[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-16-g430abd7
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-16-g430abd7 |
|
Date: |
Wed, 11 Jul 2012 23:02:35 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=430abd76c8e1b166640736fa24100142ed8381c3
The branch, master has been updated
via 430abd76c8e1b166640736fa24100142ed8381c3 (commit)
via 1712fa2f247cb5e237e5e2d0e34c2fd75336bd55 (commit)
via e441e4bbf444e85ff69e69022c0f81b0b9a812ae (commit)
via 08a139712edc097877a15c133ed2c7e2e8d19867 (commit)
from 6299e590874b88364206f61d00cc08a256c57df4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 430abd76c8e1b166640736fa24100142ed8381c3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu Jul 12 01:03:21 2012 +0200
Added functions to handle TPM stored keys.
Not everything is on working state.
commit 1712fa2f247cb5e237e5e2d0e34c2fd75336bd55
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Jul 11 23:47:58 2012 +0200
Allow importing a public key from UUID
commit e441e4bbf444e85ff69e69022c0f81b0b9a812ae
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Jul 11 23:34:57 2012 +0200
Added the option to register a key
commit 08a139712edc097877a15c133ed2c7e2e8d19867
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Jul 11 21:32:06 2012 +0200
Added option to load a TPM key from an UUID (untested)
-----------------------------------------------------------------------
Summary of changes:
NEWS | 4 +
lib/includes/gnutls/abstract.h | 9 +
lib/includes/gnutls/tpm.h | 13 +-
lib/libgnutls.map | 4 +
lib/tpm.c | 900 ++++++++++++++++++++++++++++++++--------
src/tpmtool-args.c | 176 ++++++---
src/tpmtool-args.def | 20 +
src/tpmtool-args.h | 28 +-
src/tpmtool.c | 68 +++-
9 files changed, 988 insertions(+), 234 deletions(-)
diff --git a/NEWS b/NEWS
index ba0f658..72befa5 100644
--- a/NEWS
+++ b/NEWS
@@ -54,6 +54,10 @@ gnutls_privkey_import_openpgp_raw: Added
gnutls_privkey_import_x509_raw: Added
gnutls_privkey_import_ext2: Added
gnutls_tpm_privkey_generate: Added
+gnutls_tpm_key_list_deinit: Added
+gnutls_tpm_key_list_get_url: Added
+gnutls_tpm_get_registered: Added
+gnutls_tpm_privkey_delete: Added
gnutls_x509_privkey_import2: Added
gnutls_x509_privkey_import_openssl: Added
gnutls_load_file: Added
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index 623c774..4c79e5a 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -69,6 +69,11 @@ gnutls_pubkey_import_privkey (gnutls_pubkey_t key,
gnutls_privkey_t pkey,
unsigned int usage, unsigned int flags);
int
+gnutls_pubkey_import_tpm_url (gnutls_pubkey_t pkey,
+ const char* url,
+ const char *srk_password);
+
+int
gnutls_pubkey_import_tpm_raw (gnutls_pubkey_t pkey,
const gnutls_datum_t * fdata,
gnutls_x509_crt_fmt_t format,
@@ -201,6 +206,10 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
const char *srk_password,
const char *tpm_password);
+int
+gnutls_privkey_import_tpm_url (gnutls_privkey_t pkey,
+ const char* url, const char *srk_password, const char *key_password);
+
int gnutls_privkey_import_pkcs11_url (gnutls_privkey_t key, const char *url);
int
diff --git a/lib/includes/gnutls/tpm.h b/lib/includes/gnutls/tpm.h
index 9eb3c92..d179c71 100644
--- a/lib/includes/gnutls/tpm.h
+++ b/lib/includes/gnutls/tpm.h
@@ -31,8 +31,11 @@ extern "C"
{
#endif
-#define GNUTLS_TPM_SIG_PKCS1V15 1
-#define GNUTLS_TPM_SIG_PKCS1V15_SHA1 2
+struct tpm_key_list_st;
+typedef struct tpm_key_list_st *gnutls_tpm_key_list_t;
+
+#define GNUTLS_TPM_KEY_SIGNING (1<<2)
+#define GNUTLS_TPM_REGISTER_KEY (1<<3)
int
gnutls_tpm_privkey_generate (gnutls_pk_algorithm_t pk, unsigned int bits,
@@ -43,6 +46,12 @@ gnutls_tpm_privkey_generate (gnutls_pk_algorithm_t pk,
unsigned int bits,
gnutls_datum_t* pubkey,
unsigned int flags);
+void gnutls_tpm_key_list_deinit (gnutls_tpm_key_list_t list);
+int gnutls_tpm_key_list_get_url (gnutls_tpm_key_list_t list, unsigned int idx,
char** url);
+int gnutls_tpm_get_registered (gnutls_tpm_key_list_t *list);
+int gnutls_tpm_privkey_delete (const char* url, const char* srk_password);
+
+
#ifdef __cplusplus
}
#endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index d7579aa..1315ee7 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -809,6 +809,10 @@ GNUTLS_3_1_0 {
gnutls_privkey_import_tpm_raw;
gnutls_tpm_privkey_generate;
gnutls_pubkey_import_tpm_raw;
+ gnutls_tpm_key_list_deinit;
+ gnutls_tpm_key_list_get_url;
+ gnutls_tpm_get_registered;
+ gnutls_tpm_privkey_delete;
} GNUTLS_3_0_0;
GNUTLS_PRIVATE {
diff --git a/lib/tpm.c b/lib/tpm.c
index f50b818..27f720f 100644
--- a/lib/tpm.c
+++ b/lib/tpm.c
@@ -36,11 +36,11 @@
#include <pkcs11_int.h>
#include <x509/common.h>
#include <x509_b64.h>
+#include <random.h>
#include <trousers/tss.h>
#include <trousers/trousers.h>
-/* Signing function for TPM privkeys, set with gnutls_privkey_import_ext2() */
struct tpm_ctx_st
{
TSS_HCONTEXT tpm_ctx;
@@ -50,7 +50,28 @@ struct tpm_ctx_st
TSS_HPOLICY srk_policy;
};
+struct tpm_key_list_st
+{
+ UINT32 size;
+ TSS_KM_KEYINFO * ki;
+ TSS_HCONTEXT tpm_ctx;
+};
+
static void tpm_close_session(struct tpm_ctx_st *s);
+static int import_tpm_key (gnutls_privkey_t pkey,
+ const gnutls_datum_t * fdata,
+ gnutls_x509_crt_fmt_t format,
+ TSS_UUID *uuid,
+ const char *srk_password,
+ const char *key_password);
+
+/* TPM URL format:
+ *
+ * tpmkey:file=/path/to/file
+ * tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343
+ *
+ */
+
static int tss_err(TSS_RESULT err)
{
@@ -130,7 +151,6 @@ tpm_sign_fn (gnutls_privkey_t key, void *_s,
static const unsigned char nullpass[20];
const TSS_UUID srk_uuid = TSS_UUID_SRK;
-
static int tpm_open_session(struct tpm_ctx_st *s, const char* srk_password)
{
int err, ret;
@@ -210,64 +230,25 @@ static void tpm_close_session(struct tpm_ctx_st *s)
s->tpm_ctx = 0;
}
-/**
- * gnutls_privkey_import_tpm_raw:
- * @pkey: The private key
- * @fdata: The TPM key to be imported
- * @format: The format of the private key
- * @srk_password: The password for the SRK key (optional)
- * @key_password: A password for the key (optional)
- *
- * This function will import the given private key to the abstract
- * #gnutls_privkey_t structure. If a password is needed to access
- * TPM then or the provided password is wrong, then
- * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. If the key password
- * is wrong or not provided then %GNUTLS_E_TPM_KEY_PASSWORD_ERROR
- * is returned.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- * negative error value.
- *
- * Since: 3.1.0
- *
- **/
-int
-gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
- const gnutls_datum_t * fdata,
- gnutls_x509_crt_fmt_t format,
- const char *srk_password,
- const char *key_password)
+static int
+import_tpm_key (gnutls_privkey_t pkey,
+ const gnutls_datum_t * fdata,
+ gnutls_x509_crt_fmt_t format,
+ TSS_UUID *uuid,
+ const char *srk_password,
+ const char *key_password)
{
- gnutls_datum_t asn1;
+ gnutls_datum_t asn1 = { NULL, 0 };
size_t slen;
int err, ret;
struct tpm_ctx_st *s;
gnutls_datum_t tmp_sig;
- ret = gnutls_pem_base64_decode_alloc ("TSS KEY BLOB", fdata, &asn1);
- if (ret)
- {
- gnutls_assert ();
- _gnutls_debug_log ("Error decoding TSS key blob: %s\n",
- gnutls_strerror (ret));
- return ret;
- }
-
- slen = asn1.size;
- ret = _gnutls_x509_decode_octet_string(NULL, asn1.data, asn1.size,
asn1.data, &slen);
- if (ret < 0)
- {
- gnutls_assert();
- goto out_blob;
- }
- asn1.size = slen;
-
s = gnutls_malloc (sizeof (*s));
if (s == NULL)
{
gnutls_assert ();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto out_blob;
+ return GNUTLS_E_MEMORY_ERROR;
}
ret = tpm_open_session(s, srk_password);
@@ -277,25 +258,64 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
goto out_ctx;
}
- /* ... we get it here instead. */
- err = Tspi_Context_LoadKeyByBlob (s->tpm_ctx, s->srk,
- asn1.size, asn1.data, &s->tpm_key);
- if (err != 0)
+ if (fdata != NULL)
{
- if (srk_password)
- {
- gnutls_assert ();
- _gnutls_debug_log
- ("Failed to load TPM key blob: %s\n",
- Trspi_Error_String (err));
- }
+ ret = gnutls_pem_base64_decode_alloc ("TSS KEY BLOB", fdata, &asn1);
+ if (ret)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Error decoding TSS key blob: %s\n",
+ gnutls_strerror (ret));
+ goto out_session;
+ }
+
+ slen = asn1.size;
+ ret = _gnutls_x509_decode_octet_string(NULL, asn1.data, asn1.size,
asn1.data, &slen);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto out_blob;
+ }
+ asn1.size = slen;
+ /* ... we get it here instead. */
+ err = Tspi_Context_LoadKeyByBlob (s->tpm_ctx, s->srk,
+ asn1.size, asn1.data, &s->tpm_key);
+ if (err != 0)
+ {
+ if (srk_password)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log
+ ("Failed to load TPM key blob: %s\n",
+ Trspi_Error_String (err));
+ }
+
+ if (err)
+ {
+ gnutls_assert ();
+ ret = tss_err(err);
+ goto out_blob;
+ }
+ }
+ }
+ else if (uuid)
+ {
+ err =
+ Tspi_Context_LoadKeyByUUID (s->tpm_ctx, TSS_PS_TYPE_SYSTEM,
+ *uuid, &s->tpm_key);
if (err)
- {
- gnutls_assert ();
- ret = tss_err(err);
- goto out_session;
- }
+ {
+ gnutls_assert ();
+ ret = tss_err(err);
+ goto out_session;
+ }
+ }
+ else
+ {
+ gnutls_assert();
+ ret = GNUTLS_E_INVALID_REQUEST;
+ goto out_session;
}
ret =
@@ -365,15 +385,292 @@ out_key_policy:
out_key:
Tspi_Context_CloseObject (s->tpm_ctx, s->tpm_key);
s->tpm_key = 0;
+out_blob:
+ gnutls_free (asn1.data);
out_session:
tpm_close_session(s);
out_ctx:
gnutls_free (s);
-out_blob:
- gnutls_free (asn1.data);
return ret;
}
+/**
+ * gnutls_privkey_import_tpm_raw:
+ * @pkey: The private key
+ * @fdata: The TPM key to be imported
+ * @format: The format of the private key
+ * @srk_password: The password for the SRK key (optional)
+ * @key_password: A password for the key (optional)
+ *
+ * This function will import the given private key to the abstract
+ * #gnutls_privkey_t structure. If a password is needed to access
+ * TPM then or the provided password is wrong, then
+ * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. If the key password
+ * is wrong or not provided then %GNUTLS_E_TPM_KEY_PASSWORD_ERROR
+ * is returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ *
+ **/
+int
+gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
+ const gnutls_datum_t * fdata,
+ gnutls_x509_crt_fmt_t format,
+ const char *srk_password,
+ const char *key_password)
+{
+ return import_tpm_key(pkey, fdata, format, NULL, srk_password, key_password);
+}
+
+struct tpmkey_url_st
+{
+ char* filename;
+ TSS_UUID uuid;
+ unsigned int uuid_set;
+};
+
+static void clear_tpmkey_url(struct tpmkey_url_st *s)
+{
+ gnutls_free(s->filename);
+ memset(s, 0, sizeof(*s));
+}
+
+static int
+unescape_string (char *output, const char *input, size_t * size,
+ char terminator)
+{
+ gnutls_buffer_st str;
+ int ret = 0;
+ char *p;
+ int len;
+
+ _gnutls_buffer_init (&str);
+
+ /* find terminator */
+ p = strchr (input, terminator);
+ if (p != NULL)
+ len = p - input;
+ else
+ len = strlen (input);
+
+ ret = _gnutls_buffer_append_data (&str, input, len);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = _gnutls_buffer_unescape (&str);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ ret = _gnutls_buffer_append_data (&str, "", 1);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ _gnutls_buffer_pop_data (&str, output, size);
+
+ _gnutls_buffer_clear (&str);
+
+ return ret;
+}
+
+#define UUID_SIZE 16
+
+static int randomize_uuid(TSS_UUID* uuid)
+{
+ uint8_t raw_uuid[16];
+ int ret;
+
+ ret = _gnutls_rnd (GNUTLS_RND_NONCE, raw_uuid, sizeof(raw_uuid));
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ memcpy(&uuid->ulTimeLow, raw_uuid, 4);
+ memcpy(&uuid->usTimeMid, &raw_uuid[4], 2);
+ memcpy(&uuid->usTimeHigh, &raw_uuid[6], 2);
+ uuid->bClockSeqHigh = raw_uuid[8];
+ uuid->bClockSeqLow = raw_uuid[9];
+ memcpy(&uuid->rgbNode, &raw_uuid[10], 6);
+
+ return 0;
+}
+
+static int encode_tpmkey_url(char** url, TSS_UUID* uuid)
+{
+size_t size = UUID_SIZE*2+4+32;
+
+ *url = gnutls_malloc(size);
+ if (*url == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ snprintf(*url, size,
"tpmkey:uuid=%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
+ (unsigned int)uuid->ulTimeLow, (unsigned int)uuid->usTimeMid,
+ (unsigned int)uuid->usTimeHigh, (unsigned int)uuid->bClockSeqHigh,
+ (unsigned int)uuid->bClockSeqLow, (unsigned int)uuid->rgbNode[0],
+ (unsigned int)uuid->rgbNode[1], (unsigned int)uuid->rgbNode[2],
+ (unsigned int)uuid->rgbNode[3], (unsigned int)uuid->rgbNode[4],
+ (unsigned int)uuid->rgbNode[5]);
+
+ return 0;
+}
+
+static int decode_tpmkey_url(const char* url, struct tpmkey_url_st *s)
+{
+ char* p;
+ size_t size;
+ int ret;
+ unsigned int i, j;
+
+ if (strstr (url, "tpmkey:") == NULL)
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+
+ memset(s, 0, sizeof(*s));
+
+ p = strstr(url, "file=");
+ if (p != NULL)
+ {
+ p += sizeof ("file=") - 1;
+ size = strlen(p);
+ s->filename = gnutls_malloc(size);
+ if (s->filename == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ ret = unescape_string (s->filename, p, &size, ';');
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+
+
+ }
+ else if ((p = strstr(url, "uuid=")) != NULL)
+ {
+ char tmp_uuid[33];
+ uint8_t raw_uuid[16];
+
+ p += sizeof ("uuid=") - 1;
+ size = strlen(p);
+
+ for (j=i=0;i<size;i++)
+ {
+ if (j==sizeof(tmp_uuid)-1)
+ {
+ break;
+ }
+ if (isalnum(p[i])) tmp_uuid[j++]=p[i];
+ }
+ tmp_uuid[j] = 0;
+
+ size = sizeof(raw_uuid);
+ ret = _gnutls_hex2bin(tmp_uuid, strlen(tmp_uuid), raw_uuid, &size);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ memcpy(&s->uuid.ulTimeLow, raw_uuid, 4);
+ memcpy(&s->uuid.usTimeMid, &raw_uuid[4], 2);
+ memcpy(&s->uuid.usTimeHigh, &raw_uuid[6], 2);
+ s->uuid.bClockSeqHigh = raw_uuid[8];
+ s->uuid.bClockSeqLow = raw_uuid[9];
+ memcpy(&s->uuid.rgbNode, &raw_uuid[10], 6);
+ s->uuid_set = 1;
+ }
+ else
+ {
+ return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ }
+
+ return 0;
+
+cleanup:
+ clear_tpmkey_url(s);
+ return ret;
+}
+
+/**
+ * gnutls_privkey_import_tpm_url:
+ * @pkey: The private key
+ * @url: The URL of the TPM key to be imported
+ * @srk_password: The password for the SRK key (optional)
+ * @key_password: A password for the key (optional)
+ *
+ * This function will import the given private key to the abstract
+ * #gnutls_privkey_t structure. If a password is needed to access
+ * TPM then or the provided password is wrong, then
+ * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. If the key password
+ * is wrong or not provided then %GNUTLS_E_TPM_KEY_PASSWORD_ERROR
+ * is returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ *
+ **/
+int
+gnutls_privkey_import_tpm_url (gnutls_privkey_t pkey,
+ const char* url,
+ const char *srk_password,
+ const char *key_password)
+{
+struct tpmkey_url_st durl;
+gnutls_datum_t fdata = { NULL, 0 };
+int ret;
+
+ ret = decode_tpmkey_url(url, &durl);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (durl.filename)
+ {
+
+ ret = gnutls_load_file(durl.filename, &fdata);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret = gnutls_privkey_import_tpm_raw (pkey, &fdata, GNUTLS_X509_FMT_PEM,
+
srk_password, key_password);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+ else if (durl.uuid_set)
+ {
+ ret = import_tpm_key (pkey, NULL, 0, &durl.uuid, srk_password,
key_password);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+cleanup:
+ gnutls_free(fdata.data);
+ clear_tpmkey_url(&durl);
+ return ret;
+}
+
+
/* reads the RSA public key from the given TSS key.
* If psize is non-null it contains the total size of the parameters
* in bytes */
@@ -425,94 +722,187 @@ int ret;
}
-/**
- * gnutls_pubkey_import_tpm_raw:
- * @pkey: The public key
- * @fdata: The TPM key to be imported
- * @format: The format of the private key
- * @srk_password: The password for the SRK key (optional)
- * @key_password: A password for the key (optional)
- *
- * This function will import the public key from the provided
- * TPM key structure. If a password is needed to decrypt
- * the provided key or the provided password is wrong, then
- * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
- * negative error value.
- *
- * Since: 3.1.0
- *
- **/
-int
-gnutls_pubkey_import_tpm_raw (gnutls_pubkey_t pkey,
- const gnutls_datum_t * fdata,
- gnutls_x509_crt_fmt_t format,
- const char *srk_password)
+static int
+import_tpm_pubkey (gnutls_pubkey_t pkey,
+ const gnutls_datum_t * fdata,
+ gnutls_x509_crt_fmt_t format,
+ TSS_UUID *uuid,
+ const char *srk_password)
{
-gnutls_datum_t asn1;
+gnutls_datum_t asn1 = {NULL, 0};
size_t slen;
int err, ret;
struct tpm_ctx_st s;
- ret = gnutls_pem_base64_decode_alloc ("TSS KEY BLOB", fdata, &asn1);
- if (ret)
+ ret = tpm_open_session(&s, srk_password);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (fdata != NULL)
{
- gnutls_assert ();
- _gnutls_debug_log ("Error decoding TSS key blob: %s\n",
- gnutls_strerror (ret));
- return ret;
- }
+ ret = gnutls_pem_base64_decode_alloc ("TSS KEY BLOB", fdata, &asn1);
+ if (ret)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Error decoding TSS key blob: %s\n",
+ gnutls_strerror (ret));
+ goto out_session;
+ }
- slen = asn1.size;
- ret = _gnutls_x509_decode_octet_string(NULL, asn1.data, asn1.size,
asn1.data, &slen);
- if (ret < 0)
+ slen = asn1.size;
+ ret = _gnutls_x509_decode_octet_string(NULL, asn1.data, asn1.size,
asn1.data, &slen);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto out_blob;
+ }
+ asn1.size = slen;
+
+ err = Tspi_Context_LoadKeyByBlob (s.tpm_ctx, s.srk,
+ asn1.size, asn1.data, &s.tpm_key);
+ if (err != 0)
+ {
+ if (srk_password)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log
+ ("Failed to load TPM key blob: %s\n",
+ Trspi_Error_String (err));
+ }
+
+ if (err)
+ {
+ gnutls_assert ();
+ ret = tss_err(err);
+ goto out_blob;
+ }
+ }
+ }
+ else if (uuid)
+ {
+ err =
+ Tspi_Context_LoadKeyByUUID (s.tpm_ctx, TSS_PS_TYPE_SYSTEM,
+ *uuid, &s.tpm_key);
+ if (err)
+ {
+ gnutls_assert ();
+ ret = tss_err(err);
+ goto out_session;
+ }
+ }
+ else
{
gnutls_assert();
- goto out_blob;
+ ret = GNUTLS_E_INVALID_REQUEST;
+ goto out_session;
}
- asn1.size = slen;
- ret = tpm_open_session(&s, srk_password);
+ ret = read_pubkey(pkey, s.tpm_key, NULL);
if (ret < 0)
{
gnutls_assert();
goto out_blob;
}
- /* ... we get it here instead. */
- err = Tspi_Context_LoadKeyByBlob (s.tpm_ctx, s.srk,
- asn1.size, asn1.data, &s.tpm_key);
- if (err != 0)
- {
- if (srk_password)
- {
- gnutls_assert ();
- _gnutls_debug_log
- ("Failed to load TPM key blob: %s\n",
- Trspi_Error_String (err));
- }
+ ret = 0;
+out_blob:
+ gnutls_free (asn1.data);
+out_session:
+ tpm_close_session(&s);
+ return ret;
+}
- if (err)
- {
- gnutls_assert ();
- ret = tss_err(err);
- goto out_session;
- }
- }
- ret = read_pubkey(pkey, s.tpm_key, NULL);
+/**
+ * gnutls_pubkey_import_tpm_raw:
+ * @pkey: The public key
+ * @fdata: The TPM key to be imported
+ * @format: The format of the private key
+ * @srk_password: The password for the SRK key (optional)
+ * @key_password: A password for the key (optional)
+ *
+ * This function will import the public key from the provided
+ * TPM key structure. If a password is needed to decrypt
+ * the provided key or the provided password is wrong, then
+ * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ *
+ **/
+int
+gnutls_pubkey_import_tpm_raw (gnutls_pubkey_t pkey,
+ const gnutls_datum_t * fdata,
+ gnutls_x509_crt_fmt_t format,
+ const char *srk_password)
+{
+ return import_tpm_pubkey(pkey, fdata, format, NULL, srk_password);
+}
+
+/**
+ * gnutls_pubkey_import_tpm_url:
+ * @pkey: The public key
+ * @url: The URL of the TPM key to be imported
+ * @srk_password: The password for the SRK key (optional)
+ *
+ * This function will import the given private key to the abstract
+ * #gnutls_privkey_t structure. If a password is needed to access
+ * TPM then or the provided password is wrong, then
+ * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ *
+ **/
+int
+gnutls_pubkey_import_tpm_url (gnutls_pubkey_t pkey,
+ const char* url,
+ const char *srk_password)
+{
+struct tpmkey_url_st durl;
+gnutls_datum_t fdata = { NULL, 0 };
+int ret;
+
+ ret = decode_tpmkey_url(url, &durl);
if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (durl.filename)
{
- gnutls_assert();
- goto out_session;
+
+ ret = gnutls_load_file(durl.filename, &fdata);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret = gnutls_pubkey_import_tpm_raw (pkey, &fdata, GNUTLS_X509_FMT_PEM,
+ srk_password);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+ else if (durl.uuid_set)
+ {
+ ret = import_tpm_pubkey (pkey, NULL, 0, &durl.uuid, srk_password);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
}
ret = 0;
-out_session:
- tpm_close_session(&s);
-out_blob:
- gnutls_free (asn1.data);
+cleanup:
+ gnutls_free(fdata.data);
+ clear_tpmkey_url(&durl);
return ret;
}
@@ -537,7 +927,12 @@ out_blob:
* is not one of the allowed values, then it will be quantized to
* one of 512, 1024, 2048, 4096, 8192 and 16384.
*
- * Allowed flags are %GNUTLS_TPM_SIG_PKCS1V15 and
%GNUTLS_TPM_SIG_PKCS1V15_SHA1.
+ * Allowed flags are:
+ *
+ * %GNUTLS_TPM_KEY_SIGNING: Generate a signing key instead of a legacy,
+
+ * %GNUTLS_TPM_REGISTER_KEY: Register the generate key in TPM. In that
+ * case @privkey would contain a URL with the UUID.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
@@ -553,18 +948,22 @@ gnutls_tpm_privkey_generate (gnutls_pk_algorithm_t pk,
unsigned int bits,
gnutls_datum_t* pubkey,
unsigned int flags)
{
-TSS_FLAG tpm_flags = TSS_KEY_TYPE_LEGACY | TSS_KEY_VOLATILE;
+TSS_FLAG tpm_flags = TSS_KEY_VOLATILE;
TSS_HKEY key_ctx;
TSS_RESULT tssret;
int ret;
void* tdata;
UINT32 tint;
-gnutls_datum_t tmpkey;
+gnutls_datum_t tmpkey = {NULL, 0};
TSS_HPOLICY key_policy;
-unsigned int sig;
gnutls_pubkey_t pub;
struct tpm_ctx_st s;
+ if (flags & GNUTLS_TPM_KEY_SIGNING)
+ tpm_flags |= TSS_KEY_TYPE_SIGNING;
+ else
+ tpm_flags |= TSS_KEY_TYPE_LEGACY;
+
if (bits <= 512)
tpm_flags |= TSS_KEY_SIZE_512;
else if (bits <= 1024)
@@ -590,13 +989,8 @@ struct tpm_ctx_st s;
goto err_cc;
}
- if (flags & GNUTLS_TPM_SIG_PKCS1V15_SHA1)
- sig = TSS_SS_RSASSAPKCS1V15_SHA1;
- else
- sig = TSS_SS_RSASSAPKCS1V15_DER;
-
tssret = Tspi_SetAttribUint32(key_ctx, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
- sig);
+ TSS_SS_RSASSAPKCS1V15_DER);
if (tssret != 0)
{
gnutls_assert();
@@ -633,36 +1027,72 @@ struct tpm_ctx_st s;
goto err_sa;
}
- tssret = Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_KEY_BLOB,
- TSS_TSPATTRIB_KEYBLOB_BLOB, &tint,
(void*)&tdata);
- if (tssret != 0)
+ if (flags & GNUTLS_TPM_REGISTER_KEY)
{
- gnutls_assert();
- ret = tss_err(tssret);
- goto err_sa;
- }
+ TSS_UUID key_uuid;
+
+ ret = randomize_uuid(&key_uuid);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto err_sa;
+ }
+
+ tssret = Tspi_Context_RegisterKey(s.tpm_ctx, key_ctx, TSS_PS_TYPE_USER,
+ key_uuid, TSS_PS_TYPE_SYSTEM,
srk_uuid);
+ if (tssret != 0)
+ {
+ gnutls_assert();
+ ret = tss_err(tssret);
+ goto err_sa;
+ }
+
+ ret = encode_tpmkey_url((char**)&privkey->data, &key_uuid);
+ if (ret < 0)
+ {
+ TSS_HKEY tkey;
+
+ Tspi_Context_UnregisterKey(s.tpm_ctx, TSS_PS_TYPE_USER, key_uuid,
&tkey);
+ gnutls_assert();
+ goto err_sa;
+ }
+ privkey->size = strlen((char*)privkey->data);
- ret = _gnutls_x509_encode_octet_string(tdata, tint, &tmpkey);
- if (ret < 0)
- {
- gnutls_assert();
- goto cleanup;
}
-
- if (format == GNUTLS_X509_FMT_PEM)
+ else /* get the key as blob */
{
- ret = _gnutls_fbase64_encode ("TSS KEY BLOB", tmpkey.data, tmpkey.size,
privkey);
+
+ tssret = Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_KEY_BLOB,
+ TSS_TSPATTRIB_KEYBLOB_BLOB, &tint,
(void*)&tdata);
+ if (tssret != 0)
+ {
+ gnutls_assert();
+ ret = tss_err(tssret);
+ goto err_sa;
+ }
+
+ ret = _gnutls_x509_encode_octet_string(tdata, tint, &tmpkey);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
- }
- else
- {
- privkey->data = tmpkey.data;
- privkey->size = tmpkey.size;
- tmpkey.data = NULL;
+
+ if (format == GNUTLS_X509_FMT_PEM)
+ {
+ ret = _gnutls_fbase64_encode ("TSS KEY BLOB", tmpkey.data,
tmpkey.size, privkey);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+ else
+ {
+ privkey->data = tmpkey.data;
+ privkey->size = tmpkey.size;
+ tmpkey.data = NULL;
+ }
}
/* read the public key */
@@ -721,3 +1151,147 @@ err_cc:
return ret;
}
+
+/**
+ * gnutls_tpm_key_list_deinit:
+ * @list: a list of the keys
+ *
+ * This function will deinitialize the list of stored keys in the TPM.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ **/
+void
+gnutls_tpm_key_list_deinit (gnutls_tpm_key_list_t list)
+{
+ if (list->tpm_ctx != 0) Tspi_Context_Close (list->tpm_ctx);
+ gnutls_free(list);
+}
+
+/**
+ * gnutls_tpm_key_list_get_url:
+ * @list: a list of the keys
+ *
+ * This function will deinitialize the list of stored keys in the TPM.
+ *
+ * If the provided index is out of bounds then
%GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * is returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ **/
+int
+gnutls_tpm_key_list_get_url (gnutls_tpm_key_list_t list, unsigned int idx,
char** url)
+{
+ if (idx >= list->size)
+ return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+
+ return encode_tpmkey_url(url, &list->ki[idx].keyUUID);
+}
+
+/**
+ * gnutls_tpm_get_registered:
+ * @list: a list to store the keys
+ * @srk_password: a password to protect the exported key (optional)
+ *
+ * This function will get a list of stored keys in the TPM. The uuid
+ * of those keys
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ **/
+int
+gnutls_tpm_get_registered (gnutls_tpm_key_list_t *list)
+{
+TSS_RESULT tssret;
+int ret;
+
+ *list = gnutls_calloc(1, sizeof(struct tpm_key_list_st));
+ if (*list == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ tssret = Tspi_Context_Create (&(*list)->tpm_ctx);
+ if (tssret)
+ {
+ gnutls_assert ();
+ ret = tss_err(tssret);
+ goto cleanup;
+ }
+
+ tssret = Tspi_Context_Connect ((*list)->tpm_ctx, NULL);
+ if (tssret)
+ {
+ gnutls_assert ();
+ ret = tss_err(tssret);
+ goto cleanup;
+ }
+
+ tssret =
+ Tspi_Context_GetRegisteredKeysByUUID((*list)->tpm_ctx,
TSS_PS_TYPE_SYSTEM,
+ NULL, &(*list)->size, &(*list)->ki);
+ if (tssret)
+ {
+ gnutls_assert ();
+ ret = tss_err(tssret);
+ goto cleanup;
+ }
+ return 0;
+
+cleanup:
+ gnutls_tpm_key_list_deinit(*list);
+
+ return ret;
+}
+
+/**
+ * gnutls_tpm_privkey_delete:
+ * @url: the URL describing the key
+ * @srk_password: a password for the SRK key
+ *
+ * This function will unregister the private key from the TPM
+ * chip.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.0
+ **/
+int
+gnutls_tpm_privkey_delete (const char* url, const char* srk_password)
+{
+struct tpm_ctx_st s;
+struct tpmkey_url_st durl;
+TSS_RESULT tssret;
+TSS_HKEY tkey;
+int ret;
+
+ ret = decode_tpmkey_url(url, &durl);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (durl.uuid_set == 0)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ ret = tpm_open_session(&s, srk_password);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ tssret = Tspi_Context_UnregisterKey(s.tpm_ctx, TSS_PS_TYPE_USER, durl.uuid,
&tkey);
+ if (tssret != 0)
+ {
+ gnutls_assert();
+ ret = tss_err(tssret);
+ goto err_cc;
+ }
+
+ ret = 0;
+err_cc:
+ tpm_close_session(&s);
+ return ret;
+}
diff --git a/src/tpmtool-args.c b/src/tpmtool-args.c
index c8f98fb..30120fb 100644
--- a/src/tpmtool-args.c
+++ b/src/tpmtool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (tpmtool-args.c)
*
- * It has been AutoGen-ed July 8, 2012 at 09:02:01 PM by AutoGen 5.16
+ * It has been AutoGen-ed July 12, 2012 at 12:55:38 AM by AutoGen 5.16
* From the definitions tpmtool-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* tpmtool option static const strings
*/
-static char const tpmtool_opt_strs[1647] =
+static char const tpmtool_opt_strs[1821] =
/* 0 */ "tpmtool @address@hidden"
"Copyright (C) 2000-2012 Free Software Foundation, all rights
reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -96,30 +96,39 @@ static char const tpmtool_opt_strs[1647] =
/* 964 */ "Generate an RSA private-public key pair\0"
/* 1004 */ "GENERATE_RSA\0"
/* 1017 */ "generate-rsa\0"
-/* 1030 */ "Prints the public key of the provided key\0"
-/* 1072 */ "PUBKEY\0"
-/* 1079 */ "pubkey\0"
-/* 1086 */ "Specify the security level [low, legacy, normal, high, ultra].\0"
-/* 1149 */ "SEC_PARAM\0"
-/* 1159 */ "sec-param\0"
-/* 1169 */ "Specify the number of bits for key generate\0"
-/* 1213 */ "BITS\0"
-/* 1218 */ "bits\0"
-/* 1223 */ "Display extended usage information and exit\0"
-/* 1267 */ "help\0"
-/* 1272 */ "Extended usage information passed thru pager\0"
-/* 1317 */ "more-help\0"
-/* 1327 */ "Output version information and exit\0"
-/* 1363 */ "version\0"
-/* 1371 */ "TPMTOOL\0"
-/* 1379 */ "tpmtool - GnuTLS TPM tool - Ver. @address@hidden"
+/* 1030 */ "Any generated key will be registered in the TPM\0"
+/* 1078 */ "REGISTER\0"
+/* 1087 */ "register\0"
+/* 1096 */ "Prints the public key of the provided key\0"
+/* 1138 */ "PUBKEY\0"
+/* 1145 */ "pubkey\0"
+/* 1152 */ "Lists all stored keys in the TPM\0"
+/* 1185 */ "LIST\0"
+/* 1190 */ "list\0"
+/* 1195 */ "Delete the key identified by the given URL (UUID).\0"
+/* 1246 */ "DELETE\0"
+/* 1253 */ "delete\0"
+/* 1260 */ "Specify the security level [low, legacy, normal, high, ultra].\0"
+/* 1323 */ "SEC_PARAM\0"
+/* 1333 */ "sec-param\0"
+/* 1343 */ "Specify the number of bits for key generate\0"
+/* 1387 */ "BITS\0"
+/* 1392 */ "bits\0"
+/* 1397 */ "Display extended usage information and exit\0"
+/* 1441 */ "help\0"
+/* 1446 */ "Extended usage information passed thru pager\0"
+/* 1491 */ "more-help\0"
+/* 1501 */ "Output version information and exit\0"
+/* 1537 */ "version\0"
+/* 1545 */ "TPMTOOL\0"
+/* 1553 */ "tpmtool - GnuTLS TPM tool - Ver. @address@hidden"
"USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/* 1480 */ "address@hidden"
-/* 1499 */ "\n\n\0"
-/* 1502 */ "\n"
+/* 1654 */ "address@hidden"
+/* 1673 */ "\n\n\0"
+/* 1676 */ "\n"
"Program that allows handling cryptographic data from the TPM
chip.\n\0"
-/* 1571 */ "tpmtool @address@hidden"
-/* 1589 */ "tpmtool [options]\n"
+/* 1745 */ "tpmtool @address@hidden"
+/* 1763 */ "tpmtool [options]\n"
"tpmtool --help for usage instructions.\n";
/*
@@ -158,39 +167,64 @@ static char const tpmtool_opt_strs[1647] =
#define GENERATE_RSA_FLAGS (OPTST_DISABLED)
/*
+ * register option description:
+ */
+#define REGISTER_DESC (tpmtool_opt_strs+1030)
+#define REGISTER_NAME (tpmtool_opt_strs+1078)
+#define REGISTER_name (tpmtool_opt_strs+1087)
+#define REGISTER_FLAGS (OPTST_DISABLED)
+
+/*
* pubkey option description:
*/
-#define PUBKEY_DESC (tpmtool_opt_strs+1030)
-#define PUBKEY_NAME (tpmtool_opt_strs+1072)
-#define PUBKEY_name (tpmtool_opt_strs+1079)
+#define PUBKEY_DESC (tpmtool_opt_strs+1096)
+#define PUBKEY_NAME (tpmtool_opt_strs+1138)
+#define PUBKEY_name (tpmtool_opt_strs+1145)
#define PUBKEY_FLAGS (OPTST_DISABLED)
/*
+ * list option description:
+ */
+#define LIST_DESC (tpmtool_opt_strs+1152)
+#define LIST_NAME (tpmtool_opt_strs+1185)
+#define LIST_name (tpmtool_opt_strs+1190)
+#define LIST_FLAGS (OPTST_DISABLED)
+
+/*
+ * delete option description:
+ */
+#define DELETE_DESC (tpmtool_opt_strs+1195)
+#define DELETE_NAME (tpmtool_opt_strs+1246)
+#define DELETE_name (tpmtool_opt_strs+1253)
+#define DELETE_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
* sec-param option description:
*/
-#define SEC_PARAM_DESC (tpmtool_opt_strs+1086)
-#define SEC_PARAM_NAME (tpmtool_opt_strs+1149)
-#define SEC_PARAM_name (tpmtool_opt_strs+1159)
+#define SEC_PARAM_DESC (tpmtool_opt_strs+1260)
+#define SEC_PARAM_NAME (tpmtool_opt_strs+1323)
+#define SEC_PARAM_name (tpmtool_opt_strs+1333)
#define SEC_PARAM_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
* bits option description:
*/
-#define BITS_DESC (tpmtool_opt_strs+1169)
-#define BITS_NAME (tpmtool_opt_strs+1213)
-#define BITS_name (tpmtool_opt_strs+1218)
+#define BITS_DESC (tpmtool_opt_strs+1343)
+#define BITS_NAME (tpmtool_opt_strs+1387)
+#define BITS_name (tpmtool_opt_strs+1392)
#define BITS_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (tpmtool_opt_strs+1223)
-#define HELP_name (tpmtool_opt_strs+1267)
+#define HELP_DESC (tpmtool_opt_strs+1397)
+#define HELP_name (tpmtool_opt_strs+1441)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (tpmtool_opt_strs+1272)
-#define MORE_HELP_name (tpmtool_opt_strs+1317)
+#define MORE_HELP_DESC (tpmtool_opt_strs+1446)
+#define MORE_HELP_name (tpmtool_opt_strs+1491)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC NULL
@@ -203,8 +237,8 @@ static char const tpmtool_opt_strs[1647] =
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (tpmtool_opt_strs+1327)
-#define VER_name (tpmtool_opt_strs+1363)
+#define VER_DESC (tpmtool_opt_strs+1501)
+#define VER_name (tpmtool_opt_strs+1537)
/*
* Declare option callback procedures
*/
@@ -272,8 +306,20 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ GENERATE_RSA_DESC, GENERATE_RSA_NAME,
GENERATE_RSA_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 4, VALUE_OPT_PUBKEY,
- /* equiv idx, value */ 4, VALUE_OPT_PUBKEY,
+ { /* entry idx, value */ 4, VALUE_OPT_REGISTER,
+ /* equiv idx, value */ 4, VALUE_OPT_REGISTER,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ REGISTER_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --register */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ REGISTER_DESC, REGISTER_NAME, REGISTER_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 5, VALUE_OPT_PUBKEY,
+ /* equiv idx, value */ 5, VALUE_OPT_PUBKEY,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ PUBKEY_FLAGS, 0,
@@ -284,8 +330,32 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PUBKEY_DESC, PUBKEY_NAME, PUBKEY_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 5, VALUE_OPT_SEC_PARAM,
- /* equiv idx, value */ 5, VALUE_OPT_SEC_PARAM,
+ { /* entry idx, value */ 6, VALUE_OPT_LIST,
+ /* equiv idx, value */ 6, VALUE_OPT_LIST,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ LIST_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --list */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ LIST_DESC, LIST_NAME, LIST_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 7, VALUE_OPT_DELETE,
+ /* equiv idx, value */ 7, VALUE_OPT_DELETE,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DELETE_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --delete */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DELETE_DESC, DELETE_NAME, DELETE_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 8, VALUE_OPT_SEC_PARAM,
+ /* equiv idx, value */ 8, VALUE_OPT_SEC_PARAM,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ SEC_PARAM_FLAGS, 0,
@@ -296,8 +366,8 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ SEC_PARAM_DESC, SEC_PARAM_NAME, SEC_PARAM_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 6, VALUE_OPT_BITS,
- /* equiv idx, value */ 6, VALUE_OPT_BITS,
+ { /* entry idx, value */ 9, VALUE_OPT_BITS,
+ /* equiv idx, value */ 9, VALUE_OPT_BITS,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ BITS_FLAGS, 0,
@@ -352,14 +422,14 @@ static tOptDesc optDesc[OPTION_CT] = {
*
* Define the tpmtool Option Environment
*/
-#define zPROGNAME (tpmtool_opt_strs+1371)
-#define zUsageTitle (tpmtool_opt_strs+1379)
+#define zPROGNAME (tpmtool_opt_strs+1545)
+#define zUsageTitle (tpmtool_opt_strs+1553)
#define zRcName NULL
#define apzHomeList NULL
-#define zBugsAddr (tpmtool_opt_strs+1480)
-#define zExplain (tpmtool_opt_strs+1499)
-#define zDetail (tpmtool_opt_strs+1502)
-#define zFullVersion (tpmtool_opt_strs+1571)
+#define zBugsAddr (tpmtool_opt_strs+1654)
+#define zExplain (tpmtool_opt_strs+1673)
+#define zDetail (tpmtool_opt_strs+1676)
+#define zFullVersion (tpmtool_opt_strs+1745)
/* extracted from optcode.tlib near line 350 */
#if defined(ENABLE_NLS)
@@ -373,7 +443,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define tpmtool_full_usage (NULL)
-#define tpmtool_short_usage (tpmtool_opt_strs+1589)
+#define tpmtool_short_usage (tpmtool_opt_strs+1763)
#endif /* not defined __doxygen__ */
@@ -515,7 +585,7 @@ tOptions tpmtoolOptions = {
NO_EQUIVALENT, /* '-#' option index */
NO_EQUIVALENT /* index of default opt */
},
- 10 /* full option count */, 7 /* user option count */,
+ 13 /* full option count */, 10 /* user option count */,
tpmtool_full_usage, tpmtool_short_usage,
NULL, NULL,
PKGDATADIR, tpmtool_packager_info
diff --git a/src/tpmtool-args.def b/src/tpmtool-args.def
index 37a7abd..84b62cc 100644
--- a/src/tpmtool-args.def
+++ b/src/tpmtool-args.def
@@ -17,12 +17,32 @@ flag = {
};
flag = {
+ name = register;
+ descrip = "Any generated key will be registered in the TPM";
+ doc = "";
+};
+
+flag = {
name = pubkey;
descrip = "Prints the public key of the provided key";
doc = "";
};
flag = {
+ name = list;
+ descrip = "Lists all stored keys in the TPM";
+ doc = "";
+};
+
+flag = {
+ name = delete;
+ arg-type = string;
+ arg-name = "url";
+ descrip = "Delete the key identified by the given URL (UUID).";
+ doc = "";
+};
+
+flag = {
name = sec-param;
arg-type = string;
arg-name = "Security parameter";
diff --git a/src/tpmtool-args.h b/src/tpmtool-args.h
index 6e40678..0ae0286 100644
--- a/src/tpmtool-args.h
+++ b/src/tpmtool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (tpmtool-args.h)
*
- * It has been AutoGen-ed July 8, 2012 at 09:02:01 PM by AutoGen 5.16
+ * It has been AutoGen-ed July 12, 2012 at 12:55:38 AM by AutoGen 5.16
* From the definitions tpmtool-args.def
* and the template file options
*
@@ -71,15 +71,18 @@ typedef enum {
INDEX_OPT_INFILE = 1,
INDEX_OPT_OUTFILE = 2,
INDEX_OPT_GENERATE_RSA = 3,
- INDEX_OPT_PUBKEY = 4,
- INDEX_OPT_SEC_PARAM = 5,
- INDEX_OPT_BITS = 6,
- INDEX_OPT_VERSION = 7,
- INDEX_OPT_HELP = 8,
- INDEX_OPT_MORE_HELP = 9
+ INDEX_OPT_REGISTER = 4,
+ INDEX_OPT_PUBKEY = 5,
+ INDEX_OPT_LIST = 6,
+ INDEX_OPT_DELETE = 7,
+ INDEX_OPT_SEC_PARAM = 8,
+ INDEX_OPT_BITS = 9,
+ INDEX_OPT_VERSION = 10,
+ INDEX_OPT_HELP = 11,
+ INDEX_OPT_MORE_HELP = 12
} teOptIndex;
-#define OPTION_CT 10
+#define OPTION_CT 13
#define TPMTOOL_VERSION "@VERSION@"
#define TPMTOOL_FULL_VERSION "tpmtool @VERSION@"
@@ -123,9 +126,12 @@ typedef enum {
#define VALUE_OPT_INFILE 1
#define VALUE_OPT_OUTFILE 2
#define VALUE_OPT_GENERATE_RSA 3
-#define VALUE_OPT_PUBKEY 4
-#define VALUE_OPT_SEC_PARAM 5
-#define VALUE_OPT_BITS 6
+#define VALUE_OPT_REGISTER 4
+#define VALUE_OPT_PUBKEY 5
+#define VALUE_OPT_LIST 6
+#define VALUE_OPT_DELETE 7
+#define VALUE_OPT_SEC_PARAM 8
+#define VALUE_OPT_BITS 9
#define OPT_VALUE_BITS (DESC(BITS).optArg.argInt)
#define VALUE_OPT_HELP 'h'
diff --git a/src/tpmtool.c b/src/tpmtool.c
index b9543cf..4e2f410 100644
--- a/src/tpmtool.c
+++ b/src/tpmtool.c
@@ -50,8 +50,10 @@
#include "tpmtool-args.h"
static void cmd_parser (int argc, char **argv);
-static void tpm_generate(FILE* outfile, unsigned int key_type, unsigned int
bits);
+static void tpm_generate(FILE* outfile, unsigned int key_type, unsigned int
bits, int reg);
static void tpm_pubkey(FILE* infile, FILE* outfile);
+static void tpm_delete(const char* url, FILE* outfile);
+static void tpm_list(FILE* outfile);
static FILE *outfile;
static FILE *infile;
@@ -79,7 +81,7 @@ cmd_parser (int argc, char **argv)
int ret, debug = 0;
unsigned int optct;
unsigned int key_type = GNUTLS_PK_UNKNOWN;
- unsigned int bits = 0;
+ unsigned int bits = 0, reg = 0;
const char* sec_param = NULL;
optct = optionProcess( &tpmtoolOptions, argc, argv);
@@ -89,6 +91,9 @@ cmd_parser (int argc, char **argv)
if (HAVE_OPT(DEBUG))
debug = OPT_VALUE_DEBUG;
+ if (HAVE_OPT(REGISTER))
+ reg = 1;
+
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug);
if (debug > 1)
@@ -125,12 +130,20 @@ cmd_parser (int argc, char **argv)
{
key_type = GNUTLS_PK_RSA;
bits = get_bits (key_type, bits, sec_param);
- tpm_generate (outfile, key_type, bits);
+ tpm_generate (outfile, key_type, bits, reg);
}
else if (HAVE_OPT(PUBKEY))
{
tpm_pubkey (infile, outfile);
}
+ else if (HAVE_OPT(DELETE))
+ {
+ tpm_delete (OPT_ARG(DELETE), outfile);
+ }
+ else if (HAVE_OPT(LIST))
+ {
+ tpm_list (outfile);
+ }
else
{
USAGE(1);
@@ -141,11 +154,15 @@ cmd_parser (int argc, char **argv)
gnutls_global_deinit ();
}
-static void tpm_generate(FILE* outfile, unsigned int key_type, unsigned int
bits)
+static void tpm_generate(FILE* outfile, unsigned int key_type, unsigned int
bits, int reg)
{
int ret;
char* srk_pass, *key_pass;
gnutls_datum_t privkey, pubkey;
+ unsigned int flags = 0;
+
+ if (reg)
+ flags |= GNUTLS_TPM_REGISTER_KEY;
srk_pass = getpass ("Enter SRK password: ");
if (srk_pass != NULL)
@@ -157,7 +174,7 @@ static void tpm_generate(FILE* outfile, unsigned int
key_type, unsigned int bits
ret = gnutls_tpm_privkey_generate(key_type, bits, srk_pass, key_pass,
GNUTLS_X509_FMT_PEM, &privkey, &pubkey,
- GNUTLS_TPM_SIG_PKCS1V15);
+ flags);
free(key_pass);
free(srk_pass);
@@ -171,6 +188,47 @@ static void tpm_generate(FILE* outfile, unsigned int
key_type, unsigned int bits
fputs ("\n", outfile);
}
+static void tpm_delete(const char* url, FILE* outfile)
+{
+ int ret;
+ char* srk_pass;
+
+ srk_pass = getpass ("Enter SRK password: ");
+
+ ret = gnutls_tpm_privkey_delete(url, srk_pass);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_tpm_privkey_delete: %s", gnutls_strerror
(ret));
+
+ fprintf (outfile, "Key %s deleted\n", url);
+}
+
+static void tpm_list(FILE* outfile)
+{
+ int ret;
+ gnutls_tpm_key_list_t list;
+ unsigned int i;
+ char* url;
+
+ ret = gnutls_tpm_get_registered (&list);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_tpm_get_registered: %s", gnutls_strerror
(ret));
+
+ fprintf(outfile, "Available keys under SRK:\n");
+ for (i=0;;i++)
+ {
+ ret = gnutls_tpm_key_list_get_url(list, i, &url);
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+ else if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_tpm_key_list_get_url: %s",
gnutls_strerror (ret));
+
+ fprintf(outfile, "\t%u: %s\n", i, url);
+ gnutls_free(url);
+ }
+
+ fputs ("\n", outfile);
+}
+
static void tpm_pubkey(FILE* infile, FILE* outfile)
{
int ret;
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-16-g430abd7,
Nikos Mavrogiannopoulos <=