Fixes for attestation with endorsement key. Remove the `WOLFTPM2_KEYB…

…LOB` name (deprecated). It is in handle.name now.
wolfSSL · Dec 29, 2023 · 66c7c10 · 66c7c10
1 parent af4861e
commit 66c7c10
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 73 deletions.
diff --git a/examples/attestation/activate_credential.c b/examples/attestation/activate_credential.c
@@ -44,6 +44,7 @@ static void usage(void)
     printf("Expected usage:\n");
     printf("./examples/attestation/activate_credential [cred.blob] [-eh]\n");
     printf("* cred.blob is a input file holding the generated credential.\n");
+    printf("* -eh: Use the EK public key to encrypt the challenge\n");
     printf("Demo usage without parameters, uses \"cred.blob\" filename.\n");
 }
 
@@ -64,14 +65,8 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     const char *input = "cred.blob";
     const char *keyblob = "keyblob.bin";
 
-    union {
-        ActivateCredential_In activCred;
-        byte maxInput[MAX_COMMAND_SIZE];
-    } cmdIn;
-    union {
-        ActivateCredential_Out activCred;
-        byte maxOutput[MAX_RESPONSE_SIZE];
-    } cmdOut;
+    ActivateCredential_In  activCredIn;
+    ActivateCredential_Out activCredOut;
 
     if (argc == 1) {
         printf("Using default values\n");
@@ -157,9 +152,13 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
         /* Set the created Policy Session for use in next operation */
         rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 0);
         if (rc != 0) goto exit;
+        /* Set the name for the endorsement handle */
+        rc = wolfTPM2_SetAuthHandleName(&dev, 1, &primary->handle);
+        if (rc != 0) goto exit;
     }
     else {
-        wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
+        rc = wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
+        if (rc != 0) goto exit;
     }
 
     /* Prepare the auth password for the Attestation Key */
@@ -169,19 +168,19 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle);
 
     /* Prepare the Activate Credential command */
-    XMEMSET(&cmdIn.activCred, 0, sizeof(cmdIn.activCred));
-    XMEMSET(&cmdOut.activCred, 0, sizeof(cmdOut.activCred));
-    cmdIn.activCred.activateHandle = akKey.handle.hndl;
-    cmdIn.activCred.keyHandle = primary->handle.hndl;
+    XMEMSET(&activCredIn, 0, sizeof(activCredIn));
+    XMEMSET(&activCredOut, 0, sizeof(activCredOut));
+    activCredIn.activateHandle = akKey.handle.hndl;
+    activCredIn.keyHandle = primary->handle.hndl;
     /* Read credential from the user file */
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     fp = XFOPEN(input, "rb");
     if (fp != XBADFILE) {
-        dataSize = (int)XFREAD((BYTE*)&cmdIn.activCred.credentialBlob, 1,
-                                sizeof(cmdIn.activCred.credentialBlob), fp);
+        dataSize = (int)XFREAD((BYTE*)&activCredIn.credentialBlob, 1,
+                                sizeof(activCredIn.credentialBlob), fp);
         if (dataSize > 0) {
-            dataSize += (int)XFREAD((BYTE*)&cmdIn.activCred.secret, 1,
-                                     sizeof(cmdIn.activCred.secret), fp);
+            dataSize += (int)XFREAD((BYTE*)&activCredIn.secret, 1,
+                                     sizeof(activCredIn.secret), fp);
         }
         XFCLOSE(fp);
     }
@@ -192,14 +191,18 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     goto exit;
 #endif
     /* All required data to verify the credential is prepared */
-    rc = TPM2_ActivateCredential(&cmdIn.activCred, &cmdOut.activCred);
+    rc = TPM2_ActivateCredential(&activCredIn, &activCredOut);
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_ActivateCredential failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));
         goto exit;
     }
     printf("TPM2_ActivateCredential success\n");
 
+    printf("Secret: %d\n", activCredOut.certInfo.size);
+    TPM2_PrintBin(activCredOut.certInfo.buffer,
+                  activCredOut.certInfo.size);
+
 exit:
 
     wolfTPM2_UnloadHandle(&dev, &primary->handle);

diff --git a/examples/attestation/make_credential.c b/examples/attestation/make_credential.c
@@ -68,16 +68,10 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     const char *srkPubFile = "srk.pub";
     const char *pubFilename = NULL;
 
-    union {
-        MakeCredential_In makeCred;
-        LoadExternal_In  loadExtIn;
-        byte maxInput[MAX_COMMAND_SIZE];
-    } cmdIn;
-    union {
-        MakeCredential_Out makeCred;
-        LoadExternal_Out loadExtOut;
-        byte maxOutput[MAX_RESPONSE_SIZE];
-    } cmdOut;
+    MakeCredential_In  makeCredIn;
+    MakeCredential_Out makeCredOut;
+    LoadExternal_In  loadExtIn;
+    LoadExternal_Out loadExtOut;
 
     if (argc == 1) {
         printf("Using public key from SRK to create the challenge\n");
@@ -100,12 +94,6 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
         goto exit_badargs;
     }
 
-    XMEMSET(&name, 0, sizeof(name));
-    XMEMSET(&cmdIn.makeCred, 0, sizeof(cmdIn.makeCred));
-    XMEMSET(&cmdOut.makeCred, 0, sizeof(cmdOut.makeCred));
-    XMEMSET(&cmdIn.loadExtIn, 0, sizeof(cmdIn.loadExtIn));
-    XMEMSET(&cmdOut.loadExtOut, 0, sizeof(cmdOut.loadExtOut));
-
     printf("Demo how to create a credential challenge for remote attestation\n");
     printf("Credential will be stored in %s\n", output);
 
@@ -125,24 +113,26 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     }
     rc = readKeyBlob(pubFilename, &primary);
     if (rc != 0) {
-        printf("Failure to load %s\n", pubFilename);
+        printf("Failure to read %s\n", pubFilename);
         goto exit;
     }
+
     /* Prepare the key for use by the TPM */
-    XMEMCPY(&cmdIn.loadExtIn.inPublic, &primary.pub,
-        sizeof(cmdIn.loadExtIn.inPublic));
-    cmdIn.loadExtIn.hierarchy = TPM_RH_NULL;
-    rc = TPM2_LoadExternal(&cmdIn.loadExtIn, &cmdOut.loadExtOut);
+    XMEMSET(&loadExtIn, 0, sizeof(loadExtIn));
+    XMEMSET(&loadExtOut, 0, sizeof(loadExtOut));
+    XMEMCPY(&loadExtIn.inPublic, &primary.pub, sizeof(loadExtIn.inPublic));
+    loadExtIn.hierarchy = TPM_RH_NULL;
+    rc = TPM2_LoadExternal(&loadExtIn, &loadExtOut);
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_LoadExternal: failed %d: %s\n", rc,
             wolfTPM2_GetRCString(rc));
         return rc;
     }
     printf("Public key for encryption loaded\n");
-    handle.hndl = cmdOut.loadExtOut.objectHandle;
-
+    handle.hndl = loadExtOut.objectHandle;
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     /* Load AK Name digest */
+    XMEMSET(&name, 0, sizeof(name));
     fp = XFOPEN("ak.name", "rb");
     if (fp != XBADFILE) {
         size_t nameReadSz = XFREAD((BYTE*)&name, 1, sizeof(name), fp);
@@ -153,31 +143,37 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
 #endif
 
     /* Create secret for the attestation server */
-    cmdIn.makeCred.credential.size = CRED_SECRET_SIZE;
-    wolfTPM2_GetRandom(&dev, cmdIn.makeCred.credential.buffer,
-                        cmdIn.makeCred.credential.size);
-    /* Prepare the AK name */
-    cmdIn.makeCred.objectName.size = name.size;
-    XMEMCPY(cmdIn.makeCred.objectName.name, name.name,
-                cmdIn.makeCred.objectName.size);
+    XMEMSET(&makeCredIn, 0, sizeof(makeCredIn));
+    XMEMSET(&makeCredOut, 0, sizeof(makeCredOut));
+    makeCredIn.credential.size = CRED_SECRET_SIZE;
+    wolfTPM2_GetRandom(&dev, makeCredIn.credential.buffer,
+                             makeCredIn.credential.size);
+    /* Set the object name */
+    makeCredIn.objectName.size = name.size;
+    XMEMCPY(makeCredIn.objectName.name, name.name,
+            makeCredIn.objectName.size);
     /* Set TPM key and execute */
-    cmdIn.makeCred.handle = handle.hndl;
-    rc = TPM2_MakeCredential(&cmdIn.makeCred, &cmdOut.makeCred);
+    makeCredIn.handle = handle.hndl;
+    rc = TPM2_MakeCredential(&makeCredIn, &makeCredOut);
     if (rc != TPM_RC_SUCCESS) {
-        printf("TPM2_MakeCredentials failed 0x%x: %s\n", rc,
+        printf("TPM2_MakeCredential failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));
         goto exit;
     }
     printf("TPM2_MakeCredential success\n");
 
+    printf("Secret: %d\n", makeCredIn.credential.size);
+    TPM2_PrintBin(makeCredIn.credential.buffer,
+                  makeCredIn.credential.size);
+
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     fp = XFOPEN(output, "wb");
     if (fp != XBADFILE) {
-        dataSize = (int)XFWRITE((BYTE*)&cmdOut.makeCred.credentialBlob, 1,
-                                 sizeof(cmdOut.makeCred.credentialBlob), fp);
+        dataSize = (int)XFWRITE((BYTE*)&makeCredOut.credentialBlob, 1,
+                                 sizeof(makeCredOut.credentialBlob), fp);
         if (dataSize > 0) {
-            dataSize += (int)XFWRITE((BYTE*)&cmdOut.makeCred.secret, 1,
-                                      sizeof(cmdOut.makeCred.secret), fp);
+            dataSize += (int)XFWRITE((BYTE*)&makeCredOut.secret, 1,
+                                      sizeof(makeCredOut.secret), fp);
         }
         XFCLOSE(fp);
     }

diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c
@@ -141,7 +141,6 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
     const char *pemFilename = NULL;
     #endif
-    FILE *fp;
 #endif
     size_t len = 0;
     char symMode[] = "aesctr";
@@ -378,14 +377,13 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         /* Store primary public key */
         XMEMCPY(&primaryBlob.pub, &primary->pub, sizeof(primaryBlob.pub));
         rc |= writeKeyBlob(pubFilename, &primaryBlob);
+
         /* Write AK's Name digest */
-        fp = XFOPEN(nameFile, "wb");
-        if (fp != XBADFILE) {
-            XFWRITE((BYTE*)&newKeyBlob.name, 1, sizeof(newKeyBlob.name), fp);
-            printf("Wrote AK Name digest\n");
-            XFCLOSE(fp);
-        }
+        rc |= writeBin(nameFile, (byte*)&newKeyBlob.handle.name,
+            sizeof(newKeyBlob.handle.name));
+        printf("Wrote AK Name digest\n");
     }
+    if (rc != TPM_RC_SUCCESS) goto exit;
 #else
     if (alg == TPM_ALG_SYMCIPHER) {
         printf("The Public Part of a symmetric key contains only meta data\n");

diff --git a/examples/run_examples.sh b/examples/run_examples.sh
@@ -100,13 +100,20 @@ rm -f keyedhashblob.bin
 [ $RESULT -ne 0 ] && echo -e "keygen keyed hash load failed! $RESULT" && exit 1
 
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
-    # KeyGen Endorsement with Policy Secret
+    # KeyGen under Endorsement
     ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
+    ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1
+
     ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
+    ./examples/keygen/keyload ecckeyblobeh.bin -ecc -eh >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
 fi
 
 
@@ -277,21 +284,31 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
 fi
 
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/keygen/keygen keyblob.bin -rsa >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1
     ./examples/attestation/make_credential >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "make_credential failed! $RESULT" && exit 1
-    # TODO: TPM_RC_INTEGRITY
-    #./examples/attestation/activate_credential >> run.out
-    #RESULT=$?
-    #[ $RESULT -ne 0 ] && echo -e "activate_credential failed! $RESULT" && exit 1
+    ./examples/attestation/activate_credential >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "activate_credential failed! $RESULT" && exit 1
 
+    # Endorsement hierarchy
+    ./examples/keygen/keygen keyblob.bin -rsa -eh >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keygen rsa endorsement failed! $RESULT" && exit 1
     ./examples/attestation/make_credential -eh >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "make_credential endorsement failed! $RESULT" && exit 1
-    # TODO: TPM_RC_INTEGRITY
-    #./examples/attestation/activate_credential -eh >> run.out
-    #RESULT=$?
-    #[ $RESULT -ne 0 ] && echo -e "activate_credential endorsement failed! $RESULT" && exit 1
+    ./examples/attestation/activate_credential -eh >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "activate_credential endorsement failed! $RESULT" && exit 1
+
+    rm -f cred.blob
+    rm -f ek.pub
+    rm -f srk.pub
+    rm -f ak.name
 fi
 
 # PCR Quote Tests
@@ -473,6 +490,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     rm -f aaa.bin
 fi
 
+rm -f keyblob.bin
 
 echo -e "Success!"
 exit 0
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -1772,7 +1772,7 @@ int wolfTPM2_CreateLoadedKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob,
 
     wolfTPM2_CopyPub(&keyBlob->pub, &createLoadedOut.outPublic);
     wolfTPM2_CopyPriv(&keyBlob->priv, &createLoadedOut.outPrivate);
-    wolfTPM2_CopyName(&keyBlob->name, &createLoadedOut.name);
+    wolfTPM2_CopyName(&keyBlob->handle.name, &createLoadedOut.name);
 
     return rc;
 }

diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
@@ -63,7 +63,6 @@ typedef struct WOLFTPM2_KEY {
 typedef struct WOLFTPM2_KEYBLOB {
     WOLFTPM2_HANDLE   handle;
     TPM2B_PUBLIC      pub;
-    TPM2B_NAME        name;
     TPM2B_PRIVATE     priv;
 } WOLFTPM2_KEYBLOB;