;
init_key_volatile = TSS_KEY_VOLATILE;
init_key_scheme = 0;
binitialized = false;
//create a context object
result = Tspi_Context_Create(&hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Create Conntext", result);
//create an SRK object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_TSP_SRK, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK", result);
//Create SRK policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Create SRK Policy", result);
//Create key policy
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key Policy", result);
//create hash object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_HASH, TSS_HASH_SHA1, &hhash);
if(result != TSS_SUCCESS) throw libhis_exception("Create hash object", result);
}
void initsign(unsigned int in_size, unsigned int in_scheme)
{
//set the type
init_key_type = TSS_KEY_TYPE_SIGNING;
//set the key size
if(in_size == 0)
init_key_size = TSS_KEY_SIZE_DEFAULT;
else if(in_size == 512)
init_key_size = TSS_KEY_SIZE_512;
else if(in_size == 1024)
init_key_size = TSS_KEY_SIZE_1024;
else if(in_size == 2048)
init_key_size = TSS_KEY_SIZE_2048;
else if(in_size == 4096)
init_key_size = TSS_KEY_SIZE_4096;
else if(in_size == 8192)
init_key_size = TSS_KEY_SIZE_8192;
else if(in_size == 16384)
init_key_size = TSS_KEY_SIZE_16384;
else throw libhis_exception("Invalid key size", 400);
//set the signature scheme
if(in_scheme == 0)
init_key_scheme = TSS_SS_RSASSAPKCS1V15_SHA1;
else if(in_scheme == 1)
init_key_scheme = TSS_SS_RSASSAPKCS1V15_DER;
else
init_key_scheme = TSS_SS_NONE;
//combine the init flags
init_key = init_key_size | init_key_type | init_key_authorized | init_key_migratable | init_key_volatile;
//Create key object
result = Tspi_Context_CreateObject(hcontext, TSS_OBJECT_TYPE_RSAKEY, init_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Create key", result);
//Set the signature scheme
result = Tspi_SetAttribUint32(hkey_key, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME, init_key_scheme);
if(result != TSS_SUCCESS) throw libhis_exception("Set signature scheme", result);
binitialized = true;
}
void verifysignature(
unsigned char *auth_srk_value,
unsigned long auth_srk_size,
bool auth_srk_sha1,
unsigned char *auth_key_value,
unsigned long auth_key_size,
bool auth_key_sha1,
unsigned char *uuid_key_value,
unsigned char *hash,
unsigned char *signature_value,
unsigned long signature_size)
{
//establish a session
result = Tspi_Context_Connect(hcontext, 0);
if(result != TSS_SUCCESS) throw libhis_exception("Connect Context", result);
//get the TPM object
result = Tspi_Context_GetTpmObject(hcontext, &htpm);
if(result != TSS_SUCCESS) throw libhis_exception("Get TPM Object", result);
//load the SRK
TSS_UUID uuid_srk = TSS_UUID_SRK;
result = Tspi_Context_LoadKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_srk, &hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Load SRK", result);
//set up SRK auth
if(auth_srk_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_SHA1, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_srk, TSS_SECRET_MODE_PLAIN, auth_srk_size, auth_srk_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set SRK Secret Plain", result);
}
//assign the SRK auth
result = Tspi_Policy_AssignToObject(hpolicy_srk, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Assign SRK Secret", result);
//Set up the key UUID
hextouuid(uuid_key_value, uuid_key);
//Get the key by UUID
result = Tspi_Context_GetKeyByUUID(hcontext, TSS_PS_TYPE_SYSTEM, uuid_key, &hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Get key by UUID", result);
//set up key auth
if(auth_key_sha1)
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_SHA1, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret SHA1", result);
}
else
{
result = Tspi_Policy_SetSecret(hpolicy_key, TSS_SECRET_MODE_PLAIN, auth_key_size, auth_key_value);
if(result != TSS_SUCCESS) throw libhis_exception("Set key Secret Plain", result);
}
//assign the key auth
result = Tspi_Policy_AssignToObject(hpolicy_key, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Assign key Secret", result);
//Unwrap the key
result = Tspi_Key_LoadKey(hkey_key, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Unwrap key", result);
//set hash value
result = Tspi_Hash_UpdateHashValue(hhash, 20, hash);
if(result != TSS_SUCCESS) throw libhis_exception("Set hash value", result);
//verify signature data
result = Tspi_Hash_VerifySignature(hhash, hkey_key, signature_size, signature_value);
if(result != TSS_SUCCESS) throw libhis_exception("Verify signature", result);
}
~libhis_verifysignature()
{
//clean up hash object
result = Tspi_Context_CloseObject(hcontext, hhash);
if(result != TSS_SUCCESS) throw libhis_exception("Close hash object", result);
//clean up key policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key Policy", result);
if(binitialized)
{
//clean up key
result = Tspi_Context_CloseObject(hcontext, hkey_key);
if(result != TSS_SUCCESS) throw libhis_exception("Close key", result);
}
//clean up SRK policy
result = Tspi_Context_CloseObject(hcontext, hpolicy_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK Policy", result);
//clean up SRK object
result = Tspi_Context_CloseObject(hcontext, hkey_srk);
if(result != TSS_SUCCESS) throw libhis_exception("Close SRK", result);
//close context
result = Tspi_Context_Close(hcontext);
if(result != TSS_SUCCESS) throw libhis_exception("Close Context", result);
}
private:
TSS_RESULT result;
TSS_HCONTEXT hcontext;
TSS_HTPM htpm;
TSS_HKEY hkey_srk,
hkey_key;
TSS_HPOLICY hpolicy_srk,
hpolicy_key;
TSS_UUID uuid_key;
TSS_HHASH hhash;
UINT32 init_key,
init_key_size,
init_key_type,
init_key_authorized,
init_key_migratable,
init_key_volatile,
init_key_scheme;
bool binitialized;
};
#endif

31
tpm_module/main.cpp
View File

@ -1,31 +0,0 @@
/**
* When compiling in Linux define LINUX. When compiling in Windows define
* WINDOWS. This software is designed to be compiled on either platform without
* modification. Simply set the preprocessor definitions and the code will take
* care of the rest.
*/
/**
* This software was originally implemented as a static library. However,
* requirements changed and it resumed existing as a command line-driven
* executable. The libhis header files are designed such that you could easily
* break them out into their own library. They do not require inclusion of TCG
* headers or the use of TCG data structures. All input is handled with standard
* C++ types.
*/
#include "libhis_cli.hpp"
#ifdef LINUX
int main(int argc, char **argv)
#endif
#ifdef WINDOWS
unsigned long main(int argc, char **argv)
#endif
{
//provide all arguments to our controller class
libhis_cli test(argc, argv);
//return the integer result from our controller class's execution function
return test.cli();
}

58
tpm_module/makefile
View File

@ -1,58 +0,0 @@
################################################################################
# Automatically-generated file. Do not edit!
################################################################################
-include makefile.init
RM := rm -rf
# All of the sources participating in the build are defined here
-include sources.mk
-include subdir.mk
-include objects.mk
ifneq ($(MAKECMDGOALS),clean)
ifneq ($(strip $(C++_DEPS)),)
-include $(C++_DEPS)
endif
ifneq ($(strip $(C_DEPS)),)
-include $(C_DEPS)
endif
ifneq ($(strip $(CC_DEPS)),)
-include $(CC_DEPS)
endif
ifneq ($(strip $(CPP_DEPS)),)
-include $(CPP_DEPS)
endif
ifneq ($(strip $(CXX_DEPS)),)
-include $(CXX_DEPS)
endif
ifneq ($(strip $(C_UPPER_DEPS)),)
-include $(C_UPPER_DEPS)
endif
endif
-include makefile.defs
# Add inputs and outputs from these tool invocations to the build variables
# All Target
all: tpm_module
# Tool invocations
tpm_module: $(OBJS) $(USER_OBJS)
@echo 'Building target: $@'
@echo 'Invoking: GCC C++ Linker'
g++ -o "tpm_module" $(OBJS) $(USER_OBJS) $(LIBS)
@echo 'Finished building target: $@'
@echo ' '
# Other Targets
clean:
-$(RM) $(OBJS)$(C++_DEPS)$(C_DEPS)$(CC_DEPS)$(CPP_DEPS)$(EXECUTABLES)$(CXX_DEPS)$(C_UPPER_DEPS) tpm_module
-@echo ' '
.PHONY: all clean dependents
.SECONDARY:
-include makefile.targets

111
tpm_module/man/tpm_module.1
View File

@ -1,111 +0,0 @@
.TH TPM_MODULE 1 "January 11, 2018"
.sp 1
.SH NAME
tpm_module \- interact with the TPM
.SH SYNOPSIS
.B tpm_module
[\-m <mode>] [\-options]
.SH DESCRIPTION
Provide various modes for interacting with the TPM.
.SH MODES
1 Take Ownership of TPM
.br
2 Change Owner Authorization Data
.br
3 Clear Ownership (Disables TPM)
.br
4 Create EK
.br
5 Change SRK Authorization Data
.br
6 Collate Identity Request (Create Identity Key)
.br
7 Activate Identity (Create Identity Key Certificate)
.br
8 Quote
.br
9 Quote 2
.br
10 Seal Data (Encrypt Data to Current Platform State)
.br
11 Seal 2 (Seal Against Future PCRs)
.br
12 Unseal Data
.br
13 Generate Random Bytes
.br
14 Create Signing, Binding, or Storage Key
.br
15 Change Key Authorization Data
.br
16 Get Keyblob
.br
17 Get Key Modulus
.br
18 Clear Key
.br
19 Get PCR
.br
20 Extend PCR (Update PCR Value)
.br
21 Clear PCR
.br
22 Set NVRAM Data
.br
23 Get NVRAM Data
.br
24 Clear NVRAM Data
.br
25 Sign Data
.br
26 Verify Signed Data
.br
27 Bind
.br
28 Unbind
.br
29 Get Public Key
.SH OPTIONS
.B \-h, \-\-help
.IP
display help, use with -m to see help/options for individual modes
.P
.B \-v, \-\-version
.IP
display software version info
.P
.B \-d, \-\-debug
.IP
enable console debugging
.P
.B \-f, \-\-file
.IP
write debugging info to file
.P
.B \-z, \-\-zeros
.IP
fill in authdata with zeroes
.P
.B \-r, \-\-readable
.IP
make output human-readable with delimiters
.P
.B \-nr, \-\-nonce_random
.IP
populate nonce with TPM's random byte generator
.SH EXAMPLES
Take ownership of TPM using a specific nonce and zeroes for auth data:
.IP
tpm_module \-m 1 \-n 0123456789012345678901234567890123456789 \-z
.P
Get help with collate identity request mode:
.IP
tpm_module \-m 6 \-h
.P
Generate a quote2 using the first 16 PCRs, random nonce, identity key with
simple UUID, and omitted SRK auth as zeroes:
.IP
tpm_module \-m 9 \-p ffff00 \-nr \-u 00000000\-0000\-0000\-0000\-040000000001 \-authp_ik password \-z
.SH SEE ALSO
hirs-provisioner(1)

8
tpm_module/objects.mk
View File

@ -1,8 +0,0 @@
################################################################################
# Automatically-generated file. Do not edit!
################################################################################
USER_OBJS :=
LIBS := -ltspi

27
tpm_module/sources.mk
View File

@ -1,27 +0,0 @@
################################################################################
# Automatically-generated file. Do not edit!
################################################################################
O_SRCS :=
CPP_SRCS :=
C_UPPER_SRCS :=
C_SRCS :=
S_UPPER_SRCS :=
OBJ_SRCS :=
ASM_SRCS :=
CXX_SRCS :=
C++_SRCS :=
CC_SRCS :=
OBJS :=
C++_DEPS :=
C_DEPS :=
CC_DEPS :=
CPP_DEPS :=
EXECUTABLES :=
CXX_DEPS :=
C_UPPER_DEPS :=
# Every subdirectory with source files must be described here
SUBDIRS := \
. \

24
tpm_module/subdir.mk
View File

@ -1,24 +0,0 @@
################################################################################
# Automatically-generated file. Do not edit!
################################################################################
# Add inputs and outputs from these tool invocations to the build variables
CPP_SRCS += \
main.cpp
OBJS += \
main.o
CPP_DEPS += \
main.d
# Each subdirectory must supply rules for building sources it contributes
%.o: %.cpp
@echo 'Building file: $<'
@echo 'Invoking: GCC C++ Compiler'
g++ -DLINUX -I"./tpm_module" -O3 -Wall -c -fmessage-length=0 -MMD -MP -MF"$(@:%.o=%.d)" -MT"$(@:%.o=%.d)" -o "$@" "$<"
@echo 'Finished building: $<'
@echo ' '