Added example for TPM2_Certify.

examples/attestation/activate_credential.c

@@ -33,7 +33,7 @@
 
 #ifndef WOLFTPM2_NO_WRAPPER
 
-#include <examples/attestation/credential.h>
+#include <examples/attestation/attestation.h>
 #include <hal/tpm_io.h>
 #include <examples/tpm_test.h>
 #include <examples/tpm_test_keys.h>

examples/attestation/credential.h → examples/attestation/attestation.h

@@ -1,4 +1,4 @@
-/* credential.h
+/* attestation.h
  *
  * Copyright (C) 2006-2024 wolfSSL Inc.
  *
@@ -19,8 +19,8 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-#ifndef _CREDENTIAL_H_
-#define _CREDENTIAL_H_
+#ifndef _ATTESTATION_H_
+#define _ATTESTATION_H_
 
 #ifdef __cplusplus
     extern "C" {
@@ -30,9 +30,10 @@
 
 int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[]);
+int TPM2_Certify_Example(void* userCtx, int argc, char *argv[]);
 
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif
 
-#endif /* _CREDENTIAL_H_ */
+#endif /* _ATTESTATION_H_ */

examples/attestation/certify.c

@@ -0,0 +1,240 @@
+/* certify.c
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfTPM.
+ *
+ * wolfTPM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfTPM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* This example shows how to create a attestation for a key (like IAK)
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolftpm/tpm2_wrap.h>
+
+#include <stdio.h>
+
+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT)
+
+#include <examples/attestation/attestation.h>
+#include <hal/tpm_io.h>
+#include <examples/tpm_test.h>
+#include <examples/tpm_test_keys.h>
+
+
+/******************************************************************************/
+/* --- BEGIN TPM2.0 Certify example tool  -- */
+/******************************************************************************/
+
+static void usage(void)
+{
+    printf("Expected usage:\n");
+    printf("./examples/attestation/certify [-eh] [-rsa/-ecc]\n");
+    printf("* -ecc/-rsa: SRK is RSA or ECC (default is RSA)\n");
+    printf("* -eh: Create keys under the Endorsement Hierarchy (EK) "
+        "(default is Owner)\n");
+}
+
+int TPM2_Certify_Example(void* userCtx, int argc, char *argv[])
+{
+    int rc = -1;
+    int endorseKey = 0;
+    WOLFTPM2_DEV dev;
+    WOLFTPM2_KEY storage;
+    WOLFTPM2_KEYBLOB akKey;
+    WOLFTPM2_KEY     devidKey;
+    WOLFTPM2_SESSION tpmSession;
+    TPM_ALG_ID alg = TPM_ALG_RSA;
+    TPMA_OBJECT objectAttributes;
+    TPMT_PUBLIC publicTemplate;
+    TPM_ALG_ID hashAlg = TPM_ALG_SHA256;
+    word32 digestSz = 0;
+    Certify_In  certifyIn;
+    Certify_Out certifyOut;
+    const char keyCreationNonce[] = "RandomServerPickedCreationNonce";
+
+    if (argc >= 2) {
+        if (XSTRCMP(argv[1], "-?") == 0 ||
+            XSTRCMP(argv[1], "-h") == 0 ||
+            XSTRCMP(argv[1], "--help") == 0) {
+            usage();
+            return 0;
+        }
+    }
+    while (argc > 1) {
+        if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
+            alg = TPM_ALG_ECC;
+        }
+        else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
+            alg = TPM_ALG_RSA;
+        }
+        else if (XSTRCMP(argv[argc-1], "-eh") == 0) {
+            endorseKey = 1;
+        }
+        else {
+            printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
+        }
+        argc--;
+    }
+
+    (void)endorseKey; /* TODO: Add endorsement */
+
+    XMEMSET(&storage, 0, sizeof(storage));
+    XMEMSET(&akKey, 0, sizeof(akKey));
+    XMEMSET(&devidKey, 0, sizeof(devidKey));
+    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
+
+    printf("Certify IDevID with IAK to generate TPM-signed attestation info\n");
+    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
+    if (rc != TPM_RC_SUCCESS) {
+        printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
+        goto exit;
+    }
+    printf("wolfTPM2_Init: success\n");
+
+    /* Get SRK */
+    rc = getPrimaryStoragekey(&dev, &storage, alg);
+    if (rc != 0) goto exit;
+
+    /* Create an IAK */
+    objectAttributes = (
+        TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_noDA |
+        TPMA_OBJECT_userWithAuth | TPMA_OBJECT_adminWithPolicy |
+        TPMA_OBJECT_decrypt | TPMA_OBJECT_sign);
+    XMEMSET(&publicTemplate, 0, sizeof(publicTemplate));
+    if (alg == TPM_ALG_RSA) {
+        rc = GetKeyTemplateRSA(&publicTemplate, TPM_ALG_SHA256,
+            objectAttributes, 2048, 0, TPM_ALG_NULL, TPM_ALG_NULL);
+    }
+    else { /* TPM_ALG_ECC */
+        rc = GetKeyTemplateECC(&publicTemplate, TPM_ALG_SHA256,
+            objectAttributes, TPM_ECC_NIST_P256, TPM_ALG_NULL, TPM_ALG_NULL);
+    }
+    if (rc == 0) {
+        word32 val;
+
+        /* Setup admin policy */
+        publicTemplate.objectAttributes |= TPMA_OBJECT_adminWithPolicy;
+
+        XMEMSET(publicTemplate.authPolicy.buffer, 0,
+            sizeof(publicTemplate.authPolicy.buffer));
+        digestSz = TPM2_GetHashDigestSize(hashAlg);
+
+        val = TPM_CC_Certify;
+    #ifndef BIG_ENDIAN_ORDER
+        val = ByteReverseWord32(val);
+    #endif
+        rc = wolfTPM2_PolicyHash1(hashAlg, publicTemplate.authPolicy.buffer,
+            &digestSz, TPM_CC_PolicyCommandCode, (byte*)&val, sizeof(val));
+        TPM2_PrintBin(publicTemplate.authPolicy.buffer, digestSz);
+    }
+    if (rc == 0) {
+        publicTemplate.authPolicy.size = (UINT16)digestSz;
+        rc = wolfTPM2_CreateKey(&dev, &akKey, &storage.handle, &publicTemplate,
+            (const byte*)gAiKeyAuth, sizeof(gAiKeyAuth)-1);
+    }
+    if (rc == 0) {
+        wolfTPM2_LoadKey(&dev, &akKey, &storage.handle);
+    }
+    if (rc != 0) {
+        printf("Failed to create IAK!\n");
+        goto exit;
+    }
+    printf("IAK Created and Loaded: 0x%x (%d bytes)\n",
+        (word32)akKey.handle.hndl, akKey.pub.size);
+
+    /* Start a policy session for admin policy authentication */
+    rc = wolfTPM2_StartSession(&dev, &tpmSession, NULL, NULL,
+                               TPM_SE_POLICY, TPM_ALG_NULL);
+    if (rc == 0) {
+        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+            (word32)tpmSession.handle.hndl);
+
+        /* set session for authorization of the storage key */
+        rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
+            TPMA_SESSION_continueSession);
+    }
+    if (rc != 0) {
+        printf("Failed to start policy session!\n");
+        goto exit;
+    }
+
+    /* Perform admin policy authorizations */
+    rc = wolfTPM2_PolicyCommandCode(&dev, &tpmSession, TPM_CC_Certify);
+    if (rc != 0) {
+        goto exit;
+    }
+
+    wolfTPM2_SetAuthHandle(&dev, 1, &akKey.handle);
+
+    /* Create signed certify structure */
+    XMEMSET(&certifyIn, 0, sizeof(certifyIn));
+    certifyIn.objectHandle = storage.handle.hndl;
+    certifyIn.signHandle = akKey.handle.hndl;
+    certifyIn.inScheme.scheme = TPM_ALG_RSASSA;
+    certifyIn.inScheme.details.any.hashAlg = TPM_ALG_SHA256;
+    /* provide a random nonce from remote server (optional) */
+    certifyIn.qualifyingData.size = sizeof(keyCreationNonce)-1;
+    XMEMCPY(certifyIn.qualifyingData.buffer, keyCreationNonce,
+        certifyIn.qualifyingData.size);
+    rc = TPM2_Certify(&certifyIn, &certifyOut);
+    if (rc != TPM_RC_SUCCESS) {
+        printf("TPM2_Certify RSA key failed 0x%x: %s\n", rc,
+            TPM2_GetRCString(rc));
+        goto exit;
+    }
+    else {
+        printf("TPM2_Certify test passed\n");
+    }
+
+exit:
+
+    if (rc != 0) {
+        printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc));
+    }
+
+    wolfTPM2_UnloadHandle(&dev, &storage.handle);
+    wolfTPM2_UnloadHandle(&dev, &akKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
+    wolfTPM2_Cleanup(&dev);
+
+    return rc;
+}
+
+/******************************************************************************/
+/* --- END TPM2.0 Certify example tool -- */
+/******************************************************************************/
+#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT */
+
+#ifndef NO_MAIN_DRIVER
+int main(int argc, char *argv[])
+{
+    int rc = -1;
+
+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT)
+    rc = TPM2_Certify_Example(NULL, argc, argv);
+#else
+    printf("Wrapper or wolfCrypt code not compiled in\n");
+    (void)argc;
+    (void)argv;
+#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT */
+
+    return rc;
+}
+#endif

examples/attestation/include.am

@@ -3,27 +3,34 @@
 
 if BUILD_EXAMPLES
 noinst_PROGRAMS += examples/attestation/make_credential \
-                   examples/attestation/activate_credential
+                   examples/attestation/activate_credential \
+                   examples/attestation/certify
 
-noinst_HEADERS  += examples/attestation/credential.h
+noinst_HEADERS  += examples/attestation/attestation.h
 
 examples_attestation_make_credential_SOURCES      = examples/attestation/make_credential.c \
                                                     examples/tpm_test_keys.c
 examples_attestation_make_credential_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_attestation_make_credential_DEPENDENCIES = src/libwolftpm.la
 
-examples_attestation_activate_credential_SOURCES  = examples/attestation/activate_credential.c \
-                                                    examples/tpm_test_keys.c
+examples_attestation_activate_credential_SOURCES      = examples/attestation/activate_credential.c \
+                                                        examples/tpm_test_keys.c
 examples_attestation_activate_credential_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_attestation_activate_credential_DEPENDENCIES = src/libwolftpm.la
 
+examples_attestation_certify_SOURCES      = examples/attestation/certify.c \
+                                            examples/tpm_test_keys.c
+examples_attestation_certify_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_attestation_certify_DEPENDENCIES = src/libwolftpm.la
 endif
 example_attestationdir = $(exampledir)/attestation
 dist_example_attestation_DATA = \
   examples/attestation/make_credential.c \
-  examples/attestation/activate_credential.c
+  examples/attestation/activate_credential.c \
+  examples/attestation/certify.c
 
 DISTCLEANFILES+= examples/attestation/.libs/make_credential \
-                 examples/attestation/.libs/activate_credential
+                 examples/attestation/.libs/activate_credential \
+                 examples/attestation/.libs/certify
 
 EXTRA_DIST+= examples/attestation/README.md

examples/attestation/make_credential.c

@@ -29,7 +29,7 @@
 
 #ifndef WOLFTPM2_NO_WRAPPER
 
-#include <examples/attestation/credential.h>
+#include <examples/attestation/attestation.h>
 #include <hal/tpm_io.h>
 #include <examples/tpm_test.h>
 #include <examples/tpm_test_keys.h>

examples/native/native_test.c

@@ -111,7 +111,7 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
         ECDH_KeyGen_In ecdh;
         ECDH_ZGen_In ecdhZ;
         EncryptDecrypt2_In encDec;
-        CertifyCreation_In certifyCreationIn;
+        CertifyCreation_In certifyCreation;
         HMAC_In hmac;
         HMAC_Start_In hmacStart;
 #if defined(WOLFTPM_ST33) || defined(WOLFTPM_AUTODETECT)
@@ -151,7 +151,7 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
         ECDH_KeyGen_Out ecdh;
         ECDH_ZGen_Out ecdhZ;
         EncryptDecrypt2_Out encDec;
-        CertifyCreation_Out certifyCreationOut;
+        CertifyCreation_Out certifyCreation;
         HMAC_Out hmac;
         HMAC_Start_Out hmacStart;
         byte maxOutput[MAX_RESPONSE_SIZE];
@@ -1226,15 +1226,18 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
     }
 
     /* Use the RSA key for Encrypt/Decrypt to unit test certifyCreation */
-    cmdIn.certifyCreationIn.signHandle = rsaKey.handle;
-    cmdIn.certifyCreationIn.objectHandle = rsaKey.handle;
-    cmdIn.certifyCreationIn.creationHash.size = rsaKey.creationHash.size;
-    XMEMCPY(cmdIn.certifyCreationIn.creationHash.buffer, rsaKey.creationHash.buffer, cmdIn.certifyCreationIn.creationHash.size);
-    XMEMCPY(&cmdIn.certifyCreationIn.creationTicket, &rsaKey.creationTicket, sizeof(rsaKey.creationTicket));
-    cmdIn.certifyCreationIn.inScheme.scheme = TPM_ALG_RSASSA;
-    cmdIn.certifyCreationIn.inScheme.details.any.hashAlg = TPM_ALG_SHA256;
-    cmdIn.certifyCreationIn.qualifyingData.size = 0; /* optional */
-    rc = TPM2_CertifyCreation(&cmdIn.certifyCreationIn, &cmdOut.certifyCreationOut);
+    cmdIn.certifyCreation.signHandle = rsaKey.handle;
+    cmdIn.certifyCreation.objectHandle = rsaKey.handle;
+    cmdIn.certifyCreation.creationHash.size = rsaKey.creationHash.size;
+    XMEMCPY(cmdIn.certifyCreation.creationHash.buffer, rsaKey.creationHash.buffer, cmdIn.certifyCreation.creationHash.size);
+    XMEMCPY(&cmdIn.certifyCreation.creationTicket, &rsaKey.creationTicket, sizeof(rsaKey.creationTicket));
+    cmdIn.certifyCreation.inScheme.scheme = TPM_ALG_RSASSA;
+    cmdIn.certifyCreation.inScheme.details.any.hashAlg = TPM_ALG_SHA256;
+    /* provide a random nonce from remote server (optional) */
+    cmdIn.certifyCreation.qualifyingData.size = sizeof(keyCreationNonce)-1;
+    XMEMCPY(cmdIn.certifyCreation.qualifyingData.buffer, keyCreationNonce,
+        cmdIn.certifyCreation.qualifyingData.size);
+    rc = TPM2_CertifyCreation(&cmdIn.certifyCreation, &cmdOut.certifyCreation);
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_CertifyCreation RSA key failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));