+openpts (0.2.5.1) unstable; urgency=low
+
+ * Added config option for Infineon TPM
+ * Fixed base64 decode functions to support CR in the middle of string
+
+ -- Seiji Munetoh <munetoh@users.sourceforge.jp> Wed, 30 Nov 2011 10:50:00 +0900
+
openpts (0.2.5) unstable; urgency=low
* scan by coverity
# http://www.opensource.org/licenses/cpl1.0.php.
#
-AC_INIT(openpts, 0.2.5, openpts-users@lists.sourceforge.jp)
+AC_INIT(openpts, 0.2.5.1, openpts-users@lists.sourceforge.jp)
# use pkg-config
# check /usr/lib64/pkgconfig/
################################################################################
#
+# Attestation(sign) key
+#
+# aik.storage.type
+# tss use tcsd ps_system
+# blob use the file (set the filename by aik.storage.filename)
+#
+# aik.auth.type
+# null use the null secret
+# common use the common secret
+#
+# Uncomment the following line for Infineon TPM(v1.2)
+# aik.storage.type=blob
+# aik.storage.filename=key.blob
+# aik.auth.type=common
+
+#
# SRK password
#
# null tpm_takeownership with null password (just enter)
OPENPTS_TARGET target[];
} OPENPTS_TARGET_LIST;
+/* UUID status */
#define OPENPTS_UUID_EMPTY 0
#define OPENPTS_UUID_FILENAME_ONLY 1
#define OPENPTS_UUID_UUID_ONLY 2
int status;
} OPENPTS_UUID;
+/* Attestation(sign) key */
+#define OPENPTS_AIK_STORAGE_TYPE_TSS 0
+#define OPENPTS_AIK_STORAGE_TYPE_BLOB 1
+#define OPENPTS_AIK_AUTH_TYPE_NULL 0
+#define OPENPTS_AIK_AUTH_TYPE_COMMON 1
+
/**
* Config
*/
TSS_VERSION tss_version;
TSS_VERSION pts_version;
+ /* Attestation(sign) key */
+ int aik_storage_type;
+ char *aik_storage_filename;
+ int aik_auth_type;
+
/* UUID */
OPENPTS_UUID * uuid; /**< Platform(collector) UUID */
OPENPTS_UUID * rm_uuid; /**< RM(now) UUID */
/* tss.c */
int printTssKeyList(int ps_type);
int createTssSignKey(
- PTS_UUID *uuid, int ps_type, char *filename, int force, int srk_password_mode);
+ PTS_UUID *uuid,
+ int ps_type,
+ char *filename,
+ int auth_type,
+ int force,
+ int srk_password_mode);
int deleteTssKey(PTS_UUID *uuid, int ps_type);
int getTpmVersion(TSS_VERSION *version);
int getTssPubKey(
PTS_UUID *uuid,
- int ps_type, int srk_password_mode, int resetdalock,
+ int ps_type,
+ int srk_password_mode,
+ int resetdalock,
char *filename,
+ int auth_type,
int *pubkey_length, BYTE **pubkey);
int quoteTss(
PTS_UUID *uuid,
int ps_type,
int srk_password_mode,
char *filename,
+ int auth_type,
BYTE *nonce,
OPENPTS_PCRS *pcrs,
TSS_VALIDATION *validationData);
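Review bot: The new `auth_type` parameter is inserted between other plain `int` parameters (`ps_type`, `force`, `srk_password_mode`) in `createTssSignKey`, `getTssPubKey` and `quoteTss` here and in `quote2Tss` in the following hunk, so any caller that is not updated still compiles and silently passes its arguments shifted by one position. None of the prototypes document which values are legal for the two selector parameters. A Doxygen line above each declaration, `@param ps_type OPENPTS_AIK_STORAGE_TYPE_TSS or OPENPTS_AIK_STORAGE_TYPE_BLOB` and `@param auth_type OPENPTS_AIK_AUTH_TYPE_NULL or OPENPTS_AIK_AUTH_TYPE_COMMON`, would make the contract visible at the call site; a typedef'd enum for each would additionally let the compiler flag mismatches.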
int ps_type,
int srk_password_mode,
char *filename,
+ int auth_type,
BYTE *nonce,
OPENPTS_PCRS *pcrs,
TSS_VALIDATION *validationData);
OPENPTS_PROPERTY *prop_start,
OPENPTS_PROPERTY *prop_end) {
int rc = PTS_SUCCESS;
- UINT32 ps_type = TSS_PS_TYPE_SYSTEM;
OPENPTS_CONTEXT *ctx;
int i;
int keygen = 1;
// if verifier take the ownership of sign key, we needs the key for each verifier.
// auth can be transferd by IF-M (DH excnage)
if (keygen == 1) {
- rc = createTssSignKey(conf->uuid->uuid, ps_type, NULL, 0, conf->srk_password_mode);
+ rc = createTssSignKey(
+ conf->uuid->uuid,
+ conf->aik_storage_type,
+ conf->aik_storage_filename,
+ conf->aik_auth_type,
+ 0,
+ conf->srk_password_mode);
if (rc == 0x0001) { // 0x0001
fprintf(stderr, "createSignKey failed. "
"if you uses well known SRK secret, "
free(conf->config_file);
}
+ if (conf->aik_storage_filename != NULL) {
+ free(conf->aik_storage_filename);
+ }
+
free(conf);
return PTS_SUCCESS;
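Review bot: The `if (conf->aik_storage_filename != NULL)` guard around `free()` is redundant because `free(NULL)` is defined as a no-op; a bare `free(conf->aik_storage_filename);` matches the unguarded `free(conf->config_file)` just above and keeps the cleanup path uniform.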
char *path;
char *filename2 = NULL; // fullpath
int buf_len;
+ /* tmp path */
+ char *aik_storage_filename = NULL;
DEBUG("readPtsConfig() : %s\n", filename);
}
}
+ /* Atetstation(sign) key*/
+ if (!strncmp(name, "aik.storage.type", 16)) {
+ if (!strncmp(value, "tss", 3)) {
+ conf->aik_storage_type = OPENPTS_AIK_STORAGE_TYPE_TSS;
+ DEBUG("conf->aik_storage_type : none\n");
+ } else if (!strncmp(value, "blob", 4)) {
+ conf->aik_storage_type = OPENPTS_AIK_STORAGE_TYPE_BLOB;
+ DEBUG("conf->aik_storage_type : blob\n");
+ } else {
+ ERROR("unknown aik.storage.type %s\n", value); // TODO
+ conf->aik_storage_type = 0;
+ }
+ }
+ if (!strncmp(name, "aik.storage.filename", 20)) {
+ if (aik_storage_filename != NULL) {
+ free(aik_storage_filename);
+ }
+ aik_storage_filename = smalloc(value);
+ DEBUG("aik_storage_filename : CONF/%s\n", aik_storage_filename);
+ }
+ if (!strncmp(name, "aik.auth.type", 13)) {
+ if (!strncmp(value, "null", 4)) {
+ conf->aik_auth_type = OPENPTS_AIK_AUTH_TYPE_NULL;
+ DEBUG("conf->aik_auth_type : null\n");
+ } else if (!strncmp(value, "common", 6)) {
+ conf->aik_auth_type = OPENPTS_AIK_AUTH_TYPE_COMMON;
+ DEBUG("conf->aik_auth_type : common\n");
+ } else {
+ ERROR("unknown aik.auth.type %s\n", value); // TODO
+ conf->aik_auth_type = 0;
+ }
+ }
+
cnt++;
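Review bot: An unrecognized `aik.storage.type` or `aik.auth.type` value logs an ERROR and then stores `0`, which is `OPENPTS_AIK_STORAGE_TYPE_TSS` / `OPENPTS_AIK_AUTH_TYPE_NULL`, so a typo in the configuration silently falls back to the default instead of being treated as a load failure; the `else` branches should make the config load fail rather than continue. The prefix matches `strncmp(name, "aik.storage.type", 16)` and `strncmp(value, "tss", 3)` also accept longer strings such as `tssx`, so an exact `strcmp` against the key and value is safer. The DEBUG text `conf->aik_storage_type : none` in the tss case should read `tss`, and the comment `/* Atetstation(sign) key*/` is misspelled here and again at L176. readPtsConfig's body continues outside the hunk.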
} else {
// TODO
conf->verifier_logging_dir = smalloc("~/.openpts");
}
+ /* Atetstation(sign) key */
+ if (conf->aik_storage_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
+ if (aik_storage_filename == NULL) {
+ /* set the default filename if missed */
+ conf->aik_storage_filename = getFullpathName(conf->config_dir, "key.blob");
+ } else {
+ conf->aik_storage_filename =
+ getFullpathName(conf->config_dir, aik_storage_filename);
+ free(aik_storage_filename);
+ }
+ DEBUG("conf->aik_storage_filename : %s\n", conf->aik_storage_filename);
+ }
+
#if 0
if (conf->uuid != NULL) {
DEBUG("conf->uuid->filename : %s\n", conf->uuid->filename);
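Review bot: The temporary `aik_storage_filename` allocated with `smalloc()` in the parsing loop is freed only inside the `OPENPTS_AIK_STORAGE_TYPE_BLOB` branch, so a configuration that sets `aik.storage.filename` but leaves the storage type as `tss` leaks it on every call. Closing the branch with `} else { free(aik_storage_filename); }` fixes that (free(NULL) is a no-op, so no guard is needed). The result of `getFullpathName()` is passed straight to the DEBUG `%s`; if that helper can return NULL on allocation failure, the log line should guard against it. readPtsConfig continues outside the hunk.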
/* get PUBKEY */
rc = getTssPubKey(
conf->uuid->uuid,
- TSS_PS_TYPE_SYSTEM,
+ conf->aik_storage_type,
conf->srk_password_mode,
conf->tpm_resetdalock,
- NULL,
+ conf->aik_storage_filename,
+ conf->aik_auth_type,
&conf->pubkey_length,
&conf->pubkey);
if (rc != TSS_SUCCESS) {
*/
int genIrFromTss(OPENPTS_CONTEXT *ctx) {
int rc;
- UINT32 ps_type = TSS_PS_TYPE_SYSTEM; // TODO move to context?
/* get IML via securityfs */
if (ctx->conf->tpm_quote_type == 1) {
rc = quoteTss(
ctx->conf->uuid->uuid,
- ps_type,
+ ctx->conf->aik_storage_type,
ctx->conf->srk_password_mode,
- NULL, NULL,
+ ctx->conf->aik_storage_filename,
+ ctx->conf->aik_auth_type,
+ NULL,
ctx->pcrs,
ctx->validation_data); // tss.c
} else {
rc = quote2Tss(
ctx->conf->uuid->uuid,
- ps_type,
+ ctx->conf->aik_storage_type,
ctx->conf->srk_password_mode,
- NULL, NULL,
+ ctx->conf->aik_storage_filename,
+ ctx->conf->aik_auth_type,
+ NULL,
ctx->pcrs,
ctx->validation_data); // tss.c
}
/* get PUBKEY */
rc = getTssPubKey(
conf->uuid->uuid,
- TSS_PS_TYPE_SYSTEM,
+ conf->aik_storage_type, // TSS_PS_TYPE_SYSTEM,
conf->srk_password_mode,
conf->tpm_resetdalock,
- NULL,
+ conf->aik_storage_filename, // NULL,
+ conf->aik_auth_type,
&conf->pubkey_length,
&conf->pubkey);
if (rc != TSS_SUCCESS) {
// Local TCSD
#define SERVER NULL
+// TODO common secret
+#define TPMSIGKEY_SECRET "password"
+
#if 0
/* options */
const struct option long_option[] = {
{0, 0, 0, 0}
};
#endif
-const char short_option[] = "u:flNPt:a:hSUB:vz";
+const char short_option[] = "u:flNPt:a:hSUB:Cvz";
int verbose = 0;
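Review bot: `TPMSIGKEY_SECRET` hard-codes the "common" key usage secret as the literal `"password"`, and the same literal is defined a second time in tss.c (L325 of this diff), so a key created with `-C` is authorized by a value that ships in the source tree, which is no stronger than the null secret it replaces and should be documented as an interoperability workaround rather than an access control. Two independent copies can also drift apart, after which keys created by tpmsigkey stop loading in tss.c. Replace the bare `// TODO common secret` with something like `/* Shared, non-secret usage secret for keys created with aik.auth.type=common; must stay identical to the copy in tss.c. File/PS permissions are the only real access control. */`, and preferably move the define into one shared header.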
printf("\t-N\tCreate key without auth secret\n");
printf("\t-a PASSWORD\tCreate key with auth secret, PASSWORD\n");
printf("\t-P\tUse TSS diaglog to set the authsecret\n");
+ printf("\t-C\tUse common authsecret\n");
printf("\t-f\tUpdate the key\n");
printf("\t-z\tUse the SRK secret of all zeros (20 bytes of zeros).\n");
unsigned len = 0;
int srk_password_mode = 0;
+ int auth_type = 0;
while (1) {
case 'z': /* SRK */
srk_password_mode = 1;
break;
+ case 'C': /* common auth */
+ auth_type = 1;
+ break;
case 'v': /* Verbose */
verbose = 1;
return 0;
goto close;
}
}
+ } else {
+ if (auth_type == 1) {
+ // Noauth => uses common Auth secret
+ result = Tspi_Context_CreateObject(
+ hContext,
+ TSS_OBJECT_TYPE_POLICY,
+ TSS_POLICY_USAGE,
+ &hKeyPolicy);
+ if (result != TSS_SUCCESS) {
+ printf
+ ("ERROR: Tspi_Context_CreateObject failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ strlen(TPMSIGKEY_SECRET),
+ (BYTE *)TPMSIGKEY_SECRET);
+ if (result != TSS_SUCCESS) {
+ printf
+ ("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+
+ result = Tspi_Policy_AssignToObject(
+ hKeyPolicy,
+ hKey);
+ if (result != TSS_SUCCESS) {
+ printf
+ ("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+ }
}
result = Tspi_Key_CreateKey(hKey, hSRK, 0);
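Review bot: The error message after `Tspi_Policy_AssignToObject` (L316) reads `Tspi_Policy_SetSecret failed`, which will misdirect anyone debugging a failed key creation; it should be `printf("ERROR: Tspi_Policy_AssignToObject failed rc=0x%x\n", result);`. The same copy-paste appears in tss.c's createTssSignKey at L406. The comment `// Noauth => uses common Auth secret` on L286 is also misleading because this is the authorized branch; `// -C: attach the shared usage secret to the key` would match the code. The `if` this `else` belongs to and the declaration of `hKeyPolicy` are outside the hunk, so I could not confirm that the key object here is created with `TSS_KEY_AUTHORIZATION` as tss.c does.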
#define TSS_PS_TYPE_BLOB (0) // not defined by TSS
+// TODO common secret
+#define TPMSIGKEY_SECRET "password"
#ifdef CONFIG_NO_TSS
/* ONLY for verifier side */
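Review bot: The context line `#define TSS_PS_TYPE_BLOB (0)` survives this change, but the `ps_type` comparisons below now test `OPENPTS_AIK_STORAGE_TYPE_BLOB` (1) and the value 0 means `OPENPTS_AIK_STORAGE_TYPE_TSS`, so any remaining caller that still passes `TSS_PS_TYPE_BLOB` would now select TSS persistent storage instead of a blob file. If the old name has no users left, remove it; otherwise alias it with `#define TSS_PS_TYPE_BLOB OPENPTS_AIK_STORAGE_TYPE_BLOB` so both spellings agree.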
*
* TODO return PUBKEY blog
*/
-int createTssSignKey(PTS_UUID *uuid, int ps_type, char *filename, int force, int srk_password_mode) {
+int createTssSignKey(
+ PTS_UUID *uuid,
+ int ps_type,
+ char *filename,
+ int auth_type,
+ int force,
+ int srk_password_mode)
+{
TSS_RESULT result = 0;
TSS_HCONTEXT hContext;
TSS_HTPM hTPM;
TSS_HKEY hKey;
UINT32 keyLength;
BYTE *keyBlob;
+ TSS_HPOLICY hKeyPolicy;
int i;
TSS_UUID tss_uuid;
- TSS_FLAG initFlag = TSS_KEY_SIZE_2048 | TSS_KEY_TYPE_SIGNING;
/* Open TSS */
result = Tspi_Context_Create(&hContext);
/* UUID */
memcpy(&tss_uuid, uuid, sizeof(TSS_UUID));
- /* Create New Key object */
- result = Tspi_Context_CreateObject(hContext,
- TSS_OBJECT_TYPE_RSAKEY,
- initFlag, &hKey);
- if (result != TSS_SUCCESS) {
- ERROR("Tspi_Context_CreateObject failed rc=0x%x\n",
- result);
- goto close;
+
+
+ if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
+ /* Create New Key object */
+ result = Tspi_Context_CreateObject(
+ hContext,
+ TSS_OBJECT_TYPE_RSAKEY,
+ TSS_KEY_AUTHORIZATION | TSS_KEY_SIZE_2048 | TSS_KEY_TYPE_SIGNING,
+ &hKey);
+ if (result != TSS_SUCCESS) {
+ ERROR("Tspi_Context_CreateObject failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+
+ // Noauth => uses Dummy Auth secret
+ result = Tspi_Context_CreateObject(
+ hContext,
+ TSS_OBJECT_TYPE_POLICY,
+ TSS_POLICY_USAGE,
+ &hKeyPolicy);
+ if (result != TSS_SUCCESS) {
+ printf
+ ("ERROR: Tspi_Context_CreateObject failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ strlen(TPMSIGKEY_SECRET),
+ (BYTE *)TPMSIGKEY_SECRET);
+ if (result != TSS_SUCCESS) {
+ printf
+ ("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+
+ result = Tspi_Policy_AssignToObject(hKeyPolicy, hKey);
+
+ if (result != TSS_SUCCESS) {
+ printf
+ ("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+ } else {
+ /* Create New Key object */
+ result = Tspi_Context_CreateObject(
+ hContext,
+ TSS_OBJECT_TYPE_RSAKEY,
+ TSS_KEY_SIZE_2048 | TSS_KEY_TYPE_SIGNING,
+ &hKey);
+ if (result != TSS_SUCCESS) {
+ ERROR("Tspi_Context_CreateObject failed rc=0x%x\n",
+ result);
+ goto close;
+ }
}
/* create Key */
}
/* RegisterKey */
- if (ps_type == TSS_PS_TYPE_BLOB) {
+ if (ps_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
/* save as blob */
FILE *fp;
if (filename == NULL) {
ERROR("key blob filename is NULL\n");
+ result = TSS_E_KEY_NOT_LOADED;
goto close;
}
+
fp = fopen(filename, "w");
+ if (fp==NULL) {
+ ERROR("file open fail, key blob file is %s",filename);
+ result = TSS_E_KEY_NOT_LOADED;
+ goto close;
+ }
result = Tspi_GetAttribData(
hKey,
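Review bot: The key blob is written with `fopen(filename, "w")`, which creates the file under the process umask (commonly world-readable), and after this change the blob's only other protection is a null or source-visible usage secret, so the file permissions are effectively the access control. Create it owner-only: `int fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);` followed by `fp = (fd < 0) ? NULL : fdopen(fd, "w");` (needs `<fcntl.h>` and `<sys/stat.h>`), and the existing `fp==NULL` check then covers both failures. The ERROR at L438 lacks a trailing `\n` and the failure reason (`strerror(errno)`); the same message recurs at L471, L543 and L618. The comment `// Noauth => uses Dummy Auth secret` at L377 sits inside the `OPENPTS_AIK_AUTH_TYPE_COMMON` branch and contradicts it; the function continues past the end of the hunk.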
int ps_type,
int srk_password_mode,
int resetdalock,
- char *filename, int *pubkey_length, BYTE **pubkey) {
+ char *filename,
+ int auth_type,
+ int *pubkey_length, BYTE **pubkey) {
TSS_RESULT result = 0;
TSS_HCONTEXT hContext;
TSS_HKEY hKey;
BYTE *srk_auth;
int srk_auth_len = 0;
TSS_HPOLICY hKeyPolicy;
- BYTE key_auth[1] = {0};
-
if (resetdalock == 1) {
// 2011-03-03 SM WEC TPM locks well.
// TODO resetDaLock
/* Load AIK or Sign key */
- if (ps_type == 0) {
+ if (ps_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
/* Blob file */
FILE *fp;
BYTE blob[KEY_BLOB_SIZE];
int len;
fp = fopen(filename, "r");
+ if (fp==NULL) {
+ ERROR("file open fail, key blob file is %s",filename);
+ result = TSS_E_KEY_NOT_LOADED;
+ goto close;
+ }
len = fread(blob, 1, KEY_BLOB_SIZE, fp);
fclose(fp);
goto close;
}
-
- /* Set Policy */
- result = Tspi_Policy_SetSecret(
- hKeyPolicy,
- TSS_SECRET_MODE_PLAIN,
- 0, // ""
- key_auth);
- if (result != TSS_SUCCESS) {
- printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
- result);
- goto close;
+ if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
+ /* Set Policy - Dummy Secret */
+ // 2011-11-26 Munetoh - This fail with Infineon TPM(v1.2)
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ strlen(TPMSIGKEY_SECRET),
+ (BYTE *)TPMSIGKEY_SECRET);
+ if (result != TSS_SUCCESS) {
+ printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+ } else {
+ /* Set Policy - Null Secret */
+ // Atmel, Winbond, STM
+ BYTE key_auth[1] = {0};
+
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ 0,
+ key_auth);
+ if (result != TSS_SUCCESS) {
+ printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
}
/* get pubkey */
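Review bot: In the `OPENPTS_AIK_STORAGE_TYPE_BLOB` path `fopen(filename, "r")` is reached without checking that `filename` is non-NULL, unlike createTssSignKey, so a caller still passing NULL hits undefined behaviour before the new `fp==NULL` check; add `if (filename == NULL) { ERROR("key blob filename is NULL\n"); result = TSS_E_KEY_NOT_LOADED; goto close; }` ahead of the fopen. quoteTss (L541) and quote2Tss (L616) have the same gap. The note `// 2011-11-26 Munetoh - This fail with Infineon TPM(v1.2)` is placed in the common-secret branch, while the changelog presents the common secret as the Infineon workaround, so it is unclear whether it describes this branch or the null-secret one below; say which, e.g. `// Null secret fails on Infineon TPM v1.2; use aik.auth.type=common there`, if that is the intent.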
int ps_type,
int srk_password_mode,
char *filename,
+ int auth_type,
/* Nonce */
BYTE *nonce,
/* PCR selection */
TSS_HKEY hKey;
TSS_HPOLICY hKeyPolicy;
- BYTE key_auth[1] = {0};
-
TSS_UUID tss_uuid;
TSS_HPCRS hPcrComposite;
TSS_VALIDATION validation_data; // local
/* Load AIK or Sign key */
- if (ps_type == 0) {
+ if (ps_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
/* Blob file */
FILE *fp;
BYTE blob[KEY_BLOB_SIZE];
int len;
fp = fopen(filename, "r");
+ if (fp==NULL) {
+ ERROR("file open fail, key blob file is %s",filename);
+ result = TSS_E_KEY_NOT_LOADED;
+ goto close;
+ }
+
len = fread(blob, 1, KEY_BLOB_SIZE, fp);
fclose(fp);
goto close;
}
- /* Set Policy */
- result = Tspi_Policy_SetSecret(
- hKeyPolicy,
- TSS_SECRET_MODE_PLAIN,
- 0, // ""
- key_auth);
- if (result != TSS_SUCCESS) {
- printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
- result);
- goto close;
+ if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
+ /* Set Policy - Dummy Secret */
+ // 2011-11-26 Munetoh - This fail with Infineon TPM(v1.2)
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ strlen(TPMSIGKEY_SECRET),
+ (BYTE *)TPMSIGKEY_SECRET);
+ if (result != TSS_SUCCESS) {
+ printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+ } else {
+ /* Set Policy - Null Secret */
+ // Atmel, Winbond, STM
+ BYTE key_auth[] = "";
+
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ 0,
+ key_auth);
+ if (result != TSS_SUCCESS) {
+ printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
}
-
/* Setup (copy) Validation Data Structure */
validation_data.versionInfo.bMajor = validationData->versionInfo.bMajor;
validation_data.versionInfo.bMinor = validationData->versionInfo.bMinor;
int ps_type,
int srk_password_mode,
char *filename,
+ int auth_type,
/* Nonce */
BYTE *nonce,
/* PCR selection */
TSS_HKEY hKey;
TSS_HPOLICY hKeyPolicy;
- BYTE key_auth[] = "";
-
TSS_UUID tss_uuid;
TSS_HPCRS hPcrComposite;
TSS_VALIDATION validation_data; // local
/* Load AIK or Sign key */
- if (ps_type == 0) {
+ if (ps_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
/* Blob file */
FILE *fp;
BYTE blob[KEY_BLOB_SIZE];
int len;
fp = fopen(filename, "r");
+ if (fp==NULL) {
+ ERROR("file open fail, key blob file is %s",filename);
+ result = TSS_E_KEY_NOT_LOADED;
+ goto close;
+ }
+
+
len = fread(blob, 1, KEY_BLOB_SIZE, fp);
fclose(fp);
goto close;
}
- /* Set Policy */
- result = Tspi_Policy_SetSecret(
- hKeyPolicy,
- TSS_SECRET_MODE_PLAIN,
- 0,
- key_auth);
- if (result != TSS_SUCCESS) {
- printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
- result);
- goto close;
+ if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
+ /* Set Policy - Dummy Secret */
+ // 2011-11-26 Munetoh - This fail with Infineon TPM(v1.2)
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ strlen(TPMSIGKEY_SECRET),
+ (BYTE *)TPMSIGKEY_SECRET);
+ if (result != TSS_SUCCESS) {
+ printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
+ } else {
+ /* Set Policy - Null Secret */
+ // Atmel, Winbond, STM
+ BYTE key_auth[] = "";
+
+ result = Tspi_Policy_SetSecret(
+ hKeyPolicy,
+ TSS_SECRET_MODE_PLAIN,
+ 0,
+ key_auth);
+ if (result != TSS_SUCCESS) {
+ printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
+ result);
+ goto close;
+ }
}
/* Nonce -> rgbExternalData */