xref: /netbsd-src/crypto/external/cpl/trousers/dist/src/tcs/tcsi_aik.c (revision 7788a0781fe6ff2cce37368b4578a7ade0850cb1) 
1 
2 /*
3  * Licensed Materials - Property of IBM
4  *
5  * trousers - An open source TCG Software Stack
6  *
7  * (C) Copyright International Business Machines Corp. 2004
8  *
9  */
10 
11 
12 #include <stdlib.h>
13 #include <stdio.h>
14 #include <string.h>
15 #include <inttypes.h>
16 
17 #include "trousers/tss.h"
18 #include "trousers_types.h"
19 #include "tcs_tsp.h"
20 #include "tcs_utils.h"
21 #include "tcs_int_literals.h"
22 #include "capabilities.h"
23 #include "tcslog.h"
24 #include "tcsps.h"
25 #include "req_mgr.h"
26 #include "tcs_aik.h"
27 
28 
29 TSS_RESULT
30 TCSP_MakeIdentity_Internal(TCS_CONTEXT_HANDLE hContext,			/* in  */
31 			   TCPA_ENCAUTH identityAuth,			/* in */
32 			   TCPA_CHOSENID_HASH IDLabel_PrivCAHash,	/* in */
33 			   UINT32 idKeyInfoSize,			/* in */
34 			   BYTE * idKeyInfo,				/* in */
35 			   TPM_AUTH * pSrkAuth,				/* in, out */
36 			   TPM_AUTH * pOwnerAuth,			/* in, out */
37 			   UINT32 * idKeySize,				/* out */
38 			   BYTE ** idKey,				/* out */
39 			   UINT32 * pcIdentityBindingSize,		/* out */
40 			   BYTE ** prgbIdentityBinding,			/* out */
41 			   UINT32 * pcEndorsementCredentialSize,	/* out */
42 			   BYTE ** prgbEndorsementCredential,		/* out */
43 			   UINT32 * pcPlatformCredentialSize,		/* out */
44 			   BYTE ** prgbPlatformCredential,		/* out */
45 			   UINT32 * pcConformanceCredentialSize,	/* out */
46 			   BYTE ** prgbConformanceCredential)		/* out */
47 {
48 	UINT64 offset;
49 	UINT32 paramSize;
50 	TSS_RESULT result;
51 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
52 
53 	if ((result = ctx_verify_context(hContext)))
54 		goto done;
55 
56 	if (pSrkAuth != NULL) {
57 		LogDebug("SRK Auth Used");
58 		if ((result = auth_mgr_check(hContext, &pSrkAuth->AuthHandle)))
59 			goto done;
60 	} else {
61 		LogDebug("No SRK Auth");
62 	}
63 
64 	if ((result = auth_mgr_check(hContext, &pOwnerAuth->AuthHandle)))
65 		goto done;
66 
67 	offset = 0;
68 	if ((result = tpm_rqu_build(TPM_ORD_MakeIdentity, &offset, txBlob, identityAuth.authdata,
69 				    IDLabel_PrivCAHash.digest, idKeyInfoSize, idKeyInfo, pSrkAuth,
70 				    pOwnerAuth)))
71 		goto done;
72 
73 	if ((result = req_mgr_submit_req(txBlob)))
74 		goto done;
75 
76 	result = UnloadBlob_Header(txBlob, &paramSize);
77 	if (!result) {
78 		if ((result = tpm_rsp_parse(TPM_ORD_MakeIdentity, txBlob, paramSize, idKeySize,
79 					    idKey, pcIdentityBindingSize, prgbIdentityBinding,
80 					    pSrkAuth, pOwnerAuth)))
81 			goto done;
82 
83 		/* If an error occurs, these will return NULL */
84 		get_credential(TSS_TCS_CREDENTIAL_PLATFORMCERT, pcPlatformCredentialSize,
85 			       prgbPlatformCredential);
86 		get_credential(TSS_TCS_CREDENTIAL_TPM_CC, pcConformanceCredentialSize,
87 			       prgbConformanceCredential);
88 		get_credential(TSS_TCS_CREDENTIAL_EKCERT, pcEndorsementCredentialSize,
89 			       prgbEndorsementCredential);
90 	}
91 	LogResult("Make Identity", result);
92 done:
93 	auth_mgr_release_auth(pSrkAuth, pOwnerAuth, hContext);
94 	return result;
95 }
96 
97 TSS_RESULT
98 TCSP_ActivateTPMIdentity_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
99 				  TCS_KEY_HANDLE idKey,	/* in */
100 				  UINT32 blobSize,	/* in */
101 				  BYTE * blob,	/* in */
102 				  TPM_AUTH * idKeyAuth,	/* in, out */
103 				  TPM_AUTH * ownerAuth,	/* in, out */
104 				  UINT32 * SymmetricKeySize,	/* out */
105 				  BYTE ** SymmetricKey)	/* out */
106 {
107 	UINT64 offset;
108 	TSS_RESULT result;
109 	UINT32 paramSize;
110 	UINT32 keySlot;
111 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
112 
113 	LogDebug("TCSP_ActivateTPMIdentity");
114 
115 	if ((result = ctx_verify_context(hContext)))
116 		goto done;
117 
118 	if (idKeyAuth != NULL) {
119 		if ((result = auth_mgr_check(hContext, &idKeyAuth->AuthHandle)))
120 			goto done;
121 	}
122 	if ((result = auth_mgr_check(hContext, &ownerAuth->AuthHandle)))
123 		goto done;
124 
125 	if ((result = ensureKeyIsLoaded(hContext, idKey, &keySlot)))
126 		goto done;
127 
128 	offset = 0;
129 	if ((result = tpm_rqu_build(TPM_ORD_ActivateIdentity, &offset, txBlob, keySlot, blobSize,
130 				    blob, idKeyAuth, ownerAuth)))
131 		goto done;
132 
133 	if ((result = req_mgr_submit_req(txBlob)))
134 		goto done;
135 
136 	result = UnloadBlob_Header(txBlob, &paramSize);
137 	if (!result) {
138 		if ((result = tpm_rsp_parse(TPM_ORD_ActivateIdentity, txBlob, paramSize,
139 					    SymmetricKeySize, SymmetricKey, idKeyAuth, ownerAuth)))
140 			goto done;
141 	}
142 
143 done:
144 	auth_mgr_release_auth(idKeyAuth, ownerAuth, hContext);
145 	return result;
146 }
147 
148 TSS_RESULT
149 TCS_GetCredential_Internal(TCS_CONTEXT_HANDLE hContext,		/* in  */
150 			   UINT32 ulCredentialType,		/* in */
151 			   UINT32 ulCredentialAccessMode,	/* in */
152 			   UINT32 * pulCredentialSize,		/* out */
153 			   BYTE ** prgbCredentialData)		/* out */
154 {
155 	TSS_RESULT result;
156 
157 	if ((result = ctx_verify_context(hContext)))
158 		return result;
159 
160 	if ((ulCredentialType != TSS_TCS_CREDENTIAL_EKCERT) &&
161 	    (ulCredentialType != TSS_TCS_CREDENTIAL_TPM_CC) &&
162 	    (ulCredentialType != TSS_TCS_CREDENTIAL_PLATFORMCERT)) {
163 		LogError("GetCredential - Unsupported Credential Type");
164 		return TCSERR(TSS_E_BAD_PARAMETER);
165 	}
166 
167 	if (ulCredentialAccessMode == TSS_TCS_CERT_ACCESS_AUTO) {
168 		get_credential(ulCredentialType, pulCredentialSize, prgbCredentialData);
169 	} else {
170 		LogError("GetCredential - Unsupported Credential Access Mode");
171 		return TCSERR(TSS_E_FAIL);
172 	}
173 
174 	return TSS_SUCCESS;
175 }
176 
177 TSS_RESULT
178 TCSP_MakeIdentity2_Internal(TCS_CONTEXT_HANDLE hContext,		/* in  */
179 			    TCPA_ENCAUTH identityAuth,			/* in */
180 			    TCPA_CHOSENID_HASH IDLabel_PrivCAHash,	/* in */
181 			    UINT32 idKeyInfoSize,			/* in */
182 			    BYTE * idKeyInfo,				/* in */
183 			    TPM_AUTH * pSrkAuth,			/* in, out */
184 			    TPM_AUTH * pOwnerAuth,			/* in, out */
185 			    UINT32 * idKeySize,				/* out */
186 			    BYTE ** idKey,				/* out */
187 			    UINT32 * pcIdentityBindingSize,		/* out */
188 			    BYTE ** prgbIdentityBinding)		/* out */
189 {
190 	UINT64 offset;
191 	UINT32 paramSize;
192 	TSS_RESULT result;
193 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
194 
195 	if ((result = ctx_verify_context(hContext)))
196 		goto done;
197 
198 	if (pSrkAuth) {
199 		if ((result = auth_mgr_check(hContext, &pSrkAuth->AuthHandle)))
200 			goto done;
201 	}
202 
203 	if ((result = auth_mgr_check(hContext, &pOwnerAuth->AuthHandle)))
204 		goto done;
205 
206 	offset = 0;
207 	if ((result = tpm_rqu_build(TPM_ORD_MakeIdentity, &offset, txBlob, identityAuth.authdata,
208 				    IDLabel_PrivCAHash.digest, idKeyInfoSize, idKeyInfo, pSrkAuth,
209 				    pOwnerAuth)))
210 		goto done;
211 
212 	if ((result = req_mgr_submit_req(txBlob)))
213 		goto done;
214 
215 	result = UnloadBlob_Header(txBlob, &paramSize);
216 	if (!result) {
217 		if ((result = tpm_rsp_parse(TPM_ORD_MakeIdentity, txBlob, paramSize, idKeySize,
218 					    idKey, pcIdentityBindingSize, prgbIdentityBinding,
219 					    pSrkAuth, pOwnerAuth)))
220 			goto done;
221 	}
222 	LogResult("Make Identity", result);
223 done:
224 	auth_mgr_release_auth(pSrkAuth, pOwnerAuth, hContext);
225 	return result;
226 }
227 
228